[147504] in cryptography@c2.net mail archive


Re: [Cryptography] Sha3

daemon@ATHENA.MIT.EDU (Dan Kaminsky)
Sat Oct 5 10:37:45 2013

X-Original-To: cryptography@metzdowd.com
In-Reply-To: <g46fj9rtkj0g6o0ts8nogxx2.1380620082652@email.android.com>
Date: Fri, 4 Oct 2013 16:09:32 -0700
From: Dan Kaminsky <dan@doxpara.com>
To: Ray Dillinger <bear@sonic.net>
Cc: John Kelsey <crypto.jmk@gmail.com>,
	"cryptography@metzdowd.com List" <cryptography@metzdowd.com>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com

Because not being fast enough means you don't ship.  You don't ship, you
didn't secure anything.

Performance will in fact trump security.  This is the empirical reality.
There's some budget for performance loss. But we have lots and lots of
slow functions. Fast is the game.

(Now, whether my theory that we stuck with MD5 over SHA1 because variable
field lengths are harder to parse in C -- that's an open question to say
the least.)

On Tuesday, October 1, 2013, Ray Dillinger wrote:

> What I don't understand here is why the process of selecting a standard
> algorithm for cryptographic primitives is so highly focused on speed.
>
> We have machines that are fast enough now that while speed isn't a
> non-issue, it is no longer nearly as important as the process is giving it
> precedence for.
>
> Our biggest problem now is security, not speed. I believe that it's a bit
> silly to aim for a minimum acceptable security achievable within the
> context of speed while experience shows that each new class of attacks is
> usually first seen against some limited form of the cipher or found to be
> effective only if the cipher is not carried out to a longer process.
>
>
>
> -------- Original message --------
> From: John Kelsey <crypto.jmk@gmail.com>
> Date: 09/30/2013 17:24 (GMT-08:00)
> To: "cryptography@metzdowd.com List" <cryptography@metzdowd.com>
>
> Subject: [Cryptography] Sha3
>
>
> If you want to understand what's going on wrt SHA3, you might want to look
> at the nist website, where we have all the slide presentations we have been
> giving over the last six months detailing our plans.  There is a lively
> discussion going on at the hash forum on the topic.
>
> This doesn't make as good a story as the new sha3 being some hell spawn
> cooked up in a basement at Fort Meade, but it does have the advantage that
> it has some connection to reality.
>
> You might also want to look at what the Keccak designers said about what
> the capacities should be, to us (they put their slides up) and later to
> various crypto conferences.
>
> Or not.
>
> --John
> _______________________________________________
> The cryptography mailing list
> cryptography@metzdowd.com
> http://www.metzdowd.com/mailman/listinfo/cryptography
>
>

