[Cryptography] NIST about to weaken SHA3?

Viktor Dukhovni cryptography at dukhovni.org
Mon Sep 30 10:44:17 EDT 2013


On Mon, Sep 30, 2013 at 05:45:52PM +1000, James A. Donald wrote:

> On 2013-09-30 14:34, Viktor Dukhovni wrote:
> >On Mon, Sep 30, 2013 at 05:12:06AM +0200, Christoph Anton Mitterer wrote:
> >
> >>Not sure whether this has been pointed out / discussed here already (but
> >>I guess Perry will reject my mail in case it has):
> >>
> >>https://www.cdt.org/blogs/joseph-lorenzo-hall/2409-nist-sha-3
> >I call FUD.  If progress is to be made, fight the right fights.
> >
> >The SHA-3 specification was not "weakened", the blog confuses the
> >effective security of the algorithm with the *capacity* of the
> >sponge construction.
> 
> SHA3 has been drastically weakened from the proposal that was
> submitted and cryptanalyzed:  See for example slides 43 and 44 of
> https://docs.google.com/file/d/0BzRYQSHuuMYOQXdHWkRiZXlURVE/edit

Have you read the SAKURA paper?

    http://eprint.iacr.org/2013/231.pdf

In section 6.1 it describes 4 capacities for the SHA-2 drop-in
replacements, and in 6.2 these are simplified to two (and strengthened
for the truncated digests) i.e. the proposal chosen by NIST.

Should one also accuse ESTREAM of maliciously weakening SALSA?  Or
might one admit the possibility that winning designs in contests
are at times quite conservative and that one can reasonably
standardize less conservative parameters that are more competitive
in software?

If SHA-3 is going to be used, it needs to offer some advantages
over SHA-2.  Good performance and built-in support for tree hashing
(ZFS, ...) are acceptable reasons to make the trade-off explained
on slides 34, 35 and 36 of:

    https://ae.rsaconference.com/US13/connect/fileDownload/session/397EA47B1FB103F0B3E87D6163C7129E/CRYP-W23.pdf

-- 
	Viktor.
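An added worked example (mine, not code from the thread, from NIST or from the Keccak team) of the point argued above: the capacity is a parameter of the sponge, not a different algorithm. It is a Keccak-f[1600] sponge with the capacity as an explicit argument, checked against hashlib's SHA3-256 (c = 512) and SHAKE128 (c = 256), and it reports the generic flat-sponge bounds and the number of permutation calls per message, which is where the software performance trade-off comes from. The concrete capacity figures used in the test (c = 2d in the original submission, 256 and 512 in the two-capacity proposal) are my recollection, not values quoted on this page, which only points to the SAKURA sections.

```python
import hashlib
MASK = (1 << 64) - 1
RC = [0x0000000000000001, 0x0000000000008082, 0x800000000000808A, 0x8000000080008000,
      0x000000000000808B, 0x0000000080000001, 0x8000000080008081, 0x8000000000008009,
      0x000000000000008A, 0x0000000000000088, 0x0000000080008009, 0x000000008000000A,
      0x000000008000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003,
      0x8000000000008002, 0x8000000000000080, 0x000000000000800A, 0x800000008000000A,
      0x8000000080008081, 0x8000000000008080, 0x0000000080000001, 0x8000000080008008]
ROT = [[0, 36, 3, 41, 18], [1, 44, 10, 45, 2], [62, 6, 43, 15, 61],
       [28, 55, 25, 21, 56], [27, 20, 39, 8, 14]]          # rho offsets, ROT[x][y]

def rol(v, n): return ((v << n) | (v >> (64 - n))) & MASK  # 64-bit rotate left

def keccak_f1600(S):  # 24 rounds on 25 little-endian lanes, lane (x, y) at S[x + 5*y]
    for rc in RC:
        C = [S[x] ^ S[x + 5] ^ S[x + 10] ^ S[x + 15] ^ S[x + 20] for x in range(5)]
        D = [C[(x - 1) % 5] ^ rol(C[(x + 1) % 5], 1) for x in range(5)]
        S = [S[i] ^ D[i % 5] for i in range(25)]                          # theta
        B = [0] * 25
        for x in range(5):
            for y in range(5):                                           # rho + pi
                B[y + 5 * ((2 * x + 3 * y) % 5)] = rol(S[x + 5 * y], ROT[x][y])
        S = [B[i] ^ ((B[(i + 1) % 5 + 5 * (i // 5)] ^ MASK) & B[(i + 2) % 5 + 5 * (i // 5)])
             for i in range(25)]                                         # chi
        S[0] ^= rc                                                       # iota
    return S

def sponge(msg, capacity, out_bytes, suffix=0x06):  # Keccak[c]; 0x06 = SHA-3, 0x1F = SHAKE
    rate = (1600 - capacity) // 8          # bytes absorbed per permutation call
    p = bytearray(msg) + bytes([suffix])   # pad10*1 behind the FIPS 202 domain suffix
    p += bytes(-len(p) % rate)
    p[-1] |= 0x80
    S, calls = [0] * 25, 0
    for off in range(0, len(p), rate):     # absorb: only the rate part is ever XORed
        block = p[off:off + rate] + bytes(200 - rate)
        S = [S[i] ^ int.from_bytes(block[8 * i:8 * i + 8], "little") for i in range(25)]
        S, calls = keccak_f1600(S), calls + 1
    out = b""
    while len(out) < out_bytes:            # squeeze: the capacity part is never output
        out += b"".join(lane.to_bytes(8, "little") for lane in S)[:rate]
        if len(out) < out_bytes:
            S, calls = keccak_f1600(S), calls + 1
    return bytes(out[:out_bytes]), calls

def generic_security(capacity, d):  # flat-sponge bounds in bits: (collision, preimage)
    return min(d // 2, capacity // 2), min(d, capacity // 2)

def matches_hashlib(msg):  # c=512 is SHA3-256's capacity, c=256 is SHAKE128's (FIPS 202)
    return (sponge(msg, 512, 32)[0] == hashlib.sha3_256(msg).digest()
            and sponge(msg, 256, 32, 0x1F)[0] == hashlib.shake_128(msg).digest(32))
```

For a 256-bit digest, generic_security(512, 256) gives (128, 256) and generic_security(256, 256) gives (128, 128): the collision bound is unchanged, the preimage bound drops to c/2, and a 4 KiB message costs 31 permutation calls at c = 512 versus 25 at c = 256.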