ietf-openpgp

Re: A review of hash function brittleness in OpenPGP

2009-01-13 06:52:30

Jon Callas wrote:

On Jan 9, 2009, at 4:16 PM, Ben Laurie wrote:

Jon Callas wrote:
(Let me put on my hash-designer's hat for a moment. In Skein, we created a one-pass MAC construction that can replace HMAC. It also has a proof of security.
I wish people would stop saying that things have "a proof of security". Rot13 has a proof of security, but I don't want to use it. You need to state what security properties you have proved.

If we're going to get picky, Rot-13 is not a cipher, it's a code.

So what?

It has similar security properties to ASCII, which is a related code. But you're right -- on another list I'm on, there was someone who made the comment that there's no theoretically perfect cryptography. I almost replied that the Caesar cipher (which is ROT-N) has perfect security, just an inadequate key space.

Nonetheless, you're right. Many people including me sneer at security proofs.

Then why mention them?

The list of things that have had proofs of security and then fallen over is large. There are plenty of proofs of security that have some people raise an eyebrow. For example, we say that HMAC is secure on today's slightly dodgy hash functions because of a proof of security, but that proof relies on properties of the hash function we're not sure they have. (Niels Ferguson was the first person I know to bring this up, and for the most part, we all whistle as we walk by his observations.)

I think that security proofs are fundamentally lacking in basic foundations. There's a sense in which you can start with the Peano postulates for arithmetic and end up with double entry bookkeeping. We can't do anything like that in security, and it's a huge lack.

Nonetheless, it's better to have a proof than not to have one.

If the proof proves something useful, then indeed it is better. But once more, saying "it has a security proof" provides no useful information.

And I didn't want to turn this into a Skein discussion, I was making the aside that there are people looking at verification constructions that have properties programmers like, and I know this because I've worked on one.

Go read the Skein paper. It's at <http://www.skein-hash.info>. I think we've addressed your comments, because we feel the same way.

I have read the Skein paper.

-- 
http://www.apache-ssl.org/ben.html           http://www.links.org/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff