[Cryptography] SHA-3 FIPS-202: no SHAKE512 but SHAKE128; confusing SHAKE security
Viktor Dukhovni
cryptography at dukhovni.org
Fri Aug 7 22:47:32 EDT 2015
On Fri, Aug 07, 2015 at 06:41:25PM -0700, Ray Dillinger wrote:
> > Most likely use case is as DRBG, but perhaps also as a keystream
> > for a stream cipher.
> >
> > Variable length output d, with security min(128, d/2). No surprises.
>
> It seems counterproductive to me to specify a "hash" function that
> can produce output longer than its security provides collision
> resistance for. People are going to make this mistake - and get
> less collision resistance than they're designing for - because
> the muddled use case and unfortunate terminology of calling this
> a "hash" invite this mistake.
The hash functions are the SHA3 ones, the SHAKE functions serve a
different (useful) purpose, and generate variable width output at
the stated security. NIST is doing the right thing.
If you find the novelty disturbing, I expect you'll get used to it.
--
Viktor.
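As an added illustration (not part of the thread, and not code from either poster), Python's standard hashlib.shake_128 shows the points under discussion: the output length d is the caller's choice, a shorter output is a prefix of a longer one, and the FIPS 202 collision strength stays min(d/2, 128) however long the output is, unlike a fixed-length SHA3-d whose collision strength is d/2. Helper names are my own.

```python
import hashlib

# FIPS 202 Table 4: security strength (bits) is capped by half the capacity,
# i.e. 128 for SHAKE128 and 256 for SHAKE256, whatever output length d is chosen.
_XOF_CAP = {"SHAKE128": 128, "SHAKE256": 256}


def shake128_bits(data: bytes, d_bits: int) -> bytes:
    """SHAKE128 output of d bits (d restricted to whole bytes here)."""
    if d_bits % 8:
        raise ValueError("d must be a multiple of 8 in this example")
    return hashlib.shake_128(data).digest(d_bits // 8)


def shake_security_bits(name: str, d_bits: int) -> dict:
    """Collision and (second-)preimage strength of SHAKE128/256 at d output bits."""
    cap = _XOF_CAP[name]
    return {"collision": min(d_bits // 2, cap), "preimage": min(d_bits, cap)}


def sha3_vs_shake128_collision_bits(d_bits: int) -> tuple:
    """Collision strength of fixed-length SHA3-d versus SHAKE128 asked for d bits.

    The gap at d=512 (256 vs 128) is the mistake the thread warns about:
    asking SHAKE128 for a 512-bit output does not buy SHA3-512 strength.
    """
    if d_bits not in (224, 256, 384, 512):
        raise ValueError("SHA3 only exists for d in 224/256/384/512")
    return (d_bits // 2, shake_security_bits("SHAKE128", d_bits)["collision"])


def is_prefix_consistent(data: bytes, short_bits: int, long_bits: int) -> bool:
    """XOF property: the d-bit output is a prefix of any longer output for the same input."""
    return shake128_bits(data, long_bits).startswith(shake128_bits(data, short_bits))


if __name__ == "__main__":
    msg = b"constructed sample input"  # constructed, not from the thread
    print(shake128_bits(msg, 256).hex())
    print(sha3_vs_shake128_collision_bits(512))  # (256, 128)
    print(is_prefix_consistent(msg, 128, 1024))   # True
```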