[Cryptography] NIST about to weaken SHA3?
Viktor Dukhovni
cryptography at dukhovni.org
Mon Sep 30 00:34:50 EDT 2013
On Mon, Sep 30, 2013 at 05:12:06AM +0200, Christoph Anton Mitterer wrote:
> Not sure whether this has been pointed out / discussed here already (but
> I guess Perry will reject my mail in case it has):
>
> https://www.cdt.org/blogs/joseph-lorenzo-hall/2409-nist-sha-3
I call FUD. If progress is to be made, fight the right fights.
The SHA-3 specification was not "weakened", the blog confuses the
effective security of the algorithtm with the *capacity* of the
sponge construction.
The actual NIST Proposal strengthens SHA-3 relative to the authors'
most performant proposal (http://eprint.iacr.org/2013/231.pdf
section 6.1) by rounding up the capacity of the sponge construction
to 256 bits for both SHA3-224 and SHA3-256, and rounding up to 512
bits for both SHA3-384 and SHA3-512 (matching the proposal in
section 6.2).
The result is that the 256-capacity variant gives 128-bit security
against both collision and first preimage attacks, while the 512-bit
capacity variant gives 256-bit security. This removes the asymmetry
in the security properties of the hash. Yes, this is a performance
trade-off, but it seems entirely reasonable. Do you really need
256 bits of preimage resistance with 128-bit ciphersuites, or 512
bits of preimage resistance with 256-bit ciphersuites?
SHA2-256's O(256) bits of preimage resistance was not a design
requirement, rather it needed 128-bits of collision resistance,
the stronger preimage resistance is an artifact of the construction.
For a similar sentiment see:
http://crypto.stackexchange.com/questions/10008/why-restricting-sha3-to-have-only-two-possible-capacities
--
Viktor.
More information about the cryptography
mailing list