[Cryptography] please dont weaken pre-image resistance of SHA3 (Re: NIST about to weaken SHA3?)

John Kelsey crypto.jmk at gmail.com
Mon Oct 14 11:55:36 EDT 2013


Adam,

I guess I should preface this by saying I am speaking only for myself.  That's always true here--it's why I'm using my personal email address.  But in particular, right now, I'm not *allowed* to work.  But just speaking my own personal take on things....

We got pretty *overwhelming* feedback in this direction in the last three weeks.  (For the previous several months, we got almost no feedback about it at all, despite giving presentations and posting stuff on hash forum about our plans.)  But since we're shut down right now, we can't actually make any decisions or changes.  This is really frustrating on all kinds of levels.

Personally, I have looked at the technical arguments against the change and I don't really find any of them very convincing, for reasons I described at some length on the hash forum list, and that the Keccak designers also laid out in their post.  The core of that is that an attacker who can't do 2^{128} work can't do anything at all to SHA3 with a 256 bit capacity that he couldn't also do to SHA3 with a 512 bit capacity, including finding preimages.  

But there's pretty much zero chance that we're going to put a standard out that most of the crypto community is uncomfortable with.  The normal process for a FIPS is that we would put out a draft and get 60 or 90 days of public comments.  As long as this issue is on the table, it's pretty obvious what the public comments would all be about.  

The place to go for current comments, if you think more are necessary, is the hash forum list.  The mailing list is still working, but I think both the archives and the process of being added to the list are frozen thanks to the shutdown.  I haven't looked at the hash forum since we shut down, so when we get back there will be a flood of comments there.  The last I saw, the Keccak designers had their own proposal for changing what we put into the FIPS, but I don't know what people think about their proposal. 

--John, definitely speaking only for myself

