Score:-1

truncated sha3-512


Let's say I need performance on a 64-bit machine, then SHA3-512 is the way to go.
SHA-512/256(x) is SHA-512(x) with output truncated to 256 bits, according to https://pycryptodome.readthedocs.io/en/latest/src/hash/sha512.html

Let H1(x) be SHA-512/256(SHA-512(SHA-512(x)))
Let H2(x) be SHA-256(SHA-512(SHA-512(x)))

Is H1 safer than H2?

Is there a way to truncate SHA3-512 like SHA-512/256 does?
Is SHAKE-256 with 256 bits output size the solution?

kelalaka
Could you stop for a while and think and express your actual question? Who needs the triple hashing? Why is a single SHA3 or BLAKE2 not enough for you? Will your next question be quadruple hashing? And next, next, and going to ask whether there is a cycle at the end? Are you afraid that one is going to be broken in the far future? Very improbable... BLAKE2 is the way to go for performance, not SHA3-512.
Kuba Chrabański
My questions are mostly unrelated
kelalaka
Actually, they are mostly related.
Kuba Chrabański
Not in a way you think they are. There is no actual question to express that stands behind all of them.
kelalaka
`Let say I need` so what is your actual need? `SHA3-512 is the way to go` then why ask about triple hashing instead of providing your **actual target security with risks**? `SHA3-512 like SHA-512/256`, there is no need by design thanks to sponge construction.
Kuba Chrabański
Okay, but "there is no need by design thanks to sponge construction" means that I can simply cut the first 256 bits, or use SHAKE-256.
Kuba Chrabański
`Let say I need` is just a way to start a question
kelalaka
Why do you need to cut? There is SHA3-256 for 256-bit output. SHAKE-x can output arbitrary sizes; they are members of the eXtendable Output Functions (XOF).
Kuba Chrabański
Here comes the first part of the question and my first question. Do I have a benefit from running SHA3-512 N times and SHA3-256 to narrow the output instead of running SHA3-256 (N+1) times?
Maarten Bodewes
Note that most CPUs nowadays accelerate SHA-1 and SHA-256, not SHA-512, probably because it was already quite fast. Because of this, SHA-256 is often faster on 64-bit hardware (assuming that the acceleration is actually used, of course; not sure of PyCryptodome on that).
Score:1

Truncating SHA3-512 to 256 bits produces an excellent wide pipe 256 bit hash function and is definitely reasonable and IMHO the top choice when looking for a general purpose 256 bit hash function.

There may be faster options but it's pretty fast.

Triple hashing like you suggest doesn't seem to be suitable for any purpose I know of. And the question doesn't suggest why you may think such a structure with any hash function as a base is a good idea for any purpose.

In particular it is easy to see such a construction preserves all collisions from the base hash function and adds more in repeat invocations. Such triple hashing is strictly less collision resistant than any of the original hash functions.
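Added example (not part of the original answer or its author's code): the first three functions show the 256-bit options discussed on this page side by side, and the rest uses a constructed 16-bit toy hash (SHA3-512 cut to 2 bytes, an assumption made only so collisions are cheap to find) to show that a collision in the base hash survives repeated hashing and that the set of reachable outputs shrinks each round. All function names are hypothetical.

```python
import hashlib

def sha3_512_trunc256(data: bytes) -> bytes:
    """Leftmost 256 bits of SHA3-512."""
    return hashlib.sha3_512(data).digest()[:32]

def shake256_256(data: bytes) -> bytes:
    """SHAKE256 asked for 32 bytes (256 bits) of output."""
    return hashlib.shake_256(data).digest(32)

def toy_hash(data: bytes) -> bytes:
    """Constructed toy: SHA3-512 cut to 16 bits so collisions are cheap to find."""
    return hashlib.sha3_512(data).digest()[:2]

def iterate(data: bytes, rounds: int) -> bytes:
    """toy_hash applied `rounds` times, mirroring the H(H(H(x))) shape."""
    for _ in range(rounds):
        data = toy_hash(data)
    return data

def find_collision(limit: int = 20000):
    """Return two distinct inputs with the same toy_hash output."""
    seen = {}
    for i in range(limit):
        msg = i.to_bytes(4, "big")
        digest = toy_hash(msg)
        if digest in seen:
            return seen[digest], msg
        seen[digest] = msg
    raise RuntimeError("no collision found; raise limit")

def image_sizes(n_inputs: int = 20000, rounds: int = 3):
    """Distinct outputs left after each round over the same input set."""
    values = {i.to_bytes(4, "big") for i in range(n_inputs)}
    sizes = []
    for _ in range(rounds):
        values = {toy_hash(v) for v in values}
        sizes.append(len(values))
    return sizes

if __name__ == "__main__":
    msg = b"constructed sample input"
    for name, d in [("SHA3-512[:32]", sha3_512_trunc256(msg)),
                    ("SHA3-256", hashlib.sha3_256(msg).digest()),
                    ("SHAKE256(32)", shake256_256(msg))]:
        print(f"{name:14} {d.hex()}")
    a, b = find_collision()
    print("collision survives 3 rounds:", iterate(a, 3) == iterate(b, 3))
    print("distinct outputs per round:", image_sizes())
```

The three 256-bit digests differ from each other because SHA3-512, SHA3-256 and SHAKE256 use different capacities or domain-separation suffixes, so they are separate functions rather than interchangeable encodings of one value.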

Kuba Chrabański
Firstly, what do you mean by truncating: taking the first or second 256 bits, or some specific operation like the one used in SHA-512/256? Also, I understood a few things recently so I can make my question more precise. Let's say I have a password hash function PH(x), I need to keep as much preimage resistance as possible, while also I need the output to be 256 bits. Should I then use PH(x) in the 256 bit variant, or "reduce" the output of PH(x) in the 512 bit variant through some 256 bit hash function like SHA-256 (SHA-256(PH(x)))?
kelalaka
@KubaChrabański learn the distinction between a password hashing function and collision-resistant hashing like SHAx... We want them fast; password hashing algorithms are designed to be slow, memory-hard, thread consuming. Though some include SHA-256 or similar in their design, the target aim is different. Of course, the pre-image resistance is important in password hashing; however, don't expect them to be broken in their collision resistance, too.
Meir Maor
When we do iterated hashing, like in PBKDF, we keep mixing in the original input, to prevent the domain getting smaller and smaller with each iteration. Do not build your own password hashing scheme. Use something already designed for that purpose. As for how to truncate? It's not important; all methods work.
Kuba Chrabański
@kelalaka maybe you should stop for a while. That was not my question at all
Kuba Chrabański
@MeirMaor I'm obviously not gonna build my own password hashing function (PH(x)), I just need its output to be 256 bits, and I wonder if I can use PH[512](x) and truncate the output (if so then how), or put the output through a normal hash function like SHA3-256, and still have any benefit from using the 512 bit variant of PH.
Meir Maor
SHA3 isn't suitable as password hashing. Except maybe if you mean PBKDF2-SHA3. Look at Argon2 or scrypt or even the older but tried and true bcrypt.