
Switch from SHA512 to SHA256

Open hdevalence opened this issue 4 years ago • 4 comments

Since the PAKE has ~128-bit security, it would be slightly cleaner to use SHA-256 for the HKDF construction rather than SHA-512, so that the strength of the hash function is balanced with the strength of the PAKE. This would be incompatible with the Go implementation, so #1 would be nice to close out first (to be sure that there are no existing mismatches in the implementation).

hdevalence avatar May 01 '20 01:05 hdevalence

cc @FiloSottile

hdevalence avatar May 01 '20 01:05 hdevalence

👍 I haven't tagged v1 so I am not opposed to breaking changes, although I'd like to maybe discuss the design more widely to batch with any further changes.

FiloSottile avatar May 02 '20 00:05 FiloSottile

This is now done in filippo.io/cpace.

FiloSottile avatar May 03 '20 19:05 FiloSottile

When switching to SHA-256 there is an issue: for using the mapping from the ristretto255 environment, 64 random bytes are required. When using SHA-256 a quite complex construction has to be used in order to be able to rule out length-extension problems that can come with Merkle-Damgård constructions. (See the current ID version).

For this reason, we recommend SHA-512 for ristretto255 in the ID, and also because for signatures SHA-512 is commonly used in conjunction with curve25519.

Finally, when using SHA-512 for the mapping there is the question as to whether to also use SHA-512 for the ISK and a HKDF operation and possibly truncate the result to 32 bytes.

BjoernMHaase avatar Dec 09 '21 17:12 BjoernMHaase
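The 64-byte requirement described above, as an added example (not the draft's construction and not cpace project code): the ristretto255 one-way map consumes 64 uniform bytes, which one SHA-512 call provides directly, while SHA-256 has to be invoked twice. The two-call variant here prefix-free encodes the inputs and puts a counter byte at the front of each message so the two halves are unrelated compression-function outputs; the field names (dsi, prs, ci, sid) follow the draft's vocabulary but the encoding itself is an assumption for illustration.

```python
"""Added example: producing the 64 uniform bytes needed by the ristretto255
map from either SHA-512 (one call) or SHA-256 (two domain-separated calls).
Illustrative construction only, not the CPace draft's."""
import hashlib


def _encode(*fields: bytes) -> bytes:
    """Prefix-free encoding: each field is preceded by its 2-byte length, so
    distinct field splits can never produce the same byte string."""
    out = b""
    for f in fields:
        if len(f) > 0xFFFF:
            raise ValueError("field too long for 2-byte length prefix")
        out += len(f).to_bytes(2, "big") + f
    return out


def map_input_sha512(dsi: bytes, prs: bytes, ci: bytes, sid: bytes) -> bytes:
    """One SHA-512 digest is exactly the 64 bytes the map consumes."""
    return hashlib.sha512(_encode(dsi, prs, ci, sid)).digest()


def map_input_sha256(dsi: bytes, prs: bytes, ci: bytes, sid: bytes) -> bytes:
    """Two SHA-256 digests concatenated. The counter byte goes in front of the
    message rather than after it, so neither half is a hash of an extension of
    the other half's input (the Merkle-Damgård concern in the comment above)."""
    msg = _encode(dsi, prs, ci, sid)
    return b"".join(hashlib.sha256(bytes([i]) + msg).digest() for i in range(2))


def map_input(hash_name: str, dsi: bytes, prs: bytes, ci: bytes, sid: bytes) -> bytes:
    """Dispatch on hash and check the invariant the map relies on."""
    if hash_name == "sha512":
        out = map_input_sha512(dsi, prs, ci, sid)
    elif hash_name == "sha256":
        out = map_input_sha256(dsi, prs, ci, sid)
    else:
        raise ValueError("unsupported hash: " + hash_name)
    assert len(out) == 64, "ristretto255 map needs exactly 64 bytes"
    return out


if __name__ == "__main__":
    # Constructed sample inputs; not values from a real session.
    args = (b"CPace255-example", b"password", b"A|B", bytes(16))
    for h in ("sha512", "sha256"):
        print(h, map_input(h, *args).hex())
```

The point to take from the two functions is the cost difference: SHA-512 needs nothing beyond the digest, whereas SHA-256 needs an explicit domain-separation scheme whose soundness must be argued separately.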