[tahoe-dev] What is the 100 year crypto KDF?

Zooko O'Whielacronx zookog at gmail.com
Thu Jun 10 17:42:43 UTC 2010


Yeah, that's a good question, Chris. Take, for example, the
100-Year-Crypto project of a combined cipher, which I could imagine
offering to other programmers as a standard building block that they
can re-use.

We need two different independent keys to key the two underlying
ciphers. We could require the user of the combined cipher to provide
those two keys, but this requires them to manage a secret that much
larger -- e.g. 512 bits instead of 256 bits. Also, they might screw it
up -- they might take a single 256-bit key and just concatenate it onto
itself to get a 512-bit key to pass to the combined cipher, or they
might otherwise cause the two keys to be non-independent.

Of course if they can generate their own keys then getting 512 bits
from /dev/urandom should be no harder than getting 256 bits from
/dev/urandom, but if instead they are being given a key from some
other source that they have to use, and that key is only 256 bits,
then trouble might result.

If instead we define the combined cipher as taking a single 256-bit
key and then we automatically expand it to two keys using a strong KDF
such as HKDF[Comb4P[SHA-256, Shabal]] the user will have an easier
time using this tool correctly.

Regards,

Zooko


