So, in my original plan I had intended to go into more detail on some of the analysis. I will go faster and focus on the properties we prove rather than on how we prove them, because I want to get to the point: I want to show how TLS 1.3 uses HKDF, and you will see that essentially in one single protocol all the properties I am going to claim about HKDF are actually used.

So, let's see. HKDF is this extract-then-expand design based on HMAC, where HMAC is used both as a PRF and as an extractor. The first stage is the derivation of a pseudorandom key, where HMAC is keyed with the salt. Remember that for the extraction part we assume we have a salt, the random seed for extraction; in some cases we will not have one, and then we set the salt to a constant, usually all zeros. So the first application of HMAC is in the functionality of an extractor, and the pseudorandom key PRK that is extracted is then used to key HMAC again, this time as a PRF, to produce as many keys as necessary; the output keys are produced by running HMAC with PRK in feedback mode. We will not go over that part because it is completely standard. Just on notation: the first argument is the key, the thing that gets XORed with ipad and opad, so in the extract step the salt is what plays the role of the HMAC key. Note the use of a PRF — HMAC as a PRF — with a random but non-secret key. That is a very, very non-standard use of a pseudorandom function, and we want to claim that even though we reveal the key, there are still extraction properties we can claim.

Now, this is a very modular construction, in the sense that you could, for example, use HMAC-SHA-512 for the extraction and then use the extracted key with SHA-256. Usually that will not be the case; usually you use the same hash in both places. It is very interesting that our analytical results are much better when you truncate the output, because you get a larger gap between the entropy and the output length. Actually, doing HMAC-SHA-512 for extraction and SHA-256 for expansion would be very good; so far I have not been brave enough to push that into actual use, because I say, okay, let's not exaggerate with the theory. Anyway: context information goes into the PRF part, and the feedback mode there is not very interesting.

So we can state a theorem. One note on notation: all my figures until now had a lowercase f for the compression function and an uppercase F for the iterated function; from now on it will be lowercase h for the compression function and uppercase H for the iterated one. Maybe in some places an F still appears, but I will try to be consistent. We have that if the keyed compression functions h_k are pseudorandom functions, then the iterated function H is a PRF, by the arguments I mentioned before. I will not get into the proof, because it is a conventional result. The more interesting part is this: the PRF result takes care of the expand part, but then we have extract, and the theorem is that if the instantiation of HMAC with the family h_k is a secure computational extractor with respect to sources in some family S, then HKDF is a secure KDF with respect to those sources. In other words, the composition of an extractor with a PRF-based expansion gives us a good KDF.
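To make the extract-then-expand shape concrete, here is a minimal sketch of HKDF over HMAC-SHA-256, written the way it was just described; the function names and parameters are mine, for illustration only.

```python
# Minimal HKDF sketch (extract-then-expand), following the description above.
# HMAC is used twice: once as an extractor (keyed by the salt), once as a PRF
# (keyed by the extracted PRK) run in feedback mode to produce output blocks.
import hmac
import hashlib

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 bytes for SHA-256

def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    # If no salt is available, it is set to a string of zeros.
    if not salt:
        salt = b"\x00" * HASH_LEN
    # The salt plays the role of the HMAC key here.
    return hmac.new(salt, ikm, HASH).digest()

def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    # HMAC keyed with PRK, run in feedback mode, with context info
    # (domain separation) and a block counter fed into each iteration.
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]

# Example: derive 64 bytes of key material from some source key material.
prk = hkdf_extract(salt=b"public random salt", ikm=b"source key material")
okm = hkdf_expand(prk, info=b"context / domain separation", length=64)
```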
The interesting point here is: how do we claim that HMAC, on some family of sources, is actually a good computational extractor? So the question is, what do we know about HMAC being a secure computational extractor? And we will ask this question in many settings. We will ask about extractability from a single function — basically a deterministic extractor, which essentially builds on oracle access to random functions — and we will talk about families of functions with secret keys, as in the PRF case, and with non-secret keys, as in the case of HMAC as an extractor with a random but public seed. The functionalities we look at are statistical extraction, the random oracle, and also collision resistance. The reason I stress collision resistance here is that in all the papers related to HKDF you will never see us claim that it is collision resistant. It is collision resistant — that comes from the hash function — but we did not think it was interesting to claim that you need collision resistance for these applications. Now, in TLS 1.3 it turns out there actually is a reason why the derived keys also need to be collision resistant, so I added that as a kind of surprise to myself. But that is not the interesting part here.

The kind of results we get are of the form: if the compression function has property A, then HMAC has property A'. In some cases the property is preserved, as in the PRF case; in other cases it is a variant of the property. The types of properties we prove are statistical extraction, delta-almost-universality, and the random oracle. In most cases the proof is for NMAC, not for HMAC, and then we cheat and say it holds for HMAC — I mean, we do not really cheat; we have to add the additional property I mentioned about keying the compression function through the input, together with a related-key assumption.

Okay. NMAC and HMAC as PRFs: this is a result that has been established in different ways over the years and is by now standard, so I will not go over it. Now, HMAC as a random oracle. What we want to say is that if you look at the compression functions as a family of random oracles, then HMAC is also a family of random oracles. It turns out that in most settings this is the case, but if you are in a setting where the random oracle is used in such a way that the attacker can choose the keys to the random oracles — if we think about keyed random oracles — then there are actually attacks where the attacker can choose keys in a particular way to break the random-oracle property.

I'll give you one example, an obvious one, in HMAC. One thing I did not tell you about HMAC: it can accept keys of various lengths. Usually it is recommended that HMAC use keys of the length of the output of the hash function — with SHA-256, a 256-bit key; with SHA-1, a 160-bit key. But since the key goes into a block, the key can actually be as long as a block, 512 bits; that is well defined. What happens if you give it a key longer than 512 bits? HMAC defines that too: you hash the key and use the output of the hash as your key. So there are two different keys that define the same function: if I give you a key of, say, 1024 bits, longer than 512, you hash it and get a new key — the long key hashes into some value, and that value and the long key are two keys that collide, producing the same function.
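The colliding-keys point is easy to check: Python's hmac module follows the HMAC specification's rule of hashing keys longer than a block, so a long key and its hash define the very same function. A small demonstration, assuming HMAC-SHA-256 with its 64-byte block:

```python
# Two distinct HMAC keys that define the same function: a key longer than the
# block size is replaced by its hash, per the HMAC specification.
import hmac
import hashlib
import os

long_key = os.urandom(128)                      # 1024 bits, longer than the 64-byte block
short_key = hashlib.sha256(long_key).digest()   # the key HMAC actually ends up using

msg = b"any message"
tag1 = hmac.new(long_key, msg, hashlib.sha256).digest()
tag2 = hmac.new(short_key, msg, hashlib.sha256).digest()
assert tag1 == tag2  # two different keys, identical function
```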
That contradicts the modeling as a family of random oracles, where all the functions are supposed to be independent of each other. So there you see something. There is something much more subtle in a work by — again, I cannot say the authors; actually I think I can, but I will not, just to be equal opportunity, so no one is offended. Anyway, the exact details do not matter; it is a technicality and not really exploitable, but it is interesting. Someone asked earlier whether there are examples where playing with the salt, or the salt not being chosen independently of the source, is a problem — this can be such an example.

Now, one nice thing about theory: when I was specifying things, I always said you either have a seed which is truly random, or, if not, you fix it to zero. I wanted not to leave any choice to attackers, even though I did not know about this result — this result came afterwards. But that is the nice thing about theory, at least as an inspiration: I knew that seeds should not be chosen after seeing the source, so either you have them random and independent, or you fix them to zero, so there is no illusion of randomness there.

Anyway, that is how you prove HMAC to be a random oracle, through the indifferentiability framework, and we will not show it. Again, I stole these beautiful slides, so I am just showing them, but that's it.

Okay, NMAC and HMAC as extractors. First of all, we take HMAC, we think of it as a PRF, and we key this PRF with a known key. What is the strength of a PRF when you key it with a public key — what can you say about that? The intuition for why this is not as bad as it sounds, even if you know the key, is that any statistical test that does not use the key — counting zeros against ones, runs, anything computed on the output alone — is fine: the output is close to indistinguishable from uniform in that sense. But if you have the key, then in general you cannot really claim anything. Now, can you give me an example of a PRF that becomes distinguishable from random once the key is known? As with most of my questions, the answer is written in here. I will not show the details, but I use something based on quadratic residuosity: I build a counterexample, a very unnatural PRF, that is a PRF with a secret key, but once I give you the key you can distinguish. Now, it is interesting, because we have a result showing that this kind of number-theoretic technique for building a counterexample is actually necessary.
We have some results showing a separation: roughly, if we are in Minicrypt, then such counterexamples do not exist, so to show a counterexample you need something beyond Minicrypt. I do not want to get into the details now, but there is an interesting statement there: it is not easy to build a PRF that becomes easy to distinguish once you reveal the key, which is somewhat counter-intuitive — you would think that once you give away the key everything should fall apart. The fact that such examples are hard to find is what helps us use this stuff as an extractor.

Here is one simple example of the type of result you can get. If you model the compression functions as random oracles, and you have a source of min-entropy m, then you can prove that HMAC on such a source is q · 2^(-m)-indistinguishable from uniform against an attacker making q queries. So here you essentially have a deterministic extractor — in fact this result applies even if you fix the functions used to build HMAC.

Now, think about random functions themselves: is a random function a good extractor or not? If you take a random function from, say, (n+1)-bit strings to n-bit strings, is the output close to uniform? You have 2^(n+1) elements mapped at random into 2^n elements. It is not close to uniform: a constant fraction of the outputs gets no preimage at all — throw 2^(n+1) balls into 2^n bins and roughly a 1/e² fraction of the bins will be empty — and that means the output is statistically far from uniform. So a random function is not a good statistical extractor. However, we are claiming here that this is a good extractor, because q · 2^(-m) is good — it is basically extracting all the entropy of the source. How is this possible? It is a random function, but it is a random function that the attacker is only allowed to look at in q different places. That is what makes it work: yes, as in the balls-and-bins picture, there is a huge number of points with no preimage, but to distinguish based on that you would have to work very hard — you would need an exponential number of queries. So these results tell you that if you start from a family of random compression functions, you get a random-oracle-style extractor with these kinds of parameters. There is also a question about the independence of the family and the source, with some interesting subtleties, but let me skip that.

The proof is basically immediate: if you ask the attacker to distinguish an output of the random oracle from uniform, it can only distinguish if it queried the random oracle on that input — values it did not query are uniformly random to it. So the best it can do with its q queries is to query the function on the q heaviest elements of the source's support, and each element has probability at most 2^(-m), because that is the min-entropy. Overall it gains a distinguishing advantage of at most q times 2^(-m).
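The balls-and-bins point is easy to see experimentally. Here is a toy simulation (parameters chosen by me, just for speed) of a random function from (n+1)-bit inputs to n-bit outputs: roughly a 1/e² fraction of the outputs gets no preimage at all, so the full output distribution is far from uniform — the q · 2^(-m) bound above survives only because the attacker is restricted to q queries.

```python
# Toy simulation: a random function from (n+1)-bit inputs to n-bit outputs
# leaves roughly a 1/e^2 fraction of the 2^n outputs with no preimage at all,
# so its output distribution is statistically far from uniform.
import random
import math

n = 16                      # toy parameter: 2^n bins, 2^(n+1) balls
bins = 2 ** n
balls = 2 ** (n + 1)

hit = set()
for _ in range(balls):
    hit.add(random.randrange(bins))

empty_fraction = 1 - len(hit) / bins
print(f"empty fraction: {empty_fraction:.4f},  1/e^2 = {math.exp(-2):.4f}")
```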
This is quite straightforward analysis, but it gives us at least some meaningful understanding of what the power of the construction is. Then we have the case of extraction from unpredictability — say, a group in which CDH, the computational Diffie-Hellman assumption, holds but decisional Diffie-Hellman does not. There we do not have the luxury of HILL entropy to extract from; in that case you need to extract from unpredictability, and for that — well, that is another application of the random oracle, basically as a hard-core function. There is a very interesting story here from my work on IKE and IPsec twenty years ago, which shows how things we think of as purely theoretical requirements — of course independence is a theoretical requirement, but will it ever matter in practice? — it is a beautiful example of how things that kill you in theory can also kill you in practice. But you will have to read the slides, or the paper, or talk to me later to see it.

Okay, here — at least this time I asked the question before showing the answer. So this is what I said before. Now, NMAC and universal functions. [Question from the audience.] Yes, right: first of all, these are computational extractors, and with computational extractors you get expansion for free — you extract whatever you extract and then you can use a pseudorandom generator to expand. So, again: when you model things with random functions, random oracles, that gives you a lot of power and lets you prove many things you cannot prove otherwise. The approach here is: let's try to prove as many properties as possible that are preserved by these modes of operation, but with assumptions as low as possible. If I have an application that can live without a random oracle, I will try to do without it, and I will show some examples. With a random oracle you can prove almost everything, but we also want to use this approach in cases where we do not need to go that far — and in those cases you may not get expansion for free. That is the answer from the theoretical side. There is also an answer from the more practical side, which I gave in the first part: the expansion is done with a PRF rather than a pseudorandom generator, because you are adding inputs to that PRF — context information, domain separation — since you are going to expand more than one key and you may want that separation. And the nice thing about this design is that it works well with the engineering world, because it gives you a modularity that is also good for the engineers — at least those engineers one can convince that it is a good thing to have.

The issues of independence are very interesting; again, I will skip them here, because I am trying just to show you the type of properties one can prove. So: a family of functions is called almost universal, or delta-almost universal, if for any fixed pair x ≠ y in the domain of the functions, the probability — over a function chosen at random after the pair is fixed — that the function sends both of them to the same place is at most delta.
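In symbols, the definition just stated (the notation for the family is mine):

```latex
% delta-almost-universal family, as defined above
\textbf{Definition.} A family $\{h_\kappa\}_{\kappa \in K}$ of functions over a common
domain is \emph{$\delta$-almost universal} ($\delta$-AU) if for every fixed pair of
distinct inputs $x \neq y$,
\[
  \Pr_{\kappa \leftarrow K}\bigl[\, h_\kappa(x) = h_\kappa(y) \,\bigr] \;\le\; \delta .
\]
```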
So that is the definition of delta-AU. And we can show the following. Remember what NMAC is: you run the cascade and then apply a function on the outside. If the outside function is assumed to be random, and on the inside you only assume the cascade to be delta-almost universal, then you can show something similar to what we had before: before we had q · 2^(-m) closeness, or indistinguishability; now you have to pay an extra delta term coming from the internal function. But instead of assuming the compression function is random both inside the cascade and outside, we only assume the outside function is random, and the internal part is a combinatorial property.

By the way, being delta-AU follows from these functions being collision resistant, and since these functions were built first and foremost to be collision resistant — the SHA family, the MD5 family, whatever family — if there is one property you hope these functions have, it is collision resistance, and that implies almost-universality. Now you could say: if you assume the external function, which is a compression function, to be random, why not assume it for the cascade as well? And the answer is: yes, you could, that's right. But at the same time we are trying to understand which structure we are really using. It shows that to get essentially the benefit of the random oracle you do not need to assume everything is random: it is enough to assume the external function is random and the internal one is almost universal, and the composition gives you something very close to what you would get by assuming everything is random.

As I said, delta-AU is a natural assumption even for very weakly collision-resistant hash functions: you can show that if the cascade family H is collision resistant with security delta against linear-size circuits — very, very weak attackers — then it is delta-AU. Why? Because if it is not delta-AU, it means there is a pair of inputs that many of the functions send to the same place, and that breaks collision resistance.

[Question: but padding with more zeros does not mean the values will collide, does it?] Oh, okay, I see what you are saying. Which one, the delta? Oh — yes, I see: that expression, "close to" or "indistinguishable from uniform", is the indistinguishability distance, which basically comes from the analysis we had for the random oracle — the q · 2^(-m) part — combined with the leftover hash lemma applied to the delta-almost-universal part. [But you had this issue with the zeros — what about that?] Right, collision resistance does not imply a random oracle. But here there is an application of a random function on the outside; and you can actually replace the delta-AU assumption with the assumption that the family H is collision resistant against very weak attackers, which is a very reasonable assumption for these functions.

Now, what happens if we assume that the family of compression functions is an extractor — has the properties of a statistical extractor? What do we get then?
Ideally, the result I would like to have is: if the compression function is an extractor family, then the cascade — NMAC, HMAC — is also an extractor. We do not get exactly that, but we get the following. First, remember that I said the compression functions can also be keyed through the input: we usually key them through the IV, but they can be keyed through the input block — the key sits in the input block and the data goes in through the IV; you reverse the roles. So h'_k will denote exactly that: the function that takes x as the IV, with the key as part of the input block. That is one definition. The other definition is a k-blockwise source. There are different definitions, but by this we mean a multi-block input where — never mind the total min-entropy — every block has min-entropy k, where k is the output length of the compression function. So with SHA-1 that is 160 bits: every 512-bit block has 160 bits of min-entropy, and not just on its own but also conditioned on the following blocks of the input.

If you have a situation like that, then we can prove something unconditionally — a non-idealized result, with no ideal assumptions on anything. If you assume that the family h_k is an (m, delta)-extractor family, meaning that on sources of min-entropy m the statistical distance of the output from uniform is delta, and you assume that the dual family h' is a (t, q, epsilon) pseudorandom function — actually even with a single query — then NMAC is (delta + epsilon)-indistinguishable from uniform — not statistically close, because there is a PRF in there — for time-t distinguishers, assuming a k-blockwise source.

This result is interesting because it uses no idealized modeling or assumptions, and at the same time there is a very practical case in which it applies. In IKE, the IPsec key-exchange protocol, there are different Diffie-Hellman groups, and in particular there are groups over safe primes — a safe prime is a prime p of the form 2q + 1 where q is also prime. In a group like that you can actually prove that the conditions hold: every 512-bit block of the Diffie-Hellman value has the required min-entropy — roughly because these group elements carry all that entropy, in every block, even conditioned on the others; one has to look at it more carefully, but it works out. So it is interesting that even though the theorem asks for something that is not the most common or natural condition — this blockwise min-entropy — there is a practical case: in IKE you can say you get good extraction, provably secure with PRFs and no other computational assumption.
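To keep the statement from a moment ago straight, here it is in symbols; this is my paraphrase of the spoken statement, so the exact quantifiers and constants should be checked against the paper:

```latex
% Blockwise sources and the unconditional extraction result, as stated above (paraphrase)
\textbf{Def.} A multi-block input $X = (X_1,\dots,X_n)$ is a \emph{$k$-blockwise source}
if every block $X_i$ has min-entropy at least $k$ (the output length of the compression
function), even conditioned on the following blocks.

\textbf{Claim (paraphrase).} If $\{h_\kappa\}$ is an $(m,\delta)$ statistical extractor
family and the dual family $\{h'_\kappa\}$ (keyed through the input block) is a
$(t,\, q{=}1,\, \varepsilon)$ PRF, then on $k$-blockwise sources the output of NMAC is
$(\delta + \varepsilon)$-indistinguishable from uniform for time-$t$ distinguishers.
```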
Now, if you are willing to truncate the output of NMAC — as I said, use SHA-512 as the extractor, take its 512-bit output, truncate it to half, 256 bits, and use that to key HMAC-SHA-256 — then you get the benefit of the following results. If the h_k are a family of random functions and you truncate the k-bit output of the function to k − c bits — say from 512 to 512 − 256 — then you get closeness to uniform of about 2^(-c/2) times a square-root factor that does not matter much here. The point is that if you do what I said, going from 512 to 256, then c is 256, c/2 is 128, and this is about 2^(-128). So if you truncate, you get a very strong result. That one is under an idealized assumption, h_k being a set of random functions, but we can also get something with no ideal assumptions at all: if h_k is strongly universal — pairwise independent — and the iterated Merkle-Damgård function is collision resistant against linear-size circuits (again, if these functions do not even have that property, forget about them — they would be terribly non-collision-resistant), then NMAC truncated by c bits satisfies this result, and this result is statistical closeness to uniform. So we do have a computational assumption, the collision resistance, but the conclusion is statistical. The reason is that we use the computational assumption only to establish a combinatorial property: we take collision resistance and say, if it is collision resistant like that, then it is also almost universal, which is combinatorial, and then you get a statistical result. And the reason we say "collision resistant" rather than "delta-AU" is that if you tell one of the standards people that we assume delta-almost-universality, they say, oh wow, that must be something very deep, I don't understand it; but if you say collision resistance against weak attackers, that sounds better. So if you do this truncation you get a very strong result with no ideal assumptions — no random oracles, no random functions.

Okay — I have time until when, six? How many people are still awake here? How many people know what HMAC is? How many people can write the HMAC formula now? Wow, we did something; it was worth coming from New York and leaving my beloved ramp behind. Okay — before I was going too slow, and now I am going too fast.

So, HKDF has been adopted into many standards. In TLS 1.0, which was an upgrade from SSLv3, I worked a little bit — not too much, I don't want to take credit for a terrible protocol — but I had a great achievement, and I think it is my greatest achievement as a cryptographer: the acronym PRF is in the standard. If you read the TLS RFC, there is a PRF there, and that is mine; that is my theoretical contribution to TLS. And now I can be even more proud, because now the word "extract" is part of the standard. Bonus achievement: the word "extract" made it into the standards. Anyway, HKDF is really gaining acceptance as a multi-purpose function, and let me show you why this is a good thing.

Let me show you this example from TLS 1.3 and how all these different properties of HMAC — as an extractor, a random oracle, a PRF, a collision-resistant function — are used in one very compact protocol. It says TLS 1.3 with an asterisk because this is unfortunately not quite TLS 1.3; it is a previous draft version. I had this written for a previous talk, so I had to take it as it was, but I will show afterwards that in some ways this example is even better
than the one I would have now; afterwards I will show you an application to TLS 1.3 exactly the way it is defined, but let's start with this one. So, TLS is most of the time used with server-only authentication: only the server authenticates, not the client. There is an option for the client to authenticate as well, but for this example it is enough to look at the server authenticating, and of course this is a very schematic representation showing only the elements I need for the example.

The two parties do a Diffie-Hellman exchange: the client sends g^x, and the server — which in this case has a Diffie-Hellman public key, a secret s with public key g^s — sends g^y, the ephemeral Diffie-Hellman value; a certificate showing that g^s is its key; and a MAC over g^x and g^y under a MAC key whose derivation is not important for the example. At the end they derive a session key from two values, g^(xs) and g^(xy). g^(xs) is computed by the server as (g^x)^s and by the client as (g^s)^x — the server's public key raised to x — and g^(xy) is the ephemeral Diffie-Hellman value computed from g^x and g^y. So the session key is derived from these two values, and it is derived using HKDF.

It looks like this: first they derive a key from g^(xs) — call it K_xs — using HKDF with a salt value of zero. Then they take g^(xy) and derive a key K_xy, again as HKDF with zero salt and input g^(xy). Finally, they take these two values, K_xs and K_xy, and derive the session key using HKDF, where K_xs is used as the salt and K_xy as the input key material. This is supposed to be secure as long as at least one of the two underlying values is unexposed. Forward secrecy is the case where g^(xs) is exposed — the secret key of the server is found, so the attacker knows s and can compute g^(xs), but it cannot compute g^(xy); that is what forward secrecy means. And if g^(xy) is exposed — because, say, y was not kept secure enough — then the other value saves you. The point is that you need to compromise both values in order to get the session key. So let's see what the functionality of each of these elements is.
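Schematically, the derivation just described looks as follows; this is only my sketch of the slide — the labels, and the use of a bare extract step for the final call, are illustrative, not the exact TLS 1.3* definitions.

```python
# Schematic derivation of the session key in the TLS 1.3* example above.
# g_xs and g_xy stand for byte encodings of g^{xs} and g^{xy}; names are mine.
import hmac, hashlib

def extract(salt: bytes, ikm: bytes) -> bytes:
    # HKDF-Extract: HMAC keyed with the salt.
    return hmac.new(salt, ikm, hashlib.sha256).digest()

ZERO = b"\x00" * 32

def session_key(g_xs: bytes, g_xy: bytes) -> bytes:
    k_xs = extract(ZERO, g_xs)   # used as a random oracle (DHIES-style proof)
    k_xy = extract(ZERO, g_xy)   # pure extract step: no authenticated salt available
    # k_xs acts as the salt, k_xy as the source key material; the result is good
    # as long as at least one of g^{xs}, g^{xy} remains uncompromised.
    return extract(k_xs, k_xy)   # expansion into traffic keys would follow
```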
Here, in the derivation of K_xs, we are using HKDF — HMAC with a zero key — as a random oracle. Why do we need a random oracle here? Because in the proof, to extract this key from g^(xs) — forget about HMAC or HKDF for a moment — the proof requires this to be a random oracle. This is basically DHIES — Diffie-Hellman Integrated Encryption Scheme, something like that, I can never remember the acronym. It is exactly that: the receiver has g^s, you send g^x, and you derive the key from g^(xs), but you derive it with a random oracle, and you need the random oracle for this to be CCA secure. Since I do not remember the name of the construction, I will at least tell you the authors: Abdalla, Bellare, and Rogaway — so you get half of it.

So here you need the random oracle, independently of this mechanism, because you need it for CCA security, and here we are using the fact that HMAC is provably a random oracle if the compression function is a random oracle. In the derivation of K_xy, we are using only the extract functionality. Unfortunately I have no salt to use here. As I said, we could have used the nonces — they are not shown here, but the parties exchange nonces — we could have used the nonces as salt, but the protocol does not authenticate them before we need to use them, and if the salt is not authenticated, the attacker can choose it; that means it can choose the seed after seeing the source distribution, and we do not like that. So we use the extract with a zero salt.

Now look: we wanted the property that if g^(xs) is not compromised, then the session key is secure. What property do we use for that? If g^(xs) is not compromised, then K_xs is a secret key, so HKDF gets a secret key and we get security from HMAC as a PRF: K_xs is not just a public salt, it is a secret salt, and we can use it as a PRF key. If g^(xs) is eventually compromised — the forward-secrecy case — then we still have HKDF keyed with K_xs, but now K_xs is public. However, it is still uniform, because it was uniform at the time it was produced by the honest parties; it only happened later that s was compromised. So it works exactly as a random but non-secret value, and that is enough for this step to work as an extractor.

So, again: in this step we use HMAC as a PRF; in this one as a random oracle, because the DHIES proof requires it for CCA security; here as a PRF; and here as an extractor. In one little piece of this protocol we are using all of the properties we claimed. And I wrote there "minimizing the use of the ROM". There is a philosophical question: if any element of your protocol uses something as a random oracle, why bother — why not model it as a random oracle everywhere? That is one approach. The other approach is: use it only where it is really required. Of course I am on the side of minimizing it, for two reasons. One is that we want to know, for every element of the protocol, what is necessary and what is sufficient. But also because these protocols change, or get used in different ways, and there are cases where, for example, this random oracle will not be needed — I think on the next slide we actually do not need a random oracle here. Anyway, that is to show you how all these elements come together in this nice way. [Why the zero salt?] Because we do not have authenticated randomness to use as salt.

One more thing: HMAC as a random oracle has some subtleties — I mentioned the issue with the keys. The point I was making is that I did not know about that subtlety when I defined HKDF; I used the fact that HMAC is a random oracle when the keys are not chosen adversarially, because they are either chosen by the honest parties or set to zero. Because theory says you are not supposed to choose seeds — I think I said that already; I am repeating myself, that's my age — anyway, since you are not supposed to
choose seeds after seeing the source, I really had this requirement: either the seed is random and chosen by the honest parties, or it is zero. And again, even though I did not have an attack, and did not know whether there really was one, following the theory is a very good advisor for avoiding surprises in the future.

Okay, now — I just want to tell you, as I said, that the example before is not what goes into TLS 1.3 now: the static g^s at the server is not there anymore; the server now signs things instead of using g^(xs). But there is something called resumption mode, which is the case where the client and the server exchanged a key in the past and are now resuming the session, or starting a new session, with the key they cached. You use that cached key, and everything is the same as I showed before except for the g^(xs) part; and the point — that the key, if not compromised, gives you a PRF, and if it is eventually compromised, it still works as an extractor — is exactly as I showed before. So this really does apply to the real TLS 1.3.

Now, it is interesting that, as I said, I never thought you would need collision resistance for key derivation: you do not have a situation where someone can choose two inputs that collide. We use collision resistance to justify some of the extraction properties — as a combinatorial property these functions need to have — but collision resistance of the output was not needed in any application I had in mind. It happens that in TLS 1.3 — I will not get into the details of how — they use some of the derived keys as follows. Client and server talk for the first time and exchange a key; they cache that key for future use — that is the typical resumption setup. Now, the key they cache actually needs to be bound to the parameters of the first session in which it was exchanged: to the identities of the parties, maybe to the certificate the server sent, to the negotiation of the cryptographic algorithms applied in the session, all kinds of things. So they use these keys not only as keys for MAC or encryption, but also as a binder of this history. And when you use a string as a binder, you require collision resistance. There is an issue with key exchange: in key-exchange protocols, the only assurance our models give you about a key is that if you exchanged it with an honest party, then the key is secure; if you exchanged it with a dishonest party, the models assure nothing about that key. In particular, if I exchange a key with an attacker, and the attacker exchanges a key with someone else, it can arrange to use the same key — so there can be collisions on the keys. For key exchange by itself that is not a problem, but for this binding application it is, and to avoid it you need the key derivation function itself to be collision resistant. Of course this is something HMAC, and therefore HKDF, does well, because it inherits collision resistance from the hash function in a quite straightforward way. So that is another property that TLS 1.3 uses. Okay, what do I want
to do? I have 25 minutes. Actually, let's see — I want to do something else. Okay, this part I do not want to do; let me give my philosophical bit instead. It is not about theory versus practice in the sense of one against the other — should I do theory, should I do practice. There is a very interesting dynamic interaction between theory and practice, particularly in cryptography. It is a balancing act: we always try to push more on the side of the theory, and then the practitioners come and say no, no, no — and then, okay, I will change things a little, but don't force me too much. It is a negotiation with real life. Twenty years ago, believe me, it was hard; today we get much more respect, thanks to the fact that designs done without a good theoretical basis usually break over time.

But theory is not a panacea. It is not that if you follow theory everything is perfect: no proof is better than the model it is based on, and the question is whether the model covers more or less of what can be a practical attack. So we cannot exaggerate and just say, because I have a proof assuming the compression functions are a random family, everything is fine; we have to understand what we are getting, and also the limitations. But of course — I don't have to tell you this, but I will anyway — crypto without theoretical analysis has no value. There is no empirical evidence that a cryptographic scheme is secure. There is this universal quantifier that says "for all adversaries", and "for all adversaries" means you cannot model the adversaries other than mathematically. So any time someone argues with you about the importance of proofs and theory in cryptography, you tell them: universal quantifiers. It is not about making something faster and showing that it is faster.

Cryptography has been amazingly successful in putting concepts and methods to practical use — both the formalization of things and some of the basic primitives. Most of the crypto we produce, unfortunately, is not used; most of it will never be used, because we produce too much and there are not enough applications. So in the sense of building new functionality and putting it to work in the real world we have not been that successful; I hope this new generation will see better, or at least more, uses of sophisticated cryptography. But in the meantime, even when you come to analyze these kinds of things — simulation, indistinguishability, extraction — all these abstractions are unbelievably useful. And a little bit of advertisement: we need more involvement of researchers with practice. Do not complain later that the practitioners don't know what they are doing. Definitely do not leave the theory, but at the same time pay attention to this kind of thing. So, that was the philosophical speech.

Now I need to have a discussion with myself: I really wanted to do something more here, and I need to see whether the remaining time is enough for it. I will tell you about it — I will not show it in full detail, but it is a fun application. Okay.
Basically, the first part covers things that Yevgeniy already covered in his talk, but as I learned some time ago, never underestimate the power of repetition — and I take that so seriously that I repeat, again and again, the very idiom "never underestimate repetition". Anyway: the leftover hash lemma. We all know what the leftover hash lemma says; the only thing I care about here is the following. Let me fix notation, because k now plays a different role than before: we start with a source of min-entropy m and we want to produce some number of output bits; on these slides k is the output length and the seed is the key to the hash function used in the leftover hash lemma. We are interested in an extractor whose output is close to uniform, and the leftover hash lemma says that for any source and any extractor you must lose something: you need enough entropy so that there is a gap between the entropy you have and the number of output bits you produce. Let me start again. Call L the difference between the min-entropy of the source and the number of bits you want to output. Then the leftover hash lemma says that the distance from uniform is at least 2^(-L/2). This is something you can achieve, for example with pairwise-independent hash functions, and there is also a theorem — it should be somewhere on the slide — saying that it is optimal: whatever way you build your extractor, you are bound by this loss. That optimality is the RT bound, due to — of course I will not tell you whose it is — Radhakrishnan and, I think, Ta-Shma; yes, Ta-Shma, I got it right.

Let me go to a numerical example, for the application to key derivation. Say you have an elliptic-curve group of 160 bits and you need to derive a 128-bit AES key. What this says is that if you take this elliptic-curve group — which we assume is a DDH group — and you extract 128 bits, then the best security you can expect is 2 to the minus half the difference, that is, 2^(-16), which is not very good. If you have a 256-bit group and you derive a 160-bit key, you get an epsilon of 2^(-48). And you cannot do better — not only if you extract via the leftover hash lemma, but with any other extractor, because of the RT bound. So we must accept a 2^(-L/2) security degradation.
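In symbols, with m the min-entropy of the source, k the number of extracted bits, and L = m − k the entropy gap, the bound and the two examples read:

```latex
% Leftover hash lemma loss, with the numerical examples above
\[
  \varepsilon \;\ge\; 2^{-L/2}, \qquad L = m - k \quad (\text{entropy gap}),
\]
\[
  m=160,\ k=128:\ \varepsilon \approx 2^{-16}; \qquad
  m=256,\ k=160:\ \varepsilon \approx 2^{-48}.
\]
```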
However — and I think Yevgeniy told you this already, I wasn't here — that loss in security is unavoidable if you want a fully general statement; but consider applying it to a cryptographic setting, for example a MAC application. How do you break a MAC? By guessing the tag of a message that was not queried to the MAC function. So it is an unpredictability problem: you need to guess a value. In that case we know the attacker has a very tiny probability of guessing correctly, which means that the set of MAC keys on which the attacker has any significant probability of success is very, very tiny. Intuitively, for extractors that spread the input points over the outputs in a reasonably uniform way, you do not expect the 2^(-L/2) deviation that must be there to fall entirely on this tiny set of keys where the attacker succeeds. That is the intuition; what can be shown is the following. If you start with an application where the attacker has success probability epsilon on uniform n-bit keys — these are the cryptographic keys of the MAC — then the plain leftover hash lemma tells you that, choosing the keys via the extractor, the attacker's probability increases by the 2^(-L/2) term, which is not great: it gives you the 2^(-16), the 2^(-48). But in the case where the attacker succeeds only on a tiny set, you can show something better. Basically, you can borrow from the security of the underlying cryptographic primitive to compensate in the statistical distance, so the security degradation is a smaller quantity than 2^(-L/2).

Let me show some numerical examples. Take the example from before, deriving a 128-bit AES key from a 160-bit group, and assume AES has an epsilon of 2^(-96). The leftover hash lemma would lower the security to 2^(-16), but with the generalized leftover hash lemma you get security of about 2^(-64) — not the original 2^(-96), but much better than 2^(-16). If you go from 256 bits to a 160-bit key, where, say, HMAC-SHA-1 has an epsilon of 2^(-80), the leftover hash lemma gives you 2^(-48), while the generalized leftover hash lemma essentially takes you back: you are not losing real security in this case. And it gets even better: you can even gain entropy. If you go from a 160-bit elliptic-curve group to a 256-bit HMAC-SHA-256 key used as a MAC, and you assume the security of 256-bit HMAC is 2^(-200), then the security with the extracted key is about 2^(-52): the square root of epsilon contributes the original 200 divided by two, multiplied by the factor coming from the (now negative) entropy gap, giving 2^(-52). So even though you expanded the min-entropy of the input into something longer, you are still fine, because the security of the cryptographic primitive helps compensate for the loss coming from the extractor.
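For reference, here is the bound behind these numbers in symbols — I am paraphrasing from memory, so take the exact expression from the paper rather than from me; L is again the entropy gap m − k (negative in the last example):

```latex
% Generalized leftover hash lemma for unpredictability applications (approximate form)
\[
  \varepsilon' \;\lesssim\; \varepsilon + \sqrt{\varepsilon \cdot 2^{-L}}, \qquad L = m - k ,
\]
\[
  \varepsilon = 2^{-96},\ L = 32:\ \varepsilon' \approx 2^{-64}; \qquad
  \varepsilon = 2^{-200},\ L = -96:\ \varepsilon' \approx 2^{-52}.
\]
```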
Now, all of this is for unpredictability-type applications — a MAC, inverting a function, key recovery — where the attacker has a very small probability of success. What about indistinguishability? Say we want to break encryption by distinguishing: the attacker gives two messages and guesses which one was encrypted. Here the attacker's success probability is huge — one half plus epsilon — not a tiny quantity. So can we also enjoy this borrowing of security from the underlying primitive in that case? The negative answer is: no, not in general. One-time pads, pseudorandom functions, pseudorandom generators cannot benefit from this generalization, in the sense that I can show, for each of them, an example with an attack showing you cannot really improve. There is a characterization of the cases — fortunately, of course, otherwise I would not be telling you any of this — where it does work. The characterization is this. We are talking about indistinguishability, so the attacker's output is a bit: there is a challenger that runs some experiment on a secret random bit, and the attacker needs to guess the bit, succeeding with probability one half plus something. Suppose you are in a situation where you run the attacker, it is about to output a bit b, but before it does, you do the following: you simulate the challenger. For example, for an encryption scheme — what does the challenger do? The attacker chooses m_0 and m_1, the challenger picks one at random, encrypts it, and we see whether the attacker guesses which one. Now you say to the attacker: wait, before you output your bit b, I will test you — let's run another round in which you give me m_0 and m_1 and I will play the challenger, and I will see whether you answer correctly. Since this time I am the one choosing m_0 or m_1, I know whether the attacker was right or not in this second run. So any setting that allows the attacker to check itself — to test whether it is succeeding in the experiment — any application where you can do this self-check can enjoy the generalized leftover hash lemma, with the square root of epsilon as we saw before. And that includes encryption, both public-key and symmetric.

And here is the bad news in this story: it does not include pseudorandom functions or pseudorandom generators. What I would have liked to do is build a key derivation function using the leftover hash lemma, with real extractors, and improve the security of the output using something like this. Unfortunately, if I use some extractor on my source to get a key, and then derive more keys the way I normally would — take that key, use it with a pseudorandom function, and get the other keys — then the generalized lemma does not apply to that PRF step; I gain nothing. That is the bad news: it is not applicable to general KDFs. But wait, not all is lost: the good news applies to weak PRFs. What is a weak PRF? A weak PRF is a PRF that is only required to be secure when all the attacker sees are values of the function on random inputs — a weaker notion than a PRF. Because weak PRFs do enjoy the generalized leftover hash lemma, here is a way to build a KDF. I have my entropy source and an extractor that works for that source, outputting k bits. The inputs to the KDF are: the sample x from the source, a random seed s for the extractor — whatever the extractor is — and also a random input w for the weak PRF.
The way I compute the key is this: I view the seed of the KDF as the pair (s, w); I use the extractor with seed s in the regular way to get a key; and then I use that key to key the weak PRF on the random input w that is part of my seed, and that is my output key. So I took the extractor and did everything as before — extractor gives a key, the key goes into the weak PRF — but I also include, as part of my seed, a random input to the weak PRF. And now I actually get all the benefits of the generalized leftover hash lemma on this derivation, because weak PRFs are one of the cases where the generalized LHL works. After I output that key, if I want more keys, I am fine: now I can use the key k as a regular PRF key, and I am free to do whatever I want, because the guarantee I already have is that this output is away from uniform by only that epsilon plus square-root-of-epsilon times 2^(-L/2) quantity.

Why does the self-check work for weak PRFs? Because with a weak PRF you can play that game. The real game is that the attacker queries the function — say it queries only once — and then decides: the challenger returns either a random value or the output of the PRF on a random input, the attacker thinks and says, okay, the bit is zero. Now I stop it and say: you know what, let's play the game again — I will give you the value on another random input, and in this simulated run I choose whether to give you the real value of the second sample or a random one, and I see how you answer. If the second time the adversary is right, I output its original bit b; if the second time it is wrong, I output the opposite bit. It is a beautiful thing — if we had more time I could convince you that if you run this multiple times you approximate the adversary's success probability, but even a single run is enough to give this result. [Yes — "square-friendly" is exactly the term that describes this property, right.]
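Here is a minimal sketch of that extract-then-weak-PRF KDF, with a truncated pairwise-independent hash modulo a prime as the extractor and HMAC-SHA-256 standing in for the weak PRF; all names and parameter sizes are mine, purely for illustration.

```python
# Sketch of the KDF that enjoys the generalized LHL: extract with a (near)
# pairwise-independent hash, then apply a weak PRF on a random public input w.
# HMAC-SHA-256 stands in for the weak PRF; parameters are illustrative only.
import hmac, hashlib, secrets

P = 2 ** 521 - 1          # a prime larger than any source sample we will feed in
KEY_BITS = 256

def extract(seed: tuple, x: int) -> bytes:
    a, b = seed
    v = (a * x + b) % P                                   # hash h_{a,b}(x) = ax + b mod P
    return (v & ((1 << KEY_BITS) - 1)).to_bytes(KEY_BITS // 8, "big")  # truncate to k bits

def kdf(x: int, seed: tuple, w: bytes) -> bytes:
    k = extract(seed, x)                                  # statistical extraction step
    return hmac.new(k, w, hashlib.sha256).digest()        # weak-PRF step on the public random w

# The public "salt" of this KDF is the pair (seed, w); both are random but non-secret.
seed = (secrets.randbelow(P), secrets.randbelow(P))
w = secrets.token_bytes(32)
session_key = kdf(secrets.randbits(400), seed, w)         # x stands for the entropy sample
```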
So let me finish by telling you what we did not do, and leave it at that. We now have a key derivation function that enjoys the benefits of the generalized leftover hash lemma. What we did not solve, at least at the practical level, is the seed length: for the regular extractors, at least the simple ones, universal hash functions, the seed is as long as the input. So you want to ask, how can we reduce it? There are theoretical constructions of extractors with shorter seeds, but as I said before, it would be interesting to find ones that are also truly practical. If you want to use universal hash functions, which are very simple, what you could do is start with a short seed, run a PRG on it to get a long seed, and use that long seed as the seed of your universal hash function. But then you will be publishing the short PRG seed s, so the question is: if I give you the output of a PRG together with its seed, how secure is the result? We are back to something very similar to HMAC with a non-secret key. I said there that PRFs with a non-secret key can be insecure, but that to make them insecure you have to use public-key-type structure — quadratic residuosity, DDH, and so on. Here it is exactly the same. We can prove that in Minicrypt — Minicrypt is a world where one-way functions exist but there is no public-key cryptography — if you expand the seed with a pseudorandom generator and build the extractor with the PRG seed made public, it is secure. How do we show that? We show that if there is a distinguisher, then we can build a public-key scheme out of that distinguisher. Now, we do not believe we live in Minicrypt — we believe we do have public-key cryptography — but the other way of looking at this result is: since the PRG can be built from something like AES, the result means that if you can break the extractor built this way, then we can build a public-key system based solely on AES; and since we do not believe that is possible, maybe that is enough evidence that the construction is secure. It is a bit of a cheat, because the distinguisher can be very complicated, so it is not that you get something as simple and clean as AES itself, but I think it is interesting to see these variations of the same issue we had with PRFs with a non-secret seed.

[Question.] No — the claim is: if you can show me a distinguisher for that construction of an extractor, where the published seed is the short s but the seed actually used by the extractor is the longer one stretched with the PRG — if you can break that construction and give me a distinguisher, I will build a public-key scheme based on your distinguisher. I mean, yes, I will build the public-key scheme using AES together with your distinguisher — of course, of course, that goes without saying — and it will be very simple too.

Anyway, I have kept you long enough. Thank you very much. By the way, since I am leaving tonight, I wanted to thank the organizers — everyone on the committee — for inviting me; certainly the local people, Jessica and Joanna and the others, and also the young ones — sorry, you are young too — Zaira, Antonio. Really, it was one of the best schools I have participated in, at least before my talk. Okay, whoever wants to stay can ask questions; other people can leave — what time is it?

[Question: what if you start from a computational extractor?] Yes, but with computational extractors the limits of the leftover hash lemma do not apply: with a computational extractor I can extract whatever I need and then stretch it to any length with a PRG. [Question: you said the PRF is necessarily almost universal — is that true?] With a secret seed or with a public one? If you use a secret seed, a secret key, then the PRF is indistinguishable from a random function, so anything that holds for a random function holds for it. Wait — but you do not have a secret key here; if you have a secret key, then HMAC as a PRF already gives you all these goodies. With a secret seed — what is not clear to me is how you would use HMAC with a secret seed in the extraction applications: if you can afford a secret seed, HMAC is a PRF, its outputs are indistinguishable from random values, and you are fine — you do not need any extraction beyond that, if the key
is secret. But if the key is not secret, then it can be a fixed value or it can be a salt, a random value; and again, if it is random but public, you get nothing directly from being a PRF, because a PRF with a public, non-secret key can be completely insecure. As for universal hashing: that is a combinatorial property, there is no attacker. It says that for any pair of inputs, the number of functions in the family that send those two inputs to the same value is small. You can view it as a game if you like: the attacker gives you a pair, you choose a key, and you check whether the two inputs collide. I am still not sure exactly where you are going with this, but one thing I can tell you is that PRFs are excellent weak extractors, because in the weak-extractor setting you do not publish the seed and you do not need to be close to uniform conditioned on the seed. So PRFs are excellent weak computational extractors, that is for sure; that part we can agree on, and I hope you agree too.

You can relax that, yes. In this case all I can say is that the stronger the model, that is, the weaker the attacker, the better. And not only because it is better to be beautiful and rich than ugly and poor, but because in these applications you really do find a range of situations. In the random-oracle case, the best strategy for the attacker is simply to choose the Q heaviest elements of the distribution; in particular it is a non-adaptive strategy, and you can actually let the attacker make its Q queries and then choose the rest of the distribution any way it wants, as long as it respects the m bits of entropy. That is the weakest form of independence you can ask for in this case. Essentially it means the following. The basic claim, probably the way it is written in the papers, is that you assume the random oracle to be independent of the source. In practice your random oracle is based on some hash, say SHA-2, and the source is probably also based on SHA-2: even the Diffie-Hellman exponents, how did you choose them? You hashed something. To say that these things are independent is quite a stretch. But the situation is not that bad, because the only independence you really need is that the exponents chosen using SHA-2 were obtained by applying SHA-2 to something different from the points where your extractor applies it; in the random-oracle view, as long as you never query that particular point, you are fine. The bottom line of this whole discussion is that it shows how important it is to use a keyed random oracle: even if you use the same SHA, at least use it with different, independent keys. From a practical point of view I think that is an important point to make.
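As a small illustration of that recommendation (entirely my own toy example, with a toy group and invented helper names, not something from the papers): the source below already uses SHA-256 internally to pick its exponents, so the extraction step keys the same hash through HMAC with a fresh random salt instead of applying plain SHA-256 again, which keeps the extractor's hash evaluations independent of the hash calls made inside the source.

```python
# Toy illustration only: the source uses SHA-256 internally, so extraction
# keys the same hash with an independent random salt via HMAC.
import hashlib, hmac, secrets

p = 2**127 - 1        # toy modulus, far too small for real use
g = 5

def pick_exponent(local_randomness: bytes) -> int:
    # The source itself is built on SHA-256, as in the discussion above.
    return int.from_bytes(hashlib.sha256(local_randomness).digest(), "big") % p

def shared_secret() -> bytes:
    x = pick_exponent(secrets.token_bytes(32))
    y = pick_exponent(secrets.token_bytes(32))
    return pow(pow(g, x, p), y, p).to_bytes(16, "big")

# Extraction: same underlying hash, but keyed with an independent public salt,
# so it is evaluated at points the source never hashed itself.
salt = secrets.token_bytes(32)
prk = hmac.new(salt, shared_secret(), hashlib.sha256).digest()
```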
So: HMAC is indifferentiable from a random oracle under some constraints on the keys. As I said, you can think of it as having a set of weak keys, the way we usually have weak keys for encryption in cryptography, meaning a subset of keys such that if you choose from them something can go wrong. In that sense HMAC is indifferentiable from a random oracle except for a set of weak keys. This is exploitable only in settings where the attacker can choose the keys: if the keys are chosen at random, or fixed to zero, or something like that, there is no problem. In a setting where the attacker can choose the keys, and can choose variable key lengths, and play with all kinds of other constraints, then you have an issue. But the bottom line of that result is that you can prove indifferentiability except for this set of weak keys, which is well defined and does not really come up in practice in any application I know of. And it is very nice work; as you can imagine I am not going to say who the authors are, and if one of them were here I would have had to say he is one of the gods. It is very nice that, when they were trying to prove indifferentiability, they found these things, which are very non-intuitive; in particular, if instead of a family of keyed random oracles you look at it as a single function, then it is perfectly indifferentiable. More questions? Okay, who wants to come up and write the definition of HKDF? I think you have had enough of me. Thank you very much.