On Thu, 9 Mar 2017 23:01, joncallas(_at_)icloud(_dot_)com said:
At the risk of sending this into a rathole, a viable alternative would
be to use SHA512/t as a truncation function. It's got a well-defined
We had a discussion here on the merits of SHA-256 over SHA-512 with the
two arguments I already mentioned:
- SHA-256 is much faster on smaller 32 bit systems
- SHA-256 is anyway required to verify existing signatures.
An advantage of SHA-512 is that this would benefit an X25519-only based
implementation because that requires SHA-512 anyway.
Shalom-Salam,
Werner
--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
pgpcEpyNU8qK2.pgp
Description: PGP signature
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp