[noise] Stateful Hash Object Proposal

Trevor Perrin trevp at trevp.net
Fri Nov 16 09:52:39 PST 2018


On Fri, Nov 16, 2018 at 10:12 AM Trevor Perrin <trevp at trevp.net> wrote:
> Example SHOs
> -------------
>
> From traditional hashes (SHA256, BLAKE2, etc):
>   Absorb = incrementally hash
>   Squeeze = output the hash value
>   Ratchet = absorb zeros up to the next internal block boundary, so
> that the internal buffer is cleared and the internal chaining variable
> is updated


Hm, for some reason I was thinking length-extension attacks weren't
relevant, so "legacy" hashes like SHA2 could just Squeeze as output =
HASH(input).

But I think that's badly wrong, length-extension attacks would apply
to the Noise use (ex: the handshake hash value or ASK is given to an
attacker, who then calculates later keys k).

So for SHA256 and SHA512 and similar (but not for SHA3 or BLAKE2) we
could Squeeze as either:

 output = HASH(HASH(input))

or

 output = HMAC(key=input, msg="")

 (If an HMAC "key" is longer than the BLOCKLEN it will first hash it).

Not sure which to prefer.  HMAC is more familiar, and does more
hashing, but if we're trusting the hash function I'm not sure it adds
much.

Trevor

