-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Aloha!
I've thought about some algorithms and constructs that I think would be
useful and good to add to Nettle.
We are seeing an interest in using EC keys for both DH and DSA
operations, especially in embedded systems. One should be careful about
reusing keys for more than one purpose. But for EC there seem to be some
circumstances in which using the keys for the two constructions does not
harm each other, see:
“On the Joint Security of Encryption and Signature in EMV.” Cryptology
ePrint Archive, Report 2011/615, 2011. http://eprint.iacr.org/2011/6
Recently, Trevor Perrin from Openwhispersystems wrote a paper that
describes how a given Curve25519 (or Curve448) keypair can be reused in
a specific DSA construction called XEdDSA. XEdDSA is in fact a way to
convert the Curve keys in a specific way and then use them with Ed25519
or Ed448 to sign or verify messages. Openwhispersystems also have code
for XEd25519 on GitHub. I've looked at it and compared it to the Curve
code in Nettle. It seems that we could add this algorithm with basically
a small wrapper.
https://whispersystems.org/docs/specifications/xeddsa/xeddsa.pdf
https://github.com/WhisperSystems/curve25519-java/blob/master/android/jni/e…
https://github.com/WhisperSystems/curve25519-java/blob/master/android/jni/e…
Another algorithm that I've seen used in the embedded space is the
SipHash PRF/keyed hash function. It is very fast on Cortex-M devices and
has low code and RAM resource requirements. If implemented in Nettle I
think we should support both 64 and 128 bit digests.
https://131002.net/siphash/
https://github.com/veorq/SipHash
When it comes to block cipher modes, CMAC and OCB are two modes that are
very interesting for the embedded space. CMAC is a "better CBC-MAC" that
can be/is used as a KDF, MAC, etc.
http://csrc.nist.gov/publications/nistpubs/800-38B/SP_800-38B.pdf
OCB is an AEAD construction that has seen little use until now due to
licensing issues. But the licensing has been changed by Rogaway et al.
and there is an RFC for OCB. The cost for OCB goes asymptotically towards
one cipher block operation per message block.
https://www.rfc-editor.org/rfc/rfc7253.txt
http://web.cs.ucdavis.edu/~rogaway/ocb/
I don't know what the idea is in relation to password hashing and
memory/computation-hard functions. PBKDF2 is in Nettle, but not
bcrypt, scrypt or the PHC winner Argon2. Is there any interest in
adding them to Nettle?
https://github.com/P-H-C/phc-winner-argon2
Finally, since Skein was being developed, how about adding Blake2?
Blake2 was one of the runners-up for SHA-3 and is faster than Keccak.
There are also versions of Blake2 suitable for embedded systems.
https://blake2.net/
- --
Kind regards, Yours
Joachim Strömbergson - Always in harmonic oscillation.
========================================================================
Joachim Strömbergson Secworks AB joachim(a)secworks.se
========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
-----END PGP SIGNATURE-----
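Editor's added example for the XEdDSA key conversion discussed in the message above. This is not Nettle's code and not the Open Whisper Systems implementation; it is a pure-Python, non-constant-time illustration of the two conversions the XEdDSA spec defines for Curve25519: `convert_mont` (verifier side: Montgomery u to an Ed25519 public key with sign bit 0) and `calculate_key_pair` (signer side: derive the Ed25519 signing scalar and public key from the Curve25519 private key, negating the scalar when the sign bit would otherwise be 1). The curve constants are the public Curve25519/Ed25519 parameters; `DEMO_PRIV` is a constructed private key, and the function names are ours, chosen to match the spec's terminology.

```python
# Added example (not Nettle's or Open Whisper Systems' code): XEdDSA key
# conversion for Curve25519, in pure Python for readability. Not constant-time.

P = 2**255 - 19                                        # field prime
Q = 2**252 + 27742317777372353535851937790883648493   # order of the base point
D = (-121665 * pow(121666, P - 2, P)) % P              # Ed25519 curve constant d
# Ed25519 base point B (RFC 8032); its Montgomery u-coordinate is 9.
BX = 15112221349535400772501151409588531511454012693041857206046113283949847762202
BY = 46316835694926478169428394003475163141307993866256225615783033603165251855960
A24 = 121665                                           # (486662 - 2) / 4 for the ladder


def inv(x):
    return pow(x, P - 2, P)


def ed_add(p1, p2):
    """Affine twisted-Edwards addition (a = -1); the law is complete, so it doubles too."""
    x1, y1 = p1
    x2, y2 = p2
    t = D * x1 * x2 * y1 * y2 % P
    return ((x1 * y2 + x2 * y1) * inv(1 + t) % P,
            (y1 * y2 + x1 * x2) * inv(1 - t) % P)


def ed_mul(k, pt):
    """Double-and-add scalar multiplication on the Edwards curve (demo only)."""
    acc = (0, 1)                                       # neutral element
    for bit in bin(k)[2:]:
        acc = ed_add(acc, acc)
        if bit == "1":
            acc = ed_add(acc, pt)
    return acc


def x25519_ladder(k, u):
    """RFC 7748 Montgomery ladder on plain ints: returns u(k * point_with_u)."""
    x1, x2, z2, x3, z3, swap = u, 1, 0, u, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:                                       # conditional swap (not constant-time)
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d_ = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d_ * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return x2 * inv(z2) % P


def clamp(priv32):
    """Curve25519 scalar clamping (RFC 7748): clear the low 3 bits, set bit 254."""
    k = bytearray(priv32)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def x25519_public(priv32):
    """Curve25519 public key u = k*9 as 32 little-endian bytes."""
    return x25519_ladder(clamp(priv32), 9).to_bytes(32, "little")


def convert_mont(u32):
    """XEdDSA convert_mont: Montgomery u -> Ed25519 public key encoding, sign bit 0.

    y = (u - 1) / (u + 1). A verifier only has u, so it cannot recover the sign
    of x; XEdDSA therefore fixes the sign bit to 0 and makes the signer match it.
    """
    u = int.from_bytes(u32, "little") % P
    y = (u - 1) * inv(u + 1) % P
    return y.to_bytes(32, "little")                    # y < 2^255, so the top bit is 0


def calculate_key_pair(priv32):
    """XEdDSA calculate_key_pair: (Ed25519 public key A, signing scalar a mod q).

    A = a*B; if A's x is odd (Ed25519 sign bit 1), negate a and A so the
    encoded public key has sign bit 0 and equals convert_mont(x25519_public).
    """
    a = clamp(priv32)
    ax, ay = ed_mul(a, (BX, BY))
    a = (-a) % Q if ax & 1 else a % Q
    return ay.to_bytes(32, "little"), a


# Constructed 32-byte Curve25519 private key for the demonstration only.
DEMO_PRIV = bytes(range(7, 7 + 32))

if __name__ == "__main__":
    ed_pub, a = calculate_key_pair(DEMO_PRIV)
    print("Ed25519 key (signer side):   ", ed_pub.hex())
    print("Ed25519 key (from X25519 pub):", convert_mont(x25519_public(DEMO_PRIV)).hex())
    print("signing scalar a mod q:", hex(a))
```

The property the example checks is the one the wrapper Joachim describes would rely on: the Ed25519 public key the signer derives via `calculate_key_pair` is byte-identical to what a verifier computes from the X25519 public key via `convert_mont`, because the Montgomery ladder cannot distinguish a*B from -a*B and XEdDSA resolves that ambiguity by forcing the sign bit to 0. Signing in XEdDSA then uses the returned scalar a directly (no SHA-512 key expansion as in standard Ed25519) with a randomized nonce derivation, and verification is ordinary Ed25519 verification against `convert_mont(u)`; see the spec linked above for those steps, which this example does not implement.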