Did NIST Cripple SHA-3?

An anonymous reader writes "In the process of standardizing the SHA-3 competition winning algorithm Keccak, the National Institute of Standards and Technology (NIST) may have lowered the bar for attacks, which might be useful for or even initiated by NSA. 'NIST is proposing a huge reduction in the internal strength of Keccak below what went into final SHA-3 comp,' writes cryptographer Marsh Ray on Twitter. In August, John Kelsey, working at NIST, described (slides 44-48) the changes to the algorithm, including reduction of the bit length from 224, 256, 384 and 512-bit modes down to 128 and 256-bit modes."

Why do we even go to these orgs anymore...

I say we just use the algorithms Schneier has invented and nothing else. Why do we even go to these standards approvers in the first place. The open source community should get together and hold they're own competition and forget anyone who's in anyway associated with any org starting with N*. Can someone please make an open source "Scheneier Suite" of cryptography written in C for the world to make use of already please!?

-- stoops

Re:Why do we even go to these orgs anymore...

[philip.paradis]

I do most of my work in Perl, and I happen to heavily utilize Blowfish and Twofish. Perhaps you should think about what your application pipeline requirements actually need in terms of crypto and then look into the various modules that interoperate under the umbrella of Crypt::CBC.

Re:Why do we even go to these orgs anymore...

[Alef]

It would be an insanely unlikely coup. Think about what you are suggesting: First they get the entire world to use AES, to the point where leading CPU manufacturers have even included special instructions in the hardware specifically for encoding and decoding AES. They do this only so that an alternative algorithm (Twofish) would get less scrutiny by independent researchers for a number of years. They then orchestrate an elaborate leak indicating that they have attacks against some unnamed publicly used crypto algorithm. Meanwhile, or even before that, they have recruited an established and well known writer and cryptographist, and have him attack them openly in the public debate, only to give an apparent credibility to the algorithms he has designed. The intent of this is to get everyone in the industry to suddenly switch all cryptography to his somewhat less scrutinised algorithm (probably after reading about it on Slashdot), despite the fact that the author, who they had recruited to attack them, still claims that the math behind AES is solid, and despite the fact that replacing AES would now require replacing hardware and software that permeates our entire society at enormous costs.

If there is ever a time for the tinfoil hat metaphor...

Re:Why do we even go to these orgs anymore...

[Alef]

If they found a weakness in Twofish, and wanted the world to migrate to a crypto algorithm that they have an attack against, then wouldn't it just have been easier to select Twofish instead of Rijndael for the AES specification in the first place? They were both finalists.

Look, it certainly seems like the NSA has tried to meddle with crypto standards in order to have an attack vector, and I can agree that a certain amount of paranoia is in order, but the theories you propose are so convoluted that, of all things the NSA might have cooked up, that has to go far down on the list. What is even to say people switch to Twofish if they switch, and not one of the other AES finalists? Or use both Twofish and Rijndael simultaneously for that matter?

Besides, the weakest part of most crypto systems (disregarding implementation and usage for a moment), is probably the key exchange/management algorithms. And from what I have understood, that is where the indications of standards manipulations have been.

I'm not suggesting that people should necessarily switch from AES to Twofish, or that Twofish is more secure. I don't even think Bruce is saying that. But I find the idea that the NSA would somehow be behind some kind of covert manipulation scheme to get people to switch to Twofish simply extremely unlikely. If nothing else, for the simple reason that I don't see it happening anyway. Could the NSA be sitting quietly on a weakness? Sure. But in that case I would be more worried about EC, and to an extent RSA. That is, if we limit ourselves to the theoretical component, and disregard the obvious target: implementations.

Avoid eleptic curve algoritms

The way I see it, I think its wise to avoid all PKI standards using Elliptic curve cryptography algoritms. In contrast to the mathematical basis of prime based algorithms, these mathematics are relatively recent - and have been pushed by the NSA (who is known to be decenia ahead of publicly known mathematics).

There is no mathematical indication for me to believe that Eleptic curve cryptography is fundamentally broken. But why use 'new mathematics' when hundreds of years of public mathematic geniusses have been thinking about fast factoring of prime numbers?
I don't get that...

The most important argument used is that key length is more manageable. One could also interprete it as an indication that there might be security bit reduction attacks still unknown to us, but known by the NSA. Possibly. Possibly not.

But why take the risk?

Some more info about elliptic-curve-cryptography:

http://www.linuxjournal.com/content/elliptic-curve-cryptography

eat THEIR dog food?

[v1]

so why don't we just look at what organizations like the US military use to secure and sign their data, and use that? (the methods of course, not their keys) That sounds to me like the only way to make sure they're not suggesting or influencing us to use something they (or their opponents) could easily break?

Re:Uninformed nonsense

[Pinky's+Brain]

Why didn't they think of that before asking for "224, 256, 384, and 512 bits" in the first place?

They included included Dual_EC_DRBG into a standard despite it being slow and obviously backdoored, they have no credibility to make changes to encryption algorithms any more. They have to rebuild their credibility at this point, any changes they make have to be explained, any coefficients they pick have to be shown to be free from NSA meddling, any reduction in hash length from the contest requirements ... well, they just shouldn't even try to do that at this point.

They can try to rebuild their credibility or they can become irrelevant.