{{Short description|Cryptographic hash extension}}
{{Technical|date=July 2023}}
An '''extendable-output function''' ('''XOF''') is a type of cryptographic hash function whose output can be arbitrarily long, allowing it to be used as a cryptographically secure pseudo-random number generator.{{sfn|Peyrin|Wang|2020|p=7}}
One particular hash construction, the sponge construction, makes any sponge hash a natural XOF: the squeeze operation can be repeated, which results in a XOF (regular hash functions with a fixed-size result are obtained from a sponge mechanism by stopping the squeezing phase once the fixed number of bits has been obtained).{{sfn | Mittelbach | Fischlin | 2021 | p=526}}
A secure XOF is collision, preimage and second preimage resistant. While technically any XOF can be turned into a cryptographic hash by truncating the result to a fixed length, in the real world hashes and XOFs tend to be defined differently using domain separation.{{sfn|Dworkin|2014|p=3}} Examples of sponge construction XOFs include the algorithms from the Keccak family: SHAKE128, SHAKE256, and a variant with higher efficiency, KangarooTwelve.{{sfn|Peyrin|Wang|2020|p=7}}
There are other XOFs which are ''not'' sponge constructions, such as Skein and RadioGatún.
XOFs are used as key derivation functions (KDFs), stream ciphers,{{sfn|Peyrin|Wang|2020|p=7}} and mask generation functions.{{sfn|Perlner|2014|p=4}}
==Related-output issues==
By their nature, XOFs can produce related outputs (a longer result includes a shorter one as a prefix). The use of KDFs for key derivation can therefore cause related-output problems. As a "naïve" example, if Triple DES keys are generated with a XOF, and a confusion in the implementation causes some operations to be performed as 3TDEA (3{{times}}56 = 168-bit key) and some as 2TDEA (2{{times}}56 = 112-bit key), comparing the encryption results will lower the attack complexity to just 56 bits; similar problems can occur if the hashes in NIST SP 800-108 are naïvely replaced by the KDFs.{{sfn|Perlner|2014|p=5}}
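
The prefix relation described above, shown with SHAKE256 from Python's <code>hashlib</code>, next to a derivation that binds a purpose label and the requested length into the XOF input. This is an added example, not part of the original article; the seed, the function names and the header encoding are assumptions made for illustration, and the last function checks the hash/XOF domain separation mentioned earlier.

```python
import hashlib

DES_KEY_BYTES = 8  # one DES subkey as stored (56 key bits + 8 parity bits)

def naive_key(seed: bytes, nbytes: int) -> bytes:
    """Naive derivation: squeeze nbytes straight out of SHAKE256(seed)."""
    return hashlib.shake_256(seed).digest(nbytes)

def separated_key(seed: bytes, nbytes: int, label: bytes) -> bytes:
    """Bind a purpose label and the requested length into the XOF input.
    The header encoding is an assumption made for this example."""
    if len(label) > 255:
        raise ValueError("label must fit in one length byte")
    header = bytes([len(label)]) + label + nbytes.to_bytes(4, "big")
    return hashlib.shake_256(header + seed).digest(nbytes)

def shared_subkeys(a: bytes, b: bytes) -> int:
    """Count DES subkeys that are identical at the same position."""
    n = min(len(a), len(b))
    return sum(a[i:i + DES_KEY_BYTES] == b[i:i + DES_KEY_BYTES]
               for i in range(0, n, DES_KEY_BYTES))

def hash_and_xof_differ(msg: bytes) -> bool:
    """SHA3-256 and SHAKE256 truncated to 32 bytes disagree, because the
    two are domain-separated even though both are Keccak sponges."""
    return hashlib.sha3_256(msg).digest() != hashlib.shake_256(msg).digest(32)

SEED = bytes(range(32))  # constructed sample secret, not a real key

if __name__ == "__main__":
    k2 = naive_key(SEED, 16)   # 2TDEA: K1 || K2
    k3 = naive_key(SEED, 24)   # 3TDEA: K1 || K2 || K3
    print("naive: 2TDEA key is a prefix of 3TDEA key:", k3.startswith(k2))
    print("naive: shared subkeys:", shared_subkeys(k2, k3))
    s2 = separated_key(SEED, 16, b"2TDEA")
    s3 = separated_key(SEED, 24, b"3TDEA")
    print("separated: shared subkeys:", shared_subkeys(s2, s3))
    print("SHA3-256 != SHAKE256[:32]:", hash_and_xof_differ(b"abc"))
```

With the naive derivation both key sizes share K1 and K2, so a 2TDEA/3TDEA mix-up leaves only one subkey different; with the length and label bound into the input, the two outputs are unrelated.
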
==References==
{{reflist}}
==Sources==
* {{cite book | last1=Mittelbach | first1=Arno | last2=Fischlin | first2=Marc | title=The Theory of Hash Functions and Random Oracles: An Approach to Modern Cryptography | publisher=Springer International Publishing | series=Information Security and Cryptography | year=2021 | chapter = Extendable Output Functions (XOFs) | isbn=978-3-030-63287-8 | chapter-url=https://books.google.com/books?id=Ly8WEAAAQBAJ&pg=PA526 | access-date=2023-06-22}}
* {{cite book | last1=Peyrin | first1=Thomas | last2=Wang | first2=Haoyang | series=Lecture Notes in Computer Science | volume=12172 | pages=249–278 | title=Advances in Cryptology – CRYPTO 2020 | chapter=The MALICIOUS Framework: Embedding Backdoors into Tweakable Block Ciphers | publisher=Springer International Publishing | year=2020 | isbn=978-3-030-56876-4 | issn=0302-9743 | doi=10.1007/978-3-030-56877-1_9 | s2cid=221107066 | chapter-url=https://eprint.iacr.org/2020/986.pdf}}
* {{cite web |last1=Perlner |first1=Ray |title=Extendable-Output Functions (XOFs) |url=https://csrc.nist.gov/events/2014/sha-3-2014-workshop |website=csrc.nist.gov |publisher=NIST |access-date=22 June 2023 | date = August 22, 2014}}
* {{cite web |last1=Dworkin |first1=Morris |title=Domain Extensions |url=https://csrc.nist.gov/events/2014/sha-3-2014-workshop |website=csrc.nist.gov |publisher=NIST |access-date=22 June 2023 | date = August 22, 2014}}
[[Category:Extendable-output functions]]
{{crypto-stub}}