Extendable-output function (XOF) is a type of cryptographic hash function that allows its output to be arbitrarily long, allowing it to be used as a cryptographically secure pseudo-random number generator.1
One particular hash construction, the sponge construction, makes any sponge hash a natural XOF: the squeeze operation can be repeated thus resulting in a XOF (the regular hash functions with a fixed-size result are obtained from a sponge mechanism by stopping the squeezing phase after obtaining the fixed number of bits).2
A secure XOF is collision, preimage and second preimage resistant. While technically any XOF can be turned into a cryptographic hash by truncating the result to a fixed length, in the real world hashes and XOFs tend to be defined differently using domain separation.3) Examples of sponge construction XOFs include the algorithms from the Keccak family: SHAKE128, SHAKE256, and a variant with higher efficiency, KangarooTwelve.1
There are other XOFs which are not sponge constructions, such as Skein and RadioGatún.
XOFs are used as key derivation functions (KDFs), stream ciphers,1 mask generation functions.4
Related-output issues
By their nature, XOFs can produce related outputs (a longer result includes a shorter one as a prefix). The use of KDFs for key derivation can therefore cause related-output problems. As a "naïve" example, if the Triple DES keys are generated with a XOF, and there is a confusion in the implementation that causes some operations to be performed as 3TDEA (3 × 56 = 168-bit key), and some as 2TDEA (2 × 56 = 112 bit key), comparing the encryption results will lower the attack complexity to just 56 bits; similar problems can occur if hashes in the NIST SP 800-108 are naïvely replaced by the KDFs.5
References
References
- Peyrin & Wang 2020, p. 7.
- Mittelbach & Fischlin 2021, p. 526.
- Dworkin 2014, p. 3.
- Perlner 2014, p. 4.
- Perlner 2014, p. 5.
Sources
Sources
- Mittelbach, Arno; Fischlin, Marc (2021). "Extendable Output Functions (XOFs)". The Theory of Hash Functions and Random Oracles: An Approach to Modern Cryptography. Information Security and Cryptography. Springer International Publishing. ISBN 978-3-030-63287-8. Retrieved 2023-06-22.
- Peyrin, Thomas; Wang, Haoyang (2020). "The MALICIOUS Framework: Embedding Backdoors into Tweakable Block Ciphers" (PDF). Advances in Cryptology – CRYPTO 2020. Lecture Notes in Computer Science. Vol. 12172. Springer International Publishing. pp. 249–278. doi:10.1007/978-3-030-56877-1_9. ISBN 978-3-030-56876-4. ISSN 0302-9743. S2CID 221107066.
- Perlner, Ray (August 22, 2014). "Extendable-Output Functions (XOFs)". csrc.nist.gov. NIST. Retrieved 22 June 2023.
- Dworkin, Morris (August 22, 2014). "Domain Extensions". csrc.nist.gov. NIST. Retrieved 22 June 2023.