[Cryptography] New Hash and RNG functions
Jacob Christian Munch-Andersen
nohat at nohatcoder.dk
Fri Jan 3 07:04:18 EST 2025
On Thu, Jan 2, 2025, at 11:46 PM, Pierre Abbat wrote:
>
> In the diagrams, there are AES blocks with one input and one output. AES is a
> block cipher, so it takes two inputs, a key and a block of data. Which is the
> input, and where does the other come from?
>
I see now that this isn't clear: AES in the diagrams is one round. The AES figure and the following XOR combined correspond to the invocation of one AES-NI instruction. I don't use the actual AES key schedule, just the instructions.
On Thu, Jan 2, 2025, at 11:46 PM, Pierre Abbat wrote:
>
> In reference.c, where do tjaldr_seed and tjaldr_sbox come from?
>
tjaldr_seed is the default seed, it is pi (3.243F6... in base 16). tjaldr_sbox is the AES sbox, named so to keep a consistent namespace.
On Thu, Jan 2, 2025, at 11:46 PM, Pierre Abbat wrote:
>
> The repo has no build system. (This is not about cryptography, but about open-
> source software in general.) I strongly suggest setting it up with a build
> system, such as CMake (what I use for C++ programs) or Autotools, so that
> users can use the same commands to build it as for other programs, and delete
> the object files, which the build system will produce.
>
The fact that you suggest two different tools already makes an issue: what will the users of the other tool do? I have tried to make toolless building as simple as possible; hopefully transplanting the command line into your favourite build tool shouldn't be too difficult. The object files are there so that installing NASM and Node.js is optional.
On Thu, Jan 2, 2025, at 11:46 PM, Pierre Abbat wrote:
>
> Have you tested it on big-endian hardware?
>
No. In general this requires some testing on all the computers that I don't have. Whatever you build it for, please run the self test.
On Fri, Jan 3, 2025, at 2:37 AM, Bertrand Mollinier Toublet wrote:
>
> why?
>
Because nobody else did. I realised that I could build the fastest primitives, and not by a small margin, so I did. I'm more amused that nobody else has done something like this (except for AEGIS); using AES instructions is such an easy and obvious improvement in work done per clock cycle. As for consensus, you gotta start somewhere. I realise that this might have a greater chance of going somewhere if it were made by more prominent people, but all the prominent people are occupied competing for building the most brittle post-quantum primitives. So if you want improvements in symmetric (and I realise that a lot of people apparently don't), you will have to make do with me.
On Fri, Jan 3, 2025, at 4:39 AM, David Johnston wrote:
>
> It would be nice to see some algorithm descriptions and a rationale.
>
I'm a bit scared of linking to this, not sure if anyone outside my head can understand it, but here is part of the rationale for a precursor to the current functions: https://github.com/NoHatCoder/Meow-Hash-0.6-Candidate/tree/main/Patterncheck The main pattern is the same, so I think the only thing outdated in this text is that the Meow4 candidate does 4 rounds where Tjald4 does 3.
On Fri, Jan 3, 2025, at 4:39 AM, David Johnston wrote:
>
> I see the RNGs invoking many instances of AES with the same key schedule - not great for side channel resistance. Update the key on every use. This imposes a cost on software implementations that need to keep re-computing the key schedule. Hence the saying "Friends don't let friends do cryptography in software". In hardware you can implement an inline key schedule.
>
See answer above; I'll get to making it clearer that the full schedule is not used. And indeed there is no fixed key in the RNG, so it should be very hard to side channel.
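As an added illustration of what "one AES round" means in the discussion above (example code added here, not from the Tjaldr repository or its author): a pure-Python model of the x86 `aesenc` instruction, which applies ShiftRows, SubBytes and MixColumns to its first operand and then XORs in its second operand. The S-box is derived from the GF(2^8) inverse and affine map rather than typed in. The full AES-128 with the real key schedule is assembled from the same round function only so the model can be checked against the FIPS-197 Appendix C.1 test vector; in a hash or RNG built directly on the instruction, the second operand is simply whatever 128-bit word the design feeds in, not an expanded round key.

```python
"""Software model of the AES-NI AESENC / AESENCLAST instructions.

Added example, not part of the Tjaldr code. AES-128 is built on top of the
single-round function only to validate it against the FIPS-197 test vector.
"""


def _xtime(a: int) -> int:
    # Multiply by x in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1.
    a <<= 1
    return (a ^ 0x1B) & 0xFF if a & 0x100 else a


def _gf_mul(a: int, b: int) -> int:
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = _xtime(a)
        b >>= 1
    return r


def _build_sbox() -> bytes:
    # S-box = multiplicative inverse (0 maps to 0) followed by the affine map.
    inv = [0] * 256
    for a in range(1, 256):
        for b in range(1, 256):
            if _gf_mul(a, b) == 1:
                inv[a] = b
                break
    out = bytearray(256)
    for x in range(256):
        s = inv[x]
        r, t = s, s
        for _ in range(4):
            t = ((t << 1) | (t >> 7)) & 0xFF  # rotate left by one bit
            r ^= t
        out[x] = r ^ 0x63
    return bytes(out)


SBOX = _build_sbox()


# State is 16 bytes in column-major order: byte i sits in row i % 4, column i // 4.
def sub_bytes(s: bytes) -> bytes:
    return bytes(SBOX[b] for b in s)


def shift_rows(s: bytes) -> bytes:
    # Row r is rotated left by r positions.
    return bytes(s[((c + r) % 4) * 4 + r] for c in range(4) for r in range(4))


def mix_columns(s: bytes) -> bytes:
    out = bytearray(16)
    for c in range(4):
        a0, a1, a2, a3 = s[4 * c:4 * c + 4]
        out[4 * c + 0] = _gf_mul(2, a0) ^ _gf_mul(3, a1) ^ a2 ^ a3
        out[4 * c + 1] = a0 ^ _gf_mul(2, a1) ^ _gf_mul(3, a2) ^ a3
        out[4 * c + 2] = a0 ^ a1 ^ _gf_mul(2, a2) ^ _gf_mul(3, a3)
        out[4 * c + 3] = _gf_mul(3, a0) ^ a1 ^ a2 ^ _gf_mul(2, a3)
    return bytes(out)


def add_round_key(s: bytes, k: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(s, k))


def aesenc(state: bytes, operand: bytes) -> bytes:
    """One full AES round, as AESENC computes it; `operand` is any 16-byte value."""
    return add_round_key(mix_columns(sub_bytes(shift_rows(state))), operand)


def aesenclast(state: bytes, operand: bytes) -> bytes:
    """Final round (no MixColumns), as AESENCLAST computes it."""
    return add_round_key(sub_bytes(shift_rows(state)), operand)


def expand_key_128(key: bytes) -> list:
    # Standard AES-128 key schedule: 11 round keys of 16 bytes.
    w = [key[4 * i:4 * i + 4] for i in range(4)]
    rcon = 1
    for i in range(4, 44):
        t = w[i - 1]
        if i % 4 == 0:
            t = bytes(SBOX[b] for b in t[1:] + t[:1])  # SubWord(RotWord(t))
            t = bytes([t[0] ^ rcon]) + t[1:]
            rcon = _xtime(rcon)
        w.append(bytes(x ^ y for x, y in zip(w[i - 4], t)))
    return [b"".join(w[4 * r:4 * r + 4]) for r in range(11)]


def aes128_encrypt_block(key: bytes, block: bytes) -> bytes:
    # AES-128 = AddRoundKey, nine AESENC rounds, one AESENCLAST round.
    rks = expand_key_128(key)
    s = add_round_key(block, rks[0])
    for rk in rks[1:10]:
        s = aesenc(s, rk)
    return aesenclast(s, rks[10])


if __name__ == "__main__":
    # FIPS-197 Appendix C.1 known-answer vector.
    key = bytes(range(16))
    pt = bytes.fromhex("00112233445566778899aabbccddeeff")
    print(aes128_encrypt_block(key, pt).hex())
```

Because SubBytes acts per byte and ShiftRows only permutes bytes, the two commute, so `aesenc` gives the same result whichever order they are applied in; the model follows the instruction's documented order. Running the block stand-alone prints the FIPS-197 ciphertext for the C.1 vector.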