[noise] Hash len > cipher len in tls1.2

[Tony Arcieri]

Since a hash function is effectively a PRF as opposed to a PRP, you run the
possibility of collisions and therefore have to account for the birthday
bound/pigeonhole principle. For a given security level, you take the square
of the key size you would otherwise use with a symmetric cipher.

-- 
Tony Arcieri
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://moderncrypto.org/mail-archive/noise/attachments/20160304/b5b6fe7d/attachment.html>