On 3/23/17, 7:18 AM, "openpgp on behalf of Nicholas Cole"
<openpgp-bounces(_at_)ietf(_dot_)org on behalf of
nicholas(_dot_)cole(_at_)gmail(_dot_)com> wrote:
On Thu, Mar 23, 2017 at 7:53 AM, Werner Koch <wk(_at_)gnupg(_dot_)org>
wrote:
>> Hi!
>>
>> I try to summarize the positions on the v5 fingerprint porposal:
>> . . .
>> In favor of SHA-256 truncated to 200 bits:
>>
>> - Vincent: Even wants to truncate to 160 bits.
>>
>> - Derek: Better for small systems. He gave numbers and showed that
>> for fingerprints SHA-256 is even faster on systems where
>> SHA-512 is in general faster.
>> . . .
>> Other comments:
>>
>> - Jon: Use SHA-512/t to have a well defined truncation scheme.
>>
>> - Peter Todd: Do not truncated because the saving is not worth using a
>> non-standard scheme.
>>
>> - Brian: Use SHAKE128 or 256, will be needed anyway if we add
>> Curve448.
>>
>> - Werner: Using SHA-512 would allow compliant applications in case
>> Ed25519 would be a mandatory algorithm.
I'd add this one:
any time a spec does something non-standard it is a lightening rod for
criticism and FUD. Even if there are good and rational reasons for
doing something else, I'd advocate using a standard hash without
truncating for that reason.
I’m with Jon on this one – if you’re going to do truncation, then use a scheme
that’s DESIGNED to generate a truncated value. And the only one that’s been
discussed that meets that criteria is SHA2-512/t.
But I also find Derek’s desire to use SHA2-256 to be compelling because of
performance.
Tony Hansen
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp