In the sponge construction for hash functions, including SHA3 and SHAKE, its used a permutation $$f:\{0,1\}^r\times\{0,1\}^c\to\{0,1\}^r\times\{0,1\}^c\\ \;\quad(R,C)\quad\quad\mapsto\quad\;(R',C')$$ where $r$ is the rate, $c$ is the capacity (with $r+c=1600$ in SHA3 and SHAKE). Function $f$ is iterated with a $r$-bit (padded) message block XORed with $R$. The hash is the first $d$ bits of $R'$ at the last output of $f$ assuming $d\le r$ (for eXtendable Output Functions, it's performed $\lceil d/r\rceil-1$ extra iterations of $f$, and the output is the first $d$ bits of the concatenation of the $R'$ in the last $\lceil d/r\rceil$ iterations of $f$).
In SHA3 with $d$-bit output, it's used $c=2d$. There was some back an forth on that, and by this account, the rationale for $c=2d$ was having $d$ bits of preimage resistance.
| Function | $d$ | $r$ | $c$ | Collision resistance* | Preimage resistance* |
|---|---|---|---|---|---|
| $\operatorname{SHA3-224}$ | $224$ | $1152$ | $ 448$ | $112$ | $224$ |
| $\operatorname{SHA3-256}$ | $256$ | $1088$ | $ 512$ | $128$ | $256$ |
| $\operatorname{SHA3-384}$ | $384$ | $ 832$ | $ 768$ | $192$ | $384$ |
| $\operatorname{SHA3-512}$ | $512$ | $ 576$ | $1024$ | $256$ | $512$ |
| $\operatorname{SHAKE128}$ | $ d$ | $1344$ | $ 256$ | $\min(d/2,128)$ | $\min(d,128)$ |
| $\operatorname{SHAKE256}$ | $ d$ | $1088$ | $ 512$ | $\min(d/2,256)$ | $\min(d,256)$ |
* Stated design goal
- How is the stated preimage resistance above justified (against classical computers, under an ideal permutation model for $f$) ?
- Could we obtain the stated assurances with a lower $c$ (thus a faster processing of large messages), in particular in light of Charlotte Lefevre & Bart Mennink's Tight Preimage Resistance of the Sponge Construction, in proceedings of Crypto 2022 and ePrint.
