[noise] BLAKE2 as a diffie-hellman entropy extractor

Jason A. Donenfeld Jason at zx2c4.com
Tue Oct 13 03:27:44 PDT 2015


Hi Jean-Philippe,

I'm working on a protocol that does a certain type of keychaining
using HKDF [1, 2]. It takes as its input data the result of an
elliptic curve diffie-hellman multiplication and as its input key the
previous value chaining key, and produces a new chaining key:

    (chaining_key, encryption_key) = HKDF-HMAC(chaining_key, ECDH_multiply(a, B))

I'm certain this is correct and fine. Internally this amounts to:

    HKDF-HMAC(chaining_key, diffie_hellman_result):
        temp_key = HMAC-SHA256(chaining_key, diffie_hellman_result)
        output1 = HMAC-SHA256(temp_key, 0x01)
        output2 = HMAC-SHA256(temp_key, output1 || 0x02)
        return (output1, output2)

One way to replace this with BLAKE2 would be to make this
modification, which I'm pretty sure is okay:

    HKDF-BLAKE2(chaining_key, diffie_hellman_result):
        temp_key = BLAKE2bKeyed(chaining_key, diffie_hellman_result)
        output1 = BLAKE2bKeyed(temp_key, 0x01)
        output2 = BLAKE2bKeyed(temp_key, output1 || 0x02)
        return (output1, output2)

This is a bit dissatisfying though. Really I'd like to do this instead:

    BLAKE2(chaining_key, diffie_hellman_result):
        temp_key = Blake2b(chaining_key, diffie_hellman_result)
        return (temp_key[0:31], temp_key[32:63])

However, I'm told [3] on the noise list (CC'd) that HKDF is proven to
be both a PRF and an entropy extractor, whereas BLAKE2 is only proven
to be a PRF, but not an entropy extractor. And it's necessary to use
an entropy extractor when making use of diffie-hellman results.
Therefore, simply using BLAKE2, as I've done in the third function
above, is not okay.

I was hoping this wasn't the case. If it isn't the case, do you know
of any published claims that BLAKE2 in keyed mode functions as an
entropy extractor? Or, if not, do you have any arguments why it might
be okay to use anyway? Or do I really have to bite the bullet, accept
the facts, and stick with HKDF?

Thanks,
Jason

[1] https://tools.ietf.org/html/rfc5869
[2] https://eprint.iacr.org/2010/264.pdf
[3] https://moderncrypto.org/mail-archive/noise/2015/000310.html
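A runnable version of the three constructions sketched in the message, added here as an example and not code from the original post or from the Noise project. It uses only hashlib/hmac from the Python standard library and adds an independently written RFC 5869 HKDF so that the two-output HMAC form can be checked against HKDF-Expand with empty info and L = 64; the chaining key and DH result are constructed sample bytes, not real protocol values.

```python
import hashlib
import hmac

HASH_LEN = 32  # SHA-256 digest length, the HKDF "HashLen"


def hkdf_hmac_sha256(chaining_key: bytes, dh_result: bytes):
    """The HKDF-HMAC construction from the post: salt = chaining_key,
    IKM = dh_result, info empty, two 32-byte output blocks."""
    temp_key = hmac.new(chaining_key, dh_result, hashlib.sha256).digest()    # extract: PRK
    output1 = hmac.new(temp_key, b"\x01", hashlib.sha256).digest()            # expand: T(1)
    output2 = hmac.new(temp_key, output1 + b"\x02", hashlib.sha256).digest()  # expand: T(2)
    return output1, output2


def hkdf_rfc5869(salt: bytes, ikm: bytes, info: bytes, length: int) -> bytes:
    """Generic RFC 5869 HKDF-SHA256 (extract then expand), written
    independently so it can cross-check hkdf_hmac_sha256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, t = b"", b""
    for i in range(1, -(-length // HASH_LEN) + 1):  # ceil(length / HashLen) blocks
        t = hmac.new(prk, t + info + bytes([i]), hashlib.sha256).digest()
        okm += t
    return okm[:length]


def hkdf_blake2b_keyed(chaining_key: bytes, dh_result: bytes):
    """Second construction: same shape as HKDF, with keyed BLAKE2b
    (64-byte digest, key up to 64 bytes) in place of HMAC-SHA256."""
    temp_key = hashlib.blake2b(dh_result, key=chaining_key).digest()
    output1 = hashlib.blake2b(b"\x01", key=temp_key).digest()
    output2 = hashlib.blake2b(output1 + b"\x02", key=temp_key).digest()
    return output1, output2


def blake2b_split(chaining_key: bytes, dh_result: bytes):
    """Third construction: one keyed BLAKE2b call, digest split into halves."""
    temp_key = hashlib.blake2b(dh_result, key=chaining_key).digest()
    return temp_key[:32], temp_key[32:]


# Constructed sample inputs (not real protocol values): a 32-byte chaining key
# and a 32-byte stand-in for an elliptic curve DH shared secret.
SAMPLE_CK = bytes(range(32))
SAMPLE_DH = bytes(range(100, 132))

if __name__ == "__main__":
    for name, fn in [("HKDF-HMAC-SHA256", hkdf_hmac_sha256),
                     ("HKDF-BLAKE2b-keyed", hkdf_blake2b_keyed),
                     ("BLAKE2b-split", blake2b_split)]:
        ck, ek = fn(SAMPLE_CK, SAMPLE_DH)
        print(f"{name}: chaining_key={ck.hex()[:16]}... encryption_key={ek.hex()[:16]}...")
```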
