[147731] in cryptography@c2.net mail archive


Re: [Cryptography] please dont weaken pre-image resistance of

daemon@ATHENA.MIT.EDU (Arnold Reinhold)
Fri Oct 18 12:40:14 2013

X-Original-To: cryptography@metzdowd.com
From: Arnold Reinhold <agr@me.com>
Date: Fri, 18 Oct 2013 10:15:14 -0400
To: John Kelsey <crypto.jmk@gmail.com>
Cc: cryptography@metzdowd.com, Adam Back <adam@cypherspace.org>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com

On October 17, 2013 12:00 John Kelsey wrote:

...
> In the case of SHA3-512, it's hard to imagine any crypto application needing more than 256 bits of security, and almost nothing else in our crypto toolkit (NIST's or the bigger community's) tries to get higher security than that.  Personally, I think demanding a loss of performance to reach security levels higher than 256 bits is nuts.  It's trading real performance off against imaginary, cosmetic security. ...

Let's think for a moment about users who design to 256-bit security. There is nothing currently that comes close to compromising 128-bit systems. A trillion processors each testing a trillion keys a second would take 6 million years on average to recover or forge just one 128-bit key. Any rational choice for 256-bit security is seeking to protect data far into the future, against threats currently unknown or only imagined, like quantum computing, DNA processing, super algebra systems or other mathematical breakthroughs. How important is performance to such users? I submit such users want primitives with large margins of safety. Does larger internal state delay any quantum attack? Certainly. Does larger internal state complicate attacks on entropy collectors? Indeed. We've only had a few years to look at Keccak-like systems. Weaknesses that revealed less-than-nominal strength in other primitives have emerged after longer intervals. Those who express conservative instincts are not being foolish here.

Arnold Reinhold
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
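The brute-force estimate in Reinhold's message (a trillion processors, each testing a trillion keys per second, against a 128-bit key) generalises to any security level, and the same arithmetic is what a practitioner reaches for when weighing a 128-bit against a 256-bit design target. The following is an added example, not code from either Reinhold's or Kelsey's post: it reproduces the attacker model from the text and extends it with a quantum branch. The quantum branch assumes an ideal Grover search costing on the order of 2^(n/2) evaluations with constant factors ignored, and that parallelising Grover over P machines yields only a sqrt(P) speedup (Zalka's result); neither assumption appears on the page.

```python
"""Expected brute-force time for an n-bit secret under the attacker model
in the message above: P processors, each testing R candidates per second.
Added example; not code from the original post."""

import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Attacker model taken from the text: a trillion processors, a trillion keys/s each.
DEFAULT_PROCESSORS = 1e12
DEFAULT_RATE = 1e12


def expected_candidates(security_bits, quantum=False):
    """Expected number of candidates an attacker must test.

    Classical exhaustive search finds the secret after half the keyspace
    on average: 2**(n-1).  The quantum branch is an assumption, not from
    the page: an ideal Grover search needs on the order of 2**(n/2)
    evaluations of the function, constant factors ignored.
    """
    if quantum:
        return 2.0 ** (security_bits / 2)
    return 2.0 ** (security_bits - 1)


def expected_years(security_bits, processors=DEFAULT_PROCESSORS,
                   rate_per_processor=DEFAULT_RATE, quantum=False):
    """Expected wall-clock years to recover one n-bit secret.

    Classical search parallelises perfectly: P machines give a P-fold
    speedup.  Grover search does not: running it on P quantum machines
    gives only a sqrt(P) speedup (Zalka 1999, assumed here), so the
    quantum branch scales the rate by sqrt(P) rather than P.
    """
    work = expected_candidates(security_bits, quantum)
    parallelism = math.sqrt(processors) if quantum else processors
    effective_rate = rate_per_processor * parallelism
    return work / effective_rate / SECONDS_PER_YEAR


def margin_table(bit_sizes=(80, 128, 192, 256)):
    """Rows of (bits, classical_years, quantum_years) for a quick comparison."""
    return [(n, expected_years(n), expected_years(n, quantum=True))
            for n in bit_sizes]


if __name__ == "__main__":
    for n, classical, quantum in margin_table():
        print(f"{n:4d}-bit  classical: {classical:10.3e} years"
              f"   Grover: {quantum:10.3e} years")
```

With the defaults, `expected_years(128)` comes out at roughly 5.4 million years, which is the figure in the message up to rounding; `expected_years(256)` is 2^128 times that. The quantum rows show why the margin matters to the users Reinhold describes: under the same (generous) hardware assumption, a 128-bit secret falls in seconds to an idealised Grover search, while a 256-bit one still takes on the order of 10^13 years.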
