Nimrod Aviram writes:
[ regarding the "dual-PRF" security property ]
> Our construction satisfies this property.

To make sure I understand:

(1) You mean that the construction is _conjectured_ to satisfy this
property, i.e., to be a dual PRF? There must be some sort of
limit on the hash functions allowed here; is SHA-256 allowed?

(2) The basis for this conjecture is your previous claim that the
construction provides "provable security"?

(3) Meanwhile you claim that the H(x,y) construction used in the
hybrid-key-exchange draft doesn't provide "provable security"?

In any case, can you please clarify what precisely you mean by "provable
security" in the previous claim that the construction provides "provable
security"? Clarity is a prerequisite for evaluation of the claim. Thanks
in advance.

---Dan
_______________________________________________
TLS mailing list
https://www.ietf.org/mailman/listinfo/tls