Did NIST Cripple SHA-3?
An anonymous reader writes "In the process of standardizing the SHA-3 competition winning algorithm Keccak, the National Institute of Standards and Technology (NIST) may have lowered the bar for attacks, which might be useful for or even initiated by NSA. 'NIST is proposing a huge reduction in the internal strength of Keccak below what went into final SHA-3 comp,' writes cryptographer Marsh Ray on Twitter. In August, John Kelsey, working at NIST, described (slides 44-48) the changes to the algorithm, including reduction of the bit length from 224, 256, 384 and 512-bit modes down to 128 and 256-bit modes."
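The "internal strength" being argued about is the sponge capacity c. Keccak keeps a 1600-bit state, absorbs r = 1600 - c bits of message per permutation call, and the designers' generic-security claim is c/2 bits against every generic attack, so preimage resistance of an n-bit output is min(n, c/2). The SHA-3 submission used c = 2n (c = 512 for a 256-bit digest); the NIST proposal the summary refers to dropped that to c = 256 for the 224/256-bit outputs and c = 512 for the 384/512-bit ones, which is where the "128 and 256-bit modes" come from. The following is an added example, not code from NIST, the Keccak team or the submitter: a compact, from-the-spec Keccak sponge with capacity as an explicit parameter, checked against Python's hashlib. With c = 512 and the SHA-3 suffix it reproduces hashlib.sha3_256 (the final FIPS 202 kept c = 2n); with c = 256 it has the parameter set of SHAKE128, so hashlib.shake_128 can verify that variant too. The generic_security_bits table is my own summary of the standard sponge bounds, and the function and constant names are mine.

```python
import hashlib

MASK64 = (1 << 64) - 1

# Round constants for the iota step, one per round of Keccak-f[1600].
RC = [
    0x0000000000000001, 0x0000000000008082, 0x800000000000808A, 0x8000000080008000,
    0x000000000000808B, 0x0000000080000001, 0x8000000080008081, 0x8000000000008009,
    0x000000000000008A, 0x0000000000000088, 0x0000000080008009, 0x000000008000000A,
    0x000000008000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003,
    0x8000000000008002, 0x8000000000000080, 0x000000000000800A, 0x800000008000000A,
    0x8000000080008081, 0x8000000000008080, 0x0000000080000001, 0x8000000080008008,
]
# Rotation offsets for the rho step, indexed ROT[x][y].
ROT = [
    [0, 36, 3, 41, 18],
    [1, 44, 10, 45, 2],
    [62, 6, 43, 15, 61],
    [28, 55, 25, 21, 56],
    [27, 20, 39, 8, 14],
]


def rol64(v, n):
    """Rotate a 64-bit lane left by n bits."""
    return ((v << n) | (v >> (64 - n))) & MASK64


def keccak_f1600(lanes):
    """Keccak-f[1600] on 25 lanes; lane (x, y) lives at lanes[x + 5*y]."""
    A = [[lanes[x + 5 * y] for y in range(5)] for x in range(5)]
    for rc in RC:
        # theta: mix each lane with the parity of two neighbouring columns
        C = [A[x][0] ^ A[x][1] ^ A[x][2] ^ A[x][3] ^ A[x][4] for x in range(5)]
        D = [C[(x - 1) % 5] ^ rol64(C[(x + 1) % 5], 1) for x in range(5)]
        A = [[A[x][y] ^ D[x] for y in range(5)] for x in range(5)]
        # rho (lane rotations) and pi (lane transposition) in one pass
        B = [[0] * 5 for _ in range(5)]
        for x in range(5):
            for y in range(5):
                B[y][(2 * x + 3 * y) % 5] = rol64(A[x][y], ROT[x][y])
        # chi: the only non-linear step, applied along rows
        A = [[B[x][y] ^ ((B[(x + 1) % 5][y] ^ MASK64) & B[(x + 2) % 5][y])
              for y in range(5)] for x in range(5)]
        # iota: break symmetry between rounds
        A[0][0] ^= rc
    return [A[x][y] for y in range(5) for x in range(5)]


def sponge_hash(msg, capacity_bits, out_bytes, suffix):
    """Keccak sponge with explicit capacity. suffix is the domain-separation byte
    (0x06 for SHA-3 fixed-length outputs, 0x1F for SHAKE, 0x01 for original Keccak)."""
    rate_bytes = (1600 - capacity_bits) // 8
    # pad10*1 after the suffix bits; the final 1 bit lands in the top bit of the block
    padded = bytearray(msg) + bytes([suffix])
    padded += b"\x00" * (-len(padded) % rate_bytes)
    padded[-1] |= 0x80
    state = [0] * 25
    # absorb: XOR each rate-sized block into the outer r bits, then permute;
    # the inner c bits are never touched by the message directly
    for off in range(0, len(padded), rate_bytes):
        block = padded[off:off + rate_bytes]
        for i in range(rate_bytes // 8):
            state[i] ^= int.from_bytes(block[8 * i:8 * i + 8], "little")
        state = keccak_f1600(state)
    # squeeze: read the outer part, permuting again if more output is wanted
    out = b""
    while len(out) < out_bytes:
        out += b"".join(lane.to_bytes(8, "little") for lane in state[:rate_bytes // 8])
        if len(out) < out_bytes:
            state = keccak_f1600(state)
    return out[:out_bytes]


def generic_security_bits(out_bits, capacity_bits):
    """Generic-attack resistance of an out_bits digest from a sponge with capacity c:
    the flat sponge claim gives c/2 bits against everything, the digest length caps the rest."""
    return {
        "rate_bytes_per_permutation": (1600 - capacity_bits) // 8,
        "collision": min(out_bits // 2, capacity_bits // 2),
        "preimage": min(out_bits, capacity_bits // 2),
        "second_preimage": min(out_bits, capacity_bits // 2),
    }


def matches_stdlib(msg):
    """Cross-check: c = 512 + SHA-3 suffix must equal hashlib.sha3_256;
    c = 256 + SHAKE suffix is the SHAKE128 parameter set, so it must equal shake_128."""
    full = sponge_hash(msg, 512, 32, 0x06) == hashlib.sha3_256(msg).digest()
    reduced = sponge_hash(msg, 256, 32, 0x1F) == hashlib.shake_128(msg).digest(32)
    return full and reduced


if __name__ == "__main__":
    for c in (512, 256):
        print(f"c={c}:", generic_security_bits(256, c))
    print("stdlib agreement:", matches_stdlib(b"abc"))
```

Running it shows the trade the summary objects to: going from c = 512 to c = 256 raises the absorb rate from 136 to 168 bytes per permutation (about 24% more throughput) while the preimage bound for a 256-bit digest drops from 256 to 128 bits; collision resistance stays at 128 bits either way, which is the argument NIST made for the change.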
Schneier, every time I read him, seems to be making sense. No need to deify the chap, though.
Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear
And he, like everyone else who's reasonable, believes in standards processes to test and check each other's algorithms and pick the best ones. The problem is making sure these standards systems are open and above board.
- Michael T. Babcock (Yes, I blog)
It appears that the most difficult part of cryptography is key management.
You could say that key management is the only really difficult problem in cryptography. If it weren't for the key management problem we'd all be using one-time pads, which are both trivial to implement and provably unbreakable, even by brute force. Unfortunately, to use them each pair of individuals must first securely exchange keys at least as large as all the messages they'll ever want to send.
Symmetric crypto algorithms exist to cut down on the amount of key material which must be exchanged by reusing the key, while asymmetric crypto addresses the N^2 problem by allowing many-to-one communication with a single public/private key pair. Both accept the risk of cryptanalysis in exchange for more convenient key management.
"The state is that great fiction by which everyone tries to live at the expense of everyone else." - Bastiat