On 04/14/2012 06:39 AM, David Adamson wrote:
NSA designed SHA-2 to stay in libraries for a long time. Length extension is not an issue for SHA-2 anymore with SHA-512/256. That is a double-pipe hash function perfectly secure against length-extension attack. On 64-bit platforms SHA512 and SHA512/256 is almost as fast as Skein and Blake (one of which will be the next SHA-3), and according to [1], "Furthermore, even the fastest finalists will probably offer only a small performance advantage over the current SHA-256 and SHA-512 implementations."
And they seem to be significantly less efficient in hardware than SHA-2. Gee, it's almost as if the NSA knows a thing or two about designing and implementing hash functions! :-)
However, since SHA-2 and (to be SHA-3) are 2, 3 or even 4 times slower than MD5 or SHA-1, and NIST running the SHA-3 competition changed their own initial goal SHA-3 to be significantly faster than SHA-2, I expect in the following period several other influential international players in the area of standardizing cryptographic primitives to use that strategic mistake done by NIST, and to push for a hash standard that will be significantly faster than SHA-2 and SHA-3. [...] Now I expect EU to use the opportunity and finally back up a hash function that industry will prefer. But I see also that Russia, China and Japan can also use the NIST's screw up with the performance of SHA-3 and will try to take over the industrial primacy with their own hash function.
Honest question: why should we think they can do it? Everyone was invited to take part in the SHA-3 competition, and many international teams did. In fact, most of the finalists aren't US teams. Of all the hundreds of entrants there are 5 left. It seems that most were weeded out because they were less-that-maximally efficient or had attacks on their security. Beating SHA-2-256 or SHA-2-512/256 is turning out to be harder than anyone expected.
At the end, supremacy in setting up cryptographic standards is what will bring reputation, trust and strategic positioning in the world that in the following years will digest exabytes per hour.
No one spends more money on info systems than the US Government. Vendors can implement whatever they want in the own (or extensible) protocols, but if USG requires SHA-3, it's going to be implemented in gear designed for sale in N. America. Still, China is an increasing market too and their rulers are not afraid of "intelligent design". We have them to thank for killing off proprietary incompatible cellphone chargers. They simply mandated that all mobiles charge via mini-USB.
http://en.wikipedia.org/wiki/USB#Mobile_device_charger_standards
We may be seeing signs of a fork in data security protocols too.
http://www.nytimes.com/2012/03/27/technology/symantec-dissolves-alliance-wit...
SO: I expect a new hash competition (run by EU, Russia, China or Japan) where US SHA-3 standard will be a reference point and the goal will be to design 256 and 512 bits hash function that is 3-4 times faster than SHA-3.
Alternatively, NIST could say "we've learned so much about hash functions over the past few years that we're going to allow designers another round of submissions." - Marsh _______________________________________________ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography ----- End forwarded message ----- -- Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE