[noise] Specifying Blake2sp / Blake2bp

Jean-Philippe Aumasson jeanphilippe.aumasson at gmail.com
Tue May 2 04:50:37 PDT 2017


The parallel versions are mostly beneficial when hashing long (say, 1k+)
messages and when faster hashing is noticeable. Not sure it's the case
here.

On Tue, May 2, 2017 at 4:55 AM Trevor Perrin <trevp at trevp.net> wrote:

> On Mon, May 1, 2017 at 7:54 PM, Jason A. Donenfeld <Jason at zx2c4.com>
> wrote:
> >
> > I was looking at Samuel's (CC'd) AVX2 optimized implementations of
> > Blake2 [1] and noticed there wasn't any implementation for Blake2s.
> > Samuel explained to me that blake2s and blake2b don't naturally
> > parallelize, which is why the blake2sp and blake2bp variants exist;
> > these nicely parallelize, so fast implementations are possible. Given
> > that Noise is pretty hash-heavy, we have good reason to be interested
> > in fast hash functions.
>
>
> Is it, really? ("hash-heavy").  The hash is just used during the
> handshake, where's there's all the public-key ops.
>
> Noise does lots of small-message hashing (including HMAC and HKDF),
> plus hashing the "e" and "s" tokens, where I imagine this wouldn't
> help much or at all.  And I assume it's more complex and less widely
> available.
>
> It's easy to just do it if you use the "BLAKE2sp" name, but at first
> glance I'm skeptical this would be a good recommendation for the core
> spec.
>
> Trevor
> _______________________________________________
> Noise mailing list
> Noise at moderncrypto.org
> https://moderncrypto.org/mailman/listinfo/noise
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://moderncrypto.org/mail-archive/noise/attachments/20170502/857d1478/attachment.html>


More information about the Noise mailing list