On Dec 24, 2016, at 4:26 AM, Ron Frederick <ronf@timeheart.net> wrote:
What I’d suggest is to split out the nonce increment into its own externally callable function, and add a flag on the context about whether to call that function automatically or not. The flag would default to true to preserve existing behavior, but a function could be provided to disable this for callers that wanted to be able to do partial hashing. They could then call the increment manually if they wanted to reuse a context for multiple messages, avoiding the malloc & memcpy even in both cases. The copy would only be needed in the case I mention above when hashing multiple streams that start with a common prefix.
One other thought on this: Since the sender and receiver of a message need to both know the nonce, I think it would be useful for Nettle to provide a get_nonce() function if it is going to auto-increment the nonce. While this wouldn’t be needed in a simple point-to-point case where both sides are maintaining a context which stays in sync, there are other use cases where a sender might want to take advantage of the auto-increment behavior but send the nonce explicitly with their messages, so a receiver who sees only a subset of the messages can verify them. If the sender had a way to get the nonce back out of the context before they called digest(), they wouldn’t need to replicate the increment functionality in their own code.
This use case is also another argument for being able to make the auto-increment optional. If a receiver is receiving an explicit nonce with each message, there’s no reason for them to pay the cost of doing the increment function every time they call digest() to verify a message, as they’re just going to reset the nonce to something else when the next message arrives. This would apply on senders as well when using a randomly generated nonce for each message, or when they create a new context for every message they send.
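The API shape proposed in this message, as an added C example that is neither Nettle's code nor the poster's: a MAC context with the nonce increment split out into its own callable function, an auto-increment flag that defaults to on, and a get_nonce() accessor read before digest(). The sender runs with auto-increment and ships the nonce next to each tag; the receiver disables auto-increment, sets the nonce from the wire and verifies only one message of the stream. The tag computation is a constructed FNV-style stand-in for UMAC's hash (it provides no security) so the block runs offline; the names mac_* and the 16-byte nonce size are assumptions, not Nettle identifiers.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NONCE_SIZE 16   /* constructed: UMAC allows nonces up to 16 bytes */
#define TAG_SIZE 8
#define KEY_SIZE 16
#define STATE_INIT 0xcbf29ce484222325ULL   /* FNV-1a offset basis */

struct mac_ctx {
    uint8_t key[KEY_SIZE];
    uint8_t nonce[NONCE_SIZE];
    uint64_t state;          /* running toy state over the current message */
    bool auto_increment;     /* the proposed flag; defaults to true */
};

/* Toy keyed mixing step: a stand-in for UMAC's hash, NOT a secure MAC. */
static uint64_t mix(uint64_t h, uint8_t b) {
    h ^= b;
    return h * 0x100000001b3ULL;   /* FNV prime; odd, so the step is a bijection */
}

void mac_set_key(struct mac_ctx *ctx, const uint8_t key[KEY_SIZE]) {
    memcpy(ctx->key, key, KEY_SIZE);
    memset(ctx->nonce, 0, NONCE_SIZE);
    ctx->state = STATE_INIT;
    ctx->auto_increment = true;    /* preserve the auto-increment default */
}

void mac_set_nonce(struct mac_ctx *ctx, const uint8_t nonce[NONCE_SIZE]) {
    memcpy(ctx->nonce, nonce, NONCE_SIZE);
}

void mac_set_auto_increment(struct mac_ctx *ctx, bool enable) {
    ctx->auto_increment = enable;
}

/* Accessor from the message: read the nonce that the next digest() will use. */
void mac_get_nonce(const struct mac_ctx *ctx, uint8_t out[NONCE_SIZE]) {
    memcpy(out, ctx->nonce, NONCE_SIZE);
}

/* Externally callable increment: treat the nonce as a big-endian integer, +1. */
void mac_increment_nonce(struct mac_ctx *ctx) {
    for (int i = NONCE_SIZE - 1; i >= 0; i--)
        if (++ctx->nonce[i] != 0) break;   /* stop once a byte does not wrap */
}

void mac_update(struct mac_ctx *ctx, const uint8_t *data, size_t len) {
    for (size_t i = 0; i < len; i++) ctx->state = mix(ctx->state, data[i]);
}

/* Finalize: bind key and nonce into the tag, reset state, then increment
   the nonce only if the caller left auto-increment enabled. */
void mac_digest(struct mac_ctx *ctx, uint8_t tag[TAG_SIZE]) {
    uint64_t h = ctx->state;
    for (int i = 0; i < KEY_SIZE; i++) h = mix(h, ctx->key[i]);
    for (int i = 0; i < NONCE_SIZE; i++) h = mix(h, ctx->nonce[i]);
    for (int i = 0; i < TAG_SIZE; i++) tag[i] = (uint8_t)(h >> (8 * i));
    ctx->state = STATE_INIT;
    if (ctx->auto_increment) mac_increment_nonce(ctx);
}

/* Constant-time tag comparison: verification must not leak via timing. */
static int tag_equal(const uint8_t *a, const uint8_t *b) {
    uint8_t diff = 0;
    for (int i = 0; i < TAG_SIZE; i++) diff |= a[i] ^ b[i];
    return diff == 0;
}

/* Sender with auto-increment, receiver verifying a subset with explicit nonces.
   Returns 1 when the third message verifies under its own nonce and is rejected
   under the previous nonce; constructed key and messages. */
int demo_explicit_nonce_stream(void) {
    static const uint8_t key[KEY_SIZE] = "constructed-key!";   /* 16 bytes, no NUL */
    static const char *msgs[3] = {"first", "second", "third"};
    uint8_t nonces[3][NONCE_SIZE], tags[3][TAG_SIZE], t[TAG_SIZE];
    struct mac_ctx s, r;

    mac_set_key(&s, key);
    for (int i = 0; i < 3; i++) {
        mac_get_nonce(&s, nonces[i]);      /* capture before digest() bumps it */
        mac_update(&s, (const uint8_t *)msgs[i], strlen(msgs[i]));
        mac_digest(&s, tags[i]);           /* auto-increments for the next message */
    }

    mac_set_key(&r, key);
    mac_set_auto_increment(&r, false);     /* nonce arrives on the wire; skip the cost */
    mac_set_nonce(&r, nonces[2]);
    mac_update(&r, (const uint8_t *)msgs[2], strlen(msgs[2]));
    mac_digest(&r, t);
    int ok = tag_equal(t, tags[2]) && memcmp(r.nonce, nonces[2], NONCE_SIZE) == 0;

    mac_set_nonce(&r, nonces[1]);          /* wrong nonce for this message */
    mac_update(&r, (const uint8_t *)msgs[2], strlen(msgs[2]));
    mac_digest(&r, t);
    return ok && !tag_equal(t, tags[2]) && nonces[2][NONCE_SIZE - 1] == 2;
}

/* Edge case: an all-0xff nonce wraps to all zero under big-endian increment. */
int nonce_increment_wraps_to_zero(void) {
    struct mac_ctx c;
    uint8_t zero[NONCE_SIZE] = {0};
    memset(c.nonce, 0xff, NONCE_SIZE);
    mac_increment_nonce(&c);
    return memcmp(c.nonce, zero, NONCE_SIZE) == 0;
}

int main(void) {
    printf("stream verify: %d, wrap: %d\n",
           demo_explicit_nonce_stream(), nonce_increment_wraps_to_zero());
    return 0;
}
```

Because the receiver disables auto-increment, its nonce is untouched after digest(), which is what lets it set the nonce from each incoming message without paying for an increment it will immediately overwrite; a sender generating a fresh random nonce per message would use the same flag.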