SHAKE Stirs-up Crypto

When I teach cryptography, I normally define the hashing methods (MD5, SHA-1, SHA-256, and so on), the symmetric key methods (AES, 3DES…
Photo by Markus Spiske on Unsplash

SHAKE Stirs-up Crypto

When I teach cryptography, I normally define the hashing methods (MD5, SHA-1, SHA-256, and so on), the symmetric key methods (AES, 3DES, ChaCha20, and so on), and asymmetric key methods (ECC, RSA, ElGamal, and so on). And so I include SHA-3 as a hashing method, in the same old way I talk about MD5, SHA-1 and SHA-256. We feed in some data, and out pops a fixed-length hash signature.

But if you break SHA-3 away from its fixed-length output you get an Extendable Output Function (XOF). This now has the potential of producing an almost infinite set of outputs, and where we could thus take a single byte and produce an output of a billion bytes, or even take a billion bytes of input and produce a single byte output. In essence, it is a state generator, and with given inputs, we can reach a well-defined state. We can expose the state to anyone, as they will not know the secrets that allow us to take us to the previous and the next state.

A Hash Function: SHA-3

NIST held a competition for a hashing function to replace SHA-1 and SHA-2, and select Keccak as the winner. It has since been defined as SHA-3. The following are test vectors for “abc” [Test vectors][Sample]:

SHA-3-224	e642824c3f8cf24a d09234ee7d3c766f c9a3a5168d0c94ad 73b46fdf
SHA-3-256	3a985da74fe225b2 045c172d6bd390bd 855f086e3e9d525b 46bfe24511431532
SHA-3-384	ec01498288516fc9 26459f58e2c6ad8d f9b473cb0fc08c25 96da7cf0e49be4b2 98d88cea927ac7f5 39f1edf228376d25
SHA-3-512	b751850b1a57168a 5693cd924b6b096e 08f621827444f70d 884f5d0240d2712e 10e116e9192af3c9 1a7ec57647e39340 57340b4cf408d5a5 6592f8274eec53f0

and for “” it is [Test]:

SHA-3-224	6b4e03423667dbb7 3b6e15454f0eb1ab d4597f9a1b078e3f 5b5a6bc7
SHA-3-256	a7ffc6f8bf1ed766 51c14756a061d662 f580ff4de43b49fa 82d80a4b80f8434a
SHA-3-384	0c63a75b845e4f7d 01107d852e4c2485 c51a50aaaa94fc61 995e71bbee983a2a c3713831264adb47 fb6bd1e058d5f004
SHA-3-512	a69f73cca23a9ac5 c8b567dc185a756e 97c982164fe25859 e0d1dcc1475c80a6 15b2123af1f5f94c 11e3e9402c3ac558 f500199d95b6d3e3 01758586281dcd26

SHAKE

The interesting thing about SHA-3 is that is stores a state value, and we can thus use it to synchronise messages (and where each side has the same state, given secret initialisation values). This state (S) is defined with a 5 × 5 array of w-bit words (with w=64). This gives b = 5 × 5 × w = 5 × 5 × 64 = 1600 bits total. So while SHA-3 is great for creating hash functions, we can extend it with SHAKE-128 (SHA and KEccak) and SHAKE-256 to give an output which has an arbitrary output length.

This extends the usage of the method towards symmetric key encryption (and where an input value and a salt, gives us a given state value). SHAKE is thus defined as extendable-output functions (XOFs).

The following is a test run for eight bytes [Test]:

Input word: hello123
Length (bytes): 8
-----SHAKE-----
Shake 128 bit:  1b85861510bc4d8e
Shake 256 bit:  ade612ba265f92de

But we can select for one byte [Test]:

Input word: hello123
Length (bytes): 1
— — -SHAKE — — -
Shake 128 bit: 1b
Shake 256 bit: ad

Or 32 bytes [Test]:

-----SHAKE-----
Shake 128 bit:  1b85861510bc4d8e467d6f8a92270533cbaa7ba5e06c2d2a502854bac468b8b9
Shake 256 bit:  ade612ba265f92de4a37db5e252906218b453f68b57479ef2ec41db0db6b1855

The following is an outline of the code:

The power of this is amazing. We can now take a word of “hello”, and add a secret key of any length, and produce a permutation of the input. We can thus vary the security level of the output dependent on our requirement. If we have a limited processing device, we could use a 2-byte hash output (16-bit), but with a more powerful one, we could generate a 32-byte output (256-bit).

The core advantages of the SHAKE method are:

  1. Signature message hashing. For this, we can produce a signed hash message with a defined key.
  2. Stream ciphers. We can create a stream cipher from the SHAKE output, and where we are not fixed with blocks.
  3. Key derivation. We can easily use the SHAKE method to produce an encryption key of a given length, from a define passphrase.
  4. Easier instantiation of random oracles. With this, we can take a random seed value, and feed it into SHAKE, in order to produce a random oracle of a given length.

There is even a customizable version for SHAKE (and named cSHAKE), and which takes a customization string:

cSHAKE(custom_string=“MySalt”, input=“key || myMessage”)

If you want to see how this is used, try here:

IoT Goes to the Disco
What is one of the easiest roles in Cybersecurity? Ans: Making IoT security look bad.medium.com

The following is an outline of the code in Go [here]:

Conclusions

SHAKE and SHA-3 are defined as FIPS 202. Note that SHAKE is not a good password hashing method, as it is extremely fast. Improved methods are Bcrypt and PBKDF2. For IoT devices, SHAKE provides an excellent resource, as it can be applied into a light-weight cryptography environment, and is efficient with energy consumption, as does not require a large physical and logical footprint. But SHAKE does so many other things, and it will increasingly be seen at the core of many security systems, and not just to produce hashes.