[Cryptography] SHA-3 FIPS-202: no SHAKE512 but SHAKE128; confusing SHAKE security

Sebastian Gesemann s.gesemann at gmail.com
Sun Aug 9 10:08:35 EDT 2015


On Wed, Aug 5, 2015 at 11:41 PM, Michal Bozon <michal.bozon at cesnet.cz> wrote:
> Hi.
> There is new fresh FIPS-202 standardizing SHA-3.
>
> In addition to SHA3-{224,256,384,512}, SHAKE-{256,512} were expected.
> However, we got SHAKE-{128,256} instead.
>
> So in addition to four fixed hash functions with 224 up to 512 bit
> security,

That's not their security. Their security is 112 up to 256. We don't
use 512 bits of output because we need a preimage resistance of 2^512.
We use 512 bits of output because they are necessary for collision
resistance of 2^256.

> there are two "expandable-output" functions (XOF) with only
> max. 128 vs max. 256 bit security.

128 and 256 are the "standard security levels" we know from AES already.

Even in the quantum computer context, 256 is perfectly fine and 512
rather meaningless.

> So what is the point of their expansion?

The SHAKEs can be used as a DRBG (deterministic random bit generator)
or an MGF (mask generation function, something you use in RSA-OAEP and
RSA-PSS, for example).

You can also use them if you need a faster hash. Just pick the desired
security level (s=128 or s=256), an appropriate digest length d and
use SHAKE-s with d bits of output. If you care about collision
resistance use d=2s, otherwise d=s should be fine. So, with the SHAKEs
you are pretty flexible in that you can choose the security level s
and output length d independently for a better security/speed
trade-off. Given SHAKE-s with d bits of output you get a 1st and 2nd
preimage resistance of 2^min(s, d) and a collision resistance of
2^min(s, d/2).

In the quantum computer context (using Grover's algorithm) this should
drop down to preimage resistance of 2^min(2s/3, d/2) and a collision
resistance of 2^min(2s/3, d/3) I believe.

Cheers!
sg
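Added worked example (not part of the message above, nor code from FIPS 202): the script below uses the SHAKE implementation in Python's hashlib to show the security-level/output-length trade-off described in the reply, the generic bounds as the reply states them, and SHAKE used as a mask generation function. The function names (shake, digest_bits_for, generic_bounds, shake_mask, output_is_prefix, same_as_sha3_512) and the inputs are my own choices for illustration.

```python
# Added example, not code from the original message or from FIPS 202. It uses
# Python's hashlib SHAKE128/SHAKE256 to illustrate the points made in the reply.
import hashlib


def shake(s: int, data: bytes, d: int) -> bytes:
    """SHAKE-s applied to `data`, returning d bits of output.

    s is the security level (128 or 256, the only two defined in FIPS 202);
    d is the requested output length in bits (restricted to whole bytes here).
    """
    if s not in (128, 256):
        raise ValueError("FIPS 202 defines SHAKE128 and SHAKE256 only")
    if d <= 0 or d % 8:
        raise ValueError("d must be a positive multiple of 8")
    xof = hashlib.shake_128() if s == 128 else hashlib.shake_256()
    xof.update(data)
    return xof.digest(d // 8)


def digest_bits_for(s: int, collision_resistant: bool = True) -> int:
    """Rule of thumb from the reply: d = 2s if collisions matter, else d = s."""
    return 2 * s if collision_resistant else s


def generic_bounds(s: int, d: int, quantum: bool = False) -> dict:
    """log2 of the generic attack cost for SHAKE-s with d output bits, exactly
    as the reply states it: classically preimage 2^min(s, d) and collision
    2^min(s, d/2); the quantum values are the reply's Grover/BHT estimates."""
    if quantum:
        return {"preimage": min(2 * s / 3, d / 2), "collision": min(2 * s / 3, d / 3)}
    return {"preimage": min(s, d), "collision": min(s, d / 2)}


def shake_mask(s: int, seed: bytes, data: bytes) -> bytes:
    """SHAKE-s as a mask generation function (the MGF role in OAEP/PSS):
    expand `seed` to len(data) bytes and XOR it in. Applying the same seed
    twice restores the original data."""
    mask = shake(s, seed, 8 * len(data))
    return bytes(a ^ b for a, b in zip(data, mask))


def output_is_prefix(s: int, data: bytes, short_bits: int, long_bits: int) -> bool:
    """SHAKE output is a stream: requesting fewer bits yields a prefix of the
    longer output. The output length is therefore NOT a domain separator,
    unlike SHA3-256 vs SHA3-512, which are distinct functions."""
    return shake(s, data, short_bits) == shake(s, data, long_bits)[: short_bits // 8]


def same_as_sha3_512(data: bytes) -> bool:
    """SHAKE256 truncated to 512 bits is not SHA3-512: the sponge capacity
    (512 vs 1024 bits) and the padding differ, so the outputs do not match."""
    return shake(256, data, 512) == hashlib.sha3_512(data).digest()


if __name__ == "__main__":
    # Constructed inputs for demonstration only.
    for s in (128, 256):
        for coll in (True, False):
            d = digest_bits_for(s, coll)
            print(f"SHAKE{s} with d={d}: classical {generic_bounds(s, d)}, "
                  f"quantum (per reply) {generic_bounds(s, d, quantum=True)}")
    print("short output is prefix of long output:", output_is_prefix(256, b"abc", 256, 512))
    print("SHAKE256/512 equals SHA3-512:", same_as_sha3_512(b"abc"))
```

The prefix property is the practical caveat to keep in mind when "choosing d independently": two callers using SHAKE256 with different output lengths on the same input get related outputs, so if you need distinct functions you must separate them in the input (or use cSHAKE's customization string), not via the length.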

