|
|
|
|
|
|
by copsarebastards
3964 days ago
|
|
|
> BLAKE(2) is not open to length-extension attacks---in fact resistance to those was a requirement of any SHA-3 submission. I did make a mistake understanding the algorithm. You're mostly right: no length extension attack has yet been found. However, HAIFA is far more similar to MD than the sponge construction, and this is widely cited as a reason for Keccak's selection. > As far as security goes, Keccak and BLAKE are mostly in equal standing both in security margin (number of rounds attacked vs total number of rounds) and cryptanalytic attention received. Then why was Keccak selected? It's clear that at least some analysts think Keccak has significant advantages over BLAKE. And ultimately my point still stands: a comparison of cryptographic hashes should start with a discussion of their security properties. Glibly stating "it's faster therefore it's better!" is highly dangerous. |
|
|
It is in the compression function (resp. permutation) that Keccak differs the most from BLAKE. BLAKE is ARX-based---like SHA-2---while Keccak only uses bitwise operations. Since SHA-2 is not being deprecated by NIST, they figured that having a 'different' SHA-3 would hedge their bets against an attack against ARX primitives that could potentially break both SHA-2 and {BLAKE, Skein}. This is stated in [1, ยง3.4]. This has nothing to do with the MD structure.
Sure, when discussing these things security does come first. But all of these functions have been thoroughly vetted already, so the differentiators are elsewhere: sponges are flexible, BLAKE is faster in software, etc.
[1] http://nvlpubs.nist.gov/nistpubs/ir/2012/NIST.IR.7896.pdf