|
@@ -8,8 +8,7 @@
|
8
|
8
|
// Both types of hash function use the "sponge" construction and the Keccak
|
9
|
9
|
// permutation. For a detailed specification see http://keccak.noekeon.org/
|
10
|
10
|
//
|
11
|
|
-//
|
12
|
|
-// Guidance
|
|
11
|
+// # Guidance
|
13
|
12
|
//
|
14
|
13
|
// If you aren't sure what function you need, use SHAKE256 with at least 64
|
15
|
14
|
// bytes of output. The SHAKE instances are faster than the SHA3 instances;
|
|
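Review bot: the `// # Guidance` line at new line 11 relies on the `#` heading syntax that Go doc comments gained in Go 1.19; an older toolchain renders the `#` as literal paragraph text, so confirm the module's minimum Go version covers it. The single blank `//` kept before and after the heading (new lines 10 and 12) is what the heading form requires, so dropping the doubled `//` is fine. While this block is being touched, the specification link in the context line above is still plain `http://`; switch it to `https://` if the site serves it.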
@@ -19,8 +18,7 @@
|
19
|
18
|
// secret key to the input, hash with SHAKE256 and read at least 32 bytes of
|
20
|
19
|
// output.
|
21
|
20
|
//
|
22
|
|
-//
|
23
|
|
-// Security strengths
|
|
21
|
+// # Security strengths
|
24
|
22
|
//
|
25
|
23
|
// The SHA3-x (x equals 224, 256, 384, or 512) functions have a security
|
26
|
24
|
// strength against preimage attacks of x bits. Since they only produce "x"
|
|
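Review bot: style nit in the context under `# Security strengths`: new line 23 writes the parameter bare in `SHA3-x (x equals 224, 256, 384, or 512)`, while new line 24 quotes it in `only produce "x"`. Since this paragraph now sits under a rendered heading, pick one form (bare `x` reads better in godoc output) and use it throughout the section.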
@@ -31,8 +29,7 @@
|
31
|
29
|
// is used. Requesting more than 64 or 32 bytes of output, respectively, does
|
32
|
30
|
// not increase the collision-resistance of the SHAKE functions.
|
33
|
31
|
//
|
34
|
|
-//
|
35
|
|
-// The sponge construction
|
|
32
|
+// # The sponge construction
|
36
|
33
|
//
|
37
|
34
|
// A sponge builds a pseudo-random function from a public pseudo-random
|
38
|
35
|
// permutation, by applying the permutation to a state of "rate + capacity"
|
|
@@ -50,8 +47,7 @@
|
50
|
47
|
// Since the KeccakF-1600 permutation is 1600 bits (200 bytes) wide, this means
|
51
|
48
|
// that the security strength of a sponge instance is equal to (1600 - bitrate) / 2.
|
52
|
49
|
//
|
53
|
|
-//
|
54
|
|
-// Recommendations
|
|
50
|
+// # Recommendations
|
55
|
51
|
//
|
56
|
52
|
// The SHAKE functions are recommended for most new uses. They can produce
|
57
|
53
|
// output of arbitrary length. SHAKE256, with an output length of at least
|
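Review bot: with `# Recommendations` (new line 50) promoted to a real heading, it now appears in the doc outline next to `# Guidance` from the first hunk, and the visible openings of both sections give the same advice: prefer SHAKE, specifically SHAKE256 with a minimum output length. Consider folding one section into the other, or having Guidance point to Recommendations, so the two byte counts cannot drift apart in a later edit. The formula line at new line 48 (`(1600 - bitrate) / 2`) is also noticeably longer than the neighbouring comment lines; rewrap it while the block is being touched.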