[147369] in cryptography@c2.net mail archive


Re: [Cryptography] NIST about to weaken SHA3?

daemon@ATHENA.MIT.EDU (Watson Ladd)
Mon Sep 30 20:41:35 2013

X-Original-To: cryptography@metzdowd.com
In-Reply-To: <5249EB3F.6070304@echeque.com>
Date: Mon, 30 Sep 2013 15:51:13 -0700
From: Watson Ladd <watsonbladd@gmail.com>
To: jamesd@echeque.com
Cc: Cryptography <cryptography@metzdowd.com>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com

On Mon, Sep 30, 2013 at 2:21 PM, James A. Donald <jamesd@echeque.com> wrote:

> On 2013-10-01 00:44, Viktor Dukhovni wrote:
>
>> Should one also accuse ESTREAM of maliciously weakening SALSA?  Or
>> might one admit the possibility that winning designs in contests
>> are at times quite conservative and that one can reasonably
>> standardize less conservative parameters that are more competitive
>> in software?
>>
>
> "less conservative" means weaker.
>
> Weaker in ways that the NSA has examined, and the people that chose the
> winning design have not.
>
This isn't true: Keccak's designers proposed a wide range of capacity
parameters for different environments.

>
> Why then hold a contest and invite outside scrutiny in the first place?
>
> This is simply a brand new unexplained secret design emerging from the
> bowels of the NSA, which already gave us a variety of backdoored crypto.
>
No, it is the Keccak construction with a different rate and capacity.

>
> The design process, the contest, the public examination, was a lie.
>
> Therefore, the design is a lie.

I'm sorry, but the tradeoffs in capacity and their implications were part
of the Keccak submission from the beginning. During the entire process
commentators were questioning the difference between collision security and
preimage security, as it was clear that collisions kill a hash as dead as
preimages. This was a topic of debate on the SHA-3 list between DJB and
others, because DJB designed Cubehash to have the same tradeoff as the
design NIST is proposing to standardize.

>
>
>
> _______________________________________________
> The cryptography mailing list
> cryptography@metzdowd.com
> http://www.metzdowd.com/mailman/listinfo/cryptography
>

Sincerely,
Watson
-- 
"Those who would give up Essential Liberty to purchase a little Temporary
Safety deserve neither Liberty nor Safety."
-- Benjamin Franklin
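As an added worked example (not part of the thread) of the capacity tradeoff discussed above: under the flat sponge claim no generic attack beats 2^(c/2), so shrinking the capacity below the submission's c = 2n leaves collision resistance at n/2 but halves preimage resistance for the 256-bit digest. The "2013 draft proposal" capacities are my recollection of the NIST draft values and are an assumption; the hashlib comparison uses today's FIPS 202 functions as stand-ins for two sponges of equal output length and different capacity.

```python
import hashlib

# Width of the Keccak-f[1600] permutation; rate + capacity must equal this.
KECCAK_F_WIDTH = 1600


def sponge_security(capacity_bits, output_bits):
    """Generic security (in bits) of a sponge hash under the flat sponge claim:
    no generic attack does better than 2^(c/2) work, capped by the digest's
    birthday bound 2^(n/2) for collisions and 2^n for preimages.
    Returns (rate_bits, collision_bits, preimage_bits)."""
    rate_bits = KECCAK_F_WIDTH - capacity_bits
    collision_bits = min(output_bits // 2, capacity_bits // 2)
    preimage_bits = min(output_bits, capacity_bits // 2)
    return rate_bits, collision_bits, preimage_bits


# Capacity choices under discussion. Submission: c = 2n, the conservative
# default in the Keccak submission. Proposal: the reduced capacities from
# NIST's 2013 draft as I recall them (assumption, for illustration only).
CAPACITIES = {
    "submission (c = 2n)": {224: 448, 256: 512, 384: 768, 512: 1024},
    "2013 draft proposal": {224: 256, 256: 256, 384: 512, 512: 512},
}


def compare_parameter_sets():
    """Return {output_len: {label: (rate, collision, preimage)}} so the
    effect of shrinking the capacity is visible per digest length."""
    table = {}
    for label, by_output in CAPACITIES.items():
        for n, c in by_output.items():
            table.setdefault(n, {})[label] = sponge_security(c, n)
    return table


def same_length_different_capacity(msg=b"constructed sample message"):
    """hashlib's SHA3-256 is the c = 512 sponge; SHAKE128 truncated to
    32 bytes is a c = 256 sponge with the same digest length. The digests
    differ: the capacity is part of the function's definition, so changing
    it yields a different hash function, not a re-tuned one."""
    sha3 = hashlib.sha3_256(msg).digest()
    shake = hashlib.shake_128(msg).digest(32)
    return sha3 != shake and len(sha3) == len(shake) == 32


if __name__ == "__main__":
    for n, rows in sorted(compare_parameter_sets().items()):
        for label, (r, col, pre) in rows.items():
            print(f"n={n:3d} {label:20s} rate={r:4d} collision={col:3d} preimage={pre:3d}")
    print("same length, different digests:", same_length_different_capacity())
```

Running it shows the 256-bit row keeping 128-bit collision resistance under both capacities while preimage resistance drops from 256 to 128 bits, which is the "weaker in preimage, not in collision" point the thread is arguing about.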
