I've done some hacking to implement the skein hash function (one of the
sha3 candidates, see
https://en.wikipedia.org/wiki/Skein_%28hash_function%29). Development is
done on the "skein" branch of the repo.
At low-level it has some similarities to salsa20 and chacha: An input
block is mangled in a perfectly invertible way using only add, xor and
rotation, followed by an addition of the original input, which destroys
invertibility. And then this primitive is used to construct a hash
function.
I've implemented skein256, both for portable C and x86_64 assembly.
The current implementation is written for small footprint in both code
and data, it could perhaps be made a little faster with more unrolling.
On x86_64, it's slightly slower than sha1, slightly faster than sha512,
and considerably faster than sha256 and sha3 (and these relations are
likely to be similar on all platforms with a reasonable number of 64-bit
registers). Performance is a bit behind the numbers reported in the
skein paper http://www.skein-hash.info/sites/default/files/skein1.3.pdf;
not sure if the difference is due to unrolling, different benchmarking
machines, or additional implementation tricks. (On my current x86_64
machines, benchmarking using the nettle-enchmark is not very accurate,
numbers vary quite a bit from one run to the next).
And it's a pity there's no easy way to rotate different pieces of an xmm
register by different counts; that makes it hard to get any advantage of
the parts of the skein/threefish round which do fit SIMD. So the design
is a lot less SIMD-friendly than chacha.
skein512 is in progress; there it's not possible to fit all inputs in
registers (unless one can make good use of SIMD registers in some way),
and I haven't yet figured out a good way to organize it for performance.
Skein can be used in additional ways than a plain hash function, e.g.,
as a mac, or key derivation function. I don't plan to implement such
additional skein features until there's some clear use case for them.
Regards,
/Niels
--
Niels Möller. PGP-encrypted email is preferred. Keyid 368C6677.
Internet email is subject to wholesale government surveillance.
I'm happy to announce a new release of GNU Nettle, a low-level
cryptographics library. This is mainly a bug fix release.
The Nettle home page can be found at
https://www.lysator.liu.se/~nisse/nettle/, and the manual at
https://www.lysator.liu.se/~nisse/nettle/nettle.html.
NEWS for the Nettle 3.3 release
This release fixes a couple of bugs, and improves resistance
to side-channel attacks on RSA and DSA private key operations.
Changes in behavoir:
* Invalid private RSA keys, with an even modulo, are now
rejected by rsa_private_key_prepare. (Earlier versions
allowed such keys, even if results of using them were
bogus).
Nettle applications are required to call
rsa_private_key_prepare and check the return value, before
using any other RSA private key functions; failing to do so
may result in crashes for invalid private keys. As a
workaround for versions of Gnutls which don't use
rsa_private_key_prepare, additional checks for even moduli
are added to the rsa_*_tr functions which are used by all
recent versions of Gnutls.
* Ignore bit 255 of the x coordinate of the input point to
curve25519_mul, as required by RFC 7748. To differentiate at
compile time, curve25519.h defines the constant
NETTLE_CURVE25519_RFC7748.
Security:
* RSA and DSA now use side-channel silent modular
exponentiation, to defend against attacks on the private key
from evil processes sharing the same processor cache. This
attack scenario is of particular relevance when running an
HTTPS server on a virtual machine, where you don't know who
you share the cache hardware with.
(Private key operations on elliptic curves were already
side-channel silent).
Bug fixes:
* Fix sexp-conv crashes on invalid input. Reported by Hanno
Böck.
* Fix out-of-bounds read in des_weak_p. Fixed by Nikos
Mavrogiannopoulos.
* Fix a couple of formally undefined shift operations,
reported by Nikos Mavrogiannopoulos.
* Fix compilation with c89. Reported by Henrik Grubbström.
New features:
* New function memeql_sec, for side-channel silent comparison
of two memory areas.
Miscellaneous:
* Building the public key support of nettle now requires GMP
version 5.0 or later (unless --enable-mini-gmp is used).
* Filenames of windows DLL libraries now include major number
only. So the dll names change at the same time as the
corresponding soname on ELF platforms. Fixed by Nikos
Mavrogiannopoulos.
* Eliminate most pointer-signedness warnings. In the process,
the strings representing expression type for sexp_interator
functions were changed from const uint8_t * to const char *.
These functions are undocumented, and it doesn't change the
ABI on any platform I'm aware of.
The shared library names are libnettle.so.6.3 and
libhogweed.so.4.3, with sonames still libnettle.so.6 and
libhogweed.so.4. It is intended to be fully binary compatible
with nettle-3.1.
https://ftp.gnu.org/gnu/nettle/nettle-3.3.tar.gzftp://ftp.gnu.org/gnu/nettle/nettle-3.3.tar.gzhttps://www.lysator.liu.se/~nisse/archive/nettle-3.3.tar.gz
Happy hacking,
/Niels Möller
--
Niels Möller. PGP-encrypted email is preferred. Keyid 368C6677.
Internet email is subject to wholesale government surveillance.
