NISTFor the last five years, NIST, the government body charged with developing new standards for computer security, among other things, has been searching for a new hash function to replace the aging SHA-2 function. Fives years is a long time, but this is the federal government and things move at their own pace in Washington, but NIST soon will be announcing the winner from the five finalists that were chosen last year. Despite the problems that have cropped up with some versions of SHA-2 in the past and the long wait for the new function, there doesn’t seem to be much in the way of breathless anticipation for this announcement. So much so, in fact, that Bruce Schneier, a co-author of one of the finalists not only isn’t hoping that his entry wins, he’s hoping that none of them wins.

That may sound like an odd way to approach a competition like this, but it’s not because Schneier doesn’t think the finalists are worthy of winning. In fact, he says, they’re all good and fast and perfectly capable. The problem is, he doesn’t think that the world needs a new hash function standard at all. SHA-512, the stronger version of the SHA-2 function that’s been in use for more than a decade, is still holding up fine, Schneier said, which was not what cryptographers anticipated would be the case when the SHA-3 competition was conceived.

“When we started this process back in 2006, it looked as if we would be needing a new hash function soon. The SHA family (which is really part of the MD4 and MD5 family), was under increasing pressure from new types of cryptanalysis. We didn’t know how long the various SHA-2 variants would remain secure. But it’s 2012, and SHA-512 is still looking good,” Schneier said in a blog post.

Schneier co-authored Skein, one of the five finalists for the SHA-3 function, and said that he’s happy with the entry, as well as with the others, many of which are faster than SHA-2. However, he said there’s no compelling reason to adopt a new standard, regardless of which of the finalists ultimately is chosen.

“I expect SHA-2 to be still acceptable for the foreseeable future. That’s the problem. It’s not like AES. Everyone knew that DES was dead — and triple-DES was too slow and clunky — and we needed something new. So when AES appeared, people switched as soon as they could. This will be different,” Schneier said via email.

Hash functions are important, if lesser-known, members of the cryptographic family. They’re used in several ways, but at their core, they’re designed to protect information but running it through a function that computes a digest based on the data in such a way that if the original message is changed, the digest also will be changed. It should be impossible for there to be two unique messages that produce identical hashes.

Though there are five finalists for the SHA-3 competition, there’s no guarantee that NIST will select a winner. The agency could choose none of the above, something that Schneier said would be OK him. Matthew Green, an assistant research professor of computer science at Johns Hopkins University, said he’d rather not see that, as it may not bode well for future competitions.

“My practical concern would be that if NIST doesn’t pick a winner this time, we probably couldn’t expect the same level of enthusiasm the next time NIST announces a competition. This would be a very bad thing,” Green said.

In 2007, when the SHA-3 competition was announced, there were serious concerns about the future security of the existing hash functions. Though the attacks against SHA-1 and SHA-2 that had cryptographers worried then haven’t really turned up yet, Green said he’s still happy that NIST chose to hold the SHA-3 competition.

“First, the SHA-3 competition was launched at a time when MD5 had just been seriously broken and SHA1 looked to be next. Since SHA2 shares a lot of the key features of SHA1, people felt that we needed some better ideas. This was the right judgement,” he said. 

“Now it’s a few years later and the expected attacks on SHA1 and SHA2 haven’t materialized. This is good news, but it’s still important that the competition happened. The hash functions it gave us are manifestly better than SHA2 and SHA1. They’re even faster.”
NIST hasn’t given an exact date for the SHA-3 announcement, but it’s expected soon.

Categories: Cryptography

Comments (9)

  1. Anonymous

    “It should be impossible for there to be two unique messages that produce identical hashes.”  This is demonstrably untrue.  If the messages are longer than the hash, at *SOME* point, there will be a collision.  Collisions, however, should be both (very, very) rare, and hard/impossible to intuit how to derive.

  2. Anonymous

    SHA-1 is weak, and should not be used for new applications.  See the wikipedia page for a roundup of papers, and footnote two on the page for a good analysis of one of the flaws as an overview.  

    SHA-2 (and it’s variants SHA-256 and SHA-512)is related, and everyone thought it was likely similar weaknesses would be discovered soon, but they haven’t been.  That’s the point of the article.

  3. David A. Wheeler

    I disagree. You don’t wait to build a fire escape until the building is on fire. Similarly, we need a good alternative hash algorithm *now*.

    In general, we should always have *two* crypto algorithms for any purpose that are widely implemented. That way, if one breaks, everyone just switches their configuration to the other one. If you only have one algorithm… you have nothing to switch to.

    Today, symmetric key encryption is widely implemented in AES. But lots of people still implement 3DES. 3DES is really slow, but there’s no known MAJOR break in it, so in a pinch people could switch to it.

    Similarly, we have known concerns about SHA-2, SHA-256, and SHA-512. Maybe there will never be a problem. So what? Build the fire escape NOW, thank you.

  4. mgb

    “What’s wrong with having a Plan B?”

    – You incur the expense of having multiple implemented standards 

    and simultaneously

    – You give potential attackers a concrete target on which to unleash their analysis

  5. PrearmaSoto


Comments are closed.