-
Notifications
You must be signed in to change notification settings - Fork 357
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
derive_key: Add default-off, unstable derive_key_u8ref
API call
#424
base: master
Are you sure you want to change the base?
Conversation
This can be enabled with the unstable feature flag, `i_know_what_i_am_doing`. Developers attempting to deploy blake3 via the Rust crate often encounter `derive_key(&str, ...)` which forces the INFO parameter to be a valid UTF-8 string. Please see the discussion in issue [13](BLAKE3-team#13), in particular, this [comment](BLAKE3-team#13 (comment)). The recommended course of action for those with non-UTF-8 INFO is to use `hash` and `keyed_hash` and open code their own `derive_key` which takes an `&[u8]`. This is not good for two reasons: First, it is quickly seen that this forces deviation from the Blake3 paper for how `derive_key` should be performed, as `hash` doesn't let you set the `flags` field. Attempting to use the underlying `hash_all_at_once` fails because it's not exported. Second, the developer is now forced into the position of maintaining their own patches on top of the blake3 repo. This is a burden on the developer, and makes following blake3 upstream releases *much* less likely. This patch proposes a reasonable compromise. For developers who require `&[u8]` INFO field, they can enable the rust feature flag `i_know_what_i_am_doing` to expose the API `derive_key_u8ref`. This enables developers to use upstream blake3 directly, while still discouraging sloppy behavior in the default case. Signed-off-by: Jason Cooper <[email protected]>
Apologies in advance, I visit GitHub just rarely enough to forget its ins and outs. I've no idea what "1 workflow awaiting approval" means except that I might've done it wrong :-/ If you need me to edit anything just let me know and I'll resend |
You didn't do anything wrong, that's just a change GitHub made a couple years back where they stopped automatically running CI on PRs from new contributors. Apparently some people were "contributing" cryptocurrency mining code to random repos and abusing GitHub compute. Something like that. Anyway, I've clicked the run button :) |
I agree that this is a thing you can do, and even a thing that I suggested in that thread :) but I might not go quite as far as "recommended course of action" without hearing more about what a specific caller is trying to accomplish.
Indeed, nothing lets you set that field, and I'd be surprised if we ever exposed a public API for it. To kind of repeat and summarize my wall of text from #13, the goal of
My suspicion for a long time is that needing arbitrary bytes is usually a side effect of violating the "hardcoded" requirement of the I should mention that we do provide a C API that takes bytes, One scenario I could imagine (not suggesting this is your scenario, just making stuff up here) is using BLAKE3 to implement API-compatible replacement for an existing HKDF construction that currently takes its info/ikm/salt parameters as raw bytes. I'd suggest that |
Ack.
Sure :) Some quick background: The paper is written, and I have a few contacts doing some review right now. The paper will be published (ar, at a minimum, arxiv), and the code will be open source. (I started writing the code, which led to this question ;-) ) Without rewriting the paper, I'm creating an ephemeral cryptographic protocol (think generic ZRTP with modern lessons-learned incorporated) designed to maintain a context between two peers over extended periods of time, like years. Over many connections, and many runs of the process, without losing cryptographic state sync. Since the contexts last so long (there is session key rotation, keys are derived from a shared secret, using Once the context is established, the
I'm definitely having to bite the bullet and call some C code in the initial code, but I'd prefer to avoid it where possible. I say this with extreme sadness, as I've written in C for about 25 years, and only picked up Rust in the past three.
During the design phase, I looked at HKDF, but I've not felt comfortable with how I chose blake3 because it was the first hash algorithm I found that clearly understood password hashing is a different animal from hashing. 32-bit is a first class citizen, it has a Rust implementation, and I'm a lot more comfortable with how To summarize, is there a specific reason why blake3's Thanks! |
@oconnor663 gentle ping? |
Oops, thanks for the ping.
Gotcha. I think what I'd recommend here is a two-step process along the lines of: 1) Thinking about your example is helping me clarify in my head what
But in fact, I think all of this provokes a very natural follow up question, and if you'll forgive me, I'll express that question as a meme: Am I really telling folks to hand-roll their own
Another related question, how do we compare these three different approaches to the same problem:
All of these are valid ways to unambiguously hash |
This can be enabled with the unstable feature flag,
i_know_what_i_am_doing
.Developers attempting to deploy blake3 via the Rust crate often encounter
derive_key(&str, ...)
which forces the INFO parameter to be a valid UTF-8 string.Please see the discussion in issue 13, in particular, this comment.
The recommended course of action for those with non-UTF-8 INFO is to use
hash
andkeyed_hash
and open code their ownderive_key
which takes an&[u8]
.This is not good for two reasons: First, it is quickly seen that this forces deviation from the Blake3 paper for how
derive_key
should be performed, ashash
doesn't let you set theflags
field. Attempting to use the underlyinghash_all_at_once
fails because it's not exported. Second, the developer is now forced into the position of maintaining their own patches on top of the blake3 repo. This is a burden on the developer, and makes following blake3 upstream releases much less likely.This patch proposes a reasonable compromise. For developers who require
&[u8]
INFO field, they can enable the rust feature flagi_know_what_i_am_doing
to expose the APIderive_key_u8ref
. This enables developers to use upstream blake3 directly, while still discouraging sloppy behavior in the default case.