hkdf: add Extract and Expand

RFC 5869, Section 3.3 suggests it might be sometimes appropriate to use
Expand without Extract, and it is reasonable to reuse (secret, salt)
with different info values, in which case the Extract can be performed
once as an optimization.

TLS 1.3 also needs direct access to both Extract and Expand.

pseudorandomKey is ugly to look at, but that's intentional, as it
signals that this should have non-obvious properties to the user. The
docs will make it clear it's not the thing you should use in most cases.

Fixes golang/go#28237

Change-Id: Ib43ae8cdde0663aa4752172c39aadfb0e1c35f10
Reviewed-by: Adam Langley <>
2 files changed
tree: 1a8df200eab1ee6a568c2ba9498926b93c03a0ae
  1. .gitattributes
  2. .gitignore
  9. acme/
  10. argon2/
  11. bcrypt/
  12. blake2b/
  13. blake2s/
  14. blowfish/
  15. bn256/
  16. cast5/
  17. chacha20poly1305/
  18. codereview.cfg
  19. cryptobyte/
  20. curve25519/
  21. ed25519/
  22. hkdf/
  23. internal/
  24. md4/
  25. nacl/
  26. ocsp/
  27. openpgp/
  28. otr/
  29. pbkdf2/
  30. pkcs12/
  31. poly1305/
  32. ripemd160/
  33. salsa20/
  34. scrypt/
  35. sha3/
  36. ssh/
  37. tea/
  38. twofish/
  39. xtea/
  40. xts/

Go Cryptography

This repository holds supplementary Go cryptography libraries.


The easiest way to install is to run go get -u You can also manually git clone the repository to $GOPATH/src/

Report Issues / Send Patches

This repository uses Gerrit for code changes. To learn how to submit changes to this repository, see

The main issue tracker for the crypto repository is located at Prefix your issue with “x/crypto:” in the subject line, so it is easy to find.

Note that contributions to the cryptography package receive additional scrutiny due to their sensitive nature. Patches may take longer than normal to receive feedback.