But what about your hash-crypt project?

That's totally different.

soatok/hash-crypt turns HMAC (which is a construction built with hash functions) into an authenticated stream cipher.

This works because HMAC-SHA256 is a secure pseudo-random function (PRF).

If you HMAC a nonce and an increasing counter value with a secret key, you can XOR the blocks of HMAC output with your message. To generate the same sequence of keystream blocks, you need to know the secret key, the nonce, and the initial counter value.

The only other trick is ensuring key separation between encryption and authentication, and making sure you Encrypt-then-MAC. (Also, use a secure compare function when verifying the authentication tag.)

HMAC-SHA256-Crypt has a birthday bound of 2^128 messages, versus AES's birthday bound of 2^64 messages. However, SHA256 is much slower than AES when AES-NI hardware acceleration is available.

Just because you can build encryption out of SHA256 doesn't mean that SHA256 is, in and of itself, an encryption algorithm.

You should use XChaCha20-Poly1305 instead. Dhole uses XChaCha20-Poly1305.


Permalink https://faq.dhol.es/e/ljxxxx6rwqefoa3pbc3nab4mwgjyixmn