For the last five years, NIST, the government body charged with developing new standards for computer security, among other things, has been searching for a new hash function to replace the aging SHA-2 function. Fives years is a long time, but this is the federal government and things move at their own pace in Washington, but NIST soon will be announcing the winner from the five finalists that were chosen last year. Despite the problems that have cropped up with some versions of SHA-2 in the past and the long wait for the new function, there doesn’t seem to be much in the way of breathless anticipation for this announcement. So much so, in fact, that Bruce Schneier, a co-author of one of the finalists not only isn’t hoping that his entry wins, he’s hoping that none of them wins.
That may sound like an odd way to approach a competition like this, but it’s not because Schneier doesn’t think the finalists are worthy of winning. In fact, he says, they’re all good and fast and perfectly capable. The problem is, he doesn’t think that the world needs a new hash function standard at all. SHA-512, the stronger version of the SHA-2 function that’s been in use for more than a decade, is still holding up fine, Schneier said, which was not what cryptographers anticipated would be the case when the SHA-3 competition was conceived.
“When we started this process back in 2006, it looked as if we would be needing a new hash function soon. The SHA family (which is really part of the MD4 and MD5 family), was under increasing pressure from new types of cryptanalysis. We didn’t know how long the various SHA-2 variants would remain secure. But it’s 2012, and SHA-512 is still looking good,” Schneier said in a blog post.
Schneier co-authored Skein, one of the five finalists for the SHA-3 function, and said that he’s happy with the entry, as well as with the others, many of which are faster than SHA-2. However, he said there’s no compelling reason to adopt a new standard, regardless of which of the finalists ultimately is chosen.
“I expect SHA-2 to be still acceptable for the foreseeable future. That’s the problem. It’s not like AES. Everyone knew that DES was dead — and triple-DES was too slow and clunky — and we needed something new. So when AES appeared, people switched as soon as they could. This will be different,” Schneier said via email.
Hash functions are important, if lesser-known, members of the cryptographic family. They’re used in several ways, but at their core, they’re designed to protect information but running it through a function that computes a digest based on the data in such a way that if the original message is changed, the digest also will be changed. It should be impossible for there to be two unique messages that produce identical hashes.
Though there are five finalists for the SHA-3 competition, there’s no guarantee that NIST will select a winner. The agency could choose none of the above, something that Schneier said would be OK him. Matthew Green, an assistant research professor of computer science at Johns Hopkins University, said he’d rather not see that, as it may not bode well for future competitions.
“My practical concern would be that if NIST doesn’t pick a winner this time, we probably couldn’t expect the same level of enthusiasm the next time NIST announces a competition. This would be a very bad thing,” Green said.
In 2007, when the SHA-3 competition was announced, there were serious concerns about the future security of the existing hash functions. Though the attacks against SHA-1 and SHA-2 that had cryptographers worried then haven’t really turned up yet, Green said he’s still happy that NIST chose to hold the SHA-3 competition.
“First, the SHA-3 competition was launched at a time when MD5 had just been seriously broken and SHA1 looked to be next. Since SHA2 shares a lot of the key features of SHA1, people felt that we needed some better ideas. This was the right judgement,” he said.