Some Current Thinking on Hash Functions Within NIST

John Kelsey, NIST, June 2005


Page 1: Some Current Thinking on Hash Functions Within NIST


Some Current Thinking on Hash Functions Within NIST

John Kelsey, NIST, June 2005

Page 2: Some Current Thinking on Hash Functions Within NIST

Overview

● How We Got Here
● Impact of Recent Attacks
● Short-Term Reactions
● Long-Term: New Algorithms?
● The Workshop (Oct 31-Nov 1, 2005)

Page 3: Some Current Thinking on Hash Functions Within NIST

How We Got Here: Recent Attacks

● Crypto 2004
– Wang rump session talk (aka mass die-off of hash functions)
– Joux, Biham/Chen analyses of SHA0/1
– Joux multicollision result
● In 2005 (so far):
– Wang announced break of SHA1
– Many clever applications of MD5 collisions
– 2nd preimage attacks
– Full details of MD4/MD5/RIPEMD attacks published

Page 4: Some Current Thinking on Hash Functions Within NIST

Impact of Attacks

● MD5 Attack:
– Attack is practical, and MD5 still widely used
– Huge need to quickly migrate to something stronger!
– But NIST never had recommended MD5....
● SHA1 Attack:
– Attack not (yet) very practical (about 2^69)
– Need to migrate to something stronger, but not urgent.
– SHA1's life was almost over anyway....
– ...but NIST got burned!

Page 5: Some Current Thinking on Hash Functions Within NIST

Impact of Attacks (2)

● Damgard-Merkle Construction attacks
– Joux multicollisions
– 2nd preimages
– More to come....
● Impact:
– When can we trust an n-bit iterated hash with an attacker who can do 2^(n/2) work?
– HMAC unaffected
– How much do we really know about our hash constructions?

Page 6: Some Current Thinking on Hash Functions Within NIST

Impact of Attacks: Summary

● Urgent need to migrate from MD5
● Less urgent need to migrate from SHA1
● SHA1 result may undermine confidence in SHA256
– Same organization designed it (NSA)
– Same organization standardized on it (NIST)
– Similar enough design to raise concerns
● ...but is the public crypto community doing any better?
– How well do we understand hash functions?

Page 7: Some Current Thinking on Hash Functions Within NIST

How to React to Attacks?

● Short-Term:
– Migration to SHA256 and truncated SHA256
– A few special-purpose workarounds
– Evaluate SHA256/512 for security
● Long-Term:
– Existing alternatives to SHA family?
– Developing new algorithms?

Page 8: Some Current Thinking on Hash Functions Within NIST

Short-Term Reaction: Migration and Workarounds

● Migration to SHA256
– Urgent need for cryptanalysis before mass migration
– Truncated SHA256 (SHA-x): Drop-in replacement for SHA1 and maybe MD5
● Change certificate signing and other protocols to minimize impact of collisions on applications.
● Problems:
– SHA256 confidence?
– Hard to migrate twice.
– MD5 and SHA1 apps in very different situations.

Page 9: Some Current Thinking on Hash Functions Within NIST

Long-Term Reaction: New Algorithms?

● SHA256/512 already in protocols and products
– Won't be withdrawn unless a real attack appears
– Do we need another algorithm?
● Few existing choices with required parameters
– {256, 384, 512} bit output for {128, 192, 256} bit collision resistance
● A few possibilities:
– Whirlpool (256/384/512)
– GOST hash (256)
– Existing generic block cipher constructions w/ AES

Page 10: Some Current Thinking on Hash Functions Within NIST

New Algorithms: Requirements We Know About

● Drop-in Replacement for SHA family
● Output size = {224, 256, 384, 512}
– (Truncation OK)
– n-bit output must correspond to n/2-bit collision resistance (Needed for DSA, ECDSA)
● Usable in other common hash places
– Pseudorandom Bit Generation
– Key Derivation
● Public, unpatented, full disclosure of analysis and design process
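The requirement above (n-bit output gives n/2-bit collision resistance, truncation allowed) and the truncated-SHA256 "SHA-x" drop-in idea from the short-term slide can be checked empirically at tiny output widths. The Python below is an added example for this page, not code from the slides or from NIST; the counter-based messages and the input strings are constructed for the demonstration, and the searched widths are deliberately small so the birthday search completes instantly.

```python
"""Truncated SHA-256 as a shorter-digest drop-in, plus an empirical check that
an n-bit output collides after roughly 2^(n/2) evaluations (generic birthday bound).
Added illustration; the small widths and counter messages are constructed."""
import hashlib
import math

# Output sizes listed on the slide and the collision level each is meant to provide.
SHA2_OUTPUT_BITS = (224, 256, 384, 512)


def truncated_sha256(msg: bytes, out_bits: int) -> bytes:
    """Leading out_bits of SHA-256(msg); out_bits must be a multiple of 8 and <= 256."""
    if out_bits % 8 or not 0 < out_bits <= 256:
        raise ValueError("out_bits must be a multiple of 8 in 1..256")
    return hashlib.sha256(msg).digest()[: out_bits // 8]


def collision_security_bits(out_bits: int) -> int:
    """Generic collision resistance an ideal n-bit hash can offer: n/2 bits."""
    return out_bits // 2


def birthday_bound(out_bits: int) -> float:
    """Expected evaluations before the first collision on an ideal n-bit output,
    about sqrt(pi/2 * 2^n)."""
    return math.sqrt(math.pi / 2 * 2 ** out_bits)


def find_collision(out_bits: int, limit: int = 0):
    """Generic birthday search on the truncated output over constructed counter
    messages. Returns (message_a, message_b, evaluations) or None if the limit
    is hit. A limit of 0 means 2^n + 1 evaluations, where the pigeonhole
    principle guarantees a collision."""
    if limit <= 0:
        limit = 2 ** out_bits + 1
    seen = {}
    for i in range(limit):
        msg = b"constructed-msg-%d" % i          # distinct messages by construction
        digest = truncated_sha256(msg, out_bits)
        if digest in seen:
            return seen[digest], msg, i + 1
        seen[digest] = msg
    return None


if __name__ == "__main__":
    # SHA-1-sized (160-bit) output taken from SHA-256, the slide's drop-in idea.
    print(truncated_sha256(b"constructed input", 160).hex())
    for bits in (16, 24, 32):
        a, b, n = find_collision(bits)
        print(f"{bits}-bit truncation: collision after {n} evaluations "
              f"(expected about {birthday_bound(bits):.0f}, "
              f"i.e. {collision_security_bits(bits)}-bit security)")
```

The observed evaluation counts cluster around the 2^(n/2) birthday bound, which is exactly why a 224/256/384/512-bit output is paired with 112/128/192/256-bit collision resistance on the slide, and why truncating a sound hash (rather than a broken one) is an acceptable way to get a shorter digest. Note that SHA-224 as standardized uses its own initial values, so a plain 224-bit truncation of SHA-256 is not byte-for-byte SHA-224.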

Page 11: Some Current Thinking on Hash Functions Within NIST

New Algorithms: Requirements/Ideas to Discuss

● Possible security requirements
– Block multicollisions and 2nd preimage attacks?
– Fixing the length-extension property?
● What should be the performance requirements?
– Parallelizability?
– 8/32/64 bit architectures?
– Side channels? (S-boxes, multiplies, etc.)
● Should we have multiple standards?
– Block cipher construction from AES?
– Special purpose provable hash functions?
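Two of the structural issues on these slides, the Joux multicollisions against the Damgard-Merkle construction (Impact of Attacks (2)) and the length-extension property listed above as a possible requirement to fix, are easiest to see on a toy Merkle-Damgard hash. The Python below is an added example written for this page, not code from the slides or from NIST: the 32-bit state and block size, the SHA-256-based toy compression function, the initial value, and the key, message and suffix strings are all constructed so the brute-force searches finish in well under a second; a real hash has the same iterated structure with a much larger state.

```python
"""Toy Merkle-Damgard hash demonstrating (1) Joux multicollisions and
(2) length extension, and why HMAC's nested structure is unaffected by (2).
Added illustration with constructed, deliberately tiny parameters."""
import hashlib
import itertools

STATE = 4                    # chaining-state size in bytes (32 bits, constructed toy size)
BLOCK = 4                    # message-block size in bytes
IV = b"\x00\x01\x02\x03"     # constructed initial value


def compress(state: bytes, block: bytes) -> bytes:
    """Toy compression function: SHA-256(state || block) truncated to the state size."""
    return hashlib.sha256(state + block).digest()[:STATE]


def padding(msg_len: int) -> bytes:
    """MD strengthening: 0x80, zeros to a block boundary, then the message length."""
    pad = b"\x80"
    while (msg_len + len(pad)) % BLOCK:
        pad += b"\x00"
    return pad + msg_len.to_bytes(BLOCK, "big")


def absorb(state: bytes, data: bytes) -> bytes:
    """Run the compression function over whole blocks starting from `state`."""
    if len(data) % BLOCK:
        raise ValueError("data must be block aligned")
    for i in range(0, len(data), BLOCK):
        state = compress(state, data[i:i + BLOCK])
    return state


def md_hash(msg: bytes) -> bytes:
    return absorb(IV, msg + padding(len(msg)))


def find_block_collision(state: bytes, limit: int = 1 << 20):
    """Birthday search for two distinct blocks that map `state` to the same next
    state; about 2^(n/2) compressions for an n-bit state."""
    seen = {}
    for i in range(limit):
        block = i.to_bytes(BLOCK, "big")
        out = compress(state, block)
        if out in seen:
            return seen[out], block
        seen[out] = block
    raise RuntimeError("no collision within limit")


def joux_multicollision(k: int):
    """Chain k single-block collisions. Picking either block at each position gives
    the same final state, so 2^k colliding messages cost only k birthday searches."""
    state, pairs = IV, []
    for _ in range(k):
        b1, b2 = find_block_collision(state)
        pairs.append((b1, b2))
        state = compress(state, b1)
    return pairs


def expand_multicollision(pairs):
    """All 2^k messages built from one block per collision pair."""
    return [b"".join(choice) for choice in itertools.product(*pairs)]


def naive_mac(key: bytes, msg: bytes) -> bytes:
    """H(key || msg): the keyed construction that length extension breaks."""
    return md_hash(key + msg)


def extend(known_digest: bytes, known_len: int, suffix: bytes):
    """From only H(m) and len(m), compute H(m || glue || suffix) without knowing m:
    the digest is the chaining state after m's padding, so hashing can resume."""
    glue = padding(known_len)
    total_len = known_len + len(glue) + len(suffix)
    forged = absorb(known_digest, suffix + padding(total_len))
    return glue, forged


def toy_hmac(key: bytes, msg: bytes) -> bytes:
    """HMAC structure on the toy hash: the outer keyed hash means a known tag is
    not a resumable chaining state, so extension has nothing to resume from."""
    if len(key) > BLOCK:
        key = md_hash(key)
    key = key.ljust(BLOCK, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    return md_hash(opad + md_hash(ipad + msg))


if __name__ == "__main__":
    msgs = expand_multicollision(joux_multicollision(3))
    print(len(msgs), "messages, distinct digests:", len({md_hash(m) for m in msgs}))
    key, msg, suffix = b"constructed-key", b"amount=100", b"&admin=1"
    glue, forged = extend(naive_mac(key, msg), len(key) + len(msg), suffix)
    print("H(key||m) extends:", naive_mac(key, msg + glue + suffix) == forged)
    print("HMAC extends:     ", toy_hmac(key, msg + glue + suffix) == forged)
```

The multicollision run shows the cost gap the slide is pointing at: 2^k colliding messages for k birthday searches (k * 2^(n/2) work) instead of the roughly 2^(n(2^k-1)/2^k) a generic 2^k-way collision would cost, which is why concatenating two iterated hashes adds far less security than its combined output length suggests. The length-extension half shows why "HMAC unaffected" holds: the resumable state that H(key || m) leaks is wrapped by a second keyed hash in HMAC, so the same extension produces a tag that does not verify.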

Page 12: Some Current Thinking on Hash Functions Within NIST

Big Questions about New Algorithms

● Where will they come from?
– NSA (like SHA family)?
– Existing/published designs?
– Other standards?
● Should there be an AES-like contest?
– Not clear we can do this within our budget/manpower constraints!
– Is hash function design/analysis a mature enough field to do this?
– Nailing down requirements up front

Page 13: Some Current Thinking on Hash Functions Within NIST

The Workshop: Oct 31-Nov 1

This is where we'll discuss all these issues and try to get some consensus!

● Assess SHA1 and SHA256/512 strength
● Discuss short-term workarounds
● Long-term strategy
– Use SHA256/512?
– Use existing alternative?
– Contest/process for designing new hash?
– Requirements on new hash?