Did NIST Cripple SHA-3?
An anonymous reader writes "In the process of standardizing the SHA-3 competition winning algorithm Keccak, the National Institute of Standards and Technology (NIST) may have lowered the bar for attacks, which might be useful for or even initiated by NSA. 'NIST is proposing a huge reduction in the internal strength of Keccak below what went into final SHA-3 comp,' writes cryptographer Marsh Ray on Twitter. In August, John Kelsey, working at NIST, described (slides 44-48) the changes to the algorithm, including reduction of the bit length from 224, 256, 384 and 512-bit modes down to 128 and 256-bit modes."
Re:Why do we even go to these orgs anymore... (Score:5, Insightful)
Here's why... (Score:3, Insightful)
When the SHA-3 competition was announced, pretty much the only working method of getting a hash function was using the Merkle-Damgård construction. Bit security limits were set under the assumption that the submitted proposals use MD, since nothing else was known. However, Keccak does not use it and gains better security guarantees. For this reason, NIST had an opportunity to weaken it a bit while still keeping the old security requirements and making the hash function much more efficient in the process.
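To make the trade-off in that comment concrete, here is an added example (my own, not code from the thread, NIST or the Keccak team) that models the Keccak-f[1600] sponge parameters: how much of the 1600-bit state is capacity c, how much is rate r, what generic security c buys, and how many permutation calls a message costs. The capacity values (c = 2n = 512 for the competition submission, c = 256 for the proposed 128-bit level) and the pad10*1 padding rule are assumptions taken from the public Keccak/SHA-3 discussion.

```python
from dataclasses import dataclass
from math import ceil

STATE_BITS = 1600  # width of the Keccak-f[1600] permutation used by all SHA-3 variants


@dataclass(frozen=True)
class SpongeParams:
    """Rate/capacity split of a Keccak sponge and the generic security it buys."""
    name: str
    output_bits: int
    capacity: int  # c; the rate r = 1600 - c is what gets absorbed per f-call

    @property
    def rate(self) -> int:
        return STATE_BITS - self.capacity

    def collision_security(self) -> int:
        # Birthday bound on the digest, capped by the sponge's flat c/2 bound.
        return min(self.output_bits // 2, self.capacity // 2)

    def preimage_security(self) -> int:
        # Preimage work is at most 2^n on the digest, but never more than 2^(c/2).
        return min(self.output_bits, self.capacity // 2)

    def permutation_calls(self, message_bytes: int) -> int:
        # pad10*1 appends at least 2 bits (1, 0*, 1); the padded input is cut into
        # r-bit blocks, each costing one Keccak-f call. Output n <= r here, so the
        # single squeeze needs no extra call.
        return ceil((message_bytes * 8 + 2) / self.rate)


# Competition-era Keccak-256 used c = 2n = 512 (r = 1088); assumed parameter set.
SUBMITTED_256 = SpongeParams("Keccak-256, c=512", output_bits=256, capacity=512)
# The proposal the thread refers to: c = 256 (r = 1344) for a 128-bit security level.
PROPOSED_256 = SpongeParams("SHA3-256 proposal, c=256", output_bits=256, capacity=256)


def compare(a: SpongeParams, b: SpongeParams, message_bytes: int = 1_000_000) -> dict:
    """Return what changes between two parameter sets for a message of the given size."""
    return {
        "rate_bits": (a.rate, b.rate),
        "collision_bits": (a.collision_security(), b.collision_security()),
        "preimage_bits": (a.preimage_security(), b.preimage_security()),
        "f_calls": (a.permutation_calls(message_bytes), b.permutation_calls(message_bytes)),
    }


if __name__ == "__main__":
    for k, v in compare(SUBMITTED_256, PROPOSED_256).items():
        print(f"{k:15s} submitted={v[0]:>6}  proposed={v[1]:>6}")
```

For a 1 MB message the halved capacity saves roughly 19% of the permutation calls, while the preimage ceiling drops from 256 to 128 bits and collision resistance stays at 128 bits.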
Re:Why do we even go to these orgs anymore... (Score:5, Insightful)
And he, like everyone else who's reasonable, believes in standards processes to test and check each others' algorithms and pick the best ones. The problem is making sure these standards systems are open and above board.
Re:Government contracts (Score:3, Insightful)
Pfft. A single checkbox is all that's needed:
"Reduce effectiveness to comply with US Government standards."
Re:Why do we even go to these orgs anymore... (Score:5, Insightful)
It appears that the most difficult part of cryptography is key management.
You could say that key management is the only really difficult problem in cryptography. If it weren't for the key management problem we'd all be using one-time pads, which are both trivial to implement and provably unbreakable, even by brute force. Unfortunately, to use them each pair of individuals must first securely exchange keys at least as large as all the messages they'll ever want to send.
Symmetric crypto algorithms exist to cut down on the amount of key material which must be exchanged by reusing the key, while asymmetric crypto addresses the N^2 problem by allowing many-to-one communication with a single public/private key pair. Both accept the risk of cryptanalysis in exchange for more convenient key management.