jedisct1
commented
5 years ago It currently provides a security level of 128 bits. Preimages and collision resistance depend on the output size. Like cSHAKE, with an output of L bits, a collision attack will require about 2^(L/2) work, and a preimage attack will require about 2^L work.
Sponge-based constructions, and the libhydrogen API, allow great flexibility. The internal permutation can easily be replaced, and the rate/capacity ratio can also be adjusted to increase strength at the expense of speed or the other way round.
libhydrogen currently has these parameters hardcoded, but a goal that's also a justification for opting for that design, is to make these configurable at compile-time.
NoHatCoder
While the output length of the hash function is virtually unlimited, nowhere in the documentation can I find a quote for the cryptographic strength of the hash.
As best I can tell by looking at the code the strength for 256 bits or longer output is: 128 bits collision, 128 bits second preimage and somewhere in the range 128 to 256 bits first preimage. Where an ideal 256 bit hash function would provide 128, 256 and 256 bits of strength.
The strength of the hash should be documented.
For future releases I'd consider improving the hash to be at least an ideal 256 bit hash. I also wonder about the purpose of providing longer hashes when the strength of the underlying algorithm stays the same, one would think a longer output means better security, that just isn't the case here.