[IP] One cryptographer's perspective on the SHA-1 result
Steven M. Bellovin
smb at cs.columbia.edu
Wed Feb 23 21:37:25 EST 2005
Burt Kaliski posted the following to Dave Farber's IP list. I was
about to post something similar myself.
>Beyond that, it is now clear that the industry needs an open evaluation
>process -- like the Advanced Encryption Standard competition -- to establish
>a new hash function standard for the long term, or at least an alternative
>if SHA-256 and above turn out still to be good enough after review.
>
As he quite eloquently pointed out, we have a near-monoculture of hash
algorithms. Virtually every well-known hash algorithm, with the
exception of Whirlpool, is derived from MD2/MD4/MD5. At the time SHA-0
was released, in fact, there was a great deal of speculation that NSA
had copied Rivest's framework to avoid disclosing any new principles
for hash function construction.
I have no idea if that's true or not. As we all know, even NSA found
SHA more problematic than they would have hoped; witness the release of
SHA-1 not all that long afterwards.
When NIST released SHA256/384/512 shortly after AES, but without a
public competition, the word was that they didn't have the resources to
run two simultaneous large-scale, open processes. That's a fair
statement, and given the choice between an openly-chosen encryption
algorithm and an openly-chosen hash function I think most of us would
have made the same decision.
I don't know if there's quite the need for open process for a hash
function as there was for a secrecy algorithm. The AES process, after
all, had to cope with the legacy of Clipper and key escrow, to say
nothing of the 25 years of DES paranoia that was only laid to rest by
the reinvention of differential cryptanalysis. (The Deep Crack machine
only confirmed another part of the paranoia, of course, but the
essential parameter it exploited -- key size -- was both obviously
insufficient in 1979 and obviously sufficient from the requirements of
the AES competition.) It is clear, as Burt said, that we need a
large-scale effort to produce new and better hash functions. To try to
repair the MD*/SHA* family is to risk the cry of "epicycles".
--Prof. Steven M. Bellovin, http://www.cs.columbia.edu/~smb