Hi Paul

On Wed, Apr 05, 2017 at 07:24:11AM -0700, Paul Hoffman wrote:
> On 5 Apr 2017, at 1:42, Mukund Sivaraman wrote:
> >
> > Name: draft-muks-dnsop-dnssec-sha3
>
> NIST's use case for SHA3 algorithms is for when particular SHA2 algorithms
> are weakened. This would mean that the fallback for RSASHA256 is RSASHA512,
> not a SHA3 variant. Thus, the premise for this entire draft (which isn't
> listed until the end...) is flawed.

From FIPS 202:

"The four SHA-3 hash functions in this Standard supplement the hash functions that are specified in FIPS 180-4 [1]: SHA-1 and the SHA-2 family. Together, both Standards provide resilience against future advances in hash function analysis, because they rely on fundamentally different design principles."

From the NIST press release:

"SHA-3 is very different from SHA-2 in design," says NIST's Shu-jen Chang. "It doesn't replace SHA-2, which has not shown any problem, but offers a backup. It takes years to develop a new standard, and we wanted to be prepared in case problems do occur."

Though RSA/SHA-256 vs. RSA/SHA-512 doesn't affect RRSIG lengths, there's the case of DS digest size where the fallback for SHA-256 would be SHA3-256 because SHA-512 is longer.

SHA-512 hashing is known to be faster than SHA-256 on popular commodity hardware on inputs larger than a few bytes long, and though the algorithms are different, they are more siblings w.r.t. analysis. E.g., see the table below where each attack affects both SHA-256 and SHA-512:

https://en.wikipedia.org/wiki/SHA-2#Cryptanalysis_and_validation

> Also, it is weird that a draft that is about having a fallback if a hash
> algorithm becomes weakened uses the RSASSA-PKCS1-v1_5 signature scheme,
> given that PKCS1 1.5 is already known to be weakened.

It was to allow simple addition of the algorithm to existing implementations. However, in light of your comment, we'll discuss revising it.

Mukund
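As an added illustration of the DS digest-size point made above (example code, not from the draft or from either poster): a DS digest is computed over the canonical owner name followed by the DNSKEY RDATA (RFC 4034), so swapping the hash function changes only the digest length, which is why SHA3-256 keeps DS records the size of today's SHA-256 ones while SHA-512 doubles them. The owner name and key bytes are constructed sample values.

```python
import hashlib

# Digest functions the message compares: SHA-256 (today's DS digest type 2),
# SHA-512 (the SHA-2 fallback) and SHA3-256 (the draft's proposed fallback).
HASHES = ("sha256", "sha512", "sha3_256")


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 s6.2): lowercase,
    length-prefixed labels, terminated by the root's zero-length label."""
    out = bytearray()
    for label in name.lower().rstrip(".").split("."):
        if label:
            raw = label.encode("ascii")
            out.append(len(raw))
            out += raw
    out.append(0)
    return bytes(out)


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def ds_digest(owner: str, rdata: bytes, hash_name: str) -> bytes:
    """RFC 4034 s5.1.4: DS digest = hash(canonical owner name || DNSKEY RDATA).
    The input is identical for every digest type; only the hash differs."""
    h = hashlib.new(hash_name)
    h.update(name_to_wire(owner))
    h.update(rdata)
    return h.digest()


def digest_sizes(owner: str, rdata: bytes) -> dict:
    """Map each hash name to the resulting DS digest length in bytes."""
    return {name: len(ds_digest(owner, rdata, name)) for name in HASHES}


# Constructed sample: KSK flags (257), protocol 3, algorithm 8 (RSASHA256)
# and a made-up public-key blob; this is not a real key.
SAMPLE_OWNER = "Example.COM."
SAMPLE_RDATA = dnskey_rdata(257, 3, 8, b"\x03\x01\x00\x01" + bytes(range(256)))

if __name__ == "__main__":
    for name, size in digest_sizes(SAMPLE_OWNER, SAMPLE_RDATA).items():
        print(f"{name:9s} DS digest: {size} bytes")
```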
_______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop