Re: [Cryptography] NIST about to weaken SHA3?
excerpting, we have

James A. Donald wrote:
> Weaker in ways that the NSA has examined, and the people that chose the winning design have not.

Viktor Dukhovni replies:
> Just because they're after you, doesn't mean they're controlling your brain with radio waves. Don't let FUD cloud your judgement.

As we (here) are fond of saying, anything can be broken, therefore the question at hand is Who can break what at this strength? This question does not have a time-invariant answer, and, in any case, as Adi Shamir so adequately said, Cryptography is typically bypassed, not penetrated.[*] Nevertheless, the value of scepticism is profound; it is the chastity of the intellect.

--dan

[*] www.financialcryptography.com/mt/archives/000147.html

___
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
Re: [Cryptography] NIST about to weaken SHA3?
On 2013-10-01 08:51, Watson Ladd wrote:
> On Mon, Sep 30, 2013 at 2:21 PM, James A. Donald <jam...@echeque.com> wrote:
>> Weaker in ways that the NSA has examined, and the people that chose the winning design have not.
>
> This isn't true: Keccak's designers proposed a wide range of capacity parameters for different environments.

This is not Keccak's design. This is a new unexamined design somewhat resembling Keccak's design. Or perhaps Keccak's design somewhat resembled what the NSA had already decided to do.
Re: [Cryptography] NIST about to weaken SHA3?
On 2013-10-01 10:17, John Kelsey wrote:
> Yeah, that plot to weaken sha3 is so secretive, we've been discussing it in public slide presentations and on public mailing lists for six months.

All big conspiracies get exposed - I would make a list, but that would derail the conversation. It does not follow that there are no big powerful conspiracies. On the contrary, we have compelling evidence of more big powerful conspiracies than one can shake a stick at.
Re: [Cryptography] NIST about to weaken SHA3?
On 1/10/13 00:21 AM, James A. Donald wrote:
> On 2013-10-01 00:44, Viktor Dukhovni wrote:
>> Should one also accuse ESTREAM of maliciously weakening SALSA? Or might one admit the possibility that winning designs in contests are at times quite conservative and that one can reasonably standardize less conservative parameters that are more competitive in software?
>
> less conservative means weaker. Weaker in ways that the NSA has examined, and the people that chose the winning design have not.
>
> Why then hold a contest and invite outside scrutiny in the first place?
>
> This is simply a brand new unexplained secret design emerging from the bowels of the NSA, which already gave us a variety of backdoored crypto. The design process, the contest, the public examination, was a lie. Therefore, the design is a lie.

This could be the uninformed opinion over unexpected changes. It could also be the truth. How then to differentiate?

Do we need to adjust the competition process for a tweak phase? Let's whiteboard. Once The One is chosen, have a single round + conference where each of the final contestants propose their optimised version. They then vote on the choice.

(OK, we can imagine many ways to do this ... point being that if NIST are going to tweak the SHA3 then we need to create a way for them to do this, and have that tweaking be under the control of the submitters, not NIST itself. In order to maintain the faith of the result.)

iang
Re: [Cryptography] NIST about to weaken SHA3?
On 9/30/13 at 4:09 PM, cryptogra...@dukhovni.org (Viktor Dukhovni) wrote:
> Just because they're after you, doesn't mean they're controlling your brain with radio waves. Don't let FUD cloud your judgement.

ROTFLOL!

---
Bill Frantz        | Since the IBM Selectric, keyboards have gotten
408-356-8506       | steadily worse. Now we have touchscreen keyboards.
www.pwpconsult.com | Can we make something even worse?
Re: [Cryptography] NIST about to weaken SHA3?
On Oct 1, 2013, at 4:48 AM, ianG <i...@iang.org> wrote:
> ...
> This could be the uninformed opinion over unexpected changes. It could also be the truth. How then to differentiate?
>
> Do we need to adjust the competition process for a tweak phase? Let's whiteboard. Once The One is chosen, have a single round + conference where each of the final contestants propose their optimised version. They then vote on the choice.

I like the general idea here, but I suspect a vote at the end of a conference isn't going to yield great results. I'd hate to see something the designers opposed get adopted because they were outvoted by (say) a larger team.

> (OK, we can imagine many ways to do this ... point being that if NIST are going to tweak the SHA3 then we need to create a way for them to do this, and have that tweaking be under the control of the submitters, not NIST itself. In order to maintain the faith of the result.)

The Keccak designers proposed reducing the capacity. You can find public statements about this online, including in the slides on their website. Also, the capacity is a parameter defined in the standard to allow an easy to understand performance/security tradeoff. Setting c=256 gives an across the board security level of 128 bits, if you believe the underlying Keccak permutation is good.

The actual technical question is whether an across the board 128 bit security level is sufficient for a hash function with a 256 bit output. This weakens the proposed SHA3-256 relative to SHA256 in preimage resistance, where SHA256 is expected to provide 256 bits of preimage resistance.

If you think that 256 bit hash functions (which are normally used to achieve a 128 bit security level) should guarantee 256 bits of preimage resistance, then you should oppose the plan to reduce the capacity to 256 bits.

If you think a 256 bit hash function should only promise 128 bits of security, except in specific applications like keyed hashes where it has been analyzed specifically and shown to get more, then you should (at least on technical grounds) like the proposal to reduce the capacity to 256 bits for a 256-bit hash output.

--John
Re: [Cryptography] NIST about to weaken SHA3?
On Tue, 2013-10-01 at 12:47 -0400, John Kelsey wrote:
> The actual technical question is whether an across the board 128 bit security level is sufficient for a hash function with a 256 bit output. This weakens the proposed SHA3-256 relative to SHA256 in preimage resistance, where SHA256 is expected to provide 256 bits of preimage resistance.
>
> If you think that 256 bit hash functions (which are normally used to achieve a 128 bit security level) should guarantee 256 bits of preimage resistance, then you should oppose the plan to reduce the capacity to 256 bits.
>
> If you think a 256 bit hash function should only promise 128 bits of security, except in specific applications like keyed hashes where it has been analyzed specifically and shown to get more, then you should (at least on technical grounds) like the proposal to reduce the capacity to 256 bits for a 256-bit hash output.

I think the question is rather, what is the exact benefit NIST expects from this?

AFAIU, performance wasn't the major priority during the competition, was it? And even if it were, then Keccak has won already with the higher values, hasn't it?

So when c roughly gives the performance/security tradeoff... then from a pure security POV, we should obviously set a high c, right?

So has NIST experienced some real world scenarios where the previous values of c yielded in a too slow algorithm, that made it unusable for the job? Cause if not,... then I'm back to the argument, why moving the performance/security tradeoff towards performance, if there was no strong reason,...

Even(!) if one says, that from a crypto POV, 128 bits would be enough for a 256 bit hash... as long as we aren't forced due to some strong performance reasons... rather waste the extra security margin than dropping it.

Cheers,
Chris.
Re: [Cryptography] NIST about to weaken SHA3?
On 2013-09-30 14:34, Viktor Dukhovni wrote:
> On Mon, Sep 30, 2013 at 05:12:06AM +0200, Christoph Anton Mitterer wrote:
>> Not sure whether this has been pointed out / discussed here already (but I guess Perry will reject my mail in case it has): https://www.cdt.org/blogs/joseph-lorenzo-hall/2409-nist-sha-3
>
> I call FUD. If progress is to be made, fight the right fights. The SHA-3 specification was not weakened, the blog confuses the effective security of the algorithm with the *capacity* of the sponge construction.

SHA3 has been drastically weakened from the proposal that was submitted and cryptanalyzed: See for example slides 43 and 44 of https://docs.google.com/file/d/0BzRYQSHuuMYOQXdHWkRiZXlURVE/edit
Re: [Cryptography] NIST about to weaken SHA3?
On Mon, Sep 30, 2013 at 05:45:52PM +1000, James A. Donald wrote:
> On 2013-09-30 14:34, Viktor Dukhovni wrote:
>> On Mon, Sep 30, 2013 at 05:12:06AM +0200, Christoph Anton Mitterer wrote:
>>> Not sure whether this has been pointed out / discussed here already (but I guess Perry will reject my mail in case it has): https://www.cdt.org/blogs/joseph-lorenzo-hall/2409-nist-sha-3
>>
>> I call FUD. If progress is to be made, fight the right fights. The SHA-3 specification was not weakened, the blog confuses the effective security of the algorithm with the *capacity* of the sponge construction.
>
> SHA3 has been drastically weakened from the proposal that was submitted and cryptanalyzed: See for example slides 43 and 44 of https://docs.google.com/file/d/0BzRYQSHuuMYOQXdHWkRiZXlURVE/edit

Have you read the SAKURA paper? http://eprint.iacr.org/2013/231.pdf

In section 6.1 it describes 4 capacities for the SHA-2 drop-in replacements, and in 6.2 these are simplified to two (and strengthened for the truncated digests) i.e. the proposal chosen by NIST.

Should one also accuse ESTREAM of maliciously weakening SALSA? Or might one admit the possibility that winning designs in contests are at times quite conservative and that one can reasonably standardize less conservative parameters that are more competitive in software?

If SHA-3 is going to be used, it needs to offer some advantages over SHA-2. Good performance and built-in support for tree hashing (ZFS, ...) are acceptable reasons to make the trade-off explained on slides 34, 35 and 36 of: https://ae.rsaconference.com/US13/connect/fileDownload/session/397EA47B1FB103F0B3E87D6163C7129E/CRYP-W23.pdf

--
Viktor.
Re: [Cryptography] NIST about to weaken SHA3?
On Mon, 2013-09-30 at 14:44 +, Viktor Dukhovni wrote:
> If SHA-3 is going to be used, it needs to offer some advantages over SHA-2. Good performance and built-in support for tree hashing (ZFS, ...) are acceptable reasons to make the trade-off explained on slides 34, 35 and 36 of:

Well I think the most important advantage would be more security... performance can only have far lower priority,... otherwise the whole thing is rubbish.

Sure, SHA2 is far from being broken, but we've seen some first scratches in SHA1 already... so it doesn't hurt if we have an algo which is based on different principles, and has a high security margin.

I guess we've seen that in the most recent developments... better take twice or three times than what we expect to be the reasonable security margins, since we don't exactly know what NSA and friends are capable of. Better try to combine different algos, for the same reason.

NIST has somewhat proven, that they can't be trusted, IMHO, regardless of whether they just didn't notice what the NSA did, whether they happily helped the agency, or whether they were forced so by law. For us this doesn't matter.

To my understanding, performance wasn't the top-priority during the SHA3 competition, otherwise other algos might have been even better than Keccak. So this move now is highly disturbing and people should question, what does NIST/NSA know what we don't. Can you really exclude for sure, that they haven't found some weaknesses which only apply at lower capacities?

In a way, that reminds me of ECC and the issues with the curves (not from a mathematical POV, of course)... we have some (likely) fine algorithm,... but the bad[0] guys standardise some parameters (like the curves)... At some point we smell the scandal and start wondering, if we wouldn't be far better off with a different set of curves... but in practise it's more or less too late then (well at least it's very problematic), since all world is using that set of standardised curves.

It seems a bit as if we now do the same,... following NIST/NSA like sheep. Keccak seems to be a fine algorithm... perhaps it would be better to scrap SHA3 altogether and let the community decide upon a common set of concrete algos (i.e. a community-SHA3) which is then to be standardised by IETF, or whatever else. And better take two or four times the capacity and/or bit-lengths than what we optimistically consider to be very secure.

Cheers,
Chris.

[0] In contrast to the evil guys, like terrorists and so on.
Re: [Cryptography] NIST about to weaken SHA3?
On 2013-10-01 00:44, Viktor Dukhovni wrote:
> Should one also accuse ESTREAM of maliciously weakening SALSA? Or might one admit the possibility that winning designs in contests are at times quite conservative and that one can reasonably standardize less conservative parameters that are more competitive in software?

less conservative means weaker. Weaker in ways that the NSA has examined, and the people that chose the winning design have not.

Why then hold a contest and invite outside scrutiny in the first place?

This is simply a brand new unexplained secret design emerging from the bowels of the NSA, which already gave us a variety of backdoored crypto. The design process, the contest, the public examination, was a lie. Therefore, the design is a lie.
Re: [Cryptography] NIST about to weaken SHA3?
On Tue, Oct 01, 2013 at 07:21:03AM +1000, James A. Donald wrote:
> On 2013-10-01 00:44, Viktor Dukhovni wrote:
>> Should one also accuse ESTREAM of maliciously weakening SALSA? Or might one admit the possibility that winning designs in contests are at times quite conservative and that one can reasonably standardize less conservative parameters that are more competitive in software?
>
> less conservative means weaker.

Weakening SHA3 to gain cryptanalytic advantage does not make much sense. SHA3 collisions or preimages even at 80-bit cost don't provide anything interesting to a cryptanalyst, and MITM attackers will attack much softer targets.

We know exactly why it was weakened. The proposed SHA3-256 digest gives 128 bits of security for both collisions and preimages. Likewise the proposed SHA3-512 digest gives 256 bits of security for both collisions and preimages.

> Weaker in ways that the NSA has examined, and the people that chose the winning design have not.

The lower capacity is not weaker in obscure ways. If Keccak delivers substantially less than c/2 security, then it should not have been chosen at all.

If you believe that 128-bit preimage and collision resistance is inadequate in combination with AES128, or 256-bit preimage and collision resistance is inadequate in combination with AES256, please explain.

> Why then hold a contest and invite outside scrutiny in the first place?

The contest led to an excellent new hash function design.

> This is simply a brand new unexplained secret design emerging from the bowels of the NSA, which already gave us a variety of backdoored crypto.

Just because they're after you, doesn't mean they're controlling your brain with radio waves. Don't let FUD cloud your judgement.

--
Viktor.
Re: [Cryptography] NIST about to weaken SHA3?
On Mon, Sep 30, 2013 at 2:21 PM, James A. Donald <jam...@echeque.com> wrote:
> On 2013-10-01 00:44, Viktor Dukhovni wrote:
>> Should one also accuse ESTREAM of maliciously weakening SALSA? Or might one admit the possibility that winning designs in contests are at times quite conservative and that one can reasonably standardize less conservative parameters that are more competitive in software?
>
> less conservative means weaker. Weaker in ways that the NSA has examined, and the people that chose the winning design have not.

This isn't true: Keccak's designers proposed a wide range of capacity parameters for different environments.

> Why then hold a contest and invite outside scrutiny in the first place?
>
> This is simply a brand new unexplained secret design emerging from the bowels of the NSA, which already gave us a variety of backdoored crypto.

No, it is the Keccak construction with a different rate and capacity.

> The design process, the contest, the public examination, was a lie. Therefore, the design is a lie.

I'm sorry, but the tradeoffs in capacity and their implications were part of the Keccak submission from the beginning. During the entire process commentators were questioning the difference between collision security and preimage security, as it was clear that collisions kill a hash as dead as preimages. This was a topic of debate on the SHA-3 list between DJB and others, because DJB designed Cubehash to have the same tradeoff as the design NIST is proposing to standardize.

Sincerely,
Watson

--
Those who would give up Essential Liberty to purchase a little Temporary Safety deserve neither Liberty nor Safety.
-- Benjamin Franklin
[Cryptography] NIST about to weaken SHA3?
Hey.

Not sure whether this has been pointed out / discussed here already (but I guess Perry will reject my mail in case it has): https://www.cdt.org/blogs/joseph-lorenzo-hall/2409-nist-sha-3

This makes NIST seem somehow like liars,... on the one hand they claim to be surprised by the alleged NSA-conspiracy around Dual_EC_DRBG and that this would be against their intentions... on the other hand it looks as if they'd be trying the same thing again.

Cheers,
Chris.
Re: [Cryptography] NIST about to weaken SHA3?
On 2013-09-30 13:12, Christoph Anton Mitterer wrote:
> https://www.cdt.org/blogs/joseph-lorenzo-hall/2409-nist-sha-3
>
> This makes NIST seem somehow like liars

If one lie, all lies.
Re: [Cryptography] NIST about to weaken SHA3?
On Mon, Sep 30, 2013 at 05:12:06AM +0200, Christoph Anton Mitterer wrote:
> Not sure whether this has been pointed out / discussed here already (but I guess Perry will reject my mail in case it has): https://www.cdt.org/blogs/joseph-lorenzo-hall/2409-nist-sha-3

I call FUD. If progress is to be made, fight the right fights.

The SHA-3 specification was not weakened, the blog confuses the effective security of the algorithm with the *capacity* of the sponge construction.

The actual NIST Proposal strengthens SHA-3 relative to the authors' most performant proposal (http://eprint.iacr.org/2013/231.pdf section 6.1) by rounding up the capacity of the sponge construction to 256 bits for both SHA3-224 and SHA3-256, and rounding up to 512 bits for both SHA3-384 and SHA3-512 (matching the proposal in section 6.2). The result is that the 256-capacity variant gives 128-bit security against both collision and first preimage attacks, while the 512-bit capacity variant gives 256-bit security. This removes the asymmetry in the security properties of the hash.

Yes, this is a performance trade-off, but it seems entirely reasonable. Do you really need 256 bits of preimage resistance with 128-bit ciphersuites, or 512 bits of preimage resistance with 256-bit ciphersuites? SHA2-256's O(256) bits of preimage resistance was not a design requirement, rather it needed 128-bits of collision resistance, the stronger preimage resistance is an artifact of the construction.

For a similar sentiment see: http://crypto.stackexchange.com/questions/10008/why-restricting-sha3-to-have-only-two-possible-capacities

--
Viktor.
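The capacity parameter that John Kelsey's message and Viktor's reply above argue about is easiest to see when the sponge is written out with c as an input. The following is an added example for this thread, not code from the Keccak team, NIST or any of the posters. It implements Keccak-f[1600] and the sponge mode with the SHA-3 padding (domain suffix 0x06, then pad10*1); at c = 512 it reproduces Python's hashlib.sha3_256 (the 2n capacity of the submission's SHA-2 drop-in), and at c = 256 it is the variant NIST proposed for a 256-bit output. The helper names sha3_256_c512, sha3_256_c256, generic_security_bits and permutation_calls are my own: the last two spell out the two sides of the trade-off, the min(n, c/2) / min(n/2, c/2) generic bound and the number of permutation calls per message at the larger rate r = 1600 - c.

```python
"""Keccak sponge with the capacity c as a parameter.

Added example for this thread, not code from the Keccak team, NIST or any
poster. Assumes Keccak-f[1600] and the SHA-3 padding (suffix 0x06 then
pad10*1). With c = 512 it matches Python's hashlib.sha3_256; c = 256 is the
capacity NIST proposed for a 256-bit output in the discussion above.
"""
import hashlib

MASK64 = (1 << 64) - 1

# Keccak-f[1600] round constants (iota step).
RC = [
    0x0000000000000001, 0x0000000000008082, 0x800000000000808A, 0x8000000080008000,
    0x000000000000808B, 0x0000000080000001, 0x8000000080008081, 0x8000000000008009,
    0x000000000000008A, 0x0000000000000088, 0x0000000080008009, 0x000000008000000A,
    0x000000008000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003,
    0x8000000000008002, 0x8000000000000080, 0x000000000000800A, 0x800000008000000A,
    0x8000000080008081, 0x8000000000008080, 0x0000000080000001, 0x8000000080008008,
]
# Rotation offsets ROT[x][y] (rho step).
ROT = [
    [0, 36, 3, 41, 18],
    [1, 44, 10, 45, 2],
    [62, 6, 43, 15, 61],
    [28, 55, 25, 21, 56],
    [27, 20, 39, 8, 14],
]


def rol64(v, n):
    n %= 64
    return ((v << n) | (v >> (64 - n))) & MASK64 if n else v


def keccak_f1600(lanes):
    """Apply the 24-round Keccak-f[1600] permutation; lanes[x + 5*y] is lane (x, y)."""
    A = list(lanes)
    for rc in RC:
        # theta: column parities mixed into every lane
        C = [A[x] ^ A[x + 5] ^ A[x + 10] ^ A[x + 15] ^ A[x + 20] for x in range(5)]
        D = [C[(x - 1) % 5] ^ rol64(C[(x + 1) % 5], 1) for x in range(5)]
        A = [A[i] ^ D[i % 5] for i in range(25)]
        # rho (lane rotations) and pi (lane permutation)
        B = [0] * 25
        for x in range(5):
            for y in range(5):
                B[y + 5 * ((2 * x + 3 * y) % 5)] = rol64(A[x + 5 * y], ROT[x][y])
        # chi: the only non-linear step, applied row by row
        A = [B[i] ^ ((~B[(i % 5 + 1) % 5 + 5 * (i // 5)] & MASK64)
                     & B[(i % 5 + 2) % 5 + 5 * (i // 5)]) for i in range(25)]
        # iota: break symmetry with the round constant
        A[0] ^= rc
    return A


def sponge(capacity_bits, data, out_bytes, suffix=0x06):
    """Keccak[c]: absorb `data` at rate r = 1600 - c bits, squeeze `out_bytes`."""
    rate_bytes = (1600 - capacity_bits) // 8
    msg = bytearray(data) + bytes([suffix])       # domain-separation suffix
    msg += b"\x00" * (-len(msg) % rate_bytes)     # pad10*1: zeros ...
    msg[-1] ^= 0x80                               # ... and the final 1 bit
    state = [0] * 25
    for off in range(0, len(msg), rate_bytes):    # absorb: only the rate part is XORed
        block = msg[off:off + rate_bytes]
        for i in range(rate_bytes // 8):
            state[i] ^= int.from_bytes(block[8 * i:8 * i + 8], "little")
        state = keccak_f1600(state)
    out = bytearray()
    while len(out) < out_bytes:                   # squeeze: read only the rate part
        for i in range(rate_bytes // 8):
            out += state[i].to_bytes(8, "little")
        if len(out) < out_bytes:
            state = keccak_f1600(state)
    return bytes(out[:out_bytes])


def sha3_256_c512(data):
    """256-bit output at c = 2n (the submission's SHA-2 drop-in)."""
    return sponge(512, data, 32)


def sha3_256_c256(data):
    """256-bit output at c = n (the capacity NIST proposed in this thread)."""
    return sponge(256, data, 32)


def matches_hashlib(data):
    """True if the c = 512 variant reproduces the standard library's SHA3-256."""
    return sha3_256_c512(data) == hashlib.sha3_256(data).digest()


def generic_security_bits(capacity_bits, output_bits):
    """Generic sponge bounds: c/2 for every attack, capped by the output length."""
    return {"collision": min(output_bits // 2, capacity_bits // 2),
            "preimage": min(output_bits, capacity_bits // 2)}


def permutation_calls(capacity_bits, msg_len_bytes):
    """Keccak-f calls needed to absorb a message: ceil((len + suffix byte) / rate)."""
    rate_bytes = (1600 - capacity_bits) // 8
    return -(-(msg_len_bytes + 1) // rate_bytes)


if __name__ == "__main__":
    print("c=512 matches hashlib.sha3_256:", matches_hashlib(b"x" * 1000))
    for c in (512, 256):
        print("c =", c, generic_security_bits(c, 256),
              permutation_calls(c, 1000), "permutation calls for 1000 bytes")
```

Running it shows the point both messages make in numbers: at c = 512 the 256-bit output has the 128/256 collision/preimage split that SHA-256 also has, at c = 256 both drop to 128, and a 1000-byte message costs 8 permutation calls at c = 512 versus 6 at c = 256, which is the whole of the performance argument.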