[noise] BLAKE2 as a diffie-hellman entropy extractor
Jason A. Donenfeld
Jason at zx2c4.com
Tue Oct 13 07:47:37 PDT 2015
Hi Jean-Philippe,
Great, this is encouraging. So in other words, since BLAKE2 already
produces 64byte outputs, we don't need the "expand" step. And so this
leaves us only with a question of whether or not it's sufficient for
"extraction". And in your opinion, keyed BLAKE2 is as good as an
"extract" step as HMAC-SHA256.
The only downside is that there is a proof of HMAC being a sufficient
randomness extractor, whereas there isn't one for keyed BLAKE2. But
you say you suspect it would, in fact, be quite okay. (Though I
haven't read such a proof of HMAC, I do observe keyed BLAKE2 has
similar properties of it -- the key length is encoded in the initial
block XOR'd with the IV, there is a full block round computed on the
key itself, and only then is the data hashed ontop; there seems to be
_some_ analogue to HMAC's nesting design. But again, I haven't read
the HMAC proof, so I don't know if this is relevant.)
This leads me wonder, then -- Trevor: why not just use HMAC-SHA512,
producing 64bytes of output like BLAKE2b, and therefore not require
the "expand" step? This would then make it easy to replace that PRF
with other 64byte-producing PRFs.
Jason
More information about the Noise
mailing list