[cryptography] workaround for length extension attacks (was: Doubts over necessity of SHA-3 cryptography standard)

Marsh Ray marsh at extendedsubset.com
Wed Apr 18 21:00:50 PDT 2012


On 04/14/2012 06:39 AM, David Adamson wrote:
>
> NSA designed SHA-2 to stay in libraries for a long time. Length
> extension is not an issue for SHA-2 anymore with SHA-512/256. That is
> a double-pipe hash function perfectly secure against length-extension
> attack. On 64-bit platforms SHA512 and SHA512/256 are almost as fast as
> Skein and Blake (one of which will be the next SHA-3), and according
> to [1], "Furthermore, even the fastest finalists will probably offer
> only a small performance advantage over the current SHA-256 and
> SHA-512 implementations."

And they seem to be significantly less efficient in hardware than SHA-2.

Gee, it's almost as if the NSA knows a thing or two about designing and  
implementing hash functions! :-)

> However, since SHA-2 and (to be SHA-3) are 2, 3 or even 4 times slower
> than MD5 or SHA-1, and NIST running the SHA-3 competition changed
> their own initial goal for SHA-3 to be significantly faster than SHA-2, I
> expect in the following period several other influential international
> players in the area of standardizing cryptographic primitives to use
> that strategic mistake made by NIST, and to push for a hash standard
> that will be significantly faster than SHA-2 and SHA-3.
> [...]
> Now I expect the EU to use the opportunity and finally back up a
> hash function that industry will prefer. But I see also that Russia,
> China and Japan can also use NIST's screw-up with the performance
> of SHA-3 and will try to take over the industrial primacy with their
> own hash function.

Honest question: why should we think they can do it?

Everyone was invited to take part in the SHA-3 competition, and many  
international teams did. In fact, most of the finalists aren't US teams.

Of all the hundreds of entrants there are 5 left. It seems that most were
weeded out because they were less-than-maximally efficient or had attacks
on their security.

Beating SHA-2-256 or SHA-2-512/256 is turning out to be harder than anyone 
expected.

> At the end, supremacy in setting up cryptographic
> standards is what will bring reputation, trust and strategic
> positioning in the world that in the following years will digest
> exabytes per hour.

No one spends more money on info systems than the US Government. Vendors
can implement whatever they want in their own (or extensible) protocols, but
if the USG requires SHA-3, it's going to be implemented in gear designed for
sale in N. America.

Still, China is an increasing market too and their rulers are not afraid  
of "intelligent design". We have them to thank for killing off proprietary 
incompatible cellphone chargers. They simply mandated that all mobiles 
charge via mini-USB.
> http://en.wikipedia.org/wiki/USB#Mobile_device_charger_standards

We may be seeing signs of a fork in data security protocols too.
> http://www.nytimes.com/2012/03/27/technology/symantec-dissolves-alliance-with-huawei-of-china.html?_r=1


> SO: I expect a new hash competition (run by EU, Russia, China or
> Japan) where the US SHA-3 standard will be a reference point and the goal
> will be to design 256- and 512-bit hash functions that are 3-4 times
> faster than SHA-3.

Alternatively, NIST could say "we've learned so much about hash functions 
over the past few years that we're going to allow designers another round 
of submissions."

- Marsh
_______________________________________________
cryptography mailing list
cryptography at randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography

----- End forwarded message -----
-- 
Eugen* Leitl http://leitl.org