[noise] Stateful Hash Object Proposal
Peter Schwabe
peter at cryptojedi.org
Thu Nov 22 03:03:11 PST 2018
Trevor Perrin <trevp at trevp.net> wrote:
Dear Trevor, dear all,
> The "SHO" API and examples were still vague. Here's another pass.
>
> One goal is to make this API useful for more than just Noise
> transcript hashing. For example, Noise could provide a SHO API to
> public-key algorithms like postquantum KEMs that use a hash function
> internally.
>
>
> API
> ----
> Same as before:
>
> StatefulHashObject {
>
> Absorb(bytes)
> Squeeze(len) -> bytes
> Ratchet()
>
> Clone() -> StatefulHashObject
>
> // Below functions are optional.
> // If supported, Encrypt() must have same properties as:
> // key = Squeeze'(32);
> // ciphertext = Authenticated-Encryption(key, plaintext)
> // Absorb(ciphertext)
> // return ciphertext
> //
> // where Squeeze' is a domain-separated version of Squeeze()
> // and ciphertext is 16 bytes longer than plaintext
>
> Encrypt(bytes) -> bytes
> Decrypt(bytes) -> bytes
> }
Some post-quantum KEMs need multiple hash functions, i.e., they would
need such a StatefulHashObject to be domain-separated. Is the idea that
the caller needs to first absorb the domain-separation string then?
When using SHA-2 you'd probably want to put the domain-separation string
into a separate block, so the callee needs to know that some input is
not a part of the message, but a domain separation. That would require
making domain-separators a separate argument of the first call to Absorb
or alternatively an argument of an Init function.
I'm not sure how you want to do domain separation in the Squeeze'
function. This wouldn't really be (input) domain separation but some
sort of output separation?
About instantiating Squeeze for SHA-2: Wouldn't the "standard" way to
build a XOF from SHA-2 be to use MGF1 [1]?
Cheers,
Peter
[1] https://www.emc.com/collateral/white-papers/h11300-pkcs-1v2-2-rsa-cryptography-standard-wp.pdf,
Appendix B.2.1
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://moderncrypto.org/mail-archive/noise/attachments/20181122/e14a5f55/attachment.sig>
More information about the Noise
mailing list