Extendable-output function: Difference between revisions
Evgeny Kapun (talk | contribs) m Fixed domain separation link Tags: Reverted 2017 wikitext editor |
Undid revision 1199060251 by Evgeny Kapun (talk) fix turned a blue link into a red one, unfixing |
||
| Line 2: | Line 2: | ||
'''Extendable-output function''' ('''XOF''') is an extension{{sfn|Peyrin|Wang|2020|p=7}} of the [[cryptographic hash]] that allows its output to be arbitrarily long. In particular, the [[sponge construction]] makes any [[sponge hash]] a natural XOF: the squeeze operation can be repeated, and the regular hash functions with a fixed-size result are obtained from a sponge mechanism by stopping the squeezing phase after obtaining the fixed number of bits).{{sfn | Mittelbach | Fischlin | 2021 | p=526}} |
'''Extendable-output function''' ('''XOF''') is an extension{{sfn|Peyrin|Wang|2020|p=7}} of the [[cryptographic hash]] that allows its output to be arbitrarily long. In particular, the [[sponge construction]] makes any [[sponge hash]] a natural XOF: the squeeze operation can be repeated, and the regular hash functions with a fixed-size result are obtained from a sponge mechanism by stopping the squeezing phase after obtaining the fixed number of bits).{{sfn | Mittelbach | Fischlin | 2021 | p=526}} |
||
The genesis of a XOF makes it [[Collision resistance|collision]], [[Preimage resistance|preimage]] and [[second preimage]] resistant. Technically, any XOF can be turned into a cryptographic hash by truncating the result to a fixed length (in practice, hashes and XOFs are defined differently for [[domain separation]]{{sfn|Dworkin|2014|p=3}}). The examples of XOF include the algorithms from the [[Keccak]] family: [[SHAKE128]], [[SHAKE256]], and a variant with higher efficiency, [[KangarooTwelve]].{{sfn|Peyrin|Wang|2020|p=7}} |
The genesis of a XOF makes it [[Collision resistance|collision]], [[Preimage resistance|preimage]] and [[second preimage]] resistant. Technically, any XOF can be turned into a cryptographic hash by truncating the result to a fixed length (in practice, hashes and XOFs are defined differently for [[Domain separation (cryptography)|domain separation]]{{sfn|Dworkin|2014|p=3}}). The examples of XOF include the algorithms from the [[Keccak]] family: [[SHAKE128]], [[SHAKE256]], and a variant with higher efficiency, [[KangarooTwelve]].{{sfn|Peyrin|Wang|2020|p=7}} |
||
XOFs are used as [[key derivation function]]s (KDFs), [[stream cipher]]s,{{sfn|Peyrin|Wang|2020|p=7}} [[mask generation function]]s.{{sfn|Perlner|2014|p=4}} |
XOFs are used as [[key derivation function]]s (KDFs), [[stream cipher]]s,{{sfn|Peyrin|Wang|2020|p=7}} [[mask generation function]]s.{{sfn|Perlner|2014|p=4}} |
||
Revision as of 23:56, 25 January 2024
 | This article may be too technical for most readers to understand. (July 2023) |
Extendable-output function (XOF) is an extension[1] of the cryptographic hash that allows its output to be arbitrarily long. In particular, the sponge construction makes any sponge hash a natural XOF: the squeeze operation can be repeated, and the regular hash functions with a fixed-size result are obtained from a sponge mechanism by stopping the squeezing phase after obtaining the fixed number of bits).[2]
The genesis of a XOF makes it collision, preimage and second preimage resistant. Technically, any XOF can be turned into a cryptographic hash by truncating the result to a fixed length (in practice, hashes and XOFs are defined differently for domain separation[3]). The examples of XOF include the algorithms from the Keccak family: SHAKE128, SHAKE256, and a variant with higher efficiency, KangarooTwelve.[1]
XOFs are used as key derivation functions (KDFs), stream ciphers,[1] mask generation functions.[4]
Related-output issues
By their nature, XOFs can produce related outputs (a longer result includes a shorter one as a prefix). The use of KDFs for key derivation can therefore cause related-output problems. As a "naïve" example, if the Triple DES keys are generated with a XOF, and there is a confusion in the implementation that causes some operations to be performed as 3TDEA (3x56 = 168-bit key), and some as 2TDEA (2x56 = 112 bit key), comparing the encryption results will lower the attack complexity to just 56 bits; similar problems can occur if hashes in the NIST SP 800-108 are naïvely replaced by the KDFs.[5]
References
- ^ a b c Peyrin & Wang 2020, p. 7.
- ^ Mittelbach & Fischlin 2021, p. 526.
- ^ Dworkin 2014, p. 3.
- ^ Perlner 2014, p. 4.
- ^ Perlner 2014, p. 5.
Sources
- Mittelbach, Arno; Fischlin, Marc (2021). "Extendable Output Functions (XOFs)". The Theory of Hash Functions and Random Oracles: An Approach to Modern Cryptography. Information Security and Cryptography. Springer International Publishing. ISBN 978-3-030-63287-8. Retrieved 2023-06-22.
- Peyrin, Thomas; Wang, Haoyang (2020). "The MALICIOUS Framework: Embedding Backdoors into Tweakable Block Ciphers" (PDF). Advances in Cryptology – CRYPTO 2020. Lecture Notes in Computer Science. Vol. 12172. Springer International Publishing. pp. 249–278. doi:10.1007/978-3-030-56877-1_9. ISBN 978-3-030-56876-4. ISSN 0302-9743. S2CID 221107066.
- Perlner, Ray (August 22, 2014). "Extendable-Output Functions (XOFs)". csrc.nist.gov. NIST. Retrieved 22 June 2023.
- Dworkin, Morris (August 22, 2014). "Domain Extensions". csrc.nist.gov. NIST. Retrieved 22 June 2023.
 | This cryptography-related article is a stub. You can help Wikipedia by expanding it. |
 | This article needs additional or more specific categories. (June 2023) |