On 30 Sep 2013, at 05:12, Christoph Anton Mitterer 
<cales...@scientia.net> wrote:
> 
> Not sure whether this has been pointed out / discussed here already (but
> I guess Perry will reject my mail in case it has):
> 
> https://www.cdt.org/blogs/joseph-lorenzo-hall/2409-nist-sha-3
> This makes NIST seem somehow like liars,... on the one hand they claim

Do keep in mind that in this case the crux is not around SHA-3 as a 
specification/algorithm - but about the number of bits one should use.

One aspect in all this is into what engineering culture standards (such as 
those created by NIST) finally land. 

Is it in one which is a bit insecure and just does the absolute minimum; or is 
it in one where practitioners have certain gut-feels - and take them as 
absolute minimums?

I do note that in crypto (possibly driven by the perceived expense of too many 
bits) we tend to very carefully observe the various bit lengths found in 
800-78-3, 800-131A, etc etc. And rarely go much beyond it*.

While in a lot of other fields - it is very common for 'run of the mill' 
constructions; such as when calculating a floor, wooden support beam, a joist, 
to take the various standards and liberally apply safety factors. A factor 10 
or 20x too strong is quite common *especially* in 'consumer' constructions.  

It is only when one does large/complex engineering works that you take the time 
to really calculate strength; and even then - a factor 2 or 3 is still very 
common; and barely raises an eyebrow with a cost conscious customer. 

So perhaps we need to look at those NIST et al. standards in crypto and do the 
same - take them as an absolute minimum; but by default and routinely not feel 
guilty when we add a 10x or more. 

And at the same time evoke a certain 'feeling' of strength with our users. A 
supporting column can just 'look' right or too thin; a BMW car door can just 
make that right sound on closing***. 

And :) :) people like (paying for/owning) tools that look fit for purpose :) :) 
:).

Dw

*) and yes; compute power may have been an issue - but rarely is these days; I 
have a hard time measuring symmetric AES on outbound packet flows relative to 
all other stuff.
**) and yes; compute, interaction/UI/UX & joules may be a worry - but at the 
same time - CPUs have gotten faster and clever UIs can background things 
or good engineers can devise async/queues and what not.
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
