ietf-openpgp

Re: [openpgp] Why or why not SHA{2, 3}-512 (was: SHA3 algorithm ids)

2015-08-12 15:06:05
On Tue, Aug 11, 2015 at 11:47 AM, Werner Koch <wk(_at_)gnupg(_dot_)org> wrote:

On Tue, 11 Aug 2015 15:21, pgut001(_at_)cs(_dot_)auckland(_dot_)ac(_dot_)nz said:

What's the clear need for -512?  By which I mean a demonstrated
practical need for a hash size of 64 bytes, not a hypothesised need
given an imaginary attack.  I can see a need for SHA-256 (to replace
SHA-1), but for something like SHA3-512 all I can see are downsides
(compared to SHA2-256).

One advantage of SHA-512 (SHA2) is that it is faster than SHA-256 on modern
machines.  Thus SHA-512 truncated to 256 might be an option.  This would
eventually allow one to write a small application which uses SHA-512 as its
only hash algorithm.


Yes, oddly enough, this is a case where the pressure seems to be behind 512
being the default strength.

We definitely need 512 bits and adding 256 in addition seems like it's the
thing to do. While the CFRG crypto is going for the 512 bit hash
internally, there is still a lot of ECDSA based stuff using the NIST curves
and that expects the 256 bit digest.

I can't see any particular reason for any of the other key strengths.


Talking of constrained devices BTW, I'm just trying out the new Windows 10
on a Raspberry Pi 2. Of course it's going to have all the NIST curve
generation ECC and we are likely 3 years off the point where the CFRG stuff
is ubiquitous.
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp