Re: NIST publishes new DSA draft

[Ben Laurie <ben@algroup.co.uk>]

Jon Callas wrote:
> On 26 Mar 2006, at 3:12 AM, Ben Laurie wrote:
> 
>> Jon Callas wrote:
>>>
>>> I think we ought to keep it with the same algorithm number.
>>>
>>> I'm happy to put in SHA-224 (meaning it's trivial work), but I don't
>>> like it, myself. The reason is that SHA-224 is really a truncated
>>> SHA-256. Thus, it has no advantages over SHA-256 except being smaller by
>>> 32-bits with 112 bits of security. The reason it exists at all is for
>>> crypto-balance with 2-key 3DES (which is not TDEA), which we don't allow
>>> at all.
>>
>> <pedantic>
>>
>> 3-key DES also has a strength of 112 bits.
>>
>> </pedantic>
>>
> 
> There are certainly good arguments for that, but if 3-key 3DES is no
> stronger than 2-key, then there shouldn't be any harm in dropping the
> third key. Right? If you don't like this idea (that 2-key and 3-key are
> equivalent), which I don't, then 3-key must be some stronger. It just
> isn't easy to know how much more.

I'm not going to argue with this, but it clearly ain't much more. You
would be out on a limb to argue that it provided usefully more than 112
bits - though I won't hesitate to agree that 2DES < 3DES.

Cheers,

Ben.


-- 
http://www.apache-ssl.org/ben.html           http://www.links.org/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff