[Cryptography] NIST about to weaken SHA3?
watsonbladd at gmail.com
Mon Sep 30 18:51:13 EDT 2013
On Mon, Sep 30, 2013 at 2:21 PM, James A. Donald <jamesd at echeque.com> wrote:
> On 2013-10-01 00:44, Viktor Dukhovni wrote:
>> Should one also accuse ESTREAM of maliciously weakening SALSA? Or
>> might one admit the possibility that winning designs in contests
>> are at times quite conservative and that one can reasonably
>> standardize less conservative parameters that are more competitive
>> in software?
> "less conservative" means weaker.
> Weaker in ways that the NSA has examined, and the people that chose the
> winning design have not.
This isn't true: Keccak's designers proposed a wide range of capacity
parameters for different environments.
> Why then hold a contest and invite outside scrutiny in the first place?
> This is simply a brand new unexplained secret design emerging from the
> bowels of the NSA, which already gave us a variety of backdoored crypto.
No, it is the Keccak construction with a different rate and capacity.
> The design process, the contest, the public examination, was a lie.
> Therefore, the design is a lie.
I'm sorry, but the tradeoffs in capacity and their implications were part
of the Keccak submission from the beginning. During the entire process
commentators were questioning the difference between collision security and
preimage security, as it was clear that collisions kill a hash as dead as
preimages. This was a topic of debate on the SHA-3 list between DJB and
others, because DJB designed Cubehash to have the same tradeoff as the
design NIST is proposing to standardize.
"Those who would give up Essential Liberty to purchase a little Temporary
Safety deserve neither Liberty nor Safety."
-- Benjamin Franklin
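The point of the reply above is that "the Keccak construction with a different rate and capacity" is the same permutation with a different split of the 1600-bit state, and that the capacity, not the output length, sets the generic preimage bound. The following is an added example, not code from the thread or from the Keccak team: a from-scratch Keccak-f[1600] sponge in pure Python, used to build SHA3-256, SHA3-512 and SHAKE128 from one permutation and cross-checked against the standard library's `hashlib` (CPython 3.6 or later is assumed). The `generic_security_bits` helper computes the flat sponge bounds (collisions at about 2^(c/2) or 2^(n/2), preimages at about 2^(c/2) or 2^n, whichever is smaller) so the collision-versus-preimage tradeoff discussed above can be read off for any capacity; the capacity-256 case is illustrated with SHAKE128's parameters and is not a statement about any particular NIST proposal.

```python
# Added example (not from the thread): a minimal Keccak sponge in pure Python.
# One permutation, Keccak-f[1600], serves every instance; only the rate/capacity
# split and a domain-separation suffix differ. Cross-checked against hashlib.
import hashlib

MASK64 = (1 << 64) - 1

# Round constants for the iota step, one per round of Keccak-f[1600].
RC = [0x0000000000000001, 0x0000000000008082, 0x800000000000808A, 0x8000000080008000,
      0x000000000000808B, 0x0000000080000001, 0x8000000080008081, 0x8000000000008009,
      0x000000000000008A, 0x0000000000000088, 0x0000000080008009, 0x000000008000000A,
      0x000000008000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003,
      0x8000000000008002, 0x8000000000000080, 0x000000000000800A, 0x800000008000000A,
      0x8000000080008081, 0x8000000000008080, 0x0000000080000001, 0x8000000080008008]

# Rotation offsets for the rho step, indexed ROT[x][y].
ROT = [[0, 36, 3, 41, 18],
       [1, 44, 10, 45, 2],
       [62, 6, 43, 15, 61],
       [28, 55, 25, 21, 56],
       [27, 20, 39, 8, 14]]


def rol64(v, n):
    """Rotate a 64-bit lane left by n bits (n = 0 is a no-op)."""
    return ((v << n) | (v >> (64 - n))) & MASK64


def keccak_f1600(lanes):
    """Apply all 24 rounds of Keccak-f[1600] to a 5x5 lane array lanes[x][y]."""
    a = lanes
    for rc in RC:
        # theta: mix each column parity into neighbouring columns
        c = [a[x][0] ^ a[x][1] ^ a[x][2] ^ a[x][3] ^ a[x][4] for x in range(5)]
        d = [c[(x - 1) % 5] ^ rol64(c[(x + 1) % 5], 1) for x in range(5)]
        a = [[a[x][y] ^ d[x] for y in range(5)] for x in range(5)]
        # rho (per-lane rotation) and pi (lane transposition) in one pass
        b = [[0] * 5 for _ in range(5)]
        for x in range(5):
            for y in range(5):
                b[y][(2 * x + 3 * y) % 5] = rol64(a[x][y], ROT[x][y])
        # chi: the only non-linear step, a row-wise AND/NOT
        a = [[b[x][y] ^ (~b[(x + 1) % 5][y] & b[(x + 2) % 5][y]) for y in range(5)]
             for x in range(5)]
        # iota: break the round symmetry with a constant
        a[0][0] ^= rc
    return a


def permute(state):
    """Run Keccak-f[1600] on a 200-byte state; lane (x, y) is little-endian at x + 5y."""
    lanes = [[int.from_bytes(state[8 * (x + 5 * y):8 * (x + 5 * y) + 8], "little")
              for y in range(5)] for x in range(5)]
    lanes = keccak_f1600(lanes)
    out = bytearray(200)
    for x in range(5):
        for y in range(5):
            out[8 * (x + 5 * y):8 * (x + 5 * y) + 8] = lanes[x][y].to_bytes(8, "little")
    return out


def sponge(message, rate_bytes, suffix, out_len):
    """Keccak sponge with rate r = 8 * rate_bytes bits and capacity c = 1600 - r.
    suffix is the domain-separation byte (0x06 for SHA-3, 0x1F for SHAKE);
    pad10*1 then sets the final bit of the last rate-sized block."""
    padded = bytearray(message) + bytes([suffix])
    padded += bytes(-len(padded) % rate_bytes)
    padded[-1] |= 0x80
    state = bytearray(200)
    # absorb: XOR each block into the outer (rate) part, then permute;
    # the inner (capacity) part is never written by the message directly
    for off in range(0, len(padded), rate_bytes):
        for i in range(rate_bytes):
            state[i] ^= padded[off + i]
        state = permute(state)
    # squeeze: read the outer part, permuting again only if more output is needed
    out = bytearray()
    while len(out) < out_len:
        out += state[:rate_bytes]
        if len(out) < out_len:
            state = permute(state)
    return bytes(out[:out_len])


# FIPS 202 instances: same permutation, different (rate, capacity, suffix).
def sha3_256(msg):
    return sponge(msg, 136, 0x06, 32)      # r = 1088, c = 512


def sha3_512(msg):
    return sponge(msg, 72, 0x06, 64)       # r = 576, c = 1024


def shake128(msg, out_len):
    return sponge(msg, 168, 0x1F, out_len)  # r = 1344, c = 256, variable output


def generic_security_bits(capacity_bits, output_bits):
    """Flat sponge bounds in bits of work: collisions cost about
    min(2^(n/2), 2^(c/2)); preimages about min(2^n, 2^(c/2))."""
    return {"collision": min(output_bits // 2, capacity_bits // 2),
            "preimage": min(output_bits, capacity_bits // 2)}


def matches_stdlib():
    """Cross-check all three instances against hashlib on inputs spanning block boundaries."""
    samples = [b"", b"abc", b"a" * 135, b"a" * 136, b"a" * 1000]  # constructed inputs
    return all(
        sha3_256(m) == hashlib.sha3_256(m).digest()
        and sha3_512(m) == hashlib.sha3_512(m).digest()
        and shake128(m, 300) == hashlib.shake_128(m).digest(300)
        for m in samples)


if __name__ == "__main__":
    print("SHA3-256(''):", sha3_256(b"").hex())
    print("matches hashlib:", matches_stdlib())
    # (capacity, output) pairs: SHA3-256, SHA3-512, and a 512-bit output drawn
    # from a capacity-256 sponge, where the preimage bound drops to c/2 = 128
    for c, n in ((512, 256), (1024, 512), (256, 512)):
        print(f"c={c} n={n}:", generic_security_bits(c, n))
```

The last loop is the point of the exercise: at c = 1024 a 512-bit output keeps 512-bit preimage and 256-bit collision resistance, while at c = 256 the same 512-bit output is bounded at 128 bits for both, which is exactly the "collision security equals preimage security" tradeoff the reply attributes to the reduced-capacity parameter sets.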