The cr.yp.to microblog: 2017.06.14 22:37:42

2017.06.14 22:37:42 (875089888416288770) from Daniel J. Bernstein, replying to "Brian Smith (@BRIAN_____)" (875071469511778304):

NIST demanded 2^256 preimage security for SHA3-256 through the whole competition, then suddenly proposed dropping to 2^128 for 1.2x speedup.

2017.06.14 22:43:12 (875091271093821440) from Daniel J. Bernstein:

The current dispute between @agl__ and @keccakteam is about a much bigger SHA-3 speedup, namely vectorization, which NIST SP 800-185 allows.

2017.06.14 22:48:35 (875092628852887552) from Daniel J. Bernstein:

NIST SP 800-185 vectorizes not by changing the security level but by changing the order of processing input blocks. Breaks interoperability.

2017.06.14 22:52:34 (875093631987830784) from Daniel J. Bernstein:

Now @agl__ correctly observes that this fast (vectorized) function isn't SHA-3, while @keccakteam correctly observes that it's standardized.