On Sun, Apr 22, 2012 at 4:54 AM, Marsh Ray <ma...@extendedsubset.com> wrote:
> On 04/22/2012 02:55 PM, Jeffrey Walton wrote:
>> This might sound crazy, but I would rather have a NIST approved hash
>> that runs orders of magnitude slower to resist offline, brute forcing
>> attacks.
>
> Well, that's what we have KDFs with a tunable work factor like PBKDF2 for.

Exactly, hash functions aren't designed to be KDFs - they've merely been appropriated within the design of some KDFs. A specific hash function, to meet the general requirements of a hash function, must be fast. You can take a fast hash function and design a slow KDF from it but not the converse. It would be rather silly in my opinion for NIST to mandate a "slow" hash function as it would only be useful for this particular scenario. For almost every other application - and there are many, many more uses for a hash function - it would be rendered useless and nobody would implement it other than for, guess what, as part of a KDF. So why not just mandate an/another KDF standard? The moral of the story is use the correct tool for the job: an artist's paint brush is excellent for painting pictures but it will take you a while to decorate your house with it.

_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
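
The construction discussed in this thread, a slow KDF with a tunable work factor built from a fast hash, shown as an added example (not code from either poster): PBKDF2 per RFC 8018 written out over HMAC and checked against Python's `hashlib.pbkdf2_hmac`. The names `pbkdf2` and `prf_calls` and the sample password and salt are constructed for illustration.

```python
import hashlib
import hmac
import struct


def pbkdf2(hash_name, password, salt, iterations, dklen):
    """PBKDF2 (RFC 8018) built from a fast hash via HMAC."""
    if iterations < 1 or dklen < 1:
        raise ValueError("iterations and dklen must be positive")
    # Key the HMAC once; copy() the keyed state for every PRF call.
    keyed = hmac.new(password, None, hash_name)
    hlen = keyed.digest_size

    def prf(data):
        h = keyed.copy()
        h.update(data)
        return h.digest()

    out = b""
    block_index = 1
    while len(out) < dklen:
        # U_1 = PRF(P, S || INT(i)); U_j = PRF(P, U_{j-1}); T_i = U_1 ^ ... ^ U_c
        u = prf(salt + struct.pack(">I", block_index))
        t = int.from_bytes(u, "big")
        for _ in range(iterations - 1):
            u = prf(u)
            t ^= int.from_bytes(u, "big")
        out += t.to_bytes(hlen, "big")
        block_index += 1
    return out[:dklen]


def prf_calls(iterations, dklen, hlen):
    """Number of HMAC invocations a single password guess costs."""
    blocks = -(-dklen // hlen)  # ceiling division
    return blocks * iterations


if __name__ == "__main__":
    pw, salt = b"correct horse", b"constructed-salt"  # constructed sample values
    for c in (1, 1000, 100000):  # the work factor is just the iteration count
        dk = pbkdf2("sha256", pw, salt, c, 32)
        assert dk == hashlib.pbkdf2_hmac("sha256", pw, salt, c, 32)
        print(c, prf_calls(c, 32, 32), dk.hex()[:16])
```

The underlying hash stays fast for every other use; only the iteration count, stored alongside the salt, sets the per-guess cost for an offline attacker.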