Did NIST Cripple SHA-3? 169
An anonymous reader writes "In the process of standardizing the SHA-3 competition winning algorithm Keccak, the National Institute of Standards and Technology (NIST) may have lowered the bar for attacks, which might be useful for or even initiated by NSA. 'NIST is proposing a huge reduction in the internal strength of Keccak below what went into final SHA-3 comp,' writes cryptographer Marsh Ray on Twitter. In August, John Kelsey, working at NIST, described (slides 44-48) the changes to the algorithm, including reduction of the bit length from 224, 256, 384 and 512-bit modes down to 128 and 256-bit modes."
Why do we even go to these orgs anymore... (Score:4, Interesting)
I say we just use the algorithms Schneier has invented and nothing else. Why do we even go to these standards approvers in the first place. The open source community should get together and hold they're own competition and forget anyone who's in anyway associated with any org starting with N*. Can someone please make an open source "Scheneier Suite" of cryptography written in C for the world to make use of already please!?
-- stoops
Re:Why do we even go to these orgs anymore... (Score:5, Interesting)
I do most of my work in Perl, and I happen to heavily utilize Blowfish and Twofish. Perhaps you should think about what your application pipeline requirements actually need in terms of crypto and then look into the various modules that interoperate under the umbrella of Crypt::CBC [cpan.org].
Re: (Score:2)
are you serious?
Of course the manager does not know Blowfish, Twofish, AES ... you just tell him: We now use a more secure algorithm, and he goes "good, this will protect our customers. Continue to have such good ideas, please!"
Re: (Score:2)
I probably shouldn't be replying to a troll, but what the hell, this one is just too hard to pass up. Thousands of companies around the world, including many of your favorite Fortune 500s, use Perl for tasks ranging from mission critical systems programming, to application integration, to enterprise reporting and sure, web applications. You must be living a pretty sheltered life; if you truly work in an enterprise environment, have you bothered taking a look at what powers your company recently? Hint: there
Re: (Score:3)
Re: (Score:2)
Unless you know what you're doing and have a very good reason to use the modules under the Crypt namespace directly, you should generally be using Crypt::CBC with them, at least for most common purposes.
The actual Blowfish cryptography core of Crypt::Blowfish is written in C. You can verify this by downloading the tarball [cpan.org] and looking at the source. There is a pure Perl version [cpan.org] available as well, but it's slower.
The cores of Crypt::DES, Crypt::Rijndael, etc are also written in C.
Re: (Score:2)
I say we just trust Schneier unconditionally, because he's the good guy.
ALL HAIL CRYPTOTOAD!
Re:Why do we even go to these orgs anymore... (Score:5, Insightful)
Re:Why do we even go to these orgs anymore... (Score:5, Insightful)
And he, like everyone else who's reasonable, believes in standards processes to test and check each others' algorithms and pick the best ones. The problem is making sure these standards systems are open and above board.
Re: (Score:3)
Very prudent. By the way, it's a slim possibility that he's the NSA's Emmanuel Goldstein (https://en.wikipedia.org/wiki/Emmanuel_Goldstein). Not necessarily likely, but the point should be that rather than trusting a person it's better to trust the process of critical examination of all aspects of the crypto. That's not a task any one individual (even the most honest, most intelligent human alive) can do by themselves. In short, we need a large organization of dedicated folks operating transparently, wh
Re: (Score:2)
Re: (Score:2)
The same kind of argument goes for the NSA as well. Why do you think people accepted their recommendations?
Re: (Score:2)
I say we just trust Schneier unconditionally, because he's the good guy.
ALL HAIL CRYPTOTOAD!
I'm sure that if people did that en masse he would be immune to any threats or rewards offered by NIST
Re: (Score:2)
I think we can get a volunteer to do almost that. But they are insisting on calling the suito of routines the âoeNew Scheneier Algorithms" for some reason.
Seriously, one of the major problems to be surmounted is not just availability, but getting it accepted as a standard. The NSA is going to have Microsoft distributing their brand of protection: Microsoft is organized in the US, and will. Use the oS national standard.
But there are other countries out there. China, while a big producer of goods, is goi
Re: (Score:3)
IP was standardized, right? I mean, you don't have to have clearance, or be a government rep, to visit the IETF? Well, maybe IP is a bad example as such, but nowadays, there are many networking protocols that come out of the public domain. Why couldn't it be the same for cryptography?
Re: (Score:2)
But it doesn't have to be a NIST standard. It could be an ISO or ANSI standard (encryption may be used at least as much for communication as for storage, so that might make sense), for instance. ISO probably makes more sense anyway, as NIST is a purely US standards organization.
Then we can be in the weird position where only the NSA uses the NSA-weakened algorithms...
Re: (Score:2)
ISO can be bought, as shown so well by Microsoft. They've lost any trust they ever had.
Re: (Score:2)
"ISO can be bought, as shown so well by Microsoft. They've lost any trust they ever had."
Perhaps that's true. But the fact that NIST has been the instrument of Government interference with cryptography has been known since the early 90s, with the Skipjack/Clipper debacle.
Re: (Score:2)
I agree completely. I'm just advocating the use of a standards agency the isn't US government controlled and can't be bought. ISO fails on at least one of those requirements.
Re: (Score:2)
This is a war that the government has LOST. More than once. I really have to wonder why they keep trying.
Maybe the intelligence community is taking that word "intelligence" a bit too literally. They are NOT smarter than everybody else. And in fact that's why they try to be sneaky.
Re: (Score:2)
They shouldn't keep trying because strong encryption is good for domestic commerce and international trade. Since all wars are, ultimately, economic - when you run out of the ability to continue fighting, you're done - anything that weakens commerce should require significant, tangible and measurable benefits to justify.
Weakening the economy deliberately only makes sense if your enemy is the people who compose it....
Re: (Score:3)
"The question is why SHOULDN'T they keep trying ... the upside of winning is pure gold for them."
No, it isn't. Not even close. It's the opposite.
In the very short term they'd enjoy an advantage. Sure. BUT... as has been proven time and time again (which was part of my point), they really aren't the smartest guys in the room. The smartest guys won't even work for them.
So what inevitably happens is somebody else gets the technology -- because of leaks or parallel research -- and their advantage is not just lost, it's given to somebody else. Because now THEY can access all these things now, too, wit
Implementation (Score:2)
Re:Why do we even go to these orgs anymore... (Score:4, Informative)
Two reasons.
1) Because having a standard means that everyone using SHA-3 will get the same result, instead of every implementation coming out with a different answer of totally unknown integrity. With a standard, I can verify the integrity of program-X's hashing simply by comparing it to a small sample of know plantexts and hash values.
2) Because most software houses dream of someday getting a government contract - Maybe military, but don't forget about the 14% of Americans that in some way work for the government. Any software they use needs to adhere to the standards issued by the government, or no dice.
And really, simple as that.
Re: (Score:3)
I'm against placing one person in charge of anything important but I'd trust a Schneier standard a hell of a lot more than a government standard. If I could believe he hadn't been leaned upon by the government. Can we responsibly believe that?
Re: (Score:3)
Unfortunately, I would have to say conclusively "no". We've already seen quite a few big names on our side tacitly admit that the NSA has pushed on them - Phil Zimmerman, PJ of Groklaw, even Linux Torvalds.
Currently, I'd say we've reached the point where we can't trust any software in the wild. At an absolute minimum, if we didn't personally compile something, it goes in the "likely compromised" pile. An
Re: (Score:2)
Re: (Score:2)
We don't know that there was any direct pressure. We don't know there wasn't, either. And there was clearly indirect pressure.
They're guilty, we just aren't sure exactly HOW guilty.
Re: (Score:2)
Why do we have to go with Schneier? Why not have a standardized version of all the final candidate algorithms?
Re: (Score:2)
Having support for a large number of different algorithms in a program or standard increases the risk of downgrade attacks. If just one of the algorithms turns out to be weak, an attacker might be able to lure the two parties into picking a less secure algorithm when they negotiate.
Re: (Score:2)
You can just use NSA standard when doing work for the government and something else when doing other work, what's the big deal?
Re: (Score:2)
With a standard you can have confidence that everyone's implementation of SHA-3 has been compromised and crippled by the NSA.
Re:Why do we even go to these orgs anymore... (Score:5, Informative)
In case you haven't noticed, the NSA are spies. They do nothing but infiltrate groups of interest all day long.
Such a group of OS programmers would be the perfect target. And why do we trust Schneier more than anyone else such that his involvement means something is acceptable? I love the guy, but no, that's not how trust works for mass-public security systems. If the NSA/GCHQ spies are working at anywhere near the levels they were back in their heyday of WW2, then Bruce would be my prime candidate for "beyond suspicion" and thus my first inclination that - somewhere, somehow - he could be a shill for them. I'm not seriously saying he is or isn't, but the point of security is that NOBODY should hold any special power over anyone else, certainly not the ability to single-handedly "approve" a worldwide security standard.
No, what we do is carry on as normal. Put all the algorithms to public testing. As attacks are found, knock out the vulnerable ones like a game of Guess Who, and only ever use whatever is still standing. You can't defend against attacks that you do not know about and if such agencies really ARE as worried as we think they might be about the world moving to encryption they can't break, then my first thought would be "what are they moving us towards, without trying to look like they are doing so?" - and there you run into Blowfish/Twofish and similar algorithms that they've had the opportunity to analyse for years now. It would be the perfect coup - make people think you are attacking them, then "be involved" with the only alternative of elliptic-curves and thus make everyone think that's your preference and hence subtly move them onto something else of your choice without even MENTIONING it or being involved with it.
Don't try to out-think a bunch of geniuses working with military-level funding and a real interest in keeping you on something broken. Just follow procedure - stay on what you've got until there's actual evidence it's broken. Don't jump ship to new and interesting and relatively untested things for no reason other than you feel uncomfortable.
Re:Why do we even go to these orgs anymore... (Score:4, Interesting)
It would be an insanely unlikely coup. Think about what you are suggesting: First they get the entire world to use AES, to the point where leading CPU manufacturers have even included special instructions in the hardware specifically for encoding and decoding AES. They do this only so that an alternative algorithm (Twofish) would get less scrutiny by independent researchers for a number of years. They then orchestrate an elaborate leak indicating that they have attacks against some unnamed publicly used crypto algorithm. Meanwhile, or even before that, they have recruited an established and well known writer and cryptographist, and have him attack them openly in the public debate, only to give an apparent credibility to the algorithms he has designed. The intent of this is to get everyone in the industry to suddenly switch all cryptography to his somewhat less scrutinised algorithm (probably after reading about it on Slashdot), despite the fact that the author, who they had recruited to attack them, still claims that the math behind AES is solid, and despite the fact that replacing AES would now require replacing hardware and software that permeates our entire society at enormous costs.
If there is ever a time for the tinfoil hat metaphor...
Re: (Score:2)
It would be an insanely unlikely coup. (...) If there is ever a time for the tinfoil hat metaphor...
"Professor Quirrell had remarked over their lunch that Harry really needed to conceal his state of mind better than putting on a blank face when someone discussed a dangerous topic, and had explained about one-level deceptions, two-level deceptions, and so on. So either Severus was in fact modeling Harry as a one-level player, which made Severus himself two-level, and Harry's three-level move had been successful; or Severus was a four-level player and wanted Harry to think the deception had been successful.
Re:Why do we even go to these orgs anymore... (Score:4, Interesting)
If they found a weakness in Twofish, and wanted the world to migrate to a crypto algorithm that they have an attack against, then wouldn't it just have been easier to select Twofish instead of Rijndael for the AES specification in the first place? They were both finalists.
Look, it certainly seems like the NSA has tried to meddle with crypto standards in order to have an attack vector, and I can agree that a certain amount of paranoia is in order, but the theories you propose are so convoluted that, of all things the NSA might have cooked up, that has to go far down on the list. What is even to say people switch to Twofish if they switch, and not one of the other AES finalists? Or use both Twofish and Rijndael simultaneously for that matter?
Besides, the weakest part of most crypto systems (disregarding implementation and usage for a moment), is probably the key exchange/management algorithms. And from what I have understood, that is where the indications of standards manipulations have been.
I'm not suggesting that people should necessarily switch from AES to Twofish, or that Twofish is more secure. I don't even think Bruce is saying that. But I find the idea that the NSA would somehow be behind some kind of covert manipulation scheme to get people to switch to Twofish simply extremely unlikely. If nothing else, for the simple reason that I don't see it happening anyway. Could the NSA be sitting quietly on a weakness? Sure. But in that case I would be more worried about EC, and to an extent RSA. That is, if we limit ourselves to the theoretical component, and disregard the obvious target: implementations.
"why do we trust Schneier more than anyone else"? (Score:2)
In addition to Alef's comment
That Guardian article where he teaches everyone, including terrorists, how to avoid the NSA, undoing 10 years of infiltration work:
http://www.theguardian.com/world/2013/sep/05/nsa-how-to-remain-secure-surveillance [theguardian.com]
Also, he's been helping anti-surveillance campaigns including NO2ID for years.
Re: (Score:2)
One time pad is, of course, best, *if* you can use it. But it requires that both the sender and the receiver have a copy, and that the interceptor *NOT* have a copy. (Or not be able to determine that they do. Dostoyevski's "Crime and Punishment" would make a decent one time pad, until it was known that that was what you were using. Then you might as well have been sending in clear.
Re: (Score:2)
If your clever and use a non networked computer to create your message you may still have googled versions of "Crime and Punishment" providing a hint for a later home search.
Government contracts (Score:3)
Because if your software does not comply with FIPS or whatever other standard of the day is in effect, the government can not purchase it. When hundreds of millions (sometimes billions) of dollars in revenue are on the line, people will make a lot of concessions.
Re: (Score:3, Insightful)
Pfft. A single checkbox is all that's needed:
"Reduce effectiveness to comply with US Government standards."
Re: (Score:3)
Because the US government has requirements about what it accepts.
You can't just implement whatever algorithm you like, then sell a router with that to the government. It must comply with whatever standard the government decided to adopt. And given that the government buys a lot of things, it wouldn't make economical sense to make equipment you could never sell to them.
This snowballs, and effectively sets a global standard for encryption. Sure, in your home you can do whatever you like, but the important thi
Re: (Score:3)
Can someone please make an open source "Scheneier Suite" of cryptography written in C for the world to make use of already please!?
Working on it for my master thesis ;)
Just a "Schneier Suite" would be limiting, though. We need more than just the basic algorithms, and not only from Schneier.
Anyway, I'm developing a new transport/encryption/authentication/federated protocol, which combines ideas from SSL, Kerberos and a lot more, plus some new...
I already have written all the specification, I'm starting to code it now.
Keep your ears open for the "Fenrir" project, I'll probably release something in 3-4 months... Although the stable r
Re: (Score:2)
Good luck with that, it's not like I'm in the U.S.A., and once the project goes public, I doubt you can really influence it without people noticing. :)
Also, as with everything working with encryption, you need a way to distribute keys, a "trust model". And the trust model will not be too different from todays X.509 certificates, so the NSA might still be able to compromise the trust of this protocol (assuming that the NSA has compromised the trust model in X.509 certificate handling).
Still, with my new prot
Re: (Score:2)
Please do not make a single hierarchy like X.509, where one particular key can only be certified by one authority. Instead, at minimum allow multiple signatures if you do not want to implement the complete web-of-trust like PGP/GPG.
Re: (Score:2)
No worries, X.509 are big and bulky, and the management of the certificates authorities kinda sucks anyway.
Nah, I don't use X.509, but the trust model is granted and secure. And bonus points: its free of charge and already existing :)
Re:Why do we even go to these orgs anymore... (Score:5, Insightful)
It appears that the most difficult part of cryptography is key management.
You could say that key management is the only really difficult problem in cryptography. If it weren't for the key management problem we'd all be using one-time pads, which are both trivial to implement and provably unbreakable, even by brute force. Unfortunately, to use them each pair of individuals must first securely exchange keys at least as large as all the messages they'll ever want to send.
Symmetric crypto algorithms exist to cut down on the amount of key material which must be exchanged by reusing the key, while asymmetric crypto addresses the N^2 problem by allowing many-to-one communication with a single public/private key pair. Both accept the risk of cryptoanalysis in exchange for more convenient key management.
Re: (Score:2)
Because if the NSA points out a cryptographic weakness, it's there.
Re: (Score:2)
FTFY.
Re: (Score:2)
Probably because with a name like National Institute of Standards and Technology, it sounds like a neutral organization. Some kind of innocuous academic committee or such. Not to mention, when it was first named, there was probably a benevolent view of such government agencies.
Now though, people who seem to be paying attention are distrustful of the government's "national security" policies. And with good reason, considering what the NSA has been doing since (and probably before) 9/11.
Now anything that ment
Avoid eleptic curve algoritms (Score:5, Interesting)
The way I see it, I think its wise to avoid all PKI standards using Elliptic curve cryptography algoritms. In contrast to the mathematical basis of prime based algorithms, these mathematics are relatively recent - and have been pushed by the NSA (who is known to be decenia ahead of publicly known mathematics).
There is no mathematical indication for me to believe that Eleptic curve cryptography is fundamentally broken. But why use 'new mathematics' when hundreds of years of public mathematic geniusses have been thinking about fast factoring of prime numbers?
I don't get that...
The most important argument used is that key length is more manageable. One could also interprete it as an indication that there might be security bit reduction attacks still unknown to us, but known by the NSA. Possibly. Possibly not.
But why take the risk?
Some more info about elliptic-curve-cryptography:
http://www.linuxjournal.com/content/elliptic-curve-cryptography
Re: (Score:3)
"""
They do this by splitting the shared secret key used in traditional cryptography into two parts: a public key for identifying oneself and a secret key for proving an identity electronically.
"""
That's bordering on the "not even wrong" level of fucked-upness. Alas it falls on the side of being woefully incorrect. Possibly dangerounsly misleading too.
Re: (Score:2)
Re: (Score:2)
Re: (Score:3)
Not this year. Massive computer arrays will never handle factoring large numbers with large prime factors until there is a major theoretical breakthrough (which can't be predicted).
Quantum computers ARE a major threat, but not this year. The NSA has publicly ordered a large one, but large this year is probably only large enough to test their approach. So if your data is time sensitive, you are still safe.
Two or three years from now...who can say. Progress *is* being made on quantum computers. Perhaps i
Re: (Score:2)
Re: (Score:3)
Re: (Score:3)
hundreds of years of public mathematic geniusses have been thinking about fast factoring of prime numbers
There is a pretty fast algorithm for factoring prime numbers.
Re: (Score:2)
And it's already down again ... any way, I'm inclined to agree, lets stick to discrete logarithms and primes.
Re: (Score:2)
BTW, even if ECC can be secure, ECC as used in practice seems to suffer from the same problem as Dual_EC_DRBG, magic number coefficients chosen by the NSA ...
http://www.hyperelliptic.org/tanja/vortraege/20130531.pdf [hyperelliptic.org]
Re: (Score:2)
But factoring, while hard, is reasonably handleable if you have a quantum computer. Which, as it happens, the NSA has recently contracted for (publicly).
Is this also true of the elliptic curves? (On the one hand, I don't know, but on the other hand, the NSA chose the magic numbers.)
Twofish and blowfish are probably the best choices if you need to worry about that kind of thing. But I'm no cryptographer, and haven't studied the problem, so don't take that seriously.
As someone earlier suggested, if you are
Re:Avoid eleptic curve algoritms (Score:4, Informative)
Re: (Score:3)
Sinister (Score:5, Informative)
Re: (Score:2)
actually, it's about assword security. and the "pre image" problem.
more collisions mean it's easier to find a password that gives a stored hash
but it's not crippled, its just that a 512 key gives you n/2 security - 256bit security
afaics, anyway
Re: (Score:2)
In a crippled hash function, you can add a Trojan horse to a downloaded while keeping the same hash value. Even Linux repositories would be vulnerable (the hashes are usually gpg-signed, but the hash doesn't change), and allow execution of arbitrary code.
either they crippled it or put a backdoor in (Score:2)
i wonder how much data and info the US Govt spys stea
Brother in law works at NIST (Score:2, Informative)
He has told me stories of NSA personnel coming by for meetings. He said he had no idea why they were there, so YYMV.
That said, NSA had indeed been on the NIST campus.
Re: (Score:2)
NIST is required by law to consult with the NSA before publishing cryptographic standards. What "consult" means is unknown.
More conventionally, it stands to reason that NSA personnel would be participating in NIST projects on computer security, cryptography, and theoretically math, since they [NSA] have a lot of experts in those fields working for them.
sPh
Re: (Score:2)
Re: (Score:2)
>> NSA has two arms: an offensive arm and a defensive arm
Wouldn't that be CYBERCOM?
eat THEIR dog food? (Score:5, Interesting)
so why don't we just look at what organizations like the US military use to secure and sign their data, and use that? (the methods of course, not their keys) That sounds to me like the only way to make sure they're not suggesting or influencing us to use something they (or their opponents) could easily break?
Re: (Score:2)
Indeed, that's been SOP among cypherphreaks for some time. Even coming down to using "military-strength" encryption keys and the like; if the government says 1024 bits is enough, use 4096. And so on.
Re: (Score:3)
Because who says they're using what they tell uncleared opponents they are using? Maybe the wrapper is what they say they're using and underneath there's a more secure method that they have never disclosed to the public.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
so why don't we just look at what organizations like the US military use to secure and sign their data, and use that? (the methods of course, not their keys)
Well if we're going for the spectacularly evil I'd pick an algorithm that has many subtly flawed weak keys and a small number of secure keys, then secretly implement additional key generation checks in military software. You both use the same cipher, but they can still read your data and you can't read theirs. Vendors can even supply software built on public cipher standards to be used with government-provided keys and be none the wiser. As long as the ones issuing the keys is in on the charade, it could be
Re: (Score:2)
Because you can't trust that either. The US military is not fighting enemies at its own level, thus it can afford to risk operational data leaking, especially if it still takes a while to decode. And even if it doesn't want to risk it, who's to say the NSA wouldn't? It's not like they are the ones at risk of lead poisoning, and it'll make their job easier.
That's the problem with corruption:
Short memories (Score:2)
Doesn't anyone here remember all that footage from planes in Bosnia that was sent unencrypted and downloaded by people with slightly tweaked satellite TV gear? Some stuff isn't even encoded at all.
Re: (Score:2)
Like the domestic and international codes sold and made weak, why would the US military staff get a free pass to real crypto?
As long as it kept the Russians out- what is at the base/camp/fort is fair game
Would US political leaders not want some insights into the mind sets of their top generals (or emerging top staff) using US gov networks?
They could be under the influence of a charismatic leader/"spy" or new fait
Here's why... (Score:3, Insightful)
When the SHA-3 competition was announced, the pretty much only working method of getting a hash function was using the Merkle-Damgård construction. Bit security limits where set under the assumption that the submitted proposals use MD, since nothing else was known. However, Keccak does not use it and gains better security guarantees. For this reason, NIST had an opportunity to weaken it a bit while still keeping the old security requirements and making the hash function much more efficient in the process.
Re: (Score:2)
Just like that time A5/1 GSM encryption was weakened from 64 to 56 bits in US to make it "much more efficient".
Implement Keccak, ignore SHA-3 (Score:2)
Completely misunderstood and FUD to boot! (Score:2)
The real truth in the slides is that the algorithms are expected to have a collision and pre-image resistance that is 1 half the digest size. In this case the 128 and 256 numbers mean that the collision resistance is 2^128 and 2^256.
Of course NOT, and please don't blame NIST! (Score:5, Informative)
NIST's proposal (presented at last CHES conference) is NOT reducing the internal strength of Keccak.
NIST proposes some standard values for a parameter called "capacity" in Keccak, and for which Keccak's authors always said that it can be freely chosen by the designers. A high capacity means a higher security, and a lower capacity means a better performance. NIST's current forecast for FIPS202 specifies 2 values for the capacity, namely 256 and 512, that would bring the SHA-3 standard to an equivalent security level as the AES (2^128 operations required to break c=256 and 2^256 operations required to break c=512). One may actually consider that these security levels are the same as the ones in the original submission, because these are the minimum security levels offered by *ALL* finalists (including Keccak). Indeed all candidates for SHA3-256 offers a collision resistance of 2^128 operations, and 2^256 operations for SHA3-512.
The discussion here is that actually choosing c=256 means that the cost to find pre-image is also reduced to 2^128 operation, instead of 2^256 as in say SHA2-256. There are ongoing discussions on the mailing list about the theoretical consequences of this choice, but what strikes me most is why people are so much focusing on the strongest security bound of a primitive (pre-image here) and are completely ignoring the weakest security bound (collision resistance). Of course one may always design an application that would be immune to collision resistance, but if one only looks at the primitive, saying that SHA2-256 offers a security of 2^256 because it has a pre-image resistance of that level is clearly fooling himself. In that sense, NIST proposal was to level the security bound of the primitive to its guaranteed minimum as for block ciphers, and allows a security bound of either 2^128 (c=256) or 2^256 (c=512). Those with an ounce of common sense will observe that 2^128 is completely astronomical, and absolutely out of reach of any thinkable devices in the future, even for the NSA! And if you don't care about performance (you probably don't design products then), and are absolutely paranoïd, there is then still the freedom to chose a capacity c=512, as allowed in current proposal, and probably waste computer cycles for no gain whatsoever.
I of course have no clue on the possible influence of the NSA, but for having attended to SHA-3 and similar conferences, I must say that NIST's work in SHA-3 is remarkable and *unprecedented* in the cryptographic community. NIST ran the most *OPEN* process ever for the evaluation and selection of the new SHA-3 standard. I think that the intention of NIST is to write a standard that will satisfy the majority of the community (hence their openness and presentation at CHES), and that will offer the most of potential of the winner candidate. Keccak is really a "new" object in the cryptographic community, that is quite different from previous proposals, and no wonder to me that its adoption triggers some questions. However the hidden suggestion that NIST would have a secret agenda is clearly participating to current tin-foil propaganda of some would-be security specialists that are trying to acquire attention, and brings zero to the current standardization process.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
I have an idea (Score:2)
The implementations should keep parameters open (Score:2)
We should not have one SHA-3 with the security parameters selected by NIST or anyone else.
For the vast majority of usages the speed of the hashing is a non-issue, they are all plenty fast enough
yet some implementations, specifically those with limited hardware my have other concerns.
We should approve the basic algorithm, and have a family of hash functions with different security parameters
to be selected for each usage.
Most of us should use an extra secure variant most of the time.
Your reply (Score:3)
Re: (Score:2)
Most of the needs for encryption actually come from the various departments of the government. A lot of software introduces encryption just to be able to be compliant to government regulations and sell on the federal market.
Re:Uninformed nonsense (Score:4, Interesting)
Why didn't they think of that before asking for "224, 256, 384, and 512 bits" in the first place?
They included included Dual_EC_DRBG into a standard despite it being slow and obviously backdoored, they have no credibility to make changes to encryption algorithms any more. They have to rebuild their credibility at this point, any changes they make have to be explained, any coefficients they pick have to be shown to be free from NSA meddling, any reduction in hash length from the contest requirements ... well, they just shouldn't even try to do that at this point.
They can try to rebuild their credibility or they can become irrelevant.
Re: (Score:2)
NIST should NEVER be trusted again.
You need to put your effort into encrypting things with triple ROT-13 encryption. The NSA have never put any effort at all into trying to break that!
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
We already know the NIST has crippled some of its standards in response to NSA pressure.
http://arstechnica.com/security/2013/09/stop-using-nsa-influence-code-in-our-product-rsa-tells-customers/ [arstechnica.com]
It was assumed for years, but we never had proof till recently.
Re: (Score:2)
So you can have your ideally resistant selling points and easy plaintext in the same commercial grade standard.
Re: (Score:2)