[noise] Wrong arguments for KDF in PSK mode

Jason A. Donenfeld Jason at zx2c4.com
Thu Apr 21 15:17:08 PDT 2016

On Thu, Apr 21, 2016 at 9:25 PM, Trevor Perrin <trevp at trevp.net> wrote:
> (d) Note that whether you pass a key to HMAC in the first or second
> argument, this key is processed as message data by the hash function.
> So security reductions for HMAC (like Bellare's 2006 proof) already
> need to assume that the underlying compression function is a "dual
> PRF", a PRF when keyed either through the chaining variable or the
> message.
This is a key point.  For certain PRFs -- "dual PRF"s -- the order of
arguments does not matter. The security considerations section should note
that Noise depends on this property of the underlying PRF.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://moderncrypto.org/mail-archive/noise/attachments/20160422/fccaf5e0/attachment.html>

More information about the Noise mailing list