[Cryptography] NIST about to weaken SHA3?

ianG iang at iang.org
Tue Oct 1 04:48:07 EDT 2013


On 1/10/13 00:21 AM, James A. Donald wrote:
> On 2013-10-01 00:44, Viktor Dukhovni wrote:
>> Should one also accuse ESTREAM of maliciously weakening SALSA?  Or
>> might one admit the possibility that winning designs in contests
>> are at times quite conservative and that one can reasonably
>> standardize less conservative parameters that are more competitive
>> in software?
>
> "less conservative" means weaker.
>
> Weaker in ways that the NSA has examined, and the people that chose the
> winning design have not.
>
> Why then hold a contest and invite outside scrutiny in the first place?
>
> This is simply a brand new unexplained secret design emerging from the
> bowels of the NSA, which already gave us a variety of backdoored crypto.
>
> The design process, the contest, the public examination, was a lie.
>
> Therefore, the design is a lie.



This could be the uninformed opinion over unexpected changes.  It could 
also be the truth.  How then to differentiate?

Do we need to adjust the competition process for a "tweak" phase?

Let's whiteboard.  Once The One is chosen, have a single round +
conference where each of the final contestants proposes their optimised
version.  They then vote on the choice.

(OK, we can imagine many ways to do this ... point being that if NIST 
are going to tweak the SHA3 then we need to create a way for them to do 
this, and have that tweaking be under the control of the submitters, not 
NIST itself.  In order to maintain the faith of the result.)



iang

