Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

HKDF tweaks #100

Merged
merged 9 commits into from
Jan 29, 2025
Merged

HKDF tweaks #100

Changes from 1 commit
Commits
Show all changes
9 commits
Select commit Hold shift + click to select a range
c63ebd5
Specified the input params for HKDF. Closes #87
ounsworth Jan 5, 2025
fc23125
Ilari's comments
ounsworth Jan 26, 2025
551b85c
Tweaks to HKDF. Thanks Ilari
ounsworth Jan 26, 2025
e71c69d
Tweak. Thanks Ilari
ounsworth Jan 26, 2025
804955f
HKDF SHA256 vs 512
ounsworth Jan 29, 2025
1c6c537
HKDF sha256 v 512
ounsworth Jan 29, 2025
b31f770
Tweaks to HKDF salt description
ounsworth Jan 29, 2025
13bfd24
fix-lint
ounsworth Jan 29, 2025
c4c6b92
Tweak to HKDF Salt
ounsworth Jan 29, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions draft-ietf-lamps-pq-composite-kem.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1566,9 +1566,9 @@ One of the primary NIST documents which is relevant for certification of a compo

[SP.800-56Cr2] section 4 "One-Step Key Derivation" requires a `counter` which begins at the 4-byte value 0x00000001. However, the counter is allowed to be omitted when the hash function is executed only once, as specified on page 159 of the FIPS 140-3 Implementation Guidance [FIPS-140-3-IG].

The HKDF-SHA2 options can be certified under SP.800-56Cr2 One-Step Key Derivation Option 2: `H(x) = HMAC-hash(salt, x)` where `salt` is the fixed value `0x00000000000000000000000000000000` (ie 64 bytes of zeros) in order to satisfy the requirement in [SP.800-56Cr2] that "nn the absence of an agreed-upon alternative – the default_salt shall be an all-zero byte string whose bit length equals that specified as the bit length of an input block for the hash function, hash". Note that since the desired shared secret key output length of 256 bits for all security levels aligns with the block size of SHA256, we do not need to use the HKDF-Extract step specified in [RFC5869], which further simplifies FIPS certification by allowing us to use the One-Step KDF rather than the Two-Step KDF from [SP.800-56Cr2].
The HKDF-SHA2 options can be certified under SP.800-56Cr2 One-Step Key Derivation Option 2: `H(x) = HMAC-hash(salt, x)` where `salt` is the fixed value `0x00..00` (ie 64 bytes of zeros for SHA2-256 and 96 bytes of zeros for SHA2-384) in order to satisfy the requirement in [SP.800-56Cr2] that "nn the absence of an agreed-upon alternative – the default_salt shall be an all-zero byte string whose bit length equals that specified as the bit length of an input block for the hash function, hash". Note that since the desired shared secret key output length of 256 bits for all security levels aligns with the block size of SHA256, we do not need to use the HKDF-Extract step specified in [RFC5869], which further simplifies FIPS certification by allowing us to use the One-Step KDF rather than the Two-Step KDF from [SP.800-56Cr2].
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nit: Input block size of SHA384 is 128 bytes (16 words of 8 bytes each).

(Not that it makes actual difference as HMAC would zero-extend the key anyway.)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Right. I need to actually go read FIPS 180-4 so that I don't continue getting this wrong.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Wait. HKDF (RFC 5869) says:

if not provided, it is set to a string of HashLen zeros

And some of its test vectors have salt = (0 octets), so maybe it's easier for me to do the same instead of trying to figure out the correct-width input? As you say, HKDF will internally handle this properly.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@ilaril Can you please re-check that the current wording is ok?


The SHA3 options can be certified under [SP.800-56Cr2] One-Step Key Derivation Option 2: `H(x) = HMAC-hash(salt, x)` with the salt omitted.
The SHA3 options can be certified under [SP.800-56Cr2] One-Step Key Derivation Option 1: `H(x) = hash(x)`.


## Backwards Compatibility {#sec-backwards-compat}
Expand Down
Loading