Why is SHA-3 robust against Length-Extension Attacks?

Clash Royale CLAN TAG#URR8PPP

up vote
2
down vote

favorite

If a length extension attack can occur because of $H(textK||textMessage)$, what changed in SHA-3 from SHA-2 that prevents this from occurring?

mac sha-3

share|improve this question

edited 16 mins ago

Ella Rose

13.6k43372

asked 54 mins ago

elberman

111

New contributor

elberman is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

add a comment | 

up vote
2
down vote

favorite

If a length extension attack can occur because of $H(textK||textMessage)$, what changed in SHA-3 from SHA-2 that prevents this from occurring?

mac sha-3

share|improve this question

edited 16 mins ago

Ella Rose

13.6k43372

asked 54 mins ago

elberman

111

New contributor

elberman is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

add a comment | 

up vote
2
down vote

favorite

up vote
2
down vote

favorite

If a length extension attack can occur because of $H(textK||textMessage)$, what changed in SHA-3 from SHA-2 that prevents this from occurring?

mac sha-3

share|improve this question

edited 16 mins ago

Ella Rose

13.6k43372

asked 54 mins ago

elberman

111

New contributor

elberman is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

If a length extension attack can occur because of $H(textK||textMessage)$, what changed in SHA-3 from SHA-2 that prevents this from occurring?

mac sha-3

mac sha-3

share|improve this question

edited 16 mins ago

Ella Rose

13.6k43372

asked 54 mins ago

elberman

111

New contributor

elberman is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

share|improve this question

edited 16 mins ago

Ella Rose

13.6k43372

asked 54 mins ago

elberman

111

New contributor

elberman is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

share|improve this question

share|improve this question

edited 16 mins ago

Ella Rose

13.6k43372

edited 16 mins ago

Ella Rose

13.6k43372

edited 16 mins ago

Ella Rose

13.6k43372

13.6k43372

asked 54 mins ago

elberman

111

New contributor

elberman is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

asked 54 mins ago

elberman

111

asked 54 mins ago

elberman

111

111

New contributor

elberman is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

New contributor

elberman is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

elberman is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

add a comment | 

add a comment | 

1 Answer
1

active

oldest

votes

up vote
3
down vote

Everything was changed between SHA-2 and SHA-3.

In the specific case of the "length extension attack": the issue is that SHA-2 process data by splitting it into elementary blocks (64 or 128 bytes, depending on the SHA-2 variant), and produces for each block an output which has exactly the same size as the function output. Moreover, the output for a complete message is merely the current output after processing all blocks of the (padded) message. This means that anybody can take a hash output and "continue" processing of a longer message with additional blocks.

In SHA-3, a sponge construction is used. The crucial point is that, in a sponge, the internal state is much larger than the hash function output. Thus, you cannot simply "continue" processing of a message by using a hash output, because that output contains only a fraction of the internal state.

You can get the same kind of protection with a SHA-2 function by truncating the output. For instance, there is a (relatively new) member of the SHA-2 family called "SHA-512/256", which is SHA-512 (with a different conventional IV) with output truncated to 256 bits. This truncation makes it immune to the length extension attack.

share|improve this answer

answered 34 mins ago

Thomas Pornin

65.8k12171251

add a comment | 

Your Answer

StackExchange.ifUsing("editor", function ()
return StackExchange.using("mathjaxEditing", function ()
StackExchange.MarkdownEditor.creationCallbacks.add(function (editor, postfix)
StackExchange.mathjaxEditing.prepareWmdForMathJax(editor, postfix, [["$", "$"], ["\\(","\\)"]]);
);
);
, "mathjax-editing");

StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "281"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
convertImagesToLinks: false,
noModals: false,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);

elberman is a new contributor. Be nice, and check out our Code of Conduct.

 

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name Email

StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f62622%2fwhy-is-sha-3-robust-against-length-extension-attacks%23new-answer', 'question_page');

);

Post as a guest

Name Email

1 Answer
1

active

oldest

votes

1 Answer
1

active

oldest

votes

active

oldest

votes

active

oldest

votes

up vote
3
down vote

Everything was changed between SHA-2 and SHA-3.

In the specific case of the "length extension attack": the issue is that SHA-2 process data by splitting it into elementary blocks (64 or 128 bytes, depending on the SHA-2 variant), and produces for each block an output which has exactly the same size as the function output. Moreover, the output for a complete message is merely the current output after processing all blocks of the (padded) message. This means that anybody can take a hash output and "continue" processing of a longer message with additional blocks.

In SHA-3, a sponge construction is used. The crucial point is that, in a sponge, the internal state is much larger than the hash function output. Thus, you cannot simply "continue" processing of a message by using a hash output, because that output contains only a fraction of the internal state.

You can get the same kind of protection with a SHA-2 function by truncating the output. For instance, there is a (relatively new) member of the SHA-2 family called "SHA-512/256", which is SHA-512 (with a different conventional IV) with output truncated to 256 bits. This truncation makes it immune to the length extension attack.

share|improve this answer

answered 34 mins ago

Thomas Pornin

65.8k12171251

add a comment | 

up vote
3
down vote

Everything was changed between SHA-2 and SHA-3.

In the specific case of the "length extension attack": the issue is that SHA-2 process data by splitting it into elementary blocks (64 or 128 bytes, depending on the SHA-2 variant), and produces for each block an output which has exactly the same size as the function output. Moreover, the output for a complete message is merely the current output after processing all blocks of the (padded) message. This means that anybody can take a hash output and "continue" processing of a longer message with additional blocks.

In SHA-3, a sponge construction is used. The crucial point is that, in a sponge, the internal state is much larger than the hash function output. Thus, you cannot simply "continue" processing of a message by using a hash output, because that output contains only a fraction of the internal state.

You can get the same kind of protection with a SHA-2 function by truncating the output. For instance, there is a (relatively new) member of the SHA-2 family called "SHA-512/256", which is SHA-512 (with a different conventional IV) with output truncated to 256 bits. This truncation makes it immune to the length extension attack.

share|improve this answer

answered 34 mins ago

Thomas Pornin

65.8k12171251

add a comment | 

up vote
3
down vote

up vote
3
down vote

Everything was changed between SHA-2 and SHA-3.

In the specific case of the "length extension attack": the issue is that SHA-2 process data by splitting it into elementary blocks (64 or 128 bytes, depending on the SHA-2 variant), and produces for each block an output which has exactly the same size as the function output. Moreover, the output for a complete message is merely the current output after processing all blocks of the (padded) message. This means that anybody can take a hash output and "continue" processing of a longer message with additional blocks.

In SHA-3, a sponge construction is used. The crucial point is that, in a sponge, the internal state is much larger than the hash function output. Thus, you cannot simply "continue" processing of a message by using a hash output, because that output contains only a fraction of the internal state.

You can get the same kind of protection with a SHA-2 function by truncating the output. For instance, there is a (relatively new) member of the SHA-2 family called "SHA-512/256", which is SHA-512 (with a different conventional IV) with output truncated to 256 bits. This truncation makes it immune to the length extension attack.

share|improve this answer

answered 34 mins ago

Thomas Pornin

65.8k12171251

Everything was changed between SHA-2 and SHA-3.

In the specific case of the "length extension attack": the issue is that SHA-2 process data by splitting it into elementary blocks (64 or 128 bytes, depending on the SHA-2 variant), and produces for each block an output which has exactly the same size as the function output. Moreover, the output for a complete message is merely the current output after processing all blocks of the (padded) message. This means that anybody can take a hash output and "continue" processing of a longer message with additional blocks.

In SHA-3, a sponge construction is used. The crucial point is that, in a sponge, the internal state is much larger than the hash function output. Thus, you cannot simply "continue" processing of a message by using a hash output, because that output contains only a fraction of the internal state.

You can get the same kind of protection with a SHA-2 function by truncating the output. For instance, there is a (relatively new) member of the SHA-2 family called "SHA-512/256", which is SHA-512 (with a different conventional IV) with output truncated to 256 bits. This truncation makes it immune to the length extension attack.

share|improve this answer

answered 34 mins ago

Thomas Pornin

65.8k12171251

share|improve this answer

share|improve this answer

answered 34 mins ago

Thomas Pornin

65.8k12171251

answered 34 mins ago

Thomas Pornin

65.8k12171251

answered 34 mins ago

Thomas Pornin

65.8k12171251

65.8k12171251

add a comment | 

add a comment | 

elberman is a new contributor. Be nice, and check out our Code of Conduct.

 

draft saved

draft discarded

elberman is a new contributor. Be nice, and check out our Code of Conduct.

elberman is a new contributor. Be nice, and check out our Code of Conduct.

elberman is a new contributor. Be nice, and check out our Code of Conduct.

 

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name Email

StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f62622%2fwhy-is-sha-3-robust-against-length-extension-attacks%23new-answer', 'question_page');

);

Post as a guest

Name Email

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name Email

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name Email

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name Email

Name Email

Name

Email

Name Email

Name

Email