
Separate hash functions for chaining and final hashing into public key #4

Open
starius opened this issue Aug 7, 2019 · 1 comment

Comments


starius commented Aug 7, 2019

According to https://eprint.iacr.org/2011/191.pdf the requirements for the chaining function are weaker than for the final hashing step. The former needs to be a PRF, while the latter needs to be a collision-resistant hash function. I think this means for chaining we can use something 128-bit (the first 128 bits of SHA-256, or AES maybe, or something better suited for this task), and for final hashing a normal 256-bit hash function (SHA-256) as now.

The problem is that currently the package supports only one hash function for both applications. I'll send a PR separating them into 2 arguments.

starius added a commit to starius/wots that referenced this issue Aug 7, 2019
dchest (Owner) commented Aug 7, 2019

You're right, somehow it didn't occur to me to add the ability to use separate functions. Indeed, the chaining function doesn't have a requirement for being collision-resistant. In fact, to be able to use a shorter hash output, I tried to reduce the effect of collisions on the message hash function by using randomization — it's harder to exploit collisions if you can't guess the randomization parameter — but this isn't as good as using a collision-resistant hash function.

Thanks for the PR!
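The split both comments above describe, as an added, self-contained Go example (this is not the dchest/wots package's code or the PR's): the chaining function is a keyed PRF truncated to 128 bits (HMAC-SHA256 keyed with a public seed, an illustrative instantiation chosen here), while the message digest and the compression of the chain ends into the public key keep the full 256-bit SHA-256, because those two steps are the ones that need collision resistance. The Winternitz parameter w=16, the 3-digit checksum and the struct and function names are all assumptions of this example. The sample message is constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

const (
	w          = 16              // Winternitz parameter: 4-bit chunks, w-1 = 15 steps per chain
	chainBytes = 16              // 128-bit chain elements, as the issue suggests for chaining
	csumChunks = 3               // checksum <= 64*15 = 960 < 16^3
	numChains  = 64 + csumChunks // 64 digest chunks plus checksum chunks
)

type PrivateKey struct{ Seed []byte; Sk [][]byte } // Seed is public and keys the PRF
type PublicKey struct{ Seed, Hash []byte }         // Hash is SHA-256 over all chain ends

// chainStep is the chaining function. Only PRF security is needed here, so HMAC-SHA256 keyed
// with the public seed and truncated to 128 bits is used (illustrative choice, not dchest/wots's).
func chainStep(seed, x []byte) []byte {
	m := hmac.New(sha256.New, seed)
	m.Write(x)
	return m.Sum(nil)[:chainBytes]
}

func chain(seed, x []byte, from, to int) []byte {
	for i := from; i < to; i++ {
		x = chainStep(seed, x)
	}
	return x
}

// finalHash compresses the chain ends into the public key; this step must be collision-resistant,
// so the full 256-bit SHA-256 is kept.
func finalHash(seed []byte, ends [][]byte) []byte {
	h := sha256.New()
	h.Write(seed)
	for _, e := range ends {
		h.Write(e)
	}
	return h.Sum(nil)
}

// chunks splits a 32-byte digest into 64 base-16 digits and appends the checksum digits.
func chunks(digest [32]byte) []int {
	out, csum := make([]int, 0, numChains), 0
	for _, b := range digest {
		hi, lo := int(b>>4), int(b&0x0f)
		out = append(out, hi, lo)
		csum += (w - 1 - hi) + (w - 1 - lo)
	}
	for i := csumChunks - 1; i >= 0; i-- {
		out = append(out, (csum>>(4*uint(i)))&0x0f)
	}
	return out
}

func GenerateKey() (*PrivateKey, *PublicKey, error) {
	buf := make([]byte, chainBytes*(numChains+1)) // public seed plus one secret start per chain
	if _, err := rand.Read(buf); err != nil {
		return nil, nil, err
	}
	priv := &PrivateKey{Seed: buf[:chainBytes], Sk: make([][]byte, numChains)}
	ends := make([][]byte, numChains)
	for i := range priv.Sk {
		priv.Sk[i] = buf[chainBytes*(i+1) : chainBytes*(i+2)]
		ends[i] = chain(priv.Seed, priv.Sk[i], 0, w-1)
	}
	return priv, &PublicKey{Seed: priv.Seed, Hash: finalHash(priv.Seed, ends)}, nil
}

// Sign reveals, for each digest chunk c, the chain value at position c (one-time use only).
func Sign(priv *PrivateKey, msg []byte) [][]byte {
	sig := make([][]byte, numChains)
	for i, c := range chunks(sha256.Sum256(msg)) {
		sig[i] = chain(priv.Seed, priv.Sk[i], 0, c)
	}
	return sig
}

// Verify completes each chain from position c to w-1 and recomputes the final hash.
func Verify(pub *PublicKey, msg []byte, sig [][]byte) bool {
	if len(sig) != numChains {
		return false
	}
	ends := make([][]byte, numChains)
	for i, c := range chunks(sha256.Sum256(msg)) {
		ends[i] = chain(pub.Seed, sig[i], c, w-1)
	}
	return hmac.Equal(finalHash(pub.Seed, ends), pub.Hash)
}

func main() {
	priv, pub, err := GenerateKey()
	if err != nil {
		panic(err)
	}
	msg := []byte("constructed sample message") // constructed input
	fmt.Println("valid:", Verify(pub, msg, Sign(priv, msg)))
}
```

The two roles are deliberately separate functions: swapping `chainStep` for a different 128-bit PRF changes nothing in `finalHash` or in the message digest, which is exactly the two-argument interface the PR asks for. A forger who finds two messages with the same SHA-256 digest breaks the scheme regardless of the chaining function, which is why the 256-bit hash stays on the message and public-key side; a collision in `chainStep` alone only yields a chain value the attacker cannot place at a position the checksum permits.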
