On Mar 10, 2017, at 2:08 AM, Werner Koch <wk(_at_)gnupg(_dot_)org> wrote:

> On Thu, 9 Mar 2017 23:01, joncallas(_at_)icloud(_dot_)com said:
>
>> At the risk of sending this into a rathole, a viable alternative would
>> be to use SHA512/t as a truncation function. It's got a well-defined
>
> We had a discussion here on the merits of SHA-256 over SHA-512 with the
> two arguments I already mentioned:
>
> - SHA-256 is much faster on smaller 32 bit systems
> - SHA-256 is anyway required to verify existing signatures.
>
> An advantage of SHA-512 is that this would benefit an X25519-only based
> implementation because that requires SHA-512 anyway.

This is a different suggestion, one about SHA512/t, which has an output length
of 't' bits. It's a cute little hack that NIST put on top of SHA-512 to get a
variable-output hash function.

I didn't bring in performance discussions because this is about fingerprints
where it doesn't matter so much one way or the other. But since you did, you're
right, that on a 32-bit system, SHA256 is faster. But on a 64-bit system,
SHA-512 is faster, often like 1.5x faster.

But anyway, the suggestion is because if you're going to generate a 200-bit
fingerprint, using a variable output hash function solves the problem of having
to figure out how to truncate, as well as any issues in truncation.

Jon
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp