decentralized-identity / bbs-signature

The BBS Signature Scheme
https://identity.foundation/bbs-signature/draft-irtf-cfrg-bbs-signatures.html
Apache License 2.0

PRF vs RNG/RBG #229

Closed BasileiosKal closed 1 year ago

BasileiosKal commented 1 year ago

IMO we are a little vague regarding the PRFs in the spec.

For example, in RFCs like IKEv2 and RFC4868 (which we link to as a reference), PRFs are keyed, accept additional input and return constant size output. However, we do call them just on the required output len.

You can build an extendable output PRF (or PRF* as it is called in [H2010]), using a PRF in counter/feedback mode etc., and get something usable by our operations, however we don't mention that currently.

I think what we are using is something closer to an RBG or a RNG (or a CSPRBG/CSPRNG more specifically) than a PRF.

Is there a reason to use a PRF?? The differences are subtle (and of course you can build RBGs/RNGs on top of PRFs and vice-versa). It seems more confusing and harder to work with to me though. For example, with PR #228 we recommend the use of a seeded ChaCha20 DRNG to avoid some entropy attacks. However, the result is not "strictly speaking" a PRF.

Other specs like FROST or OPAQUE also use a CSPRNG with both pointing to RFC4086 for requirements.
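To make the distinction in the comment above concrete, here is an added example (not code from the BBS spec or this repository) of a fixed-output keyed PRF and two extendable-output PRF* constructions built on it in counter mode and in feedback mode. HMAC-SHA256 as the base PRF, a 4-byte big-endian counter, and the sample key/label are all assumptions chosen for illustration.

```python
import hashlib
import hmac

BLOCK_LEN = hashlib.sha256().digest_size  # 32-byte fixed output of the base PRF


def prf(key: bytes, msg: bytes) -> bytes:
    """Keyed PRF with constant-size output (HMAC-SHA256, 32 bytes).

    This is the shape of the PRFs in IKEv2 / RFC 4868: keyed, takes extra
    input, returns a fixed number of bytes. It cannot be asked for N bytes.
    """
    return hmac.new(key, msg, hashlib.sha256).digest()


def prf_star_counter(key: bytes, label: bytes, out_len: int) -> bytes:
    """PRF* in counter mode: block i = prf(key, label || i), truncated to out_len.

    Any prefix of the output is stable: asking for 10 bytes or 100 bytes
    yields the same first 10 bytes, since block i never depends on block i-1.
    """
    out = bytearray()
    counter = 0
    while len(out) < out_len:
        out += prf(key, label + counter.to_bytes(4, "big"))  # assumed encoding
        counter += 1
    return bytes(out[:out_len])


def prf_star_feedback(key: bytes, label: bytes, out_len: int) -> bytes:
    """PRF* in feedback mode, in the spirit of IKEv2 prf+ (parameters assumed):

    T_0 = prf(key, label || 0),  T_i = prf(key, T_{i-1} || label || i).
    """
    out = bytearray()
    prev = b""
    counter = 0
    while len(out) < out_len:
        prev = prf(key, prev + label + counter.to_bytes(4, "big"))
        out += prev
        counter += 1
    return bytes(out[:out_len])


if __name__ == "__main__":
    # Constructed sample inputs; a real deployment would use a secret key.
    k, lbl = b"example-prf-key", b"BBS_EXAMPLE_LABEL"
    print(prf_star_counter(k, lbl, 48).hex())
    print(prf_star_feedback(k, lbl, 48).hex())
```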

BasileiosKal commented 1 year ago

Discussed on WG call 9th of January. Next step is to open a PR with the above approach.