SHAKE-128/256 or SHA3-256/512
Would it be better to use SHAKE-128/256 or SHA3-256/512? In what situation should I choose one over the other?
encryption sha-3
edited May 15 at 20:40
Maarten Bodewes♦
asked May 15 at 18:36
Alejandro Martinez
Thank you very much! It really helped!
– Alejandro Martinez
May 16 at 6:18
2 Answers
And in which case would it be more interesting to use one or another?
So SHA3-$n$ offers $n$ bits of security against preimage and second-preimage attacks and $n/2$ bits of security against collision attacks.
On the other side SHAKE-$n$ offers $n$ bits of security against preimage and second-preimage attacks and also $n$ bits of security against collision attacks (assuming the digest is at least $2n$ bits long). So when to use which?
- When you are forced to use "an approved hash function", you use SHA3, because SHAKE doesn't qualify.
- When you need a really long hash output (or an XOF in general), you use SHAKE.
- When you really need more than 256 bits of security against preimage or second-preimage attacks you use SHA3.
- When you want to be compatible with more other systems, you probably want to use SHA3.
- When speed matters to you (and you still want to use SHA3 / SHAKE) and you are happy with an all-around $n$-bit security level (for $n\in\{128,256\}$), you use SHAKE.
This last point follows from the fact that the higher preimage resistance in SHA3 is paid for with lower rate (=number of new bits processed per internal permutation invocation) which is usually higher in SHAKE than in SHA3 (SHAKE256 has the same as SHA3-256).
answered May 15 at 19:19
SEJPM♦
You should generally just use SHAKE128, but you should make sure that within your application, you don't use the SHAKE128 hash (to any length) of the same data for two different purposes. For example, prefix each message you hash with an unambiguous description of the purpose for which you are hashing it: $\operatorname{SHAKE128-256}(\text{‘file hash:’} \mathbin\| m)$ and $\operatorname{SHAKE128-512}(\text{‘username hash:’} \mathbin\| u)$.
The main reason for (e.g.) SHA3-256 and SHA3-512 is to provide a mindless upgrade path from SHA-256 and SHA-512 that won't hurt security in the event that you happened to use SHA-256 and SHA-512 hashes of the same string and assumed the hashes to be independent. In contrast, SHAKE128-256 is a prefix of SHAKE128-512 and therefore very much not independent.
Otherwise, SHA3-256 was overdesigned out of paranoia and political reasons—and SHA3-512 even moreso—and is consequently substantially more expensive than SHAKE128 for no meaningful improvement in security. SHAKE128 is conjectured to provide up to the standard 128-bit security level for preimage resistance and collision resistance against all adversaries, classical or quantum. Of course, for 128-bit preimage resistance you need to use at least a 128-bit output, and for 128-bit collision resistance you need to use at least a 256-bit output.
For an additional hedge against modest cryptanalytic advances, like for use with edwards448 instead of edwards25519, you might use SHAKE256.
answered May 16 at 4:10
Squeamish Ossifrage
Thank you very much, that really helped me a lot!
– Alejandro Martinez
May 16 at 6:14
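The prefix relationship and the purpose-prefix fix described in the second answer, together with the rate comparison from the first, shown as an added example that is not part of either answer. It uses Python's hashlib; the helper names, the sample input and the one-byte length prefix on the purpose label are assumptions of this example.

```python
import hashlib

KECCAK_WIDTH_BITS = 1600  # state size of Keccak-f[1600], per FIPS 202

# Capacity c in bits (FIPS 202): 2*n for SHA3-n, 2*s for SHAKE at level s.
CAPACITY_BITS = {"SHA3-256": 512, "SHA3-512": 1024,
                 "SHAKE128": 256, "SHAKE256": 512}


def rate_bits(name: str) -> int:
    """Message bits absorbed per permutation call: r = 1600 - c."""
    return KECCAK_WIDTH_BITS - CAPACITY_BITS[name]


def shake128_nested(data: bytes) -> bool:
    """True if the 256-bit SHAKE128 output is a prefix of the 512-bit one."""
    short = hashlib.shake_128(data).digest(32)
    return hashlib.shake_128(data).digest(64)[:32] == short


def sha3_nested(data: bytes) -> bool:
    """Same check for the fixed-length pair SHA3-256 / SHA3-512."""
    short = hashlib.sha3_256(data).digest()
    return hashlib.sha3_512(data).digest()[:32] == short


def shake128_for(purpose: bytes, data: bytes, out_len: int) -> bytes:
    """SHAKE128 of an unambiguous encoding of (purpose, data).

    Assumption of this example: the label gets a one-byte length prefix, so
    ("ab", "c") and ("a", "bc") can never encode to the same input string.
    """
    if not 0 < len(purpose) < 256:
        raise ValueError("purpose label must be 1..255 bytes")
    xof = hashlib.shake_128()
    xof.update(bytes([len(purpose)]) + purpose)
    xof.update(data)
    return xof.digest(out_len)


def separated_nested(data: bytes) -> bool:
    """Prefix check again, but with a distinct purpose label per use."""
    file_hash = shake128_for(b"file hash:", data, 32)
    user_hash = shake128_for(b"username hash:", data, 64)
    return user_hash[:32] == file_hash


if __name__ == "__main__":
    sample = b"alice"  # constructed sample input
    for name in CAPACITY_BITS:
        print(f"{name}: rate {rate_bits(name)} bits")
    print("SHAKE128-256 is a prefix of SHAKE128-512:", shake128_nested(sample))
    print("SHA3-256 is a prefix of SHA3-512:", sha3_nested(sample))
    print("still nested after purpose prefixes:", separated_nested(sample))
```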