Re: [openpgp] WWhy or why not SHA{2, 3}-512 (was: SHA3 algorithm ids)

Phillip Hallam-Baker <phill@hallambaker.com> Wed, 12 August 2015 20:05 UTC

Return-Path: <hallam@gmail.com>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C0BC71ACD81 for <openpgp@ietfa.amsl.com>; Wed, 12 Aug 2015 13:05:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.277
X-Spam-Level:
X-Spam-Status: No, score=-1.277 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id J-U1OSYjxfHx for <openpgp@ietfa.amsl.com>; Wed, 12 Aug 2015 13:05:38 -0700 (PDT)
Received: from mail-la0-x232.google.com (mail-la0-x232.google.com [IPv6:2a00:1450:4010:c03::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E0F531ACD83 for <openpgp@ietf.org>; Wed, 12 Aug 2015 13:05:37 -0700 (PDT)
Received: by lagz9 with SMTP id z9so15209440lag.3 for <openpgp@ietf.org>; Wed, 12 Aug 2015 13:05:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:content-type; bh=M9FcycAuFj5AYApCKYFc48PyRMS9S9YV2mqnCPLf6hM=; b=kcmpA5tjcsHlffcuH6/L9lACXho7qVfZUqplxxNeish04nThqkYrQHwU7akXqFvwX9 D2LtJwOTiHuqxQZ+L9jc77h+3IVMcdsF1Z7DdmYkU16pzbBuOe5/klB0LasIWwbd68GJ xP9TyE62L9XZZwcw+b9/sV7Li01Nti+zhwSkzWnB6SpxokbTfnpOuizEIKXvcZZe06+D dNpYZSYniB4zT2eezDpzAkAC9TVsE4wFzV9ktFkSAdCvN3EFCw8Sp1FGFTUESYoSftQ6 XmrQyNd0wRczGKmZ3Jtbdv/19E0iH2RbIgaiIm5e+//hRFqm7PtJ+/BXg/LQL7O49r2w Actg==
MIME-Version: 1.0
X-Received: by 10.152.178.229 with SMTP id db5mr34102956lac.55.1439409936366; Wed, 12 Aug 2015 13:05:36 -0700 (PDT)
Sender: hallam@gmail.com
Received: by 10.112.203.163 with HTTP; Wed, 12 Aug 2015 13:05:36 -0700 (PDT)
In-Reply-To: <87614lg72t.fsf_-_@vigenere.g10code.de>
References: <87y4hmi19i.fsf@vigenere.g10code.de> <7540C7A9-2830-4A63-8310-B684796DA279@nohats.ca> <55C681FC.9010100@iang.org> <sjma8tztbgo.fsf@securerf.ihtfp.org> <CAMm+Lwj7SxXTn+KD-eQSeZHwJB36tCgD1t0bodVsp3ovOaZ8mw@mail.gmail.com> <9A043F3CF02CD34C8E74AC1594475C73F4AD7C72@uxcn10-5.UoA.auckland.ac.nz> <87614lg72t.fsf_-_@vigenere.g10code.de>
Date: Wed, 12 Aug 2015 16:05:36 -0400
X-Google-Sender-Auth: 2FbrZH_hSArKkRnOyZ83WrNK22U
Message-ID: <CAMm+LwiK=yU9i-LBH0MdUbJZ81K5OFyK_mQBF8WAPzbhjhAxDQ@mail.gmail.com>
From: Phillip Hallam-Baker <phill@hallambaker.com>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>, Phillip Hallam-Baker <phill@hallambaker.com>, Derek Atkins <derek@ihtfp.com>, IETF OpenPGP <openpgp@ietf.org>, ianG <iang@iang.org>
Content-Type: multipart/alternative; boundary=001a113415eaf183a8051d22bdc4
Archived-At: <http://mailarchive.ietf.org/arch/msg/openpgp/GRlsKrpCtZ5Rf-wdhjQoo1wxEnA>
Subject: Re: [openpgp] WWhy or why not SHA{2, 3}-512 (was: SHA3 algorithm ids)
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 12 Aug 2015 20:05:39 -0000

On Tue, Aug 11, 2015 at 11:47 AM, Werner Koch <wk@gnupg.org>; wrote:

> On Tue, 11 Aug 2015 15:21, pgut001@cs.auckland.ac.nz said:
>
> > What's the clear need for -512?  By which I mean a demonstrated
> practical need
> > for a hash size of 64 bytes, not a hypothesised need given an imaginary
> > attack.  I can see a need for SHA-256 (to replace SHA-1), but for
> something
> > like SHA3-512 all I can see are downsides (compared to SHA2-256).
>
> One advantage of SHA-512 (SHA2) is that it faster than SHA-256 on modern
> machines.  Thus SHA-512 truncated to 256 might be an option.  This would
> eventually allow to write a small application which uses SHA-512 as its
> only hash algorithm.
>

Yes, oddly enough, this is a case where the pressure seems to be behind 512
being the default strength.

We definitely need 512 bits and adding 256 in addition seems like its the
thing to do. While the CFRG crypto is going for the 512 bit hash
internally, there is still a lot of ECDSA based stuff using the NIST curves
and that expects the 256 bit digest.

I can't see any particular reason for any of the other key strengths.


Talking of constrained devices BTW, I'm just trying out the new Windows 10
on a Raspberry Pi 2. Of course its going to have all the NIST curve
generation ECC and we are likely 3 years off the point where the CFRG stuff
is ubiquitous.