On Mon, 2013-09-30 at 14:44 +0000, Viktor Dukhovni wrote:

> If SHA-3 is going to be used, it needs to offer some advantages
> over SHA-2. Good performance and built-in support for tree hashing
> (ZFS, ...) are acceptable reasons to make the trade-off explained
> on slides 34, 35 and 36 of:
Well, I think the most important advantage would be more security... performance can only have far lower priority,... otherwise the whole thing is rubbish.

Sure, SHA2 is far from being broken, but we've seen some first scratches in SHA1 already... so it doesn't hurt if we have an algo which is based on different principles and has a high security margin.

I guess we've seen that in the most recent developments... better take two or three times what we expect to be the reasonable security margins, since we don't exactly know what NSA and friends are capable of. Better try to combine different algos, for the same reason.

NIST has somewhat proven that they can't be trusted, IMHO, regardless of whether they just didn't notice what the NSA did, whether they happily helped the agency, or whether they were forced to by law. For us this doesn't matter.

To my understanding, performance wasn't the top priority during the SHA3 competition, otherwise other algos might have been even better than Keccak. So this move now is highly disturbing, and people should question what NIST/NSA know that we don't. Can you really exclude for sure that they haven't found some weaknesses which only apply at lower capacities?

In a way, that reminds me of ECC and the issues with the curves (not from a mathematical POV, of course)... we have some (likely) fine algorithm,... but the bad[0] guys standardise some parameters (like the curves)... At some point we smell the scandal and start wondering if we wouldn't be far better off with a different set of curves... but in practice it's more or less too late then (well, at least it's very problematic), since all the world is using that set of standardised curves.

It seems a bit as if we now do the same,... following NIST/NSA like sheep. Keccak seems to be a fine algorithm... perhaps it would be better to scrap SHA3 altogether and let the community decide upon a common set of concrete algos (i.e. a community-SHA3) which is then to be standardised by IETF, or whatever else. And better take two or four times the capacity and/or bit-lengths than what we optimistically consider to be very secure.

Cheers,
Chris.

[0] In contrast to the evil guys, like terrorists and so on.

_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography