[16980] in cryptography@c2.net mail archive
Re: [IP] One cryptographer's perspective on the SHA-1 result
daemon@ATHENA.MIT.EDU (Steven M. Bellovin)
Thu Mar 3 18:51:30 2005
X-Original-To: cryptography@metzdowd.com
From: "Steven M. Bellovin" <smb@cs.columbia.edu>
To: cryptography@metzdowd.com
In-Reply-To: Your message of "Wed, 23 Feb 2005 19:48:01 EST."
<BE428E71.1DD62%dave@farber.net>
Date: Wed, 23 Feb 2005 21:37:25 -0500
Burt Kaliski posted the following to Dave Farber's IP list. I was
about to post something similar myself.

>Beyond that, it is now clear that the industry needs an open evaluation
>process -- like the Advanced Encryption Standard competition -- to establish
>a new hash function standard for the long term, or at least an alternative
>if SHA-256 and above turn out still to be good enough after review.
>

As he quite eloquently pointed out, we have a near-monoculture of hash
algorithms. Virtually every well-known hash algorithm, with the
exception of Whirlpool, is derived from MD2/MD4/MD5. At the time SHA-0
was released, in fact, there was a great deal of speculation that NSA
had copied Rivest's framework to avoid disclosing any new principles
for hash function construction.

I have no idea if that's true or not. As we all know, even NSA found
SHA more problematic than they would have hoped; witness the release of
SHA-1 not all that long afterwards.

When NIST released SHA256/384/512 shortly after AES, but without a
public competition, the word was that they didn't have the resources to
run two simultaneous large-scale, open processes. That's a fair
statement, and given the choice between an openly-chosen encryption
algorithm and an openly-chosen hash function I think most of us would
have made the same decision.

I don't know if there's quite the need for open process for a hash
function as there was for a secrecy algorithm. The AES process, after
all, had to cope with the legacy of Clipper and key escrow, to say
nothing of the 25 years of DES paranoia that was only laid to rest by
the reinvention of differential cryptanalysis. (The Deep Crack machine
only confirmed another part of the paranoia, of course, but the
essential parameter it exploited -- key size -- was both obviously
insufficient in 1979 and obviously sufficient from the requirements of
the AES competition.) It is clear, as Burt said, that we need a
large-scale effort to produce new and better hash functions. To try to
repair the MD*/SHA* family is to risk the cry of "epicycles".
--Prof. Steven M. Bellovin, http://www.cs.columbia.edu/~smb
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com