Published by Henry Golden. Modified over 9 years ago.
1 Some Current Thinking on Hash Functions Within NIST
John Kelsey, NIST, June 2005
2 Overview
● How We Got Here
● Impact of Recent Attacks
● Short-Term Reactions
● Long-Term: New Algorithms?
● The Workshop (Oct 31-Nov 1, 2005)
3 How We Got Here: Recent Attacks
● Crypto 2004
  – Wang rump session talk (aka mass die-off of hash functions)
  – Joux, Biham/Chen analyses of SHA0/1
  – Joux multicollision result
● In 2005 (so far):
  – Wang announced break of SHA1
  – Many clever applications of MD5 collisions
  – 2nd preimage attacks
  – Full details of MD4/MD5/RIPEMD attacks published
4 Impact of Attacks
● MD5 Attack:
  – Attack is practical, and MD5 still widely used
  – Huge need to quickly migrate to something stronger!
  – But NIST had never recommended MD5....
● SHA1 Attack:
  – Attack not (yet) very practical (about 2^69 work)
  – Need to migrate to something stronger, but not urgent.
  – SHA1's life was almost over anyway....
  – ...but NIST got burned!
5 Impact of Attacks (2)
● Damgård-Merkle Construction attacks
  – Joux multicollisions
  – 2nd preimages
  – More to come....
● Impact:
  – When can we trust an n-bit iterated hash against an attacker who can do 2^(n/2) work?
  – HMAC unaffected
  – How much do we really know about our hash constructions?
6 Impact of Attacks: Summary
● Urgent need to migrate from MD5
● Less urgent need to migrate from SHA1
● SHA1 result may undermine confidence in SHA256
  – Same organization designed it (NSA)
  – Same organization standardized on it (NIST)
  – Similar enough design to raise concerns
● ...but is the public crypto community doing any better?
  – How well do we understand hash functions?
7 How to React to Attacks?
● Short-Term:
  – Migration to SHA256 and truncated SHA256
  – A few special-purpose workarounds
  – Evaluate SHA256/512 for security
● Long-Term:
  – Existing alternatives to SHA family?
  – Developing new algorithms?
8 Short-Term Reaction: Migration and Workarounds
● Migration to SHA256
  – Urgent need for cryptanalysis before mass migration
  – Truncated SHA256 (SHA-x): drop-in replacement for SHA1 and maybe MD5
● Change certificate signing and other protocols to minimize the impact of collisions on applications.
● Problems:
  – SHA256 confidence?
  – Hard to migrate twice.
  – MD5 and SHA1 apps are in very different situations.
9 Long-Term Reaction: New Algorithms?
● SHA256/512 already in protocols and products
  – Won't be withdrawn unless a real attack appears
  – Do we need another algorithm?
● Few existing choices with the required parameters
  – {256, 384, 512}-bit output for {128, 192, 256}-bit collision resistance
● A few possibilities:
  – Whirlpool (256/384/512)
  – GOST hash (256)
  – Existing generic block cipher constructions w/ AES
10 New Algorithms: Requirements We Know About
● Drop-in replacement for SHA family
● Output size = {224, 256, 384, 512}
  – (Truncation OK)
  – n-bit output must correspond to n/2-bit collision resistance (needed for DSA, ECDSA)
● Usable in other common hash places
  – Pseudorandom bit generation
  – Key derivation
● Public, unpatented, full disclosure of analysis and design process
11 New Algorithms: Requirements/Ideas to Discuss
● Possible security requirements
  – Block multicollisions and 2nd preimage attacks?
  – Fixing the length-extension property?
● What should be the performance requirements?
  – Parallelizability?
  – 8/32/64-bit architectures?
  – Side channels? (S-boxes, multiplies, etc.)
● Should we have multiple standards?
  – Block cipher construction from AES?
  – Special-purpose provable hash functions?
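The two Damgård-Merkle properties that slide 5 and slide 11 keep returning to, Joux multicollisions and length extension, are easiest to see on a toy. The following is example code written for this page, not code from the talk, from NIST or from any real hash: a 24-bit Merkle-Damgård hash whose compression function is modelled as truncated SHA-256 (so the attacks shown exploit nothing about the compression function, only the iterated construction), with a 4-byte block, a fixed IV and a constructed secret/message pair. Because n = 24, the birthday search costs about 2^(n/2) = 2^12 compression calls, and Joux's k successive collisions cost about k * 2^12 in total while yielding 2^k colliding messages. The same toy shows why H(key || msg) is not a safe MAC while HMAC is unaffected, and why a truncated output (the slide-8 "truncated SHA256" idea) hides the final state that length extension needs.

```python
"""
Toy Merkle-Damgard (MD) iterated hash, constructed to illustrate the generic
attacks on the construction: Joux multicollisions and length extension.
Nothing here is a real hash; the 24-bit state, 4-byte block, IV and the
compression function are assumptions made for the demonstration.
"""
import hashlib
import itertools

N_BYTES = 3                 # chaining state / output size: n = 24 bits
BLOCK = 4                   # message block size in bytes
IV = bytes(N_BYTES)         # fixed initial value (assumed)


def compress(state: bytes, block: bytes) -> bytes:
    """Compression function f(h, m) -> h'.  Modelled as truncated SHA-256,
    i.e. as a good compression function: the attacks below are generic to
    the MD construction and exploit no weakness of f itself."""
    return hashlib.sha256(state + block).digest()[:N_BYTES]


def pad(msg_len: int) -> bytes:
    """MD strengthening: 0x80, zero fill, then the message length in bytes
    as a 4-byte big-endian integer, ending on a block boundary."""
    p = b"\x80"
    while (msg_len + len(p) + 4) % BLOCK:
        p += b"\x00"
    return p + msg_len.to_bytes(4, "big")


def md_raw(data: bytes, state: bytes) -> bytes:
    """Run f over already padded, block-aligned data from a given state."""
    assert len(data) % BLOCK == 0
    for i in range(0, len(data), BLOCK):
        state = compress(state, data[i:i + BLOCK])
    return state


def md_hash(msg: bytes) -> bytes:
    """The public hash H(msg) = md_raw(msg || pad, IV).  The output IS the
    final chaining state, which is exactly what length extension relies on."""
    return md_raw(msg + pad(len(msg)), IV)


def find_block_collision(state: bytes) -> tuple:
    """Birthday search for two distinct blocks b1 != b2 with
    f(state, b1) == f(state, b2).  Expected cost about 2^(n/2) calls to f."""
    seen = {}
    for i in itertools.count():
        b = i.to_bytes(BLOCK, "big")
        h = compress(state, b)
        if h in seen:
            return seen[h], b
        seen[h] = b


def joux_multicollision(k: int) -> list:
    """Joux (Crypto 2004): k single-block collisions, each found from the
    chaining state the previous one produced, give 2^k distinct k-block
    messages with one common hash for only about k * 2^(n/2) work, far below
    what a 2^k-way multicollision should cost for an ideal n-bit hash."""
    pairs, state = [], IV
    for _ in range(k):
        b1, b2 = find_block_collision(state)
        pairs.append((b1, b2))
        state = compress(state, b1)     # equals compress(state, b2)
    return pairs


def expand_multicollision(pairs: list) -> list:
    """All 2^k messages obtained by picking one block from each pair.  They
    share length and therefore padding, so their full hashes coincide."""
    return [b"".join(choice) for choice in itertools.product(*pairs)]


def length_extend(digest: bytes, known_len: int, suffix: bytes) -> tuple:
    """Given only H(m) and len(m), compute H(m || glue || suffix) without m,
    where glue = pad(len(m)).  Returns (glue, extended_digest).  This is why
    H(key || msg) is not a safe MAC, while HMAC is unaffected."""
    glue = pad(known_len)
    total_len = known_len + len(glue) + len(suffix)
    return glue, md_raw(suffix + pad(total_len), digest)


def truncated_hash(msg: bytes, out_bytes: int = 2) -> bytes:
    """Chop variant in the spirit of truncated SHA256: the caller never sees
    the full chaining state, so length_extend() has nothing to continue from."""
    return md_hash(msg)[:out_bytes]


if __name__ == "__main__":
    pairs = joux_multicollision(4)
    msgs = expand_multicollision(pairs)
    print(len(msgs), "messages,", len({md_hash(m) for m in msgs}), "distinct hash")
    secret, msg, suffix = b"s3cret", b"amount=10", b"&amount=1000"   # constructed
    tag = md_hash(secret + msg)
    glue, forged = length_extend(tag, len(secret) + len(msg), suffix)
    print("extension valid:", forged == md_hash(secret + msg + glue + suffix))
```

Running the script prints 16 messages with one shared hash and a valid forged digest. Scaling the same construction to n = 160 or 256 changes only the constants: the multicollision cost stays k * 2^(n/2), which is the reason the slides ask whether to "block multicollisions" and "fix the length-extension property" in a new design rather than rely on a stronger compression function alone.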
12 Big Questions about New Algorithms
● Where will they come from?
  – NSA (like SHA family)?
  – Existing/published designs?
  – Other standards?
● Should there be an AES-like contest?
  – Not clear we can do this within our budget/manpower constraints!
  – Is hash function design/analysis a mature enough field to do this?
  – Nailing down requirements up front
13 The Workshop: Oct 31-Nov 1
This is where we'll discuss all these issues and try to get some consensus!
● Assess SHA1 and SHA256/512 strength
● Discuss short-term workarounds
● Long-term strategy
  – Use SHA256/512?
  – Use existing alternative?
  – Contest/process for designing new hash?
  – Requirements on new hash?