[Cryptography] SHA-3 FIPS-202: no SHAKE512 but SHAKE128; confusing SHAKE security

Phillip Hallam-Baker phill at hallambaker.com
Sat Aug 15 12:11:03 EDT 2015


On Fri, Aug 14, 2015 at 11:30 PM, ianG <iang at iang.org> wrote:

> On 14/08/2015 20:15 pm, ianG wrote:
>
>> So if people want to go full IoT, can we ask:  what does that mean?  Can
>> we draw the line and say the OpenPGP offering here is CipherSuiteIoT
>> which means x/y/z in numbers and params and no more no less?
>>
>> PHB:
>>  > IOT looks set to create a demand
>>  > for an absolutely minimal cryptographic
>>  > suite. One signature algorithm, one
>>  > exchange algorithm, both on the same
>>  > curve, one authenticated encryption
>>  > mode, one digest/pseudorandom function.
>>
>>
>> Or are we offering full cipher flexibility to those IoT designers, and
>> thus forcing them to implement all the multiples, because they won't
>> know what other designers will choose, etc?
>>
>> My thinking right now is that (assuming we're doing this) we should put
>> in the draft a recommendation that precisely identifies a minimum
>> most-popular obligatory to implement suite that covers as far down as we
>> can get it.  And leave the rest up to the market?
>>
>
>
>
> Wait - I'm on the wrong bloody list .. this was supposed to be a message
> to OpenPGP.  Oh well.


Actually, it might be better to have that conversation here.

Something that really worries me about the OpenPGP discussion is that the
tone of the discussion is 'prove to me that this attack is a problem', not
'prove to me that this attack is not a concern'.


I think the IoT space is so diffuse that we risk ending up talking
nonsense. I see three distinct classes of machine:

1) Effectively unconstrained. Any desktop, smartphone or tablet. Anything
at or above Raspberry Pi capabilities.

2) Demanding thought and care

3) Ridiculously underpowered. Anything with an 8 bit core.


Yes, there will be devices in the third category. But guess what, they
don't have to do public key at all. Or if they do, they only need to do it
during one-time initialization.

The hard bit is the bit in the middle. And even Windows 10 IoT is likely to
pose issues. Yes, you can use a Raspberry Pi 2 to develop, and the chip at
the center of the device only costs a buck. But that is a development
environment. If you went into production you would want to go for the
lowest power, lowest cost or otherwise best chip you can find.

Raspberry Pi can easily do AES256. But you might well want to ask yourself
if you really, really need AES128 and AES256. Every module you add to your
device means more memory, longer startup times and so on.


Right now we do have a de facto consensus algorithm suite:

SHA-2-256
HMAC-SHA-2-256
AES128 CBC
RSA-2048
ECDH-256

The main problem with this set is the RSA part, and in particular key
generation, which is difficult and painful. The strength is not ideal either,
and RSA really hits diminishing returns above 2048 bits.

I think we will settle on a new de facto consensus. But I think it's going to
be centered on the 256 bit algorithms:

SHA-3-512
AES256-GCM
CFRG-SIG-448
CFRG-DH-448
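The "one digest/pseudorandom function" idea quoted above, and the SHA-2-256 / HMAC-SHA-2-256 pair in the consensus list, amount to one hash primitive filling three roles: plain digest, MAC, and key-derivation PRF. The following is an added example, not code from this post or from any OpenPGP implementation: it builds HMAC and HKDF (RFC 5869) on top of a single hashlib hash so that a constrained device needs only one hash module for all three roles, and it is parameterised by hash name so the same code runs unchanged with SHA-3-512. The inputs are the constructed RFC 5869 Test Case 1 values so the output can be checked against the published vector. The signature, key-exchange and AEAD parts of a suite are not shown.

```python
import hashlib
import hmac

# Constructed inputs: RFC 5869 Test Case 1 (HMAC-SHA-256), so the derived
# key material can be compared with a published vector.
IKM = bytes([0x0b] * 22)              # input keying material (e.g. an ECDH shared secret)
SALT = bytes(range(0x00, 0x0d))       # 13 bytes 00..0c
INFO = bytes(range(0xf0, 0xfa))       # 10 bytes f0..f9


def digest(data: bytes, hash_name: str = "sha256") -> bytes:
    """Role 1: plain message digest."""
    return hashlib.new(hash_name, data).digest()


def mac(key: bytes, data: bytes, hash_name: str = "sha256") -> bytes:
    """Role 2: message authentication, HMAC built over the same hash."""
    return hmac.new(key, data, hash_name).digest()


def hkdf_extract(salt: bytes, ikm: bytes, hash_name: str = "sha256") -> bytes:
    """HKDF-Extract (RFC 5869 s2.2): PRK = HMAC(salt, IKM).

    An empty salt is replaced by HashLen zero bytes, as the RFC specifies."""
    if not salt:
        salt = bytes(hashlib.new(hash_name).digest_size)
    return mac(salt, ikm, hash_name)


def hkdf_expand(prk: bytes, info: bytes, length: int,
                hash_name: str = "sha256") -> bytes:
    """HKDF-Expand (RFC 5869 s2.3): T(i) = HMAC(PRK, T(i-1) | info | i).

    Role 3: the hash acts as the PRF that stretches one secret into keys."""
    hash_len = hashlib.new(hash_name).digest_size
    if length > 255 * hash_len:
        raise ValueError("requested output too long for HKDF-Expand")
    okm = b""
    block = b""
    counter = 1
    while len(okm) < length:
        block = mac(prk, block + info + bytes([counter]), hash_name)
        okm += block
        counter += 1
    return okm[:length]


def derive_aead_material(ikm: bytes, salt: bytes, info: bytes,
                         hash_name: str = "sha256"):
    """Derive a 256-bit AEAD key and a 96-bit nonce base from one secret.

    Distinct 'info' labels keep the two outputs cryptographically separate."""
    prk = hkdf_extract(salt, ikm, hash_name)
    key = hkdf_expand(prk, info + b"key", 32, hash_name)
    nonce = hkdf_expand(prk, info + b"nonce", 12, hash_name)
    return key, nonce


if __name__ == "__main__":
    prk = hkdf_extract(SALT, IKM)
    print("PRK  =", prk.hex())
    print("OKM  =", hkdf_expand(prk, INFO, 42).hex())
    key, nonce = derive_aead_material(IKM, SALT, INFO, "sha3_512")
    print("SHA-3-512 key/nonce lengths:", len(key), len(nonce))
```

Running the script with the default hash prints the RFC 5869 PRK and 42-byte OKM; switching `hash_name` to `"sha3_512"` exercises exactly the same code path, which is the practical content of "one digest/PRF": the device ships one hash implementation and gets digest, MAC and KDF from it.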