[Cryptography] SHA-3 FIPS-202: no SHAKE512 but SHAKE128; confusing SHAKE security

Michal Bozon michal.bozon at cesnet.cz
Wed Aug 12 05:47:24 EDT 2015


On 2015-08-08 Sat 22:52, Krisztián Pintér wrote:
> 
> Michal Bozon (at Saturday, August 8, 2015, 12:59:07 PM):
> 
> > I was just wondering why the Keccak capacity for best extendable output
> > hash function was not chosen to be at least as big as for the best fixed
> > hash function.
> 
> 
> the reason for the SHAKEs is exactly to have something reasonable,
> unlike the SHA3 instances, which are not.
> 
> as it happened, the keccak team submitted stupid parameters, because
> the NIST call for submissions was unclear, and they didn't want to be
> disqualified. old hash functions often have larger security against
> preimage attacks than collision attacks. NIST wanted something that
> has at least the same security as the SHA2 variants. so the keccak
> team had to replicate the 256-bit preimage and 128-bit collision for the
> SHA-256 drop-in. that requires 512-bit capacity.
> 
> it is especially crazy for the SHA3-512 version, which now has 512-bit
> preimage security, which is for all intents and purposes a nonsensical
> security level. this comes at a terrible performance hit.
> 
> it is completely useless. you want one general security against
> everything. therefore NIST proposed to change the parametrization to
> have 256-bit output, 256-bit capacity for the SHA3-256. that would have
> a general 128-bit security. this was in agreement with the keccak
> team's intent. they actually discussed it, and agreed to it. this is
> how you use keccak if you are a sane person.
> 
> here comes the crypto celebrity mob. schneier and the like were quick
> to jump on the "NIST weakens crypto again" bandwagon. the entire thing
> was shameful. to save its nonexistent reputation, NIST backed off, and
> decided to standardize the original stupid parameters. congrats to
> everyone involved, djb included!


Thanks for the brief history intro.

However, I do not think that overkill security is useless, nonsensical
and stupid. An algorithm becomes useless when it is sufficiently
broken.



> 
> so to save the day, they added the SHAKE instances as a workaround.
> they are pretty much what SHA3 should have been. if you don't
> understand how a sponge works, you are very much free to use the SHA3
> instances. but if you want to do actual cryptography, you should
> choose the SHAKEs.
> 
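The capacity/security relationship argued over above, as an added example that is not part of either poster's text: a Python script using the FIPS 202 instances in `hashlib`. The rate/capacity numbers and the security formulas (collision min(d/2, c/2), preimage and second preimage min(d, c/2)) are those tabulated in FIPS 202; the sample message `b"abc"` is constructed, and the 256-bit SHAKE output length used in the summary table is an assumed choice for illustration. Note that the "256-bit output, 256-bit capacity" parametrization described in the quoted post is exactly SHAKE128 with a 256-bit output.

```python
import hashlib

# Added example (not from the original post). Keccak-p[1600] has a 1600-bit
# state; each FIPS 202 instance splits it into a rate r (bits absorbed per
# permutation call) and a capacity c, with r + c = 1600.
STATE_BITS = 1600

# name -> (capacity bits, fixed digest bits, or None for a SHAKE XOF)
INSTANCES = {
    "SHA3-224": (448, 224),
    "SHA3-256": (512, 256),
    "SHA3-384": (768, 384),
    "SHA3-512": (1024, 512),
    "SHAKE128": (256, None),
    "SHAKE256": (512, None),
}


def rate_bytes(name):
    """Message bytes absorbed per Keccak-f permutation (larger = faster)."""
    c, _ = INSTANCES[name]
    return (STATE_BITS - c) // 8


def security_bits(name, d=None):
    """(collision, preimage, second-preimage) strength in bits for the
    instance with a d-bit output, per FIPS 202 Table 4:
    collision = min(d/2, c/2), preimage = second preimage = min(d, c/2).
    For the fixed-length instances d is implied by the name."""
    c, fixed = INSTANCES[name]
    if fixed is not None:
        d = fixed
    elif d is None:
        raise ValueError(f"{name} is an XOF; an output length d is required")
    return (min(d // 2, c // 2), min(d, c // 2), min(d, c // 2))


def sha3_256_hex(msg):
    return hashlib.sha3_256(msg).hexdigest()


def xof_prefix_property(msg):
    """SHAKE output is a stream: the 32-byte output is a prefix of the 64-byte one."""
    short = hashlib.shake_128(msg).digest(32)
    long = hashlib.shake_128(msg).digest(64)
    return long[:32] == short


def sha3_vs_shake_differ(msg):
    """SHA3-256 and SHAKE256 share c = 512 but are domain-separated by
    different padding suffix bits, so SHAKE256 truncated to 32 bytes is
    not SHA3-256 (you cannot substitute one for the other)."""
    return hashlib.sha3_256(msg).digest() != hashlib.shake_256(msg).digest(32)


def summary_table(xof_output_bits=256):
    """Rate and security strengths for every instance; the SHAKEs are
    evaluated at an assumed xof_output_bits output length."""
    rows = []
    for name, (_, fixed) in INSTANCES.items():
        d = None if fixed is not None else xof_output_bits
        rows.append((name, rate_bytes(name), security_bits(name, d)))
    return rows


if __name__ == "__main__":
    msg = b"abc"  # constructed sample input
    for name, rb, (col, pre, sec) in summary_table():
        print(f"{name:9s} rate={rb:3d} B/perm  collision={col:3d} "
              f"preimage={pre:3d} 2nd-preimage={sec:3d}")
    print("SHA3-256(abc) =", sha3_256_hex(msg))
    print("SHAKE128 prefix property:", xof_prefix_property(msg))
    print("SHA3-256 != SHAKE256[:32]:", sha3_vs_shake_differ(msg))
```

Running it shows the trade-off both posters are describing in one table: SHA3-256 (c = 512) absorbs 136 bytes per permutation and offers 128-bit collision but 256-bit preimage resistance, SHA3-512 drops to 72 bytes per permutation for 256/512, while SHAKE128 at a 256-bit output absorbs 168 bytes per permutation and offers a uniform 128 bits against everything, because min(d, c/2) caps it at c/2 no matter how long the output is.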
