Re: MD6 withdrawn from SHA-3 competition

2009-07-04 Thread Steven M. Bellovin
On Thu, 2 Jul 2009 20:51:47 -0700
Joseph Ashwood ashw...@msn.com wrote:

 Sent: Wednesday, July 01, 2009 4:05 PM
 Subject: MD6 withdrawn from SHA-3 competition
 
  Also from Bruce Schneier, a report that MD6 was withdrawn from the
  SHA-3 competition because of performance considerations.
 
 I find this disappointing. With the rate of destruction of primitives
 in any such competition I would've liked to see them let it stay
 until it is either broken or at least until the second round. A quick
 glance at the SHA-3 zoo and you won't see much left with no attacks.
 It would be different if it was yet another M-D, using AES as a
 foundation, blah, blah, blah, but MD6 is a truly unique and
 interesting design.
 
 I hope the report is wrong, and in keeping that hope alive, the MD6
 page has no statement about the withdrawal.

The report is quite correct.  Rivest sent a note to NIST's hash forum
mailing list (http://csrc.nist.gov/groups/ST/hash/email_list.html)
announcing the withdrawal.  Since a password is necessary to access the
archives (anti-spam?), I don't want to post the whole note, but Rivest
said that they couldn't improve MD6's performance to meet NIST's
criteria (at least as fast as SHA-2); the designers of MD6 felt that
they could not manage that and still achieve provable resistance to
differential attacks, and they regard the latter as very important.
Here's the essential paragraph:

Thus, while MD6 appears to be a robust and secure cryptographic
hash algorithm, and has much merit for multi-core processors,
our inability to provide a proof of security for a
reduced-round (and possibly tweaked) version of MD6 against
differential attacks suggests that MD6 is not ready for
consideration for the next SHA-3 round.


--Steve Bellovin, http://www.cs.columbia.edu/~smb

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com


Re: What will happen to your crypto keys when you die?

2009-07-04 Thread silky
On Fri, Jul 3, 2009 at 4:37 AM, Jack Lloyd ll...@randombit.net wrote:
 On Thu, Jul 02, 2009 at 09:29:30AM +1000, silky wrote:
  A potentially amusing/silly solution would be to have one strong key
  that you change monthly, and then, encrypt *that* key, with a method
  that will be brute-forceable in 2 months and make it public. As long
  as you are constantly changing your key, no-one will decrypt it in
  time, but assuming you do die, they can potentially decrypt it while
  arranging your funeral :)

 This method would not work terribly well for data at rest. Copy the
 ciphertext, start the brute force process, and two months later you
 get out everything, regardless of the fact that in the meantime the
 data was reencrypted.

Indeed, hence the reason I suggested encrypting only your real key
with this method. By the time you're done decrypting that, you've only
gotten a stale key. Of course the approach isn't really practical in
principle, it's only cute.


 -Jack

-- 
noon silky
http://lets.coozi.com.au/



Re: MD6 withdrawn from SHA-3 competition

2009-07-04 Thread Brandon Enright
On Thu, 2 Jul 2009 20:51:47 -0700 or thereabouts Joseph Ashwood
ashw...@msn.com wrote:

 Sent: Wednesday, July 01, 2009 4:05 PM
 Subject: MD6 withdrawn from SHA-3 competition
 
  Also from Bruce Schneier, a report that MD6 was withdrawn from the
  SHA-3 competition because of performance considerations.
 
 I find this disappointing. With the rate of destruction of primitives
 in any such competition I would've liked to see them let it stay
 until it is either broken or at least until the second round. A quick
 glance at the SHA-3 zoo and you won't see much left with no attacks.
 It would be different if it was yet another M-D, using AES as a
 foundation, blah, blah, blah, but MD6 is a truly unique and
 interesting design.
 
 I hope the report is wrong, and in keeping that hope alive, the MD6
 page has no statement about the withdrawal.
 Joe 
 

It wasn't entirely clear to me if it really was withdrawn.  Ron Rivest
posted on behalf of the MD6 team some thoughts on MD6 performance and
specifically suggested/requested that NIST ask for submitted algorithms
to be provably resistant to differential attacks.

The logic was that MD6 is slow because the high number of rounds is
needed in their proof.  They won't tweak/submit a version that doesn't
meet this requirement of theirs and based on the current contest
requirements, they can't be competitive speed-wise without losing their
proof of resistance to differential attacks.  Unless the contest
changes to require such a proof, there is no point in moving MD6
forward.

Brandon
