Re: [PATCH 4/6] crypto: hkdf - RFC5869 Key Derivation Function

From: James Bottomley
Date: Sun Jan 13 2019 - 11:52:34 EST


On Sun, 2019-01-13 at 08:56 +0100, Stephan MÃller wrote:
> The question may arise why to plug the KDFs into RNGs. The answer is
> quiteÂsimple: KDFs are a form of random number generator. In that
> they take someÂinput for initialization (aka seed, salt, key,
> personalization string). ThenÂthey produce pseudo-random bit
> sequences of arbitrary length. Possibly theÂgeneration operation can
> be modified by providing some additional input to beÂused by the
> generation process (aka label, context, info string, additionalÂ
> information string). Thus, the RNG interface is a natural fit for the
> KDFs.

Philosophically, that's quite wrong. KDFs are a class of pseudorandom
functions (PRFs). PRFs are designed so that the output is
indistinguishable from a random number generator to observers who don't
know the input but is deterministically useful for participants who do.
That means the're definitely not RNGs they're functions whose output
is designed to look like the output of an RNG.

I suppose the mathematical thing that distinguishes PRFs and RNGs is
entropy: PRFs have zero entropy because given the same inputs you
expect the same output. Now whether it makes sense to use the RNG API
or not I'll leave that up to the crypto people. I would have expected
any cryptographic RNG API to be mostly about entropy management (the
Linux core internal one certainly is), but it appears that the one in
crypto isn't.

James