Why is SHA-3 robust against Length-Extension Attacks?

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP











up vote
2
down vote

favorite












If a length extension attack can occur because of $H(textK||textMessage)$, what changed in SHA-3 from SHA-2 that prevents this from occurring?










share|improve this question









New contributor




elberman is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.























    up vote
    2
    down vote

    favorite












    If a length extension attack can occur because of $H(textK||textMessage)$, what changed in SHA-3 from SHA-2 that prevents this from occurring?










    share|improve this question









    New contributor




    elberman is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
    Check out our Code of Conduct.





















      up vote
      2
      down vote

      favorite









      up vote
      2
      down vote

      favorite











      If a length extension attack can occur because of $H(textK||textMessage)$, what changed in SHA-3 from SHA-2 that prevents this from occurring?










      share|improve this question









      New contributor




      elberman is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.











      If a length extension attack can occur because of $H(textK||textMessage)$, what changed in SHA-3 from SHA-2 that prevents this from occurring?







      mac sha-3






      share|improve this question









      New contributor




      elberman is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.











      share|improve this question









      New contributor




      elberman is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.









      share|improve this question




      share|improve this question








      edited 16 mins ago









      Ella Rose

      13.6k43372




      13.6k43372






      New contributor




      elberman is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.









      asked 54 mins ago









      elberman

      111




      111




      New contributor




      elberman is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.





      New contributor





      elberman is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.






      elberman is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.




















          1 Answer
          1






          active

          oldest

          votes

















          up vote
          3
          down vote













          Everything was changed between SHA-2 and SHA-3.



          In the specific case of the "length extension attack": the issue is that SHA-2 process data by splitting it into elementary blocks (64 or 128 bytes, depending on the SHA-2 variant), and produces for each block an output which has exactly the same size as the function output. Moreover, the output for a complete message is merely the current output after processing all blocks of the (padded) message. This means that anybody can take a hash output and "continue" processing of a longer message with additional blocks.



          In SHA-3, a sponge construction is used. The crucial point is that, in a sponge, the internal state is much larger than the hash function output. Thus, you cannot simply "continue" processing of a message by using a hash output, because that output contains only a fraction of the internal state.



          You can get the same kind of protection with a SHA-2 function by truncating the output. For instance, there is a (relatively new) member of the SHA-2 family called "SHA-512/256", which is SHA-512 (with a different conventional IV) with output truncated to 256 bits. This truncation makes it immune to the length extension attack.






          share|improve this answer




















            Your Answer




            StackExchange.ifUsing("editor", function ()
            return StackExchange.using("mathjaxEditing", function ()
            StackExchange.MarkdownEditor.creationCallbacks.add(function (editor, postfix)
            StackExchange.mathjaxEditing.prepareWmdForMathJax(editor, postfix, [["$", "$"], ["\\(","\\)"]]);
            );
            );
            , "mathjax-editing");

            StackExchange.ready(function()
            var channelOptions =
            tags: "".split(" "),
            id: "281"
            ;
            initTagRenderer("".split(" "), "".split(" "), channelOptions);

            StackExchange.using("externalEditor", function()
            // Have to fire editor after snippets, if snippets enabled
            if (StackExchange.settings.snippets.snippetsEnabled)
            StackExchange.using("snippets", function()
            createEditor();
            );

            else
            createEditor();

            );

            function createEditor()
            StackExchange.prepareEditor(
            heartbeatType: 'answer',
            convertImagesToLinks: false,
            noModals: false,
            showLowRepImageUploadWarning: true,
            reputationToPostImages: null,
            bindNavPrevention: true,
            postfix: "",
            noCode: true, onDemand: true,
            discardSelector: ".discard-answer"
            ,immediatelyShowMarkdownHelp:true
            );



            );






            elberman is a new contributor. Be nice, and check out our Code of Conduct.









             

            draft saved


            draft discarded


















            StackExchange.ready(
            function ()
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f62622%2fwhy-is-sha-3-robust-against-length-extension-attacks%23new-answer', 'question_page');

            );

            Post as a guest






























            1 Answer
            1






            active

            oldest

            votes








            1 Answer
            1






            active

            oldest

            votes









            active

            oldest

            votes






            active

            oldest

            votes








            up vote
            3
            down vote













            Everything was changed between SHA-2 and SHA-3.



            In the specific case of the "length extension attack": the issue is that SHA-2 process data by splitting it into elementary blocks (64 or 128 bytes, depending on the SHA-2 variant), and produces for each block an output which has exactly the same size as the function output. Moreover, the output for a complete message is merely the current output after processing all blocks of the (padded) message. This means that anybody can take a hash output and "continue" processing of a longer message with additional blocks.



            In SHA-3, a sponge construction is used. The crucial point is that, in a sponge, the internal state is much larger than the hash function output. Thus, you cannot simply "continue" processing of a message by using a hash output, because that output contains only a fraction of the internal state.



            You can get the same kind of protection with a SHA-2 function by truncating the output. For instance, there is a (relatively new) member of the SHA-2 family called "SHA-512/256", which is SHA-512 (with a different conventional IV) with output truncated to 256 bits. This truncation makes it immune to the length extension attack.






            share|improve this answer
























              up vote
              3
              down vote













              Everything was changed between SHA-2 and SHA-3.



              In the specific case of the "length extension attack": the issue is that SHA-2 process data by splitting it into elementary blocks (64 or 128 bytes, depending on the SHA-2 variant), and produces for each block an output which has exactly the same size as the function output. Moreover, the output for a complete message is merely the current output after processing all blocks of the (padded) message. This means that anybody can take a hash output and "continue" processing of a longer message with additional blocks.



              In SHA-3, a sponge construction is used. The crucial point is that, in a sponge, the internal state is much larger than the hash function output. Thus, you cannot simply "continue" processing of a message by using a hash output, because that output contains only a fraction of the internal state.



              You can get the same kind of protection with a SHA-2 function by truncating the output. For instance, there is a (relatively new) member of the SHA-2 family called "SHA-512/256", which is SHA-512 (with a different conventional IV) with output truncated to 256 bits. This truncation makes it immune to the length extension attack.






              share|improve this answer






















                up vote
                3
                down vote










                up vote
                3
                down vote









                Everything was changed between SHA-2 and SHA-3.



                In the specific case of the "length extension attack": the issue is that SHA-2 process data by splitting it into elementary blocks (64 or 128 bytes, depending on the SHA-2 variant), and produces for each block an output which has exactly the same size as the function output. Moreover, the output for a complete message is merely the current output after processing all blocks of the (padded) message. This means that anybody can take a hash output and "continue" processing of a longer message with additional blocks.



                In SHA-3, a sponge construction is used. The crucial point is that, in a sponge, the internal state is much larger than the hash function output. Thus, you cannot simply "continue" processing of a message by using a hash output, because that output contains only a fraction of the internal state.



                You can get the same kind of protection with a SHA-2 function by truncating the output. For instance, there is a (relatively new) member of the SHA-2 family called "SHA-512/256", which is SHA-512 (with a different conventional IV) with output truncated to 256 bits. This truncation makes it immune to the length extension attack.






                share|improve this answer












                Everything was changed between SHA-2 and SHA-3.



                In the specific case of the "length extension attack": the issue is that SHA-2 process data by splitting it into elementary blocks (64 or 128 bytes, depending on the SHA-2 variant), and produces for each block an output which has exactly the same size as the function output. Moreover, the output for a complete message is merely the current output after processing all blocks of the (padded) message. This means that anybody can take a hash output and "continue" processing of a longer message with additional blocks.



                In SHA-3, a sponge construction is used. The crucial point is that, in a sponge, the internal state is much larger than the hash function output. Thus, you cannot simply "continue" processing of a message by using a hash output, because that output contains only a fraction of the internal state.



                You can get the same kind of protection with a SHA-2 function by truncating the output. For instance, there is a (relatively new) member of the SHA-2 family called "SHA-512/256", which is SHA-512 (with a different conventional IV) with output truncated to 256 bits. This truncation makes it immune to the length extension attack.







                share|improve this answer












                share|improve this answer



                share|improve this answer










                answered 34 mins ago









                Thomas Pornin

                65.8k12171251




                65.8k12171251




















                    elberman is a new contributor. Be nice, and check out our Code of Conduct.









                     

                    draft saved


                    draft discarded


















                    elberman is a new contributor. Be nice, and check out our Code of Conduct.












                    elberman is a new contributor. Be nice, and check out our Code of Conduct.











                    elberman is a new contributor. Be nice, and check out our Code of Conduct.













                     


                    draft saved


                    draft discarded














                    StackExchange.ready(
                    function ()
                    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f62622%2fwhy-is-sha-3-robust-against-length-extension-attacks%23new-answer', 'question_page');

                    );

                    Post as a guest













































































                    Comments

                    Popular posts from this blog

                    What does second last employer means? [closed]

                    Installing NextGIS Connect into QGIS 3?

                    One-line joke