ietf-openpgp

Re: NIST publishes new DSA draft

2006-03-27 14:49:40
On 27 Mar 2006, at 12:36 PM, Ben Laurie wrote:

> I'm not going to argue with this, but it clearly ain't much more. You
> would be out on a limb to argue that it provided usefully more than 112
> bits - though I won't hesitate to agree that 2DES < 3DES.


Ben, I think we're far closer to agreeing than disagreeing.

During The Crypto Wars, we crypto-proponents made a point of saying that the minimum crypto we'd live with was 128-bit. The reasons for this had as much to do with the simple mathematical fact that 128 was the next convenient power of two as anything else. So therefore, viva IDEA, viva CAST, viva Blowfish. A lot of it was also just sheer politics.

But what about three-key 3DES? Collectively, we agreed to include it as a "128-bit" cipher (the quotes are there to mean quasi-, or so-called). The reasons for this were also mostly politics. It would have been unwise to say, "ooo, ick, 3DES" and in fact in this group, arguably the most political standards group of them all, we not only *accepted* 3DES as a 128-bit cipher, but made it the MUST. That was also mostly a political decision. It saved us a long, acrimonious argument about Blowfish and CAST with side trips along 3DES itself, DES/X, SAFER and others. Bravi us. (Personally, I say "3DES" to mean three-key-3DES. I consider the two-key version to be some unmentioned step-down, kinda the way that Blowfish will work with 32-bit keys. It's true, but we don't even grace it with a mention.) Reality is a collective hunch, especially in the IETF. The hunch is that 3DES is as good as IDEA, CAST, Blowfish, etc.

Now, a decade later, we all mostly use AES. In fact, we mostly use AES-256, and that for marketing reasons. AES-128 runs faster than single-DES, and AES-256 is only 20% slower than -128, so there is pressure to step up to 256-bit keys. People do it because all the other kids are doing it, not for security.

You are right that we've *agreed* that 3DES is a "128"-bit algorithm and there's no math to back it up. As fantasies (or collective hunches) go, it's not a bad one. The strength of 3DES all revolves around how much it's not a group. It appears to be enough of a non-group that this isn't a mad thought. Better, though, to just use AES. Or Twofish. Or petition the group to put Serpent in.

Nonetheless, getting back to the hash functions, the *only* reason to use SHA-224 is that you have an application where a 28-byte hash will work and a 32-byte one will not. If one person thinks that's important for engineering reasons, I'm happy to have it in. If zero people think it has engineering value, then less is more. We don't need another hash function with no obvious value because in the future there will be more hash functions. Save room on the bus for the ones that aren't born yet.

        Jon
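Jon's point that the strength of 3DES "all revolves around how much it's not a group" can be checked at toy scale: if composing two keyed permutations always yields another key in the same family, multiple encryption buys nothing. The block below is an added example, not code from this thread or from any OpenPGP implementation; it uses two constructed 4-bit ciphers (plain XOR whitening, which is a group, and XOR whitening followed by the PRESENT S-box, which is not) and brute-forces whether double encryption ever collapses to a single key. Nothing here models DES itself.

```python
"""Toy closure test: does E_k2(E_k1(.)) ever equal some E_k3(.)?
Constructed 4-bit ciphers for illustration only, not DES."""
from itertools import product

# PRESENT's 4-bit S-box: a fixed, nonlinear permutation of the 16 nibbles.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
NIBBLES = range(16)          # both the block space and the key space


def xor_cipher(k, x):
    """E_k(x) = x XOR k. This family IS a group: E_k2(E_k1(x)) = E_{k1^k2}(x),
    so double encryption is exactly as strong as single encryption."""
    return x ^ k


def sbox_cipher(k, x):
    """E_k(x) = S(x XOR k): key whitening followed by a nonlinear S-box."""
    return SBOX[x ^ k]


def permutation(cipher, k):
    """Full input->output table of E_k, hashable so it can index a dict."""
    return tuple(cipher(k, x) for x in NIBBLES)


def double_encryption_closure(cipher, keys=NIBBLES):
    """Return (fraction of (k1, k2) pairs whose composition equals some
    single-key permutation, number of distinct permutations reachable by
    double encryption). A group gives (1.0, len(keys)); a family far from
    being a group gives a fraction near 0 and many more reachable maps."""
    single = {permutation(cipher, k): k for k in keys}
    reachable = set()
    closed = 0
    for k1, k2 in product(keys, repeat=2):
        composed = tuple(cipher(k2, cipher(k1, x)) for x in NIBBLES)
        reachable.add(composed)
        if composed in single:
            closed += 1
    return closed / len(keys) ** 2, len(reachable)


if __name__ == "__main__":
    for name, cipher in (("xor", xor_cipher), ("sbox", sbox_cipher)):
        frac, reach = double_encryption_closure(cipher)
        print(f"{name}: {frac:.2f} of key pairs collapse to one key; "
              f"{reach} distinct double-encryption permutations")
```

For the XOR family every pair collapses and only 16 permutations are reachable; for the S-box family no pair collapses and all 256 pairs give distinct permutations, which is the property Jon is relying on for 3DES.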