[noise] New branch: hkdf
Jason A. Donenfeld
Jason at zx2c4.com
Mon Oct 12 11:10:50 PDT 2015
> Split(): Creates two child CipherState objects by calling HKDF(ck, empty)
> where empty is a zero-length byte sequence.

When the keyed mode of blake2b(key, data) is used instead of
HMAC-SHA2-256(key, data), and when data = zero length empty, this
simply amounts to hashing a block of zeros:

    memset(block, 0, BLAKE2B_BLOCKBYTES);
    memcpy(block, key, keylen);
    blake2b_update(state, block, BLAKE2B_BLOCKBYTES);

Thus, for using blake2b with HKDF, I will replace:

    temp = KDF(chaining_key, empty zero byte sequence)

With:

    temp = HASH(chaining_key)

In fact, the reference blake2b implementation already contains such an
optimization:

    if (keylen > 0 && key != NULL)
        blake2b_init_key(&state, outlen, key, keylen);
    else
        blake2b_init(&state, outlen);

It only goes into keying mode if the key has a length > 0.

Any security objections to doing this with noise?
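
An added example, not part of the original message or of the BLAKE2 or Noise code: it uses Python's `hashlib.blake2b` to compare keyed BLAKE2b over zero-length data with the two unkeyed digests discussed above. The 32-byte chaining key, the 32-byte output length and the function names are assumptions made for the example.

```python
import hashlib

BLOCKBYTES = 128   # BLAKE2B_BLOCKBYTES in the reference implementation
OUTLEN = 32        # assumed output length for this example

# Constructed sample chaining key (not a real Noise value).
SAMPLE_CK = bytes(range(32))


def keyed_empty(key: bytes) -> bytes:
    """blake2b(key, data) in keyed mode with zero-length data."""
    return hashlib.blake2b(b"", key=key, digest_size=OUTLEN).digest()


def hash_of_key(key: bytes) -> bytes:
    """Unkeyed HASH(chaining_key)."""
    return hashlib.blake2b(key, digest_size=OUTLEN).digest()


def hash_of_padded_block(key: bytes) -> bytes:
    """Unkeyed hash of the key zero-padded to one full block
    (the memset/memcpy/blake2b_update sequence)."""
    block = key.ljust(BLOCKBYTES, b"\x00")
    return hashlib.blake2b(block, digest_size=OUTLEN).digest()


def compare(key: bytes) -> dict:
    """Report whether each unkeyed candidate equals the keyed digest."""
    keyed = keyed_empty(key)
    return {
        "hash_of_key": keyed == hash_of_key(key),
        "hash_of_padded_block": keyed == hash_of_padded_block(key),
    }


def empty_key_is_unkeyed(data: bytes) -> bool:
    """A zero-length key selects the plain (unkeyed) hash."""
    keyed = hashlib.blake2b(data, key=b"", digest_size=OUTLEN).digest()
    return keyed == hashlib.blake2b(data, digest_size=OUTLEN).digest()


if __name__ == "__main__":
    print("keyed(ck, empty)  :", keyed_empty(SAMPLE_CK).hex())
    print("HASH(ck)          :", hash_of_key(SAMPLE_CK).hex())
    print("HASH(padded block):", hash_of_padded_block(SAMPLE_CK).hex())
    print(compare(SAMPLE_CK))
    print("empty key == unkeyed:", empty_key_is_unkeyed(b"abc"))
```

BLAKE2b mixes the key length into its parameter block (RFC 7693), so the keyed digest matches neither unkeyed digest; only a zero-length key falls back to the unkeyed hash.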