[noise] Stateful Hash Object Proposal
Trevor Perrin
trevp at trevp.net
Thu Nov 29 23:21:29 PST 2018
On Mon, Nov 26, 2018 at 8:04 AM Peter Schwabe <peter at cryptojedi.org> wrote:
>
> Trevor Perrin <trevp at trevp.net> wrote:
>
> Hi again,
>
> > It would be a great exercise to work through some PQ algorithms and
> > see whether they could be adjusted to this API
[...]
> Totally biased view: could try Kyber, which is currently using all kind
> of different functions from the SHA-3 family, relying on their internal
> domain separation.
[...]
> Any preference for what language to try this in?
Maybe we could just sketch it out? Looks like Kyber uses symmetric
functions PRF, XOF, G, H instantiated as:
PRF(s, b) = SHAKE256(s || b)
XOF = SHAKE128
G = SHA3-256
H = SHA3-512
This could be domain-separated in a simple way, by just Absorbing a
domain-separator byte at the beginning, which we could represent like:
PRF = SHO("P" || ...)
XOF = SHO("X" || ...)
G = SHO("G" || ...)
H = SHO("H" || ...)
With constructions from [2] this would just be:
H = SHAKE("H" || ..., len=32)
The Kyber spec [1] says an earlier version instantiated everything with
SHAKE-256, maybe similar to this? But you changed to avoid
domain-separation discussion, so I wonder how you'd feel about this
now?
To me it looks better to express this via domain-separation and a more
abstract API, since it makes it easier to then swap in SHA256 or
anything else, e.g.
H = SHA256(SHA256(zeros || "H" || ...) || uint64(0))
G = SHA256(SHA256(zeros || "H" || ...) || uint64(0)),
SHA256(SHA256(zeros || "H" || ...) || uint64(1))
etc.
Trevor
[1] https://pq-crystals.org/kyber/data/kyber-specification.pdf
[2] https://moderncrypto.org/mail-archive/noise/2018/001894.html
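A worked sketch of the domain-separated SHO API described in the message above, added here as an example; it is not code from the original post, from the Noise project or from Kyber. It instantiates the same single-byte separator scheme ("P", "X", "G", "H") twice, once over SHAKE256 as in the [2]-style construction and once over SHA-256 only, following the SHA256(SHA256(zeros || "H" || ...) || uint64(i)) shape. Assumptions not stated in the message: "zeros" is one 64-byte SHA-256 block of zero bytes, uint64(i) is big-endian, the XOF simply takes a seed and an output length, and H returns 32 bytes while G returns 64 (two SHA-256 output blocks). The function and variable names are the example's own.

```python
import hashlib
import struct

# Added example (not the original post's, Noise's or Kyber's code).
# One sponge-style call, with a leading domain-separator byte telling
# Kyber's PRF, XOF, G and H apart, instantiated two ways.

# Assumption: "zeros" is one SHA-256 block (64 bytes) of zero bytes and
# uint64(i) is a big-endian 8-byte counter.
ZERO_BLOCK = b"\x00" * 64


def sho_shake(domain: bytes, data: bytes, length: int) -> bytes:
    """SHO(domain || data) with SHAKE256 as the sponge, `length` output bytes."""
    if len(domain) != 1:
        raise ValueError("domain separator must be exactly one byte")
    return hashlib.shake_256(domain + data).digest(length)


def sho_sha256(domain: bytes, data: bytes, length: int) -> bytes:
    """Same API built only from SHA-256:
       inner = SHA256(zeros || domain || data)
       out   = SHA256(inner || uint64(0)) || SHA256(inner || uint64(1)) || ...
    truncated to `length` bytes."""
    if len(domain) != 1:
        raise ValueError("domain separator must be exactly one byte")
    inner = hashlib.sha256(ZERO_BLOCK + domain + data).digest()
    blocks = []
    for i in range((length + 31) // 32):
        blocks.append(hashlib.sha256(inner + struct.pack(">Q", i)).digest())
    return b"".join(blocks)[:length]


def kyber_symmetric(sho):
    """Express Kyber's four symmetric functions over an SHO.
    Output sizes follow the message: H gives 32 bytes, G gives 64 bytes
    (two SHA-256 output blocks in the SHA-256 variant); PRF and XOF are
    extendable, so the caller passes the length it needs.
    Argument shapes (PRF(s, b) with b a single byte; XOF over a seed)
    are this example's simplification."""
    def prf(s: bytes, b: int, length: int) -> bytes:
        return sho(b"P", s + bytes([b]), length)

    def xof(seed: bytes, length: int) -> bytes:
        return sho(b"X", seed, length)

    def g(data: bytes) -> bytes:
        return sho(b"G", data, 64)

    def h(data: bytes) -> bytes:
        return sho(b"H", data, 32)

    return prf, xof, g, h


def domain_separation_holds(sho, data: bytes) -> bool:
    """The check a practitioner wants before swapping primitives:
    the same input fed to H, G, PRF and XOF must give unrelated outputs,
    SHO("H" || x) must differ from the undomained hash of x (so an
    attacker cannot replay one caller's hash as another's), and a longer
    output must extend a shorter one (prefix property), which is what
    lets one SHO serve both fixed- and variable-length uses."""
    prf, xof, g, h = kyber_symmetric(sho)
    outs = [h(data), g(data)[:32], xof(data, 32), prf(data, 0, 32)]
    distinct = len(set(outs)) == len(outs)
    undomained = {hashlib.sha256(data).digest(),
                  hashlib.shake_256(data).digest(32)}
    prefix_ok = g(data)[:32] == sho(b"G", data, 32)
    return distinct and h(data) not in undomained and prefix_ok


if __name__ == "__main__":
    msg = b"kyber test input"  # constructed sample input
    for name, sho in (("SHAKE256", sho_shake), ("SHA-256", sho_sha256)):
        print(name, "domain separation:", domain_separation_holds(sho, msg))
        _, _, g, h = kyber_symmetric(sho)
        print("  H =", h(msg).hex())
        print("  G =", g(msg).hex())
```

Swapping the underlying hash is then a one-argument change (`kyber_symmetric(sho_shake)` versus `kyber_symmetric(sho_sha256)`); the callers never see which primitive is underneath, which is the point the message makes about the abstract API.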