Hi all, I see that the leading zero is stripped off of the value of Z (the shared secret) before it is used as input to HKDF. This seems to be compatible with TLS 1.2. Then again, it is not compatible with e.g. NISP800-56A which uses the value of Z with the same size of the prime in octets. Furthermore, it is also different with regards to handling the coordinate X as used in ECDH.
Was this a conscious decision to keep compatibility with TLS? Has the use of the value of Z including zero octets been considered? Regards, Maarten
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls