[noise] Hash len > cipher len in tls1.2

Tony Arcieri bascule at gmail.com
Fri Mar 4 20:37:04 PST 2016

Since a hash function is effectively a PRF as opposed to a PRP, you run the
possibility of collisions and therefore have to account for the birthday
bound/pigeonhole principle. For a given security level, you take the square
of the key size you would otherwise use with a symmetric cipher.

Tony Arcieri
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://moderncrypto.org/mail-archive/noise/attachments/20160304/b5b6fe7d/attachment.html>

More information about the Noise mailing list