is SHAKE ready to bake? (java provider)


is SHAKE ready to bake? (java provider)

Joseph Gleason ⑈
It seems like SHAKE just needs a small change to turn on SHAKE128 and 256.

Patch here:

Is there any reason this isn't done?  My only guess is that someone wanted to think about how to make available the flexible output side allowed by the SHAKE variant:

"The reduced-capacity forms were published as SHAKE128 and SHAKE256, where the number indicates the security level and the number of bits of output is variable, but should be twice as large as the required collision resistance."

If that is the case, I'm not sure how to enable that.  I suspect it has something to do with the squeezing variable in KeccakDigest.java but it isn't clear to me if that is currently usable.


Re: is SHAKE ready to bake? (java provider)

David Hook-3

It's a bit of a funny one... they're not actually approved hash functions, so it's not really correct to use MessageDigest - they're XOFs.

Oracle will really need to specify a new API for these to provide them at the JCA level - they don't seem to have done so yet (mind you, I could have easily missed it if they did recently, so feel free to correct me).

Regards,

David

On 07/04/18 04:40, Joseph Gleason ⑈ wrote:
It seems like SHAKE just needs a small change to turn on SHAKE128 and 256.

Patch here:

Is there any reason this isn't done?  My only guess is that someone wanted to think about how to make available the flexible output side allowed by the SHAKE variant:

"The reduced-capacity forms were published as SHAKE128 and SHAKE256, where the number indicates the security level and the number of bits of output is variable, but should be twice as large as the required collision resistance."

If that is the case, I'm not sure how to enable that.  I suspect it has something to do with the squeezing variable in KeccakDigest.java but it isn't clear to me if that is currently usable.

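An added example (not from this thread and not Bouncy Castle's own code) showing the XOF behaviour David describes, using Bouncy Castle's lightweight API where SHAKE is exposed through the Xof interface rather than as a JCA MessageDigest; it assumes bcprov is on the classpath and uses a constructed sample message.

```java
// Added example, not from the thread: SHAKE as an XOF in Bouncy Castle's lightweight API.
import org.bouncycastle.crypto.digests.SHAKEDigest;
import org.bouncycastle.util.encoders.Hex;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

public class ShakeXofDemo {

    // Squeeze exactly outLen bytes of SHAKE-<bits> output (bits is 128 or 256).
    static byte[] shake(int bits, byte[] msg, int outLen) {
        SHAKEDigest xof = new SHAKEDigest(bits);
        xof.update(msg, 0, msg.length);
        byte[] out = new byte[outLen];
        xof.doFinal(out, 0, outLen);   // caller picks the length; no fixed digest size
        return out;
    }

    // Minimum output length in bytes for a collision-resistance target, per the
    // rule quoted in the thread: output bits should be twice the collision bits.
    static int minOutputBytes(int collisionBits) {
        return 2 * collisionBits / 8;
    }

    public static void main(String[] args) {
        byte[] msg = "constructed sample input".getBytes(StandardCharsets.UTF_8); // constructed

        // XOF property: a shorter squeeze is a prefix of a longer one for the same input.
        byte[] short32 = shake(128, msg, 32);
        byte[] long64 = shake(128, msg, 64);
        System.out.println("32-byte output is prefix of 64-byte output: "
                + Arrays.equals(short32, Arrays.copyOf(long64, 32)));

        // Why MessageDigest is a poor fit: getDigestSize() reports one fixed size,
        // while the real output length is whatever the caller asks for.
        System.out.println("SHAKE128 getDigestSize(): " + new SHAKEDigest(128).getDigestSize());

        // Output can also be squeezed incrementally with doOutput(); two 16-byte
        // squeezes equal the first 32 bytes of a single doFinal() call.
        SHAKEDigest xof = new SHAKEDigest(256);
        xof.update(msg, 0, msg.length);
        byte[] joined = new byte[32];
        xof.doOutput(joined, 0, 16);
        xof.doOutput(joined, 16, 16);
        System.out.println("incremental squeeze matches: "
                + Arrays.equals(joined, shake(256, msg, 32)));

        System.out.println("128-bit collision resistance needs >= "
                + minOutputBytes(128) + " output bytes");
        System.out.println("SHAKE256, 64 bytes: " + Hex.toHexString(shake(256, msg, 64)));
    }
}
```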


RE: is SHAKE ready to bake? (java provider)

Eckenfels. Bernd

Hello,

I would agree, the non-goals of the JEP still apply (and XOF did not yet show up as a new mechanism): http://openjdk.java.net/jeps/287

PKCS#11 drafts SHA3 Hashes. They also suggest to implement SHAKE as a KDF, I think this could be the way to go for JCA as well.

I think it's good to bring that topic up on OpenJDK security-dev (I tried to bring it up in the past: https://www.mail-archive.com/search?l=security-dev@...&q=subject:%22JEP+287%5C%3A+SHA%5C-3+Hash+Algorithms%22&o=newest&f=1), but I suspect it will happen when OASIS releases a new PKCS#11 version.

Gruss
Bernd
--
http://www.seeburger.com
________________________________________
From: David Hook [[hidden email]]
Sent: Wednesday, April 11, 2018 10:59
To: [hidden email]
Subject: Re: [dev-crypto] is SHAKE ready to bake? (java provider)

It's a bit of a funny one... they're not actually approved hash functions, so it's not really correct to use MessageDigest - they're XOFs.

Oracle will really need to specify a new API for these to provide them at the JCA level - they don't seem to have done so yet (mind you, I could have easily missed it if they did recently, so feel free to correct me).

Regards,

David

On 07/04/18 04:40, Joseph Gleason ⑈ wrote:
It seems like SHAKE just needs a small change to turn on SHAKE128 and 256.

Patch here:
https://hastebin.com/uzadujayex.java

Is there any reason this isn't done?  My only guess is that someone wanted to think about how to make available the flexible output side allowed by the SHAKE variant:

"The reduced-capacity forms were published as SHAKE128 and SHAKE256, where the number indicates the security level and the number of bits of output is variable, but should be twice as large as the required collision resistance."
-- https://en.wikipedia.org/wiki/SHA-3

If that is the case, I'm not sure how to enable that.  I suspect it has something to do with the squeezing variable in KeccakDigest.java but it isn't clear to me if that is currently usable.
