[Cryptography] NIST about to weaken SHA3?

Viktor Dukhovni cryptography at dukhovni.org
Mon Sep 30 19:09:27 EDT 2013


On Tue, Oct 01, 2013 at 07:21:03AM +1000, James A. Donald wrote:

> On 2013-10-01 00:44, Viktor Dukhovni wrote:
> >Should one also accuse ESTREAM of maliciously weakening SALSA?  Or
> >might one admit the possibility that winning designs in contests
> >are at times quite conservative and that one can reasonably
> >standardize less conservative parameters that are more competitive
> >in software?
> 
> "less conservative" means weaker.

Weakening SHA3 to gain cryptanalytic advantage does not make much
sense.  SHA3 collisions or preimages even at 80-bit cost don't
provide anything interesting to a cryptanalyst, and MITM attackers
will attack much softer targets.

We know exactly why it was "weakened".  The proposed SHA3-256
digest gives 128 bits of security for both collisions and preimages.
Likewise the proposed SHA3-512 digest gives 256 bits of security
for both collisions and preimages.

> Weaker in ways that the NSA has examined, and the people that chose
> the winning design have not.

The lower capacity is not weaker in obscure ways.  If Keccak delivers
substantially less than c/2 security, then it should not have been
chosen at all.

If you believe that 128-bit preimage and collision resistance is
inadequate in combination with AES128, or 256-bit preimage and
collision resistance is inadequate in combination with AES256,
please explain.

> Why then hold a contest and invite outside scrutiny in the first place?

The contest led to an excellent new hash function design.

> This is simply a brand new unexplained secret design emerging from
> the bowels of the NSA, which already gave us a variety of backdoored
> crypto.

Just because they're after you, doesn't mean they're controlling
your brain with radio waves.  Don't let FUD cloud your judgement.

-- 
	Viktor.
