Re: NIST publishes new DSA draft
On 27 Mar 2006, at 12:36 PM, Ben Laurie wrote:
I'm not going to argue with this, but it clearly ain't much more. You
would be out on a limb to argue that it provided usefully more than
bits - though I won't hesitate to agree that 2DES < 3DES.
Ben, I think we're far closer to agreeing than disagreeing.
During The Crypto Wars, we crypto-proponents made a point of saying
that the minimum crypto we'd live with was 128-bit. The reasons for
this had as much to do with the simple mathematical fact that 128 was
the next convenient power of two as anything else. So therefore, viva
IDEA, viva CAST, viva Blowfish. A lot of it was also just sheer
But what about three-key 3DES? Collectively, we agreed to include it
as a "128-bit" cipher (the quotes are there to mean quasi-, or so-
called). The reasons for this were also mostly politics. It would
have been unwise to say, "ooo, ick, 3DES" and in fact in this group,
arguably the most political standards group of them all, we not only
*accepted* 3DES as 128-bit cipher, but made it the MUST. That was
also mostly a political decision. It saved us a long, acrimonious
argument about Blowfish and CAST with side trips along 3DES itself,
DES/X, SAFER and others. Bravi us. (Personally, I say "3DES" to mean
three-key-3DES. I consider the two-key version to be some unmentioned
step-down, kinda the way that Blowfish will work with 32-bit keys.
It's true, but we don't even grace it with a mention.) Reality is a
collective hunch, especially in the IETF. The hunch is that 3DES is
as good as IDEA, CAST, Blowfish, etc.
Now, a decade later, we all mostly use AES. In fact, we mostly use
AES-256, and that for marketing reasons. AES-128 runs faster than
single-DES, and AES-256 is only 20% slower than -128, so there is
pressure to step up to 256-bit keys. People do it because all the
other kids are doing it, not for security.
You are right that we've *agreed* that 3DES is a "128"-bit algorithm
and there's no math to back it up. As fantasies (or collective
hunches) go, it's not a bad one. The strength of 3DES all revolves
around how much it's not a group. It appears to be enough of a non-
group that this isn't a mad thought. Better, though, to just use AES.
Or Twofish. Or petition the group to put Serpent in.
Nonetheless, getting back to the hash functions, the *only* reason to
use SHA-224 is that you have an application where a 28-byte hash will
work and a 32-byte one will not. If one person thinks that's
important for engineering reasons, I'm happy to have it in. If zero
people think it has engineering value, then less is more. We don't
need another hash function with no obvious value because in the
future there will be more hash functions. Save room on the bus for
the ones that aren't born yet.