1. 9
  1. 2

    I’m not sure of the NIST process. Can SHA-3 be trusted to be free of NSA backdoors?

    1. 8

      What would an NSA backdoor in SHA-3 look like? How would they use it?

      If SHA-3 bothers you, you can always stick with SHA-2, which the NSA simply dropped off one day. No compromised selection process to worry about. :)

      1. 8

        It was the winner of an open contest, and presumably one could read the public comment threads from when it was proposed if interested. And probably everyone should, just on the principle of not trusting people to mention if negatives came up during review, but personally I don’t have time.

        Being a hash function, the idea of a backdoor doesn’t make sense in any obvious way. There could be a mathematical weakness, either secretly-known or brand-new, that lowers its effective strength - but that’s exactly what the public process was looking for.

        1. 4

          I was thinking along the lines of a reduced keyspace attack being possible if certain techniques were used - presumably techniques which the NSA thinks no-one else knows or is capable of (for now).

          1. 3

            European cryptographers designed it. People from all over the world attacked it, and made almost embarrassingly little progress. Schneier worked on a competitor but says “I have absolutely no reservations about [Keccak’s] security.” Thomas Ptacek said “No cryptographer I know takes these particular ‘what-if’s’ [re: NSA involvement] seriously.”

            The very idea of a backdoor doesn’t make a ton of sense, because 1) if not for SHA-3 we’d go on using the NSA’s SHA-{1,2} (though really, they’re tweaks to MD5’s basic design), 2) Keccak would have to be almost surreally weak to actually, like, allow forging SSL certs today, and yet appear very strong, 3) as leaks indicate, it’s way simpler to just exploit bad software or mess with hardware. :(

            Finally, the public crypto community has some reason to be confident they can design a working hash function now. 20 years passed since MD4 came out (and MD5 and SHA-[012] were derivatives of MD4) – lots of things have been attacked; classes of attack are much better understood; some things stood up pretty well, others not; target security criteria increased a ton, leaving a lot more security margin.

        2. 2

          If you’re worried the NSA has somehow rooted SHA-3 because it’s the winner, there are still at least 4 other “losers” which are all still valid algorithms. For example, I recommend the Skein hash from everyone’s favorite cryptologist Bruce Schneier:

          1. 2

            Worth noting Schneier said “Keccak is a fine hash function; I have absolutely no reservations about its security.”