Add test vectors

[unkaktus]

Hi,
I couldn't find any test vectors here. It would be perfectly nice to have them for other implementations as well as to run unit tests over the reference implementation.
I can generate them using this implementation to verify other ones but it is much better to have official ones. :)

[henrycg]

Please feel free to submit a pull request with some test vectors. I'll take a look at it when I get a moment.

[ecki]

When you are working on testvectors, can we

a) standardize if you want to include a final hash (maybe HMAC) or specify an option in the password blob to signify
b) define how different algorithms would be configured
c) resolve the todo in the compress function regarding hashing in meta data
d) include option for pepper and if it should be signed in hash

i was thinking instead of including all parameters in the hash we could allow/support a profile Id (to facilitate switching parameters for pepper), not sure about the algorithms though. Maybe define a

a=1 (ShA256,AES128,no HMAC“ profile compatible with ref impl?
a=2, sha512, aes256, HMAC256

also, can we define to remove padding characters from base64 and use urlsafe charset instead?

[ecki]

I see that @unkaktus go impl uses FinalHash only in the parallel case. It’s the configured hash not an Hmac - is that agreeable?

https://github.com/unkaktus/balloon/blob/6c6badd85b7c2748b56c2ddc93efd6d99e819757/balloon.go#L55

[DL6ER]

The nettle 3.9 release from two weeks ago ships with a balloon implementation including an automated test suite. They claim to have taken their test vectors from

• https://github.com/nachonavarro/balloon-hashing (here)
• https://github.com/RustCrypto/password-hashes/tree/master/balloon-hash (here)

There would be no shame using the same.

The mentioned test vectors test the sha256 variant with passwords and salts of different lengths (including an empty password and an empty salt case) and different costs. In a second set of test vectors, they test the sha1, sha256, sha384 and sha512 variants all with "password" and "salt" and constant costs as input.

[henrycg]

Please feel free to open a PR for this. I'd be happy to review and merge it.

[daxpedda]

Unfortunately this prototype implementation can not use these test vectors because it's implementation differs slightly. RustCrypto's implementation follows the paper more closely then the prototype implementation. See RustCrypto/password-hashes#232 for more details.

nachonavarro/balloon-hashing was also adjusted to use the same algorithm and test vectors: nachonavarro/balloon-hashing#2, nachonavarro/balloon-hashing#3.

So either this prototype implementation has to adjust to be compatible with RustCrypto's, nachonavarro's and nettle's implementation, or we change all our implementations to something else we all can agree on.

[henrycg]

It would be great with me to change this implementation to be byte-compatible with RustCrypto and nachonavarro's implementations if anyone has interest in doing that.