Hash strength about libhydrogen HOT 4 CLOSED

It currently provides a security level of 128 bits. Preimages and collision resistance depend on the output size. Like cSHAKE, with an output of L bits, a collision attack will require about 2^(L/2) work, and a preimage attack will require about 2^L work.

Sponge-based constructions, and the libhydrogen API, allow great flexibility. The internal permutation can easily be replaced, and the rate/capacity ratio can also be adjusted to increase strength at the expense of speed or the other way round.

libhydrogen currently has these parameters hardcoded, but a goal that's also a justification for opting for that design, is to make these configurable at compile-time.

from libhydrogen.

No, SHAKE and cSHAKE suffer from exactly the same weakness, by design, with 256 bits of capacity you only get 128 bits of security, meaning that an attack takes 2^128 work. Additional output does nothing.

from libhydrogen.

additional output does nothing

Strength increases with the output size, until the output size reaches 256 bits.

from libhydrogen.

additional output does nothing

Strength increases with the output size, until the output size reaches 256 bits.

Additional output after the first 256 bits does nothing.
The cutoff point is different for the different attack scenarios.

Collision strength increases with the output size until the output size reaches 256 bits, and the collision strength reaches 128 bits.

Second preimage strength increases with the output size until the output size reaches 128 bits, and the second preimage strength reaches 128 bits.

from libhydrogen.