[noise] PSK-based resumption, postquantum, and XOFs
Trevor Perrin
trevp at trevp.net
Fri Nov 24 09:11:50 PST 2017
On Fri, Nov 24, 2017 at 9:06 AM, Trevor Perrin <trevp at trevp.net> wrote:
>
> So if we want to plug XOFs into Noise, I'd suggest adopting a simple,
> SHAKE-like notion, and then constructing what we need on top of that.
>
> Putting this together, Noise could require choosing either a HASH or
> XOF. If a HASH is chosen, these functions are constructed:
[...]
Better explanation:

Noise could require the user to choose either a HASH or XOF. Noise
could use "constructions" to provide the full set of functions (HASH,
PRF, KDF, XOF). These functions would be used as follows:

- HASH for transcript hashing
- PRF for "extra" key derivation (e.g. resumption PSKs)
- KDF for MixKey()
- XOF for public-key algorithms like Kyber

If a HASH is chosen, these functions are constructed:

- PRF(key, message) = HMAC(key, message)
- KDF(key, input) = HKDF(key, input)
- XOF(input) = HKDF(<zerolen>, input)

If an XOF is chosen, these functions are constructed:

- HASH(message) = XOF(message)
- PRF(key, message) = XOF(pad_to_block(key) || message)
- KDF(key, message) = XOF(pad_to_block(key) || input)

Trevor
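
Added example, not part of the original message or of the Noise specification: the two construction sets listed above, written out in Python. The choice of SHA-256 and SHAKE128, zero-byte padding in pad_to_block, RFC 5869 HKDF with empty info, and the caller-chosen output lengths are all assumptions the message does not specify.

```python
import hashlib
import hmac

# Assumptions (not from the message): SHA-256 as HASH, SHAKE128 as XOF,
# zero-byte pad_to_block, RFC 5869 HKDF with empty info, caller-chosen lengths.
RATE = 168  # SHAKE128 block (rate) size in bytes

def hkdf(key, data, length):
    # RFC 5869 HKDF-SHA256 with salt=key, IKM=data, info empty.
    if length > 255 * 32:
        raise ValueError("HKDF-SHA256 output is limited to 255 * 32 bytes")
    prk = hmac.new(key, data, hashlib.sha256).digest()
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]

def pad_to_block(key):
    # Zero-pad so the key fills exactly one block; unambiguous only for
    # fixed-length keys (e.g. 32 bytes), since trailing zeros are not encoded.
    if len(key) > RATE:
        raise ValueError("key longer than one XOF block")
    return key + b"\x00" * (RATE - len(key))

def shake(data, length):
    return hashlib.shake_128(data).digest(length)

def from_hash():
    # Function set constructed when a HASH is chosen.
    return {
        "HASH": lambda m: hashlib.sha256(m).digest(),
        "PRF": lambda k, m: hmac.new(k, m, hashlib.sha256).digest(),
        "KDF": lambda k, i, n=64: hkdf(k, i, n),
        "XOF": lambda i, n: hkdf(b"", i, n),  # HKDF(<zerolen>, input)
    }

def from_xof():
    # Function set constructed when an XOF is chosen. PRF and KDF share one
    # construction, as written in the message.
    return {
        "HASH": lambda m: shake(m, 32),
        "PRF": lambda k, m, n=32: shake(pad_to_block(k) + m, n),
        "KDF": lambda k, i, n=64: shake(pad_to_block(k) + i, n),
        "XOF": shake,
    }
```
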