Eric Rescorla <e...@rtfm.com> wrote:
> Issue:
> https://github.com/tlswg/tls13-spec/issues/555
>
> ADL suggested that we could slightly reduce the number of HKDF
> computations by generating the IVs as a single block rather than
> with individual HKDF-Expands. You can't generally do this kind
> of slice-and-dice and preserve the key boundary, but IVs are
> public anyway.
When you say "IV," what are you referring to?

Definitely the original intent of my proposal to use client_write_iv and server_write_iv is that they would remain secret. I suspect that some analysis might be simplified by assuming that they are publicly-known as a worst-case scenario, but that's different than them being "public", and we should design things assuming that we're trying to keep them private.

Cheers,
Brian
-- 
https://briansmith.org/
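The following is an added illustration, not code from either message or from the tls13-spec repository. It shows concretely what the two derivation shapes under discussion are: one HKDF-Expand-Label call per IV (each output bound to its own label) versus a single HKDF-Expand-Label call producing a 2*IV_LEN block that is then sliced into client and server IVs. It uses the HkdfLabel encoding from the final RFC 8446 (a "tls13 " label prefix), not the draft encoding current when issue 555 was filed, assumes both IVs come from a single traffic secret, and uses illustrative labels ("iv", "iv block") that are not the spec's labels. It demonstrates the mechanics only; it takes no position on whether the sliced form preserves the key-boundary argument.

```python
import hashlib
import hmac
import struct

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size
IV_LEN = 12  # AEAD nonce length for the AES-GCM and ChaCha20-Poly1305 suites


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 HKDF-Extract: PRK = HMAC-Hash(salt, IKM); empty salt means HashLen zeros."""
    if not salt:
        salt = b"\x00" * HASH_LEN
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand: T(i) = HMAC-Hash(PRK, T(i-1) | info | i), concatenated and truncated."""
    if length > 255 * HASH_LEN:
        raise ValueError("requested length exceeds 255 * HashLen")
    okm = b""
    block = b""
    counter = 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf_expand_label(secret: bytes, label: str, context: bytes, length: int) -> bytes:
    """TLS 1.3 HKDF-Expand-Label with the RFC 8446 HkdfLabel structure:
    uint16 length; opaque label<7..255> = "tls13 " + label; opaque context<0..255>."""
    full_label = b"tls13 " + label.encode("ascii")
    hkdf_label = (struct.pack("!H", length)
                  + bytes([len(full_label)]) + full_label
                  + bytes([len(context)]) + context)
    return hkdf_expand(secret, hkdf_label, length)


def derive_ivs_separately(traffic_secret: bytes) -> tuple:
    """One HKDF-Expand-Label per IV; each IV is bound to its own label (labels are illustrative)."""
    client_iv = hkdf_expand_label(traffic_secret, "client iv", b"", IV_LEN)
    server_iv = hkdf_expand_label(traffic_secret, "server iv", b"", IV_LEN)
    return client_iv, server_iv


def derive_ivs_sliced(traffic_secret: bytes) -> tuple:
    """The single-block shape: one HKDF-Expand-Label of 2*IV_LEN bytes, split into two halves.
    Both IVs are then consecutive bytes of the same PRF output stream under one label."""
    block = hkdf_expand_label(traffic_secret, "iv block", b"", 2 * IV_LEN)
    return block[:IV_LEN], block[IV_LEN:]


if __name__ == "__main__":
    # Constructed sample secret; a real traffic secret comes out of the key schedule.
    secret = hkdf_extract(b"", b"\x0b" * 32)
    print("separate:", [iv.hex() for iv in derive_ivs_separately(secret)])
    print("sliced:  ", [iv.hex() for iv in derive_ivs_sliced(secret)])
```

Counting HMAC invocations makes the cost difference visible: with SHA-256 the separate form costs two HMAC calls (one Expand each, one block each), while the sliced 24-byte block also fits in one HMAC output block, so it costs a single HMAC call. That is the "slightly reduce the number of HKDF computations" being weighed against keeping each IV under its own label.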