
I am using a PQ-KEM to get a 32 byte shared secret. I want to derive 2 keys, 1 for encryption of the message using AES-CTR and another for HMAC-512. Can I safely ignore the salt and info parameters in HKDF-SHA512, as they are marked optional?

I want to skip the salt parameter because in https://datatracker.ietf.org/doc/html/rfc5869#section-3.4 it is given that the attacker must not manipulate the salt parameter. In my application, the salt for HKDF and the info parameter will be sent along with the encrypted message and HMAC; however, on the recipient side, before verification of the HMAC, the salt and info values sent along with the encrypted message have to be used with HKDF to derive the key to verify the HMAC, and only then could I authenticate the salt, info and ciphertext. I guess this will make my crypto insecure, am I correct?

1 Answer


You only need to use a salt if you need domain separation or randomness extraction (as you can see from the comments in the randomness extraction answer, it is questionable as to whether a salt is actually even needed for randomness extraction).

The info parameter will contain strings as defined in your protocol that will allow different keys to be derived from the same initial keying material at the HKDF-Expand step. Therefore, since the choice of info parameter values used to generate each key will be defined in your protocol, you should not be transmitting them.

knaccc
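As an added illustration of the answer (example code, not the answerer's own), here is an RFC 5869 HKDF in plain Python, used to derive the two keys from one 32-byte KEM secret with an empty salt and two protocol-constant info labels that are never transmitted. The label strings and the sample shared secret are assumptions constructed for the example; the hash is parameterised so the RFC's own SHA-256 vectors can be checked against it.

```python
import hashlib
import hmac


def hkdf_extract(salt: bytes, ikm: bytes, hash_name: str = "sha512") -> bytes:
    """HKDF-Extract: PRK = HMAC-Hash(salt, IKM).
    An empty salt is replaced by HashLen zero bytes (RFC 5869, section 2.2)."""
    if not salt:
        salt = b"\x00" * hashlib.new(hash_name).digest_size
    return hmac.new(salt, ikm, hash_name).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int, hash_name: str = "sha512") -> bytes:
    """HKDF-Expand: T(i) = HMAC-Hash(PRK, T(i-1) | info | i) for i = 1..N,
    OKM = first `length` bytes of T(1) | T(2) | ... (RFC 5869, section 2.3)."""
    hash_len = hashlib.new(hash_name).digest_size
    if length > 255 * hash_len:
        raise ValueError("requested length exceeds 255 * HashLen")
    okm = b""
    block = b""  # T(0) is the empty string
    counter = 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hash_name).digest()
        okm += block
        counter += 1
    return okm[:length]


# Hypothetical protocol constants: fixed in the protocol definition on both
# sides, so they provide key separation without ever being sent on the wire.
AES_CTR_KEY_INFO = b"example-protocol v1 aes-256-ctr key"
HMAC_KEY_INFO = b"example-protocol v1 hmac-sha512 key"


def derive_keys(shared_secret: bytes) -> tuple[bytes, bytes]:
    """Derive a 32-byte AES-CTR key and a 64-byte HMAC-SHA512 key from one
    KEM shared secret: no salt, one Extract, two Expands with distinct info."""
    prk = hkdf_extract(b"", shared_secret, "sha512")
    enc_key = hkdf_expand(prk, AES_CTR_KEY_INFO, 32, "sha512")
    mac_key = hkdf_expand(prk, HMAC_KEY_INFO, 64, "sha512")
    return enc_key, mac_key


# Constructed stand-in for the KEM output; a real secret comes from decapsulation.
SAMPLE_SHARED_SECRET = bytes(range(32))

if __name__ == "__main__":
    k_enc, k_mac = derive_keys(SAMPLE_SHARED_SECRET)
    print("AES-CTR key:", k_enc.hex())
    print("HMAC key:   ", k_mac.hex())
```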