[Cryptography] SHA-3 FIPS-202: no SHAKE512 but SHAKE128; confusing SHAKE security

Sat Aug 15 14:21:45 EDT 2015

Phillip Hallam-Baker (at Saturday, August 15, 2015, 6:11:03 PM):
> I think we will settle on a new defacto consensus. But I think its
> going to be centered on the 256 bit algorithms:
> SHA-3-512
> AES256-GCM
> CFRG-SIG-448
> CFRG-DH-448

first of all using sha-3-512 seems very weird, it is the one primitive
most suffering the most severe performance hit from the overised
preimage. SHAKE256 seems to be the better option.

but the more interesting question is: why aes-gcm if you already have
keccak in there? keccak supports a one-pass authenticated encryption
scheme. http://keccak.noekeon.org/KeccakDIAC2012.pdf

getting rid of gcm seems to be a good thing in itself.