Extendable-output function: Difference between revisions

Browse history interactively

← Previous edit

Content deleted Content added

VisualWikitext

Revision as of 22:13, 22 June 2023 edit Dimawik (talk \| contribs) Extended confirmed users 2,445 edits →top: added information ← Previous edit		Latest revision as of 08:27, 29 May 2025 edit undo Dimawik (talk \| contribs) Extended confirmed users 2,445 edits →Sources: per the discussion on the talk page
(20 intermediate revisions by 6 users not shown)
Line 1: {{Technical\|date=July 2023}} ~~{{in use}}~~ '''Extendable-output function''' ('''XOF''') is an extension{{sfn\|Peyrin\|Wang\|2020\|p=7}} of the [[cryptographic hash]] that allows its output to be arbitrarily long. In particular, ~~the nature of~~ the [[sponge construction]] makes aany [[sponge hash]] a natural XOF: the squeeze operation can be repeated, and (the regular hash functions with a fixed-size result are obtained from a sponge mechanism by stopping the squeezing phase after obtaining the fixed number of bits).{{sfn \| Mittelbach \| Fischlin \| 2021 \| p=526}} The genesis of a XOF makes it [[Collision resistance\|collision]], [[Preimage resistance\|preimage]] and [[second preimage]] resistant. Technically, any XOF can be turned into a cryptographic hash by truncating the result to a fixed length (in practice, hashes and XOFs are defined differently for [[Domain separation (cryptography)\|___domain separation]]{{sfn\|Dworkin\|2014\|p=3}}). The examples of XOF include the algorithms from the [[Keccak]] family: [[SHAKE128]], [[SHAKE256]], and a variant with higher efficiency, [[KangarooTwelve]].{{sfn\|Peyrin\|Wang\|2020\|p=7}} XOFs are used as [[key derivation function]]s (KDFs), [[stream cipher]]s,{{sfn\|Peyrin\|Wang\|2020\|p=7}} [[mask generation function]]s.{{sfn\|Perlner\|2014\|p=4}} ==Related-output issues== By their nature, XOFs can produce related outputs (a longer result includes a shorter one as a prefix). The use of KDFs for key derivation can therefore cause related-output problems. As a "naïve" example, if the [[Triple DES]] keys are generated with a XOF, and there is a confusion in the implementation that causes some operations to be performed as 3TDEA (3x56 = 168-bit key), and some as 2TDEA (2x56 = 112 bit key), comparing the encryption results will lower the attack complexity to just 56 bits; similar problems can occur if hashes in the NIST [[SP 800-108]] are naïvely replaced by the KDFs.{{sfn\|Perlner\|2014\|p=5}} ==References== Line 6 ⟶ 13: ==Sources== * {{cite book \| ~~last~~last1=Mittelbach \| ~~first~~first1=Arno \| last2=Fischlin \| first2=Marc \| title=The Theory of Hash Functions and Random Oracles: An Approach to Modern Cryptography \| publisher=Springer International Publishing \| series=Information Security and Cryptography \| year=2021 \| chapter = Extendable Output Functions (XOFs) \| isbn=978-3-030-63287-8 \| chapter-url=https://books.google.com/books?id=Ly8WEAAAQBAJ&pg=PA526 \| access-date=2023-06-22}} * {{cite book \| ~~last~~last1=Peyrin \| ~~first~~first1=Thomas \| last2=Wang \| first2=Haoyang \| series=Lecture Notes in Computer Science \| volume=12172 \| pages=249–278 \| title=Advances in Cryptology – CRYPTO 2020 \| chapter=The MALICIOUS Framework: Embedding Backdoors into Tweakable Block Ciphers \| publisher=Springer International Publishing ~~\| publication-place=Cham~~ \| year=2020 \| isbn=978-3-030-56876-4 \| issn=0302-9743 \| doi=10.1007/978-3-030-56877-1_9 \| s2cid=221107066 \| chapter-url=https://eprint.iacr.org/2020/986.pdf}} * {{cite web \|last1=Perlner \|first1=Ray \|title=Extendable-Output Functions (XOFs) \|url=https://csrc.nist.gov/events/2014/sha-3-2014-workshop \|website=csrc.nist.gov \|publisher=[[NIST]] \|access-date=22 June 2023 \| date = August 22, 2014}} {{crypto-stub}}▼ * {{cite web \|last1=Dworkin \|first1=Morris \|title=Domain Extensions \|url=https://csrc.nist.gov/events/2014/sha-3-2014-workshop \|website=csrc.nist.gov \|publisher=[[NIST]] \|access-date=22 June 2023 \| date = August 22, 2014}} [[Category:Extendable-output functions]] ▲{{crypto-stub}}