by 22c 1789 days ago
> a highwayhash is only cryptographically strong (but not cryptographically secure)

Can you let me know what you mean by strong vs. secure? When would you use one vs. the other? I've heard both of these terms used but they seem almost interchangeable[1].

I've also heard things like "this would be suitable for encrypting a password which is stored at rest" vs. "this could be suitable for a short lived one-time key", but I don't know what the correct terminology is there.

[1] https://en.wikipedia.org/wiki/Strong_cryptography

1 comments

It's weird terminology. highwayhash aims to be cryptographically secure for its problem domain. But it's designed by (afaik) non-cryptographers, has weird security claims (they gauge security from statistical tests) and hasn't (afaik) received any formal peer review; it can also be instantiated in sub-secure hash sizes. You shouldn't use it to protect secrets, beyond the kind of incident secrecy you'd ask from something like SipHash.

It would be better if people would be clear about this stuff; you see the same thing from the PCG RNG people, who say that their generator isn't a CSPRNG, but is somehow more secure than other non-CSPRNGs.

Without intending to endorse the wording, I suspect what's being communicated might be something related to the difficulty for an attacker to derail your system by cheaply predicting hashes. IIRC, the standard Java runtime HashMap implementation was susceptible to this at one point - an attacker could easily and cheaply force all values into only a few buckets.

The idea being, you might not care about actual cryptographic security but instead only the feasibility of some sort of cheap online collision attack.

Right, that's what SipHash tries to do too (SipHash was designed by two very reputable cryptographers).

In layman's terms, sounds like it's something which is difficult to guess but not necessarily difficult to crack?
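The bucket-prediction problem discussed in this thread, as an added example that is not part of any comment: an unkeyed polynomial hash in the style of Java's `String.hashCode()` puts a set of structurally related keys into one bucket, while a hash keyed with a per-process secret spreads the same keys out. Keyed BLAKE2b from `hashlib` stands in for SipHash here; the function names, the 64-bucket table and the key set are assumptions made for illustration.

```python
import hashlib
import os
from collections import Counter
from itertools import product


def java_string_hash(s: str) -> int:
    """Unkeyed polynomial hash, h = 31*h + c, truncated to 32 bits."""
    h = 0
    for ch in s:
        h = (31 * h + ord(ch)) & 0xFFFFFFFF
    return h


def keyed_hash(s: str, key: bytes) -> int:
    """Keyed 64-bit hash. BLAKE2b is a stand-in for SipHash (assumption)."""
    digest = hashlib.blake2b(s.encode(), key=key, digest_size=8).digest()
    return int.from_bytes(digest, "little")


def colliding_keys(blocks: int = 8) -> list:
    """Constructed sample input: "Aa" and "BB" hash equal under the
    polynomial hash (65*31 + 97 == 66*31 + 66 == 2112), and so does every
    equal-length concatenation of them."""
    return ["".join(p) for p in product(("Aa", "BB"), repeat=blocks)]


def max_bucket(keys, hash_fn, buckets: int = 64) -> int:
    """Size of the fullest bucket: the worst-case chain a lookup walks."""
    counts = Counter(hash_fn(k) % buckets for k in keys)
    return max(counts.values())


if __name__ == "__main__":
    keys = colliding_keys()
    secret = os.urandom(16)  # per-process key, unknown to whoever picks the keys
    print("keys:", len(keys))
    print("unkeyed, fullest bucket:", max_bucket(keys, java_string_hash))
    print("keyed, fullest bucket:",
          max_bucket(keys, lambda s: keyed_hash(s, secret)))
```

The keyed variant only has to keep outputs unpredictable to someone who does not hold the key, which is a narrower goal than collision or preimage resistance for a general-purpose cryptographic hash.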