KMAC / cSHAKE in Libgcrypt

Werner Koch wk at
Fri Sep 15 10:08:24 CEST 2023

On Thu, 14 Sep 2023 15:38, Falko Strenzke said:

> I don't understand what you mean exactly by "we may not even need
> GCRY_MD_CSHAKE". Maybe it is with respect to how we implement it, in that case
> see my comment below on reusing the SHAKE implementation.

That we can use the GCRY_MD_SHAKE256 identifier also for cSHAKE.  The
use of the control codes would modify SHAKE256 to cSHAKE.

> In my opinion we need to add GCRY_MD_CSHAKE128 and  GCRY_MD_CSHAKE256, the two

As long as the resulting digest lengths are the same as the original SHAKE
versions, new identifiers won't be needed.  However, if cSHAKE and SHAKE
are used by a protocol in the same way, new identifiers are indeed
useful.  What I mean is this:

  switch (hash_algo) {
    case GCRY_MD_SHAKE256: do_one_thing (); break;
    case GCRY_MD_CSHAKE256: do_another_thing (); break;
  }



The pioneers of a warless world are the youth that
refuse military service.             - A. Einstein
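
For reference on the point discussed in this message, an added example (not part of the original message and not Libgcrypt code): a from-scratch Python cSHAKE following NIST SP 800-185, showing that with an empty function name N and customization string S it is plain SHAKE, and that a non-empty S changes the digest without changing its length. All function names here are this example's own.

```python
def _rol(v, n):
    return ((v << n % 64) | (v >> (64 - n % 64))) & (2**64 - 1)

def _permute(st):  # Keccak-f[1600] over a 200-byte state (FIPS 202)
    L = [int.from_bytes(st[8*i:8*i+8], "little") for i in range(25)]  # lane (x,y) = L[x+5y]
    rc = 1
    for _ in range(24):
        C = [L[x] ^ L[x+5] ^ L[x+10] ^ L[x+15] ^ L[x+20] for x in range(5)]
        D = [C[(x + 4) % 5] ^ _rol(C[(x + 1) % 5], 1) for x in range(5)]
        L = [L[i] ^ D[i % 5] for i in range(25)]  # theta
        x, y, cur = 1, 0, L[1]
        for t in range(24):  # rho and pi
            x, y = y, (2 * x + 3 * y) % 5
            cur, L[x + 5*y] = L[x + 5*y], _rol(cur, (t + 1) * (t + 2) // 2)
        for r in range(0, 25, 5):  # chi, one row at a time
            T = L[r:r+5]
            for x in range(5):
                L[r + x] = T[x] ^ (~T[(x + 1) % 5] & T[(x + 2) % 5])
        for j in range(7):  # iota
            rc = ((rc << 1) ^ ((rc >> 7) * 0x71)) % 256
            if rc & 2:
                L[0] ^= 1 << ((1 << j) - 1)
    return bytearray(b"".join(v.to_bytes(8, "little") for v in L))

def _sponge(rate, msg, suffix, outlen):
    # suffix byte = domain-separation bits plus first pad bit, then zero fill
    p = bytearray(msg + bytes([suffix]) + bytes(-(len(msg) + 1) % rate))
    p[-1] ^= 0x80  # final pad bit
    st = bytearray(200)
    for off in range(0, len(p), rate):  # absorb
        st[:rate] = bytes(a ^ b for a, b in zip(st, p[off:off+rate]))
        st = _permute(st)
    out = bytes(st[:rate])
    while len(out) < outlen:  # squeeze
        st = _permute(st)
        out += st[:rate]
    return out[:outlen]

def _enc(s):  # SP 800-185 encode_string: left_encode(bit length) || s
    n = 8 * len(s)
    b = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    return bytes([len(b)]) + b + s

def cshake(bits, data, outlen, N=b"", S=b""):
    rate = 200 - bits // 4  # 168 bytes for cSHAKE128, 136 for cSHAKE256
    if not N and not S:
        return _sponge(rate, data, 0x1F, outlen)  # empty N and S: plain SHAKE
    head = bytes([1, rate]) + _enc(N) + _enc(S)  # bytepad(N, S encodings, rate)
    head += bytes(-len(head) % rate)
    return _sponge(rate, head + data, 0x04, outlen)  # cSHAKE domain suffix
```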

More information about the Gcrypt-devel mailing list