0

I am well aware that the general consensus is that a hashing algorithm with a security of 512 bits is unnecessary, but I'm just curious about how that would be implemented for Keccak despite that.

According to SHA-3 block sizes / bitrate calculation?, the bitrate of the algorithm would be calculated by 1600 - 2c = r. However, with C being 1024, one would get a negative value, which I assume would mean the algorithm will not work for that capacity.

Am I wrong in my assumption? Are there any workarounds that would allow for a capacity this high?

Again, this is just a theoretical question to sate my curiosity. I am well aware that such a level of security is considered unnecessary.

Squeamish Ossifrage
Lev Knoblock
  • The rate and capacity are independent, all you would do is truncate fewer total bits from the state. Having 16 lanes exposed might be an issue if you decided to play with fire and hash passwords with keccak. – Q-Club Mar 13 '18 at 05:36
  • @Q-Club so does that mean the bitrate is effectively arbitrary? Why is it calculated using the equations from the other question then? – Lev Knoblock Mar 13 '18 at 05:39
  • Whoops, I meant the digest length is independent of the rate and capacity. – Q-Club Mar 13 '18 at 05:49
  • Ah, thanks for pointing out the error in my question – Lev Knoblock Mar 13 '18 at 05:50
  • related https://crypto.stackexchange.com/questions/18695/does-sha-1024-hash-exist/18713#18713 – Richie Frame Mar 14 '18 at 12:27
  • Also related: you could use the SHAKE family of Keccak if you want 1024 bit output. It doesn't have 512 bits of security though (only 128/256). – Ruben De Smet Mar 14 '18 at 13:35
  • I'm just asking about whether the Keccak or SHAKE family can scale to 512 bits in their current form. – Lev Knoblock Mar 14 '18 at 13:41

1 Answer

2

The highest capacity possible is 1599, which means you repeat the permutation for every bit you enter into the state.

For a ‘512-bit security level’ (which is (completely meaningless)^2, since a 256-bit security level is already past the threshold of meaning), it suffices to choose capacity 1024 and digest length 1024 to thwart all generic classical and quantum attacks limited to $2^{512}$ cost.

The SHA-3 parameters for the fixed-length functions SHA3-256 etc. were overdesigned partly out of paranoia and partly for political reasons. The XOFs SHAKE128 and SHAKE256 were more reasonably designed to give a 128- or 256-bit security level, respectively, assuming adequate output length; if ‘SHAKE512’ existed it would use capacity 1024.

Squeamish Ossifrage