[Cryptography] SHA-3 FIPS-202: no SHAKE512 but SHAKE128; confusing SHAKE security

Watson Ladd watsonbladd at gmail.com
Sat Aug 8 18:18:38 EDT 2015


On Sat, Aug 8, 2015 at 1:52 PM, Krisztián Pintér <pinterkr at gmail.com> wrote:
>
> Michal Bozon (at Saturday, August 8, 2015, 12:59:07 PM):
>
>> I was just wondering why the Keccak capacity for best extendable output
>> hash function was not chosen to be at least as big as for the best fixed
>> hash function.
>
>
> the reason for the SHAKEs is exactly to have something reasonable,
> unlike the SHA3 instances, which are not.
>
> as it happened, the keccak team submitted stupid parameters, because
> the NIST call for submissions was unclear, and they didn't want to be
> disqualified. old hash functions often have larger security against
> preimage attacks than collision attacks. NIST wanted something that
> has at least the same security as the SHA2 variants. so the keccak
> team had to replicate the 256 bit preimage and 128 collision for the
> SHA-256 drop-in. that requires 512 bit capacity.
>
> it is especially crazy for the SHA3-512 version, which now has 512 bit
> preimage security, which is for all intents and purposes a nonsensical
> security level. this comes at a terrible performance hit.
>
> it is completely useless. you want one general security against
> everything. therefore NIST proposed to change the parametrization to
> have 256bit output, 256 bit capacity for the SHA3-256. that would have
> a general 128 bit security. this was in agreement with the keccak
> team's intent. they actually discussed it, and agreed to it. this is
> how you use keccak if you are a sane person.
>
> here comes the crypto celebrity mob. schneier and the like were quick
> to jump on the "NIST weakens crypto again" bandwagon. the entire thing
> was shameful. to save its nonexistent reputation, NIST backed off, and
> decided to standardize the original stupid parameters. congrats to
> everyone involved, djb included!

That's missing part of the story. NIST had eliminated CubeHash on the
basis that its preimage resistance was insufficient, in favor of
Keccak parameters which had been designed for their ridiculous
requirements. This elimination happened going into the final round.
Once that requirement was dropped, they would have had to redo a bunch
of things to be fair to everyone.

>
> so to save the day, they added the SHAKE instances as a workaround.
> they are pretty much what SHA3 should have been. if you don't
> understand how a sponge works, you are very much free to use the SHA3
> instances. but if you want to do actual cryptography, you should
> choose the SHAKEs.
>
>
>
> _______________________________________________
> The cryptography mailing list
> cryptography at metzdowd.com
> http://www.metzdowd.com/mailman/listinfo/cryptography



-- 
"Man is born free, but everywhere he is in chains".
--Rousseau.

