Extendable-output function

Extendable-output function (XOF) is an extension^[1] of the cryptographic hash that allows its output to be arbitrarily long. In particular, the sponge construction makes any sponge hash a natural XOF: the squeeze operation can be repeated, and the regular hash functions with a fixed-size result are obtained from a sponge mechanism by stopping the squeezing phase after obtaining the fixed number of bits).^[2]

The genesis of a XOF makes it collision, preimage and second preimage resistant. Technically, any XOF can be turned into a cryptographic hash by truncating the result to a fixed length (in practice, hashes and XOFs are defined differently for domain separation^[3]). The examples of XOF include the algorithms from the Keccak family: SHAKE128, SHAKE256, and a variant with higher efficiency, KangarooTwelve.^[1]

XOFs are used as key derivation functions (KDFs), stream ciphers,^[1] mask generation functions.^[4]

By their nature, XOFs can produce related outputs (a longer result includes a shorter one as a prefix). The use of KDFs for key derivation can therefore cause related-output problems. As a "naïve" example, if the Triple DES keys are generated with a XOF, and there is a confusion in the implementation that causes some operations to be performed as 3TDEA (3x56 = 168-bit key), and some as 2TDEA (2x56 = 112 bit key), comparing the encryption results will lower the attack complexity to just 56 bits; similar problems can occur if hashes in the NIST SP 800-108 are naïvely replaced by the KDFs.^[5]

• Lua error in Module:Citation/CS1/Configuration at line 2172: attempt to index field '?' (a nil value).
• Lua error in Module:Citation/CS1/Configuration at line 2172: attempt to index field '?' (a nil value).
• Lua error in Module:Citation/CS1/Configuration at line 2172: attempt to index field '?' (a nil value).
• Lua error in Module:Citation/CS1/Configuration at line 2172: attempt to index field '?' (a nil value).