HPKE_maximum_input_lengths.md

Nb: block_length Nh: hash_length (output length)

Formula for maximum input length for a LabeledExtract IKM: max_input_length - Nb - size_label_rfcXXXX - size_label_local

Formula for maximum input length for a LabeledExpand info: max_input_length - Nb - Nh - size_label_rfcXXXX - size_label_local - 2 - 1

Properties of Hash functions in bytes:

Hash in HKDF	max_input_length	Nb	Nh
SHA256	$2^{61}-1$	64	32
SHA384	$2^{125}-1$	128	48
SHA512	$2^{125}-1$	128	64

• max input length definitions in HACL*
• block length definitions in HACL*
• hash output length definitions in HACL*

Label sizes in bytes:

label	size_label
"RFCXXXX "	8
"psk_hash"	8
"pskID_hash"	10
"info_hash"	9
"sec"	3

Maximum input length in bytes, inclusive bound:

		SHA256
psk	extract	$2^{61}-1-64-8-8$
pskID	extract	$2^{61}-1-64-8-10$
info	extract	$2^{61}-1-64-8-9$
exporter_context	expand	$2^{61}-1-64-32-8-3-2-1$

		SHA384
psk	extract	$2^{125}-1-128-8-8$
pskID	extract	$2^{125}-1-128-8-10$
info	extract	$2^{125}-1-128-8-9$
exporter_context	expand	$2^{125}-1-128-48-8-3-2-1$

		SHA512
psk	extract	$2^{125}-1-128-8-8$
pskID	extract	$2^{125}-1-128-8-10$
info	extract	$2^{125}-1-128-8-9$
exporter_context	expand	$2^{125}-1-128-64-8-3-2-1$

Maximum input lengths in bytes, inclusive bounds:

	SHA256	SHA384	SHA512
psk	$2^{61}-81$	$2^{125}-145$	$2^{125}-145$
pskID	$2^{61}-83$	$2^{125}-147$	$2^{125}-147$
info	$2^{61}-82$	$2^{125}-146$	$2^{125}-146$
exporter_context	$2^{61}-111$	$2^{125}-191$	$2^{125}-207$