[noise] Stateful Hash Object Proposal
Peter Schwabe
peter at cryptojedi.org
Fri Dec 7 20:23:10 PST 2018
Trevor Perrin <trevp at trevp.net> wrote:
Hi Trevor, hi all,
> On Sun, Dec 2, 2018 at 9:40 PM Peter Schwabe <peter at cryptojedi.org> wrote:
> >
> > Trevor Perrin <trevp at trevp.net> wrote:
> > > Maybe we could just sketch it out? Looks like Kyber uses symmetric
> > > functions PRF, XOF, G, H instantiated as:
> > >
> > > PRF(s, b) = SHAKE256(s || b)
> > > XOF = SHAKE128
> > > G = SHA3-256
> > > H = SHA3-512
> > >
> > > This could be domain-separated in a simple way, by just Absorbing a
> > > domain-separator byte at the beginning, which we could represent like:
> > >
> > > PRF = SHO("P" || ...)
> > > PRF = SHO("X" || ...)
> > > G = SHO("G" || ...)
> > > H = SHO("H" || ...)
> > >
> > > With constructions from [2] this would just be:
> > >
> > > H = SHAKE("H" || ..., len=32)
> >
> > > The Kyber spec says an earlier version instantiated everything with
> > > SHAKE-256, maybe similar to this? But you changed to avoid
> > > domain-separation discussion, so I wonder how you'd feel about this
> > > now?
> >
> > I think that if you have an incremental hash API, what you're suggesting
> > is the natural thing to do. In a non-incremental hash API, you have to
> > do quite some copying around to put the domain separator at the
> > beginning of the buffer; also it needs additional stack space. That's
> > why I don't like the concatenation notation too much -- it hides those
> > costs for moving data around.
>
> OK, would you prefer Absorb(separator), then Ratchet()?
I would prefer
PRF = SHO("P")
PRF.Absorb(...)
PRF.Squeeze(...)
XOF = SHO("X")
XOF.Absorb(...)
XOF.Squeeze(...)
etc.
> For SHAKE, Ratchet() would run the permutation and then zeroize the
> sponge "rate". So effectively, the sponge's "capacity" of 32 or 64
> bytes just becomes a different constant for Kyber's XOF, PRF, G, and
> H.
> For SHA256, Ratchet() would just zero-pad to the next block boundary
> and run the compression function, which could also be treated as
> different IVs for Kyber's XOF, PRF, G, and H.
I wouldn't expose Ratchet() as a method on the SHO, but handle
ratcheting internally.
Cheers,
Peter
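As an added example, not code from this thread, Noise or Kyber: a minimal Python SHO over SHAKE256 in the shape Peter prefers, with the separator absorbed at construction and Absorb/Squeeze as methods, checked against the concatenation notation from Trevor's sketch. The prf/H/G wrappers, the output lengths and the absorb-after-squeeze restriction are assumptions, since hashlib exposes no sponge state to ratchet.

```python
import hashlib

class SHO:
    """Stateful hash object over SHAKE256 (hypothetical wrapper, not Noise's or Kyber's code)."""

    def __init__(self, domain: bytes):
        # Absorb the domain-separator byte(s) first, as in SHO("P") from the thread.
        self._h = hashlib.shake_256(domain)
        self._squeezed = 0  # bytes already handed out from the output stream

    def Absorb(self, data: bytes) -> "SHO":
        if self._squeezed:
            # hashlib exposes no sponge state, so absorb-after-squeeze (which a
            # real SHO would support via internal ratcheting) cannot be offered.
            raise RuntimeError("Absorb after Squeeze unsupported by this wrapper")
        self._h.update(data)
        return self

    def Squeeze(self, n: int) -> bytes:
        # SHAKE output is prefix-consistent: ask for a longer digest and return
        # only the bytes not yet squeezed.
        out = self._h.digest(self._squeezed + n)[self._squeezed:]
        self._squeezed += n
        return out

# Kyber-style instantiation with one separator byte per function, as sketched
# in the thread; the output lengths are assumptions.
def prf(seed: bytes, nonce: int, n: int) -> bytes:
    return SHO(b"P").Absorb(seed).Absorb(bytes([nonce])).Squeeze(n)

def H(m: bytes) -> bytes:
    return SHO(b"H").Absorb(m).Squeeze(32)

def G(m: bytes) -> bytes:
    return SHO(b"G").Absorb(m).Squeeze(32)

def matches_concat_notation(m: bytes) -> bool:
    # SHO("H").Absorb(m).Squeeze(32) == SHAKE256("H" || m, len=32), without the
    # copying that building "H" || m in one buffer would need.
    return H(m) == hashlib.shake_256(b"H" + m).digest(32)

def domain_separated(m: bytes) -> bool:
    # Same input, different separator byte: unrelated outputs.
    return H(m) != G(m)

def squeeze_is_streaming(m: bytes) -> bool:
    s = SHO(b"X").Absorb(m)
    return s.Squeeze(16) + s.Squeeze(16) == SHO(b"X").Absorb(m).Squeeze(32)
```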