| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <alpine.DEB.2.11.1502120945530.14964@debian>
Date: Thu, 12 Feb 2015 11:09:09 +0100 (CET)
From: Stefan.Lucks@...-weimar.de
To: "discussions@...sword-hashing.net" <discussions@...sword-hashing.net>
Subject: Re: [PHC] PHC status report
On Thu, 12 Feb 2015, Donghoon Chang wrote:
> Let me share the process of SHA-3 selection.
[...]
>
> Till 5 were chosen, NIST focused only on evaluating each algorithm based
> on security, software and hardware performance based on clear
> comparison. Till 5 were chosen, NIST never considered additional
> features such as elegance and simplicity, etc. So, at least, we sure
> that the five algorithms sound fine in terms of security and
> performance.
As I understand your complaint, you argue that the SHA-3 process, at least
the down from 51 to 14, and the narrowing down from 14 to 5 candidates,
has been based on objective and verifiable comparisons regarding security
and performance? Or, as you put it in another mail, "the criteria of
standards or algorithms related to the security of system should be able
to be measured by scientific ways"?
Having been on the submitters side in SHA-3, this is not what I see when I
read the SHA-3 reports. Surely, there had been some candidates that where
actually broken or performed poor everywhere. But most choices where based
on subjective decisions, not on criteria measurable by scientific ways.
Mind you, I am not accusing you, or the other authors of the report, or
the NIST in general, of anything wrong. It would actually be completely
irresponsible to ignore soft "facts" for the decision.
Consider security, the hardest of all criteria. The SHA-3 round-1 report
<http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/sha3_NISTIR7620.pdf>
says:
"NIST considered not only attacks that directly demonstrated that a SHA-
3 candidate fell short of NIST’s stated security targets, but also
attacks that have historically been precursors to more severe attacks
on legacy hash algorithms."
This APPEARS like a rational foundations for decisions, doesn't it?
But it does mean nothing less than some seasoned cryptographer at NIST
looks at a reported attacks and thinks "oh, this feels bad" or "nice work,
but I don't think this will go much further". Anticipating the likelihood
that a reported weakness gets worse cannot be based on hard scientific
facts. Nevertheless, this is an important part of the decision process.
And if there is no reported weaknesses at all? Then surely the candidate
must be promoted to the next round, right? Actually, the lack of
cryptanalysis may be a reason not to promote a candidate either, since it
indicates either a lack of interest in the candidate from the
cryptographic community, or it shows that the candidate is difficult to
analyse.
This is, what NIST did and what it had to do. And it is, was what we, the
submitters, actually expected the NIST to do. When writing our submission,
we expected the SHA-3 contest to be as much a "beauty contest" based on
soft criteria, as a "demolition derby", based on hard facts -- not much
different from the AES process.
Please read the SHA-3 first-round report I quoted above. How many specific
reasons for not selecting a candidate does it give?
Perhaps, the PHC report has been too verbose giving specific reasons for
not promoting specific candidates?
So long
Stefan
------ I love the taste of Cryptanalysis in the morning! ------
uni-weimar.de/de/medien/professuren/mediensicherheit/people/stefan-lucks
--Stefan.Lucks (at) uni-weimar.de, Bauhaus-Universität Weimar, Germany--
Powered by blists - more mailing lists