Nimrod Aviram writes:
[ regarding the "dual-PRF" security property ]
> Our construction satisfies this property.

To make sure I understand:

(1) You mean that the construction is _conjectured_ to satisfy this property, i.e., to be a dual PRF? There must be some sort of limit on the hash functions allowed here; is SHA-256 allowed?

(2) The basis for this conjecture is your previous claim that the construction provides "provable security"?

(3) Meanwhile you claim that the H(x,y) construction used in the hybrid-key-exchange draft doesn't provide "provable security"?

In any case, can you please clarify what precisely you mean by "provable security" in the previous claim that the construction provides "provable security"? Clarity is a prerequisite for evaluation of the claim. Thanks in advance.

---Dan

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls