- "Finally, we point out to a particularly advantageous instantiation using
- HMAC-SHA512 as XTR and HMAC-SHA256 in PRF* (in which case the output from SHA-512 is
- truncated to 256 bits). This makes sense in two ways: First, the extraction part is where we need a
- stronger hash function due to the unconventional demand from the hash function in the extraction
- setting. Second, as shown in Section 6, using HMAC with a truncated output as an extractor
- allows to prove the security of HKDF under considerably weaker assumptions on the underlying
- hash function."
-
- http://eprint.iacr.org/2010/264
+ * "Finally, we point out to a particularly advantageous instantiation using
+ * HMAC-SHA512 as XTR and HMAC-SHA256 in PRF* (in which case the output from SHA-512 is
+ * truncated to 256 bits). This makes sense in two ways: First, the extraction part is where we need a
+ * stronger hash function due to the unconventional demand from the hash function in the extraction
+ * setting. Second, as shown in Section 6, using HMAC with a truncated output as an extractor
+ * allows to prove the security of HKDF under considerably weaker assumptions on the underlying
+ * hash function."
+ *
+ * http://eprint.iacr.org/2010/264