8.9. Use of SHAKE256 as a Hash Function

Ed448 uses SHAKE256 as a hash function, even though SHAKE256 is specifically defined not to be a hash function.

The first potentially troublesome property is that shorter outputs are prefixes of longer ones. This is acceptable because output lengths are fixed.

The second potentially troublesome property is failing to meet standard hash security notions (especially with preimages). However, the estimated 256-bit security level against collisions and preimages is sufficient to pair with a 224-bit level elliptic curve.
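The prefix property and the fixed-length mitigation can be checked directly with Python's `hashlib`. This is an added example, not code from the specification: the function names are hypothetical, the sample inputs are constructed, and the `dom4` prefix and 114-octet output length are taken from the Ed448 definition in RFC 8032 rather than from this section.

```python
import hashlib

ED448_HASH_LEN = 114  # 2 * 57 octets: the fixed SHAKE256 output length Ed448 uses


def dom4(phflag: int, context: bytes) -> bytes:
    """RFC 8032 dom4: "SigEd448" || octet(phflag) || octet(len(context)) || context."""
    if phflag not in (0, 1):
        raise ValueError("phflag must be 0 (Ed448) or 1 (Ed448ph)")
    if len(context) > 255:
        raise ValueError("context is limited to 255 octets")
    return b"SigEd448" + bytes([phflag, len(context)]) + context


def ed448_hash(data: bytes, context: bytes = b"", phflag: int = 0) -> bytes:
    """H(x) = SHAKE256(dom4(phflag, context) || x, 114).

    The output length is a constant, not a parameter, so a caller can never
    obtain two related outputs of different lengths for the same input.
    """
    return hashlib.shake_256(dom4(phflag, context) + data).digest(ED448_HASH_LEN)


def shake_prefix_holds(data: bytes, short_len: int, long_len: int) -> bool:
    """True when the shorter SHAKE256 output is a prefix of the longer one."""
    shorter = hashlib.shake_256(data).digest(short_len)
    longer = hashlib.shake_256(data).digest(long_len)
    return longer[:short_len] == shorter


def sha2_prefix_holds(data: bytes) -> bool:
    """Same check for SHA-384 against SHA-512.

    SHA-384 is a truncated SHA-512 with different initial values, so the
    two digests are unrelated, as expected of distinct hash functions.
    """
    return hashlib.sha512(data).digest()[:48] == hashlib.sha384(data).digest()


if __name__ == "__main__":
    msg = b"constructed sample message"
    print("SHAKE256: 32-octet output is a prefix of the 114-octet output:",
          shake_prefix_holds(msg, 32, ED448_HASH_LEN))
    print("SHA-2: SHA-384 is a prefix of SHA-512:", sha2_prefix_holds(msg))
    print("Ed448 H(x) length:", len(ed448_hash(msg)))
```
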