[noise] BLAKE2 as a diffie-hellman entropy extractor

Trevor Perrin trevp at trevp.net
Tue Oct 13 12:48:56 PDT 2015


On Tue, Oct 13, 2015 at 10:47 AM, Jason A. Donenfeld <Jason at zx2c4.com> wrote:
>
> This leads me to wonder, then -- Trevor: why not just use HMAC-SHA512,
> producing 64 bytes of output like BLAKE2b, and therefore not require
> the "expand" step? This would then make it easy to replace that PRF
> with other 64-byte-producing PRFs.

The current design assumes HASH produces a 32 byte output.  It's easy
to truncate larger hashes to 32 bytes (and according to the HKDF paper
that has some advantages - see Section 6 of Hugo's paper).

With your approach we'd either have to give up supporting 32-byte
hashes, or support *both* 32 and 64 byte hashes, with different key
derivation.  I'm not thrilled with either - SHA256 might be all you
have, and is significantly more efficient on non-64-bit platforms.
Supporting 2 different key derivations is also confusing.

Truncating a 512 bit hash to 256 bits and using the current
construction is simplest and probably the most conservative choice -
it might be security overkill, but if we're going to err on one side,
that's the side to be on...

Trevor
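The point above is that a single HKDF-style derivation, written against a 32-byte HASH, works unchanged whether HASH is SHA-256 or a 512-bit hash truncated to 32 bytes. The following is an added example illustrating that, not code from the Noise specification or from either poster. It assumes the two-output shape used by the current Noise spec (temp_key = HMAC-HASH(ck, ikm); output1 = HMAC-HASH(temp_key, 0x01); output2 = HMAC-HASH(temp_key, output1 || 0x02)), which may differ in detail from the 2015 draft under discussion, and it implements HMAC by hand (RFC 2104) because Python's hmac module cannot wrap a truncated hash. The chaining key and DH output are constructed placeholder bytes, not real protocol values.

```python
"""Noise-style HKDF parameterised over a 32-byte HASH.

Added example, not part of the Noise spec or the mailing-list thread.
Assumptions (not from the original page): the HKDF shape below is the one
in the current Noise specification; HMAC is hand-rolled per RFC 2104 so it
can run over HASH(x) = SHA512(x)[:32] or BLAKE2b(x)[:32], which the stdlib
hmac module cannot express; sample inputs are constructed placeholders.
"""
import hashlib
import hmac as stdlib_hmac
from dataclasses import dataclass
from typing import Callable

HASHLEN = 32  # the design assumption discussed in the thread


@dataclass(frozen=True)
class HashFn:
    name: str
    block_size: int                   # HMAC pads/hashes the key to this length
    digest: Callable[[bytes], bytes]  # always returns exactly HASHLEN bytes


def truncated(ctor, block_size: int, name: str) -> HashFn:
    """HASH(x) = ctor(x)[:HASHLEN]; both HMAC passes use the truncated hash."""
    return HashFn(name, block_size, lambda m: ctor(m).digest()[:HASHLEN])


SHA256 = HashFn("SHA-256", 64, lambda m: hashlib.sha256(m).digest())
SHA512_TRUNC = truncated(hashlib.sha512, 128, "SHA-512 truncated to 32 bytes")
BLAKE2B_TRUNC = truncated(hashlib.blake2b, 128, "BLAKE2b truncated to 32 bytes")


def hmac_hash(h: HashFn, key: bytes, msg: bytes) -> bytes:
    """HMAC-HASH per RFC 2104, using h.block_size for key padding."""
    if len(key) > h.block_size:
        key = h.digest(key)
    key = key.ljust(h.block_size, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    return h.digest(opad + h.digest(ipad + msg))


def noise_hkdf(h: HashFn, chaining_key: bytes, ikm: bytes) -> tuple[bytes, bytes]:
    """Extract-then-expand producing two HASHLEN-byte outputs.

    The same code serves every HASH choice: with a 32-byte HASH the extract
    step already yields a 32-byte temp_key, and expand gives two more
    32-byte values (no need to carve a 64-byte PRF output in half).
    """
    if len(chaining_key) != HASHLEN:
        raise ValueError("chaining key must be HASHLEN bytes")
    temp_key = hmac_hash(h, chaining_key, ikm)           # extract
    output1 = hmac_hash(h, temp_key, b"\x01")            # expand, block 1
    output2 = hmac_hash(h, temp_key, output1 + b"\x02")  # expand, block 2
    return output1, output2


def stdlib_hmac_matches(key: bytes, msg: bytes) -> bool:
    """Sanity check: the hand-rolled HMAC agrees with hmac.new for SHA-256."""
    expected = stdlib_hmac.new(key, msg, hashlib.sha256).digest()
    return hmac_hash(SHA256, key, msg) == expected


# Constructed placeholders (not a real chaining key or DH result).
SAMPLE_CK = bytes(range(32))
SAMPLE_DH = hashlib.sha256(b"constructed placeholder dh output").digest()


def derive_all(ck: bytes = SAMPLE_CK, ikm: bytes = SAMPLE_DH) -> dict:
    """Run the identical derivation under each HASH and return the outputs."""
    return {h.name: noise_hkdf(h, ck, ikm) for h in (SHA256, SHA512_TRUNC, BLAKE2B_TRUNC)}


if __name__ == "__main__":
    for name, (o1, o2) in derive_all().items():
        print(f"{name:32s} ck'={o1.hex()}  k={o2.hex()}")
```

Note that truncating inside HMAC (rather than truncating a 64-byte HMAC-SHA512 result once at the end) is what "HASH = SHA512[:32]" means under this construction; the two are not interchangeable, so an implementation must pick one and document it.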

