cfrg / draft-irtf-cfrg-hash-to-curve

Hashing to Elliptic Curves

proposal: remove k and set a fixed size #315

Closed armfazh closed 3 years ago

armfazh commented 3 years ago

Section 5.4.3 shows a method to reduce long DST to short strings.

For the MD expander, the new DST gets as large as the underlying hash function. However, for the XOF expander the output depends on k (the security parameter).

It is not clear what value for k must be chosen, so I propose to remove it and always generate a DST of the maximum allowed size (255 bytes) only for the XOF expander.

Here is my proposal:

5.4.3.  Using DSTs longer than 255 bytes
  o  For expand_message_xof using extensible-output function H, DST is
      computed as

-   DST = H("H2C-OVERSIZE-DST-" || a_very_long_DST, ceil(2 * k / 8))
+   DST = H("H2C-OVERSIZE-DST-" || a_very_long_DST, 255)

  Here, a_very_long_DST is the DST whose length is greater than 255
-  bytes, "H2C-OVERSIZE-DST-" is a 17-byte ASCII string literal, and k
-  is the target security level in bits.
+  bytes, "H2C-OVERSIZE-DST-" is a 17-byte ASCII string literal.
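
Review bot: The `+` line that sets the XOF output length to 255 leaves that constant unexplained once the sentence about k is deleted from the closing paragraph. If the fixed size is kept, add a clause there saying that 255 bytes is the maximum allowed DST length, so a reader does not have to infer why this number was chosen. The new length also changes the reduced DST for every input longer than 255 bytes compared with the `ceil(2 * k / 8)` form, so the change is not purely editorial and should be called out as affecting outputs for oversized DSTs.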

armfazh commented 3 years ago

From another point of view, each suite fully specifies the parameter k. So, the change I proposed may not be needed.

chris-wood commented 3 years ago

My vote is that we leave this as-is given that k is specified. @kwantam?

kwantam commented 3 years ago

Agreed!

armfazh commented 3 years ago

Closing in favor of the current status.
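
The Section 5.4.3 reduction discussed in this thread, as an added example that is not code from the draft or from any participant: it computes the reduced DST for the XOF expander both with the current `ceil(2 * k / 8)` length and with the fixed 255-byte length from the proposal, then feeds it into an expander. Assumptions: SHAKE128 as H, k = 128, the sample DST, and the `expand_message_xof` layout (one-byte DST length suffix, two-byte output length), which does not appear in the thread.

```python
import hashlib

OVERSIZE_PREFIX = b"H2C-OVERSIZE-DST-"  # 17-byte ASCII literal quoted in the issue
MAX_DST_LEN = 255                        # maximum allowed DST size per the issue


def reduce_dst_xof(dst: bytes, k: int, xof=hashlib.shake_128) -> bytes:
    """Current text: H(prefix || dst, ceil(2 * k / 8)) when dst is oversized."""
    if len(dst) <= MAX_DST_LEN:
        return dst
    out_len = (2 * k + 7) // 8  # integer form of ceil(2 * k / 8)
    return xof(OVERSIZE_PREFIX + dst).digest(out_len)


def reduce_dst_fixed(dst: bytes, xof=hashlib.shake_128) -> bytes:
    """Variant proposed in the issue: always squeeze 255 bytes, no k."""
    if len(dst) <= MAX_DST_LEN:
        return dst
    return xof(OVERSIZE_PREFIX + dst).digest(MAX_DST_LEN)


def expand_message_xof(msg: bytes, dst: bytes, len_in_bytes: int, k: int,
                       xof=hashlib.shake_128) -> bytes:
    """Expander layout (assumed, not shown in the thread) with reduction first."""
    if len_in_bytes > 65535:
        raise ValueError("len_in_bytes does not fit in two bytes")
    dst = reduce_dst_xof(dst, k, xof)
    # The DST length is appended as a single byte, hence the 255-byte ceiling.
    dst_prime = dst + len(dst).to_bytes(1, "big")
    msg_prime = msg + len_in_bytes.to_bytes(2, "big") + dst_prime
    return xof(msg_prime).digest(len_in_bytes)


# Constructed sample input: a 300-byte DST; k = 128 is an assumed suite value.
LONG_DST = b"EXAMPLE-APP-V01-" + b"x" * 284
K = 128

if __name__ == "__main__":
    current = reduce_dst_xof(LONG_DST, K)
    proposed = reduce_dst_fixed(LONG_DST)
    print("input DST bytes:", len(LONG_DST))
    print("current rule   :", len(current), "bytes")
    print("proposed rule  :", len(proposed), "bytes")
    # Same XOF stream, different length: the two rules yield different DSTs.
    print("shared prefix  :", proposed[:len(current)] == current)
    print(expand_message_xof(b"abc", LONG_DST, 32, K).hex())
```

Because the reduced DST is length-suffixed before hashing, the two rules lead to different expander outputs even though the shorter DST is a prefix of the longer one.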