Shortest SHA-3 output

You have a misconception:
With SHA3/Keccak, being a bit strange compared to previous hash functions, output size is not comparable to security. A certain security level requires a minimum output size, but the output can be made longer without increasing the security as hash.

The minimum hash size (of Keccak in general, not of the standardized subset called SHA3) is 1 bit:

In the sponge construction the value of the sum c+r is restricted, but how much of it is c and how much r is freely choosable. Make r=1 and do only one iteration in the squeezing part (after the vertical line), then the hash output z0 has exactly 1 bit.

enter image description here


The SHA-3 standard is both old and new.

It's "old" because the competition for selecting the SHA-3 hash function began back in 2009 and we know since 2012 that Keccak won.

On the other hand, the standardization of SHA-3 is fairly new, considering FIPS-202 was standardized in August 2015.

If you want to use SHA-3, the shortest output length is 224 bits (SHA3-224), the longest output lenght for SHA-3 is 512-bit (SHA3-512).

However FIPS-202: SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions also defines two exentdible output functions (XOFs): SHAKE128 and SHAKE256 which have both a variable output length. Note that SHAKE128-256 isn't the same as SHA3-256 due to different padding.

The SHAKE functions allow arbitrary output lengths, as long as Keccak supports it. As Keccak is based on the sponge construction abitrary long outputs are no problem, however arbitrary short outputs can be obtained by simple truncation. The SHAKE functions accept the digest length in bits and don't perform any lower-bound checking, meaning that 1 bit is the shortest possible output of these functions.

Tags:

Sha 3