[noise] PSK-based resumption, postquantum, and XOFs

Trevor Perrin trevp at trevp.net
Fri Nov 24 09:11:50 PST 2017


On Fri, Nov 24, 2017 at 9:06 AM, Trevor Perrin <trevp at trevp.net> wrote:
>
> So if we want to plug XOFs into Noise, I'd suggest adopting a simple,
> SHAKE-like notion, and then constructing what we need on top of that.
>
> Putting this together, Noise could require choosing either a HASH or
> XOF.  If a HASH is chosen, these functions are constructed:
[...]


Better explanation:

Noise could require the user to choose either a HASH or XOF.  Noise
could use "constructions" to provide the full set of functions (HASH,
PRF, KDF, XOF).  These functions would be used as follows:
 - HASH for transcript hashing
 - PRF for "extra" key derivation (e.g. resumption PSKs)
 - KDF for MixKey()
 - XOF for public-key algorithms like Kyber

If a HASH is chosen, these functions are constructed:
 - PRF(key, message) = HMAC(key, message)
 - KDF(key, input) = HKDF(key, input)
 - XOF(input) = HKDF(<zerolen>, input)

If an XOF is chosen, these functions are constructed:
 - HASH(message) = XOF(message)
 - PRF(key, message) = XOF(pad_to_block(key) || message)
 - KDF(key, message) = XOF(pad_to_block(key) || input)


Trevor


More information about the Noise mailing list