Dmitry Baryshkov <[email protected]> writes:

>> Is there any consensus on the cryptographic strength and general quality
>> of streebog? I wonder if it really should go in the section "Recommended
>> hash functions" with SHA2 and SHA3, or in the "Legacy hash functions"
>> section.
>
> I wouldn't call it legacy (since it is an actual standard). What about
> adding the "Other hash functions" section? It can further receive
> algorithms such as SM3 (if somebody submits it)?

"Other" sounds good to me. Would you like to do that?

> Yes, this is interesting research which has raised a lot of
> controversion here. However it did not result in demonstration of
> theoretical or practical weakness of such constructions.
>
>> And https://en.wikipedia.org/wiki/Hash_function_security_summary lists a
>> "theoretical" preimage attack on the full hash function, referencing
>> https://eprint.iacr.org/2014/675.

As I read the numbers there, it sounds like streebog 512 is
significantly weaker than the claimed security level, and not much more
secure than streebog 256. But I haven't looked into the details. And as
far as I'm aware, attacks on a good hash function with 256 bit output
are completely not practical today.

Regards,
/Niels

-- 
Niels Möller. PGP-encrypted email is preferred. Keyid 368C6677.
Internet email is subject to wholesale government surveillance.
