On 04/14/2012 06:39 AM, David Adamson wrote:
NSA designed SHA-2 to stay in libraries for a long time. Length
extension is not an issue for SHA-2 anymore with SHA-512/256. That is
a double-pipe hash function perfectly secure against length-extension
attack. On 64-bit platforms SHA512 and SHA512/256 is almost as fast as
Skein and Blake (one of which will be the next SHA-3), and according
to [1], "Furthermore, even the fastest finalists will probably offer
only a small performance advantage over the current SHA-256 and
SHA-512 implementations."
And they seem to be significantly less efficient in hardware than SHA-2.
Gee, it's almost as if the NSA knows a thing or two about designing and
implementing hash functions! :-)
However, since SHA-2 and (to be SHA-3) are 2, 3 or even 4 times slower
than MD5 or SHA-1, and NIST running the SHA-3 competition changed
their own initial goal SHA-3 to be significantly faster than SHA-2, I
expect in the following period several other influential international
players in the area of standardizing cryptographic primitives to use
that strategic mistake done by NIST, and to push for a hash standard
that will be significantly faster than SHA-2 and SHA-3.
[...]
Now I expect EU to use the opportunity and finally back up a
hash function that industry will prefer. But I see also that Russia,
China and Japan can also use the NIST's screw up with the performance
of SHA-3 and will try to take over the industrial primacy with their
own hash function.
Honest question: why should we think they can do it?
Everyone was invited to take part in the SHA-3 competition, and many
international teams did. In fact, most of the finalists aren't US teams.
Of all the hundreds of entrants there are 5 left. It seems that most
were weeded out because they were less-that-maximally efficient or had
attacks on their security.
Beating SHA-2-256 or SHA-2-512/256 is turning out to be harder than
anyone expected.
At the end, supremacy in setting up cryptographic
standards is what will bring reputation, trust and strategic
positioning in the world that in the following years will digest
exabytes per hour.
No one spends more money on info systems than the US Government. Vendors
can implement whatever they want in the own (or extensible) protocols,
but if USG requires SHA-3, it's going to be implemented in gear designed
for sale in N. America.
Still, China is an increasing market too and their rulers are not afraid
of "intelligent design". We have them to thank for killing off
proprietary incompatible cellphone chargers. They simply mandated that
all mobiles charge via mini-USB.
http://en.wikipedia.org/wiki/USB#Mobile_device_charger_standards
We may be seeing signs of a fork in data security protocols too.
http://www.nytimes.com/2012/03/27/technology/symantec-dissolves-alliance-with-huawei-of-china.html?_r=1
SO: I expect a new hash competition (run by EU, Russia, China or
Japan) where US SHA-3 standard will be a reference point and the goal
will be to design 256 and 512 bits hash function that is 3-4 times
faster than SHA-3.
Alternatively, NIST could say "we've learned so much about hash
functions over the past few years that we're going to allow designers
another round of submissions."
- Marsh
_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography