[noise] Analysis of Noise KDF
Jason A. Donenfeld
Jason at zx2c4.com
Thu Apr 28 15:11:59 PDT 2016
> (Lemma 6) If the HMAC inner hash's compression function is a
> "statistical extractor" and a "Dual-PRF", i.e. a PRF when keyed
> through the message, not the IV, then HMAC is a computational
> extractor when all hash input blocks have high entropy, a condition
> met by 25519 with all current Noise hash functions, and 448 with the
> 512-bit hash functions.
That's interesting. You may consider adding this to the security
precautions section of the Noise spec itself -- not to use 448 with the
512-bit hash functions. The worst that could happen is you wind up with
less entropy, though hopefully you still in fact do have 256-bits of it, in
that case.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://moderncrypto.org/mail-archive/noise/attachments/20160429/781e2f30/attachment.html>
More information about the Noise
mailing list