[Cryptography] please don't weaken pre-image resistance of SHA3 (Re: NIST about to weaken SHA3?)

Adam Back adam at cypherspace.org
Tue Oct 15 17:59:32 EDT 2013


On Tue, Oct 15, 2013 at 05:47:27PM -0400, John Kelsey wrote:
>On Oct 15, 2013, at 2:22 PM, Adam Back <adam at cypherspace.org> wrote:
>> would SHA3-512 STILL have 256-bit preimage security if truncated to 256-bit ie
>
> Yes.  The 2^{c/2} preimage attack on Keccak/SHA3 is a meet in the middle
> attack on the internal hash state, and it has nothing to do with the
> output size.

OK.

> More broadly, anything you can do to a SHA3 version with much less than
> 2^{c/2} work, you could also do to *any* hash function with the same
> output size.

I think what you just said is an attack of work less than 2^128 is harmless
on both a weakened SHA3 preimage and SHA2.  But that is not an argument for
reducing the preimage strength to 2^128.  Actually I don't understand the
argument for weakening it.  Is there a pointer to a rationale? - so far it
makes no sense - unless it's micro-optimization to the massive detriment of
preimage security if you care about that.

Adam
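
The point in the quoted reply, that the meet-in-the-middle attack works on the internal hash state and has nothing to do with the output size, shown on a toy sponge as an added example that is not part of the original message. The permutation, the 16-bit capacity and all function names are constructed for illustration (this is not Keccak, and padding is omitted), and the target internal state is assumed known, here taken from a known message.

```python
# Toy sponge, constructed for illustration (NOT Keccak; padding omitted).
# 24-bit state: low 8 bits are the rate, high 16 bits the capacity (c = 16).
W, R = 24, 8
MASK = (1 << W) - 1
MUL = 0x9E3779                      # odd, hence invertible mod 2**24
MUL_INV = pow(MUL, -1, 1 << W)

def f(x):                           # invertible toy permutation
    for _ in range(3):
        x = (x * MUL + 1) & MASK
        x ^= x >> 13                # self-inverse because 13 >= W / 2
    return x

def f_inv(x):
    for _ in range(3):
        x ^= x >> 13
        x = ((x - 1) * MUL_INV) & MASK
    return x

def absorb(msg, state=0):           # one byte per rate-sized block
    for block in msg:
        state = f(state ^ block)
    return state

def toy_hash(msg, out_len):         # squeeze out_len bytes, any length
    state, out = absorb(msg), bytearray()
    for _ in range(out_len):
        out.append(state & 0xFF)
        state = f(state)
    return bytes(out)

def find_path(target, limit=1 << 12):
    """Meet in the middle on the capacity: return (msg, work) with
    absorb(msg) == target, or (None, work) if limit is reached."""
    fwd, bwd = {}, {}               # capacity value -> (blocks, rate value)
    for i in range(limit):
        blocks = (i >> 8, i & 0xFF)
        s = absorb(blocks)          # forward from the all-zero initial state
        t = target                  # backward from the target state
        for b in reversed(blocks):
            t = f_inv(t) ^ b        # undo one absorbed block
        t = f_inv(t)                # state just before the permutation
        fwd.setdefault(s >> R, (blocks, s & 0xFF))
        bwd.setdefault(t >> R, (blocks, t & 0xFF))
        for cap in (s >> R, t >> R):
            if cap in fwd and cap in bwd:   # capacities meet: join with one block
                (p, rp), (q, rq) = fwd[cap], bwd[cap]
                return bytes(p + (rp ^ rq,) + q), 2 * (i + 1)
    return None, 2 * limit
```

The message returned by `find_path` reaches the same internal state as the known one, so `toy_hash` agrees for every output length, 4 bytes or 64. The search is bounded by the capacity alone, which is why truncating the output does not change the 2^{c/2} figure.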

