Current proofs for TLS 1.3 generally require HKDF to act as a dual-PRF (or as a random oracle - an even stronger assumption). HKDF has not yet been proven to satisfy this property, under any assumption. Our construction satisfies this property.
best,
Nimrod

On Mon, 24 Jan 2022 at 17:13, D. J. Bernstein <[email protected]> wrote:

> Nimrod Aviram writes:
> > To summarize, we recommend using our new proposed construction. It’s fast,
> > easy to implement, and provides provable security.
>
> The baseline construction is faster and is easier to implement, so
> you're saying it doesn't provide "provable security"? Can you please
> clarify what precisely you mean by "provable security" here?
>
> ---Dan
>
> _______________________________________________
> TLS mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/tls
