[noise] PSK-based resumption, postquantum, and XOFs
David Wong
davidwong.crypto at gmail.com
Mon Nov 27 15:17:37 PST 2017
> If an XOF is chosen, these functions are constructed:
> - HASH(message) = XOF(message)
> - PRF(key, message) = XOF(pad_to_block(key) || message)
> - KDF(key, message) = XOF(pad_to_block(key) || input)
If you look at KMAC, it is really just SHAKE (or rather cSHAKE) with
optimizations for precomputing a key.
Knowing that:
1. using cSHAKE sounds like the way to go (with custom strings for
Noise and the operation name)
2. do you need the optimization? It sounds like the key is going to
change so you would not need to pad the key to the block
David
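Added example, not part of the original message or of the Noise specification: a Python sketch of the quoted `PRF(key, message) = XOF(pad_to_block(key) || message)` built on SHAKE128 from `hashlib`, showing what padding the key to a block buys (a keyed state that can be absorbed once and cloned per message) and what it costs when the key changes on every call. The `pad_to_block` encoding (2-byte length prefix, zero fill), the `KeyedXof` class and `absorb_permutations` are assumptions made for illustration; cSHAKE customization strings are not shown because `hashlib` does not expose cSHAKE.

```python
import hashlib

RATE = 168  # SHAKE128 rate (block size) in bytes


def pad_to_block(key: bytes) -> bytes:
    # Assumed encoding: 2-byte big-endian length prefix, then zero fill up to
    # a multiple of the rate. The quoted text does not define the padding;
    # KMAC itself uses bytepad(encode_string(K), rate).
    encoded = len(key).to_bytes(2, "big") + key
    return encoded + b"\x00" * (-len(encoded) % RATE)


def prf(key: bytes, message: bytes, outlen: int = 32) -> bytes:
    # One-shot form of the quoted construction.
    return hashlib.shake_128(pad_to_block(key) + message).digest(outlen)


class KeyedXof:
    """Absorb the padded key once, then clone that state for each message."""

    def __init__(self, key: bytes) -> None:
        self._state = hashlib.shake_128(pad_to_block(key))

    def prf(self, message: bytes, outlen: int = 32) -> bytes:
        h = self._state.copy()  # reuse the work done on the key block
        h.update(message)
        return h.digest(outlen)


def absorb_permutations(n_bytes: int) -> int:
    # Keccak-f calls needed to absorb n_bytes of input plus SHAKE padding:
    # one per full block, plus one for the final padded block.
    return n_bytes // RATE + 1


if __name__ == "__main__":
    key = bytes(range(32))   # constructed sample key
    msg = b"\x01" * 64       # constructed sample message
    assert KeyedXof(key).prf(msg) == prf(key, msg)
    padded = absorb_permutations(len(pad_to_block(key)) + len(msg))
    unpadded = absorb_permutations(len(key) + len(msg))
    print("padded key, fresh key per call:", padded, "permutations")
    print("unpadded key, fresh key per call:", unpadded, "permutation")
```

With a long-lived key the padded form pays for the key block once and each later message costs only its own blocks; with a key used for a single call the padding adds one permutation and saves nothing.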