Re: Basic SHA3 support (cryptographic discussion)
On Wed, Jan 17, 2018 at 10:20:50PM +0100, Christian Weisgerber wrote: > What do you want to USE your SHA-3 implementation for? I would like to have a sha3 command line tool. Just to have it there and start using it. For example adding it to ports distfiles would be trivial. Yes, general protocol transition will be hard. And it will not happen before sha2 is broken. And we will live with broken hashes for a long time. But I think this is not an argument against sha3. Of course there is the question whether this should be in libc and /bin. But this is independent of adding sha3 and even more relevant for broken md5 and sha1. So I would add one sha3 tool there for consistency. If we feel it does not belong there and it hurts, all the hashes could be moved. bluhm
Re: Basic SHA3 support (cryptographic discussion)
Daniel Loebenberger: > - The construction of SHA3 differs considerably from the SHA2 > constructions > - SHA3's design principles are far better understood than the ones of > SHA2. I hear you, but you are missing the point. > - A possible migration away from SHA2 will be > faster when including SHA3 in OpenBSD now if it should happen that major > cryptanalytic advances attacking SHA2 pop up in the future. You are arguing for cryptographic algorithm agility. That is a concept the OpenBSD project has become increasingly critical of, because it adds complexity and code size for questionable gain. SHA-2 is baked into numerous protocols. Off the top of my head: * signify(1) * all non-legacy SSH key exchange and authentication methods * all non-legacy TLS cipher suites and certificates For all of those, a switchover to SHA-3 would require defining new protocol variants and then deploying them throughout the ecosystem. Having a SHA-3 implementation in libc is a rather small part of the overall effort. And there is no practical algorithm agility until you get to the point where you already HAVE deployed the new protocol variants. SHA-3 may be better, but so far SHA-2 is good enough. Algorithm agility is a questionable goal. So let me repeat the question: What do you want to USE your SHA-3 implementation for? -- Christian "naddy" Weisgerber na...@mips.inka.de
Re: Basic SHA3 support (cryptographic discussion)
Hi, concerning the question who needs SHA3, we do not agree that SHA3 should be skipped as a standard. As cryptographers we sincerely believe that the SHA3 design is superior to the one of SHA256 also due to the process it was created. We believe that an efficient implementation will trigger increased use of the standard and hope that its user base will grow quickly once the commands are simply there. For the discussion, find here some additional arguments in favor of SHA3: - The construction of SHA3 differs considerably from the SHA2 constructions (which covers all variants). Cryptanalytic progress for SHA2 can destroy all variants at once, but will probably not affect SHA3. - SHA3's design principles are far better understood than the ones of SHA2. The invention of sponge functions is in our opinion one of the greatest inventions in hash-function design over the past few years. It is simple and brilliant, and the generic properties of the construction have appealing properties. - A possible migration away from SHA2 will be faster when including SHA3 in OpenBSD now if it should happen that major cryptanalytic advances attacking SHA2 pop up in the future. - The claim that we now "know" how to build secure hash functions in general seems problematic. To break a function, substantial cryptanalytic effort must be made. It is not clear how much of this effort was put in the presumably secure "newer" functions. - The argument that SHA3 is slow does at least not apply to the reference code we used: The current implementation of sha3-256 is indeed [slightly] faster on our machine than the one of sha256. Best regards, Daniel, Stefan and Alexander