Questionable use of symmetric primitives in Smaug-T and HAETAE


Seongkwang Kim

Feb 29, 2024, 2:33:45 AM
to KpqC-bulletin
Hi,

While reading specs of Smaug-T and HAETAE, I found some peculiar points in the use of symmetric primitives.

1. Smaug-T
Smaug-T seems to use SHAKE128 as the XOF in the spec throughout all the security levels. I think that the use of SHAKE128 at over-L3 security may have a potential vulnerability related to collision resistance. Are there any design criteria for it?

2. HAETAE
While the spec of HAETAE does not provide the size of mu (a hash of pk and message), it seems that mu in the reference code is 32 bytes regardless of security level. I think that an attacker can forge HAETAE with L3, L5 security by making a mu-collision in the EUF-CMA game.

I will be happy to receive any correction if I was wrong.
Cheers,
Seongkwang

Hyoeun Seong

Mar 4, 2024, 12:58:37 AM
to KpqC-bulletin
Hello,

Thank you for your interest and review of SMAUG-T.

We noted in the spec that XOF is instantiated with shake128; however, functions related to secret values (such as hwt sampling) use shake256 at all security levels.
But as you mentioned, there are indeed parts where the XOF is used for generating/extending secret values, which needs to be updated to use shake256 (e.g. Fig. 7, line 2).

We are preparing an update to separate and clearly indicate symmetric primitives related to secret values to avoid any confusion.
This update will be made available on our website soon.

Thank you again for your interest.

On behalf of team SMAUG-T.


On Thursday, February 29, 2024 at 4:33:45 PM UTC+9, Seongkwang Kim wrote:

Hyeongmin Choe

Mar 4, 2024, 1:02:33 AM
to KpqC-bulletin
Hi Dr Seongkwang Kim, and hi all,

we first thank you for your interest in HAETAE.

We agree that the length of mu should be longer; we made a mistake in hashing the message instead of using M directly.
It can be fixed using 512-bit mu, which was originally 256 bits copied from 1088-bit shake256 output, with no performance drop.
This will be included in the next HAETAE update.

Thank you again for your interest.

Hyeongmin Choe,
on behalf of team HAETAE.

On Thursday, February 29, 2024 at 4:33:45 PM UTC+9, Seongkwang Kim wrote:
Hi,
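The two concerns raised in this thread (SHAKE128 as the XOF for secret material in SMAUG-T, and a 256-bit mu = H(pk || M) in HAETAE at levels 3 and 5) both come down to the same generic bound: the collision strength of a sponge output is min(d/2, c/2) bits, where d is the number of output bits kept and c is the capacity (256 for SHAKE128, 512 for SHAKE256). The following is an added example, not code from the thread or from the SMAUG-T/HAETAE teams. It computes those generic bounds, checks a mu length against an assumed level-to-collision-bits mapping (a simplified mapping constructed for this example, not a statement from the spec), and runs a small birthday experiment on a truncated SHAKE256 digest to show the 2^(d/2) scaling that makes a 256-bit mu fall short of 192- and 256-bit collision targets.

```python
"""
Added example (not from the thread, SMAUG-T or HAETAE): generic security of a
SHAKE output as a function of capacity and retained output length, plus a toy
birthday-collision experiment on a truncated digest.
"""
import hashlib
from typing import Dict, Optional, Tuple

# Sponge capacity in bits. Generic collision and preimage attacks on a sponge
# are bounded by c/2, independent of how much output is squeezed.
SHAKE_CAPACITY_BITS = {"shake128": 256, "shake256": 512}

# Assumed (constructed for this example) collision-resistance targets per
# NIST PQC category: 128 / 192 / 256 bits for levels 1 / 3 / 5.
LEVEL_COLLISION_BITS = {1: 128, 3: 192, 5: 256}


def generic_security_bits(xof: str, output_bytes: int) -> Dict[str, int]:
    """Generic (birthday / brute-force) strength of a SHAKE output truncated
    to output_bytes: collision = min(d/2, c/2), preimage = min(d, c/2)."""
    c = SHAKE_CAPACITY_BITS[xof]
    d = 8 * output_bytes
    return {"collision": min(d // 2, c // 2), "preimage": min(d, c // 2)}


def mu_meets_level(xof: str, mu_bytes: int, level: int) -> bool:
    """True if a mu of mu_bytes squeezed from xof still reaches the assumed
    collision target of the given level (hypothetical check, not the spec's)."""
    return generic_security_bits(xof, mu_bytes)["collision"] >= LEVEL_COLLISION_BITS[level]


def truncated_digest(msg: bytes, nbits: int) -> int:
    """SHAKE256 output truncated to the first nbits, returned as an int.
    A deliberately tiny digest so the birthday experiment runs in seconds."""
    nbytes = (nbits + 7) // 8
    raw = int.from_bytes(hashlib.shake_256(msg).digest(nbytes), "big")
    return raw >> (8 * nbytes - nbits)


def birthday_collision(nbits: int, limit: int = 1 << 20) -> Optional[Tuple[int, bytes, bytes]]:
    """Store each truncated digest until one repeats. Returns
    (tries, msg_a, msg_b) or None; expected tries is on the order of 2^(nbits/2),
    which is why collision strength is half the digest length."""
    seen: Dict[int, bytes] = {}
    for i in range(limit):
        m = b"constructed-msg-%d" % i  # constructed inputs, no real messages
        h = truncated_digest(m, nbits)
        if h in seen:
            return i + 1, seen[h], m
        seen[h] = m
    return None


if __name__ == "__main__":
    for xof, nbytes in (("shake128", 32), ("shake256", 32), ("shake256", 64)):
        print(xof, nbytes, "bytes ->", generic_security_bits(xof, nbytes))
    for lvl in (1, 3, 5):
        print("level", lvl,
              "32-byte mu ok:", mu_meets_level("shake256", 32, lvl),
              "64-byte mu ok:", mu_meets_level("shake256", 64, lvl))
    found = birthday_collision(24)
    if found:
        tries, a, b = found
        print("24-bit truncated digest collided after", tries, "tries:", a, b)
```

The table printed by the first loop is the whole argument in numbers: 32 bytes of SHAKE256 give 128-bit collision strength, 64 bytes give 256-bit, and SHAKE128 is capped at 128 bits by its capacity no matter how many bytes are squeezed, which is why the SMAUG-T reply moves secret-dependent sampling to SHAKE256 and the HAETAE reply moves mu to 512 bits.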