[147678] in cryptography@c2.net mail archive
Re: [Cryptography] please dont weaken pre-image resistance of SHA3
daemon@ATHENA.MIT.EDU (Adam Back)
Tue Oct 15 19:19:37 2013
Date: Tue, 15 Oct 2013 23:59:32 +0200
From: Adam Back <adam@cypherspace.org>
To: John Kelsey <crypto.jmk@gmail.com>
In-Reply-To: <82824DA4-C218-4851-BB2A-C1AD01FA8D9C@gmail.com>
Cc: Adam Back <adam@cypherspace.org>,
"cryptography@metzdowd.com" <cryptography@metzdowd.com>,
ianG <iang@iang.org>
On Tue, Oct 15, 2013 at 05:47:27PM -0400, John Kelsey wrote:
>On Oct 15, 2013, at 2:22 PM, Adam Back <adam@cypherspace.org> wrote:
>> would SHA3-512 STILL have 256-bit preimage security if truncated to 256-bit ie
>
> Yes. The 2^{c/2} preimage attack on Keccak/SHA3 is a meet in the middle
> attack on the internal hash state, and it has nothing to do with the
> output size.
OK.
> More broadly, anything you can do to a SHA3 version with much less than
> 2^{c/2} work, you could also do to *any* hash function with the same
> output size.
I think what you just said is an attack of work less than 2^128 is harmless
on both a weakened SHA3 preimage and SHA2. But that is not an argument for
reducing the preimage strength to 2^128. Actually I don't understand the
argument for weakening it. Is there a pointer to a rationale? - so far it
makes no sense - unless it's micro-optimization to the massive detriment of
preimage security if you care about that.
Adam
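
The quoted point, that the 2^{c/2} preimage attack is a meet in the middle on the internal state and does not depend on the output size, can be checked on a toy sponge. This is an added illustration, not part of the original message, and it goes beyond the thread by running the generic attack at c = 16: the 32-bit permutation, all names, and the omission of padding are assumptions made for the example (this is not Keccak).

```python
# Toy sponge: 32-bit state, rate r = 16 (high half), capacity c = 16 (low half).
# Constructed invertible mixer standing in for Keccak-f; message padding omitted.
MASK = 0xFFFFFFFF
MUL = 0x9E3779B1                    # odd, hence invertible mod 2**32
MUL_INV = pow(MUL, -1, 1 << 32)     # Python 3.8+

def perm(x):
    for rnd in range(4):
        x = ((x + rnd) * MUL) & MASK
        x ^= x >> 16                # self-inverse on 32-bit words
    return x

def perm_inv(x):
    for rnd in reversed(range(4)):
        x ^= x >> 16
        x = (x * MUL_INV - rnd) & MASK
    return x

def digest(blocks, out_bits=16):
    """Absorb 16-bit blocks into the rate, then output the top out_bits."""
    state = 0
    for m in blocks:
        state = perm(state ^ (m << 16))
    return state >> (32 - out_bits)

def mitm_preimage(target, out_bits=16):
    """Return (two-block preimage, permutation calls) by matching capacities."""
    # Forward: 2^(c/2) states reachable from the IV, indexed by capacity half.
    forward = {}
    for m in range(1 << 8):
        s = perm(m << 16)
        forward[s & 0xFFFF] = (m, s)
    # Backward: invert final states whose top out_bits equal the target;
    # every bit not shown in the output is free for the attacker to vary.
    free_bits = 32 - out_bits
    for tail in range(1 << free_bits):
        u = perm_inv((target << free_bits) | tail)
        hit = forward.get(u & 0xFFFF)
        if hit:
            m, s = hit
            last = (s ^ u) >> 16    # rate difference is absorbed as a block
            return (m, last), (1 << 8) + tail + 1
    return None, (1 << 8) + (1 << free_bits)
```

The work returned is on the order of 2^{c/2} = 2^8 permutation calls per side whether 16 or 8 output bits are requested; only a larger capacity raises it.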