
From nobody Fri Jun 20 06:22:00 2014
Date: Fri, 20 Jun 2014 07:21:43 -0600
From: Aaron Toponce <aaron.toponce@gmail.com>
To: openpgp@ietf.org
Message-ID: <20140620132142.GB16781@irc.ae7.st>
Archived-At: http://mailarchive.ietf.org/arch/msg/openpgp/SW-qwK0G90tovDyxIS59AEua_-o
Subject: [openpgp] Support for alternatives to Merkle–Damgård

Last night, I was playing around with rhash(1), and noticed that not only does
it support SHA3 (specifically, Keccak-n that does not append the additional
'01' bits at the end before padding), but it also supports Whirlpool.

Are there any plans on integrating Whirlpool and/or SHA3 into the OpenPGP
standard? The reason I ask, is because of the supported algorithms, MD5, SHA1,
SHA224, SHA256, SHA384, and SHA512 are all built using the Merkle–Damgård
construction. This seems like putting all of your eggs into one basket, and
seems like a bad idea to me.

Further, because MD4 and MD5 are broken, which both are built around
Merkle–Damgård, and there exist theoretical attacks on SHA1 and SHA2, it seems
like there may be some fundamental, abstract flaw with Merkle–Damgård.

Whirlpool uses the Miyaguchi-Preneel construction while SHA3 uses the sponge
construction. It would seem that adding in support for these constructions
would be wise for OpenPGP, provided there is some breakthrough cryptanalysis on
Merkle–Damgård, and every hash OpenPGP supports falls victim, other than
RIPEMD-160 perhaps.

Of course, SHA3 hasn't been standardized yet by NIST. I understand that. Either
OpenPGP could wait for the standardization, which is just a subset of Keccak,
or use Keccak directly. I could see both sides of the argument equally here.

Anyway, just curious.

Thanks,

-- 
. o .   o . o   . . o   o . .   . o .
. . o   . o o   o . o   . o o   . . o
o o o   . o .   . o o   o o .   o o o


From nobody Fri Jun 20 07:09:58 2014
Message-ID: <53A44089.1050602@gmail.com>
Date: Fri, 20 Jun 2014 10:09:13 -0400
From: Rene Struik <rstruik.ext@gmail.com>
To: Aaron Toponce <aaron.toponce@gmail.com>, openpgp@ietf.org
References: <20140620132142.GB16781@irc.ae7.st>
In-Reply-To: <20140620132142.GB16781@irc.ae7.st>
Archived-At: http://mailarchive.ietf.org/arch/msg/openpgp/BQnouKgg4FJjuJeTrdiiY3sRInQ
Subject: Re: [openpgp] Support for alternatives to Merkle–Damgård

Hi Aaron:

FYI - while SHA-3 has indeed not been standardized yet, a draft has been
published (FIPS Pub 202) on May 28, 2014 with comment period ending
August 26, 2014, just after the SHA-3 workshop in Santa Barbara.

Best regards, Rene


On 6/20/2014 9:21 AM, Aaron Toponce wrote:
> Last night, I was playing around with rhash(1), and noticed that not only does
> it support SHA3 (specifically, Keccak-n that does not append the additional
> '01' bits at the end before padding), but it also supports Whirlpool.
>
> Are there any plans on integrating Whirlpool and/or SHA3 into the OpenPGP
> standard? The reason I ask, is because of the supported algorithms, MD5, SHA1,
> SHA224, SHA256, SHA384, and SHA512 are all built using the Merkle–Damgård
> construction. This seems like putting all of your eggs into one basket, and
> seems like a bad idea to me.
>
> Further, because MD4 and MD5 are broken, which both are built around
> Merkle–Damgård, and there exist theoretical attacks on SHA1 and SHA2, it seems
> like there may be some fundamental, abstract flaw with Merkle–Damgård.
>
> Whirlpool uses the Miyaguchi-Preneel construction while SHA3 uses the sponge
> construction. It would seem that adding in support for these constructions
> would be wise for OpenPGP, provided there is some breakthrough cryptanalysis on
> Merkle–Damgård, and every hash OpenPGP supports falls victim, other than
> RIPEMD-160 perhaps.
>
> Of course, SHA3 hasn't been standardized yet by NIST. I understand that. Either
> OpenPGP could wait for the standardization, which is just a subset of Keccak,
> or use Keccak directly. I could see both sides of the argument equally here.
>
> Anyway, just curious.
>
> Thanks,

-- 
email: rstruik.ext@gmail.com | Skype: rstruik
cell: +1 (647) 867-5658 | US: +1 (415) 690-7363

