[noise] Hash len > cipher len in tls1.2

Trevor Perrin trevp at trevp.net
Tue Mar 8 16:24:23 PST 2016

On Fri, Mar 4, 2016 at 4:47 AM, Jason A. Donenfeld <Jason at zx2c4.com> wrote:
> Hi guys,
> I haven't looked in depth into the details, but recently while doing some
> menial sysadmin labor, I noticed that TLS1.2 cipher suites always have a
> hash length bigger than the cipher key length. AES128 uses SHA256 and AES256

Noise doesn't use 128-bit ciphers, it uses 256-bit ciphers even with
hash functions and curves that only offer ~128 bits security.

This is because ciphers might be subject to precomputation attacks, it
cheaply buys extra security margin, and reduces the number of options.

> uses SHA384. I was wondering if we should consider the same thing here for
> Noise. Namely, suggesting Blake2b over Blake2s, since ChaCha is 256 bits.

Noise already suggests "super-sizing" the curve and hash, if you want:

"For an extreme security margin, you could use the 448 DH functions
with either AESGCM_SHA512 or ChaChaPoly_BLAKE2b."


More information about the Noise mailing list