I guess that their intent is to surf on the NSA conspiracy bandwagon, to create the buzz and to attract more customers. Bad taste buzz, but only money is driving the business, isn't it?

The following reference is obligatory tmo:

http://xkcd.com/538/

As security experts, suggesting that using another cipher suite would protect the customers from the NSA is either ridicule or ignorant of NSA's actual powers at best. Again, I've no clue of what these powers could be, but suggesting that they could break into secure systems by brute-forcing or cryptanalysing AES / SHA-2 does not make sense. Doing so would cost an overwhelming amount of energy, even for the NSA, when actually much much cheaper and conventional methods exist, like tapping into back-end systems (often with agreement from operators themselves), installing key logger into end user devices, etc. They certainly control some botnets, and maybe even some underground websites. Knowing that most users uses the same password over several websites, it's really a child game to penetrate systems for an organisation like the NSA. The NSA do not need to guess your secrets, they simply read it over your back.

If Silent Circles feel like doing something, what about playing the card of full transparency and proving to the community that they are indeed beyond any doubts? That would at least have the merit to elevate the current level of discussions and not to throw away the work of dozens if not hundreds of people around the world trying to bring real open peer-reviewed security.

NIST's proposal (presented at last CHES conference) is NOT reducing the internal strength of Keccak.

NIST proposes some standard values for a parameter called "capacity" in Keccak, and for which Keccak's authors always said that it can be freely chosen by the designers. A high capacity means a higher security, and a lower capacity means a better performance. NIST's current forecast for FIPS202 specifies 2 values for the capacity, namely 256 and 512, that would bring the SHA-3 standard to an equivalent security level as the AES (2^128 operations required to break c=256 and 2^256 operations required to break c=512). One may actually consider that these security levels are the same as the ones in the original submission, because these are the minimum security levels offered by *ALL* finalists (including Keccak). Indeed all candidates for SHA3-256 offers a collision resistance of 2^128 operations, and 2^256 operations for SHA3-512.

The discussion here is that actually choosing c=256 means that the cost to find pre-image is also reduced to 2^128 operation, instead of 2^256 as in say SHA2-256. There are ongoing discussions on the mailing list about the theoretical consequences of this choice, but what strikes me most is why people are so much focusing on the strongest security bound of a primitive (pre-image here) and are completely ignoring the weakest security bound (collision resistance). Of course one may always design an application that would be immune to collision resistance, but if one only looks at the primitive, saying that SHA2-256 offers a security of 2^256 because it has a pre-image resistance of that level is clearly fooling himself. In that sense, NIST proposal was to level the security bound of the primitive to its guaranteed minimum as for block ciphers, and allows a security bound of either 2^128 (c=256) or 2^256 (c=512). Those with an ounce of common sense will observe that 2^128 is completely astronomical, and absolutely out of reach of any thinkable devices in the future, even for the NSA! And if you don't care about performance (you probably don't design products then), and are absolutely paranoïd, there is then still the freedom to chose a capacity c=512, as allowed in current proposal, and probably waste computer cycles for no gain whatsoever.

I of course have no clue on the possible influence of the NSA, but for having attended to SHA-3 and similar conferences, I must say that NIST's work in SHA-3 is remarkable and *unprecedented* in the cryptographic community. NIST ran the most *OPEN* process ever for the evaluation and selection of the new SHA-3 standard. I think that the intention of NIST is to write a standard that will satisfy the majority of the community (hence their openness and presentation at CHES), and that will offer the most of potential of the winner candidate. Keccak is really a "new" object in the cryptographic community, that is quite different from previous proposals, and no wonder to me that its adoption triggers some questions. However the hidden suggestion that NIST would have a secret agenda is clearly participating to current tin-foil propaganda of some would-be security specialists that are trying to acquire attention, and brings zero to the current standardization process.