Dear all,

I just now noticed the call for comment for SP 800-56C. Please note the state-of-the-art paper on seedless randomness extraction in the recent CRYPTO'19 paper by Sandro Coretti, Harish Karthikeyan, Stefano Tessaro and myself: "Seedless Fruit is the Sweetest: Random Number Generation, Revisited",
https://cs.nyu.edu/~dodis/ps/seedless.pdf

Among its results, it strongly advises AGAINST using CBC-mode, such as AES-CMAC, for randomness extraction. It also gives very clean randomness extraction modules based on existing functions, such as SHA2 and SHA3, and also analyzes HKDF.

I (and likely my co-authors, cc'ed) will be happy to work with NIST on making sure they follow state-of-the-art recommendations validated by top conferences such as CRYPTO. I admit I did not read the document in detail, but it looks like it does not include any of the optimized constructions from our paper, but still includes the (at least theoretically) insecure CMAC mode.

Can somebody recommend a proper course of action if my suspicion is correct?

Yevgeniy

On Fri, May 8, 2020 at 4:21 PM Salz, Rich <rsalz=40akamai....@dmarc.ietf.org> wrote:
>
> If you don’t care about FIPS-140, just delete this message, and avoid the
> temptation to argue how bad it is.
>
> NIST SP 800-56C (Recommendation for Key-Derivation Methods in
> Key-Establishment Schemes) is currently a draft in review. The document is at
> https://csrc.nist.gov/publications/detail/sp/800-56c/rev-2/draft Email
> comments can be sent to 800-56c_comme...@nist.gov with a deadline of May 15.
> That is not a lot of time. The NIST crypto group is currently unlikely to
> include HKDF, which means that TLS 1.3 would not be part of FIPS. The CMVP
> folks at NIST understand this, and agree that this would be bad; they are
> looking at adding it, perhaps via an Implementation Guidance update.
>
> If you have a view of HKDF (and perhaps TLS 1.3), I strongly encourage you to
> comment at the above address. Please do not comment here. I know that many
> members of industry and academia have been involved with TLS 1.3, and
> performed security analysis of it. If you are one of those people, *please*
> send email and ask the NIST Crypto Team to reconsider.
>
> Thank you.
> /r$