cSHAKE with Golang
An eXtendable-Output Function (XOF) produces a bit string that can be of any length. In fact, we can create an infinitely long bit string, if required. The main methods are SHAKE128, SHAKE256, BLAKE2XB and BLAKE2XS. With the SHA-3 hashing method, we have four different cryptographic hashing methods (SHA3-224, SHA3-256, SHA3-384, and SHA3-512) and two XOF functions (SHAKE128 and SHAKE256). With SHAKE128 and SHAKE256 we can integrate domain separation between different functions, and these variants are known as cSHAKE128 and cSHAKE256.
Outline
NIST held a competition for a hashing function to replace SHA-1 and SHA-2, and selected Keccak as the winner. It has since been defined as SHA-3 within FIPS 202. The following are test vectors for “abc” [Test vectors][Sample]:
SHA-3-224 e642824c3f8cf24a d09234ee7d3c766f c9a3a5168d0c94ad 73b46fdf
SHA-3-256 3a985da74fe225b2 045c172d6bd390bd 855f086e3e9d525b 46bfe24511431532
SHA-3-384 ec01498288516fc9 26459f58e2c6ad8d f9b473cb0fc08c25 96da7cf0e49be4b2 98d88cea927ac7f5 39f1edf228376d25
SHA-3-512 b751850b1a57168a 5693cd924b6b096e 08f621827444f70d 884f5d0240d2712e 10e116e9192af3c9 1a7ec57647e39340 57340b4cf408d5a5 6592f8274eec53f0
and for "" it is:
SHA-3-224 6b4e03423667dbb7 3b6e15454f0eb1ab d4597f9a1b078e3f 5b5a6bc7
SHA-3-256 a7ffc6f8bf1ed766 51c14756a061d662 f580ff4de43b49fa 82d80a4b80f8434a
SHA-3-384 0c63a75b845e4f7d 01107d852e4c2485 c51a50aaaa94fc61 995e71bbee983a2a c3713831264adb47 fb6bd1e058d5f004
SHA-3-512 a69f73cca23a9ac5 c8b567dc185a756e 97c982164fe25859 e0d1dcc1475c80a6 15b2123af1f5f94c 11e3e9402c3ac558 f500199d95b6d3e3 01758586281dcd26
The interesting thing about SHA-3 is that it stores a state value, and we can thus use it to synchronise messages (where each side has the same state, given secret initialisation values). This state (S) is defined as a 5 × 5 array of w-bit words (with w=64). This gives b = 5 × 5 × w = 5 × 5 × 64 = 1600 bits in total. So while SHA-3 is great for creating hash functions, we can extend it with SHAKE-128 (SHA and KEccak) and SHAKE-256 to give an output of arbitrary length.
cSHAKE
Apart from creating a fixed-length hash (such as with MD5, SHA-1 and SHA-256), FIPS 202 defines two XOFs (eXtendable-Output Functions): SHAKE128 and SHAKE256. These define a variable-length output. The standard also defines domain separation between different functions, and these are known as cSHAKE128 and cSHAKE256 [here].
But, what’s domain separation? Well, it allows applications to use a different hashing function, and thus separate their usage. It can also be used as a salt value for a hash value. For example, we might have an email application and a digital signature application. For this, we could define two application domains as strings, such as “Email”, and “Digital Signature”. The SHAKE128 hash for a 32-byte output for the email application can then be:
hash = SHAKE128(msg,"Email","",32)
and for “Digital Signature”:
hash = SHAKE128(msg,"Digital Signature","",32)
The general format is:
hash = SHAKE128(data, S,N,size)
where S is the customization string for each application, and N is a function-level string. For the function-level string, we should only use strings defined by NIST, whereas the customization string can be adopted by different applications.
The code to implement this is:
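```go
package main

import (
	"encoding/hex"
	"fmt"
	"os"
	"strconv"
	"strings"

	"golang.org/x/crypto/sha3"
)

func main() {
	// Defaults: data 0x00010203, S="Email Signature", N="", 32-byte output
	size := 32
	m := "0x00010203"
	s := "Email Signature"
	n := ""

	// Optional arguments: data, S (customization), N (function name), size in bytes
	argCount := len(os.Args[1:])
	if argCount > 0 {
		m = os.Args[1]
	}
	if argCount > 1 {
		s = os.Args[2]
	}
	if argCount > 2 {
		n = os.Args[3]
	}
	if argCount > 3 {
		v, err := strconv.Atoi(os.Args[4])
		if err != nil || v < 1 {
			fmt.Println("Size must be a positive integer")
			os.Exit(1)
		}
		size = v
	}

	out := make([]byte, size)
	msg := []byte(m)
	// A leading 0x marks the data as hex rather than text
	if strings.HasPrefix(m, "0x") {
		m = strings.TrimPrefix(m, "0x")
		decoded, err := hex.DecodeString(m)
		if err != nil {
			fmt.Printf("Invalid hex input: %v\n", err)
			os.Exit(1)
		}
		msg = decoded
		fmt.Printf("- Input value is in hex\n")
	}
	N := []byte(n)
	S := []byte(s)

	fmt.Printf("Data: [%s]\n", m)
	fmt.Printf("S: [%s]\n", s)
	fmt.Printf("N: [%s]\n", n)
	fmt.Printf("Size: %d\n", size)

	// cSHAKE128 with function name N and customization string S
	c1 := sha3.NewCShake128(N, S)
	c1.Write(msg)
	c1.Read(out)
	fmt.Printf("SHAKE128: %s\n", hex.EncodeToString(out))

	// cSHAKE256 with the same N and S
	c1 = sha3.NewCShake256(N, S)
	c1.Write(msg)
	c1.Read(out)
	fmt.Printf("SHAKE256: %s\n", hex.EncodeToString(out))
}
```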
A sample run is:
To test, we can go to the NIST site for test vectors [here], and use an input of “0x00010203”, S as “Email Signature”, and N=””. This should give:
If we now try cSHAKE for hashes with S=”” and N=””, we can run a test for eight bytes:
Input word: hello123
Length (bytes): 8
-----SHAKE-----
Shake 128 bit: 1b85861510bc4d8e
Shake 256 bit: ade612ba265f92de
But we can select for one byte [Test]:
Input word: hello123
Length (bytes): 1
-----SHAKE-----
Shake 128 bit: 1b
Shake 256 bit: ad
Or 32 bytes [Test]:
-----SHAKE-----
Shake 128 bit: 1b85861510bc4d8e467d6f8a92270533cbaa7ba5e06c2d2a502854bac468b8b9
Shake 256 bit: ade612ba265f92de4a37db5e252906218b453f68b57479ef2ec41db0db6b1855
If we try our program from before and use S="" and N="", we get:
The core advantages of the SHAKE method are:
- Signature message hashing. For this, we can produce a signed hash message with a defined key.
- Stream ciphers. We can create a stream cipher from the SHAKE output, and are not restricted to fixed-size blocks.
- Key derivation. We can easily use the SHAKE method to produce an encryption key of a given length, from a defined passphrase.
- Easier instantiation of random oracles. With this, we can take a random seed value, and feed it into SHAKE, in order to produce a random oracle of a given length.
And with cSHAKE we can add an application string (or salt value, if required). An example of this is the STROBE protocol, which uses an application separation value (S) of “STROBEv1.0.2” and a NIST separation string (N) of “” as part of the initialisation of the protocol.
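
The domain-separation and variable-length behaviour described above, as an added example that is not part of the original page. It assumes Go 1.24 or later and uses the standard-library crypto/sha3 rather than golang.org/x/crypto/sha3; DomainHash and NaivePrefixHash are hypothetical helper names. It goes slightly beyond the text by comparing the cSHAKE customization string with simply prepending the domain to the message.

```go
package main

import (
	"bytes"
	"crypto/sha3" // assumption: Go 1.24+ standard library, not golang.org/x/crypto/sha3
	"fmt"
)

// DomainHash (hypothetical helper) returns size bytes of cSHAKE128 over msg.
// N stays empty (reserved for NIST-defined functions); S is the application domain.
func DomainHash(domain string, msg []byte, size int) []byte {
	h := sha3.NewCSHAKE128(nil, []byte(domain))
	h.Write(msg)
	out := make([]byte, size)
	h.Read(out)
	return out
}

// NaivePrefixHash (hypothetical) is the ad-hoc alternative: SHAKE128(domain || msg).
// Nothing marks where domain ends, so different (domain, msg) splits can collide.
func NaivePrefixHash(domain string, msg []byte, size int) []byte {
	return sha3.SumSHAKE128(append([]byte(domain), msg...), size)
}

func main() {
	msg := []byte("hello123") // constructed sample input
	email := DomainHash("Email", msg, 32)
	sig := DomainHash("Digital Signature", msg, 32)
	fmt.Printf("Email:             %x\n", email)
	fmt.Printf("Digital Signature: %x\n", sig)

	// With N and S both empty, cSHAKE128 is defined to be plain SHAKE128.
	fmt.Println("empty S equals SHAKE128:",
		bytes.Equal(DomainHash("", msg, 32), sha3.SumSHAKE128(msg, 32)))

	// Output length is not domain-separated: 8 bytes is a prefix of 32 bytes.
	fmt.Println("8-byte output is a prefix:",
		bytes.Equal(DomainHash("Email", msg, 8), email[:8]))

	// cSHAKE length-encodes S, so shifting bytes between S and msg changes the hash.
	a, b := []byte("Signature"), []byte("nature")
	fmt.Println("naive collides: ",
		bytes.Equal(NaivePrefixHash("Email", a, 32), NaivePrefixHash("EmailSig", b, 32)))
	fmt.Println("cSHAKE collides:",
		bytes.Equal(DomainHash("Email", a, 32), DomainHash("EmailSig", b, 32)))
}
```

Because a shorter output is a prefix of a longer one, two uses that differ only in output size still share bytes; give them different S strings when that matters.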