On 4/11/2018 5:37 AM, Bernd Eckenfels wrote:


I noticed that the OASIS draft for extending PKCS#11 with SHA-3 also specifies new Mechanisms for SHAKE128/256. They introduce them as Key Derivation functions.

Interesting. Though to be pedantic, it looks like they introduce key derivation mechanisms that are based on SHAKE128/256.

I wonder if this would also be the way to introduce this into JCA, at the moment XOFs have been a non-goal of JEP287, but there is some use for them In modern protocols I would guess. (This request was inspired by a discussion  on the bouncycastle crypto-dev mailing list about missing algorithms for it).

Continuing the pedantry, it would be reasonable to put these SHAKE128/256-based-KDFs under the KDF API (once that API exists). But the underlying SHAKE XOFs probably belong in a different API like MessageDigest or a new API that is more appropriate for XOFs. I expect that adding the XOFs to the API will be non-trivial because we don't have an obviously good place to put them. I think it would be fine to put them in MessageDigest, but we would need a way to specify the output length.

We will need SHAKE256 for Ed448[1], but my initial thought was to do a private implementation, because I don't know if these functions are useful enough to justify the effort of the API design. Maybe we can make an API for them as a separate effort.

It's also worth noting that the (bare) XOFs are not very good KDFs because they allow key extraction through related output attacks.

[1] https://bugs.openjdk.java.net/browse/JDK-8187789
  • SHAKE XOFs Bernd Eckenfels
    • Re: SHAKE XOFs Adam Petcher

Reply via email to