[noise] Resumption PSKs

Christopher Wood christopherwood07 at gmail.com
Tue Jun 5 07:43:22 PDT 2018


On Tue, Jun 5, 2018 at 2:10 AM Trevor Perrin <trevp at trevp.net> wrote:
>
> On Mon, Jun 4, 2018 at 3:07 PM, Christopher Wood
> <christopherwood07 at gmail.com> wrote:
> >
> > FWIW, I would vote for the former, wherein the handshake is explicitly
> > mixed into the PRF.
>
>
> Yeah, I'm leaning towards mixing "h" in, and doing the psk addendum thing.
>
> > Also, would you be opposed to using the HKDF-Extract notation from RFC5869?
> >
> >    ck = HKDF-Extract(h || label, K)
> >
> > It's HMAC under the hood, so functionally there's no difference.
>
> I think terminology is still up in the air here.  We previously only
> used HMAC within HKDF, so we can think about how we want to specify
> it.
>
> I'm not sure why HKDF-Extract is a good terminology here, though?
> What we're trying to do here is just a PRF, similar to HKDF-Expand,
> it's not doing "entropy extraction" in the HKDF sense.

True -- I was again aiming for (what seemed to be) HKDF usage
consistency. We could
Extract+Expand, though if we only need the PRF step, then perhaps it's
best to stick with
what you proposed.

Best,
Chris


More information about the Noise mailing list