Also, this setting does not address the security of MAC constructions based on SHA-3.
For instance, HMAC over SHA-2-256 or SHA-2-512/256 with a 256-bit key is expected to attain 256-bit security (i.e. the MAC size equals the security level).
Yet SHA-3-256 would not reach anything above 128-bit security, even though the MAC is 256 bits long; to attain 256-bit security one would have to scale the MAC size up to 512 bits instead.
Well, not so much now that SHA-3 is length-extension resistant, eschewing the need for HMAC. A standard MAC mode has to be defined anyway, and truncating the output might as well be part of it.
Yeah, Keccak-224 specified c=448. I was trying to simplify things by sticking to Keccak at 256 and 512 bit fixed output lengths, which specified c=512 and c=1024 respectively.
For instance, HMAC over SHA-2-256 or SHA-2-512/256 with a 256-bit key is expected to attain 256-bit security (i.e. the MAC size equals the security level).
Yet SHA-3-256 would not reach anything above 128-bit security, even though the MAC is 256 bits long; to attain 256-bit security one would have to scale the MAC size up to 512 bits instead.