[Cryptography] SHA-3 FIPS-202: no SHAKE512 but SHAKE128; confusing SHAKE security

Michal Bozon michal.bozon at cesnet.cz
Sat Aug 8 06:59:07 EDT 2015


On 2015-08-07 Fri 21:16, Viktor Dukhovni wrote:
> On Wed, Aug 05, 2015 at 11:41:03PM +0200, Michal Bozon wrote:
> 
> > In addition to SHA3-{224,256,384,512}, SHAKE-{256,512} were expected.
> > However, we got SHAKE-{128,256} instead.
> 
> SHAKE-128 is essentially SHA3-256 with variable length output.
> SHAKE-256 is essentially SHA3-512 with variable length output.


Not sure I can agree here.

SHA3-256    =~ Keccak[512](d=256)
SHA3-512    =~ Keccak[1024](d=512)

SHAKE128(d) =~ Keccak[256](d)
SHAKE256(d) =~ Keccak[512](d)

(d is output length; Keccak[c]: c is capacity)

Best SHA-3 (SHA3-512) is essentially Keccak with capacity 1024
(output fixed to 512 bits though),
best SHAKE (SHAKE256) is essentially Keccak with capacity 512.

I was just wondering why the Keccak capacity for best extendable output
hash function was not chosen to be at least as big as for the best fixed
hash function.


Michal Bozon



> 
> > So in addition to four fixed hash functions with 224 up to 512 bit
> > security, there are two "expandable-output" functions (XOF) with only
> > max. 128 vs max. 256 bit security.
> 
> Not "only", rather "as expected".  The name reflects the collision
> resistance, not the output width, because the latter is variable.
> 
> > So what is the point of their expansion? (In the Example docs linked in
> > FIPS-202 appendix E, their output values are expanded to impressive 4096
> > bits.)
> 
> Most likely use case is as DRBG, but perhaps also as a keystream
> for a stream cipher.
> 
> > Interesting.. Birthday paradox does not apply here?
> > Do I have a mistake somewhere? Do they?
> 
> Variable length output d, with security min(128, d/2).  No surprises.
> 
> -- 
> 	Viktor.
> _______________________________________________
> The cryptography mailing list
> cryptography at metzdowd.com
> http://www.metzdowd.com/mailman/listinfo/cryptography
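An added illustration (my own code, not part of the thread): a minimal Keccak[c] sponge with the FIPS 202 domain-separation suffix, parameterised by capacity c and output length d, so the four equivalences stated above (SHA3-256 = Keccak[512] with d=256, SHA3-512 = Keccak[1024] with d=512, SHAKE128 = Keccak[256], SHAKE256 = Keccak[512]) can be checked against Python's hashlib. Function names and the sample message are mine; the 4096-bit SHAKE outputs mirror the appendix E examples mentioned in the thread.

```python
import hashlib
MASK = (1 << 64) - 1
# Round constants for the iota step of Keccak-f[1600] (FIPS 202, section 3.2.5).
RC = [0x0000000000000001, 0x0000000000008082, 0x800000000000808A, 0x8000000080008000, 0x000000000000808B, 0x0000000080000001,
      0x8000000080008081, 0x8000000000008009, 0x000000000000008A, 0x0000000000000088, 0x0000000080008009, 0x000000008000000A,
      0x000000008000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003, 0x8000000000008002, 0x8000000000000080,
      0x000000000000800A, 0x800000008000000A, 0x8000000080008081, 0x8000000000008080, 0x0000000080000001, 0x8000000080008008]
def rol(v, n): return ((v << (n % 64)) | (v >> (64 - n % 64))) & MASK   # 64-bit left rotate

def keccak_f(S):
    # Keccak-f[1600]: 24 rounds over 25 lanes; lane x+5y of S is A[x][y].
    A = [[S[x + 5 * y] for y in range(5)] for x in range(5)]
    for rnd in range(24):
        C = [A[x][0] ^ A[x][1] ^ A[x][2] ^ A[x][3] ^ A[x][4] for x in range(5)]   # theta
        D = [C[(x - 1) % 5] ^ rol(C[(x + 1) % 5], 1) for x in range(5)]
        A = [[A[x][y] ^ D[x] for y in range(5)] for x in range(5)]
        x, y, cur = 1, 0, A[1][0]                                                # rho and pi
        for t in range(24):
            x, y = y, (2 * x + 3 * y) % 5
            cur, A[x][y] = A[x][y], rol(cur, (t + 1) * (t + 2) // 2)
        for y in range(5):                                                       # chi
            T = [A[x][y] for x in range(5)]
            for x in range(5):
                A[x][y] = T[x] ^ (~T[(x + 1) % 5] & T[(x + 2) % 5])
        A[0][0] ^= RC[rnd]                                                       # iota
    return [A[i % 5][i // 5] for i in range(25)]

def keccak(capacity, data, suffix, out_len):
    # Keccak[c] sponge, rate r = 1600 - c bits; suffix is the FIPS 202 domain byte (0x06 SHA3-*, 0x1F SHAKE*), out_len is d in bytes.
    rate = (1600 - capacity) // 8
    P = bytearray(data) + bytes([suffix])
    P += bytes(-len(P) % rate)                 # pad10*1: zeros up to the rate ...
    P[-1] ^= 0x80                              # ... and the final 1 bit
    S = [0] * 25
    for off in range(0, len(P), rate):         # absorb: input only ever touches the outer r bits
        for i in range(rate // 8):
            S[i] ^= int.from_bytes(P[off + 8 * i:off + 8 * i + 8], 'little')
        S = keccak_f(S)
    out = bytearray()
    while len(out) < out_len:                  # squeeze: r bits per permutation call, as many as needed
        out += b''.join(S[i].to_bytes(8, 'little') for i in range(rate // 8))
        S = keccak_f(S)
    return bytes(out[:out_len])

def matches_hashlib(msg=b"constructed sample message"):
    # True when the capacities given in the post reproduce the FIPS 202 functions in hashlib.
    return (keccak(512, msg, 0x06, 32) == hashlib.sha3_256(msg).digest() and        # SHA3-256 = Keccak[512](d=256)
            keccak(1024, msg, 0x06, 64) == hashlib.sha3_512(msg).digest() and       # SHA3-512 = Keccak[1024](d=512)
            keccak(256, msg, 0x1F, 512) == hashlib.shake_128(msg).digest(512) and   # SHAKE128 = Keccak[256], d=4096 bits
            keccak(512, msg, 0x1F, 512) == hashlib.shake_256(msg).digest(512))      # SHAKE256 = Keccak[512], d=4096 bits
```

Changing only the capacity argument (and the suffix) moves between the SHA-3 and SHAKE instances, which is the point of the capacity comparison above: the SHAKE256 sponge leaves 512 bits hidden between blocks, the SHA3-512 sponge 1024.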

