5. Cryptographic Dependencies

This section specifies the cryptographic primitives required by PALISADE and the assumptions under which its security properties hold.


5.1 Required and Optional Algorithms

PALISADE defines a mandatory set of cryptographic algorithms to ensure baseline interoperability, as well as optional alternatives that MAY be supported by implementations.

Purpose                            Algorithm             Status
---------------------------------  --------------------  --------
Key Encapsulation Mechanism (KEM)  ML-KEM-768            REQUIRED
Digital Signature Scheme           Dilithium-3           REQUIRED
Authenticated Encryption (AEAD)    XChaCha20-Poly1305    REQUIRED
Hash/KDF                           HKDF with SHA3-256    REQUIRED

The following algorithms MAY be supported as optional alternatives and are not required for conformance:

  • ML-KEM-1024
  • Falcon-512
  • SPHINCS+

All implementations MUST support ML-KEM-768, Dilithium-3, ChaCha20-Poly1305, and HKDF-SHA3-256.


5.2 Hash and Key Derivation

PALISADE uses the HMAC-based Key Derivation Function (HKDF) as defined in RFC 5869, instantiated with SHA3-256 as the underlying hash function.

Implementations MUST use HMAC-SHA3-256 as the pseudorandom function for both HKDF-Extract and HKDF-Expand. Implementations MUST NOT substitute a keyed SHA3-256 hash or any non-HMAC construction in place of HMAC.

The HKDF functions are defined as follows (HashLen, the output length of SHA3-256, is 32 octets):

HKDF-Extract(salt, IKM):
    PRK = HMAC-SHA3-256(salt, IKM)

HKDF-Expand(PRK, info, L):
    N = ceil(L / 32)
    T(0) = empty
    for i = 1 to N:
        T(i) = HMAC-SHA3-256(PRK, T(i-1) || info || byte(i))
    OKM = first L bytes of T(1) || T(2) || ... || T(N)

Because the counter byte(i) is a single octet, L MUST NOT exceed 255 * 32 = 8160 octets, as in RFC 5869. Any deviation from this construction is non-conformant.
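The following is an added reference implementation of the construction above, written for this section and not part of the PALISADE specification or any PALISADE implementation. It uses only the Python standard library (hashlib.sha3_256 and the hmac module) and follows Section 5.2 literally: HMAC-SHA3-256 is the PRF for both Extract and Expand, the counter is a single octet, and the 255 * HashLen limit from RFC 5869 is enforced. A keyed-prefix SHA3 function is included only to show that the construction Section 5.2 forbids produces different bytes, i.e. would not interoperate. All sample inputs (salt, IKM, info strings) are constructed values, not test vectors from Appendix E.

```python
import hashlib
import hmac
import math

HASH_LEN = 32                      # output length of SHA3-256 in octets
MAX_OKM_LEN = 255 * HASH_LEN       # RFC 5869 bound: counter is one octet


def hmac_sha3_256(key: bytes, data: bytes) -> bytes:
    """HMAC (RFC 2104) instantiated with SHA3-256 (FIPS 202).

    hashlib.sha3_256 reports a 136-byte block size, which the hmac module
    uses for key padding, so this is standard HMAC over SHA3-256.
    """
    return hmac.new(key, data, hashlib.sha3_256).digest()


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract: PRK = HMAC-SHA3-256(salt, IKM).

    An empty salt is equivalent to a salt of HASH_LEN zero bytes, because
    HMAC zero-pads short keys to the block size (RFC 5869, Section 2.2).
    """
    return hmac_sha3_256(salt, ikm)


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand exactly as written in Section 5.2."""
    if length <= 0 or length > MAX_OKM_LEN:
        raise ValueError(f"L must be in 1..{MAX_OKM_LEN} octets, got {length}")
    n = math.ceil(length / HASH_LEN)
    t_prev = b""                   # T(0) = empty
    blocks = []
    for i in range(1, n + 1):
        # T(i) = HMAC-SHA3-256(PRK, T(i-1) || info || byte(i))
        t_prev = hmac_sha3_256(prk, t_prev + info + bytes([i]))
        blocks.append(t_prev)
    return b"".join(blocks)[:length]   # first L bytes of T(1) || ... || T(N)


def hkdf(salt: bytes, ikm: bytes, info: bytes, length: int) -> bytes:
    """Full HKDF: Expand(Extract(salt, IKM), info, L)."""
    return hkdf_expand(hkdf_extract(salt, ikm), info, length)


def keyed_sha3_prefix(key: bytes, data: bytes) -> bytes:
    """NON-CONFORMANT: SHA3-256(key || data). Shown only to demonstrate that
    substituting a keyed hash for HMAC (forbidden by Section 5.2) yields
    different output and therefore breaks interoperability."""
    return hashlib.sha3_256(key + data).digest()


if __name__ == "__main__":
    # Constructed sample inputs; not Appendix E test vectors.
    prk = hkdf_extract(b"constructed-salt", b"constructed-input-key-material")
    okm = hkdf_expand(prk, b"PALISADE example info", 64)
    print("PRK:", prk.hex())
    print("OKM:", okm.hex())
    print("keyed-prefix PRK differs from HMAC PRK:",
          keyed_sha3_prefix(b"constructed-salt", b"constructed-input-key-material") != prk)
```

A conformance check against Appendix E would call hkdf() with each vector's salt, IKM, info and L and compare the result byte-for-byte; the value checks below instead verify the structure of the construction (block chaining, prefix consistency, the L bound, and the zero-salt equivalence), since no official vector is reproduced here.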


5.3 Post-Quantum Security Considerations

SHA3-256 is standardized by NIST in FIPS 202 and is widely used in post-quantum cryptographic constructions. When used within HKDF, SHA3-256 provides pseudorandomness suitable for key derivation in the presence of quantum adversaries.

Under Grover’s algorithm, a 256-bit hash output provides approximately 128 bits of security against preimage and collision attacks. No known quantum algorithms provide a structural attack against SHA-3 beyond generic quadratic speedups.

Implementations MUST successfully process the test vectors specified in Appendix E: Test Vectors to be considered conformant.

PALISADE Protocol Specification Draft 00

INFORMATIONAL