355
370
The most commonly used hash functions are MD5 and SHA1. Unfortunately,
356
371
both these fail the collision-resistance requirement; cryptologists have
357
found ways to construct colliding inputs. The recommended hash function
358
for new applications is SHA256, even though it uses a structure similar
359
to MD5 and SHA1. Constructing better hash functions is an urgent research
362
@subsection @acronym{MD5}
372
found ways to construct colliding inputs. The recommended hash functions
373
for new applications are SHA2 (with main variants SHA256 and SHA512). At
374
the time of this writing (December 2012), the winner of the NIST SHA3
375
competition has recently been announced, and the new SHA3 (earlier known
376
as Keccak) and other top SHA3 candidates may also be reasonable
380
* Recommended hash functions::
381
* Legacy hash functions::
382
* nettle_hash abstraction::
385
@node Recommended hash functions, Legacy hash functions,, Hash functions
386
@comment node-name, next, previous, up
387
@subsection Recommended hash functions
389
The following hash functions have no known weaknesses, and are suitable
390
for new applications. The SHA2 family of hash functions were specified
391
by @dfn{NIST}, intended as a replacement for @acronym{SHA1}.
393
@subsubsection @acronym{SHA256}
395
SHA256 is a member of the SHA2 family. It outputs hash values of 256
396
bits, or 32 octets. Nettle defines SHA256 in @file{<nettle/sha2.h>}.
398
@deftp {Context struct} {struct sha256_ctx}
401
@defvr Constant SHA256_DIGEST_SIZE
402
The size of a SHA256 digest, i.e. 32.
405
@defvr Constant SHA256_DATA_SIZE
406
The internal block size of SHA256. Useful for some special constructions,
407
in particular HMAC-SHA256.
410
@deftypefun void sha256_init (struct sha256_ctx *@var{ctx})
411
Initialize the SHA256 state.
414
@deftypefun void sha256_update (struct sha256_ctx *@var{ctx}, unsigned @var{length}, const uint8_t *@var{data})
418
@deftypefun void sha256_digest (struct sha256_ctx *@var{ctx}, unsigned @var{length}, uint8_t *@var{digest})
419
Performs final processing and extracts the message digest, writing it
420
to @var{digest}. @var{length} may be smaller than
421
@code{SHA256_DIGEST_SIZE}, in which case only the first @var{length}
422
octets of the digest are written.
424
This function also resets the context in the same way as
428
Earlier versions of nettle defined SHA256 in the header file
429
@file{<nettle/sha.h>}, which is now deprecated, but kept for
432
@subsubsection @acronym{SHA224}
434
SHA224 is a variant of SHA256, with a different initial state, and with
435
the output truncated to 224 bits, or 28 octets. Nettle defines SHA224 in
436
@file{<nettle/sha2.h>} (and in @file{<nettle/sha.h>}, for backwards
439
@deftp {Context struct} {struct sha224_ctx}
442
@defvr Constant SHA224_DIGEST_SIZE
443
The size of a SHA224 digest, i.e. 28.
446
@defvr Constant SHA224_DATA_SIZE
447
The internal block size of SHA224. Useful for some special constructions,
448
in particular HMAC-SHA224.
451
@deftypefun void sha224_init (struct sha224_ctx *@var{ctx})
452
Initialize the SHA224 state.
455
@deftypefun void sha224_update (struct sha224_ctx *@var{ctx}, unsigned @var{length}, const uint8_t *@var{data})
459
@deftypefun void sha224_digest (struct sha224_ctx *@var{ctx}, unsigned @var{length}, uint8_t *@var{digest})
460
Performs final processing and extracts the message digest, writing it
461
to @var{digest}. @var{length} may be smaller than
462
@code{SHA224_DIGEST_SIZE}, in which case only the first @var{length}
463
octets of the digest are written.
465
This function also resets the context in the same way as
469
@subsubsection @acronym{SHA512}
471
SHA512 is a larger sibling to SHA256, with a very similar structure but
472
with both the output and the internal variables of twice the size. The
473
internal variables are 64 bits rather than 32, making it significantly
474
slower on 32-bit computers. It outputs hash values of 512 bits, or 64
475
octets. Nettle defines SHA512 in @file{<nettle/sha2.h>} (and in
476
@file{<nettle/sha.h>}, for backwards compatibility).
478
@deftp {Context struct} {struct sha512_ctx}
481
@defvr Constant SHA512_DIGEST_SIZE
482
The size of a SHA512 digest, i.e. 64.
485
@defvr Constant SHA512_DATA_SIZE
486
The internal block size of SHA512. Useful for some special constructions,
487
in particular HMAC-SHA512.
490
@deftypefun void sha512_init (struct sha512_ctx *@var{ctx})
491
Initialize the SHA512 state.
494
@deftypefun void sha512_update (struct sha512_ctx *@var{ctx}, unsigned @var{length}, const uint8_t *@var{data})
498
@deftypefun void sha512_digest (struct sha512_ctx *@var{ctx}, unsigned @var{length}, uint8_t *@var{digest})
499
Performs final processing and extracts the message digest, writing it
500
to @var{digest}. @var{length} may be smaller than
501
@code{SHA512_DIGEST_SIZE}, in which case only the first @var{length}
502
octets of the digest are written.
504
This function also resets the context in the same way as
508
@subsubsection @acronym{SHA384}
510
SHA384 is a variant of SHA512, with a different initial state, and with
511
the output truncated to 384 bits, or 48 octets. Nettle defines SHA384 in
512
@file{<nettle/sha2.h>} (and in @file{<nettle/sha.h>}, for backwards
515
@deftp {Context struct} {struct sha384_ctx}
518
@defvr Constant SHA384_DIGEST_SIZE
519
The size of a SHA384 digest, i.e. 48.
522
@defvr Constant SHA384_DATA_SIZE
523
The internal block size of SHA384. Useful for some special constructions,
524
in particular HMAC-SHA384.
527
@deftypefun void sha384_init (struct sha384_ctx *@var{ctx})
528
Initialize the SHA384 state.
531
@deftypefun void sha384_update (struct sha384_ctx *@var{ctx}, unsigned @var{length}, const uint8_t *@var{data})
535
@deftypefun void sha384_digest (struct sha384_ctx *@var{ctx}, unsigned @var{length}, uint8_t *@var{digest})
536
Performs final processing and extracts the message digest, writing it
537
to @var{digest}. @var{length} may be smaller than
538
@code{SHA384_DIGEST_SIZE}, in which case only the first @var{length}
539
octets of the digest are written.
541
This function also resets the context in the same way as
545
@subsubsection @acronym{SHA3-224}
547
The SHA3 hash functions were specified by NIST in repsonse to weaknesses
548
in SHA1, and doubts about SHA2 hash functions which structurally are
549
very similar to SHA1. The standard is a result of a competition, where
550
the winner, also known as Keccak, was designed by Guido Bertoni, Joan
551
Daemen, Michaël Peeters and Gilles Van Assche. It is structurally very
552
different from all widely used earlier hash functions. Like SHA2, there
553
are several variants, with output sizes of 224, 256, 384 and 512 bits
554
(28, 32, 48 and 64 octets, respectively).
556
Nettle defines SHA3-224 in @file{<nettle/sha3.h>}.
558
@deftp {Context struct} {struct sha3_224_ctx}
561
@defvr Constant SHA3_224_DIGEST_SIZE
562
The size of a SHA3_224 digest, i.e., 28.
565
@defvr Constant SHA3_224_DATA_SIZE
566
The internal block size of SHA3_224.
569
@deftypefun void sha3_224_init (struct sha3_224_ctx *@var{ctx})
570
Initialize the SHA3-224 state.
573
@deftypefun void sha3_224_update (struct sha3_224_ctx *@var{ctx}, unsigned @var{length}, const uint8_t *@var{data})
577
@deftypefun void sha3_224_digest (struct sha3_224_ctx *@var{ctx}, unsigned @var{length}, uint8_t *@var{digest})
578
Performs final processing and extracts the message digest, writing it
579
to @var{digest}. @var{length} may be smaller than
580
@code{SHA3_224_DIGEST_SIZE}, in which case only the first @var{length}
581
octets of the digest are written.
583
This function also resets the context.
586
@subsubsection @acronym{SHA3-256}
588
This is SHA3 with 256-bit output size, and possibly the most useful
589
of the SHA3 hash functions.
591
Nettle defines SHA3-256 in @file{<nettle/sha3.h>}.
593
@deftp {Context struct} {struct sha3_256_ctx}
596
@defvr Constant SHA3_256_DIGEST_SIZE
597
The size of a SHA3_256 digest, i.e., 32.
600
@defvr Constant SHA3_256_DATA_SIZE
601
The internal block size of SHA3_256.
604
@deftypefun void sha3_256_init (struct sha3_256_ctx *@var{ctx})
605
Initialize the SHA3-256 state.
608
@deftypefun void sha3_256_update (struct sha3_256_ctx *@var{ctx}, unsigned @var{length}, const uint8_t *@var{data})
612
@deftypefun void sha3_256_digest (struct sha3_256_ctx *@var{ctx}, unsigned @var{length}, uint8_t *@var{digest})
613
Performs final processing and extracts the message digest, writing it
614
to @var{digest}. @var{length} may be smaller than
615
@code{SHA3_256_DIGEST_SIZE}, in which case only the first @var{length}
616
octets of the digest are written.
618
This function also resets the context.
621
@subsubsection @acronym{SHA3-384}
623
This is SHA3 with 384-bit output size.
625
Nettle defines SHA3-384 in @file{<nettle/sha3.h>}.
627
@deftp {Context struct} {struct sha3_384_ctx}
630
@defvr Constant SHA3_384_DIGEST_SIZE
631
The size of a SHA3_384 digest, i.e., 48.
634
@defvr Constant SHA3_384_DATA_SIZE
635
The internal block size of SHA3_384.
638
@deftypefun void sha3_384_init (struct sha3_384_ctx *@var{ctx})
639
Initialize the SHA3-384 state.
642
@deftypefun void sha3_384_update (struct sha3_384_ctx *@var{ctx}, unsigned @var{length}, const uint8_t *@var{data})
646
@deftypefun void sha3_384_digest (struct sha3_384_ctx *@var{ctx}, unsigned @var{length}, uint8_t *@var{digest})
647
Performs final processing and extracts the message digest, writing it
648
to @var{digest}. @var{length} may be smaller than
649
@code{SHA3_384_DIGEST_SIZE}, in which case only the first @var{length}
650
octets of the digest are written.
652
This function also resets the context.
655
@subsubsection @acronym{SHA3-512}
657
This is SHA3 with 512-bit output size.
659
Nettle defines SHA3-512 in @file{<nettle/sha3.h>}.
661
@deftp {Context struct} {struct sha3_512_ctx}
664
@defvr Constant SHA3_512_DIGEST_SIZE
665
The size of a SHA3_512 digest, i.e. 64.
668
@defvr Constant SHA3_512_DATA_SIZE
669
The internal block size of SHA3_512.
672
@deftypefun void sha3_512_init (struct sha3_512_ctx *@var{ctx})
673
Initialize the SHA3-512 state.
676
@deftypefun void sha3_512_update (struct sha3_512_ctx *@var{ctx}, unsigned @var{length}, const uint8_t *@var{data})
680
@deftypefun void sha3_512_digest (struct sha3_512_ctx *@var{ctx}, unsigned @var{length}, uint8_t *@var{digest})
681
Performs final processing and extracts the message digest, writing it
682
to @var{digest}. @var{length} may be smaller than
683
@code{SHA3_512_DIGEST_SIZE}, in which case only the first @var{length}
684
octets of the digest are written.
686
This function also resets the context.
689
@node Legacy hash functions, nettle_hash abstraction, Recommended hash functions, Hash functions
690
@comment node-name, next, previous, up
691
@subsection Legacy hash functions
693
The hash functions in this section all have some known weaknesses, and
694
should be avoided for new applications. These hash functions are mainly
695
useful for compatibility with old applications and protocols. Some are
696
still considered safe as building blocks for particular constructions,
697
e.g., there seems to be no known attacks against HMAC-SHA1 or even
698
HMAC-MD5. In some important cases, use of a ``legacy'' hash function
699
does not in itself make the application insecure; if a known weakness is
700
relevant depends on how the hash function is used, and on the threat
703
@subsubsection @acronym{MD5}
364
705
MD5 is a message digest function constructed by Ronald Rivest, and
365
706
described in @cite{RFC 1321}. It outputs message digests of 128 bits, or
550
890
@code{sha1_init}.
553
@subsection @acronym{SHA256}
555
SHA256 is another hash function specified by @dfn{NIST}, intended as a
556
replacement for @acronym{SHA1}, generating larger digests. It outputs
557
hash values of 256 bits, or 32 octets. Nettle defines SHA256 in
558
@file{<nettle/sha.h>}.
560
The functions are analogous to the MD5 ones.
562
@deftp {Context struct} {struct sha256_ctx}
565
@defvr Constant SHA256_DIGEST_SIZE
566
The size of an SHA256 digest, i.e. 32.
569
@defvr Constant SHA256_DATA_SIZE
570
The internal block size of SHA256. Useful for some special constructions,
571
in particular HMAC-SHA256.
574
@deftypefun void sha256_init (struct sha256_ctx *@var{ctx})
575
Initialize the SHA256 state.
578
@deftypefun void sha256_update (struct sha256_ctx *@var{ctx}, unsigned @var{length}, const uint8_t *@var{data})
582
@deftypefun void sha256_digest (struct sha256_ctx *@var{ctx}, unsigned @var{length}, uint8_t *@var{digest})
583
Performs final processing and extracts the message digest, writing it
584
to @var{digest}. @var{length} may be smaller than
585
@code{SHA256_DIGEST_SIZE}, in which case only the first @var{length}
586
octets of the digest are written.
588
This function also resets the context in the same way as
592
@subsection @acronym{SHA224}
594
SHA224 is a variant of SHA256, with a different initial state, and with
595
the output truncated to 224 bits, or 28 octets. Nettle defines SHA224 in
596
@file{<nettle/sha.h>}.
598
The functions are analogous to the MD5 ones.
600
@deftp {Context struct} {struct sha224_ctx}
603
@defvr Constant SHA224_DIGEST_SIZE
604
The size of an SHA224 digest, i.e. 28.
607
@defvr Constant SHA224_DATA_SIZE
608
The internal block size of SHA224. Useful for some special constructions,
609
in particular HMAC-SHA224.
612
@deftypefun void sha224_init (struct sha224_ctx *@var{ctx})
613
Initialize the SHA224 state.
616
@deftypefun void sha224_update (struct sha224_ctx *@var{ctx}, unsigned @var{length}, const uint8_t *@var{data})
620
@deftypefun void sha224_digest (struct sha224_ctx *@var{ctx}, unsigned @var{length}, uint8_t *@var{digest})
621
Performs final processing and extracts the message digest, writing it
622
to @var{digest}. @var{length} may be smaller than
623
@code{SHA224_DIGEST_SIZE}, in which case only the first @var{length}
624
octets of the digest are written.
626
This function also resets the context in the same way as
630
@subsection @acronym{SHA512}
632
SHA512 is a larger sibling to SHA256, with a very similar structure but
633
with both the output and the internal variables of twice the size. The
634
internal variables are 64 bits rather than 32, making it significantly
635
slower on 32-bit computers. It outputs hash values of 512 bits, or 64
636
octets. Nettle defines SHA512 in @file{<nettle/sha.h>}.
638
The functions are analogous to the MD5 ones.
640
@deftp {Context struct} {struct sha512_ctx}
643
@defvr Constant SHA512_DIGEST_SIZE
644
The size of an SHA512 digest, i.e. 64.
647
@defvr Constant SHA512_DATA_SIZE
648
The internal block size of SHA512. Useful for some special constructions,
649
in particular HMAC-SHA512.
652
@deftypefun void sha512_init (struct sha512_ctx *@var{ctx})
653
Initialize the SHA512 state.
656
@deftypefun void sha512_update (struct sha512_ctx *@var{ctx}, unsigned @var{length}, const uint8_t *@var{data})
660
@deftypefun void sha512_digest (struct sha512_ctx *@var{ctx}, unsigned @var{length}, uint8_t *@var{digest})
661
Performs final processing and extracts the message digest, writing it
662
to @var{digest}. @var{length} may be smaller than
663
@code{SHA512_DIGEST_SIZE}, in which case only the first @var{length}
664
octets of the digest are written.
666
This function also resets the context in the same way as
670
@subsection @acronym{SHA384}
672
SHA384 is a variant of SHA512, with a different initial state, and with
673
the output truncated to 384 bits, or 48 octets. Nettle defines SHA384 in
674
@file{<nettle/sha.h>}.
676
The functions are analogous to the MD5 ones.
678
@deftp {Context struct} {struct sha384_ctx}
681
@defvr Constant SHA384_DIGEST_SIZE
682
The size of an SHA384 digest, i.e. 48.
685
@defvr Constant SHA384_DATA_SIZE
686
The internal block size of SHA384. Useful for some special constructions,
687
in particular HMAC-SHA384.
690
@deftypefun void sha384_init (struct sha384_ctx *@var{ctx})
691
Initialize the SHA384 state.
694
@deftypefun void sha384_update (struct sha384_ctx *@var{ctx}, unsigned @var{length}, const uint8_t *@var{data})
698
@deftypefun void sha384_digest (struct sha384_ctx *@var{ctx}, unsigned @var{length}, uint8_t *@var{digest})
699
Performs final processing and extracts the message digest, writing it
700
to @var{digest}. @var{length} may be smaller than
701
@code{SHA384_DIGEST_SIZE}, in which case only the first @var{length}
702
octets of the digest are written.
704
This function also resets the context in the same way as
708
@subsection @code{struct nettle_hash}
894
@subsubsection @acronym{GOSTHASH94}
896
The GOST94 or GOST R 34.11-94 hash algorithm is a Soviet-era algorithm
897
used in Russian government standards (see @cite{RFC 4357}).
898
It outputs message digests of 256 bits, or 32 octets.
899
Nettle defines GOSTHASH94 in @file{<nettle/gosthash94.h>}.
901
@deftp {Context struct} {struct gosthash94_ctx}
904
@defvr Constant GOSTHASH94_DIGEST_SIZE
905
The size of a GOSTHASH94 digest, i.e. 32.
908
@defvr Constant GOSTHASH94_DATA_SIZE
909
The internal block size of GOSTHASH94, i.e., 32.
912
@deftypefun void gosthash94_init (struct gosthash94_ctx *@var{ctx})
913
Initialize the GOSTHASH94 state.
916
@deftypefun void gosthash94_update (struct gosthash94_ctx *@var{ctx}, unsigned @var{length}, const uint8_t *@var{data})
920
@deftypefun void gosthash94_digest (struct gosthash94_ctx *@var{ctx}, unsigned @var{length}, uint8_t *@var{digest})
921
Performs final processing and extracts the message digest, writing it
922
to @var{digest}. @var{length} may be smaller than
923
@code{GOSTHASH94_DIGEST_SIZE}, in which case only the first @var{length}
924
octets of the digest are written.
926
This function also resets the context in the same way as
927
@code{gosthash94_init}.
930
@node nettle_hash abstraction,, Legacy hash functions, Hash functions
931
@comment node-name, next, previous, up
932
@subsection The nettle_hash abstraction
710
934
Nettle includes a struct including information about the supported hash
711
935
functions. It is defined in @file{<nettle/nettle-meta.h>}, and is used
2103
2332
@end deftypefun
2105
@node Public-key algorithms, Randomness, Keyed hash functions, Reference
2334
@node Key derivation functions, Public-key algorithms, Keyed hash functions, Reference
2335
@comment node-name, next, previous, up
2336
@section Key derivation Functions
2338
@cindex Key Derivation Function
2339
@cindex Password Based Key Derivation Function
2344
A @dfn{key derivation function} (@acronym{KDF}) is a function that from
2345
a given symmetric key derives other symmetric keys. A sub-class of KDFs
2346
is the @dfn{password-based key derivation functions} (@acronym{PBKDFs}),
2347
which take as input a password or passphrase, and its purpose is
2348
typically to strengthen it and protect against certain pre-computation
2349
attacks by using salting and expensive computation.
2351
@subsection @acronym{PBKDF2}
2352
The most well known PBKDF is the @code{PKCS #5 PBKDF2} described in
2353
@cite{RFC 2898} which uses a pseudorandom function such as
2354
@acronym{HMAC-SHA1}.
2356
Nettle's @acronym{PBKDF2} functions are defined in
2357
@file{<nettle/pbkdf2.h>}. There is an abstract function that operate on
2358
any PRF implemented via the @code{nettle_hash_update_func},
2359
@code{nettle_hash_digest_func} interfaces. There is also helper macros
2360
and concrete functions PBKDF2-HMAC-SHA1 and PBKDF2-HMAC-SHA256. First,
2361
the abstract function:
2363
@deftypefun void pbkdf2 (void *mac_ctx, nettle_hash_update_func *update, nettle_hash_digest_func *digest, unsigned digest_size, unsigned iterations, unsigned salt_length, const uint8_t *salt, unsigned length, uint8_t *dst)
2364
Derive symmetric key from a password according to PKCS #5 PBKDF2. The
2365
PRF is assumed to have been initialized and this function will call the
2366
@var{update} and @var{digest} functions passing the @var{mac_ctx}
2367
context parameter as an argument in order to compute digest of size
2368
@var{digest_size}. Inputs are the salt @var{salt} of length
2369
@var{salt_length}, the iteration counter @var{iterations} (> 0), and the
2370
desired derived output length @var{length}. The output buffer is
2371
@var{dst} which must have room for at least @var{length} octets.
2374
Like for CBC and HMAC, there is a macro to help use the function
2377
@deffn Macro PBKDF2 (@var{ctx}, @var{update}, @var{digest}, @var{digest_size}, @var{iterations}, @var{salt_length}, @var{salt}, @var{length}, @var{dst})
2378
@var{ctx} is a pointer to a context struct passed to the @var{update}
2379
and @var{digest} functions (of the types @code{nettle_hash_update_func}
2380
and @code{nettle_hash_digest_func} respectively) to implement the
2381
underlying PRF with digest size of @var{digest_size}. Inputs are the
2382
salt @var{salt} of length @var{salt_length}, the iteration counter
2383
@var{iterations} (> 0), and the desired derived output length
2384
@var{length}. The output buffer is @var{dst} which must have room for
2385
at least @var{length} octets.
2388
@subsection Concrete @acronym{PBKDF2} functions
2389
Now we come to the specialized @acronym{PBKDF2} functions, which are
2390
easier to use than the general @acronym{PBKDF2} function.
2392
@subsubsection @acronym{PBKDF2-HMAC-SHA1}
2394
@deftypefun void pbkdf2_hmac_sha1 (unsigned @var{key_length}, const uint8_t *@var{key}, unsigned @var{iterations}, unsigned @var{salt_length}, const uint8_t *@var{salt}, unsigned @var{length}, uint8_t *@var{dst})
2395
PBKDF2 with HMAC-SHA1. Derive @var{length} bytes of key into buffer
2396
@var{dst} using the password @var{key} of length @var{key_length} and
2397
salt @var{salt} of length @var{salt_length}, with iteration counter
2398
@var{iterations} (> 0). The output buffer is @var{dst} which must have
2399
room for at least @var{length} octets.
2402
@subsubsection @acronym{PBKDF2-HMAC-SHA256}
2404
@deftypefun void pbkdf2_hmac_sha256 (unsigned @var{key_length}, const uint8_t *@var{key}, unsigned @var{iterations}, unsigned @var{salt_length}, const uint8_t *@var{salt}, unsigned @var{length}, uint8_t *@var{dst})
2405
PBKDF2 with HMAC-SHA256. Derive @var{length} bytes of key into buffer
2406
@var{dst} using the password @var{key} of length @var{key_length} and
2407
salt @var{salt} of length @var{salt_length}, with iteration counter
2408
@var{iterations} (> 0). The output buffer is @var{dst} which must have
2409
room for at least @var{length} octets.
2412
@node Public-key algorithms, Randomness, Key derivation functions, Reference
2106
2413
@comment node-name, next, previous, up
2107
2414
@section Public-key algorithms