Thank you for the discussion :-)

1. The construction is proven to satisfy this property under precise assumptions about its components. A formal theorem statement can be found in Theorem 1 on page 11 of ePrint 2022/065 <https://eprint.iacr.org/2022/065>. A discussion of how to instantiate those components can be found in Section 5 of the same paper. We think the resulting assumptions are reasonable when SHA-256 is used in the instantiation, as in our reference implementation <https://github.com/nimia/kdf_reference_implementation/blob/main/reference_implementation.c>.

2. There is no conjecture involved, beyond whether the assumptions required for the proof hold. Such assumptions are quite common in cryptography.

3. Please see my previous email to the list: Current proofs for TLS 1.3 generally require HKDF to act as a dual-PRF (or as a random oracle - an even stronger assumption). HKDF has not yet been proven to satisfy this property, under any assumption.

best,
Nimrod

On Mon, 24 Jan 2022 at 18:37, D. J. Bernstein <d...@cr.yp.to> wrote:
> Nimrod Aviram writes:
> [ regarding the "dual-PRF" security property ]
> > Our construction satisfies this property.
>
> To make sure I understand:
>
> (1) You mean that the construction is _conjectured_ to satisfy this
> property, i.e., to be a dual PRF? There must be some sort of
> limit on the hash functions allowed here; is SHA-256 allowed?
>
> (2) The basis for this conjecture is your previous claim that the
> construction provides "provable security"?
>
> (3) Meanwhile you claim that the H(x,y) construction used in the
> hybrid-key-exchange draft doesn't provide "provable security"?
>
> In any case, can you please clarify what precisely you mean by "provable
> security" in the previous claim that the construction provides "provable
> security"? Clarity is a prerequisite for evaluation of the claim. Thanks
> in advance.
>
> ---Dan
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
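The thread turns on why TLS 1.3 proofs need HKDF to be a dual PRF, i.e. pseudorandom whether the secret sits in the salt (HMAC key) slot or in the IKM (HMAC message) slot of HKDF-Extract. The example below is added here and is not code from the thread, the paper, or the reference implementation linked above. It implements HKDF and the three Extract stages of the RFC 8446 key schedule and records, for each stage, which slot carries secret material; the hybrid input being the plain concatenation of the component shared secrets is an assumption of this example, as are the constructed test inputs.

```python
"""Added example: which HKDF-Extract input slot holds the secret at each stage
of the TLS 1.3 key schedule (RFC 8446, Section 7.1).

HKDF-Extract(salt, IKM) = HMAC-Hash(salt, IKM). The "standard" PRF view keys
HMAC by the salt; the "swapped" view keys it by the IKM. A dual PRF is
pseudorandom in both views, which is what the proofs discussed in the thread
assume of HKDF.
"""
import hashlib
import hmac

HASH = "sha256"
HLEN = hashlib.new(HASH).digest_size  # 32 bytes for SHA-256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 Extract. An empty salt is replaced by HLEN zero bytes."""
    if not salt:
        salt = bytes(HLEN)
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 Expand: T(i) = HMAC(PRK, T(i-1) || info || i), concatenated."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def expand_label(secret: bytes, label: bytes, context: bytes, length: int) -> bytes:
    """HKDF-Expand-Label using the HkdfLabel encoding of RFC 8446, Section 7.1."""
    full_label = b"tls13 " + label
    hkdf_label = (length.to_bytes(2, "big")
                  + bytes([len(full_label)]) + full_label
                  + bytes([len(context)]) + context)
    return hkdf_expand(secret, hkdf_label, length)


def derive_secret(secret: bytes, label: bytes, transcript: bytes = b"") -> bytes:
    """Derive-Secret(Secret, Label, Messages) = Expand-Label(Secret, Label, Hash(Messages), HLEN)."""
    return expand_label(secret, label, hashlib.new(HASH, transcript).digest(), HLEN)


def key_schedule(shared_secrets: list, psk: bytes = b"") -> dict:
    """Run the three Extract stages of the TLS 1.3 key schedule.

    shared_secrets: the (EC)DHE shared secret or, for a hybrid exchange, its
    component shared secrets. Assumption of this example: the hybrid input is
    the plain concatenation of the components.

    The returned "secret_slot" map says, per Extract call, which input slot
    held secret material: "salt", "ikm", "either" (both secret) or "none".
    """
    zero = bytes(HLEN)
    # Early Secret = Extract(salt = 0, IKM = PSK or 0). The salt is public.
    early = hkdf_extract(zero, psk if psk else zero)
    # Handshake Secret = Extract(salt = Derive-Secret(Early, "derived"), IKM = (EC)DHE).
    # With no PSK the salt is computable by anyone, so only the IKM is secret.
    ecdhe = b"".join(shared_secrets)
    handshake = hkdf_extract(derive_secret(early, b"derived"), ecdhe)
    # Master Secret = Extract(salt = Derive-Secret(Handshake, "derived"), IKM = 0).
    # Now the secret is in the salt slot and the IKM is public zeros.
    master = hkdf_extract(derive_secret(handshake, b"derived"), zero)
    return {
        "early": early,
        "handshake": handshake,
        "master": master,
        "secret_slot": {
            "early": "ikm" if psk else "none",
            "handshake": "either" if psk else "ikm",
            "master": "salt",
        },
    }


def views_required(psk_used: bool) -> set:
    """PRF views of Extract a proof must assume, given where the secret sits."""
    psk = b"p" * HLEN if psk_used else b""   # constructed inputs
    slots = key_schedule([b"x" * HLEN], psk=psk)["secret_slot"]
    views = set()
    for slot in slots.values():
        if slot == "salt":
            views.add("keyed-by-salt")  # standard PRF view of HMAC
        elif slot == "ikm":
            views.add("keyed-by-ikm")   # swapped view: secret in the HMAC message
    return views


if __name__ == "__main__":
    for psk_used in (False, True):
        print("PSK used" if psk_used else "no PSK", "->", sorted(views_required(psk_used)))
```

Both with and without a PSK the schedule keys Extract by the IKM at one stage and by the salt at another, so a proof that treats HKDF-Extract as a single-view PRF covers neither run in full; that is the dual-PRF requirement the thread refers to.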