Re: [openpgp] Support for alternatives to Merkle–Damgård

2014-06-20 09:10:01
Hi Aaron:

FYI - while SHA-3 has indeed not been standardized yet, a draft (FIPS Pub 202) was published on May 28, 2014, with a comment period ending August 26, 2014, just after the SHA-3 workshop in Santa Barbara.

Best regards, Rene

On 6/20/2014 9:21 AM, Aaron Toponce wrote:
Last night, I was playing around with rhash(1), and noticed that not only does
it support SHA3 (specifically, Keccak-n that does not append the additional
'01' bits at the end before padding), but it also supports Whirlpool.

Are there any plans on integrating Whirlpool and/or SHA3 into the OpenPGP
standard? The reason I ask is that the supported algorithms, MD5, SHA1,
SHA224, SHA256, SHA384, and SHA512, are all built using the Merkle–Damgård
construction. This seems like putting all of your eggs into one basket, and
seems like a bad idea to me.

Further, because MD4 and MD5, which are both built around Merkle–Damgård, are
broken, and there exist theoretical attacks on SHA1 and SHA2, it seems like
there may be some fundamental, abstract flaw with Merkle–Damgård.

Whirlpool uses the Miyaguchi-Preneel construction while SHA3 uses the sponge
construction. It would seem that adding in support for these constructions
would be wise for OpenPGP, provided there is some breakthrough cryptanalysis on
Merkle–Damgård, and every hash OpenPGP supports falls victim, other than
RIPEMD-160 perhaps.

Of course, SHA3 hasn't been standardized yet by NIST. I understand that. Either
OpenPGP could wait for the standardization, which is just a subset of Keccak,
or use Keccak directly. I could see both sides of the argument equally here.

Anyway, just curious.
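As an added illustration of the point Aaron raises about rhash computing "Keccak-n that does not append the additional '01' bits", here is a from-scratch Keccak sponge in pure Python. It is example code written for this thread, not code from rhash, the OpenPGP working group, or the Keccak team; it assumes only the standard library, and uses hashlib.sha3_256 (CPython 3.6 or later) as the reference for the FIPS 202 variant. The same absorb/permute/squeeze sponge produces both the original competition-era Keccak-256 and the draft SHA3-256; the only difference is the suffix byte fed into the padding step, which is exactly why the two digests of the same input disagree.

```python
# Example (not from the openpgp thread): Keccak-f[1600] and the sponge around it,
# to show that SHA-3 (FIPS 202 draft) differs from raw Keccak only in the two
# domain-separation bits '01' appended before the pad10*1 padding.
import hashlib

MASK64 = (1 << 64) - 1


def rol64(a, n):
    """Rotate a 64-bit lane left by n bits (n may be 0)."""
    n %= 64
    return ((a << n) | (a >> (64 - n))) & MASK64


def keccak_f1600(lanes):
    """Keccak-f[1600]: 24 rounds over a 5x5 matrix of 64-bit lanes, lanes[x][y]."""
    rc = 1  # LFSR state that generates the iota round constants
    for _ in range(24):
        # theta: mix each lane with the parity of two neighbouring columns
        c = [lanes[x][0] ^ lanes[x][1] ^ lanes[x][2] ^ lanes[x][3] ^ lanes[x][4] for x in range(5)]
        d = [c[(x - 1) % 5] ^ rol64(c[(x + 1) % 5], 1) for x in range(5)]
        lanes = [[lanes[x][y] ^ d[x] for y in range(5)] for x in range(5)]
        # rho and pi: rotate each lane by its offset and move it to its new position
        x, y = 1, 0
        cur = lanes[x][y]
        for t in range(24):
            x, y = y, (2 * x + 3 * y) % 5
            cur, lanes[x][y] = lanes[x][y], rol64(cur, (t + 1) * (t + 2) // 2)
        # chi: the only non-linear step, applied row by row
        for y in range(5):
            row = [lanes[x][y] for x in range(5)]
            for x in range(5):
                lanes[x][y] = row[x] ^ (~row[(x + 1) % 5] & row[(x + 2) % 5])
        # iota: xor the round constant into lane (0,0), bit by bit from the LFSR
        for j in range(7):
            rc = ((rc << 1) ^ ((rc >> 7) * 0x71)) & 0xFF
            if rc & 2:
                lanes[0][0] ^= 1 << ((1 << j) - 1)
    return lanes


def permute(state):
    """Apply Keccak-f[1600] to a 200-byte state; lane (x,y) lives at offset 8*(x+5y), little-endian."""
    lanes = [[int.from_bytes(state[8 * (x + 5 * y):8 * (x + 5 * y) + 8], "little")
              for y in range(5)] for x in range(5)]
    lanes = keccak_f1600(lanes)
    out = bytearray(200)
    for x in range(5):
        for y in range(5):
            out[8 * (x + 5 * y):8 * (x + 5 * y) + 8] = lanes[x][y].to_bytes(8, "little")
    return out


def sponge(rate_bytes, data, suffix, out_len):
    """Generic sponge: absorb data into the rate part, pad with suffix || 10*1, squeeze out_len bytes.

    The capacity (200 - rate_bytes) is never touched by input or output, which is
    what gives the construction its security argument.
    """
    state = bytearray(200)
    filled = 0  # bytes of the current block already absorbed
    for off in range(0, len(data), rate_bytes):
        chunk = data[off:off + rate_bytes]
        for i, b in enumerate(chunk):
            state[i] ^= b
        filled = len(chunk)
        if filled == rate_bytes:
            state = permute(state)
            filled = 0
    # Padding: `suffix` holds the domain bits (LSB first) followed by the first '1'
    # of pad10*1; the closing '1' is the top bit of the last rate byte. Both may
    # land in the same byte when only one byte of the block is free.
    state[filled] ^= suffix
    state[rate_bytes - 1] ^= 0x80
    state = permute(state)
    out = bytearray()
    while len(out) < out_len:
        out += state[:min(rate_bytes, out_len - len(out))]
        if len(out) < out_len:
            state = permute(state)
    return bytes(out)


def keccak256(data):
    """Competition-era Keccak-256 (rate 1088 bits): pad10*1 only, so suffix byte 0x01."""
    return sponge(136, data, 0x01, 32)


def sha3_256(data):
    """FIPS 202 SHA3-256: domain bits '01' then pad10*1, i.e. bits 0,1,1 -> suffix byte 0x06."""
    return sponge(136, data, 0x06, 32)


def matches_stdlib(data):
    """True when this SHA3-256 agrees with CPython's hashlib implementation."""
    return sha3_256(data) == hashlib.sha3_256(data).digest()


if __name__ == "__main__":
    for msg in (b"", b"abc"):
        print("Keccak-256:", keccak256(msg).hex())
        print("SHA3-256:  ", sha3_256(msg).hex(), "stdlib agrees:", matches_stdlib(msg))
```

The two `keccak256` and `sha3_256` wrappers share every byte of the permutation and the sponge; only the suffix argument differs, so any tool that labels a digest "SHA3" should be checked against which padding it actually applies. The block-boundary cases (input exactly one rate, and one byte short of a rate) exercise the padding path where the suffix and the closing `0x80` share a byte.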


