Closed vauclair closed 2 years ago
Key derivation uses `Hash(TT)` instead of `TT` directly. Most crypto libraries support ingesting data incrementally, see `SHA256_Init()`, `SHA256_Update()` and `SHA256_Final()` in OpenSSL. That way the device has to only keep a fixed-size digest state until the end of the protocol run.
cc @chris-wood
@ttaubert this might be worth noting in an appendix. I agree that this is an implementation issue at the end of the day. I'd also be fine closing this without resolution.
After some more consideration, I'd be in favour of closing without resolution. This is a very implementation-specific issue -- I don't think it's worth calling out in a separate note.
Works for me. That said, @vauclair, if you have text you'd like to suggest, we'd happily review it!
The current specification states that Context is a string with application data. This string and its length are prepended to the Transcript TT. This implies that the device has to keep a potentially large amount of data in memory to be able to compute the transcript. An alternative would be to prepend the hash of the Context and the length of the hash of the Context to the transcript. This implies that as soon as these values are computed, the Context can be dropped. However, for the cases where the Context is small, this would be overkill because at the end, in these cases, the hashed Context would be bigger than the unhashed Context. A solution that would give the best of both worlds would be to state that if the Context size is smaller than or equal to the size of the output of the Spake2+ selected hash function, the Context is prepended to the script and if the Context size is bigger than the size of the hash function output, the hash of the Context is prepended to the script.
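The two approaches discussed in this thread, as an added example that is not code from the issue participants or from the SPAKE2+ specification: `TranscriptHasher` feeds length-prefixed fields into an incremental hash (Python's `hashlib` `update()` standing in for `SHA256_Update()`), and `context_field` implements the size-dependent rule proposed in the issue. The class and function names, the 8-byte little-endian length prefix, SHA-256 as the selected hash, and all field values are assumptions made for illustration.

```python
import hashlib
import struct

def le64(n: int) -> bytes:
    """Length prefix; 8-byte little-endian is an assumption of this example."""
    return struct.pack("<Q", n)

class TranscriptHasher:
    """Computes Hash(TT) while holding only the fixed-size digest state."""
    def __init__(self, hash_name: str = "sha256"):
        self._h = hashlib.new(hash_name)

    def add(self, field: bytes) -> None:
        self._h.update(le64(len(field)))
        self._h.update(field)

    def add_streamed(self, total_len: int, chunks) -> None:
        # The length is hashed first, so it must be known before streaming starts.
        self._h.update(le64(total_len))
        seen = 0
        for chunk in chunks:
            self._h.update(chunk)
            seen += len(chunk)
        if seen != total_len:
            raise ValueError("streamed length does not match declared length")

    def digest(self) -> bytes:
        return self._h.digest()

def context_field(context: bytes, hash_name: str = "sha256") -> bytes:
    """Rule proposed in the issue: raw Context if it fits in one digest, else its hash."""
    if len(context) <= hashlib.new(hash_name).digest_size:
        return context
    return hashlib.new(hash_name, context).digest()

# Constructed sample values, not real protocol messages.
CONTEXT = b"constructed application context " * 128  # 4096 bytes
OTHER_FIELDS = [b"prover", b"verifier", b"\x04" * 65, b"\x05" * 65]

def buffered_hash() -> bytes:
    """Reference: build the whole transcript in memory, then hash it."""
    tt = b"".join(le64(len(f)) + f for f in [CONTEXT] + OTHER_FIELDS)
    return hashlib.sha256(tt).digest()

def streamed_hash(chunk_size: int = 64) -> bytes:
    """Same digest, but Context is consumed chunk by chunk and never buffered."""
    t = TranscriptHasher()
    chunks = (CONTEXT[i:i + chunk_size] for i in range(0, len(CONTEXT), chunk_size))
    t.add_streamed(len(CONTEXT), chunks)
    for f in OTHER_FIELDS:
        t.add(f)
    return t.digest()
```

Under the size-dependent rule, a Context that is exactly one digest long and equal to the hash of a longer Context produces the same transcript field as that longer Context, so an implementation adopting the rule should account for that ambiguity.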