8

Looking into different papers and online documents, I find the following block sizes for SHA-3:

  • SHA3-224: 1152 Bit
  • SHA3-256: 1088 Bit
  • SHA3-384: 832 Bit
  • SHA3-512: 576 Bit

Somehow I am unable to find (calculate) these numbers from the specifications:

How are these block sizes calculated, respectively where exactly are they specified?

Dennis
  • 183
  • 1
  • 4

2 Answers2

9

First of all, in the case of SHA-3 we don't call it block size but bitrate.

SHA-3 has been formally defined in FIPS 202 and in its reference manual.

We define the sponge function denoted by $\operatorname{KECCAK}[r,c]$ by applying the sponge construction as specified in Algorithm 1 with $\operatorname{KECCAK-}\!f[r+c]$, multi-rate padding and the bitrate $r$. $$\operatorname{KECCAK}[r,c] = \operatorname{SPONGE}[\operatorname{KECCAK-}\!f[r + c], \mathrm{pad10^∗1}, r]$$

$c$ is the capacity, it defines the security level of the sponge.

The value $b = r + c$ is called the width of the state. It is either $25$, $50$, $100$, $200$, $400$, $800$ or $1600$.

In the scope of the SHA-3 contest, we proposed the largest permutation, namely $\operatorname{KECCAK-}\!f[1600]$.

So in our cases $b = 1600$.

The notation $\operatorname{SHA3-}\!x(M)$ produces a digest $x$ bits long and has a security claim $d = x$. Without going into details, $d$ can be seen as $c/2$ (see here and here, Chapter 7, page 71).

Therefore in:

  • $\operatorname{SHA3-224}(M)$, $c = 2\times224 = 448$ and $r = 1600 - c = 1152$
  • $\operatorname{SHA3-256}(M)$, $c = 2\times256 = 512$ and $r = 1600 - c = 1088$
  • $\operatorname{SHA3-384}(M)$, $c = 2\times384 = 768$ and $r = 1600 - c = 832$
  • $\operatorname{SHA3-512}(M)$, $c = 2\times512 = 1024$ and $r = 1600 - c = 576$

Hence:

  • $\operatorname{SHA3-224}(M) = \operatorname{KECCAK}[1152,448]$ with $\mathit{bitrate} = 1152$
  • $\operatorname{SHA3-256}(M) = \operatorname{KECCAK}[1088,512]$ with $\mathit{bitrate} = 1088$
  • $\operatorname{SHA3-384}(M) = \operatorname{KECCAK}[832,768]$ with $\mathit{bitrate} = 832$
  • $\operatorname{SHA3-512}(M) = \operatorname{KECCAK}[576,1024]$ with $\mathit{bitrate} = 576$

As the speed of the algorithm is directly related to $r$ (bit rate absorption), the higher the security, the slower the function will be.

Squeamish Ossifrage
  • 48,392
  • 3
  • 116
  • 223
Biv
  • 9,979
  • 2
  • 39
  • 67
  • 1
    The important take away note for me: b is always 1600 and KECCAK[r = 1600 − c, c], with c = 2 x d (with d = 224/256/384/512). – Dennis May 31 '17 at 09:02
0

b=1600 only in context of FIPS 202 and NIST SP 800-185.

On highly constrained devices we are considering b=400 and target strength of n=128 so:

c = 2*128 = 256 r = 400-c = 146

Robert Moskowitz
  • 1
  • 2
    "On highly constrained devices we are considering b=400 and target strength of n=128". 1. this is extremely subjective. 2. who are "we" ? The use of Keccak[400] is not really defined by any publication in NIST. More over If you want a good algorithm for such architecture you could also use Chaskey which performs way better... – Biv Sep 19 '17 at 16:36