Score:1

Exact security requirements for extendable output functions (XOF)?


In the FIPS 202 document "SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions" an extendable-output function is defined as:

An extendable-output function (XOF) is a function on bit strings (also called messages) in which the output can be extended to any desired length.

That is all the definition I could find on that. However, this definition does not capture the notion that the bits should be pseudorandom or any other security requirements. The way I saw XOF functions used (in Dilithium, for example) and the way they are designed, they fulfill additional security requirements, most notably being indistinguishable from pseudorandom functions.

Are those additional security requirements spelled out somewhere? When a paper/cryptographic algorithm uses an XOF somewhere, what are the implicit security assumptions that the XOF should fulfill?

SEJPM
Most papers will explicitly spell the security notions out for their XOFs, which will also be more concrete than the quoted one. Otherwise, I would probably expect Random Oracle or CRHF-like properties from a SHAKE XOF (with appropriate restrictions to block truncation-based attacks).
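The "truncation-based attacks" mentioned in the comment above come from the one property FIPS 202 does guarantee: a SHAKE output of length n is a prefix of the output of any length m > n for the same input. That is harmless in a random-oracle model where every query is independent, but it means two outputs of different lengths derived from the same input are not independent. The following is an added illustration, not code from the question, the comment, or FIPS 202. It uses Python's standard `hashlib.shake_256` and a hypothetical length-prefixing scheme (my assumption, chosen for illustration; the standardized way to get domain separation is the customization string of cSHAKE in NIST SP 800-185).

```python
import hashlib


def shake256(msg: bytes, out_len: int) -> bytes:
    """SHAKE256 as specified in FIPS 202; out_len is the requested output length in bytes."""
    return hashlib.shake_256(msg).digest(out_len)


def longer_output_extends_shorter(msg: bytes, short_len: int, long_len: int) -> bool:
    """The 'extendable' property: the short output is a prefix of the long one."""
    return shake256(msg, long_len)[:short_len] == shake256(msg, short_len)


def leaks_short_key(seed: bytes) -> bool:
    """Two components derive keys of different lengths from the same seed with plain SHAKE256.
    Anyone who learns the 64-byte key also learns the 32-byte key by truncation."""
    key32 = shake256(seed, 32)
    key64 = shake256(seed, 64)
    return key64[:32] == key32


def shake256_len_sep(msg: bytes, out_len: int) -> bytes:
    """Hypothetical domain separation (an assumption for this example, not part of FIPS 202):
    the requested length is fed into the input, so different lengths hash different messages.
    cSHAKE (NIST SP 800-185) achieves the same effect with a customization string."""
    return hashlib.shake_256(out_len.to_bytes(8, "big") + msg).digest(out_len)


def leaks_short_key_separated(seed: bytes) -> bool:
    """Same two derivations with length separation: the 64-byte output no longer
    contains the 32-byte output as a prefix, so the keys are unrelated."""
    return shake256_len_sep(seed, 64)[:32] == shake256_len_sep(seed, 32)


if __name__ == "__main__":
    seed = b"constructed example seed"  # constructed input, not from any standard
    print("prefix property holds:", longer_output_extends_shorter(seed, 32, 64))
    print("plain SHAKE leaks short key:", leaks_short_key(seed))
    print("length-separated leaks short key:", leaks_short_key_separated(seed))
```

The practical rule this shows: when a scheme such as Dilithium uses an XOF as a PRF or to expand a seed, it either requests one output and slices it, or it separates the calls by input (domain-separation bytes, nonces, or cSHAKE customization), never by output length alone.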

