Hi, - The IANA COSE Algorithms Registry lists draft-ietf-cose-rfc8152bis-algs-12 as a reference for SHA-512/256 and SHA-256/64. This seems incorrect. draft-ietf-cose-rfc8152bis-algs does not mention SHA-512/256 or SHA-256/64.
- NIST SP 180-4 assigns a very specific meaning to the notation SHA-512/t as the name for a t-bit hash function _based_ on SHA-512 whose output is truncated to t bits. The initial hash value is a _function_ of t. SHA-512/256 is defined in NIST SP 180-4. As the initial hash value is a function of t it is infeasible to find any relation between a SHA-512 hash and a SHA-512/256 hash. SHA-256/64 is not defined in NIST SP 180-4. draft-ietf-cose-hash-algs introduces a new meaning to the /t notation. In SHA-256/64 the initial hash value is the same as in SHA-256, i.e., it is not a function of t. This means that SHA-256/64 has different security properties than SHA-512/256. There is a trivial relation between a SHA-256 hash and a SHA-256/64 hash. I think this difference needs to be made clearer in draft-ietf-cose-hash-algs. The security properties of the SHA-256/64 might come as a surprise to a user expecting the same properties as SHA-512/512. There is also a risk for incompatible implementations as people might implement SHA-256/64 in a similar way as SHA-512/256. I think that the name SHA-256/64 should be changes as the “/64” in SHA-256/64 has different meaning than the “/256” in SHA-512/256. I do not think that the initial hash value in SHA-256/64 should be changed as that would make it incompatible with any current implementation of SHA-256. Cheers, John
_______________________________________________ COSE mailing list [email protected] https://www.ietf.org/mailman/listinfo/cose
