Score:1

What is the security of XORing SHAKE256_XOF with itself?

mc flag

After reading "Can the xor of two RNG outputs ever be less secure than one of them?" I wondered if you can increase security of SHAKE256_XOF by using another instance of the CSRNG. The theoretical security of SHAKE256_XOF is 256 bits. After a theoretical quantum attack it has min(key_length/2, 256) bit security. So using a 512 bit key SHAKE256_XOF should theoretically be able to generate a bit stream of any length with 256 bits of security against classical and quantum attacks.

If you were to compute SHAKE256_XOF(key1) xor SHAKE256_XOF(key2) where both keys are independent true random numbers of at least 512 bits:

  1. Could you obtain a bit stream with more than 256 bits of security against classical attacks?
  2. Could you obtain a bit stream with more than 256 bits of security against quantum attacks?
  3. Can this lead to a bit stream that is weaker than 256 bits with the assumptions of the keys?
  4. What it the security of N SHAKE256_XOF generators chained with xor for classical and quantum attacks?
poncho avatar
my flag
"After a theoretical quantum attack it has `min(key_length/3, 256)` bit security." - no, it has `min(key_length/2, 256)` bit security - collision attacks do not apply, hence the best attack is straight Grover's.
mc flag
@poncho: Wouldn't a birthday attack create the same bit stream with a successful collision effectively breaking it?
poncho avatar
my flag
In a Birthday attack, we assume that the attacker can select *both* preimages (or, at least, influence them). In your scenario (we compute SHAKE based on a secret key), the attacker cannot specify the key.
mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.