[noise] PSK-based resumption, postquantum, and XOFs

David Wong davidwong.crypto at gmail.com
Tue Nov 28 01:05:43 PST 2017

> KMAC is more complicated than the above SHAKE-based "PRF" in a few ways:
>  (1) The first block of KMAC absorbs the string "KMAC" and an optional
> user-specified customization string.

This is the customization string of cSHAKE.

>  (2) The second block of KMAC absorbs the key, with a length prefix
> (this is similar to the first block of "PRF", except for the added
> length prefix).

Yeah, this is part of the encoding/padding which you have to use (or at
least something similar).

>  (3) At the end, KMAC contains the desired output length (or 2-bytes
> of zeros if you want a SHAKE-style arbitrary-length output stream).

SHAKE also takes a desired output length if I'm reading the FIPS 202
spec correctly. Although I've seen it implemented by just allowing you
to read forever.

>  (3) Instead of using the output-length field, it seems easier to use
> SHAKE-style arbitrary-length output, and just take however many bytes
> we need.

In the end implementers might have access to a SHAKE API that just
takes an output length. Depending on the implementation they end up

> I thought the padding helped security, or at least made the assumptions simpler?

I'm not aware of that. One of the sponge papers says that this
is done to allow you to pre-compute the key (which is true; this
allows you to permute and discard the key).

