ietf-openpgp
[Top] [All Lists]

Re: [openpgp] Version 5 key and fingerprint proposal

2017-03-10 16:13:45

On Mar 10, 2017, at 2:08 AM, Werner Koch <wk(_at_)gnupg(_dot_)org> wrote:

On Thu,  9 Mar 2017 23:01, joncallas(_at_)icloud(_dot_)com said:
At the risk of sending this into a rathole, a viable alternative would
be to use SHA512/t as a truncation function. It's got a well-defined

We had a discussion here on the merits of SHA-256 over SHA-512 with the
two arguments I already mentioned:

 - SHA-256 is much faster on smaller 32 bit systems
 - SHA-256 is anyway required to verify existing signatures.

An advantage of SHA-512 is that this would benefit an X25519-only based
implementation because that requires SHA-512 anyway.

This is a different suggestion, one about SHA512/t, which has an output length 
of 't' bits. It's a cute little hack that NIST put on top of SHA-512 to get a 
variable-output hash function.

I didn't bring in performance discussions because this is about fingerprints 
where it doesn't matter so much one way or the other. But since you did, you're 
right, that on a 32-bit system, SHA256 is faster. But on a 64-bit system, 
SHA-512 is faster, often like 1.5x faster.

But anyway, the suggestion is because if you're going to generate a 200-bit 
fingerprint, using a variable output hash function solves the problem of having 
to figure out how to truncate, as well as any issues in truncation.

        Jon


_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp