Re: [Cryptography] Sha3

On Oct 7, 2013, at 6:04 PM, "Philipp Gühring" wrote: >> it makes no sense for a hash function: If the attacker can specify >> something about the input, he ... knows something about the input! > Yes, but since it's standardized, it's public knowledge, and just knowing > the padding does not giv

Re: [Cryptography] Sha3

On 05/10/13 00:09, Dan Kaminsky wrote: Because not being fast enough means you don't ship. You don't ship, you didn't secure anything. Performance will in fact trump security. This is the empirical reality. There's some budget for performance loss. But we have lots and lots of slow functions

Re: [Cryptography] Sha3

On 05/10/13 20:00, John Kelsey wrote: http://keccak.noekeon.org/yes_this_is_keccak.html Seems the Keccac people take the position that Keccak is actually a way of creating hash functions, rather than a specific hash function - the created functions may be ridiculously strong, or far too weak

Re: [Cryptography] Sha3

On Oct 6, 2013, at 11:41 PM, John Kelsey wrote: > ...They're making this argument by pointing out that you could simply stick > the fixed extra padding bits on the end of a message you processed with the > original Keccak spec, and you would get the same result as what they are > doing. So if t

Re: [Cryptography] Sha3

On Oct 6, 2013, at 6:29 PM, Jerry Leichter wrote: > On Oct 5, 2013, at 6:12 PM, Ben Laurie wrote: >> I have to take issue with this: >> >> "The security is not reduced by adding these suffixes, as this is only >> restricting the input space compared to the original Keccak. If there >> is no secu

Re: [Cryptography] Sha3

On Oct 5, 2013, at 6:12 PM, Ben Laurie wrote: > I have to take issue with this: > > "The security is not reduced by adding these suffixes, as this is only > restricting the input space compared to the original Keccak. If there > is no security problem on Keccak(M), there is no security problem on

Re: [Cryptography] Sha3

On 10/04/2013 07:38 AM, Jerry Leichter wrote: > On Oct 1, 2013, at 5:34 AM, Ray Dillinger wrote: >> What I don't understand here is why the process of selecting a standard >> algorithm for cryptographic primitives is so highly focused on speed. > If you're going to choose a single standard cryp

Re: [Cryptography] Sha3

On Sat, 2013-10-05 at 12:18 -0700, james hughes wrote: > and the authors state that You know why other people than the authors are doing cryptoanalysis on algorithms? Simply because the authors may also oversee something in the analysis of their own algorithm. So while the argument "the original a

Re: [Cryptography] Sha3

On 5 October 2013 20:18, james hughes wrote: > On Oct 5, 2013, at 12:00 PM, John Kelsey wrote: > >> http://keccak.noekeon.org/yes_this_is_keccak.html > > From the authors: "NIST's current proposal for SHA-3 is a subset of the > Keccak family", "one can generate the test vectors for that proposal

Re: [Cryptography] Sha3

On Oct 5, 2013, at 12:00 PM, John Kelsey wrote: > http://keccak.noekeon.org/yes_this_is_keccak.html >From the authors: "NIST's current proposal for SHA-3 is a subset of the Keccak >family", "one can generate the test vectors for that proposal using the Kecca >kreference code." and this "shows

Re: [Cryptography] Sha3

On Oct 5, 2013, at 11:54 AM, radi...@gmail.com wrote: > Jerry Leichter wrote: >> Currently we have SHA-128 and SHA-256, >but exactly why one should choose >> one or >the other has never been clear - SHA-256 is >somewhat more >> expensive, but I can't >think of any examples where SHA-128 >would be

Re: [Cryptography] Sha3

On 2013-10-05 16:40, james hughes wrote: Instead of pontificating at length based on conjecture and conspiracy > theories and smearing reputations based on nothing other than hot air But there really is a conspiracy, which requires us to consider conjectures as serious risks, and people deserv

Re: [Cryptography] Sha3

Jerry Leichter wrote: >Currently we have SHA-128 and SHA-256, >but exactly why one should choose one >or >the other has never been clear - SHA-256 is >somewhat more expensive, but >I can't >think of any examples where SHA-128 >would be practical but SHA-256 >would not. >In practice, when CPU is

Re: [Cryptography] Sha3

http://keccak.noekeon.org/yes_this_is_keccak.html --John___ The cryptography mailing list cryptography@metzdowd.com http://www.metzdowd.com/mailman/listinfo/cryptography

Re: [Cryptography] Sha3

On Oct 3, 2013, at 9:27 PM, David Johnston wrote: > On 10/1/2013 2:34 AM, Ray Dillinger wrote: >> What I don't understand here is why the process of selecting a standard >> algorithm for cryptographic primitives is so highly focused on speed. ~ > > What makes you think Keccak is faster than th

Re: [Cryptography] Sha3

On Fri, Oct 4, 2013 at 12:27 AM, David Johnston wrote: > On 10/1/2013 2:34 AM, Ray Dillinger wrote: > > What I don't understand here is why the process of selecting a standard > algorithm for cryptographic primitives is so highly focused on speed. ~ > > > What makes you think Keccak is faster th

Re: [Cryptography] Sha3

On Oct 1, 2013, at 5:34 AM, Ray Dillinger wrote: > What I don't understand here is why the process of selecting a standard > algorithm for cryptographic primitives is so highly focused on speed. If you're going to choose a single standard cryptographic algorithm, you have to consider all the pl

Re: [Cryptography] Sha3

On 10/4/2013 10:23 AM, Phillip Hallam-Baker wrote: On Fri, Oct 4, 2013 at 12:27 AM, David Johnston > wrote: On 10/1/2013 2:34 AM, Ray Dillinger wrote: What I don't understand here is why the process of selecting a standard algorithm for cryptographic primiti

Re: [Cryptography] Sha3

be > effective only if the cipher is not carried out to a longer process. > > > > Original message > From: John Kelsey 'crypto@gmail.com');>> > Date: 09/30/2013 17:24 (GMT-08:00) > To: "cryptography@metzdowd.com 'cryptography@metzdowd.com');>

Re: [Cryptography] Sha3 and selecting algorithms for speed

Most applications of crypto shouldn't care much about performance of the symmetric crypto, as that's never the thing that matters for slowing things down. But performance continues to matter in competitions and algorithm selection for at least three reasons: a. We can measure performance, whe

Re: [Cryptography] Sha3

On 10/1/2013 2:34 AM, Ray Dillinger wrote: What I don't understand here is why the process of selecting a standard algorithm for cryptographic primitives is so highly focused on speed. ~ What makes you think Keccak is faster than the alternatives that were not selected? My implementations sug

Re: [Cryptography] Sha3

On Tue, 2013-10-01 at 02:34 -0700, Ray Dillinger wrote: > What I don't understand here is why the process of selecting a > standard algorithm for cryptographic primitives is so highly focused > on speed. > > > We have machines that are fast enough now that while speed isn't a non > issue, it is

Re: [Cryptography] Sha3

ough to make you wish you'd overdesigned, isn't it? Original message ---- From: John Kelsey Date: 09/30/2013 17:24 (GMT-08:00) To: "cryptography@metzdowd.com List" Subject: [Cryptography] Sha3 If you want to understand what's going on wrt SHA3, yo

Re: [Cryptography] Sha3

cipher or found to be effective only if the cipher is not carried out to a longer process.   Original message From: John Kelsey Date: 09/30/2013 17:24 (GMT-08:00) To: "cryptography@metzdowd.com List" Subject: [Cryptography] Sha3 If you want to understand what

Re: [Cryptography] Sha3

On 2013-10-01 10:24, John Kelsey wrote: If you want to understand what's going on wrt SHA3, you might want to look at the nist website If you want to understand what is going on with SHA3, and you believe that NIST is frank, open, honest, and has no ulterior motives, you might want to look a

[Cryptography] Sha3

If you want to understand what's going on wrt SHA3, you might want to look at the nist website, where we have all the slide presentations we have been giving over the last six months detailing our plans. There is a lively discussion going on at the hash forum on the topic. This doesn't make