[147670] in cryptography@c2.net mail archive
Re: [Cryptography] please dont weaken pre-image resistance of SHA3
daemon@ATHENA.MIT.EDU (Ray Dillinger)
Tue Oct 15 12:50:25 2013
X-Original-To: cryptography@metzdowd.com
Date: Tue, 15 Oct 2013 01:05:39 -0700
From: Ray Dillinger <bear@sonic.net>
To: cryptography@metzdowd.com
In-Reply-To: <20131014145143.GA30733@netbook.cypherspace.org>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com
On 10/14/2013 07:51 AM, Adam Back wrote:
> All other common hash functions have tried to do full preimage security, so
> it will lead to design confusion to vary an otherwise standard assumption.
> It will probably have bad interactions with many existing KDF, MAC,
> merkle-tree designs and combined cipher+integrity modes, and hashcash (partial
> preimage as used in bitcoin as a proof of work), which are designed in a
> generic way to use a hash as a building block and assume the hash has full
> length pre-image protection.
Oddly enough, Bitcoin is built on no such assumption. The standard
hash used in Bitcoin is SHA256(SHA256(text)), both for authentication
and proof of work. I had wondered whether there was any rationale
for that choice and figured Nakamoto was just being paranoid about
possible future cryptanalysis. But if considered as a drop-in
replacement, the analogous choice would be fully justified with a
(strength at half-length) SHA3.
Bear
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
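The two constructions the thread argues about, Bitcoin's SHA256(SHA256(text)) and hashcash-style partial-preimage proof of work, as an added example that is not part of the original message or of any of the projects named. The header bytes and the difficulty of 12 leading zero bits are constructed values for the demonstration.

```python
import hashlib


def double_sha256(data: bytes) -> bytes:
    """Bitcoin's hash: SHA-256 applied twice, as mentioned in the message above."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def leading_zero_bits(digest: bytes) -> int:
    """Count leading zero bits; this is the 'partial preimage' hashcash measures."""
    zeros = 0
    for byte in digest:
        if byte == 0:
            zeros += 8
            continue
        zeros += 8 - byte.bit_length()
        break
    return zeros


def meets_target(digest: bytes, difficulty_bits: int) -> bool:
    """A digest satisfies the proof of work when it has at least difficulty_bits leading zeros."""
    return leading_zero_bits(digest) >= difficulty_bits


def find_nonce(header: bytes, difficulty_bits: int, max_tries: int = 1 << 24):
    """Hashcash-style search: append a 4-byte nonce until the double hash meets the target.

    Expected cost is about 2**difficulty_bits hashes; note that a proof of work only
    needs this partial preimage to be hard, not a full-length preimage.
    Returns (nonce, digest) or None if max_tries is exhausted.
    """
    for nonce in range(max_tries):
        candidate = header + nonce.to_bytes(4, "little")
        digest = double_sha256(candidate)
        if meets_target(digest, difficulty_bits):
            return nonce, digest
    return None


if __name__ == "__main__":
    # Constructed header, not real Bitcoin block data.
    header = b"constructed-block-header-v1"
    result = find_nonce(header, 12)
    if result is not None:
        nonce, digest = result
        print(f"nonce={nonce} digest={digest.hex()} zeros={leading_zero_bits(digest)}")
```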