SHA-3 is KECCAK

[Chris Cain]

On Sunday, 19 January 2014 at 15:09:46 UTC, Kagamin wrote:
> Isn't it you, who insist on ignorance to how a collision attack 
> works and how it doesn't work? You insist on a magical approach 
> to cryptography, that MD5 magic doesn't work and SHA3 magic 
> works, but you should know that magic is a delusion, and 
> delusion leads to failures and damage, so by spreading 
> delusions, it's you who cause damage, not me.

Excuse me? Straw men arguments don't work here. Take that crap 
elsewhere. You keep asserting I say things that I don't say like 
crap like "You assume that Moores law doesn't work". Get out of 
here with that.

The fact that MD5 is weak against a collision attack means that 
it strictly provides weaker guarantees than the stronger SHA1, 
SHA2, and SHA3. No magic is necessary to know that with 
cryptography, attackers look for the weakest point in a chain to 
attack. Intentionally using something that provides weaker 
guarantees is foolish. And indeed a collision attack can cause 
problems, depending on what you want to do. I can't predict (nor 
can you) where some one will use a hash function expecting it to 
be secure, so the right thing to do is just suggest people use 
the stronger hash functions.

Furthermore, when talking about anything related to cryptography, 
we discuss things in terms of how much of a safety buffer we get. 
You're right that nothing is "perfectly safe" but when our 
estimations of safety suggest it should remain safe for at least 
20 years, then we're fine with it. That's why we don't use MD5. 
Because it has known flaws AND because it no longer has the 
"shield" of collision resistance. For a hash function, if it is 
"collision resistant" that strictly means that no pre image 
attack exists either. You'd have to break through two walls to 
break the hash function. With MD5, there is no such safety 
buffer. It's one discovery away from being destroyed. Ergo, don't 
use it because it can turn from "no pre image attacks exist" to 
"here's the pre image attack" overnight.

Preempting your counterargument: Indeed such a thing can happen 
with SHA2, but the the likelihood of such a thing is essentially 
non existent. If we haven't even discovered a single collision 
ever, we don't find the likelihood of generating collisions at 
will likely nor do we find the likelihood of generating a 
specific collision likely either.

Finally, I have never suggested anyone work off of "this stuff is 
magic so be ignorant of it while working with it". Quite the 
opposite. You should be well educated with this stuff prior to 
working with it or else you risk exposing confidential 
information which can be quite damaging. Part of this is _don't 
deliberately ignore the recommendations of cryptography experts_. 
What you suggest people do, "despite being a non-expert, I 
suggest you do use MD5 because those experts clearly don't know 
what they're talking about" is dangerous. And stop with the straw 
men attacks because I'm sick of it. Actually, I'm sick of all of 
your crap. You can have the last word and if it's "ignore the 
cryptography experts because I'm smarter than them", then so be 
it. You might want to also let your employer know as well so they 
can give you a raise *wink*.