[noise] New branch: hkdf
Jason A. Donenfeld
Jason at zx2c4.com
Wed Oct 14 03:11:03 PDT 2015
On Wed, Oct 14, 2015 at 7:25 AM, Trevor Perrin <trevp at trevp.net> wrote:
>
> The HKDF paper and spec consider using the output from HKDF-Extract
> directly, without HKDF-Expand. But they don't recommend it:
Thanks for pointing that out; I had overlooked these sections
(although they don't exactly make the most compelling arguments...).
>
> https://eprint.iacr.org/2010/264.pdf, Appendix D:
> """
> when SKM is from a source or form that requires the use of the
> extraction step but the number of key-material bits required is no
> larger than the output PRK of the extractor, one could use directly
> this key as the output of the KDF. Yet, in this case one could still
> apply the PRF* part as an additional level of “smoothing” of the
> output of XTR. In particular, this can help against potential attacks
> on XTR since by applying PRF* we make sure that the raw output from
> XTR is never directly exposed.
> """
>
> RFC 5869, 3.3:
> """
> In the case where the amount of required key bits, L, is no more than
> HashLen, one could use PRK directly as the OKM. This, however, is NOT
> RECOMMENDED, especially because it would omit the use of 'info' as
> part of the derivation process (and adding 'info' as an input to the
> extract step is not advisable -- see [HKDF-paper]).
> """
Are we using the info param?
More information about the Noise
mailing list