[noise] Revision 12: hash function cleanup / improvement

Jason A. Donenfeld Jason at zx2c4.com
Sat Oct 17 14:45:26 PDT 2015


On Sat, Oct 17, 2015 at 10:29 PM, Trevor Perrin <trevp at trevp.net> wrote:
>
>  * Added a HASHLEN constant and allowed 32 or 64 byte hashes (e.g.
> SHA512, BLAKE2b).  If you want >128-bit security with the 448 curve,
> you would choose a 64 byte hash so that h remains collision-resistant,
> in which case we might as well use the full output for the chaining
> key, which is possible now that we've separated ck from k.
>
>
So just to clarify -- this means that in some cases, ck is 64 bytes and k
is 32 bytes? And k is then calculated from the truncation of the second
HMAC?

Sounds okay. Though, if keeping ck 32 bytes, use of a 64 byte HASH could
then remove the need for a second HMAC. (On the other hand, there's some
idea that truncating HKDF makes things more secure in this case?)
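
The two derivations discussed in this message, as an added example that is not code from the thread or from the Noise project. `mix_key_two_outputs` assumes the HMAC-based two-output HKDF chain of the published Noise specification (the revision 12 draft may differ in detail); `mix_key_split` is a hypothetical sketch of the alternative raised above, and all function names and sample inputs are constructed for illustration.

```python
import hashlib
import hmac

KEYLEN = 32  # cipher key k is always 32 bytes


def hmac_hash(key: bytes, data: bytes, hash_name: str) -> bytes:
    return hmac.new(key, data, hash_name).digest()


def mix_key_two_outputs(ck: bytes, ikm: bytes, hash_name: str = "sha512"):
    """ck keeps the full HASHLEN; k is the second HMAC output truncated to 32."""
    temp = hmac_hash(ck, ikm, hash_name)                # extract step
    out1 = hmac_hash(temp, b"\x01", hash_name)          # new chaining key
    out2 = hmac_hash(temp, out1 + b"\x02", hash_name)   # second HMAC
    return out1, out2[:KEYLEN]


def mix_key_split(ck: bytes, ikm: bytes, hash_name: str = "sha512"):
    """Hypothetical alternative: ck stays 32 bytes and one 64-byte
    expand output is split into ck || k, so no second expand HMAC."""
    if hashlib.new(hash_name).digest_size < 2 * KEYLEN:
        raise ValueError("needs a hash with at least 64 bytes of output")
    temp = hmac_hash(ck, ikm, hash_name)
    out1 = hmac_hash(temp, b"\x01", hash_name)
    return out1[:KEYLEN], out1[KEYLEN:2 * KEYLEN]


if __name__ == "__main__":
    # Constructed sample inputs, not real handshake values.
    ikm = bytes(range(32))
    ck, k = mix_key_two_outputs(bytes(64), ikm)
    print("two outputs: len(ck) =", len(ck), "len(k) =", len(k))
    ck, k = mix_key_split(bytes(32), ikm)
    print("split:       len(ck) =", len(ck), "len(k) =", len(k))
```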