[noise] Revision 12: hash function cleanup / improvement
Trevor Perrin
trevp at trevp.net
Sat Oct 17 13:29:03 PDT 2015
I made some changes around hash functions, mostly adding a couple
options and some clarification, but one substantive change to naming:
SUBSTANTIVE CHANGE:
* Previously handshakes were named with "symmetric crypto parameters"
which identified the cipher but left the hash (SHA256) implicit, e.g.
Noise_N_25519_ChaChaPoly
It's reasonable for people to choose different hash functions, e.g. if
they're using SHA512 in other parts of the system or want extreme
security with the 448 curve, or want to use SHA3, or if they're using
ChaChaPoly and want to use a hash based on ChaCha, like BLAKE2.
So I replaced "symmetric crypto parameters" with separate cipher and
hash functions, which are part of the name, e.g.
Noise_N_25519_ChaChaPoly_SHA256
This makes the names more likely to tip over 32 bytes and require
hashing, but I guess we can live with that.
ADDITIONS:
* Added a HASHLEN constant and allowed 32 or 64 byte hashes (e.g.
SHA512, BLAKE2b). If you want >128-bit security with the 448 curve,
you would choose a 64 byte hash so that h remains collision-resistant,
in which case we might as well use the full output for the chaining
key, which is possible now that we've separated ck from k.
* Added BLAKE2b and BLAKE2s as recommended hashes. Since they are
ChaCha based it would make sense to use them alongside ChaChaPoly.
CLARIFICATIONS:
* I clarified use of HMAC (there's now a BLOCKLEN constant associated
with each hash function, which HMAC needs).
Trevor
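
Added example, not part of the original message or the Noise project's code: it parses the new five-part name, looks up HASHLEN and BLOCKLEN for the four hashes named above, and writes HMAC out by hand to show where BLOCKLEN is needed. The `initial_h` rule (zero-pad a name of at most HASHLEN bytes, hash a longer one) is an assumption taken from the published Noise specification rather than from this message, and the function names and sample protocol names are constructed for illustration.

```python
import hashlib
import hmac

# hash name -> (constructor, HASHLEN, BLOCKLEN), lengths in bytes
HASHES = {
    "SHA256": (hashlib.sha256, 32, 64),
    "SHA512": (hashlib.sha512, 64, 128),
    "BLAKE2s": (hashlib.blake2s, 32, 64),
    "BLAKE2b": (hashlib.blake2b, 64, 128),
}

# Constructed sample names; the XX pattern is not mentioned in the message.
SAMPLES = (
    "Noise_N_25519_ChaChaPoly_SHA256",    # 31 bytes
    "Noise_XX_25519_ChaChaPoly_BLAKE2s",  # 33 bytes
    "Noise_XX_25519_ChaChaPoly_BLAKE2b",  # 33 bytes
)

def parse_name(name):
    """Split Noise_<pattern>_<dh>_<cipher>_<hash> into its four choices."""
    parts = name.split("_")
    if len(parts) != 5 or parts[0] != "Noise":
        raise ValueError("expected Noise_<pattern>_<dh>_<cipher>_<hash>")
    if parts[4] not in HASHES:
        raise ValueError("unknown hash: " + parts[4])
    return dict(zip(("pattern", "dh", "cipher", "hash"), parts[1:]))

def initial_h(name):
    """Assumed rule: zero-pad names up to HASHLEN, hash longer ones.
    Returns (h, was_hashed)."""
    new, hashlen, _ = HASHES[parse_name(name)["hash"]]
    raw = name.encode("ascii")
    if len(raw) <= hashlen:
        return raw.ljust(hashlen, b"\x00"), False
    return new(raw).digest(), True

def noise_hmac(hash_name, key, data):
    """HMAC (RFC 2104) written out: the key is padded to BLOCKLEN."""
    new, _, blocklen = HASHES[hash_name]
    if len(key) > blocklen:          # over-long keys are hashed first
        key = new(key).digest()
    key = key.ljust(blocklen, b"\x00")
    inner = new(bytes(b ^ 0x36 for b in key) + data).digest()
    return new(bytes(b ^ 0x5C for b in key) + inner).digest()

def matches_stdlib(hash_name, key, data):
    """Cross-check the hand-written HMAC against Python's hmac module."""
    ref = hmac.new(key, data, HASHES[hash_name][0]).digest()
    return hmac.compare_digest(ref, noise_hmac(hash_name, key, data))
```

With a 32-byte hash the 33-byte name is hashed, while the same-length name with BLAKE2b fits inside the 64-byte HASHLEN and is only padded.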