ietf-openpgp
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [openpgp] V5 Fingerprint again

2017-03-03 11:12:46
from [KellerFuchs] [Permanent Link] 
On Wed, Mar 01, 2017 at 07:12:20PM -0500, Derek Atkins wrote:

On  Wed, Mar 1, 2017 6:27 PM, Leo Gaspard <leo(_at_)gaspard(_dot_)io> wrote:

On 03/01/2017 06:30 PM, Phillip Hallam-Baker wrote:

H(x) = SHA-2-512(x)


Hoping this hasn't been discussed before, but... is there a reason for
not picking SHA3-512? (or SHAKE256 with 25*8 bits of output if willing
to stay at 25 octets for the fingerprint)


Because the SHA3 competition showed us that SHA2 is a good hash...  and SHA2 
is much faster than SHA3.


BLAKE2 is faster than either (2-3× faster than SHA-2, depending on 
configuration,
and about 3-5× faster than SHA-3), and designed for ease-of-implementation on a
variety of platforms, and was standardized as [RFC 7693].

It's widely-regarded as secure; quoting the SHA-3 final report [0]:


BLAKE and Keccak have very large security margins. [...]
Skein and BLAKE have no known distinguishing attacks that come close to 
threatening their
full-round versions.  Grøstl, Skein, and BLAKE have a large number of attack 
papers reflecting
considerable depth of analysis.



Moreover, quite a few projects already picked it as their hash function of
choice, due to said advantages, so there is existing library support and
we can likely expect that to be true for quite some time.


In that context, is there something I missed which says
we can't have our cake and eat it too?


Best,

  kf


[0]: http://nvlpubs.nist.gov/nistpubs/ir/2012/NIST.IR.7896.pdf
[RFC 7693]: https://tools.ietf.org/html/rfc7693



-derek

Sent from my mobile device. Please excuse any typos.

----- Reply message -----
From: "Leo Gaspard" <leo(_at_)gaspard(_dot_)io>
To: <openpgp(_at_)ietf(_dot_)org>
Subject: [openpgp] V5 Fingerprint again
Date: Wed, Mar 1, 2017 6:27 PM

On 03/01/2017 06:30 PM, Phillip Hallam-Baker wrote:

H(x) = SHA-2-512(x)


Hoping this hasn't been discussed before, but... is there a reason for
not picking SHA3-512? (or SHAKE256 with 25*8 bits of output if willing
to stay at 25 octets for the fingerprint)

This should push back the next required switch to a v6 key.



_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp


_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [openpgp] V5 Fingerprint again, Vincent Breitmoser
Next by Date:  [openpgp] Version 5 key and fingerprint proposal, Werner Koch
Previous by Thread:  Re: [openpgp] V5 Fingerprint again, Leo Gaspard
Next by Thread:  [openpgp] Version 5 key and fingerprint proposal, Werner Koch
Indexes:  [Date] [Thread] [Top] [All Lists]