nus-sys / neobft-artifact

The Artifact Evaluation Repository for NeoBFT
10 stars, 0 forks

The HMAC variant #2

Open opeth10 opened 4 months ago

opeth10 commented 4 months ago

Hello,

Thanks for making your code public!

I have several questions about the HMAC implementation:

  1. The switch signs the first 8 bytes of the SHA-256 checksum of the message, along with the session, shard, and sequence numbers. Is this accurate?
  2. I don't fully understand how digest0 and digest1 are parsed from the bft_h header. Client messages have a 20B padding before the 8B checksum slice. However, the msg_num_h and bft_h headers are exactly 20B in size. Wouldn't digest0 and digest1 be zeroes in this case? I'm not sure if I'm missing something here.
  3. Do replicas verify the HalfSipHash signature? I couldn't locate where the key is shared between the switch and the replicas.
  4. How to configure the switch to generate more than one HMAC subgroup (i.e., more than 4 signatures)?

Thanks!

sgdxbc commented 1 week ago

Thanks for your interest. First I must apologize for the ridiculous late response, I really should have monitored this repo more= =

Let me try to answer these questions to the best of my ability. Later my collaborator who wrote the p4 code will review the answers.

  1. Yes
  2. Thanks for carefully checking the code, it indeed seems weird. Probably the server side code and switch side code got a bit out of sync during archiving; I will investigate it further. Notice that switch performance is constant no matter what the input digests are.
  3. No. The HalfSipHash algorithm is not implemented on the server side yet, but its overhead is simulated with a SipHash operation (whose result is discarded). That is also why the switch key hasn't been integrated.
  4. To enable more HMAC groups, use the hdr.bft.pad0. That field is used to keep track of the shards. As for using different keys, the remaining task is to convert it to use MATs. It should be relatively straightforward. Notice that the server side has not been tested with switch-based multi-groups.