[noise] Revision 12: hash function cleanup / improvement
Trevor Perrin
trevp at trevp.net
Sat Oct 17 17:49:13 PDT 2015
On Sat, Oct 17, 2015 at 2:59 PM, Jason A. Donenfeld <Jason at zx2c4.com> wrote:
>> Choosing crypto functions: The 25519 DH functions are recommended for most
>> uses, along with either AESGCM_SHA256 or ChaChaPoly_BLAKE2s. For an extreme
>> security margin, you could use the 448 DH functions with either
>> AESGCM_SHA512 or ChaChaPoly_BLAKE2b.
>
>
> This might not actually be very good advice in the case of BLAKE2b. The
> reason is that BLAKE2b actually outperforms BLAKE2s by a pretty considerable
> amount on 64bit platforms. ( https://blake2.net/sandy.png ) So, it's
> possible that one might prefer 25519 with ChaChaPoly_BLAKE2b, for the
> performance alone. JP -- correct me if I'm wrong here about that.
I don't think the 64-bit BLAKE2b (or SHA512) will offer a meaningful
speed advantage over the 32-bit hashes.
BLAKE2b and SHA512 use 128-byte blocks instead of 64-byte blocks.
Lots of the hash calls are on small inputs, where only a single block
is hashed (e.g. empty payloads, pre-message public keys, HKDF-Expand),
so BLAKE2b or SHA512 will have to hash more data.
(And in any case, 64-bit platforms probably won't find this small
amount of hashing a performance bottleneck, and DHs dominate handshake
cost.)
Trevor
More information about the Noise
mailing list