[Cryptech Tech] Incremental digest outputs

Bernd Paysan bernd at net2o.de
Sun Nov 16 17:03:05 UTC 2014


On Sunday, 16 November 2014, 17:03:02, Joachim Strömbergson wrote:
> Rob Austein wrote:
> > Something I intended to mention while I was doing the prototype HAL
> > for the digest cores: unless I'm missing something, our digest cores
> > don't support incremental digest results.
> 
> You are missing something. ;-)
> 
> The cores support (or at least should support) incremental digests. You
> can read the digest registers between every block in a multiblock
> message and get the digest for all blocks up to the latest block.

The four operations you need are:

Zero state
Feed in
Feed out
Permutation rounds

And that's what I think you do have.  It is a pretty natural result of how you
implement hardware (reset, read, write, state transition); if you manage to do
it otherwise, you should try to unscrew your mind ;-).

For passwords of on-HSM crypto storage, you want to have a "loop permutation
rounds for a second as fast as you can" or so, to make brute-force attacks
expensive.  That's the place where having a fast hash on the HSM is most
important, because the faster the hash on the HSM for password diffusion is,
the harder it becomes for a brute-force attacker without making the HSM feel
slow.

So you might want to have a counter-based "run the hash state transition as 
fast as possible without new input for n cycles" to support this mode.

-- 
Bernd Paysan
"If you want it done right, you have to do it yourself"
http://bernd-paysan.de/
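As an added example, not part of this message and not Cryptech's core or HAL code: a software model of the four operations listed above (zero state, feed in, feed out, permutation rounds), written around SHA-256 so that the "digest registers" are readable between blocks, which is exactly the incremental property Joachim describes. The `DigestCore` class and its method names are assumptions chosen for illustration; `spin(n)` is a hypothetical stand-in for the "run the state transition n cycles without new input" counter mode from the message (it compresses a constructed all-zero block), shown only to make the cost-scaling idea concrete, not as a password-hashing design. The compression function is standard SHA-256, with its constants derived from the prime roots in FIPS 180-4 so the block stays checkable against `hashlib`.

```python
import hashlib
import struct

MASK = 0xFFFFFFFF
ZERO_BLOCK = bytes(64)  # constructed "no new input" block for the hypothetical spin mode


def _primes(n):
    ps, c = [], 2
    while len(ps) < n:
        if all(c % p for p in ps):
            ps.append(c)
        c += 1
    return ps


def _frac_root(p, r):
    """floor(frac(p ** (1/r)) * 2**32) in exact integer arithmetic."""
    n = p << (32 * r)
    x = int(round(n ** (1.0 / r)))  # float estimate, then exact correction
    while x ** r > n:
        x -= 1
    while (x + 1) ** r <= n:
        x += 1
    return x & MASK


# FIPS 180-4: IV from sqrt of the first 8 primes, K from cbrt of the first 64.
H0 = [_frac_root(p, 2) for p in _primes(8)]
K = [_frac_root(p, 3) for p in _primes(64)]


def _rotr(x, n):
    return ((x >> n) | (x << (32 - n))) & MASK


def compress(state, block):
    """One SHA-256 block: the permutation rounds over the 8-word chaining state."""
    w = list(struct.unpack(">16L", block))
    for i in range(16, 64):
        s0 = _rotr(w[i - 15], 7) ^ _rotr(w[i - 15], 18) ^ (w[i - 15] >> 3)
        s1 = _rotr(w[i - 2], 17) ^ _rotr(w[i - 2], 19) ^ (w[i - 2] >> 10)
        w.append((w[i - 16] + s0 + w[i - 7] + s1) & MASK)
    a, b, c, d, e, f, g, h = state
    for i in range(64):
        t1 = (h + (_rotr(e, 6) ^ _rotr(e, 11) ^ _rotr(e, 25))
              + ((e & f) ^ (~e & g)) + K[i] + w[i]) & MASK
        t2 = ((_rotr(a, 2) ^ _rotr(a, 13) ^ _rotr(a, 22))
              + ((a & b) ^ (a & c) ^ (b & c))) & MASK
        a, b, c, d, e, f, g, h = (t1 + t2) & MASK, a, b, c, (d + t1) & MASK, e, f, g
    return [(s + v) & MASK for s, v in zip(state, (a, b, c, d, e, f, g, h))]


class DigestCore:
    """Register-level model: zero state, feed in, feed out, permutation rounds."""

    def __init__(self):
        self.reset()

    def reset(self):               # zero state
        self.state = list(H0)

    def feed_in(self, block):      # feed in one 64-byte block and run the rounds
        self.state = compress(self.state, block)

    def feed_out(self):            # read the digest registers at any point
        return b"".join(struct.pack(">L", x) for x in self.state)

    def spin(self, n):             # hypothetical: n state transitions, no new input
        for _ in range(n):
            self.state = compress(self.state, ZERO_BLOCK)


def pad(msg):
    """SHA-256 padding: 0x80, zeros up to 56 mod 64, then the 64-bit bit length."""
    bit_len = len(msg) * 8
    msg += b"\x80" + b"\x00" * ((55 - len(msg)) % 64)
    return msg + struct.pack(">Q", bit_len)


def absorb(core, msg):
    """Feed the padded message block by block, returning every register read-out."""
    data, out = pad(msg), []
    for off in range(0, len(data), 64):
        core.feed_in(data[off:off + 64])
        out.append(core.feed_out())
    return out


def prefix_digests(msg):
    """Entry k depends only on blocks 0..k; the last entry is the finished digest."""
    return absorb(DigestCore(), msg)


def sha256_via_core(msg):
    return prefix_digests(msg)[-1]


def matches_hashlib(msg):
    return sha256_via_core(msg) == hashlib.sha256(msg).digest()


def stretched_digest(secret, n):
    """Absorb the padded secret, then spin n times; n = 0 is plain SHA-256."""
    core = DigestCore()
    absorb(core, secret)
    core.spin(n)
    return core.feed_out()
```

Reading `feed_out()` after each `feed_in()` is the "digest of all blocks up to the latest block": two messages sharing their first 64 bytes read out identical registers after block one and only diverge later. Note that the intermediate value is the raw chaining state, so it only equals a standard SHA-256 digest once the final padded block has been fed; a HAL exposing incremental results has to make that distinction clear to callers.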
