[Cryptography] SHA-3 FIPS-202: no SHAKE512 but SHAKE128; confusing SHAKE security
ianG
iang at iang.org
Fri Aug 14 23:39:01 EDT 2015
On 13/08/2015 00:55 am, dj at deadhat.com wrote:
>
>> addition: afaik nist at one point considered adding a remark that
>> shakes are the preferred primitives. it is apparently missing from the
>> final document. which i find unfortunate.
>
> However in my experience so far, the shakes are the preferred primitives.
> When you're getting a room of people in a standards group to first agree
> on a minimum security strength (say O(2^128)) then to agree on a hash,
> taking recent history into account and looking to the future deployments,
> the shakes are the obvious choice and shake128 has already been adopted in
> one standards body I'm involved in.

Ever since the Lenstra & Verheul 2001 paper, people have been arguing
about how to match up strengths. To little consistent and
methodological effect.

Keccak may be the most significant step since then. It at least claims
an internally consistent methodology.

(I might be wrong. Maybe they stole it from somewhere else. But
keylength.com is testament to a 15 year history of ad hoc methods.)

iang