The Pure Crypto Project's Hash Function

John Kelsey kelsey.j at ix.netcom.com
Mon May 5 12:30:59 EDT 2003


At 08:37 AM 5/4/03 +0200, Ralf Senderek wrote:
>On Sat, 3 May 2003, Rich Salz wrote:
...
> > Very simple:  known to be cryptographically secure.  SHA-1 is good.  Your
> > invention is bad.
>
>So everything new must be bad, because it isn't "known to be .. secure"?

Suppose you're about to take a job as a policeman or security guard or 
something, and believe there's a serious chance you'll be shot at.  You're 
trying to decide on which bulletproof vest to buy.  Several vendors 
demonstrate both safety arguments involving the tensile strength of Kevlar, 
the way impacts are distributed across a large area, etc., and extensive 
tests where various kinds of guns and knives are tried against the vest, 
without penetrating it.  Another vendor says "well, I decided to invent my 
own bulletproof vest.  I shot at it a couple times with my .22, and punched 
it once, and it seems to hold up very well.  Besides, it's conceptually 
simpler than my competitors' vests, and I spent several days thinking over 
the design without finding any weaknesses.  Trust me."  Which one do you 
want to trust?

If you want to design a hash function, that's cool.  In fact, designing 
crypto primitives is one of the most fun things you can do.  But doing it 
right involves actually understanding the existing known attacks on the 
primitives, and being capable of applying those attacks to a new 
design.  It also involves getting a lot of public comment--meaning writing 
it up for submission to a good conference (FSE is great for new 
primitives), and making your writeup so clear that you encourage lots of 
people to look at it.  And it still may be that people don't jump at the 
chance to use your primitive, either for performance reasons, or because 
they have a satisfactory alternative they trust more.

How much trust people have in some primitive is dependent on the reputation 
of the designers, the amount of review it's seen, and even how well you 
imagine the problem to be understood by the community.  (Even very sharp 
people designing block ciphers in 1985 were going to have a hard time 
getting it right, because the public state of the art in cryptanalysis 
wasn't all that great.)
...

>* Ralf Senderek  <ralf at senderek.de> http://senderek.de  * What is privacy *

--John Kelsey, kelsey.j at ix.netcom.com
PGP: FA48 3237 9AD5 30AC EEDD  BBC8 2A80 6948 4CAA F259