SHAKE-128/256 or SHA3-256/512
Would it be better to use SHAKE-128/256 or SHA3-256/512? In what situation should I choose one over the other?
encryption sha-3
edited May 15 at 20:40 by Maarten Bodewes♦
asked May 15 at 18:36 by Alejandro Martinez
Thank you very much! It really helped!
– Alejandro Martinez
May 16 at 6:18
2 Answers
And in which case would it be more interesting to use one or another?
So SHA3-$n$ offers $n$ bits of security against preimage and second-preimage attacks and $n/2$ bits of security against collision attacks.
On the other side SHAKE-$n$ offers at $n$ bits of security against preimage and second-preimage attacks and also $n$ bits of security against collision attacks (assuming the digest is at least $2n$ bits long). So when to use which?
- When you are forced to use "an approved hash function", you use SHA3, because SHAKE doesn't qualify.
- When you need a really long hash output (or an XOF in general), you use SHAKE.
- When you really need more than 256 bits of security against preimage or second-preimage attacks you use SHA3.
- When you want to be compatible with more other systems, you probably want to use SHA3.
- When speed matters to you (and you still want to use SHA3 / SHAKE) and you are happy with an all-around $n$-bit security level (for $n\in\{128,256\}$), you use SHAKE.
This last point follows from the fact that the higher preimage resistance in SHA3 is paid for with lower rate (=number of new bits processed per internal permutation invocation) which is usually higher in SHAKE than in SHA3 (SHAKE256 has the same as SHA3-256).
answered May 15 at 19:19
SEJPM♦
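The rate and security trade-off described in the answer above, worked through as an added example (not part of the original answer). The capacities and the generic bounds min(d, c/2) and min(d/2, c/2) are those of FIPS 202; the function names are hypothetical.

```python
import hashlib

STATE_BITS = 1600  # width of the Keccak-f[1600] permutation (FIPS 202)

# name -> (capacity c in bits, fixed digest bits or None for an XOF)
PARAMS = {
    "sha3_256": (512, 256),
    "sha3_512": (1024, 512),
    "shake_128": (256, None),
    "shake_256": (512, None),
}


def rate_bytes(name):
    """New message bytes absorbed per permutation call: (1600 - c) / 8."""
    capacity, _ = PARAMS[name]
    return (STATE_BITS - capacity) // 8


def generic_security(name, out_bits=None):
    """Return (preimage_bits, collision_bits) against generic attacks."""
    capacity, fixed = PARAMS[name]
    d = fixed if fixed is not None else out_bits
    if d is None:
        raise ValueError("an XOF needs an explicit output length")
    # Both bounds are capped by c/2; the digest length d caps them further.
    return min(d, capacity // 2), min(d // 2, capacity // 2)


def absorb_permutations(name, msg_len):
    """Permutation calls to absorb msg_len bytes (padding adds >= 1 byte)."""
    return msg_len // rate_bytes(name) + 1


def rate_matches_hashlib(name):
    """Cross-check the derived rate against hashlib's reported block size."""
    return hashlib.new(name).block_size == rate_bytes(name)


if __name__ == "__main__":
    one_mib = 1 << 20
    for name in PARAMS:
        # For the XOFs, request a digest twice as long as the target level.
        out_bits = 256 if name == "shake_128" else 512
        pre, col = generic_security(name, out_bits)
        print(f"{name:10s} rate={rate_bytes(name):3d} B "
              f"preimage={pre:3d} collision={col:3d} "
              f"permutations for 1 MiB={absorb_permutations(name, one_mib)}")
```
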
You should generally just use SHAKE128, but you should make sure that within your application, you don't use the SHAKE128 hash (to any length) of the same data for two different purposes. For example, prefix each message you hash with an unambiguous description of the purpose for which you are hashing it: $\operatorname{SHAKE128-256}(\text{‘file hash:’} \mathbin\| m)$ and $\operatorname{SHAKE128-512}(\text{‘username hash:’} \mathbin\| u)$.
The main reason for (e.g.) SHA3-256 and SHA3-512 is to provide a mindless upgrade path from SHA-256 and SHA-512 that won't hurt security in the event that you happened to use SHA-256 and SHA-512 hashes of the same string and assumed the hashes to be independent. In contrast, SHAKE128-256 is a prefix of SHAKE128-512 and therefore very much not independent.
Otherwise, SHA3-256 was overdesigned out of paranoia and political reasons—and SHA3-512 even moreso—and is consequently substantially more expensive than SHAKE128 for no meaningful improvement in security. SHAKE128 is conjectured to provide up to the standard 128-bit security level for preimage resistance and collision resistance against all adversaries, classical or quantum. Of course, for 128-bit preimage resistance you need to use at least a 128-bit output, and for 128-bit collision resistance you need to use at least a 256-bit output.
For an additional hedge against modest cryptanalytic advances, like for use with edwards448 instead of edwards25519, you might use SHAKE256.
answered May 16 at 4:10
Squeamish Ossifrage
Thank you very much, that really helped me a lot!
– Alejandro Martinez
May 16 at 6:14
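The prefix relation and the purpose-prefix advice from the answer above, as an added example (not part of the original answer). The helper names are hypothetical, and the one-byte length prefix on the label is an assumption chosen here as one way to make the encoding unambiguous.

```python
import hashlib


def shake128(data, out_len):
    """SHAKE128 of data, truncated to out_len bytes."""
    return hashlib.shake_128(data).digest(out_len)


def shake_outputs_are_prefix_related(data):
    """SHAKE128-256 is the first 32 bytes of SHAKE128-512 of the same input."""
    return shake128(data, 64)[:32] == shake128(data, 32)


def sha3_outputs_are_prefix_related(data):
    """SHA3-256 and SHA3-512 use different capacities, so no such relation."""
    return hashlib.sha3_512(data).digest()[:32] == hashlib.sha3_256(data).digest()


def naive_tagged(purpose, data, out_len):
    """Plain concatenation: the label/data boundary is ambiguous."""
    return shake128(purpose.encode("utf-8") + data, out_len)


def tagged_shake128(purpose, data, out_len):
    """Domain-separated SHAKE128 with a length-prefixed purpose label.

    The length byte (an assumption of this example) fixes where the label
    ends, so two different (purpose, data) pairs never encode to the same
    input string.
    """
    label = purpose.encode("utf-8")
    if len(label) > 255:
        raise ValueError("purpose label too long for a one-byte length")
    return shake128(bytes([len(label)]) + label + data, out_len)


if __name__ == "__main__":
    m = b"constructed sample input"
    print("SHAKE128 prefix-related:", shake_outputs_are_prefix_related(m))
    print("SHA3 prefix-related:    ", sha3_outputs_are_prefix_related(m))
    # Ambiguous boundary: both calls hash the bytes b"username:bob".
    print("naive labels collide:   ",
          naive_tagged("user", b"name:bob", 32)
          == naive_tagged("username:", b"bob", 32))
    print("tagged labels collide:  ",
          tagged_shake128("user", b"name:bob", 32)
          == tagged_shake128("username:", b"bob", 32))
```

Two calls with the same purpose label and different output lengths are still prefix-related, so the label has to identify the use, not just the data type.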