git.codecow.com Git - Monocypher.git/commit

author	Loup Vaillant <loup@loup-vaillant.fr>
	Sun, 1 Dec 2019 21:36:00 +0000 (22:36 +0100)
committer	Loup Vaillant <loup@loup-vaillant.fr>
	Sun, 1 Dec 2019 21:36:00 +0000 (22:36 +0100)
commit	1ca3dce7e74c72a323bed8d05c9379d110fa7d49
tree	69e32983ece4d77bd96c818681127f71cb078d2d	tree \| snapshot
parent	a56b610420bf2f7177ccd6b2087bd1dd59b51194	commit \| diff

Added HMAC SHA512

EXPERIMENTAL. MAY BE REMOVED.

Monocypher is supposed to be small.  This is why we use Blake2b for both
Argon2 and EdDSA signatures.  Some users however need Ed25519 for
compatibility with other tools.  This means using SHA 512.

We could hide SHA 512 from the public interface entirely, but this seems
like a waste: it could replace Blake2b to make the library smaller. It
will come at a performance loss, but when you verify signatures on a
small device, the hash is rarely the bottleneck.

The main problem with SHA 512 is length extension attacks.  It just
cannot be used as a prefix MAC like Blake2b can.  We need HMAC if we
want SHA 512 to entirely displace Blake2b, so the Monocypher binary
stays small.

Users could use Poly1305 and our version of RFC 8439 of course, but if
they're so tight on space, they're likely to get rid of Poly1305 as
well.  When we have SHA 512 already, HMAC requires much less code.

This is kind of a special corner case. But it could come in handy.

TODO: the tests.

src/optional/ed25519.c		diff \| blob \| history
src/optional/ed25519.h		diff \| blob \| history