SHAKE XOFs
Adam Petcher
adam.petcher at oracle.com
Wed Apr 11 15:29:03 UTC 2018
On 4/11/2018 5:37 AM, Bernd Eckenfels wrote:
> Hello,
>
> I noticed that the OASIS draft for extending PKCS#11 with SHA-3 also
> specifies new Mechanisms for SHAKE128/256. They introduce them as Key
> Derivation functions.
Interesting. Though to be pedantic, it looks like they introduce key
derivation mechanisms that are based on SHAKE128/256.
>
> I wonder if this would also be the way to introduce this into JCA, at
> the moment XOFs have been a non-goal of JEP287, but there is some use
> for them In modern protocols I would guess. (This request was inspired
> by a discussion on the bouncycastle crypto-dev mailing list about
> missing algorithms for it).
Continuing the pedantry, it would be reasonable to put these
SHAKE128/256-based-KDFs under the KDF API (once that API exists). But
the underlying SHAKE XOFs probably belong in a different API like
MessageDigest or a new API that is more appropriate for XOFs. I expect
that adding the XOFs to the API will be non-trivial because we don't
have an obviously good place to put them. I think it would be fine to
put them in MessageDigest, but we would need a way to specify the output
length.
We will need SHAKE256 for Ed448[1], but my initial thought was to do a
private implementation, because I don't know if these functions are
useful enough to justify the effort of the API design. Maybe we can make
an API for them as a separate effort.
It's also worth noting that the (bare) XOFs are not very good KDFs
because they allow key extraction through related output attacks.
[1] https://bugs.openjdk.java.net/browse/JDK-8187789
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mail.openjdk.org/pipermail/security-dev/attachments/20180411/d3f19e81/attachment.htm>
More information about the security-dev
mailing list