more on NIST hash competition
Paul Hoffman
paul.hoffman at vpnc.org
Wed Jan 24 17:26:34 EST 2007
At 8:22 PM -0500 1/23/07, Ivan Krstić wrote:
>Perry E. Metzger wrote:
>> http://www.csrc.nist.gov/pki/HashWorkshop/index.html
>
>I'm completely unfamiliar with the way NIST operates, but I've been
>wondering for years why they haven't organized this competition already.
>Do we have a list veteran who can shed some light on why it took them
>this long? My curiosity demands to know.

At the Second Hash Workshop this summer, NIST explained this a bit.
(There were a bunch of regulars from this list there who can correct
me if I'm wrong.)

First, there is SHA-2 (SHA-256, -384, and -512). Nearly everyone
thinks they are good enough unless there is an unexpected attack. So
NIST was not hot to create something that competes with this.

More important, however, is the lack of sureness in the community
that we know what will make a good hash function, much less one that
is better than SHA-2. See
<http://www.proper.com/lookit/hash-futures-panel-notes.html> for much
more on that.

Also, remember that we don't know much about the design of SHA-2. In
fact, unless the NSA tells the world a whole lot more, it will not be
able to compete in the NIST competition due to requirement B1 in the
proposal.

At the end of the workshop, there were at least two camps: those who
wanted a competition in case Wang-esque attacks degrade SHA-2, and
those who didn't want a competition until we knew more about how to
judge it because we don't know enough now. Some of the Big Names In
Crypto are in the second group. It looks like NIST sided with the
first group, but it will be interesting if the folks in the second
group are vocal during the coming few years.

--Paul Hoffman, Director
--VPN Consortium
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com