@lynne
is the following:
KEK = SHA3-256("I like strawberry cake" || ecdhKeyShare)
secure?
If yes, then replacing the constant string in there with something more random should be at least as secure, right?
@wolf480pl@mstdn.io @lynne@pars.ee yes, SHA3 is not vulnerable to length extension attacks or similar stuff
@wolf480pl@mstdn.io @lynne@pars.ee It's got to do with the sponge construction as far as I'm aware, because there's hidden state and how it's updated depends both on the inputs and the state.
Though probably you'd want to use some kind of KDF for this anyways, SHA3 has a KDF mode that's faster than just using it in HKDF
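The KDF route suggested in this reply, as an added example (not code from anyone in the thread): an RFC 5869 HKDF extract-then-expand implementation parameterised on the hash, run here with SHA3-256 and with the thread's constant string as the domain-separating `info` label. Using HKDF rather than SHA3's own KDF mode, and the salt/info roles, are my assumptions; the naive construction is kept beside it for comparison.

```python
"""HKDF (RFC 5869) parameterised on the hash, run with SHA3-256 to derive a KEK."""
import hashlib
import hmac


def hkdf_extract(salt: bytes, ikm: bytes, hash_name: str = "sha3_256") -> bytes:
    """Extract step: PRK = HMAC(salt, IKM). Empty salt -> HashLen zero bytes (RFC 5869)."""
    if not salt:
        salt = b"\x00" * hashlib.new(hash_name).digest_size
    return hmac.new(salt, ikm, hash_name).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int, hash_name: str = "sha3_256") -> bytes:
    """Expand step: OKM = T(1) || T(2) || ..., T(i) = HMAC(PRK, T(i-1) || info || i)."""
    hash_len = hashlib.new(hash_name).digest_size
    if length > 255 * hash_len:
        raise ValueError("requested length exceeds 255 * HashLen")
    okm, block = b"", b""
    for counter in range(1, -(-length // hash_len) + 1):  # ceil(length / hash_len) rounds
        block = hmac.new(prk, block + info + bytes([counter]), hash_name).digest()
        okm += block
    return okm[:length]


def hkdf(ikm: bytes, salt: bytes, info: bytes, length: int, hash_name: str = "sha3_256") -> bytes:
    return hkdf_expand(hkdf_extract(salt, ikm, hash_name), info, length, hash_name)


def derive_kek(ecdh_key_share: bytes, context: bytes = b"I like strawberry cake") -> bytes:
    """32-byte KEK from an ECDH shared secret. The thread's constant becomes the 'info'
    label, so each purpose (KEK, MAC key, ...) gets an independent key from one secret."""
    return hkdf(ecdh_key_share, salt=b"", info=context, length=32)


def naive_kek(ecdh_key_share: bytes, constant: bytes = b"I like strawberry cake") -> bytes:
    """The construction asked about in the thread, kept for side-by-side comparison."""
    return hashlib.sha3_256(constant + ecdh_key_share).digest()


if __name__ == "__main__":
    share = bytes(range(32))  # constructed stand-in for a real ECDH output
    print("HKDF-SHA3-256 KEK:      ", derive_kek(share).hex())
    print("SHA3-256(const || share):", naive_kek(share).hex())
```

Passing `hash_name="sha256"` lets the same functions be checked against the RFC 5869 test vectors, which exist only for SHA-256.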
@ignaloidas @lynne
Why?
I mean, it's obviously safe in Random Oracle Model, where the only way to learn anything about a hash function's output is to feed it the exact input that produces that output. So knowing some of the bits of the input gives you nothing.
But Random Oracles don't exist IRL, and there are cryptographic schemes that are secure in Random Oracle Model but insecure with any real hash function.
So what is SHA-3 then? A collision-resistant function?
@ignaloidas @lynne what if it's H(a||b), you control a, but don't control b?
@wolf480pl@mstdn.io @lynne@pars.ee still safe for SHA3, AFAIK
@ignaloidas @lynne I don't think length extension attacks are applicable here?
@wolf480pl@mstdn.io @lynne@pars.ee this very much feels like a length extension attack though, no?
You have some predefined bit at the start that you can't control, and then you're trying to get to some other state with what you control.