What Is Domain Separation In Hashing? Meet cSHAKE

NIST held a competition for a hashing function to replace SHA-1 and SHA-2, and select Keccak as the winner. It has since been defined as…
Photo by Claudio Schwarz on Unsplash

What Is Domain Separation In Hashing? Meet cSHAKE

NIST held a competition for a hashing function to replace SHA-1 and SHA-2, and select Keccak as the winner. It has since been defined as SHA-3 within FIP 202. The following are test vectors for “abc” [Test vectors][Sample]:

SHA-3-224	e642824c3f8cf24a d09234ee7d3c766f c9a3a5168d0c94ad 73b46fdf
SHA-3-256	3a985da74fe225b2 045c172d6bd390bd 855f086e3e9d525b 46bfe24511431532
SHA-3-384	ec01498288516fc9 26459f58e2c6ad8d f9b473cb0fc08c25 96da7cf0e49be4b2 98d88cea927ac7f5 39f1edf228376d25
SHA-3-512	b751850b1a57168a 5693cd924b6b096e 08f621827444f70d 884f5d0240d2712e 10e116e9192af3c9 1a7ec57647e39340 57340b4cf408d5a5 6592f8274eec53f0

and for “” it is:

SHA-3-224	6b4e03423667dbb7 3b6e15454f0eb1ab d4597f9a1b078e3f 5b5a6bc7
SHA-3-256	a7ffc6f8bf1ed766 51c14756a061d662 f580ff4de43b49fa 82d80a4b80f8434a
SHA-3-384	0c63a75b845e4f7d 01107d852e4c2485 c51a50aaaa94fc61 995e71bbee983a2a c3713831264adb47 fb6bd1e058d5f004
SHA-3-512	a69f73cca23a9ac5 c8b567dc185a756e 97c982164fe25859 e0d1dcc1475c80a6 15b2123af1f5f94c 11e3e9402c3ac558 f500199d95b6d3e3 01758586281dcd26

The interesting thing about SHA-3 is that it stores a state value, and we can thus use it to synchronise messages (and where each side has the same state, given secret initialisation values). This state (S) is defined with a 5 × 5 array of w-bit words (with w=64). This gives b = 5 × 5 × w = 5 × 5 × 64 = 1600 bits total. So while SHA-3 is great for creating hash functions, we can extend it with SHAKE-128 (SHA and KEccak) and SHAKE-256 to give an output which has an arbitrary output length.

cSHAKE

Apart from creating a fixed length hash (such as with MD5, SHA-1 and SHA-256), FIPS 202 defines two XOF (eXtendable Output Functions): SHAKE128 and SHAKE256. These define a variable length output. The standard also defines domain separation between different functions — and which are known as cSHAKE [here]:

But, what’s domain separation? Well, it allows applications to use a different hashing function, and thus separate their usage. It can also be used as a salt value for a hash value. For example, we might have an email application and a digital signature application. For this, we could define two application domains as strings, such as “Email”, and “Digital Signature”. The SHAKE128 hash for a 32-byte output for the email application can then be:

hash = SHAKE128(msg,"Email","",32)

and for “Digital Signature”:

hash = SHAKE128(msg,"Digital Signature","",32)

The general format is:

hash = SHAKE128(data, S,N,size)

and where S is the customization string for each application, and N is a function level string. With the function-level string, we should only use strings defined by NIST, but where the customization string can be adopted by different applications.

The code to implement this is [here]:

A sample run is [here]:

To test, we can go to the NIST site for test vectors [here], and use an input of “0x00010203”, S as “Email Signature”, and N=””. This should give:

If we now try cSHAKE for hashes with S=”” and N=””, we can run a test for eight bytes [Test]:

Input word: hello123
Length (bytes): 8
-----SHAKE-----
Shake 128 bit:  1b85861510bc4d8e
Shake 256 bit:  ade612ba265f92de

But we can select for one byte [Test]:

Input word: hello123
Length (bytes): 1
— — -SHAKE — — -
Shake 128 bit: 1b
Shake 256 bit: ad

Or 32 bytes [Test]:

-----SHAKE-----
Shake 128 bit:  1b85861510bc4d8e467d6f8a92270533cbaa7ba5e06c2d2a502854bac468b8b9
Shake 256 bit:  ade612ba265f92de4a37db5e252906218b453f68b57479ef2ec41db0db6b1855

If we try our program from before and use S=”” and N=””, we get [here]:

The core advantages of the SHAKE method are:

  1. Signature message hashing. For this, we can produce a signed hash message with a defined key.
  2. Stream ciphers. We can create a stream cipher from the SHAKE output, and where we are not fixed with blocks.
  3. Key derivation. We can easily use the SHAKE method to produce an encryption key of a given length, from a defined passphrase.
  4. Easier instantiation of random oracles. With this, we can take a random seed value, and feed it into SHAKE, in order to produce a random oracle of a given length.

And with cSHAKE we can add an application string (or salt value, if required). An example of using this is within the STROBE protocol and which uses an application separation value (S) of “STROBEv1.0.2” and a NIST separation string (N) of “” as part of the initial initialisation of the protocol.

Conclusions

And, so, if you need signatures, stream ciphers, key derivation or random oracles, cSHAKE is an adaptable method to integrate into your code. The demo is here:

https://asecuritysite.com/hash/cs

and an application here:

IoT Goes to the Disco
What is one of the easiest roles in Cybersecurity? Ans: Making IoT security look bad.medium.com