Slashdot Mirror


Schneier On the US Crypto Competition

Bruce Schneier has a commentary in Wired titled An American Idol for Crypto Geeks on the US government's competition for a new cryptographic hash function to become the national standard, covered here recently. He talks about how much the competition, slated to wrap up by 2011, will advance the cryptographic state of the art. And how much fun he expects to have.

58 comments

  1. Terrorists?? by MrShaggy · · Score: 5, Funny

    But I though that it was only terrorists that use encryption??

    --
    I have mod points and I am not afraid to use them.
    1. Re:Terrorists?? by Anonymous Coward · · Score: 1, Funny

      Don't worry son. I'm sure they'll get to him anytime now.

    2. Re:Terrorists?? by Anonymous Coward · · Score: 0

      "US government's competition for a new cryptographic hash function to become the national standard"

      you are correct :)

    3. Re:Terrorists?? by darkhitman · · Score: 1, Informative

      Encryption is not the same as hashing.

      Damn terrorists!

      --
      Tell me something...it's still "We, the people"... right?
    4. Re:Terrorists?? by skintigh2 · · Score: 1

      Back in my day, it was only pedophiles and drug runners that used encryption. Oh, how times and emotionally manipulative FUD have changed.

  2. Well... by tomstdenis · · Score: 0, Redundant

    I'm glad that Bruce has an opinion about this. Good lord, I don't know how I would make it through Monday without hearing what Bruce thinks about something.

    NEXT!

    Tom

    --
    Someday, I'll have a real sig.
  3. Donald Rumsfeld is the early favourite by Timesprout · · Score: 2, Funny

    After submitting some of his more cryptic speeches.

    --
    Do not try to read the dupe, that's impossible. Instead, only try to realize the truth
    What truth?
    There is no dupe
    1. Re:Donald Rumsfeld is the early favourite by ErikTheRed · · Score: 1

      After submitting some of his more cryptic speeches.
      Well, SHA's not a cipher... but considering the hash (see def #7) Rumsfeld & co made in Iraq....
      --
      Help save the critically endangered Blue Iguana
  4. tasty by qwertphobia · · Score: 1, Funny

    mmm.... hash browns

    --
    Never ask for directions from a two-headed tourist! -Big Bird
  5. American Idol? by CerebusUS · · Score: 3, Funny

    Please, oh please oh please don't let there be a William Hung to spring from this.

    1. Re:American Idol? by Darth_brooks · · Score: 1

      C'mon, You know you wanna hear someone do "She !'s, She !'s"

      --
      There are some people that if they don't know, you can't tell 'em.
    2. Re:American Idol? by forkazoo · · Score: 2, Funny

      Please, oh please oh please don't let there be a William Hung to spring from this.


      Maybe this guy should submit his work. He'd be right about on William Hung's level of competitiveness....
      http://xkcd.com/c153.html
    3. Re:American Idol? by Anonymous Coward · · Score: 0
      Oh come on, the Hung Algorithm:

      typedef unsigned char byte;

      byte *HungEncrypt(byte *data, int len)
      {
          byte *output = new byte[len];

          // Adding 256 to an 8-bit byte wraps around, so every output byte
          // equals its input: the "cipher" is the identity (that's the joke).
          for (int x = 0; x < len; x++)
              output[x] = data[x] + 256;

          return output;
      }
    4. Re:American Idol? by CerebusUS · · Score: 1

      Ha! I love that guy.

    5. Re:American Idol? by Anonymous Coward · · Score: 0

      Please, oh please oh please don't let there be a William Hung to spring from this.
      Rot13 Rot13, oh baby.
      Rot13 Rot13, drive me crazy.
    6. Re:American Idol? by Anonymous Coward · · Score: 0

      C'mon, You know you wanna hear someone do "She !'s, She !'s"

      Oh baby and she mv's! She mv's!

    7. Re:American Idol? by h4rm0ny · · Score: 1


      Wow! Thank you. I'd never seen that series before. I love it! It's mathematical and yet so sweet!

      --
      Aide-toi, le Ciel t'aidera - Jeanne D'Arc.
    8. Re:American Idol? by strider44 · · Score: 1

      Alright, I love XKCD but I've got to ask someone for an explanation for that specific comic - I've never listened to Missy Elliott.

    9. Re:American Idol? by CerebusUS · · Score: 1

      Missy Elliott's Work It lyrics:

      This is a Missy Elliott one-time exclusive (Come on)

      Is it worth it, let me work it
      I put my thang down, flip it and reverse it
      I put my thang down, flip it and reverse it


      I'm not a huge rap fan, but I generally dig her stuff.

  6. Fun ??? by jfbus · · Score: 3, Funny

    And how much fun he expects to have. Sometimes, I wonder whether we live in the same world...
    1. Re:Fun ??? by realnowhereman · · Score: 4, Funny

      Repeat after me. It's okay. This is a site for geeks. I don't have to pretend to be cool here. Being interested in encryption does not make me a bad person. I am not in high school any more.

      --
      Carpe Daemon
    2. Re:Fun ??? by Goaway · · Score: 1

      Yes, obviously intellectual exercise is always dull and boring. Who the hell wants to THINK when you could WATCH TV?

    3. Re:Fun ??? by gkhan1 · · Score: 1

      You just gave me a flashback of me studying the DES standard during breaks and people looking weirdly at me. You know, "Look, these S-boxes are so cool!".

      It was nice to impress people by cracking some simple ciphers though. That didn't last long, however....

    4. Re:Fun ??? by An+ominous+Cow+art · · Score: 1

      Don't think of it as 'American Idol', think of it as 'American 0x000001D0L'.

  7. SHA-256? by Bromskloss · · Score: 2, Interesting

    What about SHA-512?

    --
    Swedish plasma phys. PhD student; MSc EE; knows maths, programming, electronics; finance interest; seeks opportunities
    1. Re:SHA-256? by Phleg · · Score: 3, Interesting

      It uses a word size of 64 bits, so is not as fast on 32-bit computers. Also, I believe it's received less scrutiny than SHA-256. IANAC.

      --
      No comment.
    2. Re:SHA-256? by Anonymous Coward · · Score: 0

      There should be a SHA-8196.

    3. Re:SHA-256? by Anonymous Coward · · Score: 0, Funny

      LOL! No you newb there should be a SHA-1337 cuz I'm so 313373 lolz rolfm!

      AC FTW!

    4. Re:SHA-256? by archen · · Score: 5, Insightful

      If your algorithm is showing weaknesses, then throwing more bits at the problem is best reserved as a temporary solution. At the worst this competition will just give us an alternative hash algorithm, and that is probably reason enough to have it.

    5. Re:SHA-256? by kestasjk · · Score: 2, Insightful

      Also it's still based on the SHA-1 algorithm that was "broken".
      For practical purposes even SHA-1 is still reasonably safe, but it'd be best to learn from the cryptanalysis and research of almost two decades if we're going to make everyone change their hashing algorithm anyway.

      --
      // MD_Update(&m,buf,j);
    6. Re:SHA-256? by Library+Spoff · · Score: 1

      off topic(ish) but...

      So what option should I be using in TrueCrypt for my partition that I've got encrypted?
      I'm using the default out-of-the-box encryption - can't remember what off the top of my head, I'm at work.

      I'm not bothered about the government breaking it - it contains banking information and other stuff they could get at anyway. Just yer average cr/hacker.

      My PC is a dual-core Athlon64 with 2 gig of RAM if that makes a difference.

      --
      Acid House saves Souls
    7. Re:SHA-256? by draziw · · Score: 1

      Select Tools->Benchmark, and run with one that is fastest on your system. :) - For protection from citizens, any of them will do fine for many years.

    8. Re:SHA-256? by DarthTaco · · Score: 1

      "If your algorithm is showing weaknesses, then throwing more bits at the problem is best reserved as a temporary solution."

      All cryptographic solutions are temporary.

    9. Re:SHA-256? by Chandon+Seldon · · Score: 1

      All cryptographic solutions are temporary.

      I'm not sure where this idea comes from, but it's largely false.

      You hear a lot about cryptographic breaks because they make good news on Slashdot, but the fact of the matter is that if you encrypted something in 1978 using 3-DES it'd still be 100% secure today. If you encrypt something today using a secure 256-bit symmetric key encryption algorithm it will remain secure forever unless something really unexpected happens in computing (and no, quantum computers aren't unexpected enough).

      Now, we don't yet have a good enough understanding of the math behind encryption to prove that a given algorithm is secure, so someone could always discover a serious design fuckup and crack an algorithm. That happens pretty rarely with major algorithms. We understand cryptographic hash algorithms even less than symmetric key encryption algorithms... that's why MD5 and SHA1 got cracked, and why this hash contest is really valuable.

      I can't say that our crypto is secure, but I can say that it's not "temporarily secure". If it's broken, it will be because of a design flaw, not because computers got faster.

      --
      -- The act of censorship is always worse than whatever is being censored. Always.
    10. Re:SHA-256? by Chandon+Seldon · · Score: 1

      For practical purposes even SHA-1 is still reasonably safe.

      That's a very dangerous statement. It can be much easier to extend theoretical attacks into practical attacks than you might think. Cryptographic algorithms only provide any security at all because they are supposed to have specific mathematical properties. SHA-1 doesn't have the ones it's supposed to.

      --
      -- The act of censorship is always worse than whatever is being censored. Always.
  8. That man gets everywhere by hawkinspeter · · Score: 4, Funny
    --
    You're a temporary arrangement of matter sliding towards oblivion in a cold, uncaring universe
    1. Re:That man gets everywhere by Anonymous Coward · · Score: 0

      Bruce Schneier knows you are reading this.

  9. Whirlpool by rumplet · · Score: 1

    But I guess that's out since it's patent free.

    1. Re:Whirlpool by MostAwesomeDude · · Score: 3, Informative

      The patents (or lack thereof) have not had effects on cryptography endorsements before. One of the more popular AES candidates in use is the 384-bit key-based cipher, Blowfish, which has a public domain specification and is very useful in slow key-rescheduling conditions. One common use is for LUKS or Truecrypt hard drive encryption, and another is in BSD password hashes (the idea being that it takes the cipher about two seconds to reset itself internally each time a password is guessed, and so even with the ciphertext, the password takes a longer time to crack.)

      --
      ~ C.
    2. Re:Whirlpool by Anonymous Coward · · Score: 0

      Blowfish wasn't ever an AES candidate, it's not compliant with much of the AES criteria. Twofish was the AES candidate from that group.

    3. Re:Whirlpool by Ckwop · · Score: 2, Informative

      The patents (or lack thereof) have not had effects on cryptography endorsements before.

      Yes they have. In particular the AES competition required that submitters adhere to certain restrictions regarding patents.

      One of the more popular AES candidates in use is the 384-bit key-based cipher, Blowfish, which has a public domain specification and is very useful in slow key-rescheduling conditions.

      Blowfish was never an AES candidate.

      .. Blowfish, which has a public domain specification and is very useful in slow key-rescheduling conditions.

      I'm not even sure what you mean here. On the whole, a slow key-schedule is a bad idea. You want your key schedule to be as fast as possible. The reason for this is that a fast key-schedule means you can target more platforms with the cipher (such as smart cards et al).

      If you want to slow down dictionary attacks there are better ways to do this. Repeatedly hashing the passphrase is more sensible since the number of hashes can be scaled to the platform speed. Stopping a brute-force of a smart card is a world different to brute-force of a PGP disk.

      Blowfish on the whole is a poor design. Now that we have AES I would recommend that over anything else.

      Simon

    4. Re:Whirlpool by iabervon · · Score: 1

      IIRC, the algorithm the same group chose for AES was patent-free. This was despite some people wanting them to choose a patented algorithm because the contest requirements included that the winner would have to license any necessary patents to everyone for free. So choosing a patented algorithm would have meant that you and I could use one more AES-finalist-quality algorithm.

  10. I Win! by lottameez · · Score: 2, Funny

    73 32 76 105 110 33

    --
    Yeah? Well I think you're overrated too.
    1. Re:I Win! by LordP · · Score: 2

      Nooo... 4 8 15 16 23 42

      --
      Nothing is so smiple that it can't be screwed up.
    2. Re:I Win! by Anonymous Coward · · Score: 0

      'I Lin!' ? I don't get it.

    3. Re:I Win! by gkhan1 · · Score: 1

      447564652C207468617420776F756C64206861766520626565 6E207761792066756E6E69657220696620796F75206861646E 2774206D65737365642075702074686520617363696900

  11. I've got the solution!! by JimXugle · · Score: 1

    [ASCII text in Binary string] + 1

    It's so simple that it might just work!

    --
    -jX

    Don't you just love politics? It's like a comedy of errors.
    1. Re:I've got the solution!! by Anonymous Coward · · Score: 0

      That's amazing! I've got the same combination on my luggage!

    2. Re:I've got the solution!! by fuego451 · · Score: 1

      Funny. I was thinking md5sum-1.

    3. Re:I've got the solution!! by DamnStupidElf · · Score: 1

      [ASCII text in Binary string] + 1

      It's so simple that it might just work!


      J think you're right! (this message hashed)

  12. They're asking to find unSHA func or bigger word bit by rogtioko · · Score: 3, Interesting
    NIST is either looking for an entirely revolutionary function to the SHA series, considering the emphasis that SHA-1 has been around since 1995, or seeking a function that supplies words greater than 64 bits and also, albeit distantly, 256-bit and higher to counter higher chunk rate processors. If they're looking for something different than SHA, here are factors they are considering: the fact that all the SHA hashes after SHA-1 use part, maybe all, of SHA-1's 4 functions and vary only by the function's output word bit size, which SHA-256 and SHA-384/512 change with summation functions into the mix. For example, here are SHA-1's functions

    $$
    f_t(x,y,z) =
    \begin{cases}
    \mathrm{Ch}(x,y,z) = (x \land y) \oplus (\lnot x \land z) & 0 \le t \le 19 \\
    \mathrm{Parity}(x,y,z) = x \oplus y \oplus z & 20 \le t \le 39 \\
    \mathrm{Maj}(x,y,z) = (x \land y) \oplus (x \land z) \oplus (y \land z) & 40 \le t \le 59 \\
    \mathrm{Parity}(x,y,z) = x \oplus y \oplus z & 60 \le t \le 79
    \end{cases}
    \qquad (4.1)
    $$

    and SHA-384 and SHA-512 functions

    $\mathrm{Ch}(x,y,z) = (x \land y) \oplus (\lnot x \land z)$ (4.8)

    $\mathrm{Maj}(x,y,z) = (x \land y) \oplus (x \land z) \oplus (y \land z)$ (4.9)

    $\Sigma_0^{\{512\}}(x) = \mathrm{ROTR}^{28}(x) \oplus \mathrm{ROTR}^{34}(x) \oplus \mathrm{ROTR}^{39}(x)$ (4.10)

    $\Sigma_1^{\{512\}}(x) = \mathrm{ROTR}^{14}(x) \oplus \mathrm{ROTR}^{18}(x) \oplus \mathrm{ROTR}^{41}(x)$ (4.11)

    $\sigma_0^{\{512\}}(x) = \mathrm{ROTR}^{1}(x) \oplus \mathrm{ROTR}^{8}(x) \oplus \mathrm{SHR}^{7}(x)$ (4.12)

    $\sigma_1^{\{512\}}(x) = \mathrm{ROTR}^{19}(x) \oplus \mathrm{ROTR}^{61}(x) \oplus \mathrm{SHR}^{6}(x)$ (4.13)
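    The SHA-384/512 functions (4.8) to (4.13) listed in the comment above, put to work in a complete SHA-512 so the reader can see where each one sits (the small sigmas in the message schedule, Ch, Maj and the big sigmas in the compression loop). This is an added example in Python, not code from the original thread or from NIST; it relies on the FIPS 180-2 definition of the round constants and initial hash value as the first 64 fractional bits of the cube and square roots of the first primes, deriving them instead of typing 88 hex constants, and cross-checks its digests against Python's hashlib.

```python
import hashlib  # used only to cross-check the constructed implementation
import math
import struct

MASK64 = (1 << 64) - 1

def rotr(x, n):  # ROTR^n(x): 64-bit rotate right
    return ((x >> n) | (x << (64 - n))) & MASK64

# Equations (4.8)-(4.13): the SHA-384/512 logical functions listed in the comment.
def ch(x, y, z):     return (x & y) ^ (~x & z)
def maj(x, y, z):    return (x & y) ^ (x & z) ^ (y & z)
def big_sigma0(x):   return rotr(x, 28) ^ rotr(x, 34) ^ rotr(x, 39)
def big_sigma1(x):   return rotr(x, 14) ^ rotr(x, 18) ^ rotr(x, 41)
def small_sigma0(x): return rotr(x, 1) ^ rotr(x, 8) ^ (x >> 7)
def small_sigma1(x): return rotr(x, 19) ^ rotr(x, 61) ^ (x >> 6)

def _icbrt(n):  # floor of the integer cube root, Newton iteration from above
    s, u = n + 1, 1 << ((n.bit_length() + 2) // 3)
    while u < s:
        s, u = u, (2 * u + n // (u * u)) // 3
    return s

# FIPS 180-2 defines K_t and the IV as the first 64 fractional bits of the cube and
# square roots of the first primes; deriving them avoids retyping 88 hex constants.
PRIMES = [p for p in range(2, 410) if all(p % q for q in range(2, p))]  # first 80 primes
K = [_icbrt(p << 192) & MASK64 for p in PRIMES]
IV = [math.isqrt(p << 128) & MASK64 for p in PRIMES[:8]]

def sha512(msg: bytes) -> bytes:
    # Padding: 0x80, zeros up to 112 mod 128, then the 128-bit big-endian bit length.
    padded = msg + b"\x80" + b"\x00" * ((111 - len(msg)) % 128) + (8 * len(msg)).to_bytes(16, "big")
    H = list(IV)
    for off in range(0, len(padded), 128):
        w = list(struct.unpack(">16Q", padded[off:off + 128]))
        for t in range(16, 80):  # message schedule: the small sigmas (4.12), (4.13)
            w.append((small_sigma1(w[t - 2]) + w[t - 7] + small_sigma0(w[t - 15]) + w[t - 16]) & MASK64)
        a, b, c, d, e, f, g, h = H
        for t in range(80):      # compression: Ch, Maj and the big sigmas (4.8)-(4.11)
            t1 = (h + big_sigma1(e) + ch(e, f, g) + K[t] + w[t]) & MASK64
            t2 = (big_sigma0(a) + maj(a, b, c)) & MASK64
            a, b, c, d, e, f, g, h = (t1 + t2) & MASK64, a, b, c, (d + t1) & MASK64, e, f, g
        H = [(x + y) & MASK64 for x, y in zip(H, (a, b, c, d, e, f, g, h))]
    return b"".join(x.to_bytes(8, "big") for x in H)

def matches_hashlib(msg: bytes) -> bool:
    return sha512(msg) == hashlib.sha512(msg).digest()
```

    The same skeleton with 32-bit words, different rotation amounts and 64 rounds gives SHA-256, which is the point the comment makes about the family varying mainly in word size.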

  13. Bruce could take the Simon Cowell role... by mutterc · · Score: 2, Funny

    ... insulting the inferior entries.

    (Search his site for "The Doghouse" for some smackdowns of snake-oil crypto products.)

  14. The NSA's entry.... by slcdb · · Score: 1

    I heard the NSA is entering a new hash algorithm, named AYBABTU, into the competition. Interestingly, reverse engineering of the algorithm has shown it to be very similar to an algorithm, tentatively named Eksore, that was submitted to the contest by a local Junior High cryptography team.

    --
    Despite what EULAs say, most software is sold, not licensed.
  15. Fine. So where is sha2sum ? by Anonymous Coward · · Score: 0

    Just did a quick search on Google and I couldn't find anything regarding sha2sum... it ain't part of coreutils... So, how do we use SHA-256/512 on Linux?

  16. i for one, by stupidsocialscientis · · Score: 1

    cpx up pvs fodszqujpo pwfsmpstet!

    --
    Well, as far as Sig's go, Freud was a doozy.
    1. Re:i for one, by mbessey · · Score: 1

      QNS-27 dmbqxoshnm, dg? H khjd hs. Ax sgd vzx, xnt lhrodkkdc "Nudqknqcr"