On Tue, 2013-10-01 at 02:34 -0700, Ray Dillinger wrote:
> What I don't understand here is why the process of selecting a
> standard algorithm for cryptographic primitives is so highly focused
> on speed.
>
> We have machines that are fast enough now that while speed isn't a non
> issue, it is no longer nearly as important as the process is giving it
> precedence for.
>
> Our biggest problem now is security, not speed. I believe that it's a
> bit silly to aim for a minimum acceptable security achievable within
> the context of speed while experience shows that each new class of
> attacks is usually first seen against some limited form of the cipher
> or found to be effective only if the cipher is not carried out to a
> longer process.
Absolutely agreeing... I mean that is the most important point about crypto at all - being secure. And if one is in doubt (and probably even when not), better use a very big security margin, which in the SHA3 case would mean rather take high multiples of bit lengths and capacity than what seems conservatively secure enough.

The argument that attackers don't penetrate but rather circumvent cryptography doesn't count much at all, IMHO. Sure, that's what happens in practice, but if we hook up on that, we could more or less drop any cryptography for, say, 98% of mankind who use insecure (or even backdoored) systems like Windows, MacOS, Flash, etc. pp.

Obviously, performance is an issue for some systems (especially embedded), but an algo that is fast enough but potentially not secure enough is absolutely worthless[0].

Sure, some people utilise the FUD argument now... basically pointing out that we have no strong reason to believe that e.g. Keccak with the newly proposed parameters from NIST isn't secure enough. But if we should have learned one thing from the whole NSA/friends scandal, it is... we really don't have much of an idea how far these guys are up to - neither in terms of mathematics nor in terms of raw computing power (when the public already knows about facilities like that Utah data centre, one can probably fairly well expect that dozens of these exist which are unknown).

Cheers,
Chris.

[0] And if you want a fast hash algorithm that is not to be used in cryptography, we have plenty of other solutions already.

_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography