HKDF tweaks #100
HKDF tweaks #100
Conversation
|
@chris-wood I would like your review on this. Regardless of how you feel about whether or not SHA2 combiners should be included, does this PR address the issue that the HKDF combiner was under-specified? |
draft-ietf-lamps-pq-composite-kem.md
Outdated
| @@ -1566,9 +1566,9 @@ One of the primary NIST documents which is relevant for certification of a compo | |||
|
|
|||
| [SP.800-56Cr2] section 4 "One-Step Key Derivation" requires a `counter` which begins at the 4-byte value 0x00000001. However, the counter is allowed to be omitted when the hash function is executed only once, as specified on page 159 of the FIPS 140-3 Implementation Guidance [FIPS-140-3-IG]. | |||
|
|
|||
| The HKDF-SHA2 options can be certified under SP.800-56Cr2 One-Step Key Derivation Option 2: `H(x) = HMAC-hash(salt, x)` where `salt` is the fixed value `0x00000000000000000000000000000000` (ie 64 bytes of zeros) in order to satisfy the requirement in [SP.800-56Cr2] that "nn the absence of an agreed-upon alternative – the default_salt shall be an all-zero byte string whose bit length equals that specified as the bit length of an input block for the hash function, hash". Note that since the desired shared secret key output length of 256 bits for all security levels aligns with the block size of SHA256, we do not need to use the HKDF-Extract step specified in [RFC5869], which further simplifies FIPS certification by allowing us to use the One-Step KDF rather than the Two-Step KDF from [SP.800-56Cr2]. | |||
| The HKDF-SHA2 options can be certified under SP.800-56Cr2 One-Step Key Derivation Option 2: `H(x) = HMAC-hash(salt, x)` where `salt` is the fixed value `0x00..00` (ie 64 bytes of zeros for SHA2-256 and 96 bytes of zeros for SHA2-384) in order to satisfy the requirement in [SP.800-56Cr2] that "nn the absence of an agreed-upon alternative – the default_salt shall be an all-zero byte string whose bit length equals that specified as the bit length of an input block for the hash function, hash". Note that since the desired shared secret key output length of 256 bits for all security levels aligns with the block size of SHA256, we do not need to use the HKDF-Extract step specified in [RFC5869], which further simplifies FIPS certification by allowing us to use the One-Step KDF rather than the Two-Step KDF from [SP.800-56Cr2]. | |||
There was a problem hiding this comment.
Nit: Input block size of SHA384 is 128 bytes (16 words of 8 bytes each).
(Not that it makes actual difference as HMAC would zero-extend the key anyway.)
There was a problem hiding this comment.
Right. I need to actually go read FIPS 180-4 so that I don't continue getting this wrong.
There was a problem hiding this comment.
Wait. HKDF (RFC 5869) says:
if not provided, it is set to a string of HashLen zeros
And some of its test vectors have salt = (0 octets), so maybe it's easier for me to do the same instead of trying to figure out the correct-width input? As you say, HKDF will internally handle this properly.
There was a problem hiding this comment.
@ilaril Can you please re-check that the current wording is ok?
|
I'm going to merge this so that we can proceed with the other PRs that depend on it. If Ilari has more comments, we can address those separately. |
Closes #87
Closes #93