- Dec 2020
Is the entropy from `Q_plain` really needed? A reason for it would be that the client provides randomness with the nonce contained in `Q_plain`, in the sense of a contributive key exchange. However, the client already contributes the HPKE ephemeral key.
If the Extract step should stay, I suggest changing the order of `odoh_secret`. The value `odoh_secret` is of fixed size and uniformly random, and thus fits better as `salt` to HKDF-Extract. If the first value is longer than a hash function block size, HMAC will do an additional hashing step: This seems easily possible for `Q_plain`.
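The HMAC behaviour this comment refers to, as an added example that is not part of the original review or of the draft: HKDF-Extract is HMAC keyed with its first argument, and HMAC hashes any key longer than one block before using it. SHA-256, the sample byte strings and all helper names are assumptions.

```python
import hashlib
import hmac
import os

HASH = hashlib.sha256        # assumption: the KDF is HKDF-SHA256
BLOCK = HASH().block_size    # 64 bytes for SHA-256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 HKDF-Extract: PRK = HMAC-Hash(key=salt, message=IKM)."""
    return hmac.new(salt, ikm, HASH).digest()


def needs_prehash(first_arg: bytes) -> bool:
    """True if HMAC must hash the key first (RFC 2104: key longer than one block)."""
    return len(first_arg) > BLOCK


def effective_key(first_arg: bytes) -> bytes:
    """The key HMAC actually works with, before zero-padding to the block size."""
    return HASH(first_arg).digest() if needs_prehash(first_arg) else first_arg


def compare_orders(q_plain: bytes, odoh_secret: bytes) -> dict:
    """Report, for both argument orders, whether the extra hashing step occurs."""
    return {
        "Extract(Q_plain, odoh_secret)": needs_prehash(q_plain),
        "Extract(odoh_secret, Q_plain)": needs_prehash(odoh_secret),
    }


# Constructed sample values (hypothetical, not from the draft or the review).
SAMPLE_ODOH_SECRET = os.urandom(32)   # fixed size, uniformly random
SAMPLE_Q_PLAIN = os.urandom(130)      # stand-in for a padded query longer than 64 bytes

if __name__ == "__main__":
    for order, extra in compare_orders(SAMPLE_Q_PLAIN, SAMPLE_ODOH_SECRET).items():
        print(f"{order}: extra hash of the HMAC key = {extra}")
    # With a long first argument, HMAC silently keys itself with H(Q_plain).
    same = hkdf_extract(SAMPLE_Q_PLAIN, SAMPLE_ODOH_SECRET) == hkdf_extract(
        effective_key(SAMPLE_Q_PLAIN), SAMPLE_ODOH_SECRET)
    print("Extract(Q_plain, s) == Extract(H(Q_plain), s):", same)
```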
proxy and target indistinguishability
How is this defined?
of unique per-client keys
What kind of keys are meant here? Unique target public keys per client?
The function could receive only `ct` instead, as it does not use
The function does not use this parameter.
`context` is not returned by this function, but required as parameter to
`Expand(Extract("", config), "odoh key id", Nh)`
`config` contains kem_id, kdf_id, aead_id, and the public key. Why is entropy extraction needed here?