I sent this to Zooko privately, regarding his "100-year cryptography" blog post:
http://testgrid.allmydata.org:3567/uri/URI:DIR2-RO:j74uhg25nwdpjpacl6rkat2yhm:kav7ijeft5h7r7rxdp5bgtlt3viv32yabqajkrdykozia5544jqa/wiki.html#[[can%20we%20build%20a%20crypto%20system%20to%20last%20for%20a%20hundred%20years%3F]]

He asked if I would like to have the dialog in public, so here goes!

----- Forwarded message from Chris Palmer <[email protected]> -----

From: Chris Palmer <[email protected]>
To: [email protected]
Date: Sat, 6 Mar 2010 16:53:36 -0800
Subject: 100-year cryptography

Although SHA-512 is two orders of magnitude slower/more power-hungry on ARM than SHA-256, that is *now*. In 5 or 10 years, we are likely to have faster machines, machines with larger word sizes (even small/low-power machines), and/or better power supplies/batteries. In 5 or 10 years, we will be glad we used unnecessarily strong functions 5 or 10 years ago.

For long-lived data at rest, skimping on security for performance is just a bad trade --- even though, yes, I fully agree that the performance concerns are real and critical.

I feel certain that K = 128 is good, and pretty sure that SHA-512's K will be gnawed down to 128 or lower in the medium-term. By then, of course, we will have migrated to SHA-3, which will be faster and maybe even safer. If only we had SHA-3 now...

----- End forwarded message -----

_______________________________________________
tahoe-dev mailing list
[email protected]
http://allmydata.org/cgi-bin/mailman/listinfo/tahoe-dev
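The cost ratio between SHA-256 and SHA-512 quoted in the forwarded message is a property of the hardware it is measured on, so the number a practitioner needs is the one for their own deployment target. The following script is an added example, not code from the original thread or from Tahoe-LAFS: it measures hashlib throughput for a constructed 1 MiB buffer and reports each algorithm's output size alongside the generic preimage (n bits) and birthday-bound collision (n/2 bits) security levels, which is the "K" the message is reasoning about. It goes slightly beyond the message by including the SHA-3 variants, since Python's hashlib now ships them; the algorithm list and the 1 MiB sample size are assumptions of this example.

```python
import hashlib
import time

# Constructed sample input: 1 MiB of deterministic bytes (not real data).
SAMPLE = bytes(range(256)) * 4096


def security_bits(algo):
    """Generic security levels implied by the digest length alone:
    preimage resistance ~ n bits, collision resistance ~ n/2 bits (birthday bound).
    Cryptanalytic results can only lower these; they never raise them."""
    n = hashlib.new(algo).digest_size * 8
    return {"output_bits": n, "preimage_bits": n, "collision_bits": n // 2}


def throughput_mib_s(algo, data=SAMPLE, rounds=5):
    """Hash `data` `rounds` times and return the best observed MiB/s.
    Taking the best run filters out scheduler noise for a quick comparison."""
    best = float("inf")
    for _ in range(rounds):
        t0 = time.perf_counter()
        hashlib.new(algo, data).digest()
        best = min(best, time.perf_counter() - t0)
    return (len(data) / (1024 * 1024)) / best


def relative_cost(algo, baseline="sha256"):
    """How many times more CPU time `algo` needs than `baseline` per byte,
    on the machine running this script (the ARM figure in the message is
    exactly this ratio measured on a different CPU)."""
    return throughput_mib_s(baseline) / throughput_mib_s(algo)


def compare(algos=("sha256", "sha512", "sha3_256", "sha3_512")):
    """One row per algorithm: security levels plus measured throughput."""
    rows = []
    for algo in algos:
        row = {"algo": algo, "mib_per_s": throughput_mib_s(algo)}
        row.update(security_bits(algo))
        rows.append(row)
    return rows


if __name__ == "__main__":
    for r in compare():
        print(f"{r['algo']:9s} {r['output_bits']:4d}-bit output  "
              f"collision ~{r['collision_bits']:3d} bits  {r['mib_per_s']:8.1f} MiB/s")
    print(f"sha512 costs {relative_cost('sha512'):.2f}x sha256 on this CPU")
```

On a 64-bit desktop CPU without SHA extensions the ratio is often below 1 (SHA-512 works on 64-bit words and processes more bytes per compression call), which illustrates the message's point that the penalty is tied to word size and will shift as hardware changes; run it on the actual low-power target before deciding.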
