SHA3-256 vs SHAKE256_256 in XMSS and SPHINCS

Question

By SHAKE256_256, I mean taking first 256 bits of the output of SHAKE256

i.e. SHAKE256_256(M) = SHAKE256(M,256)

What is the motivation of choosing SHAKE256_256 instead of SHA3-256 in XMSS and SPHINCS. Are there any advantages of SHAKE256_256 over SHA3-256.

As far as I know, they both have 24 rounds keccak with instantiations

SHA3-256(M)      = Keccak[512](M || 01, 256)
SHAKE256(M, 256) = Keccak[512](M || 1111, 256)

Why is SHA3-256 avoided in hash based signatures?

Maybe they consider that in the future one may use longer output. While there is SHAKE why chose SHA-3? See also this Q/A SHAKE-128/256 or SHA3-256/512 — kelalaka, Nov 09 '23 at 11:05
Not an answer, but I've seen some preference to use SHAKE for everything in the crypto community, thinking that SHA-3 is kinda useless if you can configure SHAKE for the correct output size anyway. SHA-3 is then basically used for backwards compatibility with SHA-2 where you cannot configure the output size. — Maarten Bodewes, Nov 09 '23 at 13:00
Backing up @MaartenBodewes' comment, have a look at Proposals for Standardization of the Ascon Family. SHA-3 has seen far less use than SHAKE, and XOFs are just more useful constructions. — samuel-lucas6, Nov 09 '23 at 17:22

score 7 · Answer 1 · answered Nov 09 '23 at 14:32

What is the motivation of choosing SHAKE256_256 instead of SHA3-256 in XMSS and SPHINCS.

For Sphincs+ (SLH-DSA), sometimes there is a need to generate more than 256 bits from a single hash operation; specifically, when we hash the message into a series of FORS leaves, the Merkle leaf and the Merkle tree.

If we were to use SHA3-256, they would need to be a way to generate those additional bits (which we could do - they do it for SHA-2). On the other hand, SHAKE makes it much cleaner (we just squeeze out as many bits as needed), so they went with that.

And, since they're using SHAKE there, there's no reason not to use SHAKE everywhere.

SHA3-256 vs SHAKE256_256 in XMSS and SPHINCS

1 Answers1