[13204] in cryptography@c2.net mail archive
Re: The Pure Crypto Project's Hash Function
daemon@ATHENA.MIT.EDU (John Kelsey)
Mon May 5 12:29:09 2003
X-Original-To: cryptography@metzdowd.com
Date: Mon, 05 May 2003 12:30:59 -0400
To: Ralf Senderek <ralf@senderek.de>, Rich Salz <rsalz@datapower.com>
From: John Kelsey <kelsey.j@ix.netcom.com>
Cc: "cryptography@metzdowd.com" <cryptography@metzdowd.com>
In-Reply-To: <Pine.LNX.4.31.0305040832050.993-100000@safe.senderek.de>
At 08:37 AM 5/4/03 +0200, Ralf Senderek wrote:
>On Sat, 3 May 2003, Rich Salz wrote:
...
> > Very simple: known to be cryptographically secure. SHA-1 is good. Your
> > invention is bad.
>
>So everything new must be bad, because it isn't "known to be .. secure"?

Suppose you're about to take a job as a policeman or security guard or
something, and believe there's a serious chance you'll be shot at. You're
trying to decide on which bulletproof vest to buy. Several vendors
demonstrate both safety arguments involving the tensile strength of Kevlar,
the way impacts are distributed across a large area, etc., and extensive
tests where various kinds of guns and knives are tried against the vest,
without penetrating it. Another vendor says "well, I decided to invent my
own bulletproof vest. I shot at it a couple times with my .22, and punched
it once, and it seems to hold up very well. Besides, it's conceptually
simpler than my competitors' vests, and I spent several days thinking over
the design without finding any weaknesses. Trust me." Which one do you
want to trust?

If you want to design a hash function, that's cool. In fact, designing
crypto primitives is one of the most fun things you can do. But doing it
right involves actually understanding the existing known attacks on the
primitives, and being capable of applying those attacks to a new
design. It also involves getting a lot of public comment--meaning writing
it up for submission to a good conference (FSE is great for new
primitives), and making your writeup so clear that you encourage lots of
people to look at it. And it still may be that people don't jump at the
chance to use your primitive, either for performance reasons, or because
they have a satisfactory alternative they trust more.

How much trust people have in some primitive is dependent on the reputation
of the designers, the amount of review it's seen, and even how well you
imagine the problem to be understood by the community. (Even very sharp
people designing block ciphers in 1985 were going to have a hard time
getting it right, because the public state of the art in cryptanalysis
wasn't all that great.)

...
>* Ralf Senderek <ralf@senderek.de> http://senderek.de * What is privacy *
--John Kelsey, kelsey.j@ix.netcom.com
PGP: FA48 3237 9AD5 30AC EEDD BBC8 2A80 6948 4CAA F259
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com