[noise] What noise/blake2b is being used for
Jason A. Donenfeld
Jason at zx2c4.com
Wed Nov 4 01:28:27 PST 2015
Hi JP,
Bringing this back onto the noise list, as you actually bring up some very
relevant issues for there.
Jason
On Wed, Nov 4, 2015 at 10:03 AM, Jean-Philippe Aumasson <
jeanphilippe.aumasson at gmail.com> wrote:
> Hi Jason,
>
> had a look at the WG protocol (sorry for the delay). Was wondering about
> the data keys derivation:
>
> temp1 = PRF(initiator.chaining_key, [empty])
> temp2 = PRF(temp1, 0x1)
> temp3 = PRF(temp1, temp2 || 0x2)
>
> Here there's a secret (chaining_key) and you want to derive two keys from
> this value such that breaking either of the derived keys doesn't compromise
> the other derived key nor the root key. This can be achieved by just doing
> PRF(key, 1) and PRF(key, 2), or even key := PRF(key, 'meh') and doing key1
> := key[:32] and key2 := key[-32:], assuming key is 64 or more bytes long.
>
> The roadmap includes a point "Decide on Curve25519 vs Curve448 and Blake2b
> vs Blake2s". Guess the most important is consistency of security levels;
> all primitive with a level ~128 bits, or ~224 bits, etc. In terms of speed,
> on x86_64 BLAKE2s is faster when the messages hashed are ~64 bytes or
> below, otherwise BLAKE2b is faster. I don't have figures but I guess it's
> similar for 64-bit ARM (and NEON-enabled ARM).
>
> Only looked at the .md docs so far, will peek at the code once I've some
> time.
>
> Hope it helps,
>
> JP
>
>
> On Wed, Oct 14, 2015 at 7:12 PM Jason A. Donenfeld <Jason at zx2c4.com>
> wrote:
>
>> By the way, if you get around to proving an equivalence between keyed
>> BLAKE2 and NMAC, you'll be able to piggyback on the HKDF paper's security
>> proofs that it's suitable as an randomness extractor...
>>
>> It seems like it would be relatively straightforward. Keyed BLAKE2 sets
>> the keylen parameter, and then it does a full block, and only after that
>> does it hash in the ordinary data. That seems to me fairly close to a
>> nested structure. But I'm not sure. Anyway, something to think about if one
>> night, late, you're yearning to write some LaTeX.
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://moderncrypto.org/mail-archive/noise/attachments/20151104/46ed2a4e/attachment.html>
More information about the Noise
mailing list