KMAC / cSHAKE in Libgcrypt
Werner Koch
wk at gnupg.org
Fri Sep 15 10:08:24 CEST 2023
On Thu, 14 Sep 2023 15:38, Falko Strenzke said:
> I don't understand what you mean exactly by "we may not even need
> GCRY_MD_CSHAKE". Maybe it is with respect to how we implement it, in that case
> see my comment below on reusing the SHAKE implementation.
That we can use the GCRY_MD_SHAKE256 identifier also for cSHAKE. The
use of the control codes would modify SHAKE256 to cSHAKE.
> In my opinion we need to add GCRY_MD_CSHAKE128 and GCRY_MD_CSHAKE256, the two
As long as the resulting digest lengths are the same as the original SHAKE
versions, a new identifier won't be needed. However, if cSHAKE and SHAKE
are used by a protocol in the same way, new identifiers are indeed
useful. What I mean is this:
switch (hash_algo) {
case GCRY_MD_SHAKE256: do_one_thing (); break;
case GCRY_MD_CSHAKE256: do_another_thing (); break;
/* ... */
}
Salam-Shalom,
Werner
--
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein
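The point under discussion, that cSHAKE is SHAKE plus a customization prefix, is fixed by NIST SP 800-185: with both the function-name string N and the customization string S empty, cSHAKE is defined to be exactly SHAKE; with either one non-empty, the encoded strings are prepended to the message and the domain-separation padding byte changes from 0x1F to 0x04. The following is an added example, my own from-scratch implementation and not Libgcrypt code, that carries this through over a plain Keccak-f[1600] so the two behaviours can be compared directly. The function names (`cshake`, `keccak_f1600`, `matches_stdlib_shake`) are my own; the check against `hashlib` and the published NIST cSHAKE128 sample (input 00010203, N empty, S "Email Signature") show the SHAKE path and the customized path respectively. Whatever control code an API uses to set N and S, the digest length and the sponge are unchanged, which is why a separate identifier only matters for dispatch like the `switch` above.

```python
# Added example (not Libgcrypt code): cSHAKE per NIST SP 800-185 over a
# minimal Keccak-f[1600], to show that cSHAKE(N="", S="") == SHAKE and that
# a non-empty N or S only changes the prefix and the domain byte.
import hashlib

MASK64 = (1 << 64) - 1
RC = [0x0000000000000001, 0x0000000000008082, 0x800000000000808A, 0x8000000080008000,
      0x000000000000808B, 0x0000000080000001, 0x8000000080008081, 0x8000000000008009,
      0x000000000000008A, 0x0000000000000088, 0x0000000080008009, 0x000000008000000A,
      0x000000008000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003,
      0x8000000000008002, 0x8000000000000080, 0x000000000000800A, 0x800000008000000A,
      0x8000000080008081, 0x8000000000008080, 0x0000000080000001, 0x8000000080008008]
# Rotation offsets ROT[x][y] for the rho step.
ROT = [[0, 36, 3, 41, 18], [1, 44, 10, 45, 2], [62, 6, 43, 15, 61],
       [28, 55, 25, 21, 56], [27, 20, 39, 8, 14]]


def _rol(v: int, n: int) -> int:
    return ((v << n) | (v >> (64 - n))) & MASK64


def keccak_f1600(lanes: list) -> list:
    """One Keccak-f[1600] permutation over 25 little-endian 64-bit lanes (index x + 5*y)."""
    for rc in RC:
        c = [lanes[x] ^ lanes[x + 5] ^ lanes[x + 10] ^ lanes[x + 15] ^ lanes[x + 20] for x in range(5)]
        d = [c[(x - 1) % 5] ^ _rol(c[(x + 1) % 5], 1) for x in range(5)]
        lanes = [lanes[i] ^ d[i % 5] for i in range(25)]                       # theta
        b = [0] * 25
        for x in range(5):
            for y in range(5):
                b[y + 5 * ((2 * x + 3 * y) % 5)] = _rol(lanes[x + 5 * y], ROT[x][y])  # rho + pi
        lanes = [b[i] ^ (~b[(i + 1) % 5 + 5 * (i // 5)] & b[(i + 2) % 5 + 5 * (i // 5)])
                 for i in range(25)]                                             # chi
        lanes[0] ^= rc                                                           # iota
    return lanes


def _sponge(rate: int, data: bytes, suffix: int, out_len: int) -> bytes:
    """Keccak sponge with pad10*1; `suffix` carries the domain-separation bits."""
    padded = bytearray(data) + bytes([suffix])
    padded += b"\x00" * (-len(padded) % rate)
    padded[-1] |= 0x80                      # final 1 bit of pad10*1
    lanes = [0] * 25
    for off in range(0, len(padded), rate):  # absorb
        for i in range(rate // 8):
            lanes[i] ^= int.from_bytes(padded[off + 8 * i:off + 8 * i + 8], "little")
        lanes = keccak_f1600(lanes)
    out = bytearray()
    while True:                              # squeeze
        for i in range(rate // 8):
            out += lanes[i].to_bytes(8, "little")
        if len(out) >= out_len:
            return bytes(out[:out_len])
        lanes = keccak_f1600(lanes)


def _left_encode(x: int) -> bytes:
    n = max(1, (x.bit_length() + 7) // 8)
    return bytes([n]) + x.to_bytes(n, "big")


def _encode_string(s: bytes) -> bytes:
    return _left_encode(8 * len(s)) + s


def _bytepad(x: bytes, w: int) -> bytes:
    z = _left_encode(w) + x
    return z + b"\x00" * (-len(z) % w)


def cshake(bits: int, data: bytes, out_len: int, N: bytes = b"", S: bytes = b"") -> bytes:
    """cSHAKE128 (bits=128) or cSHAKE256 (bits=256) per SP 800-185, section 3.3."""
    rate = 200 - 2 * (bits // 8)            # 168 bytes for 128, 136 bytes for 256
    if not N and not S:
        return _sponge(rate, data, 0x1F, out_len)   # by definition: plain SHAKE
    prefix = _bytepad(_encode_string(N) + _encode_string(S), rate)
    return _sponge(rate, prefix + data, 0x04, out_len)


def matches_stdlib_shake(data: bytes, out_len: int) -> bool:
    """Cross-check of the SHAKE path against hashlib for both security levels."""
    return (cshake(128, data, out_len) == hashlib.shake_128(data).digest(out_len)
            and cshake(256, data, out_len) == hashlib.shake_256(data).digest(out_len))


if __name__ == "__main__":
    msg = bytes([0, 1, 2, 3])               # constructed sample input (the NIST sample message)
    print("SHAKE256        ", cshake(256, msg, 32).hex())
    print("cSHAKE256 S=ES  ", cshake(256, msg, 32, S=b"Email Signature").hex())
    print("stdlib agrees   ", matches_stdlib_shake(msg, 64))
```

The `rate` and the output length are identical for SHAKE256 and cSHAKE256, so a caller that only sets N and S through a control call and never branches on the algorithm sees the same interface either way; the separate identifier earns its keep only when code must behave differently for the two, as in the `switch`. Note also that N and S are encoded in a fixed order, so `N="A", S=""` and `N="", S="A"` are distinct functions even though they look alike.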