[noise] Revision 12: hash function cleanup / improvement
Jason A. Donenfeld
Jason at zx2c4.com
Sat Oct 17 14:59:23 PDT 2015
>
> Choosing crypto functions: The 25519 DH functions are recommended for most
> uses, along with either AESGCM_SHA256 or ChaChaPoly_BLAKE2s. For an extreme
> security margin, you could use the 448 DH functions with either
> AESGCM_SHA512 or ChaChaPoly_BLAKE2b.
This might not actually be very good advice in the case of BLAKE2b. The
reason is that BLAKE2b actually outperforms BLAKE2s by a pretty
considerable amount on 64bit platforms. ( https://blake2.net/sandy.png )
So, it's possible that one might prefer 25519 with ChaChaPoly_BLAKE2b, for
the performance alone. JP -- correct me if I'm wrong here about that.
(On the other hand, now that HMAC is in the mix, speed wishes involving the
HASH function sort of go out the window. Hopefully someone can prove that
BLAKE2b's keyed mode is reducable to NMAC, and then we'll inherit those
nice security proofs.)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://moderncrypto.org/mail-archive/noise/attachments/20151017/567b3600/attachment.html>
More information about the Noise
mailing list