On Oct 3, 2013, at 9:27 PM, David Johnston <d...@deadhat.com> wrote:
> On 10/1/2013 2:34 AM, Ray Dillinger wrote: >> What I don't understand here is why the process of selecting a standard >> algorithm for cryptographic primitives is so highly focused on speed. ~ > > What makes you think Keccak is faster than the alternatives that were not > selected? My implementations suggest otherwise. > I thought the main motivation for selecting Keccak was "Sponge good". I agree: Sponge Good, Merkle–Damgård Bad. Simple enough. I believe this thread is not about the choice of Keccak for SHA3, it is about NIST's changes of Keccak for SHA3. [Instead of pontificating at length based on conjecture and conspiracy theories and smearing reputations based on nothing other than hot air] Someone on this list must know the authors of Keccak. Why not ask them. They are the ones that know the most about the algorithm, why the parameters are what they are and what the changes mean for their vision. Here is my question for them: "Given the light of the current situation, what is your current opinion of NIST's changes of Keccak as you specified it to SHA-3 as NIST standardized it?" If the Keccak authors are OK with the changes, who are we to argue about these chances? If the Keccak authors don't like the changes, given the situation NIST is in, I bet NIST will have no recourse but to re-open the SHA3 discussion. Jim _______________________________________________ The cryptography mailing list cryptography@metzdowd.com http://www.metzdowd.com/mailman/listinfo/cryptography
