more on NIST hash competition

Paul Hoffman paul.hoffman at
Wed Jan 24 17:26:34 EST 2007

At 8:22 PM -0500 1/23/07, Ivan Krstić wrote:
>Perry E. Metzger wrote:
>I'm completely unfamiliar with the way NIST operates, but I've been
>wondering for years why they haven't organized this competition already.
>Do we have a list veteran who can shed some light on why it took them
>this long? My curiosity demands to know.

At the Second Hash Workshop this summer, NIST explained this a bit. 
(There were a bunch of regulars from this list there who can correct 
me if I'm wrong.)

First, there is SHA-2 (SHA-256, -384, and -512). Nearly everyone 
thinks they are good enough unless there is an unexpected attack. So 
NIST was not hot to create something that competes with this.

More important, however, is the lack of sureness in the community 
that we know what will make a good hash function, much less one that 
is better than SHA-2. See 
<> for much 
more on that.

Also, remember that we don't know much about the design of SHA-2. In 
fact, unless the NSA tells the world a whole lot more, it will not be 
able to compete in the NIST competition due to requirement B1 in the 

At the end of the workshop, there were at least two camps: those who 
wanted a competition in case Wang-esque attacks degrade SHA-2, and 
those who didn't want a competition until we knew more about how to 
judge it because we don't know enough now. Some of the Big Names In 
Crypto are in the second group. It looks like NIST sided with the 
first group, but it will be interesting if the folks in the second 
group are vocal during the coming few years.

--Paul Hoffman, Director
--VPN Consortium
