On 23 April 2012 19:53, David Adamson <[email protected]> wrote:

> On 4/23/12, Steven Bellovin <[email protected]> wrote:
> >
> > On Apr 23, 2012, at 12:51 14PM, David Adamson wrote:
> >
> >>
> >> Unfortunately, also I do not see any more improvements of the
> >> implementations of other SHA-3 candidates that did not enter 2-nd and
> >> final round (especially CubeHash, Shabal, BMW, Edon-R, Echo and SIMD).
> >>
> > And the MD6 team withdrew their submission because they couldn't make
> > it fast enough and still have enough security.
> >
>
> Ahhh, I think it was a mistake to withdraw MD6. But Ron and his team
> had dignity and set up higher mathematical standards than NIST (the
> hash function to be provably secure against the differential
> cryptanalysis).
> If you void the mathematically set up security margin of MD6 and
> reduce the number of rounds from 168 down to 64, (with similar
> artistic, cryptographer's experience and "trust me" arguments present
> in other finalists) you will have a hash function that is faster than
> SHA-2 and is definitively faster than 2 or 3 of the SHA-3 finalists (I
> never understood why NIST picked up those 2 or 3 slower than SHA-2
>  candidates as finalists).
>

"Higher mathematical standards" haven't tended to be that much use in
cryptography.  By the very nature of these proofs, the results tend to have
somewhat narrow scope and cannot account for the "Oh f***, I didn't think
of that" type scenarios.  It's akin to saying a lock may be hardened
against normal drills but saying nothing against a thief that can use a
lock pick: all you're doing is proving is a certain property about the
lock/hash function, not that is is inherently secure.

There seems to be a "split milk" ethos surrounding SHA-3, something that I
cannot fathom.  Personally, I think the algorithms presented are well
designed and seriously doubt it can be done much better.  Which of the five
is actually selected is probably neither-here-nor-there really -- they all
do what it says on the tin and have been fairly thoroughly tested.
_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography

Reply via email to