[Cryptography] SHA-3 FIPS-202: no SHAKE512 but SHAKE128; confusing SHAKE security

Ray Dillinger bear at sonic.net
Fri Aug 7 21:41:25 EDT 2015



On 08/07/2015 02:16 PM, Viktor Dukhovni wrote:
> On Wed, Aug 05, 2015 at 11:41:03PM +0200, Michal Bozon wrote:

> Not "only", rather "as expected".  The name reflects the collision
> resistance, not the output width, because the latter is variable.
> 
>> So what is the point of their expansion? (In the Example docs linked in
>> FIPS-202 appendix E, their output values are expanded to impressive 4096
>> bits.)
> 
> Most likely use case is as DRBG, but perhaps also as a keystream
> for a stream cipher.
>
> Variable length output d, with security min(128, d/2).  No surprises.

It seems counterproductive to me to specify a "hash" function that
can produce output longer than its security provides collision
resistance for.  People are going to make this mistake - and get
less collision resistance than they're designing for - because
the muddled use case and unfortunate terminology of calling this
a "hash" invite this mistake.

When people want a hash of some level of collision resistance
MANY of them are going to think they should be looking for a
hash function that produces a hash of some bit length.  There
shouldn't be a "hash function" they can select which gives them
that bit length without giving them that level of collision
resistance.  It invites avoidable design errors.

Keep the primitives simple so everybody knows exactly what they
do and more importantly what they don't do.  If you want a PRNG
initialized from a hash on some document, you take the hash and
use it to initialize a PRNG.


				Bear
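As an added illustration (not part of Bear's or Viktor's messages) of the two points above, this Python uses the standard library's SHAKE implementations to show that extending the output length d beyond 2 x 128 bits never raises SHAKE128's collision resistance above 128 bits (the min(128, d/2) figure, taken from FIPS 202 Table 4 together with the SHAKE256 and preimage entries), and that a longer SHAKE output is simply a prefix-extension of a shorter one, so the extra bits add width, not strength:

```python
import hashlib

# Security strength of the underlying sponge capacity, per FIPS 202.
CAPACITY_STRENGTH = {"SHAKE128": 128, "SHAKE256": 256}


def shake_output(variant: str, data: bytes, d_bits: int) -> bytes:
    """Return d_bits of XOF output from SHAKE128 or SHAKE256."""
    if d_bits % 8:
        raise ValueError("d must be a multiple of 8 bits for this helper")
    if variant not in CAPACITY_STRENGTH:
        raise ValueError("unknown variant %r" % variant)
    xof = hashlib.shake_128() if variant == "SHAKE128" else hashlib.shake_256()
    xof.update(data)
    return xof.digest(d_bits // 8)


def collision_strength_bits(variant: str, d_bits: int) -> int:
    """Collision resistance in bits: min(capacity strength, d/2)."""
    return min(CAPACITY_STRENGTH[variant], d_bits // 2)


def preimage_strength_bits(variant: str, d_bits: int) -> int:
    """(Second) preimage resistance in bits: min(2 x capacity strength, d)."""
    return min(2 * CAPACITY_STRENGTH[variant], d_bits)


def is_prefix_consistent(variant: str, data: bytes, short_bits: int, long_bits: int) -> bool:
    """True if the shorter output is a prefix of the longer one (XOF property)."""
    short = shake_output(variant, data, short_bits)
    long_ = shake_output(variant, data, long_bits)
    return long_.startswith(short)


if __name__ == "__main__":
    # Constructed sample input; the 4096-bit length mirrors the FIPS 202 example vectors.
    msg = b"example document"
    for d in (128, 256, 4096):
        print("SHAKE128 d=%4d  collision=%3d bits  preimage=%3d bits"
              % (d, collision_strength_bits("SHAKE128", d), preimage_strength_bits("SHAKE128", d)))
    print("4096-bit output extends the 256-bit one:",
          is_prefix_consistent("SHAKE128", msg, 256, 4096))
```

The 4096-bit SHAKE128 line shows the trap the post describes: the output is sixteen times wider than SHA3-256's, but its collision resistance is the same 128 bits.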


