-
Notifications
You must be signed in to change notification settings - Fork 98
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
DiffieHellman exchange as AEAD key #61
Comments
Afaik, there is nobody using these functions in deployment, so we could change them. The hkdf is If I understand, you're suggesting we remove the I felt the |
I'm not sure I got everything from your last paragraph, but I would make a PR where Also, I've noticed that the api would look a bit more consistent, arguably more idiomatic, if commit_* methods operated on a transcript instead of having to hand it down as |
I've put far too little thought into the aead module, so sure it could be improved in many ways, but that said.. Actually A feature gate is a questionable example of (c). I suppose We've no "inherent" trait methods, and no arbitrary self types here, so you're suggesting making the aead |
We could place deprecation warnings on |
I was unaware that this difference was on purpose. Given the similarity in names I was thinking
The |
I kinda think separate It's actually common that ad hoc niche protocols skip the KDF like It's true I made |
I've mostly convinced myself we should deprecate |
There is an interest in key committing AEADs which I suspect poses minimal risk here but still.. https://eprint.iacr.org/2017/664.pdf |
I never understood that last paragraph, can you elaborate on it? Are there differences between Blake2x and Keccak that are relevant, or are you referring to how Keccak is used internally in Merlin? I could (maybe) dig through it, but a tl;dr would be appreciated. |
I suspect no, and my words there make little sense, but.. blake2 is based on chacha so one asks does it do much over chacha alone, ala aerad32? The answer is that it brings in some context. |
Appears the age/rage symmetric crypto part lives externally at https://github.com/str4d/rage/tree/main/age-core/src so this key exchange could be used with it, similar to the code at https://github.com/str4d/rage/blob/main/age/src/x25519.rs#L211 We should ensure nothing from age-core is really missing here I guess. |
The output of the raw diffie-hellman is used as the aead key after compression.
Afaik standard practice is to use a hkdf over diffie-hellman to get symmetric keys.
Is there a reason why this isn't needed/recommended here?
The text was updated successfully, but these errors were encountered: