[147345] in cryptography@c2.net mail archive


Re: [Cryptography] NIST about to weaken SHA3?

daemon@ATHENA.MIT.EDU (Viktor Dukhovni)
Mon Sep 30 14:00:55 2013

X-Original-To: cryptography@metzdowd.com
Date: Mon, 30 Sep 2013 14:44:17 +0000
From: Viktor Dukhovni <cryptography@dukhovni.org>
To: cryptography@metzdowd.com
In-Reply-To: <52492C30.3080401@echeque.com>
Reply-To: cryptography@metzdowd.com
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com

On Mon, Sep 30, 2013 at 05:45:52PM +1000, James A. Donald wrote:

> On 2013-09-30 14:34, Viktor Dukhovni wrote:
> >On Mon, Sep 30, 2013 at 05:12:06AM +0200, Christoph Anton Mitterer wrote:
> >
> >>Not sure whether this has been pointed out / discussed here already (but
> >>I guess Perry will reject my mail in case it has):
> >>
> >>https://www.cdt.org/blogs/joseph-lorenzo-hall/2409-nist-sha-3
> >I call FUD.  If progress is to be made, fight the right fights.
> >
> >The SHA-3 specification was not "weakened", the blog confuses the
> >effective security of the algorithm with the *capacity* of the
> >sponge construction.
> 
> SHA3 has been drastically weakened from the proposal that was
> submitted and cryptanalyzed:  See for example slides 43 and 44 of
> https://docs.google.com/file/d/0BzRYQSHuuMYOQXdHWkRiZXlURVE/edit

Have you read the SAKURA paper?

    http://eprint.iacr.org/2013/231.pdf

In section 6.1 it describes 4 capacities for the SHA-2 drop-in
replacements, and in 6.2 these are simplified to two (and strengthened
for the truncated digests) i.e. the proposal chosen by NIST.

Should one also accuse ESTREAM of maliciously weakening SALSA?  Or
might one admit the possibility that winning designs in contests
are at times quite conservative and that one can reasonably
standardize less conservative parameters that are more competitive
in software?

If SHA-3 is going to be used, it needs to offer some advantages
over SHA-2.  Good performance and built-in support for tree hashing
(ZFS, ...) are acceptable reasons to make the trade-off explained
on slides 34, 35 and 36 of:

    https://ae.rsaconference.com/US13/connect/fileDownload/session/397EA47B1FB103F0B3E87D6163C7129E/CRYP-W23.pdf

-- 
	Viktor.
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
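To make the distinction Viktor draws concrete (capacity of the sponge versus effective security of the digest), here is an added example that is not part of the thread. It applies the Keccak team's flat sponge claim (generic resistance up to 2^(c/2) work, unless an n-bit random oracle is already weaker) to two assumed parameter sets: the competition submission with c = 2n, and the 2013 NIST draft with c = 256 for the short digests and c = 512 for the long ones; those values are recalled for illustration, not taken from the mail.

```python
# Added example (not from the thread): generic security bounds of a
# sponge-based hash as a function of capacity c and digest length n.
from dataclasses import dataclass

KECCAK_F_WIDTH = 1600  # state width b of Keccak-f[1600], in bits


@dataclass(frozen=True)
class SpongeParams:
    name: str
    digest_bits: int     # n: length of the truncated output
    capacity_bits: int   # c: part of the state never exposed to input/output

    @property
    def rate_bits(self) -> int:
        # r = b - c: bits absorbed per permutation call; larger r means
        # fewer permutation calls per byte, i.e. faster hashing.
        return KECCAK_F_WIDTH - self.capacity_bits

    def collision_bits(self) -> int:
        # Birthday bound on an n-bit output, capped by the sponge claim c/2.
        return min(self.capacity_bits // 2, self.digest_bits // 2)

    def preimage_bits(self) -> int:
        # Brute force on an n-bit output, capped by the sponge claim c/2.
        return min(self.capacity_bits // 2, self.digest_bits)


# Assumed parameter sets (illustrative, see lead-in): submission used c = 2n;
# the 2013 draft used c = 256 for 224/256-bit and c = 512 for 384/512-bit.
DIGESTS = (224, 256, 384, 512)
SUBMISSION = [SpongeParams(f"Keccak-{n}", n, 2 * n) for n in DIGESTS]
NIST_DRAFT = [SpongeParams(f"SHA3-{n}", n, 256 if n <= 256 else 512)
              for n in DIGESTS]


def compare(a: SpongeParams, b: SpongeParams) -> dict:
    """How the generic bounds and the rate change when moving from a to b."""
    return {
        "digest": a.digest_bits,
        "collision_a": a.collision_bits(), "collision_b": b.collision_bits(),
        "preimage_a": a.preimage_bits(), "preimage_b": b.preimage_bits(),
        "rate_gain_bits": b.rate_bits - a.rate_bits,
    }


if __name__ == "__main__":
    # Collision bounds are unchanged; only the preimage bound drops to c/2.
    for sub, draft in zip(SUBMISSION, NIST_DRAFT):
        print(compare(sub, draft))
```

The output shows that the lower capacity leaves the collision bound untouched while capping preimage resistance at c/2, which is exactly the trade-off between the two capacity levels that the blog post read as "weakening".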
