On Tue, Oct 01, 2013 at 07:21:03AM +1000, James A. Donald wrote:

> On 2013-10-01 00:44, Viktor Dukhovni wrote:
> >Should one also accuse ESTREAM of maliciously weakening SALSA? Or
> >might one admit the possibility that winning designs in contests
> >are at times quite conservative and that one can reasonably
> >standardize less conservative parameters that are more competitive
> >in software?
>
> "less conservative" means weaker.
Weakening SHA3 to gain cryptanalytic advantage does not make much sense.
SHA3 collisions or preimages even at 80-bit cost don't provide anything
interesting to a cryptanalyst, and MITM attackers will attack much softer
targets.

We know exactly why it was "weakened". The proposed SHA3-256 digest gives
128 bits of security for both collisions and preimages. Likewise the
proposed SHA3-512 digest gives 256 bits of security for both collisions
and preimages.

> Weaker in ways that the NSA has examined, and the people that chose
> the winning design have not.

The lower capacity is not weaker in obscure ways. If Keccak delivers
substantially less than c/2 security, then it should not have been
chosen at all. If you believe that 128-bit preimage and collision
resistance is inadequate in combination with AES128, or 256-bit preimage
and collision resistance is inadequate in combination with AES256, please
explain.

> Why then hold a contest and invite outside scrutiny in the first place?

The contest led to an excellent new hash function design.

> This is simply a brand new unexplained secret design emerging from
> the bowels of the NSA, which already gave us a variety of backdoored
> crypto.

Just because they're after you, doesn't mean they're controlling your
brain with radio waves. Don't let FUD cloud your judgement.

-- 
	Viktor.
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
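The c/2 argument in the reply above can be worked through numerically. The following Python is an added example, not code from the thread or from the Keccak team: it applies the flat sponge claim (generic attacks cost at least 2^(c/2), capped by the ideal-hash bounds for an n-bit digest) to two parameter sets and reports what halving the capacity changes. The parameter sets are assumptions, namely that the Keccak submission used c = 2n and that the 2013 draft cut this to c = n, which is consistent with the 128-bit and 256-bit levels quoted in the message; the rate r = 1600 - c is also used to show why the smaller capacity is faster in software.

```python
"""Flat sponge claim arithmetic for Keccak / SHA-3 parameter sets.

Added example, not code from the thread or from the Keccak team.
Assumptions: the Keccak submission used capacity c = 2n, and the
2013 NIST draft cut it to c = n, which matches the 128-bit (SHA3-256)
and 256-bit (SHA3-512) security levels quoted in the message.
"""
from dataclasses import dataclass

KECCAK_F_WIDTH = 1600  # width b of the Keccak-f permutation, in bits


@dataclass(frozen=True)
class SpongeParams:
    name: str
    digest_bits: int    # n: output length
    capacity_bits: int  # c: state bits never exposed to the caller

    @property
    def rate_bits(self) -> int:
        # r = b - c: bits absorbed per permutation call
        return KECCAK_F_WIDTH - self.capacity_bits


def security_levels(p: SpongeParams) -> dict:
    """Flat sponge claim: any generic attack costs at least 2^(c/2) work,
    and no hash can beat the ideal-hash bounds for an n-bit digest
    (2^(n/2) for collisions, 2^n for preimages)."""
    n, c = p.digest_bits, p.capacity_bits
    return {
        "collision": min(n // 2, c // 2),
        "preimage": min(n, c // 2),
        "second_preimage": min(n, c // 2),
    }


def balanced_with_cipher(p: SpongeParams, key_bits: int) -> bool:
    """True when every generic bound of the hash is at least the key
    length of the block cipher it is paired with (e.g. AES-128)."""
    return min(security_levels(p).values()) >= key_bits


def throughput_ratio(new: SpongeParams, old: SpongeParams) -> float:
    """Sponge cost is one permutation per r absorbed bits, so for the
    same permutation the long-message throughput scales with the rate."""
    return new.rate_bits / old.rate_bits


# Constructed parameter sets (see the module docstring for assumptions).
KECCAK_256 = SpongeParams("Keccak-256 (submission)", 256, 512)
SHA3_256 = SpongeParams("SHA3-256 (2013 draft)", 256, 256)
KECCAK_512 = SpongeParams("Keccak-512 (submission)", 512, 1024)
SHA3_512 = SpongeParams("SHA3-512 (2013 draft)", 512, 512)


def compare(old: SpongeParams, new: SpongeParams) -> dict:
    """Side-by-side view of what halving the capacity changes."""
    return {
        "old": security_levels(old),
        "new": security_levels(new),
        "throughput_gain": round(throughput_ratio(new, old), 3),
    }


if __name__ == "__main__":
    for old, new in ((KECCAK_256, SHA3_256), (KECCAK_512, SHA3_512)):
        print(f"{old.name} -> {new.name}: {compare(old, new)}")
```

Running it shows the trade the message describes: for the 256-bit digest the collision bound stays at 128 bits either way, the preimage bound drops from 256 to 128 bits (the level of AES-128), and the rate rises from 1088 to 1344 bits per permutation call. For the 512-bit digest the bounds land at 256 bits (the level of AES-256) with an even larger rate gain. Note that the comparison says nothing about cryptanalytic weaknesses of Keccak-f itself; as the message points out, if the permutation delivered less than c/2, the design would not merit selection at any capacity.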