Documentation
¶
Overview ¶
Package sha3 implements the SHA-3 fixed-output-length hash functions and the SHAKE variable-output-length hash functions defined by FIPS-202.
Both types of hash function use the "sponge" construction and the Keccak permutation. For a detailed specification see http://keccak.noekeon.org/
Guidance ¶
If you aren't sure what function you need, use SHAKE256 with at least 64 bytes of output. The SHAKE instances are faster than the SHA3 instances; the latter have to allocate memory to conform to the hash.Hash interface.
If you need a secret-key MAC (message authentication code), prepend the secret key to the input, hash with SHAKE256 and read at least 32 bytes of output.
Security strengths ¶
The SHA3-x (x equals 224, 256, 384, or 512) functions have a security strength against preimage attacks of x bits. Since they only produce "x" bits of output, their collision-resistance is only "x/2" bits.
The SHAKE-256 and -128 functions have a generic security strength of 256 and 128 bits against all attacks, provided that at least 2x bits of their output is used. Requesting more than 64 or 32 bytes of output, respectively, does not increase the collision-resistance of the SHAKE functions.
The sponge construction ¶
A sponge builds a pseudo-random function from a public pseudo-random permutation, by applying the permutation to a state of "rate + capacity" bytes, but hiding "capacity" of the bytes.
A sponge starts out with a zero state. To hash an input using a sponge, up to "rate" bytes of the input are XORed into the sponge's state. The sponge is then "full" and the permutation is applied to "empty" it. This process is repeated until all the input has been "absorbed". The input is then padded. The digest is "squeezed" from the sponge in the same way, except that output output is copied out instead of input being XORed in.
A sponge is parameterized by its generic security strength, which is equal to half its capacity; capacity + rate is equal to the permutation's width. Since the KeccakF-1600 permutation is 1600 bits (200 bytes) wide, this means that the security strength of a sponge instance is equal to (1600 - bitrate) / 2.
Recommendations ¶
The SHAKE functions are recommended for most new uses. They can produce output of arbitrary length. SHAKE256, with an output length of at least 64 bytes, provides 256-bit security against all attacks. The Keccak team recommends it for most applications upgrading from SHA2-512. (NIST chose a much stronger, but much slower, sponge instance for SHA3-512.)
The SHA-3 functions are "drop-in" replacements for the SHA-2 functions. They produce output of the same length, with the same security strengths against all attacks. This means, in particular, that SHA3-256 only has 128-bit collision resistance, because its output length is 32 bytes.
Example (Mac) ¶
k := []byte("this is a secret key; you should generate a strong random key that's at least 32 bytes long")
buf := []byte("and this is some data to authenticate")
// A MAC with 32 bytes of output has 256-bit security strength -- if you use at least a 32-byte-long key.
h := make([]byte, 32)
d := NewShake256()
// Write the key into the hash.
d.Write(k)
// Now write the data.
d.Write(buf)
// Read 32 bytes of output from the hash into h.
d.Read(h)
fmt.Printf("%x\n", h)
Output: 78de2974bd2711d5549ffd32b753ef0f5fa80a0db2556db60f0987eb8a9218ff
Example (Sum) ¶
buf := []byte("some data to hash")
// A hash needs to be 64 bytes long to have 256-bit collision resistance.
h := make([]byte, 64)
// Compute a 64-byte hash of buf and put it in h.
ShakeSum256(h, buf)
fmt.Printf("%x\n", h)
Output: 0f65fe41fc353e52c55667bb9e2b27bfcc8476f2c413e9437d272ee3194a4e3146d05ec04a25d16b8f577c19b82d16b1424c3e022e783d2b4da98de3658d363d
Index ¶
- func CShakeSum128(hash, data, n, s []byte)
- func CShakeSum256(hash, data, n, s []byte)
- func New224() hash.Hash
- func New256() hash.Hash
- func New384() hash.Hash
- func New512() hash.Hash
- func NewKMAC128(key []byte, length int, s []byte) hash.Hash
- func NewKMAC256(key []byte, length int, s []byte) hash.Hash
- func ShakeSum128(hash, data []byte)
- func ShakeSum256(hash, data []byte)
- func Sum224(data []byte) (digest [28]byte)
- func Sum256(data []byte) (digest [32]byte)
- func Sum384(data []byte) (digest [48]byte)
- func Sum512(data []byte) (digest [64]byte)
- func TupleHash128(tuple [][]byte, s []byte, out []byte)
- func TupleHash256(tuple [][]byte, s []byte, out []byte)
- func TupleHashXOF128(tuple [][]byte, s []byte) io.Reader
- func TupleHashXOF256(tuple [][]byte, s []byte) io.Reader
- type ShakeHash
- type TupleHash
- type TupleHashXOF
Examples ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func CShakeSum128 ¶
func CShakeSum128(hash, data, n, s []byte)
CShakeSum128 writes an arbitrary-length digest of data into hash. n is a customization string for derived functions specified by NIST. Set n to an empty string if you are building your own derived function. s is a user-defined customization string.
func CShakeSum256 ¶
func CShakeSum256(hash, data, n, s []byte)
CShakeSum256 writes an arbitrary-length digest of data into hash. n is a customization string for derived functions specified by NIST. Set n to an empty string if you are building your own derived function. s is a user-defined customization string.
func New224 ¶
New224 creates a new SHA3-224 hash. Its generic security strength is 224 bits against preimage attacks, and 112 bits against collision attacks.
func New256 ¶
New256 creates a new SHA3-256 hash. Its generic security strength is 256 bits against preimage attacks, and 128 bits against collision attacks.
func New384 ¶
New384 creates a new SHA3-384 hash. Its generic security strength is 384 bits against preimage attacks, and 192 bits against collision attacks.
func New512 ¶
New512 creates a new SHA3-512 hash. Its generic security strength is 512 bits against preimage attacks, and 256 bits against collision attacks.
func NewKMAC128 ¶
NewKMAC128 creates an instance of Hash with a given key, output length in bytes and a customization string s.
func NewKMAC256 ¶
NewKMAC256 creates an instance of Hash with a given key, output length in bytes and a customization string s.
func ShakeSum128 ¶
func ShakeSum128(hash, data []byte)
ShakeSum128 writes an arbitrary-length digest of data into hash.
func ShakeSum256 ¶
func ShakeSum256(hash, data []byte)
ShakeSum256 writes an arbitrary-length digest of data into hash.
func TupleHash128 ¶
TupleHash128 hashes a tuple with a given customization string s. Output is written to `out`. len(out) determines the output size.
func TupleHash256 ¶
TupleHash256 hashes a tuple with a given customization string s. Output is written to `out`. len(out) determines the output size.
func TupleHashXOF128 ¶
TupleHashXOF128 provides an arbitrary-length output.
Types ¶
type ShakeHash ¶
type ShakeHash interface {
// Write absorbs more data into the hash's state. It panics if input is
// written to it after output has been read from it.
io.Writer
// Read reads more output from the hash; reading affects the hash's
// state. (ShakeHash.Read is thus very different from Hash.Sum)
// It never returns an error.
io.Reader
// Clone returns a copy of the ShakeHash in its current state.
Clone() ShakeHash
// Reset resets the ShakeHash to its initial state.
Reset()
}
ShakeHash defines the interface to hash functions that support arbitrary-length output.
func NewCShake128 ¶
NewCShake128 creates a new cSHAKE128 variable-output-length customizable ShakeHash. Its generic security strength is 128 bits against all attacks if at least 32 bytes of its output are used. n is a customization string for derived functions specified by NIST. Set n to an empty string if you are building your own derived function. s is a user-defined customization string.
func NewCShake256 ¶
NewCShake256 creates a new cSHAKE256 variable-output-length customizable ShakeHash. Its generic security strength is 256 bits against all attacks if at least 64 bytes of its output are used. n is a customization string for derived functions specified by NIST. Set n to an empty string if you are building your own derived function. s is a user-defined customization string.
func NewKMACXOF128 ¶
NewKMACXOF128 provides an arbitrary-length output.
func NewKMACXOF256 ¶
NewKMACXOF256 provides an arbitrary-length output.
func NewShake128 ¶
func NewShake128() ShakeHash
NewShake128 creates a new SHAKE128 variable-output-length ShakeHash. Its generic security strength is 128 bits against all attacks if at least 32 bytes of its output are used.
func NewShake256 ¶
func NewShake256() ShakeHash
NewShake256 creates a new SHAKE128 variable-output-length ShakeHash. Its generic security strength is 256 bits against all attacks if at least 64 bytes of its output are used.
type TupleHash ¶
type TupleHash interface {
hash.Hash
// WriteItem writes length-prefixed item to the hash state.
WriteItem(item []byte) (written int, err error)
// WriteItemPrefix writes length prefix to the hash state
// and must be followed by normal Write calls.
WriteItemPrefix(length int) (written int, err error)
}
TupleHash defines the interface to hash functions that support tuple input.
func NewTupleHash128 ¶
NewTupleHash128 creates an instance of Hash with a given key, output length in bytes and a customization string s.
func NewTupleHash256 ¶
NewTupleHash256 creates an instance of Hash with a given key, output length in bytes and a customization string s.
type TupleHashXOF ¶
type TupleHashXOF interface {
ShakeHash
// WriteItem writes length-prefixed item to the hash state.
WriteItem(item []byte) (written int, err error)
// WriteItemPrefix writes length prefix to the hash state
// and must be followed by normal Write calls.
WriteItemPrefix(length int) (written int, err error)
}
TupleHashXOF defines the interface to hash functions that support tuple input with extensible output.
func NewTupleHashXOF128 ¶
func NewTupleHashXOF128(s []byte) TupleHashXOF
NewTupleHashXOF128 provides an arbitrary-length output.
func NewTupleHashXOF256 ¶
func NewTupleHashXOF256(s []byte) TupleHashXOF
NewTupleHashXOF256 provides an arbitrary-length output.
Source Files