15

Keccak is the winner of the SHA3 competition. Since Keccak is highly customizable (presumably for security/memory/time/speed tradeoffs) there does seem to be some controversy around how Keccak compares to SHA2. SHAKE appears to be a set of parameters to reduce friction in the drop-in replacement of SHA2.

How does Keccak/SHAKE compare to SHA2 in terms of:

  • bits of security
  • bit pre-image resistance
  • second pre-image resistance
  • the statement "security strength levels above 256 bits is meaningless."
  • "SHA-3 is less appropriate for use as a PRF for pbkdf2 than SHA-2"
  • Any other criteria worthy of comparison

Given that this is a very complex topic, and Keccak having many permutations, I think it's possible the SHAKE simplification may have removed some flexibility, security, and performance from certain scenarios...

That being said, what scenarios are worth diverging from the SHAKE standard and using Keccak directly (for lack of a better analogy)?

makerofthings7

2 Answers

2

NIST has an excellent document detailing the reasons behind why they wanted to create SHA-3 and shortcomings in SHA-2 which seems to address many of your questions. Specifically this document covers both the design challenges and how Keccak addresses these.

http://csrc.nist.gov/groups/ST/hash/sha-3/documents/burr_dimacs2013_presentation.pdf

Trey Blalock
1

I think one of the main benefits of using "sponge functions" is their continuous input. In sponge functions, you don't feed the input as blocks of bits, but one-by-one. This renders SHA3 quite distinct from SHA2 and makes comparison quite obsolete.

Also, after each bit, Keccak runs some kind of permutation within the sponge function. However, it must run so many permutations by design. The sponge functions must soak in the bits one by one, then after some point, emit them one by one.

MTSan
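The sponge construction discussed on this page, as an added example that is not part of the original posts: a from-scratch Keccak sponge in Python, parameterized by rate and domain suffix, and checked against `hashlib` for SHAKE128, SHAKE256 and SHA3-256. The names `sponge`, `keccak_f1600` and `matches_hashlib` belong to this example; the capacity (1600 bits minus the rate) is the parameter that sets the security level, which is why SHAKE128 and SHAKE256 differ only in rate.

```python
import hashlib

MASK = (1 << 64) - 1

def rol(v, n):  # rotate a 64-bit lane left by n (0 < n < 64)
    return ((v << n) | (v >> (64 - n))) & MASK

def keccak_f1600(state):
    """Keccak-f[1600]: 24 rounds over 25 little-endian 64-bit lanes."""
    A = [int.from_bytes(state[8*i:8*i+8], "little") for i in range(25)]
    R = 1
    for _ in range(24):
        C = [A[x] ^ A[x+5] ^ A[x+10] ^ A[x+15] ^ A[x+20] for x in range(5)]  # theta
        D = [C[(x+4) % 5] ^ rol(C[(x+1) % 5], 1) for x in range(5)]
        A = [A[i] ^ D[i % 5] for i in range(25)]
        x, y, cur = 1, 0, A[1]                                               # rho, pi
        for t in range(24):
            x, y = y, (2*x + 3*y) % 5
            cur, A[x + 5*y] = A[x + 5*y], rol(cur, (t+1)*(t+2)//2 % 64)
        A = [A[i] ^ (~A[(i+1) % 5 + i//5*5] & A[(i+2) % 5 + i//5*5]) for i in range(25)]  # chi
        for j in range(7):                                                   # iota
            R = ((R << 1) ^ ((R >> 7) * 0x71)) % 256
            if R & 2:
                A[0] ^= 1 << ((1 << j) - 1)
    return bytearray(b"".join(a.to_bytes(8, "little") for a in A))

def sponge(msg, rate, suffix, outlen):
    """rate in bytes (capacity = 1600 - 8*rate bits); suffix = domain bits + first pad bit."""
    padded = bytearray(msg) + bytes([suffix])
    padded += bytes(-len(padded) % rate)
    padded[-1] ^= 0x80                       # final bit of pad10*1
    state = bytearray(200)
    for off in range(0, len(padded), rate):  # absorb one rate-sized block per permutation
        for i in range(rate):
            state[i] ^= padded[off + i]
        state = keccak_f1600(state)
    out = bytes(state[:rate])
    while len(out) < outlen:                 # squeeze rate bytes per permutation
        state = keccak_f1600(state)
        out += state[:rate]
    return out[:outlen]

def matches_hashlib():
    """Compare against hashlib on constructed inputs around the block boundary."""
    msgs = [b"", b"abc", bytes(167), bytes(168), bytes(range(200))]
    return all(sponge(m, 168, 0x1F, 400) == hashlib.shake_128(m).digest(400)
               and sponge(m, 136, 0x1F, 400) == hashlib.shake_256(m).digest(400)
               and sponge(m, 136, 0x06, 32) == hashlib.sha3_256(m).digest()
               for m in msgs)
```

SHAKE256 and SHA3-256 here share the same rate and permutation and differ only in the suffix byte and output length.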