Because you're supporting a cause?
Using your logic, why would I donate $100 to the Red Cross when I could just as easily get a mickey of vodka and have a good time for less!!!
Tom
hmmm fly from Ottawa to Atlanta for a beer ... I've done worse. But sadly, can't. Stupid banks and their "pay your bills" philosophy hehehehe.
I won't reiterate what your other replier said (e.g. size vs. truncated being moot), but add, at my company we still have customers thinking of dropping down to 8051s (8-bit micro from the 70s!!!).
Basically crypto usually is an afterthought, and really a "cost" not a benefit. So size/area matters. We often have customers looking for the "most free"-ish solution they can get.
And sometimes it makes the decision between good crypto and bad. Look what happens when people can't use ECC. They use very small RSA keys. Many designs call for a good MAC and often use homebrew (e.g. WEP, SNOW3G's UIA2, etc) instead of something nice and simple like an HMAC.
So yes, even 10 years from now, size will matter, and while feature size gets smaller, it's still all relative. Once feature size goes down costs go down which also means margins get tighter. Not only that but people will pack more non-crypto things in there.
Anyways, a good MAC-only 128-bit hash could outperform AES-CMAC, and still be just as secure.
Sadly no. But if you want to take this "offline" let me know and I'll give you my work email addy.
The problem is you're drawing the wrong conclusions. MD4 and MD5 weren't weak because the hash is only 128-bits. They're weak because the design is not cryptographically strong.
Tom
Well if you can use one design that is extendible like Rijndael then good.
But dropping down a 256-bit or 512-bit hash just to do 96-bit MACs is stupid. And believe it or not, there are people looking for custom gear that does one thing but not the other [e.g. MAC but not signatures].
Tom
omg you're being dense. Not every application needs signatures. For example, imagine hardware that accelerates IPsec. Why would it need a 256-bit hash? And where gates are dollars (e.g. area == cost) you'd much rather have a 128-bit algorithm.
Just accept what I'm saying. I work with cryptographic hardware ALL DAY LONG. You probably don't. So just accept what I'm saying.
Tom
Wrong?
The only reason 128-bit hashes are weak is because they're not conservatively designed. And in the case of a MAC (like what I was saying) collision resistance IS NOT IMPORTANT. Only one-wayness. I'm not proposing we invent a 128-bit hash for signatures. Only for HMAC'ing.
And no, not everything is magically efficient in hardware (hint: I work in a hardware/software crypto firm). A 128-bit circuit (with presumably fewer registers, temporaries, operations, etc) will consume less area and energy than a 256-bit circuit, that's just simple logic (sorry excuse the pun).
You're not thinking of MACs though. Say I'm doing IPsec with a 96-bit MAC, why would I waste the time and energy to compute a 256- or 512-bit hash just to throw away over half of the bits? Why not start with a 128-bit hash from the get-go?
Also, even in the "256 vs 512" debate, sure you might pad up to 2048 bits when doing RSA signatures, but you're at least not wasting energy in computing the hash. Not every user of the hash standard will be on a 3GHz multi-pipelined [relative] supercomputer. Some will be on a lowly 16MHz ARM or MIPS, or even trying to do the hash in hardware.
Tom
Actually I think we could use a short hash function, solely for the purpose of HMAC. Being one-way means we can use a primitive with more input than output (unlike CMAC). So I'd really like to see a 128-bit hash as well as [say] a 256-bit or 512-bit hash.
Personally I think anything over 256 is overkill. But that's just me...
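The arrangement the comments above are arguing about, a hash run through HMAC and then cut down to a 96-bit authenticator the way the IPsec HMAC-MD5-96 and HMAC-SHA-1-96 transforms (RFC 2403 / RFC 2404) do it, as an added example that is not part of the original comments. It uses only Python's standard hmac and hashlib modules; the function names are my own, and the expected values in the demo are the RFC 2202 test case 1 vectors.

```python
"""Truncated HMAC as used by the IPsec HMAC-*-96 transforms.

The verifier must always recompute the full HMAC and truncate it the same way;
the truncation happens on the sender's output, never on the hash itself.
"""
import hashlib
import hmac

TAG_BITS = 96  # authenticator length carried in the ESP/AH trailer by HMAC-*-96


def truncated_hmac(key: bytes, message: bytes, hash_name: str,
                   tag_bits: int = TAG_BITS) -> bytes:
    """HMAC over `message` with the named hash, keeping only the leftmost `tag_bits`."""
    if tag_bits % 8:
        raise ValueError("tag length must be a whole number of bytes")
    full = hmac.new(key, message, hash_name).digest()
    if tag_bits > len(full) * 8:
        raise ValueError(f"{hash_name} only yields {len(full) * 8} bits")
    return full[: tag_bits // 8]


def verify_tag(key: bytes, message: bytes, tag: bytes, hash_name: str,
               tag_bits: int = TAG_BITS) -> bool:
    """Recompute the truncated tag and compare in constant time.

    A length mismatch is rejected as well, so a peer cannot negotiate a
    shorter tag than the one the receiver expects.
    """
    if len(tag) != tag_bits // 8:
        return False
    expected = truncated_hmac(key, message, hash_name, tag_bits)
    return hmac.compare_digest(expected, tag)


def discarded_fraction(hash_name: str, tag_bits: int = TAG_BITS) -> float:
    """Fraction of the hash output that is computed and then thrown away."""
    digest_bits = hashlib.new(hash_name).digest_size * 8
    return 1.0 - tag_bits / digest_bits


if __name__ == "__main__":
    # RFC 2202 test case 1 (16-byte key for MD5, 20-byte key for SHA-1).
    msg = b"Hi There"
    md5_tag = truncated_hmac(b"\x0b" * 16, msg, "md5")
    sha1_tag = truncated_hmac(b"\x0b" * 20, msg, "sha1")
    print("HMAC-MD5-96  :", md5_tag.hex())   # 9294727a3638bb1c13f48ef8
    print("HMAC-SHA1-96 :", sha1_tag.hex())  # b617318655057264e28bc0b6
    print("verifies     :", verify_tag(b"\x0b" * 16, msg, md5_tag, "md5"))
    print("tampered     :", verify_tag(b"\x0b" * 16, b"Hi there", md5_tag, "md5"))
    for name in ("md5", "sha1", "sha256", "sha512"):
        print(f"{name:7s} discards {discarded_fraction(name):.1%} of its output at 96 bits")
```

The discarded_fraction numbers put a figure on the comments' point: a 128-bit hash drops a quarter of its output to reach 96 bits, SHA-256 drops more than half and SHA-512 more than three quarters. Verification always goes through compare_digest and a length check rather than a plain equality, since a truncated tag is still a secret-dependent value.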
I used to get calls from Chinese people [in Toronto] wanting to place calling card calls. At all hours too, like 3am!!! Sometimes I'd tell them "wrong number" and they'd just call back!!! Eventually I just shut the ringer off at night. If someone really needed to call me they could just call my cell.
Now that I moved out of Toronto I don't get any sort of rubbish calls, except for the first 6 months on my cell I'd get calls for someone else. Again same deal, "wrong number" then 20 seconds later they'd call again in case they "misdialed". Same solution, I don't pick up the cell unless I recognize the number or am expecting it. Of course, then Rogers charges me $6 [used to be $5] for the privilege of seeing the number. It's a rotten scam if you ask me. They recycle freshly dropped numbers, then charge you money to avoid the "wrong number" hell.
Fortunately, I'm not listed anywhere useful so I don't get telemarketer calls.
Ok, I have no idea what you're talking about. I write my music usually in a combination of on staff sheets and on the computer (using Lilypond). Granted, I'm not a pro composer, but I can't imagine doing it another way. You have to at some point put your music on a staff sheet. Otherwise, how can others read it?
Lilypond can also make midi renders of the music which is useful to quickly hear something back (granted lacking dynamics).
Anyways, I disproved your little notion there. I'm not only a composer, but I'm a composer who uses Linux, and not only Linux, but I use Ubuntu.
Tom
It's funny you say that, because I *DO* compose music with my Ubuntu powered laptop.
Lilypond FTW!
Tom
Suck donkey wang ya poser. Ubuntu was hardly difficult to install. Plomp cd in, click install, hit next a bunch of times, make a user account (via gui), reboot, voila.
Just because you're a turd-munching, lack-of-knowledge, rhetoric-breathing, no-brain loser doesn't mean the rest of us can't master the nature of "point and click."
Tom
yeah because no other distro has [reading apple website]... a terminal, text editor, web browser, C compiler, etc...
...
right
Wow, you really hurt my feelings, oy, the pain.
Maybe you losers can realize that the world isn't all or nothing. RMS is probably a good comp.sci fellow but he's not a fucking god. And small though my "following" may be, I don't define myself by it, heck I'm barely involved in it anymore. I'm quite content being an even LESSER KNOWN student pianist than "coding legend."
All of the tools you take for granted today are not the product of RMS's hard work. They just aren't. What? You think without RMS that no C compiler would have been written for the OSS community? His achievement was spearheading the FSF movement when it was still a radical idea. And for that I say kudos. But this is 2007, not 1982. Get with the times.
Shannon might have invented information theory, but I wouldn't give him credit for the AES design [for example], nor the MPEG series of codecs.
Greatest programmer of all time?
Let's see, he doesn't maintain GCC or most GNU projects anymore. And hasn't for a long time.
We don't run HURD last time I checked.
He hasn't invented any new algorithms or techniques that I know of (please correct me if I'm wrong).
Seems to me we owe a lot of the OSS scene to people OTHER THAN RMS.
I know of quite a few comp.sci folk. "who's who" means people of great importance. Just because I know of RMS doesn't mean he's relevant, or that his attention whoring activities are newsworthy events.
All thankful for the FSF movement, but nowadays it's more irrelevant than ever.
The "new" bit was a joke, I realized his UID was smaller, just figured he would have remembered that funny doesn't get karma [and hasn't since I joined in 2001 as far as I know].
Sorry, what's Stallman's academic background again? Being a throwback hippie from the 60s? I didn't realize being nostalgic was a major.
Playah hating!
Tom
Funny votes don't get you karma. Are you new here?
Got fed up with Vista and installed $SOME_DISTRO instead. :-)
:-(
Somehow this is gonna cost me karma...
I agree that more flash != better game. Sadly people will notice the lack of HD in the Wii, they will notice the lack of 5.1 sound, etc, etc.
Eventually Nintendo will up the ante with better AV. Not that I think that makes any better games.
Shitty games make bad games. Like the GT racer I got for the Wii [forgot the whole name, it's that bad]. It drives like a shopping cart, and the graphics are actually a lot worse than I expected (so much so that the cars are ugly to look at). I'd rather play Test Drive 3 (IBM PC, VGA) than this game... Actually even Excite Truck has an element of bad steering (though I like the game just the same). I think they should put an on-screen indicator to show how much steering is being used, because often the mote gets into a "dead zone" (e.g. if you tilt it the wrong way) where steering seems to not work.
Anyways, people will annoy them enough to get an upgrade later down the road. It's not like it's outside their MO, the DS is a souped-up GBA for all intents and purposes.
Annnnnnnnnnd we're done here folks.
Well it will take time before a new process can cost the same as the current anyways.
So 4-6 [whatever] years down the road when they're using 65nm or 45nm parts, Wii 2.0 could come out with twice the clock/memory and be backwards compatible with Wii 1.0.
I agree that if they updated every six months they'd lose a lot of customers, but if they never update they will lose a lot of customers.
Tom