SHAKE Stirs-up Crypto

SHAKE Stirs-up CryptoProf Bill Buchanan OBEBlockedUnblockFollowFollowingJun 12When I teach cryptography, I normally define the hashing methods (MD5, SHA-1, SHA-256, and so on), the symmetric key methods (AES, 3DES, ChaCha20, and so on), and asymmetric key methods (ECC, RSA, ElGamal, and so on).

And so I include SHA-3 as a hashing method, in the same old way I talk about MD5, SHA-1 and SHA-256.

We feed in some data, and out pops a fixed length hash signature.

But if you break SHA-3 away from its fixed length output you get an Extendable Output Function (XOF).

This now has the potential of producing an almost infinite sets of outputs, and where we could thus take a single byte and produce an output of a billion bytes, or even take a billion bytes of input and produce a single byte output.

In essence, it is a state generator, and where with given inputs we can reach a well-defined state.

We can expose the state to anyone, as they will not know the secrets that allow us to take us to the previous and the next state.

A Hash Function: SHA-3NIST held a competition for a hashing function to replace SHA-1 and SHA-2, and select Keccak as the winner.

It has since been defined as SHA-3.

The following are test vectors for “abc” [Test vectors][Sample]:SHA-3-224 e642824c3f8cf24a d09234ee7d3c766f c9a3a5168d0c94ad 73b46fdfSHA-3-256 3a985da74fe225b2 045c172d6bd390bd 855f086e3e9d525b 46bfe24511431532SHA-3-384 ec01498288516fc9 26459f58e2c6ad8d f9b473cb0fc08c25 96da7cf0e49be4b2 98d88cea927ac7f5 39f1edf228376d25SHA-3-512 b751850b1a57168a 5693cd924b6b096e 08f621827444f70d 884f5d0240d2712e 10e116e9192af3c9 1a7ec57647e39340 57340b4cf408d5a5 6592f8274eec53f0and for “” it is [Test]:SHA-3-224 6b4e03423667dbb7 3b6e15454f0eb1ab d4597f9a1b078e3f 5b5a6bc7SHA-3-256 a7ffc6f8bf1ed766 51c14756a061d662 f580ff4de43b49fa 82d80a4b80f8434aSHA-3-384 0c63a75b845e4f7d 01107d852e4c2485 c51a50aaaa94fc61 995e71bbee983a2a c3713831264adb47 fb6bd1e058d5f004SHA-3-512 a69f73cca23a9ac5 c8b567dc185a756e 97c982164fe25859 e0d1dcc1475c80a6 15b2123af1f5f94c 11e3e9402c3ac558 f500199d95b6d3e3 01758586281dcd26SHAKEThe interesting thing about SHA-3 is that is stores a state value, and we can thus use it to synchronise messages (and where each side has the same state, given secret initialisation values).

This state (S) is defined with a 5 × 5 array of w-bit words (with w=64).

This gives b = 5 × 5 × w = 5 × 5 × 64 = 1600 bits total.

So while SHA-3 is great for creating hash functions, we can extend it with SHAKE-128 (SHA and KEccak) and SHAKE-256 to give an output which has an arbitrary output length.

This extends the usage of the method towards symmetric key encryption (and where an input value and a salt gives us a given state value).

SHAKE is thus defined as extendable-output functions (XOFs).

The following is a test run for eight bytes [Test]:Input word: hello123Length (bytes): 8—–SHAKE—–Shake 128 bit: 1b85861510bc4d8eShake 256 bit: ade612ba265f92deBut we can select for one byte [Test]:Input word: hello123Length (bytes): 1— — -SHAKE — — -Shake 128 bit: 1bShake 256 bit: adOr 32 bytes [Test]:—–SHAKE—–Shake 128 bit: 1b85861510bc4d8e467d6f8a92270533cbaa7ba5e06c2d2a502854bac468b8b9Shake 256 bit: ade612ba265f92de4a37db5e252906218b453f68b57479ef2ec41db0db6b1855The following is an outline of the code:import sysimport hashlibimport sha3data=""size=16if (len(sys.

argv)>1): data=sys.

argv[1]if (len(sys.

argv)>2): size=int(sys.

argv[2])print 'Input word:',dataprint 'Length (bytes):',sizeprint '?.—–SHAKE—–.'s = sha3.


update(data)print 'Shake 128 bit: ',s.

hexdigest(size)s = sha3.


update(data)print 'Shake 256 bit: ',s.

hexdigest(size)The power of this is amazing.

We can now take a word of “hello”, and add a secret key of any length, and produce a permutation of the input.

We can thus vary the security level of the output dependent on our requirement.

If we have a limited processing device, we could use a 2 byte hash output (16-bit), but with a more powerful one we could generate a 32-byte output (256-bit).

The core advantages of the SHAKE method are:Signature message hashing.

For this we can produce a signed hash message with defined key.

Stream ciphers.

We can create a stream cipher from the SHAKE output, and where we are not fixed with blocks.

Key derivation.

We can easily use the SHAKE method to produce an encryption key of a given length, from a define passphrase.

Easier instantiation of random oracles.

With this we can take a random seed value, and feed it into SHAKE, in order to produce a random oracle of a given length.

There is even a customizable version for SHAKE (and named cSHAKE), and which takes a customization string:cSHAKE(custom_string=“MySalt”, input=“key || myMessage”)If you want to see how this is used, try here:IoT Goes to the DiscoWhat is one of the easiest roles in Cybersecurity.Ans: Making IoT security look bad.


comThe following is an outline of the code in Go [here]:package mainimport( "fmt" "golang.

org/x/crypto/sha3" "os" "strconv")func main(){ str1:="abc" length:=8 argCount := len(os.

Args[1:]) if (argCount>0) {str1 = string(os.

Args[1])} if (argCount>1) {length,_ = strconv.


Args[2])} buf := []byte(str1) h := make([]byte, length) sha3.

ShakeSum128(h, buf) fmt.

Printf("Shake 128: %x.", h) sha3.

ShakeSum256(h, buf) fmt.

Printf("Shake 256: %x.", h)}ConclusionsSHAKE and SHA-3 are defined as FIPS 202.

Note that SHAKE is not a good password hashing method, as it is extremely fast.

Improved methods are bcrypt and PBKDF2.

For IoT devices, SHAKE provides an excellent resource, as it can be applied into a light-weight cryptography environment, and is efficient with energy consumption, as does not require a large physical and logical footprint.

But SHAKE does so many other things, and it will increasingly be seen at the core of many security systems, and not just to produce hashes.


. More details

Leave a Reply