SHA-3 is KECCAK
Chris Cain
clcain at uncg.edu
Fri Jan 17 08:44:08 PST 2014
Here, let me use an analogy. Note, this analogy comes from me so
it's not necessarily endorsed by any professional
cryptographers... but it explains where my concerns are coming
from.
Let's say that everyone has something very precious ... like a
diamond. Let's imagine a multiverse. Each universe can
"represent" an algorithm. One is for MD5, another is for SHA1 and
so on. In each universe, there exists a planet that holds a vault
that has your diamond. Some universes are similar to others (for
instance, the SHA1 universe has some passing resemblance to the
MD5 universe).
When you say "specialized hardware can be made to speed up the
process", I think "I can visit ten planets in this universe
looking for the vaults instead of just one at a time if I invest
in a special ship". Can you see why this doesn't concern me in
the slightest?
When you say "Moore's law", I think "every 18 months I can know
which half of the remaining universe contains the diamonds".
Again, can you see why this doesn't concern me?
The universe is _just too big_ for this stuff to matter. If you
can't find the vaults containing the diamonds, then these things
don't bother me, nor should they bother you.
For the MD5 universe, people have found a way of discovering the
planet the diamonds are on very quickly (something like being
able to find which millionth of the remaining universe contains
the diamond each attempt ... a very fast solution). They've
overcome the challenge of finding the diamonds (collision
resistance) and now we wonder who is going to invent the
blowtorch capable of opening the vaults up (preimage attack). All
any cryptographer is saying is move the diamonds you care about
into another universe before the MD5 blowtorch is invented. It
may never get invented (we don't have any idea whether it's
possible or if it is possible, when it might materialize) but
moving it into another universe where the diamonds haven't even
been found yet is simply safer. Ideally you don't want a universe
that is too similar (such as MD5 and SHA1) because it might make
the planet easier to find. Also note that despite their
similarities, no planets with diamonds have been found in the
SHA1 universe. Yet still cryptographers are recommending moving
on to SHA2 for new projects. Just food for thought.
Plus knowing which planet the diamond is on is dangerous enough
since it can be used in certain circumstances to do some
nefarious things (already showed the example where someone can
lie about a prediction for the future). It's only in special
circumstances, but ignoring subtleties isn't recommended in
cryptography since people almost always figure out a way to use
things incorrectly.
To summarize, do not use MD5 intending it to be secure against
attackers. Just don't. I'd also like to say that you really
shouldn't suggest to anyone that it's a reasonable approach
either. Obviously, I can't force you to, but do know that
generally people (not just me) are going to argue against you on
this, so you can save yourself a lot of trouble by just never
mentioning MD5 as being acceptable again. At this point I think
there's been enough discussion on the matter that exceptionally
few will wander into this topic and be misled into accepting MD5
for security purposes, so I'm going to retire from this
discussion. If you use MD5 for its "security", just remember this
for later: You were warned™. (Also, remember that people have
been saying "Don't use MD5" since 1996, so when you do get bit by
it, not only "You were warned" but "you are 20 years out of date,
find a new job because you're fired" is also likely)
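The collision-versus-preimage distinction the post leans on (finding "which
planet" versus "opening the vault"), and the "lie about a prediction" trick it
mentions, shown in running code. This is an added example and not part of the
original post or thread. It shrinks the "universe" by truncating MD5 to a few
bits so the searches finish in seconds; the message prefixes, nonce format and
bit counts are arbitrary choices for illustration. The point it makes is
general: a birthday search finds some colliding pair in about 2**(n/2) hashes,
while hitting one specific digest (a preimage) costs about 2**n, so a 32-bit
collision and a 16-bit preimage cost roughly the same work.

```python
import hashlib

# Added example (not from the original post): a toy "universe" small enough to
# search exhaustively, so the gap between finding a collision and finding a
# preimage can be measured instead of argued about. Prefixes and nonce format
# below are arbitrary.


def truncated_md5(data: bytes, nbits: int) -> int:
    """MD5 digest truncated to its top nbits bits (toy hash; real MD5 is 128 bits)."""
    return int.from_bytes(hashlib.md5(data).digest(), "big") >> (128 - nbits)


def find_collision(nbits: int, prefix_a: bytes, prefix_b: bytes, max_rounds: int = 1 << 22):
    """Birthday search for two messages, one per prefix, with equal truncated digest.

    Expected cost is about 2**(nbits/2) hashes: we only need *some* pair to
    land on the same value, not a particular value. Returns (msg_a, msg_b, hashes_done).
    """
    table_a = {}  # truncated digest -> message built from prefix_a
    table_b = {}  # truncated digest -> message built from prefix_b
    for i in range(max_rounds):
        ma = prefix_a + b" nonce=" + str(i).encode()
        ha = truncated_md5(ma, nbits)
        if ha in table_b:
            return ma, table_b[ha], 2 * i + 1
        table_a[ha] = ma
        mb = prefix_b + b" nonce=" + str(i).encode()
        hb = truncated_md5(mb, nbits)
        if hb in table_a:
            return table_a[hb], mb, 2 * i + 2
        table_b[hb] = mb
    raise RuntimeError("no collision within budget")


def find_preimage(nbits: int, target: int, max_tries: int = 1 << 24):
    """Brute-force a message whose truncated digest equals a *given* target.

    Expected cost is about 2**nbits hashes: every candidate must hit one
    specific value, so the birthday shortcut does not apply. Returns (msg, hashes_done).
    """
    for i in range(max_tries):
        m = b"guess nonce=" + str(i).encode()
        if truncated_md5(m, nbits) == target:
            return m, i + 1
    raise RuntimeError("no preimage within budget")


def forged_prediction(nbits: int = 32):
    """The 'lie about a prediction' trick: publish one digest now, later reveal
    whichever of two contradictory messages turned out to be true.

    Returns (commitment, msg_wins, msg_loses, hashes_done).
    """
    wins, loses, work = find_collision(nbits, b"Prediction: team A wins", b"Prediction: team A loses")
    commitment = truncated_md5(wins, nbits)
    if truncated_md5(loses, nbits) != commitment:
        raise RuntimeError("collision search returned a non-colliding pair")
    return commitment, wins, loses, work


if __name__ == "__main__":
    commitment, wins, loses, coll_work = forged_prediction(32)
    print("published commitment: %08x" % commitment)
    print("  reveals as:", wins)
    print("  or as:     ", loses)
    # Same amount of work opens one specific 16-bit "vault" (a preimage).
    _, pre_work = find_preimage(16, truncated_md5(b"the one vault", 16))
    print("collision in the 32-bit universe:", coll_work, "hashes (about 2^16 expected)")
    print("preimage  in the 16-bit universe:", pre_work, "hashes (about 2^16 expected)")
```

Run it a few times with different bit counts to see the scaling: doubling
nbits roughly squares the preimage cost but only doubles the collision cost,
which is why a broken collision resistance (MD5 today) and a still-unbroken
preimage resistance are different statements about the same algorithm, and why
a commitment that relies on the former is already unsafe.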
More information about the Digitalmars-d
mailing list