Re: [openpgp] SHA3 algorithm ids.

ianG <iang@iang.org> Sun, 09 August 2015 03:22 UTC

Return-Path: <iang@iang.org>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BDDD81A7034 for <openpgp@ietfa.amsl.com>; Sat, 8 Aug 2015 20:22:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HypQHjalZZxQ for <openpgp@ietfa.amsl.com>; Sat, 8 Aug 2015 20:22:09 -0700 (PDT)
Received: from virulha.pair.com (virulha.pair.com [209.68.5.166]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5F3D21A21B7 for <openpgp@ietf.org>; Sat, 8 Aug 2015 20:22:09 -0700 (PDT)
Received: from tormenta.local (iang.org [209.197.106.187]) by virulha.pair.com (Postfix) with ESMTPSA id D5C7A6D73B; Sat, 8 Aug 2015 23:22:07 -0400 (EDT)
Message-ID: <55C6C76F.3010502@iang.org>
Date: Sun, 09 Aug 2015 04:22:23 +0100
From: ianG <iang@iang.org>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:31.0) Gecko/20100101 Thunderbird/31.7.0
MIME-Version: 1.0
To: openpgp@ietf.org
References: <835832901.20150808225230@gmail.com> <55C68729.3050603@iang.org> <1439075830.20521.66.camel@scientia.net> <CAMm+LwgY9S7KgwP5q2FSPrdaLpsQ1E7LOvsC5OOJTwy5ZWGODw@mail.gmail.com>
In-Reply-To: <CAMm+LwgY9S7KgwP5q2FSPrdaLpsQ1E7LOvsC5OOJTwy5ZWGODw@mail.gmail.com>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/openpgp/iUM5CryAFdI-bNmLN2ReOlMM-q0>
Subject: Re: [openpgp] SHA3 algorithm ids.
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 09 Aug 2015 03:22:10 -0000

On 9/08/2015 02:40 am, Phillip Hallam-Baker wrote:
> Thinking this through a bit further.
>
> Why is anyone going to move from SHA-2 to SHA-3 ? Only reason I can
> think of is a real or perceived weakness in SHA-2.


For which they ran a competition :)  OK so now thinking has changed a bit.

"It's not pressing."

But it's always worth going for the most recent work;  the thinking is 
that SHA2 is not broken, which isn't the same as "it's state of the art."

SHA2 is cerca late 1990s design.  SHA3 is early 2010s.  I'm guessing 
that difference is worth another 15 years on the lifespan.

My other reason for going for SHA3 is that then we could potentially do 
the one-symmetric-suite on one code base, as one obligatory set.

However, that's only a thought balloon.  I've not looked at the 
complexity of SHA3 as hash or as AE algorithm (Keyak), in code.  It 
could be that the total coding complexity of say SHA2 + Chacha/Poly is 
less than the new set, even with the same base.

As a coder, this is 99% of the worry - how complicated is the code, or 
worse, as a manager, how much do I have to pay someone to implement it?


> That being so, I can't see why they would go for a lower number of
> bits/rounds.


Only reason could be that discussion of SHAKEs versus SHAs, and some 
artifact that indicated that the longest rounds were actually 
inefficient and over the top.


> For OpenPGP, I think the case for 512 only or 256 and 512 is pretty strong.
>
>
> On Sat, Aug 8, 2015 at 7:17 PM, Christoph Anton Mitterer
> <calestyo@scientia.net <mailto:calestyo@scientia.net>> wrote:
>
>     On Sat, 2015-08-08 at 23:48 +0100, ianG wrote:
>     > My "position" is only one hash, as many know well.  I prefer the
>     > longest, because they are computers and they don't have enough work
>     > to
>     > do.
>     If only one is to be assigned a number, it should be definitely the
>     longest.
>
>     Cheers,
>     Chris.