lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 12 Feb 2015 11:09:09 +0100 (CET)
To: "" <>
Subject: Re: [PHC] PHC status report

On Thu, 12 Feb 2015, Donghoon Chang wrote:

> Let me share the process of SHA-3 selection.
> Till 5 were chosen, NIST focused only on evaluating each algorithm based 
> on security, software and hardware performance based on clear 
> comparison. Till 5 were chosen, NIST never considered additional 
> features such as elegance and simplicity, etc. So, at least, we sure 
> that the five algorithms sound fine in terms of security and 
> performance. 

As I understand your complaint, you argue that the SHA-3 process, at least 
the down from 51 to 14, and the narrowing down from 14 to 5 candidates, 
has been based on objective and verifiable comparisons regarding security 
and performance? Or, as you put it in another mail, "the criteria of 
standards or algorithms related to the security of system should be able 
to be measured by scientific ways"?

Having been on the submitters side in SHA-3, this is not what I see when I 
read the SHA-3 reports. Surely, there had been some candidates that where 
actually broken or performed poor everywhere. But most choices where based 
on subjective decisions, not on criteria measurable by scientific ways.

Mind you, I am not accusing you, or the other authors of the report, or 
the NIST in general, of anything wrong. It would actually be completely 
irresponsible to ignore soft "facts" for the decision.

Consider security, the hardest of all criteria. The SHA-3 round-1 report 
   "NIST considered not only attacks that directly demonstrated that a SHA-
    3 candidate fell short of NIST’s stated security targets, but also
    attacks that have historically been precursors to more severe attacks
    on legacy hash algorithms."

This APPEARS like a rational foundations for decisions, doesn't it?

But it does mean nothing less than some seasoned cryptographer at NIST 
looks at a reported attacks and thinks "oh, this feels bad" or "nice work, 
but I don't think this will go much further". Anticipating the likelihood 
that a reported weakness gets worse cannot be based on hard scientific 
facts. Nevertheless, this is an important part of the decision process.

And if there is no reported weaknesses at all? Then surely the candidate 
must be promoted to the next round, right? Actually, the lack of 
cryptanalysis may be a reason not to promote a candidate either, since it 
indicates either a lack of interest in the candidate from the 
cryptographic community, or it shows that the candidate is difficult to 

This is, what NIST did and what it had to do. And it is, was what we, the 
submitters, actually expected the NIST to do. When writing our submission, 
we expected the SHA-3 contest to be as much a "beauty contest" based on 
soft criteria, as a "demolition derby", based on hard facts -- not much 
different from the AES process.

Please read the SHA-3 first-round report I quoted above. How many specific 
reasons for not selecting a candidate does it give?

Perhaps, the PHC report has been too verbose giving specific reasons for
not promoting specific candidates?

So long


------  I  love  the  taste  of  Cryptanalysis  in  the morning!  ------
--Stefan.Lucks (at), Bauhaus-Universität Weimar, Germany--

Powered by blists - more mailing lists