Questions tagged [xof]

An extendable-output function (XOF) is similar to a hash function, but uses the internal state to output a stream of bits instead of a fixed-length octet string.

An XOF is an extendable-output function. While a standard hash function uses its internal state to output a fixed-length bit or octet string, an XOF uses its internal state to output a stream of bits or octets whose length the caller chooses.

The first family of extendable-output functions to be standardized as such is SHAKE128 and SHAKE256, which are variants of Keccak and are defined in FIPS 202.

26 questions
Use case for extendable-output functions (XOF) such as SHAKE128/SHAKE256

FIPS 202 defines 2 functions, SHAKE128 and SHAKE256, as extendable-output functions (XOFs) that can have variable output length. But Appendix A.2 remarks: it is possible to use an XOF as a hash function by selecting a fixed output length.…
Hauleth
Functional difference between stream cipher, XOF, seed expander, KDF, etc

This question is a request for terminology clarification. In a canonical XOF interface, the output can be extended as much as needed, but does the input have to be variable-length, or can it be fixed-length in certain constructs? SHAKE{128|256} are the…
DannyNiu
What is an extendable output function?

The standardization of SHA-3 included the specification of two functions, SHAKE128 and SHAKE256. Both SHAKEs are referred to as extendable output functions, but what makes a function an extendable output function?
Melab
Will a SHAKE128 stream cipher be vulnerable to related key attacks?

Suppose that SHAKE is seeded with a key concatenated to an IV; will the 'key' stream produced by SHAKE128 be vulnerable to related-key attacks like RC4 is? My guess is no, because the seed is already "absorbed" before the key stream is "squeezed" out.
DannyNiu
XOFs suitable for 16-bit hardware

I'm working on a programming language that's intended to compile to retro hardware, and I want to add a PRNG to the specification. Ideally, this would be both standard (easy to find specifications for) and cryptographically secure. This won't be…
Draconis
FIPS 202/SHAKE: insecure 3DES key derivation example

I'm trying to understand the following passage from FIPS 202 (the SHA-3 standard), discussing the SHAKE functions' correlated outputs for different output lengths and the risks they induce in some protocols. The example they give is this (appendix…
Luis Casillas
Can MGF1 within OAEP and PSS be replaced by a XOF?

Do we still need MGF1, as used in the PKCS#1 v2.x specifications, for SHA-3 hash functions? MGF1 is currently used for OAEP and PSS as the Mask Generation Function. Now that the SHA-3 specification contains SHAKE128 and SHAKE256, could MGF1 be replaced? It…
Maarten Bodewes
Questions: Argon2, its internal state and security of it when generating keys larger than 256/512 bits

Let's suppose I want to use a cipher with a large key size, such as ISAAC, which supports 8192 bits of key. I can hash with SHA-256 or SHA-512 and iterate until it reaches the key size, but I won't get 8192 bits of security, as the internal state of this…
phantomcraft
Exact security requirements for extendable output functions (XOF)?

In the FIPS 202 document "SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions", an extendable-output function is defined as: An extendable-output function (XOF) is a function on bit strings (also called messages) in which the…
cryptobeginner
Number of rounds for constant header size in common hashes and XOFs

We compute hash $H(M_0\mathbin\|M_1)$ of size $d\ge1$ for some constant header $M_0$ of size $m_0$, and $\nu\ge1$ messages $M_1$ of random content and size $m_1$. For Merkle-Damgård hashes, a simple optimization pre-computes the first $\left\lfloor…
fgrieu
Why are XOFs more convenient than hash functions for modeling random oracles?

In this answer, it is mentioned that Easier instantiation of random oracles. Some security proofs rely on the so-called random oracle model to prove the security of a given scheme. Normally you'd use some artificial construction around a…
kelalaka
Is it possible to use an XOF as a CSRNG?

Let's say we "seed" an XOF (e.g. SHAKE256) with x cryptographically random bytes (enough that they can't be brute-forced); could said function be used as a cryptographically secure random generator? If so, when should the function be…
Are XOFs and KDFs more usable than DRBGs?

CSPRNGs have 2 design requirements: output unpredictability, back-tracing resistance. In addition to which, NIST SP 800-90Ar1 added other features such as a) instance customization/personalization, b) operation administration (reseeding counter,…
DannyNiu
Can any hash function based on the sponge construction work as extendable output function?

Keccak provides a sort of very useful XOF. Can other sponge-construction hash functions like Spongent work as XOFs? Is there any lightweight XOF for hardware or software implementation?
Zachary
Using NIST constructions based on Keccak like cSHAKE128 for other sponges

NIST defines a lot of interesting applications of sponges in FIPS 202 and NIST SP 800-185, like the XOF cSHAKE128 or the MAC scheme KMAC. All these schemes come with a security guarantee and are explicitly based on a sponge using Keccak as its…
mat