Is the security of output of Skein when using arbitrary output size similar to that of SHAKE?

phantomcraft

11/25/23, 11:18 PM

Let's suppose I have a 1MB high-resolution photo and I want to hash and create a 1536-bits key.

I know that I could just use SHAKE-256 as its a pre-enginered way for doing that.

There is also Skein that can emit outputs of any sizes (up to 2^64-1).

But Skein has a internal state of 1024-bits.

If I decide to use Skein to generate the 1536-bits key, would I have the same security of that of SHAKE-256 despite Skein internal state being shorter than the key size? Would the key have guaranteed 1536-bits of security?

PS: I read the entire Skein manual and I could not find anything that can answer this question.

0 + 5

security-definition

xof

Maarten Bodewes

11/25/23, 11:30 PM

What does it matter? Anything of over 128 bit of security (against any adversary) is unbreakable unless the algorithm gets broken. You can go to 256 bit if you're overly careful. Anything above that basically has the same security. I'd me more worried about the entropy of the input source (i.e. the photo) and why you'd want a 1536 bit key.

phantomcraft

11/26/23, 1:41 AM

@MaartenBodewes I know that any key size greater than 256-bits is paranoia, but I want to create a disk encryption program in the future that allows selection of very large key sizes. Obviously I would hash a particular kind of file, such as a video/photo carefully and caring about the input file a lot. Here I use AES with secret S-Boxes, in this scenario large keys are needed.

poncho

11/26/23, 4:11 PM

"Here I use AES with secret S-Boxes"; nope, no such thing exists. You are doing home-brew crypto

phantomcraft

11/26/23, 5:38 PM

@poncho https://github.com/veracrypt/VeraCrypt/blob/master/src/Crypto/AesSmall_x86.asm#L823 -- https://github.com/veracrypt/VeraCrypt/blob/master/src/Crypto/AesSmall.c#L79 -- I created my own S-Box (and its inverse) and replaced the AES S-Box of Veracrypt with it, then I compiled and I have been using for some days, at least is more secure than pure AES I think.

forest

11/27/23, 10:53 PM

@phantomcraft The AES S-boxes are very carefully chosen to have certain differential characteristics. Using random key-dependent S-boxes might actually _reduce_ security.

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: Is the security of output of Skein when using arbitrary output size similar to that of SHAKE?

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.