kevinlewi
commented
4 days ago Thanks, you are right. Although the salt doesn't matter and the output length just needs to satisfy collision-resistance (for 128-bit security as mentioned in that section, dkLen = 32 suffices), it would be a good idea to mention these explicitly.
I have updated this in https://github.com/cfrg/draft-irtf-cfrg-opaque/pull/472
iaik-jheher
The latest RFC draft (draft 17), in section
7. Configurations, specifies the recommended scrypt parameters as(N = 32768, r = 8, p = 1), and refers to RFC 7914 for the definition of scrypt.As best as I can tell,
scryptas specified in RFC 7914 takes parametersP(passphrase),S(salt),N(cost parameter),r(block size),p(parallelization difficulty), anddkLen(output length).It is clear that
P = msg, and the draft specifies values forN,r, andp. However, the other parameters are not explicitly specified.My best guesses are:
S = zeroes(16), because that's what everything else usesdkLen = 32, since that's the output length of the P256-SHA256 OPRF, and I assume that KSF input length and output length are equalStill, I think these values -- unless I am completely missing something -- are missing, and should be specified explicitly.