[147333] in cryptography@c2.net mail archive


Re: [Cryptography] NIST about to weaken SHA3?

daemon@ATHENA.MIT.EDU (Viktor Dukhovni)
Mon Sep 30 00:55:05 2013

X-Original-To: cryptography@metzdowd.com
Date: Mon, 30 Sep 2013 04:34:50 +0000
From: Viktor Dukhovni <cryptography@dukhovni.org>
To: cryptography@metzdowd.com
In-Reply-To: <1380510726.26613.4.camel@heisenberg.scientia.net>
Reply-To: cryptography@metzdowd.com
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com

On Mon, Sep 30, 2013 at 05:12:06AM +0200, Christoph Anton Mitterer wrote:

> Not sure whether this has been pointed out / discussed here already (but
> I guess Perry will reject my mail in case it has):
> 
> https://www.cdt.org/blogs/joseph-lorenzo-hall/2409-nist-sha-3

I call FUD.  If progress is to be made, fight the right fights.

The SHA-3 specification was not "weakened"; the blog confuses the
effective security of the algorithm with the *capacity* of the
sponge construction.

The actual NIST Proposal strengthens SHA-3 relative to the authors'
most performant proposal (http://eprint.iacr.org/2013/231.pdf
section 6.1) by rounding up the capacity of the sponge construction
to 256 bits for both SHA3-224 and SHA3-256, and rounding up to 512
bits for both SHA3-384 and SHA3-512 (matching the proposal in
section 6.2).

The result is that the 256-capacity variant gives 128-bit security
against both collision and first preimage attacks, while the 512-bit
capacity variant gives 256-bit security.  This removes the asymmetry
in the security properties of the hash.  Yes, this is a performance
trade-off, but it seems entirely reasonable.  Do you really need
256 bits of preimage resistance with 128-bit ciphersuites, or 512
bits of preimage resistance with 256-bit ciphersuites?

SHA2-256's O(256) bits of preimage resistance was not a design
requirement; rather, it needed 128 bits of collision resistance, and
the stronger preimage resistance is an artifact of the construction.

For a similar sentiment see:

http://crypto.stackexchange.com/questions/10008/why-restricting-sha3-to-have-only-two-possible-capacities

-- 
	Viktor.
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
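The capacity argument above, worked through in code. This is an added example, not code from the mail, from NIST or from the Keccak team. It assumes the Keccak-f[1600] permutation (b = 1600 bits, so rate r = 1600 - c), applies the generic sponge bounds (collision resistance min(n/2, c/2), first-preimage resistance min(n, c/2)) to two parameter sets, the submission's c = 2n and the two-capacity variant the mail describes, and shows the throughput trade-off as a ratio of rates. As a cross-check it compares the c = 2n parameters against Python's `hashlib`, which implements the FIPS 202 parameter sets (those kept c = 2n), since the rate in bytes is exposed as `block_size`. The function and class names are this example's own.

```python
"""Generic sponge security levels for SHA-3 parameter sets.

Added example (not from the mail, NIST or the Keccak team).
Assumes Keccak-f[1600], i.e. permutation width b = 1600 bits.
"""
import hashlib
from dataclasses import dataclass

B = 1600  # width in bits of the Keccak-f permutation used by SHA-3


@dataclass(frozen=True)
class SpongeParams:
    name: str
    n: int  # digest length in bits
    c: int  # capacity in bits

    @property
    def rate(self) -> int:
        # bits absorbed per permutation call; throughput scales with this
        return B - self.c

    @property
    def collision_bits(self) -> int:
        # birthday bound on the digest, or on the c-bit inner state
        return min(self.n // 2, self.c // 2)

    @property
    def preimage_bits(self) -> int:
        # brute force on the digest, or the generic 2^(c/2) sponge attack
        # through the inner state, whichever is cheaper
        return min(self.n, self.c // 2)


def sha3_c_equals_2n():
    # parameter sets of the Keccak submission (and FIPS 202): c = 2n
    return [SpongeParams(f"SHA3-{n}", n, 2 * n) for n in (224, 256, 384, 512)]


def sha3_two_capacities():
    # the variant discussed in the mail: c rounded up to 256 or 512
    return [
        SpongeParams("SHA3-224", 224, 256),
        SpongeParams("SHA3-256", 256, 256),
        SpongeParams("SHA3-384", 384, 512),
        SpongeParams("SHA3-512", 512, 512),
    ]


def security_table(params):
    # name -> (collision bits, first-preimage bits, rate in bits)
    return {p.name: (p.collision_bits, p.preimage_bits, p.rate) for p in params}


def speedup(reference: SpongeParams, candidate: SpongeParams) -> float:
    # long-message throughput is proportional to the rate
    return candidate.rate / reference.rate


def hashlib_rate_matches(p: SpongeParams) -> bool:
    # hashlib implements FIPS 202 (c = 2n); block_size is the rate in bytes
    h = hashlib.new(p.name.lower().replace("-", "_"))
    return h.block_size * 8 == p.rate and h.digest_size * 8 == p.n


if __name__ == "__main__":
    for label, params in (("c = 2n", sha3_c_equals_2n()),
                          ("c in {256, 512}", sha3_two_capacities())):
        print(f"--- {label} ---")
        for name, (coll, pre, rate) in security_table(params).items():
            print(f"{name}: collision {coll}, preimage {pre}, rate {rate} bits")
    for ref, cand in zip(sha3_c_equals_2n(), sha3_two_capacities()):
        print(f"{cand.name}: {speedup(ref, cand):.2f}x throughput vs c = 2n")
    print("hashlib matches c = 2n rates:",
          all(hashlib_rate_matches(p) for p in sha3_c_equals_2n()))
```

With c = 256 the SHA3-224 and SHA3-256 rows both come out at 128-bit collision and 128-bit preimage resistance, which is the symmetry the mail describes; with c = 2n the preimage column equals n while the collision column stays at n/2, the asymmetry it calls an artifact of the construction.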
