From: Niels Möller Date: Fri, 21 Sep 2012 18:14:16 +0000 (+0200) Subject: Stress that the salsa20 hash function is not for general use. X-Git-Tag: nettle_2.6_release_20130116~52 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=12bbae8ba25713a0ebadefef7e64bb1134a64063;p=thirdparty%2Fnettle.git Stress that the salsa20 hash function is not for general use. --- diff --git a/ChangeLog b/ChangeLog index efb578e0..05c463c4 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,8 @@ +2012-09-21 Niels Möller + + * nettle.texinfo (Cipher functions): Stress that the salsa20 hash + function is not suitable as a general hash function. + 2012-09-20 Simon Josefsson * pbkdf2-hmac-sha1.c, pbkdf2-hmac-sha256.c: New files. diff --git a/nettle.texinfo b/nettle.texinfo index c73861bf..bfaf0a6f 100644 --- a/nettle.texinfo +++ b/nettle.texinfo 
@@ -1275,12 +1275,15 @@ in this way to ridicule United States export restrictions which treated hash functions as nice and harmless, but ciphers as dangerous munitions. Salsa20 uses the same idea, but with a new specialized hash function to -mix key, block counter, and a couple of constants (input and output are -the same size, making it not directly applicable for use as a general -hash function). It's also designed for speed; on x86_64, it is currently -the fastest cipher offered by nettle. It uses a block size of 512 bits -(64 octets) and there are two specified key sizes, 128 and 256 bits (16 -and 32 octets). +mix key, block counter, and a couple of constants. It's also designed +for speed; on x86_64, it is currently the fastest cipher offered by +nettle. It uses a block size of 512 bits (64 octets) and there are two +specified key sizes, 128 and 256 bits (16 and 32 octets). + +@strong{Caution:} The hash function used in Salsa20 is @emph{not} +directly applicable for use as a general hash function. It's @emph{not} +collision resistant if arbitrary inputs are allowed, and furthermore, +the input and output is of fixed size. When using Salsa20 to process a message, one specifies both a key and a @dfn{nonce}, the latter playing a similar rôle to the initialization
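Review bot: In the new @strong{Caution:} paragraph of the nettle.texinfo hunk, "the input and output is of fixed size" has a subject-verb mismatch, and it drops the point made by the removed text, which said input and output are the same size. Suggest "the input and output are of the same fixed size". The collision-resistance sentence would also read more clearly if it said what "arbitrary inputs" contrasts with, namely the key, block counter and constants that the preceding paragraph says the function mixes.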