[147677] in cryptography@c2.net mail archive
Re: [Cryptography] please dont weaken pre-image resistance of SHA3
daemon@ATHENA.MIT.EDU (John Kelsey)
Tue Oct 15 19:18:45 2013
X-Original-To: cryptography@metzdowd.com
In-Reply-To: <20131015182250.GA9010@netbook.cypherspace.org>
From: John Kelsey <crypto.jmk@gmail.com>
Date: Tue, 15 Oct 2013 17:47:27 -0400
To: Adam Back <adam@cypherspace.org>
Cc: Adam Back <adam@cypherspace.org>,
"cryptography@metzdowd.com" <cryptography@metzdowd.com>,
ianG <iang@iang.org>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com
On Oct 15, 2013, at 2:22 PM, Adam Back <adam@cypherspace.org> wrote:
> Are you including truncation in that? (The question was would SHA3-512
> STILL have 256-bit preimage security if it was truncated to 256-bit ie
> motivated by a workaround to get a 256-bit output with conventional 256-bit
> preimage resistance).
Yes. The 2^{c/2} preimage attack on Keccak/SHA3 is a meet in the middle attack on the internal hash state, and it has nothing to do with the output size.
More broadly, anything you can do to a SHA3 version with much less than 2^{c/2} work, you could also do to *any* hash function with the same output size.
> Adam
--John
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography