[noise] KDF, part 9281274
Trevor Perrin
trevp at trevp.net
Sat Apr 23 11:43:27 PDT 2016
On Fri, Apr 22, 2016 at 8:18 AM, Jason A. Donenfeld <Jason at zx2c4.com> wrote:
>
> What precisely would be wrong about greatly simplifying and
> speeding-up the whole thing by defining KDF either as:
>
> output = BLAKE2b-PRF(key, input)
> return (output[0:31], output[32:63])
>
> or
>
> output = HMAC-SHA2-512(key, input)
> return (output[0:31], output[32:63])
Sure, that works. With a good hash, basically anything that hashes
the inputs into the outputs works.
I don't think fixing a 512-bit hash with 256-bit chaining key is the
best option, though. I prefer the current design's allowance for
256-bit hashes, and getting a full 512-bits chaining key with a
512-bit hash.
I also don't think optimizing here gains much. If you've done timing
comparisons that show otherwise, that would be good to see.
There's a thousand different ways we could do key derivation, all with
slightly different performance / analysis properties.
I don't think any alternatives are going to be dramatically better
than what we have now, which enjoys:
- simple analysis in the ROM (since we just hash everything together)
- simple description as HKDF(salt=chaining_key, ikm=new_material)
But I'll write up some analysis of alternatives in the next few days,
so we can vet the KDF design one more time.
Trevor
More information about the Noise
mailing list