[noise] Stateful Hash Object Proposal

Trevor Perrin trevp at trevp.net
Sun Dec 2 20:10:21 PST 2018


On Sun, Dec 2, 2018 at 9:40 PM Peter Schwabe <peter at cryptojedi.org> wrote:
>
> Trevor Perrin <trevp at trevp.net> wrote:
> > Maybe we could just sketch it out?  Looks like Kyber uses symmetric
> > functions PRF, XOF, G, H instantiated as:
> >
> > PRF(s, b) = SHAKE256(s || b)
> > XOF = SHAKE128
> > G = SHA3-256
> > H = SHA3-512
> >
> > This could be domain-separated in a simple way, by just Absorbing a
> > domain-separator byte at the beginning, which we could represent like:
> >
> > PRF = SHO("P" || ...)
> > PRF = SHO("X" || ...)
> > G = SHO("G" || ...)
> > H = SHO("H" || ...)
> >
> > With constructions from [2] this would just be:
> >
> > H = SHAKE("H" || ..., len=32)
>
> > The Kyber spec says an earlier version instantiated everything with
> > SHAKE-256, maybe similar to this?  But you changed to avoid
> > domain-separation discussion, so I wonder how you'd feel about this
> > now?
>
> I think that if you have an incremental hash API, what you're suggesting
> is the natural thing to do. In a non-incremental hash API, you have to
> do quite some copying around to put the domain separator at the
> beginning of the buffer; also it needs additional stack space. That's
> why I don't like the concatenation notation too much -- it hides those
> costs for moving data around.

OK, would you prefer Absorb(separator), then Ratchet()?

For SHAKE, Ratchet() would run the permutation and then zeroize the
sponge "rate". So effectively, the sponge's "capacity" of 32 or 64
bytes just becomes a different constant for Kyber's XOF, PRF, G, and
H.

For SHA256, Ratchet() would just zero-pad to the next block boundary
and run the compression function, which could also be treated as
different IVs for Kyber's XOF, PRF, G, and H.

Trevor
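
The SHAKE case described above, as an added example that is not part of the original message or of any Noise or Kyber code. It assumes SHAKE128 parameters (168-byte rate, 32-byte capacity), XORs the separator into the state without padding before the ratchet, and handles single-block messages only; the names `absorb`, `ratchet`, `finish` and `sho` are hypothetical.

```python
RATE = 168  # SHAKE128 rate in bytes; the other 32 bytes of state are the capacity

def rol(v, n):
    return ((v << (n % 64)) | (v >> (64 - n % 64))) & (2**64 - 1)

def keccak_f(A):  # Keccak-f[1600]; lane (x, y) is A[x + 5*y]
    lfsr = 1
    for _ in range(24):
        C = [A[x] ^ A[x+5] ^ A[x+10] ^ A[x+15] ^ A[x+20] for x in range(5)]  # theta
        D = [C[(x-1) % 5] ^ rol(C[(x+1) % 5], 1) for x in range(5)]
        A = [A[i] ^ D[i % 5] for i in range(25)]
        x, y, cur = 1, 0, A[1]  # rho and pi
        for t in range(24):
            x, y = y, (2*x + 3*y) % 5
            cur, A[x + 5*y] = A[x + 5*y], rol(cur, (t+1)*(t+2)//2)
        for r in range(0, 25, 5):  # chi
            row = A[r:r+5]
            for x in range(5):
                A[r+x] = row[x] ^ (~row[(x+1) % 5] & row[(x+2) % 5])
        for j in range(7):  # iota
            lfsr = ((lfsr << 1) ^ ((lfsr >> 7) * 0x71)) % 256
            if lfsr & 2:
                A[0] ^= 1 << ((1 << j) - 1)
    return A

def permute(state):
    lanes = [int.from_bytes(state[i:i+8], "little") for i in range(0, 200, 8)]
    return b"".join(l.to_bytes(8, "little") for l in keccak_f(lanes))

def absorb(state, data):  # XOR up to RATE bytes into the rate, no padding
    return bytes(s ^ d for s, d in zip(state, data.ljust(200, b"\0")))

def ratchet(state):
    """Run the permutation, then zeroize the rate: only the capacity survives."""
    return bytes(RATE) + permute(state)[RATE:]

def finish(state, msg, outlen):
    """Absorb one SHAKE-padded block (len(msg) < RATE), squeeze outlen <= RATE bytes."""
    block = bytearray(msg + b"\x1f" + bytes(RATE - len(msg) - 1))
    block[-1] ^= 0x80
    return permute(absorb(state, bytes(block)))[:outlen]

def sho(sep, msg, outlen=32):
    """Absorb(separator), Ratchet(), then hash msg from the ratcheted state."""
    return finish(ratchet(absorb(bytes(200), sep)), msg, outlen)

if __name__ == "__main__":
    for sep in (b"P", b"X", b"G", b"H"):  # per-function capacity constants
        print(sep.decode(), ratchet(absorb(bytes(200), sep))[RATE:].hex())
```

Called on the all-zero state, `finish` is plain single-block SHAKE128, which gives a check of the permutation against a reference implementation. The four printed values can be precomputed, so no separator bytes need to be copied in front of the input at run time.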