Re: [Hash] BOF Goals
Jon Callas <jon@pgp.com> Wed, 20 July 2005 22:17 UTC
Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1DvMsV-000124-5f; Wed, 20 Jul 2005 18:17:23 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1DvMsT-00011F-Bq for hash@megatron.ietf.org; Wed, 20 Jul 2005 18:17:21 -0400
Received: from ietf-mx.ietf.org (ietf-mx [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id SAA28051 for <hash@ietf.org>; Wed, 20 Jul 2005 18:17:17 -0400 (EDT)
Received: from mta3.pgp.com ([209.237.226.43]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1DvNMK-0005i3-5n for hash@ietf.org; Wed, 20 Jul 2005 18:48:13 -0400
Received: from localhost (ns1.pgp.com [63.251.255.3]) by mta3.pgp.com (Postfix) with ESMTP id 2A45BA663 for <hash@ietf.org>; Wed, 20 Jul 2005 15:16:56 -0700 (PDT)
Received: from mta3.pgp.com ([10.216.2.26]) by localhost (garfish-1.pgp.com [63.251.255.3]) (amavisd-new, port 10024) with LMTP id 01892-01-6 for <hash@ietf.org>; Wed, 20 Jul 2005 15:16:44 -0700 (PDT)
Received: from bonnie.pgp.com (keys.pgp.com [63.251.255.8]) by mta3.pgp.com (Postfix) with ESMTP id 0C9BCA66E for <hash@ietf.org>; Wed, 20 Jul 2005 15:16:42 -0700 (PDT)
Received: from exchange.corp.pgp.com ([10.214.0.35]) by bonnie.pgp.com (PGP Universal service); Wed, 20 Jul 2005 15:16:42 -0700
Received: from bonnie.pgp.com ([63.251.255.8]) by exchange.corp.pgp.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.211); Wed, 20 Jul 2005 15:16:10 -0700
Received: from [63.251.255.205] ([63.251.255.205]) by bonnie.pgp.com (PGP Universal service); Wed, 20 Jul 2005 15:16:10 -0700
X-PGP-Universal: processed; by bonnie.pgp.com on Wed, 20 Jul 2005 15:16:10 -0700
In-Reply-To: <p062309b0befb0d046503@[10.20.30.249]>
References: <54646b48339836e44f8917d434bb3e5b@pgp.com> <p062309b0befb0d046503@[10.20.30.249]>
Mime-Version: 1.0 (Apple Message framework v622)
Message-Id: <61c984f5d0b959ce1908b985a327a225@pgp.com>
From: Jon Callas <jon@pgp.com>
Subject: Re: [Hash] BOF Goals
Date: Wed, 20 Jul 2005 15:16:21 -0700
To: Paul Hoffman <paul.hoffman@vpnc.org>
X-Mailer: Apple Mail (2.622)
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: quoted-printable
X-OriginalArrivalTime: 20 Jul 2005 22:16:10.0014 (UTC) FILETIME=[A1CDD3E0:01C58D78]
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 93df555cbdbcdae9621e5b95d44b301e
Content-Transfer-Encoding: quoted-printable
Cc: hash@ietf.org
X-BeenThere: hash@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: hash.lists.ietf.org
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/hash>, <mailto:hash-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/hash>
List-Post: <mailto:hash@lists.ietf.org>
List-Help: <mailto:hash-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/hash>, <mailto:hash-request@lists.ietf.org?subject=subscribe>
Sender: hash-bounces@lists.ietf.org
Errors-To: hash-bounces@lists.ietf.org
Paul's asked me to discuss more, particularly so we can have more email discussions prior to Paris. He's also rightly pointed out that my CFRG discussion isn't here, and without good cross-referencing, I shouldn't assume people here have read it. So here's the note that I sent some time ago: Begin forwarded message: From: Jon Callas <jon@callas.org> Date: 13 June 2005 3:38:10 PM PDT To: cfrg@ietf.org Subject: Re: [Cfrg] new i-d: randomized hashing On 13 Jun 2005, at 7:18 AM, Ben Laurie wrote: > D. J. Bernstein wrote: >> Ben Laurie writes: >>> It seems to me that life would be generally easier if you defined a >>> modified hash function H_r(m) and then constructed H'(m)=(r,H_r(m)). >>> This way transport of r happens automatically, but the hash gets >>> wider. >> Even better, use the extra space for a longer _deterministic_ hash. >> For >> example, instead of using 96 bits for r and 160 bits for SHA-1 output, >> simply use SHA-256. > > That assumes we're confident SHA-256 won't have similar flaws. > Ben brings up a good point, but I side with Dan Bernstein. I think SHA-256 is the right way to go, and we don't need anything else until we get new hash functions that have the attributes we want. I am quite confident that SHA-256 has similar flaws to SHA-1 and all the others, but I think the right thing to do for the time being is to just use it. This is what we've done in PGP. Here's my reasoning why: SHA-1 is supposed to have 80 bits of security. Our present knowledge of it has it around 69. (I will handwave what this means, because yes, I know that this isn't pre-image collision, it doesn't apply to hmacs or similar constructions, etc.) It's thus missing 11 bits of security. SHA-256 is supposed to have 128 bits of security. If we assume a similar flaw, SHA-256 should be missing about 17.6 bits of security. (That's (11/80) * 128.) Let's take that 17.6 and round it up to 38. Yup, thirty-eight. Not twenty-eight, not eighteen. I have a cynical rounding function. That gives us 90 bits of security. At 90 bits of security, I'm happy to live with SHA-256 for a while. I believe that the hash function we *want* to be using hasn't been written yet. (My guess is that it will be announced around the time of Asiacrypt '06, and papers published in FSE '07. We're not going to be comfortable with it until early '08, but will still whine and mutter about it until September '09. The FIPS for it won't appear -- sorry, I'm not going to make that cheap joke; NIST will actually make a FIPS before the whining stops.) At 90 bits of security, we can live with it for another five years. And this assumes my rounding function, which scopes the "similar" flaw in SHA-256 to actually be a million times more devastating than the SHA-1 one. If my rounding function should round 17.6 to 28 instead, then SHA-256 will last for another 15 years just fine. I think that factor of 1024 takes into account a additional decade of semiconductor improvements adequately. If my rounding function should round 17.6 to 18, then SHA-256, while flawed, can live out its natural life. Normal engineering improvements can dispose of it sometime in the indefinite future -- probably around '09. (Oh, and if it were 80, then we could use it for all the same things we expect SHA-1 to do at the mere cost of being slow and big.) We also know that there's no real mathematical insight that Wang and others have. It is true that attacks don't get worse, they only get better, but there's no reason to think that the attacks on any of the hash functions are going to get different in kind, merely in degree. I believe that SHA-256 has at least 100 bits of security in it. That's why my gedankenexperiment backs it down to 90. Any number of people have observed that we have taken one basic construction for hash functions has been a bunch of tweaks, rather than a design change. Everything we have has at some level the same architecture. My concern about randomized hashing is that I see it as another tweak. Yes, it's a tweak in a higher level construct, but it's still a tweak. It's a tweak that requires more fundamental changes to the protocols and systems that *use* hash functions than merely swapping in a new function. That one is bad enough. I also see no reason why this is going to change our core mechanisms of operating. If we learn how to make a good hash function sometime between 2010 and 2020, then that's within the pragmatic safety considerations of SHA-256. If something extraordinary happens, then gosh darnit, SHA-512 should work. I can't believe that SHA-512 will have less than 128 bits of security. I'm sorry, I don't. If I'm proved wrong, then we really, really don't know what we're doing, and there are many dramatic things in information security we have to change. So to sum up -- this is all interesting, to make randomized hashing, but why should I trust it, why should I convert to it? Why am I not jumping from the frying pan into another frying pan? Especially when my present plan is to use SHA-256, and if that is unacceptable, SHA-512. Does anyone believe that they're really that broken? Or to sum up my summary, in waiting for the right hash function, am I waiting for Godot? Jon _______________________________________________ Cfrg mailing list Cfrg@ietf.org https://www1.ietf.org/mailman/listinfo/cfrg ________________________________________________________________ This message could have been secured by PGP Universal. To secure future messages from this sender, please click this link: https://keys.pgp.com/b/b.e?r=hash%40ietf.org&n=I6LW%2FTFegliptjmtozrp%2Bg%3D%3D _______________________________________________ Hash mailing list Hash@lists.ietf.org https://www1.ietf.org/mailman/listinfo/hash
- Re: [Hash] BOF Goals D. J. Bernstein
- [Hash] BOF Goals Jon Callas
- [Hash] BOF Goals Jon Callas
- [Hash] BOF Goals Jon Callas
- [Hash] Sorry about multiples. Jon Callas
- Re: [Hash] BOF Goals Paul Hoffman
- Re: [Hash] BOF Goals william(at)elan.net
- Re: [Hash] BOF Goals Jon Callas
- Re: [Hash] BOF Goals Jon Callas
- RE: [Hash] BOF Goals Robert Zuccherato
- RE: [Hash] BOF Goals Paul Hoffman