[Cryptography] Sha3

Christoph Anton Mitterer calestyo at scientia.net
Tue Oct 1 18:05:25 EDT 2013


On Tue, 2013-10-01 at 02:34 -0700, Ray Dillinger wrote:
> What I don't understand here is why the process of selecting a
> standard algorithm for cryptographic primitives is so highly focused
> on speed.
>
>
> We have machines that are fast enough now that while speed isn't a
> non-issue, it is no longer nearly as important as the process is giving
> it precedence for.
>
>
> Our biggest problem now is security, not speed. I believe that it's a
> bit silly to aim for a minimum acceptable security achievable within
> the context of speed while experience shows that each new class of
> attacks is usually first seen against some limited form of the cipher
> or found to be effective only if the cipher is not carried out to a
> longer process.

Absolutely agreeing... I mean that is the most important point about
crypto at all - being secure.
And if one is in doubt (and probably even when not), better use a very
big security margin, which in the SHA3 case would mean, rather take high
multiples of bit lengths and capacity than what seems conservatively
secure enough.

The argument, that attackers don't penetrate but rather circumvent
cryptography doesn't count much at all, IMHO.
Sure that's what happens in practice, but if we hook up on that, we
could more or less drop any cryptography for say 98% of mankind which
use insecure (or even backdoored) systems like Windows, MacOS, Flash,
etc. pp.

Obviously, performance is an issue for some systems (especially
embedded) but an algo that is fast enough, but potentially not secure
enough is absolutely worthless[0].

Sure, some people utilise the FUD argument now,... basically pointing
that we have no strong reason to believe that e.g. Keccak with the
newly proposed parameters from NIST isn't secure enough.
But when we should have learned one thing from the whole NSA/friends
scandal is ... we really don't have much of an idea how far these guys
are up to - neither in terms of mathematics, nor in terms of raw
computing power (when the public already knows about facilities like
that Utah data centre - one can probably fairly well expect that dozens
of these exist which are unknown).

Cheers,
Chris.


[0] And if you want a fast hash algorithm that is not to be used in
cryptography, we have plenty of other solutions already.
