[Cryptography] SHA-3 FIPS-202: no SHAKE512 but SHAKE128; confusing SHAKE security
Krisztián Pintér
pinterkr at gmail.com
Sat Aug 15 14:21:45 EDT 2015
Phillip Hallam-Baker (at Saturday, August 15, 2015, 6:11:03 PM):
> I think we will settle on a new de facto consensus. But I think it's
> going to be centered on the 256 bit algorithms:
> SHA-3-512
> AES256-GCM
> CFRG-SIG-448
> CFRG-DH-448
first of all using sha-3-512 seems very weird, it is the one primitive
most suffering the most severe performance hit from the oversized
preimage. SHAKE256 seems to be the better option.
but the more interesting question is: why aes-gcm if you already have
keccak in there? keccak supports a one-pass authenticated encryption
scheme. http://keccak.noekeon.org/KeccakDIAC2012.pdf
getting rid of gcm seems to be a good thing in itself.