Re: [Cfrg] Task for the CFRG

zooko <zooko@zooko.com> Mon, 12 August 2013 19:35 UTC

Return-Path: <zooko@zooko.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8067F21F9F40 for <cfrg@ietfa.amsl.com>; Mon, 12 Aug 2013 12:35:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.754
X-Spam-Level: *
X-Spam-Status: No, score=1.754 tagged_above=-999 required=5 tests=[BAYES_50=0.001, FH_HOST_EQ_D_D_D_D=0.765, FH_HOST_EQ_D_D_D_DB=0.888, RDNS_DYNAMIC=0.1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EWqFcVnRiZJv for <cfrg@ietfa.amsl.com>; Mon, 12 Aug 2013 12:35:06 -0700 (PDT)
Received: from zooko.com (216-155-145-223.cinfuserver.com [216.155.145.223]) by ietfa.amsl.com (Postfix) with ESMTP id 4AD9E21F9F3A for <cfrg@irtf.org>; Mon, 12 Aug 2013 12:35:04 -0700 (PDT)
Received: by zooko.com (Postfix, from userid 1000) id 66A7271E001; Mon, 12 Aug 2013 23:34:59 +0400 (MSK)
Date: Mon, 12 Aug 2013 23:34:59 +0400
From: zooko <zooko@zooko.com>
To: "cfrg@irtf.org" <cfrg@irtf.org>
Message-ID: <20130812193458.GF14392@zooko.com>
References: <BDE10FD9-A9EB-406D-A02E-29AD0888820C@krovetz.net> <CE297CE7.FF11%uri@ll.mit.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset=unknown-8bit
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <CE297CE7.FF11%uri@ll.mit.edu>
User-Agent: Mutt/1.5.21 (2010-09-15)
Subject: Re: [Cfrg] Task for the CFRG
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 12 Aug 2013 19:35:26 -0000

Another point in favor of Salsa20 and especially ChaCha is that the latter
formed the core of the BLAKE candidate for SHA3. BLAKE was one of the three
most thoroughly-studied candidates in the SHA3 process (according to NIST's
final report ¹, the most "depthof analysis" was applied to BLAKE, Skein, and
Grøst).

¹ http://nvlpubs.nist.gov/nistpubs/ir/2012/NIST.IR.7896.pdf

Of course, the requirements of a secure hash function aren't the same as those
for a cipher, but I still think that having all those cryptographers studying
that core function so closely, and not finding any major weakness in it when
used as a secure hash function, gives confidence that there isn't any major
weakness in it when used as a cipher.

Disclosure: I'm an author of a successor hash function based on BLAKE, named
"BLAKE2", but not an author of the original BLAKE. Here are my slides about
that, from ACNS'13, which includes a few quotes from the NIST report:

https://tahoe-lafs.org/~zooko/acns/slides.html

Regards,

Zooko