Re: [openpgp] SHA3 algorithm ids.

Phillip Hallam-Baker <> Tue, 11 August 2015 14:16 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 84F981A8AC2 for <>; Tue, 11 Aug 2015 07:16:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.277
X-Spam-Status: No, score=-1.277 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id KL5lj0HX_oTj for <>; Tue, 11 Aug 2015 07:16:45 -0700 (PDT)
Received: from ( [IPv6:2a00:1450:4010:c03::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 0B4C61A8A99 for <>; Tue, 11 Aug 2015 07:16:45 -0700 (PDT)
Received: by lagz9 with SMTP id z9so71772013lag.3 for <>; Tue, 11 Aug 2015 07:16:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type; bh=iraCo0HiTRoerlbgMe+2RMxZGTFxr2/HsxHWAYUM26g=; b=p9g29MkXlt0vBVDR+rM3XiywVBEe2jL1lWgpYzFAgDDIS6NM6bnCnRpWymqiLW45G5 Vhf0AczWME9/4hipwySOSi/t83cEY3KfslSF1PZPQ4S3btF3i/oFppWmJIfxDgNbHjUO 1ntPLjAx3vcs6HNAf2Li1fopsPcsylO/RnpwXMAW2V6faeMKH4j/JQdvWTUfJo2+2+GQ GLHCp4CI6faTNKTLxaBewGQwky47zYodYieTK93hnJ3empH3zZHhWotS6KTFFrRSUX4o dt8QosU/LoHNH9gGxFlImueMtBhiEePlA+KlRAUfYDZwzeLrlXAtmPEL7VbwXRvsK23C 2SiQ==
MIME-Version: 1.0
X-Received: by with SMTP id mw1mr9591934lbb.124.1439302603350; Tue, 11 Aug 2015 07:16:43 -0700 (PDT)
Received: by with HTTP; Tue, 11 Aug 2015 07:16:43 -0700 (PDT)
In-Reply-To: <>
References: <> <> <> <> <> <>
Date: Tue, 11 Aug 2015 10:16:43 -0400
X-Google-Sender-Auth: _ckGu9yHXPTMtNASHkGjSXASLIs
Message-ID: <>
From: Phillip Hallam-Baker <>
To: Peter Gutmann <>
Content-Type: multipart/alternative; boundary=001a11c3693665aaa6051d09c043
Archived-At: <>
Cc: IETF OpenPGP <>, Derek Atkins <>, ianG <>
Subject: Re: [openpgp] SHA3 algorithm ids.
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 11 Aug 2015 14:16:46 -0000

On Tue, Aug 11, 2015 at 9:21 AM, Peter Gutmann <>

> Phillip Hallam-Baker <> writes:
> >There is a very clear need for 512 bits and there is a case for 256 bits.
> What's the clear need for -512?  By which I mean a demonstrated practical
> need
> for a hash size of 64 bytes, not a hypothesised need given an imaginary
> attack.  I can see a need for SHA-256 (to replace SHA-1), but for something
> like SHA3-512 all I can see are downsides (compared to SHA2-256).

The CFRG replacement for ECDSA will almost certainly use the 512 bit wide
pipe hash internally.

Dan Bernstein put together a Perl script that shows every algorithm and
every option. If you are going to sign a 1Gb file then you are going to
need multiple trips through the digest function. Now there is of course a
good argument to be made for a faster 256 bit hash for the bulk digest on
that 1Gb file. But you also need one or more digests of fixed bits of data

So the practical upshot is that if we were to define an absolutely minimal
cryptolib it would almost certainly include the 512 bit digest. The 256 bit
is optional.

Constrained devices still exist. But the constraint on processing speed is
easing up much more quickly than the constraint on code space and working