[noise] hkdf branch with arbitrary-length keyed hashing functions
Trevor Perrin
trevp at trevp.net
Mon Oct 12 20:51:59 PDT 2015
On Mon, Oct 12, 2015 at 2:17 PM, Jason A. Donenfeld <Jason at zx2c4.com> wrote:
> Hi,
>
> Here's a more general question about using blake2b with noise than my
> previous email.
>
> Functions like blake2b(key, data) can produce an arbitrary length
> output: blake2b(key, data, size). So, I find it appealing to replace:
>
> HKDF(chaining_key, data):
> temp_key = HMAC-HASH(chaining_key, data)
> output1 = HMAC-HASH(temp_key, 0x01)
> output2 = HMAC-HASH(temp_key, output1 || 0x02)
> return (output1, output2)
>
> With:
>
> Blake2b-KDF(chaining_key, data):
> key_material = Blake2b(chaining_key, data, 64 bytes)
> return (key_material[0:31], key_material[32:63])
The HKDF paper analyzes HKDF as an entropy extractor (and also a PRF).
The Blake2 paper only claims the keyed version is a PRF.
The HKDF analysis depends on the nested structure of HMAC, I think,
which your alternative doesn't have. You could try nesting your
keyed-Blake2 calls, but then you're basically the same as HMAC (HMAC
"keys" the hash by prepending the key in the first block, and Blake2's
keyed version does the same.)
So I would just set HASH=Blake2 and use the HKDF / HMAC structure like
any other hash, to leverage the HKDF extractor analysis.
Trevor
More information about the Noise
mailing list