[noise] Fwd: BLAKE2 as a diffie-hellman entropy extractor

Jason A. Donenfeld Jason at zx2c4.com
Tue Oct 13 07:38:58 PDT 2015


---------- Forwarded message ----------
From: Jean-Philippe Aumasson <jeanphilippe.aumasson at gmail.com>
Date: Tue, Oct 13, 2015 at 4:30 PM
Subject: Re: BLAKE2 as a diffie-hellman entropy extractor

Hi Jason,

thanks for considering BLAKE2 in this scheme!

A KDF as defined in Krawczyk's paper (and in SP 800-108) is essentially
a PRF with variable-size output: it takes as input a key and returns
key material that's typically longer than the given key. HKDF achieves
this by iterating calls to a PRF.

But if you only need to derive keys that are as long as the PRF's
length, then I'd say that you'll be fine with a PRF (say, BLAKE2's)
with an output of that size.

If you read section 5 of https://eprint.iacr.org/2010/264.pdf,
however, you'll observe that it may not be totally perfect *in
theory*: "We note that random functions do not make by themselves good
statistical extractors (...)". This says that you may construct a PRF
that's secure as a PRF but that happens to be "insecure" as a KDF.
IMHO that's a theoretical argument irrelevant in practice.

So my answer to your question is about the same as Nadim's: I don't
have a math proof that BLAKE2 is a good randomness extractor, but I'd
be very surprised if it happened not to be one.
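The two cases the forwarded message contrasts, as an added example that is not part of the original mail and not the Noise project's own code: a single keyed BLAKE2b call when the derived key is no longer than the PRF output, and an HKDF-style extract/expand (the RFC 5869 structure, with keyed BLAKE2b standing in for HMAC, which is an assumption made here for illustration) when more key material is needed. The shared secret, salt and info strings are constructed sample values.

```python
"""Keyed BLAKE2b as a PRF for key derivation.

Added example, not from the original message or the Noise project.
Assumed construction: HKDF's extract/expand shape (RFC 5869) with keyed
BLAKE2b in place of HMAC.  All inputs are constructed sample values.
"""
import hashlib

HASH_LEN = 64  # BLAKE2b's maximum (and default) digest size in bytes


def blake2_prf(key: bytes, msg: bytes, out_len: int = HASH_LEN) -> bytes:
    """Keyed BLAKE2b as a PRF with a chosen output size (1..64 bytes).

    This is the "you'll be fine with a PRF" case: when the key you need is
    no longer than the PRF's output, one call does the job.
    """
    if not 1 <= out_len <= HASH_LEN:
        raise ValueError("keyed BLAKE2b output must be 1..64 bytes")
    if len(key) > HASH_LEN:
        # Unlike HMAC, keyed BLAKE2 does not pre-hash long keys; refuse them.
        raise ValueError("keyed BLAKE2b key must be at most 64 bytes")
    return hashlib.blake2b(msg, key=key, digest_size=out_len).digest()


def extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract shape: condense non-uniform input keying material
    (e.g. a Diffie-Hellman shared secret) into a fixed-length PRK.
    As in RFC 5869, the salt keys the PRF and the secret is the message;
    an empty salt is replaced by HASH_LEN zero bytes."""
    if not salt:
        salt = bytes(HASH_LEN)
    return blake2_prf(salt, ikm)


def expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand shape: iterate the PRF to produce key material longer
    than a single output.  T(i) = PRF(prk, T(i-1) || info || i), T(0) = ""."""
    if not 0 <= length <= 255 * HASH_LEN:
        raise ValueError("HKDF-style expand yields at most 255 blocks")
    okm = b""
    t = b""
    counter = 1
    while len(okm) < length:
        t = blake2_prf(prk, t + info + bytes([counter]))
        okm += t
        counter += 1
    return okm[:length]


def derive(shared_secret: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """Full extract-then-expand derivation of `length` bytes."""
    return expand(extract(salt, shared_secret), info, length)


if __name__ == "__main__":
    # Constructed sample inputs; a real DH output would be 32+ bytes of
    # non-uniform group-element encoding, not ASCII.
    dh_secret = b"constructed-sample-dh-shared-secret"
    salt = b"constructed-sample-salt"
    # Case 1: one 32-byte key, no longer than the PRF output -> single call.
    one_key = blake2_prf(salt, dh_secret, 32)
    # Case 2: 96 bytes (two 32-byte keys plus a 32-byte IV) -> need expand.
    material = derive(dh_secret, salt, b"handshake keys", 96)
    print(one_key.hex())
    print(material[:32].hex(), material[32:64].hex(), material[64:].hex())
```

Note that `expand` is a prefix-preserving construction: asking for 128 bytes returns the same first 64 bytes as asking for 64, which is what lets a protocol split one derivation into several keys by offset.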


More information about the Noise mailing list