[noise] Stateful Hash Object Proposal

Trevor Perrin trevp at trevp.net
Sat Dec 8 01:48:19 PST 2018 

On Mon, Dec 3, 2018 at 10:17 AM Samuel Neves <samuel.c.p.neves at gmail.com> wrote:
>
> Replacing varint with uint64 seems like a good idea regardless of anything else.

Agreed, I like varint if space is an issue, but it's not here.


> > Note that this proposal runs SHA3 and BLAKE2 through the same
> > nested-hashed plus zero-block thing as SHA2.  Is that silly - because
> > they don't have length-extension problems - or still worth doing
> > because it's simpler, and you could use the more optimized BLAKE2X or
> > SHAKE if you wanted?
>
> BLAKE2X is essentially this scheme already, except it acts as H(pad(0)
> || h) ... by changing the IV of each call.

Ah, OK.  I was thinking there might be a non-nested alternative.


> In BLAKE2's case, I suppose
> you can do as below. It's not silly, but it's a bit suboptimal, since
> you can change the IV directly. The simplicity of the overall spec
> might well be worth it.

Might also be easier for implementers to prepend something instead of
change IV, depending on their library.

There's a small performance cost, but if you were preprocessing the
domain-separation into an IV constant then that cost would disappear.

So I feel like the below is looking fairly good, I'll try to do a
better writeup soon.

> > SHA3 (not xof, not owf):
> >   Init()       : init(zero_block)
> >   Absorb(data) : update(data)
> >   Ratchet()    : update(pad_to_block); f(); zeroize_rate()
> >   Squeeze(len) : h = finalize(); return HASH(h || uint64(0))  ||
> > HASH(h || uint64(1)) ...
> >
> > SHA2 / BLAKE2 (not xof, owf):
> >   Init()       : init(zero_block)
> >   Absorb(data) : update(data)
> >   Ratchet()    : update(pad_to_block); f()
> >   Squeeze(len) : h = finalize(); return HASH(h || uint64(0))  ||
> > HASH(h || uint64(1)) ...
> >
> > SHAKE (xof, not owf):
> >   Absorb(data) : update(data)
> >   Ratchet()    : update(pad_to_block); f(); zeroize_rate()
> >   Squeeze(len) : return finalize(len)
> >
> > BLAKE2X (xof, owf):
> >   Absorb(data) : update(data)
> >   Ratchet()    : update(pad_to_block); f();
> >   Squeeze(len) : finalize(len)


Trevor

More information about the Noise mailing list