SHAKE XOFs

Adam Petcher adam.petcher at oracle.com
Wed Apr 11 15:29:03 UTC 2018


On 4/11/2018 5:37 AM, Bernd Eckenfels wrote:

> Hello,
>
> I noticed that the OASIS draft for extending PKCS#11 with SHA-3 also 
> specifies new Mechanisms for SHAKE128/256. They introduce them as Key 
> Derivation functions.

Interesting. Though to be pedantic, it looks like they introduce key 
derivation mechanisms that are based on SHAKE128/256.

>
> I wonder if this would also be the way to introduce this into JCA, at 
> the moment XOFs have been a non-goal of JEP287, but there is some use 
> for them In modern protocols I would guess. (This request was inspired 
> by a discussion  on the bouncycastle crypto-dev mailing list about 
> missing algorithms for it).

Continuing the pedantry, it would be reasonable to put these 
SHAKE128/256-based-KDFs under the KDF API (once that API exists). But 
the underlying SHAKE XOFs probably belong in a different API like 
MessageDigest or a new API that is more appropriate for XOFs. I expect 
that adding the XOFs to the API will be non-trivial because we don't 
have an obviously good place to put them. I think it would be fine to 
put them in MessageDigest, but we would need a way to specify the output 
length.

We will need SHAKE256 for Ed448[1], but my initial thought was to do a 
private implementation, because I don't know if these functions are 
useful enough to justify the effort of the API design. Maybe we can make 
an API for them as a separate effort.

It's also worth noting that the (bare) XOFs are not very good KDFs 
because they allow key extraction through related output attacks.

[1] https://bugs.openjdk.java.net/browse/JDK-8187789
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.openjdk.java.net/pipermail/security-dev/attachments/20180411/d3f19e81/attachment.html>


More information about the security-dev mailing list