[Cryptography] please don't weaken pre-image resistance of SHA3 (Re: NIST about to weaken SHA3?)

Arnold Reinhold agr at me.com
Fri Oct 18 10:15:14 EDT 2013


On October 17, 2013 12:00 John Kelsey wrote:

...
> In the case of SHA3-512, it's hard to imagine any crypto application needing more than 256 bits of security, and almost nothing else in our crypto toolkit (NIST's or the bigger community's) tries to get higher security than that.  Personally, I think demanding a loss of performance to reach security levels higher than 256 bits is nuts.  It's trading real performance off against imaginary, cosmetic security. ...

Let's think for a moment about users who design to 256-bit security. There is nothing currently that comes close to compromising 128-bit systems. A trillion processors each testing a trillion keys a second would take 6 million years on average to recover or forge just one 128-bit key. Any rational choice for 256-bit security is seeking to protect data far into the future, against threats currently unknown or only imagined, like quantum computing, DNA processing, super algebra systems or other mathematical breakthroughs. How important is performance to such users? I submit such users want primitives with large margins of safety. Does larger internal state delay any quantum attack? Certainly. Does larger internal state complicate attacks on entropy collectors? Indeed. We've only had a few years to look at Keccak-like systems. Weaknesses that revealed less-than-nominal strength in other primitives have emerged after longer intervals. Those who express conservative instincts are not being foolish here.

Arnold Reinhold
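The brute-force arithmetic behind the post's "6 million years" figure, as an added example that is not part of the original message or of the thread: it models a generic key or pre-image search at the attacker rate the post assumes (a trillion processors each testing a trillion candidates per second) and shows how the margin between 128-bit and 256-bit security changes when a quantum square-root speedup (Grover's algorithm) is assumed. The rate, the year length and the simplification that Grover simply halves the effective bit count (ignoring all real quantum overheads) are assumptions of this example, not claims made on the page.

```python
# Added example, not from the original post. Models the cost of a
# generic brute-force search at the security levels discussed above.
# Assumptions (labelled): attacker rate of 10^12 processors x 10^12
# trials/s, a Julian year, and a Grover model that halves the bit count.

SECONDS_PER_YEAR = 365.25 * 24 * 3600  # assumption: Julian year


def expected_trials(security_bits: float) -> float:
    """Expected number of guesses to hit one target by exhaustive search:
    on average half of the 2^n keyspace is covered before success."""
    return 2 ** (security_bits - 1)


def brute_force_years(security_bits: float,
                      processors: int = 10 ** 12,
                      trials_per_sec: int = 10 ** 12) -> float:
    """Expected wall-clock years for the modelled attacker to recover one
    key or pre-image at the given security level (defaults are the
    post's hypothetical attacker)."""
    rate = processors * trials_per_sec          # total trials per second
    return expected_trials(security_bits) / rate / SECONDS_PER_YEAR


def grover_effective_bits(security_bits: float) -> float:
    """Grover's algorithm finds one of N items in roughly sqrt(N) steps,
    so a generic search against n bits costs about 2^(n/2) steps.
    Simplified model: overheads of quantum evaluation are ignored."""
    return security_bits / 2


def security_margin(security_bits: float) -> dict:
    """Summarise classical and (idealised) quantum brute-force cost for
    one security level, in years at the modelled attacker rate."""
    quantum_bits = grover_effective_bits(security_bits)
    return {
        "bits": security_bits,
        "classical_years": brute_force_years(security_bits),
        "grover_effective_bits": quantum_bits,
        "grover_years": brute_force_years(quantum_bits),
    }


if __name__ == "__main__":
    # The two levels at issue in the thread: 128-bit and 256-bit security.
    for level in (128, 256):
        m = security_margin(level)
        print(f"{m['bits']:>3}-bit: classical ~{m['classical_years']:.2e} years, "
              f"Grover-equivalent {m['grover_effective_bits']:.0f} bits "
              f"~{m['grover_years']:.2e} years")
```

Under this model 128-bit security gives the modelled attacker a job of a few million years, matching the post's figure, while the same attacker with an idealised square-root speedup would finish a 128-bit search almost instantly; a 256-bit level still leaves a 128-bit-equivalent margin after the halving, which is the "margin of safety" the post argues for.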

