diff options
author | slontis <shane.lontis@oracle.com> | 2022-06-22 15:21:13 +1000 |
---|---|---|
committer | Tomas Mraz <tomas@openssl.org> | 2022-08-17 16:18:30 +0200 |
commit | ba8fd22b358ce0467f4893bc8f925c6272964628 (patch) | |
tree | d7e2042360b0c86b17fa211409fb0162bc64fa11 /doc/man1/openssl-dgst.pod.in | |
parent | 93e5c63ee7a7ef627d234558e850ff962e5dbc71 (diff) |
SHAKE documentation updates for default output length.
Fixes #18586
In order to not break existing applications the OpenSSL documentation
related to SHAKE has been updated.
Background:
All digests algorithms (including XOF's) use the bitlen as the default output length.
This results in a security strength of bitlen / 2.
This means that SHAKE128 will by default have an output length of 16
bytes and a security strength of 64 bits.
For SHAKE256 the default output length is 32 bytes and has a security
strength of 128 bits.
This behaviour was present in 1.1.1 and has been duplicated in the
provider SHAKE algorithms for 3.0.
The SHAKE XOF algorithms have a security strength of
min(bitlen, output xof length in bits / 2).
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18622)
(cherry picked from commit b7cf9dd2393de8e90a15e83466d9b8b781b18385)
Diffstat (limited to 'doc/man1/openssl-dgst.pod.in')
-rw-r--r-- | doc/man1/openssl-dgst.pod.in | 15 |
1 files changed, 14 insertions, 1 deletions
diff --git a/doc/man1/openssl-dgst.pod.in b/doc/man1/openssl-dgst.pod.in index 8a091131cf..5dcdbe548e 100644 --- a/doc/man1/openssl-dgst.pod.in +++ b/doc/man1/openssl-dgst.pod.in @@ -86,7 +86,20 @@ Output the digest or signature in binary form. =item B<-xoflen> I<length> -Set the output length for XOF algorithms, such as B<shake128>. +Set the output length for XOF algorithms, such as B<shake128> and B<shake256>. +This option is not supported for signing operations. + +For OpenSSL providers it is recommended to set this value for shake algorithms, +since the default values are set to only supply half of the maximum security +strength. + +For backwards compatibility reasons the default xoflen length for B<shake128> is +16 (bytes) which results in a security strength of only 64 bits. To ensure the +maximum security strength of 128 bits, the xoflen should be set to at least 32. + +For backwards compatibility reasons the default xoflen length for B<shake256> is +32 (bytes) which results in a security strength of only 128 bits. To ensure the +maximum security strength of 256 bits, the xoflen should be set to at least 64. =item B<-r> |