[noise] Stateful Hash Object Proposal
Samuel Neves
samuel.c.p.neves at gmail.com
Mon Nov 26 07:45:14 PST 2018
On Mon, Nov 26, 2018 at 7:58 AM Peter Schwabe <peter at cryptojedi.org> wrote:
>
> The performance difference is negligible: In MGF1 you can remember the
> state before the last block to not always hash over the whole message
> again, so it's essentially also one compression-function call per output
> block.
>
> Length-extension attacks are a good point. It's probably not too hard to
> prove, but is there a proof that your construction is secure for secret
> input as a PRG?
I imagine that Kasuda's H^2-MAC proof [1] would be easy to modify to
accomplish this. Dodis et al. [2] have pointed out some minor issues
with the H^2 structure under unkeyed settings, which I think would be
fixed if the input is padded with a 0-block beforehand, as done in the
HMAC-but-not-really-HMAC of [3, ยง3.5].
[1] https://doi.org/10.1007/978-3-642-04474-8_35
[2] https://cs.nyu.edu/~dodis/ps/h-of-h.pdf
[3] https://iacr.org/archive/crypto2005/36210424/36210424.pdf
More information about the Noise
mailing list