IETF Logo Mail Archive

Re: [Cfrg] Recommended bit length before truncating a hash mod p

Markku-Juhani Olavi Saarinen <mjos@iki.fi> Fri, 22 March 2019 15:30 UTC

Return-Path: <mjos.crypto@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 086FC130EEE for <cfrg@ietfa.amsl.com>; Fri, 22 Mar 2019 08:30:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.648
X-Spam-Level:
X-Spam-Status: No, score=-1.648 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.25, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 66sP-6mZ3c0Z for <cfrg@ietfa.amsl.com>; Fri, 22 Mar 2019 08:30:35 -0700 (PDT)
Received: from mail-ed1-f51.google.com (mail-ed1-f51.google.com [209.85.208.51]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5ED00130EED for <cfrg@irtf.org>; Fri, 22 Mar 2019 08:30:35 -0700 (PDT)
Received: by mail-ed1-f51.google.com with SMTP id q3so2051184edg.0 for <cfrg@irtf.org>; Fri, 22 Mar 2019 08:30:35 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=vTCCJA8pHvDfM+V2FruXQX15OZ7v6bPb+rQhG92c/bc=; b=rzYPhyxA1BQsf9IYVwSHooafUXrHepJOWa7wy3AtuapH6vVoD8T94R4fumCoGNwYhm lIC+NrPw1PvJsZu73+nKILpcGkp8XS9SqGayC/i9xvP4SzC3E7n7nwZtmz+gRjE7Qmwz 3vOdk7a3KZX76XdBx6V/fnSxE5vGkZLLNP4df/sW0KijSwIRylhcXpudobsQbqb/ZFkN epr5KlOd7bF03W03Vchy6fPY1fAbE0VTZmpeNWddHTRfLS56uEf0GOhLec1PiHN+TdSM iWsZqD7m7Pty3pxec6dPe4/Y5S7JB2ozLS1SswbxW4RSkIV5Gf4HnQx5NSpGybBFS8e7 XV4g==
X-Gm-Message-State: APjAAAVir2IA3owB8fVz5r6OiCJ72uTYsfMDgFMe3Vu0+M6ytLLEpOhk q6p0GchkBPcouMAsMKfzcCPe92iLprGCCMHIy+0=
X-Google-Smtp-Source: APXvYqxaDDKA47fUg0du6nQC4gIBiDDn2AO6k5kiV6jK5HlmYzLSa/hUM+gzX5ZuQeT3Ck7vZAEDCo29jEgWxLvB4yo=
X-Received: by 2002:a17:906:a12:: with SMTP id w18mr5960078ejf.70.1553268633846; Fri, 22 Mar 2019 08:30:33 -0700 (PDT)
MIME-Version: 1.0
References: <mailman.3617.1553248218.6143.cfrg@irtf.org> <CALNOPK+SmbcVHz49D1ZUV8cdq81YEUn5Xrmn4kB3dftrV7Ygbg@mail.gmail.com> <CA+iU_qkh1qOyxm6j0gjy28wP4QMbX5GBmsPZ082etB7nCW2Kjg@mail.gmail.com> <7cf999fd-9074-f9b0-91c1-4eab09fbcef1@st.com>
In-Reply-To: <7cf999fd-9074-f9b0-91c1-4eab09fbcef1@st.com>
From: Markku-Juhani Olavi Saarinen <mjos@iki.fi>
Date: Fri, 22 Mar 2019 15:30:22 +0000
Message-ID: <CA+iU_q=wacCkqDV8jr8dmSSSTU_PTodAsajSSPUa=hmDr6mEQg@mail.gmail.com>
To: Gilles Van Assche <gilles.vanassche@st.com>
Cc: cfrg@irtf.org
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/3usHPbc1oZqC_sdmrouL1grCodA>
Subject: Re: [Cfrg] Recommended bit length before truncating a hash mod p
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Mar 2019 15:30:37 -0000

Gilles,

Thanks for clarifications. The name Keccak, of course, is entirely
appropriate when we discuss the family of cryptographic primitives,
the permutation, and other internal hashing operations.

> However, for the sake of completeness, I wanted to point out that the
> padding scheme wasn't changed between the final-round proposal and the
> FIPS 202 standard. As you know, the FIPS 202 functions are merely
> appending a suffix to the input before calling the original final-round
> proposal Keccak, for the purpose of domain separation between SHA-3 and
> SHAKE.

It is indeed very unfortunate that adding these padding suffix bits is
not possible via the byte-oriented API calling interfaces commonly in
use. Therefore a higher-level "Keccak" primitive -- as understood and
used by the cryptocurrency people -- can only rarely be used to
compute an SHA-3 hash.

Cheers,
- markku

Dr. Markku-Juhani O. Saarinen <mjos@iki.fi>

v2.23.0 | Report a Bug | By Email