[IP] One cryptographer's perspective on the SHA-1 result

Steven M. Bellovin smb at cs.columbia.edu
Wed Feb 23 21:37:25 EST 2005


Burt Kaliski posted the following to Dave Farber's IP list.  I was 
about to post something similar myself.

>Beyond that, it is now clear that the industry needs an open evaluation
>process -- like the Advanced Encryption Standard competition -- to establish
>a new hash function standard for the long term, or at least an alternative
>if SHA-256 and above turn out still to be good enough after review.
>

As he quite eloquently pointed out, we have a near-monoculture of hash 
algorithms.  Virtually every well-known hash algorithm, with the 
exception of Whirlpool, is derived from MD2/MD4/MD5.  At the time SHA-0 
was released, in fact, there was a great deal of speculation that NSA 
had copied Rivest's framework to avoid disclosing any new principles 
for hash function construction.

I have no idea if that's true or not.  As we all know, even NSA found 
SHA more problematic than they would have hoped; witness the release of 
SHA-1 not all that long afterwards.

When NIST released SHA256/384/512 shortly after AES, but without a 
public competition, the word was that they didn't have the resources to 
run two simultaneous large-scale, open processes.  That's a fair 
statement, and given the choice between an openly-chosen encryption 
algorithm and an openly-chosen hash function I think most of us would 
have made the same decision.

I don't know if there's quite the need for open process for a hash 
function as there was for a secrecy algorithm.  The AES process, after 
all, had to cope with the legacy of Clipper and key escrow, to say 
nothing of the 25 years of DES paranoia that was only laid to rest by 
the reinvention of differential cryptanalysis.  (The Deep Crack machine 
only confirmed another part of the paranoia, of course, but the 
essential parameter it exploited -- key size -- was both obviously 
insufficient in 1979 and obviously sufficient from the requirements of 
the AES competition.)  It is clear, as Burt said, that we need a 
large-scale effort to produce new and better hash functions.  To try to 
repair the MD*/SHA* family is to risk the cry of "epicycles".

		--Prof. Steven M. Bellovin, http://www.cs.columbia.edu/~smb
