[13187] in cryptography@c2.net mail archive


my take on "PCP"

daemon@ATHENA.MIT.EDU (Perry E. Metzger)
Sun May 4 10:13:01 2003

X-Original-To: cryptography@metzdowd.com
To: cryptography@metzdowd.com
Cc: Ralf Senderek <ralf@senderek.de>
From: "Perry E. Metzger" <perry@piermont.com>
Date: 04 May 2003 10:11:19 -0400


Ralf is very well meaning, but I think that anyone who invents their
own hash functions and puts them into a program that is expected to be
used by real people, without first publishing them and subjecting them
to real-world analysis, should not be trusted. They are in the
same category as people giving just-invented experimental drugs to
humans without first testing them on other living things. No matter
how well meaning, they are likely to cause serious damage.

As for the motivation for not using a member of the SHA family or
something similar, there is no excuse. You can know that an
implementation of SHA-1 is correct, pretty trivially, by the fact that
it interoperates. If it passes a test suite and others can duplicate
what it does, it is almost certainly SHA-1. The damage if it failed --
lack of interoperation -- would be immediately obvious to a user.

There is no security gain whatsoever in picking something with a
"smaller implementation" in this instance. There is, however, a
substantial risk that a brand new basement-brew hash function will be
insecure. Even if you had a proof of security, publication would be
needed so others could check your proof -- "proven" security systems
have been broken in the past following publication.

If you do not recognize why all this is, you probably should not be
writing security critical systems.


-- 
Perry E. Metzger		perry@piermont.com

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
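The check Perry describes (a SHA-1 implementation is shown correct by passing the published test vectors and agreeing with independent implementations) can be made concrete. The following is an added example, not code from the original message or from PCP: a from-scratch SHA-1 in pure Python, verified against the FIPS 180-1 / RFC 3174 known-answer vectors and cross-checked against Python's hashlib. The deliberately mistyped variant (one wrong round constant) is a constructed bug, included only to show that both checks catch an implementation error; a home-brew hash has no published vectors and no second implementation to compare against, so neither check is available for it.

```python
import hashlib
import struct

# Published FIPS 180-1 / RFC 3174 known-answer vectors (not constructed here).
KNOWN_ANSWERS = {
    b"abc": "a9993e364706816aba3e25717850c26c9cd0d89d",
    b"": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
    b"abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq":
        "84983e441c3bd26ebaae4aa1f95129e5e54670f1",
}

# Round constants from the SHA-1 specification.
SHA1_K = (0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC, 0xCA62C1D6)

# Constructed bug for illustration: last round constant has one digit wrong.
MISTYPED_K = (0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC, 0xCA62C1D7)


def _rotl(x, n):
    """32-bit left rotate."""
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def _sha1_core(data: bytes, K) -> str:
    """SHA-1 compression over a padded message, with the round constants K injected
    so that a correct and a mistyped build can share the same code path."""
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0]
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)   # pad to 56 mod 64
    msg += struct.pack(">Q", len(data) * 8)          # 64-bit big-endian bit length
    for off in range(0, len(msg), 64):
        w = list(struct.unpack(">16I", msg[off:off + 64]))
        for t in range(16, 80):                      # message schedule
            w.append(_rotl(w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16], 1))
        a, b, c, d, e = h
        for t in range(80):
            if t < 20:
                f, k = (b & c) | (~b & d), K[0]
            elif t < 40:
                f, k = b ^ c ^ d, K[1]
            elif t < 60:
                f, k = (b & c) | (b & d) | (c & d), K[2]
            else:
                f, k = b ^ c ^ d, K[3]
            temp = (_rotl(a, 5) + (f & 0xFFFFFFFF) + e + k + w[t]) & 0xFFFFFFFF
            e, d, c, b, a = d, c, _rotl(b, 30), a, temp
        h = [(x + y) & 0xFFFFFFFF for x, y in zip(h, (a, b, c, d, e))]
    return "".join("%08x" % x for x in h)


def sha1_from_scratch(data: bytes) -> str:
    return _sha1_core(data, SHA1_K)


def sha1_mistyped(data: bytes) -> str:
    return _sha1_core(data, MISTYPED_K)


def check_known_answers(fn):
    """Return {message: (expected, got)} for every published vector fn gets wrong.
    An empty dict means the implementation passes the test suite."""
    return {m: (exp, fn(m)) for m, exp in KNOWN_ANSWERS.items() if fn(m) != exp}


def check_interoperates(fn, samples):
    """Return the samples on which fn disagrees with an independent implementation
    (hashlib). An empty list means the two implementations interoperate."""
    return [s for s in samples if fn(s) != hashlib.sha1(s).hexdigest()]


# Constructed sample inputs for the cross-check (multi-block and odd lengths included).
SAMPLES = [b"The quick brown fox", b"x" * 1000, bytes(range(256)), b"\x00" * 55, b"a" * 64]

if __name__ == "__main__":
    for name, fn in (("from-scratch", sha1_from_scratch), ("mistyped", sha1_mistyped)):
        print(name, "KAT failures:", len(check_known_answers(fn)),
              "interop mismatches:", len(check_interoperates(fn, SAMPLES)))
```

Both checks exist only because SHA-1 is a published standard with reference outputs and many independent implementations; that is the whole of Perry's point about interoperation. Note that these checks establish implementation correctness, not cryptographic strength: SHA-1 is no longer acceptable where collision resistance is needed, so the same verification discipline should today be applied to a SHA-2 or SHA-3 implementation.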
