[noise] PSK-based resumption, postquantum, and XOFs

David Wong davidwong.crypto at gmail.com
Mon Nov 27 15:17:37 PST 2017

> If an XOF is chosen, these functions are constructed:
>  - HASH(message) = XOF(message)
>  - PRF(key, message) = XOF(pad_to_block(key) || message)
>  - KDF(key, message) = XOF(pad_to_block(key) || input)

If you look at KMAC, it is really just SHAKE (or rather cSHAKE) with
optimizations for precomputing a key.
Knowing that:

1. using cSHAKE sounds like the way to go (with custom strings for
Noise and the operation name)
2. do you need the optimization? It sounds like the key is going to
change so you would not need to pad the key to the block


More information about the Noise mailing list