[Cryptography] NIST about to weaken SHA3?

Christoph Anton Mitterer calestyo at scientia.net
Mon Sep 30 17:37:32 EDT 2013

On Mon, 2013-09-30 at 14:44 +0000, Viktor Dukhovni wrote:
> If SHA-3 is going to be used, it needs to offer some advantages
> over SHA-2.  Good performance and built-in support for tree hashing
> (ZFS, ...) are acceptable reasons to make the trade-off explained
> on slides 34, 35 and 36 of:

Well, I think the most important advantage would be more security...
performance can only have a far lower priority... otherwise the whole
thing is rubbish.
Sure, SHA2 is far from being broken, but we've seen some first scratches
in SHA1 already... so it doesn't hurt if we have an algo which is based
on different principles, and has a high security margin.

I guess we've seen that in the most recent developments... better take
twice or three times what we expect to be the reasonable security
margins, since we don't exactly know what the NSA and friends are capable of.
Better try to combine different algos, for the same reason.

NIST has somewhat proven that they can't be trusted, IMHO, regardless
of whether they just didn't notice what the NSA did, whether they
happily helped the agency, or whether they were forced to by law.
For us this doesn't matter.

To my understanding, performance wasn't the top priority during the SHA3
competition, otherwise other algos might have been even better than
So this move now is highly disturbing and people should question what
NIST/NSA know that we don't.
Can you really exclude for sure that they haven't found some weaknesses
which only apply at lower capacities?

In a way, that reminds me of ECC and the issues with the curves (not from
a mathematical POV, of course)... we have some (likely) fine
algorithm... but the bad[0] guys standardise some parameters (like the
At some point we smell the scandal and start wondering if we wouldn't
be far better off with a different set of curves... but in practice it's
more or less too late then (well, at least it's very problematic), since
all the world is using that set of standardised curves.

It seems a bit as if we now do the same... following NIST/NSA like

Keccak seems to be a fine algorithm... perhaps it would be better to
screw SHA3 altogether and let the community decide upon a common set of
concrete algos (i.e. a community-SHA3) which is then to be standardised
by the IETF, or whatever else.

And better take two or four times the capacity and/or bit-lengths than
what we optimistically consider to be very secure.


[0] In contrast to the evil guys, like terrorists and so on.
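The capacity trade-off the thread argues about, as an added example that is not part of the post or of the Keccak code base: a generic sponge construction over a constructed toy 64-bit permutation (assumed here purely so the absorb/squeeze loop has something to iterate; it is not Keccak-f), plus the "flat sponge claim" arithmetic that ties the capacity c to the generic security bound 2^(c/2) and the rate r = b - c to bytes processed per permutation call. The function and parameter names are the example's own.

```python
# Added example (not from the mailing-list post): a generic sponge construction
# over a constructed toy permutation, plus the "flat sponge claim" arithmetic
# that ties Keccak's capacity c to its generic security bound and its rate
# r = b - c to throughput. Nothing here is Keccak-f itself.

B_TOY = 64  # bit width of the toy state; Keccak-f[1600] uses b = 1600


def toy_permutation(state: int) -> int:
    """Constructed 64-bit bijection (xorshift steps plus an odd-multiplier
    affine step, each invertible mod 2^64). It only gives the sponge something
    to iterate; no cryptographic strength is claimed for it."""
    mask = (1 << B_TOY) - 1
    x = state & mask
    for _ in range(4):
        x ^= (x << 13) & mask
        x ^= x >> 7
        x ^= (x << 17) & mask
        x = (x * 0x9E3779B97F4A7C15 + 0x2545F4914F6CDD1D) & mask
    return x


def pad10star1(msg: bytes, rate_bytes: int) -> bytes:
    """Keccak-style multi-rate padding: 0x01, zero or more 0x00, then 0x80
    (a single 0x81 when exactly one byte of the block is left)."""
    q = rate_bytes - (len(msg) % rate_bytes)
    if q == 1:
        return msg + b"\x81"
    return msg + b"\x01" + b"\x00" * (q - 2) + b"\x80"


def sponge_hash(msg: bytes, rate_bits: int, out_bits: int) -> bytes:
    """Absorb message blocks into the first rate_bits of the state, permute,
    then squeeze out_bits. The remaining capacity c = B_TOY - rate_bits never
    sees message bits or leaves the state directly; that is what the generic
    security bound rests on."""
    assert 0 < rate_bits < B_TOY and rate_bits % 8 == 0 and out_bits % 8 == 0
    rate_bytes = rate_bits // 8
    rate_mask = (1 << rate_bits) - 1
    state = 0
    padded = pad10star1(msg, rate_bytes)
    for i in range(0, len(padded), rate_bytes):  # absorbing phase
        block = int.from_bytes(padded[i:i + rate_bytes], "little")
        state = toy_permutation(state ^ block)
    out = bytearray()
    while len(out) < out_bits // 8:  # squeezing phase
        out += (state & rate_mask).to_bytes(rate_bytes, "little")
        state = toy_permutation(state)
    return bytes(out[:out_bits // 8])


def flat_sponge_claim(capacity_bits: int, output_bits: int) -> dict:
    """Generic security levels (log2 of the work) under the flat sponge claim
    the Keccak designers make: any attack costs at least 2^(c/2), and never
    more than the random-oracle bound for an n-bit output."""
    half_c = capacity_bits // 2
    return {
        "collision": min(output_bits // 2, half_c),
        "preimage": min(output_bits, half_c),
        "second_preimage": min(output_bits, half_c),
    }


def keccak_tradeoff(capacity_bits: int, output_bits: int, width_bits: int = 1600) -> dict:
    """For a fixed permutation width b, lowering c raises r = b - c (more
    message bytes per permutation call, i.e. throughput) and lowers the
    generic bound c/2 at the same time; raising c does the reverse."""
    rate_bits = width_bits - capacity_bits
    return {"rate_bits": rate_bits,
            "bytes_per_call": rate_bits // 8,
            **flat_sponge_claim(capacity_bits, output_bits)}


if __name__ == "__main__":
    # constructed sample: 256-bit output at three capacities, then one toy hash
    for c in (256, 512, 1024):
        print(f"c={c:4d}:", keccak_tradeoff(c, 256))
    print(sponge_hash(b"constructed sample message", 32, 64).hex())
```

Running the table shows the shape of the argument: with b = 1600 and a 256-bit output, c = 512 gives a 1088-bit rate and a 256-bit preimage bound, halving c to 256 buys a 1344-bit rate at the price of a 128-bit preimage bound, and doubling c to 1024 drops the rate to 576 bits without raising the bound above what the 256-bit output already caps it at.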
