Team Keccak

Guido Bertoni³, Joan Daemen², Seth Hoffert, Michaël Peeters¹, Gilles Van Assche¹ and Ronny Van Keer¹
¹STMicroelectronics - ²Radboud University - ³Security Pattern

2 October 2013

A concrete proposal

This article is a copy of a message we posted on the NIST hash-forum mailing list on September 30, 2013.

SUMMARY: In the SHA-3 standard, we propose to set the capacity of all four SHA-2 drop-in replacements to 512 bits, and to make SHAKE256 and SHAKE512 the primary choice.

Technically, we think that NIST's current proposal is fine. As said in our previous post, we have proposed to reduce the capacities of the SHA-3 hash functions at numerous occasions, including during our last visit to NIST in February. Nevertheless, in the light of the current discussions and to improve public acceptance, we think it would be indeed better to change plans. For us, the best option would be the following (taking inspiration from different other proposals).

Set the capacity of the SHA-2 drop-in replacements (i.e., SHA3-224 to SHA3-512) to c=512. This guarantees the same claimed security properties as for the corresponding SHA-2 instances up to the 256-bit security level. (In particular, the pre-image resistance of SHA3-256 would be raised to 256 bits.)
Keep the SHAKEs as they are (i.e., SHAKE256 with c=256 and SHAKE512 with c=512) and make them the primary choice for new applications of hash functions, for replacing mask generating functions (MGFs) and for those who wish to follow the security strength levels approach of [NIST SP 800-57].

For the SHAKEs, we think it would be good to include in the standard a short procedure for replacing a hash function or MGF based on SHA-1 or SHA-2. For instance, if there is only one to be replaced, here is a sketch.

Choose between SHAKE256 and SHAKE512. If the user can determine the required security level and it is 128 bits or smaller, choose SHAKE256. Otherwise (or if unsure), choose SHAKE512.
Let the output length be determined by the application.

We have seen proposals for keeping instances with c=1024 in SHA-3. We think that claiming or relying on security strength levels above 256 bits is meaningless and that c=1024 would induce a significant performance loss, which should be avoided.

This proposal means that SHA-3 standard will offer drop-in primitives with the same security level as SHA-2 (modulo the comment on c=1024), but also gives protocol and product designers the possibility to use SHAKE256, which is more efficient and is in practice not less secure than SHAKE512 or the drop-ins.