BLAKE2b default digest length: 32 or 64?

Question

BLAKE2b default digest length: 32 or 64?

Closed this issue 8 years ago · 12 comments

src/libsodium/include/sodium/crypto_generichash_blake2b.h, line 46:

#define crypto_generichash_blake2b_BYTES         32U

org.abstractj.kalium/NaCl line #80:

 public static final int BLAKE2B_OUTBYTES = 64;

Is that intentional?

Answer 1 · 2016-04-20T13:38:11.000Z

IIRC Blake2B can produce anywhere between 16 and 64 byte outputs depending on the needs. Libsodium documentation states

The minimum recommended output size is crypto_generichash_BYTES. This size makes it practically impossible for two messages to produce the same fingerprint.

But for specific use cases, the size can be any value between crypto_generichash_BYTES_MIN (included) and crypto_generichash_BYTES_MAX (included).

With BYTES = 32, MIN = 16, and MAX = 64. I imagine the original PR that added blake2b choose the largest size to expose for Kalium. I've fixed this and made it identical to Libsodium on my branch which I'm working towards primary API completeness with Libsodium.

Answer 2 · 2016-04-20T14:25:09.000Z

You are correct re: BLAKE2b's output sizes :) However; BLAKE2b is pretty clear that the default is 32 bytes (as you pointed out); so I don't think it's reasonable for Kalium to do something else by default. Thanks for fixing it in that other branch!

(On a related note: have you considered jnr-ffi pinning? I'm using it now when porting kalium to bind directly, and it seems to work like a charm :))

Answer 3 · 2016-05-05T13:58:15.000Z

Somehow I've missed jnr-ffi's Pinned annotation, if I understand, it basically accomplishes the same as using a Direct ByteBuffer as suggested in #21. We won't be copying between java and native.

Answer 4 · 2016-05-05T14:00:52.000Z

They're related; yes, the difference being that one only works at call time and the other changes where the object is allocated. When you say won't, does that mean "when #21 is closed", or currently?

Answer 5 · 2016-05-05T14:09:52.000Z

(FYI, this is why I'm currently porting caesium to bind to libsodium directly. That, and that creating objects to throw them away feels a little weird. And I wanted to be able to bind new functions faster than waiting for a release. So perhaps those bindings in caesium can help you if you're trying to get pinning to work :))

Answer 6 · 2016-05-05T14:09:55.000Z

Ah, yea I wasn't very clear. By using either the Pinned annotation or a Direct ByteBuffer we can avoid copying byte arrays. My reference to #21 was just regarding the first bullet point.

Answer 7 · 2016-05-05T14:12:55.000Z

Right. The API design I'm using in caesium right now lets you use byte arrays directly or it will create them for you, so you can get actual zerocopy, instead of just zerocopy during the ffi call.

Answer 8 · 2016-05-14T04:55:48.000Z

@lvh @bendoerr let me know if this change makes sense to you #56 please.

Answer 9 · 2016-05-16T12:58:16.000Z

@abstractj are you concerned about backwards compatibility? Doesn't 24e9948 breaks hash checks for anyone verifying previously generated hashes using BLAKE2B_OUTBYTES?

Answer 10 · 2016-05-16T13:47:08.000Z

@bendoerr indeed, but that would be manageable with semver, nope? Another alternative would be provide break backwards compatibility and provide a way for people the output size desired. Makes sense?

Answer 11 · 2016-05-16T21:25:12.000Z

Indeed, just wanted to call it out.

Answer 12 · 2016-05-16T21:45:31.000Z

@bendoerr @lvh thanks a lot, very appreciated.

Will do the merge.