[Cryptography] SHA-3 FIPS-202: no SHAKE512 but SHAKE128; confusing SHAKE security
Michal Bozon
michal.bozon at cesnet.cz
Wed Aug 5 17:41:03 EDT 2015
Hi.
There is new fresh FIPS-202 standardizing SHA-3.
In addition to SHA3-{224,256,384,512}, SHAKE-{256,512} were expected.
However, we got SHAKE-{128,256} instead.
So in addition to four fixed hash functions with 224 up to 512 bit
security, there are two "expandable-output" functions (XOF) with only
max. 128 vs max. 256 bit security.
So what is the point of their expansion? (In the Example docs linked in
FIPS-202 appendix E, their output values are expanded to impressive 4096
bits.)
And regarding to SHAKE security.. according to the FIPS-202's Table 4,
unlike SHA3 functions, where the collision resistance is half of the
(2nd) preimage resistance, as expected, SHAKE functions have these
resistances equal (for sufficient output lengths).
Interesting.. Birthday paradox does not apply here?
Do I have a mistake somewhere? Do they?
thanks for any insider comments,
Michal Bozon
More information about the cryptography
mailing list