Slashdot Mirror


Did NIST Cripple SHA-3?

An anonymous reader writes "In the process of standardizing the SHA-3 competition winning algorithm Keccak, the National Institute of Standards and Technology (NIST) may have lowered the bar for attacks, which might be useful for or even initiated by NSA. 'NIST is proposing a huge reduction in the internal strength of Keccak below what went into final SHA-3 comp,' writes cryptographer Marsh Ray on Twitter. In August, John Kelsey, working at NIST, described (slides 44-48) the changes to the algorithm, including reduction of the bit length from 224, 256, 384 and 512-bit modes down to 128 and 256-bit modes."

17 of 169 comments

  1. Why do we even go to these orgs anymore... by Anonymous Coward · · Score: 4, Interesting

    I say we just use the algorithms Schneier has invented and nothing else. Why do we even go to these standards approvers in the first place? The open source community should get together and hold their own competition and forget anyone who's in any way associated with any org starting with N*. Can someone please make an open source "Schneier Suite" of cryptography written in C for the world to make use of already please!?

    -- stoops

    1. Re:Why do we even go to these orgs anymore... by philip.paradis · · Score: 4, Interesting

      I do most of my work in Perl, and I happen to heavily utilize Blowfish and Twofish. Perhaps you should think about what your application pipeline requirements actually need in terms of crypto and then look into the various modules that interoperate under the umbrella of Crypt::CBC.

      --
      Write failed: Broken pipe
    2. Re:Why do we even go to these orgs anymore... by smittyoneeach · · Score: 5, Insightful

      Schneier, every time I read him, seems to be making sense. No need to deify the chap, though.

      --
      Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear
    3. Re:Why do we even go to these orgs anymore... by pla · · Score: 4, Informative

      I say we just use the algorithms Schneier has invented and nothing else. Why do we even go to these standards approvers in the first place?

      Two reasons.
      1) Because having a standard means that everyone using SHA-3 will get the same result, instead of every implementation coming out with a different answer of totally unknown integrity. With a standard, I can verify the integrity of program-X's hashing simply by comparing it to a small sample of known plaintexts and hash values.
      2) Because most software houses dream of someday getting a government contract - Maybe military, but don't forget about the 14% of Americans that in some way work for the government. Any software they use needs to adhere to the standards issued by the government, or no dice.

      And really, simple as that.

    4. Re:Why do we even go to these orgs anymore... by ledow · · Score: 5, Informative

      In case you haven't noticed, the NSA are spies. They do nothing but infiltrate groups of interest all day long.

      Such a group of OS programmers would be the perfect target. And why do we trust Schneier more than anyone else such that his involvement means something is acceptable? I love the guy, but no, that's not how trust works for mass-public security systems. If the NSA/GCHQ spies are working at anywhere near the levels they were back in their heyday of WW2, then Bruce would be my prime candidate for "beyond suspicion" and thus my first inclination that - somewhere, somehow - he could be a shill for them. I'm not seriously saying he is or isn't, but the point of security is that NOBODY should hold any special power over anyone else, certainly not the ability to single-handedly "approve" a worldwide security standard.

      No, what we do is carry on as normal. Put all the algorithms to public testing. As attacks are found, knock out the vulnerable ones like a game of Guess Who, and only ever use whatever is still standing. You can't defend against attacks that you do not know about and if such agencies really ARE as worried as we think they might be about the world moving to encryption they can't break, then my first thought would be "what are they moving us towards, without trying to look like they are doing so?" - and there you run into Blowfish/Twofish and similar algorithms that they've had the opportunity to analyse for years now. It would be the perfect coup - make people think you are attacking them, then "be involved" with the only alternative of elliptic-curves and thus make everyone think that's your preference and hence subtly move them onto something else of your choice without even MENTIONING it or being involved with it.

      Don't try to out-think a bunch of geniuses working with military-level funding and a real interest in keeping you on something broken. Just follow procedure - stay on what you've got until there's actual evidence it's broken. Don't jump ship to new and interesting and relatively untested things for no reason other than you feel uncomfortable.

    5. Re:Why do we even go to these orgs anymore... by MikeBabcock · · Score: 4, Insightful

      And he, like everyone else who's reasonable, believes in standards processes to test and check each others' algorithms and pick the best ones. The problem is making sure these standards systems are open and above board.

      --
      - Michael T. Babcock (Yes, I blog)
    6. Re:Why do we even go to these orgs anymore... by Alef · · Score: 3, Interesting

      It would be an insanely unlikely coup. Think about what you are suggesting: First they get the entire world to use AES, to the point where leading CPU manufacturers have even included special instructions in the hardware specifically for encoding and decoding AES. They do this only so that an alternative algorithm (Twofish) would get less scrutiny by independent researchers for a number of years. They then orchestrate an elaborate leak indicating that they have attacks against some unnamed publicly used crypto algorithm. Meanwhile, or even before that, they have recruited an established and well known writer and cryptographist, and have him attack them openly in the public debate, only to give an apparent credibility to the algorithms he has designed. The intent of this is to get everyone in the industry to suddenly switch all cryptography to his somewhat less scrutinised algorithm (probably after reading about it on Slashdot), despite the fact that the author, who they had recruited to attack them, still claims that the math behind AES is solid, and despite the fact that replacing AES would now require replacing hardware and software that permeates our entire society at enormous costs.

      If there is ever a time for the tinfoil hat metaphor...

    7. Re:Why do we even go to these orgs anymore... by Alef · · Score: 3, Interesting

      If they found a weakness in Twofish, and wanted the world to migrate to a crypto algorithm that they have an attack against, then wouldn't it just have been easier to select Twofish instead of Rijndael for the AES specification in the first place? They were both finalists.

      Look, it certainly seems like the NSA has tried to meddle with crypto standards in order to have an attack vector, and I can agree that a certain amount of paranoia is in order, but the theories you propose are so convoluted that, of all things the NSA might have cooked up, that has to go far down on the list. What is even to say people switch to Twofish if they switch, and not one of the other AES finalists? Or use both Twofish and Rijndael simultaneously for that matter?

      Besides, the weakest part of most crypto systems (disregarding implementation and usage for a moment), is probably the key exchange/management algorithms. And from what I have understood, that is where the indications of standards manipulations have been.

      I'm not suggesting that people should necessarily switch from AES to Twofish, or that Twofish is more secure. I don't even think Bruce is saying that. But I find the idea that the NSA would somehow be behind some kind of covert manipulation scheme to get people to switch to Twofish simply extremely unlikely. If nothing else, for the simple reason that I don't see it happening anyway. Could the NSA be sitting quietly on a weakness? Sure. But in that case I would be more worried about EC, and to an extent RSA. That is, if we limit ourselves to the theoretical component, and disregard the obvious target: implementations.

    8. Re:Why do we even go to these orgs anymore... by JesseMcDonald · · Score: 4, Insightful

      It appears that the most difficult part of cryptography is key management.

      You could say that key management is the only really difficult problem in cryptography. If it weren't for the key management problem we'd all be using one-time pads, which are both trivial to implement and provably unbreakable, even by brute force. Unfortunately, to use them each pair of individuals must first securely exchange keys at least as large as all the messages they'll ever want to send.

      Symmetric crypto algorithms exist to cut down on the amount of key material which must be exchanged by reusing the key, while asymmetric crypto addresses the N^2 problem by allowing many-to-one communication with a single public/private key pair. Both accept the risk of cryptanalysis in exchange for more convenient key management.

      --
      "The state is that great fiction by which everyone tries to live at the expense of everyone else." - Bastiat
  2. Avoid elliptic curve algorithms by Anonymous Coward · · Score: 5, Interesting

    The way I see it, I think it's wise to avoid all PKI standards using Elliptic curve cryptography algorithms. In contrast to the mathematical basis of prime based algorithms, these mathematics are relatively recent - and have been pushed by the NSA (who is known to be decades ahead of publicly known mathematics).

    There is no mathematical indication for me to believe that Elliptic curve cryptography is fundamentally broken. But why use 'new mathematics' when hundreds of years of public mathematical geniuses have been thinking about fast factoring of prime numbers?
    I don't get that...

    The most important argument used is that key length is more manageable. One could also interpret it as an indication that there might be security bit reduction attacks still unknown to us, but known by the NSA. Possibly. Possibly not.

    But why take the risk?

    Some more info about elliptic-curve-cryptography:

    http://www.linuxjournal.com/content/elliptic-curve-cryptography

    1. Re:Avoid elliptic curve algorithms by fatphil · · Score: 3, Informative

      Discrete logarithms are spelt "division" in elliptic curves. They're just as mathematically pure and well studied as finite fields and prime product rings.

      --
      Also FatPhil on SoylentNews, id 863
  3. Sinister by pterry · · Score: 5, Informative

    A crippled cipher can be used to read your private data. A crippled hash function can be used to substitute bad data for good.

  4. eat THEIR dog food? by v1 · · Score: 5, Interesting

    so why don't we just look at what organizations like the US military use to secure and sign their data, and use that? (the methods of course, not their keys) That sounds to me like the only way to make sure they're not suggesting or influencing us to use something they (or their opponents) could easily break?

    --
    I work for the Department of Redundancy Department.
  5. Here's why... by Anonymous Coward · · Score: 3, Insightful

    When the SHA-3 competition was announced, pretty much the only working method of getting a hash function was using the Merkle-Damgård construction. Bit security limits were set under the assumption that the submitted proposals use MD, since nothing else was known. However, Keccak does not use it and gains better security guarantees. For this reason, NIST had an opportunity to weaken it a bit while still keeping the old security requirements and making the hash function much more efficient in the process.

  6. Re:Uninformed nonsense by Pinky's+Brain · · Score: 3, Interesting

    Why didn't they think of that before asking for "224, 256, 384, and 512 bits" in the first place?

    They included Dual_EC_DRBG into a standard despite it being slow and obviously backdoored, they have no credibility to make changes to encryption algorithms any more. They have to rebuild their credibility at this point, any changes they make have to be explained, any coefficients they pick have to be shown to be free from NSA meddling, any reduction in hash length from the contest requirements ... well, they just shouldn't even try to do that at this point.

    They can try to rebuild their credibility or they can become irrelevant.

  7. Re:Government contracts by Volguus+Zildrohar · · Score: 3, Insightful

    Pfft. A single checkbox is all that's needed:

    "Reduce effectiveness to comply with US Government standards."

    --
    When confronted with one problem, some think "I'll use recursion". Now they are confronted with one problem.
  8. Of course NOT, and please don't blame NIST! by fuujuhi · · Score: 5, Informative

    NIST's proposal (presented at last CHES conference) is NOT reducing the internal strength of Keccak.

    NIST proposes some standard values for a parameter called "capacity" in Keccak, and for which Keccak's authors always said that it can be freely chosen by the designers. A high capacity means a higher security, and a lower capacity means a better performance. NIST's current forecast for FIPS202 specifies 2 values for the capacity, namely 256 and 512, that would bring the SHA-3 standard to an equivalent security level as the AES (2^128 operations required to break c=256 and 2^256 operations required to break c=512). One may actually consider that these security levels are the same as the ones in the original submission, because these are the minimum security levels offered by *ALL* finalists (including Keccak). Indeed all candidates for SHA3-256 offer a collision resistance of 2^128 operations, and 2^256 operations for SHA3-512.

    The discussion here is that actually choosing c=256 means that the cost to find a pre-image is also reduced to 2^128 operations, instead of 2^256 as in say SHA2-256. There are ongoing discussions on the mailing list about the theoretical consequences of this choice, but what strikes me most is why people are so much focusing on the strongest security bound of a primitive (pre-image here) and are completely ignoring the weakest security bound (collision resistance). Of course one may always design an application that would be immune to collision resistance, but if one only looks at the primitive, saying that SHA2-256 offers a security of 2^256 because it has a pre-image resistance of that level is clearly fooling himself. In that sense, NIST's proposal was to level the security bound of the primitive to its guaranteed minimum as for block ciphers, and to allow a security bound of either 2^128 (c=256) or 2^256 (c=512). Those with an ounce of common sense will observe that 2^128 is completely astronomical, and absolutely out of reach of any thinkable devices in the future, even for the NSA! And if you don't care about performance (you probably don't design products then), and are absolutely paranoid, there is then still the freedom to choose a capacity c=512, as allowed in the current proposal, and probably waste computer cycles for no gain whatsoever.

    I of course have no clue on the possible influence of the NSA, but having attended SHA-3 and similar conferences, I must say that NIST's work in SHA-3 is remarkable and *unprecedented* in the cryptographic community. NIST ran the most *OPEN* process ever for the evaluation and selection of the new SHA-3 standard. I think that the intention of NIST is to write a standard that will satisfy the majority of the community (hence their openness and presentation at CHES), and that will offer the most of the potential of the winning candidate. Keccak is really a "new" object in the cryptographic community, that is quite different from previous proposals, and no wonder to me that its adoption triggers some questions. However the hidden suggestion that NIST would have a secret agenda is clearly participating in the current tin-foil propaganda of some would-be security specialists that are trying to acquire attention, and brings zero to the current standardization process.
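To make the capacity parameter the last two posts argue about concrete, here is a small Keccak sponge written for this thread (an added example, not code from NIST, the Keccak team or any poster) in which c is an explicit argument: with c = 512 and the FIPS 202 suffix byte 0x06 it reproduces CPython's SHA3-256, with c = 256 it is the larger-rate variant under discussion (fewer permutation calls per message byte), and security_bits applies the generic sponge bounds min(n/2, c/2) for collisions and min(n, c/2) for pre-images that the post compares. The 0x06 suffix and the sponge bounds are standard facts, not taken from the page; hashlib is only used as the cross-check.

```python
import hashlib  # only used to cross-check against CPython's built-in SHA3-256
def rol(a, n):  # rotate a 64-bit lane left by n, with 0 < n < 64
    return ((a << n) | (a >> (64 - n))) & (2**64 - 1)

def keccak_f1600(lanes):  # Keccak-f[1600] on 25 lanes of 64 bits, indexed lanes[x + 5*y]
    R = 1  # LFSR that generates the 24 iota round constants on the fly
    for _ in range(24):
        # theta: XOR into each lane the parity of the two neighbouring columns
        C = [lanes[x] ^ lanes[x+5] ^ lanes[x+10] ^ lanes[x+15] ^ lanes[x+20] for x in range(5)]
        lanes = [lanes[i] ^ C[(i-1) % 5] ^ rol(C[(i+1) % 5], 1) for i in range(25)]
        # rho and pi: rotate every lane and move it to its new position
        x, y, cur = 1, 0, lanes[1]
        for t in range(24):
            x, y = y, (2*x + 3*y) % 5
            cur, lanes[x + 5*y] = lanes[x + 5*y], rol(cur, (t+1)*(t+2)//2 % 64)
        # chi: the only non-linear step, applied within each row
        for y in range(5):
            T = lanes[5*y:5*y+5]
            for x in range(5):
                lanes[x + 5*y] = T[x] ^ (~T[(x+1) % 5] & T[(x+2) % 5])
        for j in range(7):  # iota: round constant into lane (0,0)
            R = ((R << 1) ^ ((R >> 7) * 0x71)) & 0xFF
            if R & 2:
                lanes[0] ^= 1 << ((1 << j) - 1)
    return lanes

def permute(state):  # run the permutation on a 200-byte state of little-endian lanes
    lanes = keccak_f1600([int.from_bytes(state[8*i:8*i+8], "little") for i in range(25)])
    return bytearray(b"".join(l.to_bytes(8, "little") for l in lanes))

def keccak(capacity, msg, suffix, out_len):  # sponge with rate r = 1600 - c bits
    r = (1600 - capacity) // 8
    state = bytearray(200)
    for i in range(0, len(msg) + 1, r):  # len(msg) + 1: the padding may need a block of its own
        blk = bytearray(msg[i:i+r])
        if len(blk) < r:  # final block: suffix (0x06 = SHA-3 domain bits + first pad bit), zeros, closing 1 bit
            blk += bytes([suffix]) + bytes(r - len(blk) - 1)
            blk[-1] |= 0x80
        state[:r] = bytes(a ^ b for a, b in zip(state, blk))
        state = permute(state)  # one permutation per r bytes, so a lower c hashes faster
    out = bytearray()
    while len(out) < out_len:  # squeeze r bytes per permutation
        out += state[:r]
        state = permute(state)
    return bytes(out[:out_len])

def matches_hashlib(msg):  # SHA3-256 is the sponge with c = 512, 0x06 suffix, 32-byte output
    return keccak(512, msg, 0x06, 32) == hashlib.sha3_256(msg).digest()

def security_bits(capacity, out_bits):  # generic sponge bounds, as log2 of the attack cost
    return {"collision": min(out_bits // 2, capacity // 2), "preimage": min(out_bits, capacity // 2)}
```

Calling security_bits(256, 256) versus security_bits(512, 256) shows the exact trade the post describes: the collision bound stays at 128 bits either way, and only the pre-image bound drops from 256 to 128.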