Would it be worth adding a Blake2s option for embedded?

[pallas]

It could work the same way the SHA512 switch works. If you believe this would be useful, I'm happy to work on it.

[LoupVaillant]

Hi,

Sorry, but that would be out of scope. I agree Blake2s could be nice for some use cases, but if we start adding primitives like that, I fear Monocypher could end up bloated like Libsodium.

SHA-512 is kind of an exception: it was only added for Ed25519 compatibility (the default is EdDSA with curve25519 and Blake2b), so I could test it against other libraries. Had I known about @floodyberry's ed25519 Donna sooner, I may not have added it at all.

[pallas]

Thanks, that makes sense. I'll just switch to using Blake2b.

[LoupVaillant]

Sorry, I know Blake2s makes more sense for some use cases.

What could work would be implementing Blake2s in a separate project. Monocypher already has a significant test infrastructure, we could imitate the Blake2b tests for Blake2s. We could also take some code from Blake2b: while the rounds are different, the outer structure is bound to be similar.

I have other priorities right now (like working on authenticated key exchange), but we could imagine having something like a Monocypher-extra project or something, that would contain all those nice primitives Monocypher itself rejects.