Closed armfazh closed 3 years ago
On other point of view, each suite fully specifies the parameter k
. So, the change I proposed may not needed.
My vote is that we leave this as-is given that k
is specified. @kwantam?
Agreed!
Closing in favor of the current status.
Section 5.4.3 shows a method to reduce long DST to short strings.
For the MD expander, the new DST gets as large as the underlying hash function. However, for the XOF expander the output depends on
k
(the security parameter).It is no clear what value for
k
must be chosen, so I propose to remove it and always generate a DST of the maximum allowed size (255 bytes) only for the XOF expander.Here is my proposal: