[Cryptography] NIST about to weaken SHA3?
Viktor Dukhovni
cryptography at dukhovni.org
Mon Sep 30 19:09:27 EDT 2013
On Tue, Oct 01, 2013 at 07:21:03AM +1000, James A. Donald wrote:
> On 2013-10-01 00:44, Viktor Dukhovni wrote:
> >Should one also accuse ESTREAM of maliciously weakening SALSA? Or
> >might one admit the possibility that winning designs in contests
> >are at times quite conservative and that one can reasonably
> >standardize less conservative parameters that are more competitive
> >in software?
>
> "less conservative" means weaker.
Weakening SHA3 to gain cryptanalytic advantage does not make much
sense. SHA3 collisions or preimages even at 80-bit cost don't
provide anything interesting to a cryptanalyst, and MITM attackers
will attack much softer targets.
We know exactly why it was "weakened". The proposed SHA3-256
digest gives 128 bits of security for both collisions and preimages.
Likewise the proposed SHA3-512 digest gives 256 bits of security
for both collisions and preimages.
> Weaker in ways that the NSA has examined, and the people that chose
> the winning design have not.
The lower capacity is not weaker in obscure ways. If Keccak delivers
substantially less than c/2 security, then it should not have been
chosen at all.
If you believe that 128-bit preimage and collision resistance is
inadequate in combination with AES128, or 256-bit preimage and
collision resistance is inadequate in combination with AES256,
please explain.
> Why then hold a contest and invite outside scrutiny in the first place?
The contest led to an excellent new hash function design.
> This is simply a brand new unexplained secret design emerging from
> the bowels of the NSA, which already gave us a variety of backdoored
> crypto.
Just because they're after you, doesn't mean they're controlling
your brain with radio waves. Don't let FUD cloud your judgement.
--
Viktor.