[noise] Stateful Hash Object Proposal
Peter Schwabe
peter at cryptojedi.org
Sun Dec 2 13:39:45 PST 2018
Trevor Perrin <trevp at trevp.net> wrote:
Hi Trevor, hi all.
> > > It would be a great exercise to work through some PQ algorithms and
> > > see whether they could be adjusted to this API
> [...]
> > Totally biased view: could try Kyber, which is currently using all kind
> > of different functions from the SHA-3 family, relying on their internal
> > domain separation.
> [...]
> > Any preference for what language to try this in?
>
> Maybe we could just sketch it out? Looks like Kyber uses symmetric
> functions PRF, XOF, G, H instantiated as:
>
> PRF(s, b) = SHAKE256(s || b)
> XOF = SHAKE128
> G = SHA3-256
> H = SHA3-512
>
> This could be domain-separated in a simple way, by just Absorbing a
> domain-separator byte at the beginning, which we could represent like:
>
> PRF = SHO("P" || ...)
> XOF = SHO("X" || ...)
> G = SHO("G" || ...)
> H = SHO("H" || ...)
>
> With constructions from [2] this would just be:
>
> H = SHAKE("H" || ..., len=32)
>
> The Kyber spec says an earlier version instantiated everything with
> SHAKE-256, maybe similar to this? But you changed to avoid
> domain-separation discussion, so I wonder how you'd feel about this
> now?
I think that if you have an incremental hash API, what you're suggesting
is the natural thing to do. In a non-incremental hash API, you have to
do quite some copying around to put the domain separator at the
beginning of the buffer; also it needs additional stack space. That's
why I don't like the concatenation notation too much -- it hides those
costs for moving data around.
Cheers,
Peter
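The construction the thread sketches, as an added example that is not part of the email or of the Kyber code: a stateful hash object built on SHAKE that absorbs a one-byte domain-separator tag before the real input. It puts the two API shapes side by side, the incremental form that Peter calls natural (tag absorbed first, parts absorbed in place) and the one-shot form that has to assemble `tag || parts` in a scratch buffer first, and checks that they agree and that the four roles are separated. The tag bytes follow Trevor's sketch; the wrapper names `prf`, `xof`, `g`, `h`, the 168-byte XOF output and the 32-byte outputs for G and H are assumptions for the demo, not the Kyber specification.

```python
import hashlib

# Single-byte domain-separator tags for Kyber's four symmetric roles, taken
# from Trevor's sketch (they are the sketch's values, not the Kyber spec's).
TAG_PRF, TAG_XOF, TAG_G, TAG_H = b"P", b"X", b"G", b"H"


def sho_incremental(tag, parts, out_len, sponge=hashlib.shake_256):
    """SHO(tag || part_1 || ... || part_n) through an incremental API.
    The tag is absorbed first and every part is absorbed as-is, so no
    concatenated copy of the input is ever built."""
    state = sponge()
    state.update(tag)
    for part in parts:
        state.update(part)
    return state.digest(out_len)


def sho_oneshot(tag, parts, out_len, sponge=hashlib.shake_256):
    """The same function through a one-shot API. The caller must first
    assemble tag || parts in a scratch buffer; that copy (and its stack
    space) is what the concatenation notation hides."""
    scratch = tag + b"".join(parts)
    return sponge(scratch).digest(out_len)


def oneshot_scratch_bytes(tag, parts):
    """Size of the extra buffer the one-shot form needs. The incremental
    form needs nothing beyond the sponge state itself."""
    return len(tag) + sum(len(p) for p in parts)


# Kyber-style wrappers following the sketch: PRF on SHAKE256, XOF on SHAKE128.
# Output lengths are assumptions for this demo.
def prf(s, b, out_len=32):
    return sho_incremental(TAG_PRF, [s, b], out_len, hashlib.shake_256)


def xof(rho, i, j, out_len=168):
    return sho_incremental(TAG_XOF, [rho, bytes([i, j])], out_len, hashlib.shake_128)


def g(msg, out_len=32):
    return sho_incremental(TAG_G, [msg], out_len)


def h(msg, out_len=32):
    return sho_incremental(TAG_H, [msg], out_len)


def roles_are_separated(msg):
    """True when the four roles give pairwise distinct outputs on identical
    input bytes: the separation the absorbed tag provides explicitly, rather
    than relying on using different members of the SHA-3 family."""
    outs = [sho_incremental(t, [msg], 32) for t in (TAG_PRF, TAG_XOF, TAG_G, TAG_H)]
    return len(set(outs)) == 4


def untagged_is_plain_shake(msg):
    """Sanity check: with an empty tag the SHO is exactly SHAKE256 over the
    input, so the tag is the only thing added on top of the XOF."""
    return sho_incremental(b"", [msg], 32) == hashlib.shake_256(msg).digest(32)


if __name__ == "__main__":
    seed = b"\x00" * 32  # constructed sample seed
    assert prf(seed, b"\x01") == sho_oneshot(TAG_PRF, [seed, b"\x01"], 32)
    print("scratch bytes the one-shot form copies:",
          oneshot_scratch_bytes(TAG_PRF, [seed, b"\x01"]))
    print("roles separated:", roles_are_separated(seed))
```

`oneshot_scratch_bytes` is the concrete cost Peter's remark points at: for a 32-byte seed and a 1-byte nonce the one-shot form copies 34 bytes into a fresh buffer before hashing, while the incremental form just feeds the tag and the two inputs into the sponge state where they already live.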