[Cryptography] NIST about to weaken SHA3?

Viktor Dukhovni cryptography at dukhovni.org
Mon Sep 30 00:34:50 EDT 2013

On Mon, Sep 30, 2013 at 05:12:06AM +0200, Christoph Anton Mitterer wrote:

> Not sure whether this has been pointed out / discussed here already (but
> I guess Perry will reject my mail in case it has):
> https://www.cdt.org/blogs/joseph-lorenzo-hall/2409-nist-sha-3

I call FUD.  If progress is to be made, fight the right fights.

The SHA-3 specification was not "weakened", the blog confuses the
effective security of the algorithtm with the *capacity* of the
sponge construction.

The actual NIST Proposal strengthens SHA-3 relative to the authors'
most performant proposal (http://eprint.iacr.org/2013/231.pdf
section 6.1) by rounding up the capacity of the sponge construction
to 256 bits for both SHA3-224 and SHA3-256, and rounding up to 512
bits for both SHA3-384 and SHA3-512 (matching the proposal in
section 6.2).

The result is that the 256-capacity variant gives 128-bit security
against both collision and first preimage attacks, while the 512-bit
capacity variant gives 256-bit security.  This removes the asymmetry
in the security properties of the hash.  Yes, this is a performance
trade-off, but it seems entirely reasonable.  Do you really need
256 bits of preimage resistance with 128-bit ciphersuites, or 512
bits of preimage resistance with 256-bit ciphersuites?

SHA2-256's  O(256) bits of preimage resistance was not a design
requirement, rather it needed 128-bits of collision resistance,
the stronger preimage resistance is an artifact of the construction.

For a similar sentiment see:



More information about the cryptography mailing list