On Wed, May 03, 2023 at 04:05:49PM +1000, pauli@xxxxxxxxxxx wrote:
> They are never going to change in a way that breaks compatibility.
The point being that HKDFs are used in key agreement protocols with
independently implemented peers of unknown vintage. If the HKDF's
output is ever to be a different function of its input, it is a new
HKDF. In terms of CS type theory, an HKDF is a "pure function".
The only reason that an HKDF *could* change would be if a bug were
discovered in its implementation. In that unlikely scenario, a library
might consider exposing the legacy (buggy) implementation for legacy
purposes along with the fixed new version, if such a bug were to be
discovered. Ideally, the implementations of basic HKDFs are, and
indefinitely remain, correct.
--
Viktor.
