[Cryptography] please dont weaken pre-image resistance of SHA3 (Re: NIST about to weaken SHA3?)
Ray Dillinger
bear at sonic.net
Tue Oct 15 04:05:39 EDT 2013
On 10/14/2013 07:51 AM, Adam Back wrote:
> All other common hash functions have tried to do full preimage security so
> it will lead to design confusion, to vary an otherwise standard assumption.
> It will probably have bad-interactions with many existing KDF, MAC,
> merkle-tree designs and combined cipher+integrity modes, hashcash (partial
> preimage as used in bitcoin as a proof of work) that are designed in a
> generic way to a hash as a building block that assume the hash has full
> length pre-image protection.
Oddly enough, Bitcoin is built on no such assumption. The standard
hash used in Bitcoin is SHA256(SHA256(text)), both for authentication
and proof of work. I had wondered whether there was any rationale
for that choice and figured Nakamoto was just being paranoid about
possible future cryptanalysis. But if considered as a drop-in
replacement, the analogous choice would be fully justified with a
(strength at half-length) SHA3.
Bear
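The proof-of-work construction the two posts are discussing, as an added illustration that is not code from the thread or from Bitcoin itself: a hashcash-style search over a nonce until SHA256(SHA256(header || nonce)) has a required number of leading zero bits. The work an attacker or miner must do is governed by that partial-preimage target, roughly 2^k trials for k leading zero bits, and never by the full 256-bit preimage strength of the hash. The 80-byte Bitcoin header layout is simplified to an arbitrary byte string plus a 4-byte little-endian nonce; the header bytes and the difficulty are constructed for the example.

```python
import hashlib
import struct


def sha256d(data: bytes) -> bytes:
    """Bitcoin's hash: SHA-256 applied twice to the same input."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def leading_zero_bits(digest: bytes) -> int:
    """Count leading zero bits of a digest (the hashcash 'partial preimage' measure)."""
    n = 0
    for b in digest:
        if b == 0:
            n += 8
            continue
        n += 8 - b.bit_length()
        break
    return n


def mine(header: bytes, difficulty_bits: int, max_nonce: int = 2 ** 32):
    """Search nonces until sha256d(header || nonce) has >= difficulty_bits leading zeros.

    Returns (nonce, digest, attempts) or None if the nonce space is exhausted.
    Expected attempts grow as 2**difficulty_bits: the cost comes from the
    partial preimage target, not from the hash's full output length.
    """
    for nonce in range(max_nonce):
        candidate = header + struct.pack("<I", nonce)  # simplified header + LE nonce
        digest = sha256d(candidate)
        if leading_zero_bits(digest) >= difficulty_bits:
            return nonce, digest, nonce + 1
    return None


def verify(header: bytes, nonce: int, difficulty_bits: int) -> bool:
    """Verification is one sha256d call, regardless of how much work mining took."""
    digest = sha256d(header + struct.pack("<I", nonce))
    return leading_zero_bits(digest) >= difficulty_bits


# Constructed sample input: not a real block header.
SAMPLE_HEADER = b"example-block-header:prev=0000...;merkle=abcd...;time=1381814739"
SAMPLE_DIFFICULTY = 16  # about 2**16 expected sha256d evaluations


def demo():
    result = mine(SAMPLE_HEADER, SAMPLE_DIFFICULTY)
    assert result is not None
    nonce, digest, attempts = result
    return {
        "nonce": nonce,
        "digest_hex": digest.hex(),
        "attempts": attempts,
        "verified": verify(SAMPLE_HEADER, nonce, SAMPLE_DIFFICULTY),
    }


if __name__ == "__main__":
    print(demo())
```

A 16-bit target takes on the order of 65,536 double-hash evaluations; Bitcoin's live targets are far higher but still tens of bits below even a 128-bit (half-length) preimage bound, which is the sense in which Bear's post says the proof of work does not rely on full-length preimage resistance.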