[noise] hkdf branch with arbitrary-length keyed hashing functions
Trevor Perrin
trevp at trevp.net
Mon Oct 12 21:04:21 PDT 2015
On Mon, Oct 12, 2015 at 5:57 PM, Jason A. Donenfeld <Jason at zx2c4.com> wrote:
> On Mon, Oct 12, 2015 at 8:17 PM, Jason A. Donenfeld <Jason at zx2c4.com> wrote:
>> Any objections or security considerations with regards to this?
>
> *If* this turns out to be safe, we've also won a huge performance
> speedup, making this variant of the hkdf branch actually faster than,
> rather than slower than, the n0 branch.
I don't think there's any huge speedup possible here: the key
derivation / hashing is a fraction of a single DH.
> For each MixKey():
> - n0: 1 or 0 encryption + 2 hash
> - hkdf: 6 hash
> - blake2b-kdf: 1 hash
Note that blake2b-kdf hashes 2 blocks x 128 bytes per block = 256
bytes. HKDF with SHA256 hashes 12 blocks x 64 bytes = 768 bytes.
Trevor
More information about the Noise
mailing list