It may be prudent to use a FIPS 140-1/2 certifiable PRF, such as defined in FIPS 186-2 using SHA-1 in the core. I'm not sure if p1363a's KDF2 is the same as FIPS 186-2 G function-based PRF.

 

- Tolga

>>> ekr(_at_)speedy(_dot_)rtfm(_dot_)com 2/20/01 16:11:53 >>>
William Whyte <WWhyte(_at_)baltimore(_dot_)com> writes:
> > >William suggests byte reversal instead, which seems ok from both
> perspectives.
> >
> > Okay.  So, since bitwise-NOT and bit-reversal both have shortcomings, what
>
> > are you going to use as the mandatory to implement transform?
>
> As Stephen says, I've suggested byte reversal. In fact, what I
> would most like to see as the mandatory to implement transform
> is X9.63 key derivation (the key derivation function referred
> to as KDF2 in IEEE P1363a), but to the best of my knowledge there's
> no stable, freely-available description of this that we could
> reference. If anyone fancied writing it up as an RFC that'd
> be very nice...
How about using the PRF from TLS? It's HMAC-based, widely viewed
as strong, and easily referenceable.

-Ekr