Hi Cris! First of all, I love to see new hash designs, it is great!
The standard disclaimer is “please do not use this for cryptographic purposes,” placed at the top of the README.
(I like to add a hint afterwards, like “If you need security, please use BLAKE3.”)
Second, if you do want to make a version in the same family with cryptographic properties, a few things are expected:
• Careful list of cryptographic claims (is it a PRF? a PRP? a compression function? is it collision resistant? with what probability of success?…)
• A published paper with preliminary cryptanalysis. What is the average number of evaluations of the hash function for key recovery? How much probabilistic information of the state bits can be gained from the output? How much output leads to a state recovery? What is the worst statistical bias of the output from single-bit input changes?
• Multiple rounds. The production hash should use at least one more round than is shown to be cryptanalytically safe; ideally twice.
• I worry that multiplication, in particular 128-bit multiplication, is subject to timing attacks. It is uncommon to see it used in cryptographic hashes.
Disclaimer: I am not a cryptographer by trade, so this advice is insufficient.
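One way to start on the "worst statistical bias of the output from single-bit input changes" item, as an added example that is neither Cris's hash nor code from the comment above: flip each input bit of a mixing function over random inputs and record how far each output bit's flip rate strays from 1/2. The `toy_mix` function is a constructed placeholder mixer (xorshift, odd multiply, rotate) used only so the harness has something to measure; the multiplier is the usual golden-ratio constant, not a value from the page.

```python
import random

MASK64 = (1 << 64) - 1

def rotl64(x, r):
    return ((x << r) | (x >> (64 - r))) & MASK64

def toy_mix(x, rounds):
    # Constructed placeholder mixer, not a real hash: each round shifts bits
    # downward (xorshift), upward (odd multiply mod 2^64) and then rotates.
    for _ in range(rounds):
        x ^= x >> 31
        x = (x * 0x9E3779B97F4A7C15) & MASK64
        x = rotl64(x, 23)
    return x

def avalanche_bias(f, trials=400, seed=1):
    """Return (worst_bias, in_bit, out_bit) for a 64-bit function f.

    For every input bit i, flip it in `trials` random inputs and count how
    often each output bit j changes.  An ideal mixer flips every output bit
    with probability 1/2, so the bias |rate - 0.5| should be near 0; a bias
    of 0.5 means that output bit never (or always) reacts to that input bit.
    """
    rng = random.Random(seed)
    worst, worst_in, worst_out = 0.0, -1, -1
    for i in range(64):
        flips = [0] * 64
        for _ in range(trials):
            x = rng.getrandbits(64)
            d = f(x) ^ f(x ^ (1 << i))   # output difference for a 1-bit input change
            for j in range(64):
                flips[j] += (d >> j) & 1
        for j in range(64):
            bias = abs(flips[j] / trials - 0.5)
            if bias > worst:
                worst, worst_in, worst_out = bias, i, j
    return worst, worst_in, worst_out

if __name__ == "__main__":
    for rounds in (1, 2, 6):
        b, i, j = avalanche_bias(lambda x, r=rounds: toy_mix(x, r))
        print(f"{rounds} round(s): worst bias {b:.3f} at input bit {i}, output bit {j}")
```

With one round the multiply only carries differences upward and the rotation moves them by a fixed amount, so some output bits never react to a given input bit (bias 0.5); the harness reports exactly which pair, which is the kind of number a cryptanalysis write-up is expected to contain.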