[Cryptography] SHA-3 FIPS-202: no SHAKE512 but SHAKE128; confusing SHAKE security

Krisztián Pintér pinterkr at gmail.com
Sat Aug 8 16:52:30 EDT 2015


Michal Bozon (at Saturday, August 8, 2015, 12:59:07 PM):

> I was just wondering why the Keccak capacity for best extendable output
> hash function was not chosen to be at least as big as for the best fixed
> hash function.


the reason for the SHAKEs is exactly to have something reasonable,
unlike the SHA3 instances, which are not.

as it happened, the keccak team submitted stupid parameters, because
the NIST call for submissions was unclear, and they didn't want to be
disqualified. old hash functions often have larger security against
preimage attacks than collision attacks. NIST wanted something that
has at least the same security as the SHA2 variants. so the keccak
team had to replicate the 256 bit preimage and 128 collision for the
SHA-256 drop-in. that requires 512 bit capacity.

it is especially crazy for the SHA3-512 version, which now has 512 bit
preimage security, which is for all intents and purposes a nonsensical
security level. this comes at a terrible performance hit.

it is completely useless. you want one general security against
everything. therefore NIST proposed to change the parametrization to
have 256bit output, 256 bit capacity for the SHA3-256. that would have
a general 128 bit security. this was in agreement with the keccak
team's intent. they actually discussed it, and agreed to it. this is
how you use keccak if you are a sane person.

here comes the crypto celebrity mob. schneier and the like were quick
to jump on the "NIST weakens crypto again" bandwagon. the entire thing
was shameful. to save its nonexistent reputation, NIST backed off, and
decided to standardize the original stupid parameters. congrats to
everyone involved, djb included!

so to save the day, they added the SHAKE instances as a workaround.
they are pretty much what SHA3 should have been. if you don't
understand how a sponge works, you are very much free to use the SHA3
instances. but if you want to do actual cryptography, you should
choose the SHAKEs.
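To make the capacity/security/throughput trade-off in this post concrete, here is an added example (not from the thread or from NIST/the Keccak team) that applies the generic sponge bounds, collision min(d/2, c/2) and preimage min(d, c/2), to the six FIPS-202 instances and checks the derived rate against the block size Python's hashlib reports. The bound formulas and the 1600-bit state width are assumptions stated in the code.

```python
import hashlib

# All FIPS-202 instances run on the Keccak-f[1600] permutation (assumption used here).
KECCAK_STATE_BITS = 1600

# FIPS-202 parameters: name -> (capacity bits, fixed output bits, or None for an XOF)
INSTANCES = {
    "sha3_224": (448, 224),
    "sha3_256": (512, 256),
    "sha3_384": (768, 384),
    "sha3_512": (1024, 512),
    "shake_128": (256, None),
    "shake_256": (512, None),
}


def rate_bytes(capacity_bits):
    """Bytes absorbed per permutation call (the throughput knob): r = b - c."""
    return (KECCAK_STATE_BITS - capacity_bits) // 8


def security_bits(capacity_bits, output_bits):
    """Generic sponge bounds: collision min(d/2, c/2), (second) preimage min(d, c/2)."""
    return {
        "collision": min(output_bits // 2, capacity_bits // 2),
        "preimage": min(output_bits, capacity_bits // 2),
    }


def profile(name, output_bits=None):
    """Security levels and rate for one instance; XOFs need an explicit output length."""
    capacity, fixed = INSTANCES[name]
    d = fixed if fixed is not None else output_bits
    h = hashlib.new(name)
    # hashlib exposes the sponge rate as block_size; cross-check our derivation.
    assert h.block_size == rate_bytes(capacity), name
    result = dict(security_bits(capacity, d))
    result.update(capacity_bits=capacity, output_bits=d, rate_bytes=rate_bytes(capacity))
    return result


def compare_256bit_outputs():
    """The post's point: SHAKE128 at 256-bit output gives a uniform 128-bit level
    with a larger rate, while SHA3-256 spends capacity on 256-bit preimage resistance."""
    return {"sha3_256": profile("sha3_256"), "shake_128": profile("shake_128", 256)}


if __name__ == "__main__":
    for name, _ in INSTANCES.items():
        print(name, profile(name, output_bits=256))
```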
