[Cryptography] SHA-3 FIPS-202: no SHAKE512 but SHAKE128; confusing SHAKE security
Viktor Dukhovni
cryptography at dukhovni.org
Fri Aug 7 17:16:27 EDT 2015
On Wed, Aug 05, 2015 at 11:41:03PM +0200, Michal Bozon wrote:

> In addition to SHA3-{224,256,384,512}, SHAKE-{256,512} were expected.
> However, we got SHAKE-{128,256} instead.

SHAKE-128 is essentially SHA3-256 with variable length output.
SHAKE-256 is essentially SHA3-512 with variable length output.

> So in addition to four fixed hash functions with 224 up to 512 bit
> security, there are two "expandable-output" functions (XOF) with only
> max. 128 vs max. 256 bit security.

Not "only", rather "as expected". The name reflects the collision
resistance, not the output width, because the latter is variable.

> So what is the point of their expansion? (In the Example docs linked in
> FIPS-202 appendix E, their output values are expanded to impressive 4096
> bits.)

Most likely use case is as DRBG, but perhaps also as a keystream
for a stream cipher.

> Interesting.. Birthday paradox does not apply here?
> Do I have a mistake somewhere? Do they?

Variable length output d, with security min(128, d/2). No surprises.

--
Viktor.
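
An added illustration, not part of the original post or of FIPS 202: the Python sketch below uses the standard `hashlib` SHAKE functions to show the min(cap, d/2) collision rule from the reply, that a longer output only extends a shorter one, and that the birthday bound does apply to a short output. The helper names and the counter inputs are constructed for this example.

```python
import hashlib

# Collision-resistance cap in bits: the number in each XOF's name.
CAP = {"shake_128": 128, "shake_256": 256}

def collision_bits(name, d):
    """Collision security in bits of a d-bit output: min(cap, d/2)."""
    return min(CAP[name], d // 2)

def xof(name, data, nbytes):
    """Return nbytes of SHAKE output over data."""
    return getattr(hashlib, name)(data).digest(nbytes)

def is_prefix_consistent(name, data, short, long):
    """Asking for more output extends the stream; it never changes it."""
    return xof(name, data, long)[:short] == xof(name, data, short)

def birthday_collision(name, nbytes):
    """Hash constructed counter inputs until two nbytes-byte outputs match.

    Returns (msg_a, msg_b, tries). For d = 8*nbytes output bits the
    expected number of tries is on the order of 2**(d/2).
    """
    seen = {}
    i = 0
    while True:
        msg = b"constructed-input-%d" % i
        tag = xof(name, msg, nbytes)
        if tag in seen:
            return seen[tag], msg, i + 1
        seen[tag] = msg
        i += 1

if __name__ == "__main__":
    print("d bits  SHAKE128  SHAKE256")
    for d in (64, 128, 256, 512, 4096):
        print(d, collision_bits("shake_128", d), collision_bits("shake_256", d))
    # 24-bit output: a collision turns up after roughly 2**12 inputs.
    a, b, tries = birthday_collision("shake_128", 3)
    print("24-bit collision after", tries, "tries:", a, b)
    # The same pair does not collide once 256 bits of output are taken.
    print("still equal at 256 bits:", xof("shake_128", a, 32) == xof("shake_128", b, 32))
```

Expanding SHAKE128 to 4096 bits leaves its collision security at 128 bits; the extra output is there for uses that need many bytes, not for added strength.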