<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">On Fri, Apr 29, 2016 at 2:29 AM, Trevor Perrin <span dir="ltr"><<a href="mailto:trevp@trevp.net" target="_blank">trevp@trevp.net</a>></span> wrote:<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"><span class=""> > This is simpler and less expensive computationally<br> <br> </span>It's not simpler<br></blockquote><div><br></div><div>Here's specifically what I mean. Here is HKDF:</div><div><br></div><div><font face="monospace, monospace">static void kdf(u8 *first_dst, u8 *second_dst, const u8 *data,</font></div><div><font face="monospace, monospace"><span class="" style="white-space:pre"> </span>size_t first_len, size_t second_len, size_t data_len,</font></div><div><font face="monospace, monospace"><span class="" style="white-space:pre"> </span>const u8 chaining_key[NOISE_HASH_LEN])</font></div><div><font face="monospace, monospace">{</font></div><div><font face="monospace, monospace"><span class="" style="white-space:pre"> </span>u8 secret[BLAKE2S_OUTBYTES];</font></div><div><font face="monospace, monospace"><span class="" style="white-space:pre"> </span>u8 output[BLAKE2S_OUTBYTES + 1];</font></div><div><font face="monospace, monospace"><span class="" style="white-space:pre"> </span>BUG_ON(first_len > BLAKE2S_OUTBYTES || second_len > BLAKE2S_OUTBYTES);</font></div><div><font face="monospace, monospace"><br></font></div><div><font face="monospace, monospace"><span class="" style="white-space:pre"> </span>/* Extract entropy from data into secret */</font></div><div><font face="monospace, monospace"><span class="" style="white-space:pre"> </span>blake2s_hmac(secret, data, chaining_key, BLAKE2S_OUTBYTES, data_len, NOISE_HASH_LEN);</font></div><div><font face="monospace, monospace"><br></font></div><div><font face="monospace, monospace"><span class="" style="white-space:pre"> </span>/* Expand first key: key = secret, data = 0x1 */</font></div><div><font face="monospace, monospace"><span class="" style="white-space:pre"> </span>output[0] = 1;</font></div><div><font face="monospace, monospace"><span class="" style="white-space:pre"> </span>blake2s_hmac(output, output, secret, BLAKE2S_OUTBYTES, 1, BLAKE2S_OUTBYTES);</font></div><div><font face="monospace, monospace"><span class="" style="white-space:pre"> </span>memcpy(first_dst, output, first_len);</font></div><div><font face="monospace, monospace"><br></font></div><div><font face="monospace, monospace"><span class="" style="white-space:pre"> </span>/* Expand second key: key = secret, data = first-key || 0x2 */</font></div><div><font face="monospace, monospace"><span class="" style="white-space:pre"> </span>output[BLAKE2S_OUTBYTES] = 2;</font></div><div><font face="monospace, monospace"><span class="" style="white-space:pre"> </span>blake2s_hmac(output, output, secret, BLAKE2S_OUTBYTES, BLAKE2S_OUTBYTES + 1, BLAKE2S_OUTBYTES);</font></div><div><font face="monospace, monospace"><span class="" style="white-space:pre"> </span>memcpy(second_dst, output, second_len);</font></div><div><font face="monospace, monospace"><br></font></div><div><font face="monospace, monospace"><span class="" style="white-space:pre"> </span>/* Clear sensitive data from stack */</font></div><div><font face="monospace, monospace"><span class="" style="white-space:pre"> </span>memzero_explicit(secret, BLAKE2S_OUTBYTES);</font></div><div><font face="monospace, monospace"><span class="" style="white-space:pre"> </span>memzero_explicit(output, BLAKE2S_OUTBYTES + 1);</font></div><div><font face="monospace, monospace">}</font></div><div><br></div><div>And here is the more simpler alternative I suggested:</div><div><br></div><div><font face="monospace, monospace">static void kdf(u8 *first_dst, u8 *second_dst, const u8 *data,</font></div><div><font face="monospace, monospace"><span class="" style="white-space:pre"> </span>size_t first_len, size_t second_len, size_t data_len,</font></div><div><font face="monospace, monospace"><span class="" style="white-space:pre"> </span>const u8 chaining_key[NOISE_HASH_LEN])</font></div><div><font face="monospace, monospace">{</font></div><div><font face="monospace, monospace"><span class="" style="white-space:pre"> </span>u8 secret[BLAKE2S_OUTBYTES];</font></div><div><font face="monospace, monospace"><span class="" style="white-space:pre"> </span>BUG_ON(first_len > BLAKE2S_OUTBYTES || second_len > BLAKE2S_OUTBYTES);</font></div><div><font face="monospace, monospace"><br></font></div><div><font face="monospace, monospace"><span class="" style="white-space:pre"> </span>/* Extract entropy from data into secret */</font></div><div><font face="monospace, monospace"><span class="" style="white-space:pre"> </span>blake2s_hmac(secret, data, chaining_key, BLAKE2S_OUTBYTES, data_len, NOISE_HASH_LEN);</font></div><div><font face="monospace, monospace"><br></font></div><div><font face="monospace, monospace"><span class="" style="white-space:pre"> </span>/* Expand first key: key = secret, data = [empty] */</font></div><div><font face="monospace, monospace"><span class="" style="white-space:pre"> </span>blake2s_hmac(first_dst, NULL, secret, BLAKE2S_OUTBYTES, 0, BLAKE2S_OUTBYTES);</font></div><div><font face="monospace, monospace"><br></font></div><div><font face="monospace, monospace"><span class="" style="white-space:pre"> </span>/* Expand second key: key = secret, data = first-key */</font></div><div><font face="monospace, monospace"><span class="" style="white-space:pre"> </span>blake2s_hmac(second_dst, first_dst, secret, BLAKE2S_OUTBYTES, BLAKE2S_OUTBYTES, BLAKE2S_OUTBYTES);</font></div><div><font face="monospace, monospace"><br></font></div><div><font face="monospace, monospace"><span class="" style="white-space:pre"> </span>/* Clear sensitive data from stack */</font></div><div><font face="monospace, monospace"><span class="" style="white-space:pre"> </span>memzero_explicit(secret, BLAKE2S_OUTBYTES);</font></div><div><font face="monospace, monospace">} </font></div><div><br></div><div>Less stack, less copying --> faster, simpler. </div></div> </div></div>