[Cryptography] Crypto Standards v.s. Engineering habits - Was: NIST about to weaken SHA3?

[John Kelsey]

On Oct 4, 2013, at 10:10 AM, Phillip Hallam-Baker <hallam at gmail.com> wrote:
...
> Dobertin demonstrated a birthday attack on MD5 back in 1995 but it had no impact on the security of certificates issued using MD5 until the attack was dramatically improved and the second pre-image attack became feasible.

Just a couple nitpicks: 

a.  Dobbertin wasn't doing a birthday (brute force collision) attack, but rather a collision attack from a chosen IV.  

b.  Preimages with MD5 still are not practical.  What is practical is using the very efficient modern collision attacks to do a kind of herding attack, where you commit to one hash and later get some choice about which message gives that hash.  

...
> Proofs are good for getting tenure. They produce papers that are very citable. 

There are certainly papers whose only practical importance is getting a smart cryptographer tenure somewhere, and many of those involve proofs.  But there's also a lot of value in being able to look at a moderately complicated thing, like a hash function construction or a block cipher chaining mode, and show that the only way anything can go wrong with that construction is if some underlying cryptographic object has a flaw.  Smart people have proposed chaining modes that could be broken even when used with a strong block cipher.  You can hope that security proofs will keep us from doing that.  

Now, sometimes the proofs are wrong, and almost always, they involve a lot of simplification of reality (like most proofs aren't going to take low-entropy RNG outputs into account).  But they still seem pretty valuable to me for real-world things.  Among other things, they give you a completely different way of looking at the security of a real-world thing, with different people looking over the proof and trying to attack things.  

--John