Doubts over necessity of SHA-3 cryptography standard
With a successor to Secure Hash Algorithm 2 (SHA-2) due to be crowned in the summer, questions are being asked as to whether a new cryptographic standard is really necessary. Hash functions, which condense data of any size into a short fixed-length value so that the authenticity of the data can be verified, form the basis of many security mechanisms. The National Institute of Standards and Technology (NIST), which is responsible for the process, has moved from talking of a successor to talking of 'augmentation'.
The search for SHA-3 was initiated because successful attacks on SHA-1 and MD5 were, in principle, also applicable to SHA-2, denting confidence in the security of the successor to the former algorithms. NIST computer scientist Tim Polk has told the 83rd meeting of the Internet Engineering Task Force (IETF) that none of the five finalists are affected by known attacks on MD5, SHA-1 and SHA-2 and the Merkle-Damgård construction on which all three are based. But the competition and the over 400 scientific papers and tests which have been submitted over the course of the competition have shown that SHA-2 is faster than the five finalists – Blake, Grøstl, JH, Keccak and Skein – for many tasks. SHA-3 comes out on top only for short hash-based Message Authentication Codes (MACs).
Each of the finalists has its own strengths compared to SHA-2, but none is better overall. This is another reason why NIST is starting to ask whether the winner of the SHA-3 competition would be better marketed as an "augmentation" of SHA-2, particularly as the competition has also had the result of reinforcing trust in SHA-2. Polk says that they expected SHA-2 to have been cracked by the time the competition had finished, adding that SHA-2 currently still appears to offer an excellent level of security.
This admission was one factor in causing IETF security experts to ask whether the augmentation was really necessary at all. These experts believe it would be unreasonable to expect users to undertake a time-consuming migration process just for the sake of the competition and the work put into it. Russ Housley, vice-chairman of the IETF, warned against pushing the introduction of SHA-3 at a time when many administrators had yet to make the jump from SHA-1 to SHA-2. Migration costs would, he noted, be many times higher than those of the performance tests over the two years of the competition process. Many of the experts at the Paris talks were opposed to the idea of introducing yet another algorithm just to cover the worst-case scenario of SHA-2 becoming compromised.
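The migration cost Housley raises is largely a design problem: a system that hard-wires one hash algorithm needs a flag-day cut-over, whereas one that tags every digest with the algorithm that produced it can accept SHA-2 today and SHA-3 later, re-hashing opportunistically. The following Python is an added illustration of that hash-agile pattern and is not code from the article, NIST or the IETF; the `algo:hexdigest` tag format, the algorithm labels and all function names are assumptions made for this example. MACs are built with HMAC for both families so the keyed construction does not depend on whether the underlying hash is Merkle-Damgård (SHA-2) or a sponge (SHA-3, Keccak).

```python
"""Hash-agile integrity tags: accept SHA-2 and SHA-3 side by side.

Added example, not from the article. The "algo:hexdigest" tag format and
the function names below are constructed for this illustration.
"""
import hashlib
import hmac

# Allowed algorithms, mapping our constructed tag label to the hashlib name.
# Removing "sha256" here is the whole "deprecation" step once migration is done.
ALGORITHMS = {
    "sha256": "sha256",
    "sha3-256": "sha3_256",
}
DEFAULT_ALGO = "sha256"  # change to "sha3-256" to migrate newly written tags


def make_tag(data: bytes, algo: str = DEFAULT_ALGO) -> str:
    """Return an algorithm-tagged digest such as 'sha256:e3b0c4...'."""
    digest = hashlib.new(ALGORITHMS[algo], data).hexdigest()
    return f"{algo}:{digest}"


def verify_tag(data: bytes, tag: str) -> bool:
    """Recompute the digest with the algorithm named in the tag and compare it
    in constant time. Unknown or missing algorithm labels fail closed."""
    algo, sep, expected = tag.partition(":")
    if not sep or algo not in ALGORITHMS:
        return False
    actual = hashlib.new(ALGORITHMS[algo], data).hexdigest()
    return hmac.compare_digest(actual, expected)


def make_mac(key: bytes, data: bytes, algo: str = DEFAULT_ALGO) -> str:
    """Keyed tag using HMAC over the chosen hash. HMAC is used for both
    families so the construction is sound regardless of whether the hash is
    Merkle-Damgard (SHA-2) or a sponge (SHA-3)."""
    mac = hmac.new(key, data, ALGORITHMS[algo]).hexdigest()
    return f"{algo}:{mac}"


def verify_mac(key: bytes, data: bytes, tag: str) -> bool:
    """Constant-time verification of a tag produced by make_mac."""
    algo, sep, expected = tag.partition(":")
    if not sep or algo not in ALGORITHMS:
        return False
    actual = hmac.new(key, data, ALGORITHMS[algo]).hexdigest()
    return hmac.compare_digest(actual, expected)


def rehash_if_legacy(data: bytes, tag: str, target: str = "sha3-256"):
    """Opportunistic migration: if a stored tag verifies but was made with a
    different algorithm than `target`, return a fresh tag under `target`.
    Returns the tag unchanged if already current, or None if it fails."""
    if not verify_tag(data, tag):
        return None
    if tag.partition(":")[0] == target:
        return tag
    return make_tag(data, target)


if __name__ == "__main__":
    # Constructed sample record: a SHA-2 tag written before any migration.
    record = b"example payload"
    old_tag = make_tag(record, "sha256")
    print("stored:", old_tag)
    print("verifies:", verify_tag(record, old_tag))
    print("migrated:", rehash_if_legacy(record, old_tag))
```

Because verification dispatches on the label inside the tag, old SHA-256 entries keep validating after `DEFAULT_ALGO` is switched, and records are upgraded as they are next read rather than in one bulk job; the constant-time `hmac.compare_digest` is used for both plain digests and MACs so that comparison timing does not leak how many leading bytes matched.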
(Monika Ermert / crve)