Re: Speed of hashing doesn't matter?



On Jan 5, 1:54 am, Simon Johnson <simon.john...@xxxxxxxxx> wrote:
The point about HMAC is well taken, but what about digital signatures?
Aren't they the poster application for hash functions, and are there
any signature schemes that don't use hashing?

It's instructive to look at the AES competition. Twofish was, in my
view, the best designed cipher. It was secure, reasonably fast and had
a good security margin. It was a fairly conventional design for the
time. Rijndael was a much riskier design and its only real
improvement on Twofish was its speed. We're still worried today,
nearly ten years later, if there's some clever algebra that can solve
AES!

Which one won? Rijndael, of course! Why? Because it was the fastest of
the ciphers!


I completely disagree with you. Have you looked
at the proofs Rijndael has on its resistance to
differential and linear cryptanalysis? None of
the other AES finalists had such proofs.

Have you noticed that submitters of most other
AES finalists which lost to Rijndael have now
submitted SHA-3 candidate hash functions that
have proofs of resistance to differential/
linear attacks? Look at the security claims
of the designs ECHO, Fugue, Grøstl, and MD6.
The science of cryptology is evolving and the
burden is moving more heavily to the designer to
say why the cipher should be trusted. Having
proofs of resistance to attacks that have been
most effective against other algorithms is a
stronger justification than saying "it resists
all attacks that I can think of" or "nobody has
been able to attack it [in some short period of
time]".

Rijndael won the AES not only because it was
fast, but because it had well-justified security.
Yes, it is true people found some concerns about
algebraic attacks (the major one -- XSL was
discovered after Rijndael was already standardized
as the AES), but none that have broken it.
Yes, ideally we would like to prove that such
designs resist algebraic attacks also, but the
science is not at that stage yet. Maybe some
day. Regardless, Rijndael offered better security
justification than the other AES finalists.

Mark my words, show me the fastest unbroken hash and I'll show you the
winner of the contest!


Well if that design has security justification
similar to what Rijndael has, then it may. But
if not, then it may not!

If speed didn't matter, you'd get people submitting designs that
reduce to the discrete logarithm problem. I think DJB is just upset
that his design is slower than other people's designs.


Speed matters, but not more than security.
Security should be the top priority so long as
the speed and engineering properties are
reasonable.

Scott
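Scott's point about Rijndael's "proofs of resistance to differential/linear cryptanalysis" can be made concrete. The following is an added worked example, not part of the thread: it rebuilds the AES S-box from its public definition, measures its worst-case differential and linear behaviour, and applies the wide-trail bound from the Rijndael proposal; all function names are my own.

```python
# Added example (not from the thread): rebuild the AES S-box from its
# definition, measure its worst-case differential and linear behaviour,
# and apply the wide-trail bound that underlies the Rijndael security claims.
from collections import Counter

def gf_mul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1 (0x11B)."""
    r = 0
    while b:
        r ^= a if b & 1 else 0
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r

def aes_sbox():
    """S(x) = affine(x^-1) ^ 0x63; inverses by brute force since GF(2^8) is tiny."""
    inv = [0] + [next(b for b in range(1, 256) if gf_mul(a, b) == 1) for a in range(1, 256)]
    rotl = lambda y, k: ((y << k) | (y >> (8 - k))) & 0xFF
    return [inv[x] ^ rotl(inv[x], 1) ^ rotl(inv[x], 2) ^ rotl(inv[x], 3) ^ rotl(inv[x], 4) ^ 0x63
            for x in range(256)]

def max_differential_count(sbox):
    """Largest difference-distribution-table entry over nonzero input differences."""
    return max(max(Counter(sbox[x] ^ sbox[x ^ dx] for x in range(256)).values())
               for dx in range(1, 256))  # AES: 4 -> max differential probability 4/256 = 2^-6

def fwht(v):
    """Fast Walsh-Hadamard transform of a +-1 valued list, computed in place."""
    h = 1
    while h < len(v):
        for i in range(0, len(v), 2 * h):
            for j in range(i, i + h):
                v[j], v[j + h] = v[j] + v[j + h], v[j] - v[j + h]
        h *= 2
    return v

def max_walsh(sbox):
    """Largest |Walsh coefficient| over nonzero input masks a and output masks b."""
    worst = 0
    for b in range(1, 256):
        spectrum = fwht([1 - 2 * (bin(b & s).count("1") & 1) for s in sbox])
        worst = max(worst, max(abs(w) for w in spectrum[1:]))
    return worst  # AES: 32 -> max correlation 32/256 = 2^-3, i.e. linear bias 2^-4

def four_round_trail_bound(sbox, active_sboxes=25):
    """Wide-trail argument: every 4-round AES differential trail activates at
    least 25 S-boxes, so its probability is at most (max diff prob)^25."""
    return (max_differential_count(sbox) / 256) ** active_sboxes  # AES: 2^-150
```

The two S-box numbers (differential uniformity 4, maximal Walsh coefficient 32) combined with the branch number of MixColumns are exactly the ingredients the Rijndael designers used to bound every 4-round differential and linear trail, which is the sort of justification the reply contrasts with "nobody has attacked it yet".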