Comments: NIST Competition to create new Hash algorithm

At 8:22 PM -0500 1/23/07, Ivan KrstiÁ wrote:
> Perry E. Metzger wrote:
>> http://www.csrc.nist.gov/pki/HashWorkshop/index.html
>
> I'm completely unfamiliar with the way NIST operates, but I've been
> wondering for years why they haven't organized this competition already.
> Do we have a list veteran who can shed some light on why it took them
> this long? My curiosity demands to know.

At the Second Hash Workshop this summer, NIST explained this a bit. (There were a bunch of regulars from this list there who can correct me if I'm wrong.)

First, there is SHA-2 (SHA-256, -384, and -512). Nearly everyone thinks they are good enough unless there is an unexpected attack. So NIST was not hot to create something that competes with this.

More important, however, is the lack of sureness in the community that we know what will make a good hash function, much less one that is better than SHA-2. See for much more on that.

Also, remember that we don't know much about the design of SHA-2. In fact, unless the NSA tells the world a whole lot more, it will not be able to compete in the NIST competition due to requirement B1 in the proposal.

At the end of the workshop, there were at least two camps: those who wanted a competition in case Wang-esque attacks degrade SHA-2, and those who didn't want a competition until we knew more about how to judge it because we don't know enough now. Some of the Big Names In Crypto are in the second group. It looks like NIST sided with the first group, but it will be interesting if the folks in the second group are vocal during the coming few years.

--Paul Hoffman, Director
--VPN Consortium

Posted by Seen on crypto group at January 25, 2007 02:22 PM
Post a comment









Remember personal info?






Hit Preview to see your comment.
MT::App::Comments=HASH(0x561ea5053f68) Subroutine MT::Blog::SUPER::site_url redefined at /home/iang/www/fc/cgi-bin/mt/lib/MT/Object.pm line 125.