[noise] Fwd: BLAKE2 as a diffie-hellman entropy extractor
Trevor Perrin
trevp at trevp.net
Tue Oct 13 12:23:02 PDT 2015
Thanks J.P.,
The spec we're discussing is here:
https://github.com/trevp/noise/blob/hkdf/noise.md
You could also check out (or join!) our mailing list:
https://moderncrypto.org/mailman/listinfo/noise
> From: Jean-Philippe Aumasson <jeanphilippe.aumasson at gmail.com>
>
> A KDF as defined in Krawczyk paper (and in SP 800-108) is essentially
> a PRF with variable-size output: it takes as input a key and returns
> key material that's typically longer than the given key. HKDF achieves
> this by iterating calls to a PRF.
Well, in HKDF there's an "extract" phase followed by an "expand"
phase. Certainly the "expand" is easily accomplished by a PRF. But
much of the HKDF paper is about extraction under different
assumptions. For example, Section 6 has several lemmas based on the
NMAC / HMAC structure.
HKDF has been widely adopted (e.g. IPsec, TextSecure, TLS 1.3, QUIC).
The use being considered is just processing a few DHs, so is not a
performance bottleneck. So I still think the most conservative and
easy-to-defend choice would just use the hash function (whether SHA2,
SHA3, BLAKE2, etc) within the HKDF / HMAC framework.
More arguments here:
https://moderncrypto.org/mail-archive/noise/2015/000300.html
Trevor
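The extract-then-expand structure Trevor refers to, written out as an added example (not code from the post or from the Noise project): HKDF per RFC 5869 with the hash pluggable, instantiated here with BLAKE2s via HMAC, and a small illustrative routine that mixes a DH output into a running chaining key. The chaining-key layout in derive_from_dh and the sample DH value are assumptions for illustration, not the spec's; check_rfc5869_vector is a known-answer self-check using RFC 5869 test case 1 (SHA-256).

```python
import hashlib
import hmac


def hkdf_extract(salt: bytes, ikm: bytes, hash_fn=hashlib.blake2s) -> bytes:
    """HKDF-Extract: PRK = HMAC-Hash(salt, IKM). The salt is the HMAC key;
    an empty salt is replaced by HashLen zero bytes, as in RFC 5869."""
    if not salt:
        salt = b"\x00" * hash_fn().digest_size
    return hmac.new(salt, ikm, hash_fn).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int, hash_fn=hashlib.blake2s) -> bytes:
    """HKDF-Expand: iterate the PRF, T(i) = HMAC-Hash(PRK, T(i-1) || info || i)."""
    hash_len = hash_fn().digest_size
    if length > 255 * hash_len:
        raise ValueError("requested output too long for HKDF-Expand")
    okm, t, counter = b"", b"", 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([counter]), hash_fn).digest()
        okm += t
        counter += 1
    return okm[:length]


def hkdf(salt: bytes, ikm: bytes, info: bytes, length: int, hash_fn=hashlib.blake2s) -> bytes:
    return hkdf_expand(hkdf_extract(salt, ikm, hash_fn), info, length, hash_fn)


def derive_from_dh(chaining_key: bytes, dh_output: bytes) -> tuple:
    """Mix one DH result: extract with the running chaining key as salt, then
    expand to a new 32-byte chaining key and a 32-byte cipher key.
    This layout is illustrative (an assumption), not the Noise spec's."""
    prk = hkdf_extract(chaining_key, dh_output)
    out = hkdf_expand(prk, b"", 64)
    return out[:32], out[32:]


def check_rfc5869_vector() -> bool:
    """Known-answer test: RFC 5869 test case 1 (HKDF-SHA-256)."""
    okm = hkdf(bytes(range(13)), b"\x0b" * 22, bytes(range(0xF0, 0xFA)), 42, hashlib.sha256)
    return okm.hex() == ("3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf"
                         "34007208d5b887185865")


# Constructed sample: a fake 32-byte DH shared secret (not a real DH output).
SAMPLE_DH = bytes(range(32))

if __name__ == "__main__":
    ck, k = derive_from_dh(b"\x00" * 32, SAMPLE_DH)
    print("rfc5869 ok:", check_rfc5869_vector(), "\nck:", ck.hex(), "\nk:", k.hex())
```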