SHA-3 is KECCAK

Kagamin spam at here.lot
Fri Jan 17 06:04:28 PST 2014


On Friday, 17 January 2014 at 13:11:57 UTC, Chris Cain wrote:
> On Friday, 17 January 2014 at 11:37:26 UTC, Kagamin wrote:
>> MD5 is good enough for most cases.
>
> For any use where security isn't an actual concern, sure. If 
> it's just to casually verify that a file transferred 
> successfully (like an alternative to a checksum), then it's 
> fine to use. But don't use it to secure anything against an 
> attacker at this point.

There's no successful preimage attack on MD5, which is the only 
deadly attack on a hash function. SHA3 is just more convenient 
than MD5 because when you want to change the hash function, you 
don't have to ditch the whole system, only change its parameters.

>> AFAIK, keccak uses weird bit fiddling. Wasn't it considered a 
>> bad practice since DES because specialized hardware would 
>> give a considerable speedup, which will help in brute force 
>> attacks?
>
> Actually, the idea is that it _should_ be implemented in 
> specialized hardware to make it faster.

That's rather inconvenient, that you can't have an efficient 
implementation of the algorithm on common hardware. The MD5 family 
has no such flaw.

> And improving brute force attacks in this manner will only 
> provide a multiplicative increase in speed, and that's not a 
> concern. The overall strategy of using brute force isn't going 
> to be turned from infeasible to feasible because of that. It's 
> still completely infeasible to find two different messages s.t. 
> their SHA-3 hash is equal.

You assume that Moore's law doesn't and won't work. Write asserts 
for assumptions.
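
The "only change its parameters" point above, as an added example that is not code from this thread: one Keccak-f[1600] permutation in pure Python, with the sponge's rate/capacity, domain suffix and output length as the only knobs, so the same code produces SHA3-256, SHA3-512 and SHAKE128 and is cross-checked against CPython's hashlib. The function names (sponge, sha3, shake128, matches_hashlib) and the sample input are my own; the constants and round steps are the standard ones.

```python
import hashlib  # real stdlib module, used only to cross-check the constructed implementation

MASK = (1 << 64) - 1  # lanes are 64-bit words; RC = iota round constants, ROT = rho offsets [x][y]
RC = [0x0000000000000001, 0x0000000000008082, 0x800000000000808A, 0x8000000080008000, 0x000000000000808B, 0x0000000080000001,
      0x8000000080008081, 0x8000000000008009, 0x000000000000008A, 0x0000000000000088, 0x0000000080008009, 0x000000008000000A,
      0x000000008000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003, 0x8000000000008002, 0x8000000000000080,
      0x000000000000800A, 0x800000008000000A, 0x8000000080008081, 0x8000000000008080, 0x0000000080000001, 0x8000000080008008]
ROT = [[0, 36, 3, 41, 18], [1, 44, 10, 45, 2], [62, 6, 43, 15, 61], [28, 55, 25, 21, 56], [27, 20, 39, 8, 14]]

def rol(v, n):  # 64-bit rotate left
    return ((v << n) | (v >> (64 - n))) & MASK

def keccak_f(state):  # Keccak-f[1600]: 24 rounds of theta, rho, pi, chi, iota over 25 lanes
    A = [[int.from_bytes(state[8*(x+5*y):8*(x+5*y)+8], "little") for y in range(5)] for x in range(5)]
    for rc in RC:
        C = [A[x][0] ^ A[x][1] ^ A[x][2] ^ A[x][3] ^ A[x][4] for x in range(5)]  # theta: column parities
        D = [C[(x-1) % 5] ^ rol(C[(x+1) % 5], 1) for x in range(5)]
        A = [[A[x][y] ^ D[x] for y in range(5)] for x in range(5)]
        B = [[0] * 5 for _ in range(5)]
        for x in range(5):  # rho: rotate each lane; pi: move it to a new position
            for y in range(5):
                B[y][(2*x + 3*y) % 5] = rol(A[x][y], ROT[x][y])
        A = [[B[x][y] ^ (~B[(x+1) % 5][y] & B[(x+2) % 5][y]) for y in range(5)] for x in range(5)]  # chi
        A[0][0] ^= rc  # iota: round constant breaks symmetry
    return bytearray(b"".join(A[x][y].to_bytes(8, "little") for y in range(5) for x in range(5)))

def sponge(data, rate, suffix, out_len):  # rate = 200 - capacity, in bytes; this is the tunable part
    msg = bytearray(data) + bytes([suffix])  # domain-separation suffix (0x06 SHA-3, 0x1F SHAKE)
    msg += bytes(-len(msg) % rate)  # pad10*1: zeros up to the block boundary ...
    msg[-1] |= 0x80  # ... then the final 1 bit
    state = bytearray(200)
    for off in range(0, len(msg), rate):  # absorb: XOR each block into the rate part, then permute
        for i in range(rate):
            state[i] ^= msg[off + i]
        state = keccak_f(state)
    out = bytearray(state[:rate])
    while len(out) < out_len:  # squeeze extra blocks only when an XOF asks for more than one rate
        state = keccak_f(state)
        out += state[:rate]
    return bytes(out[:out_len])

def sha3(data, digest_len):  # SHA3-224/256/384/512 differ only by capacity = 2 * digest length
    return sponge(data, 200 - 2 * digest_len, 0x06, digest_len)
def shake128(data, out_len):  # SHAKE128: same permutation, 32-byte capacity, any output length
    return sponge(data, 168, 0x1F, out_len)

def matches_hashlib(data=b"The quick brown fox jumps over the lazy dog" * 10):  # constructed input
    return (sha3(data, 32) == hashlib.sha3_256(data).digest()
            and sha3(data, 64) == hashlib.sha3_512(data).digest()
            and shake128(data, 400) == hashlib.shake_128(data).digest(400))
```

Swapping from SHA3-256 to SHA3-512 changes one integer (the capacity) and nothing in the permutation, which is the convenience the post is pointing at; the lane-level rotations and the chi step are the "bit fiddling" mentioned earlier in the thread.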

