New hashes wanted

The race for the future official hash algorithm of the National Institute of Standards and Technology (NIST) has entered a new phase. The deadline for new entries lapsed on the night of November 1st. As the NIST's formal testing will take another few weeks, no official statements about the entered proposals have become available, but scientific circles expect between 30 and 50 entries. So far 16 developer teams have themselves released details of their proposals. A growing list can be found in the wiki of the Institute for Applied Information Processing and Communications (Institut für Angewandte Informationsverarbeitung und Kommunikation, IAIK) at Graz University of Technology.

In 2007, the NIST invited proposals for new hash designs after the widely used SHA-1 hash function gained a reputation for being unsafe. Because of its strong similarities with SHA-1, the crypto community does not fully trust SHA-2 either, although no weaknesses have been discovered so far. As a consequence, cryptographers worldwide are researching a new generation of hash functions for the "SHA-3" successor standard. The decision on a successor is currently scheduled for 2012.

Many of the current heated discussions revolve around the Skein proposal, a joint project by Bruce Schneier – co-developer of the Twofish AES finalist – as well as academics and developers at companies like Intel and Microsoft. While this algorithm appears to be very fast, the basic operations it uses are similar to those of SHA-2. Also worth mentioning is the MD6 proposal by cryptographer Ron "the R in RSA" Rivest, who was already instrumental in the development of the MD4 and MD5 hashes as well as the RC6 AES finalist. MD6 stands out because of its conservative design and its comparatively low speed, and because its standard operating mode is the tree mode designed for parallel processors.

European teams have also submitted remarkable proposals. Grøstl is the entry of a Danish-Austrian team already involved in the design of the Serpent AES finalist and experienced in designing and analysing modern hash functions. This team also developed telltale attacks on GOST and SHA-1. In an interview with heise Security, co-developer Christian Rechberger explained "Unlike many others, the Grøstl algorithm offers verifiable arguments to prove it is safe from various classes of attacks. And yet it is as fast as SHA-2". An interesting proposal is reportedly also expected from the Belgian group of scientists who designed the Rijndael AES winner, although no information about their entry has become available so far.

A few basic differences can be noted when comparing this competition to the NIST's AES competition which was in a similar phase ten years ago. The main motivation for switching from DES to AES was not so much a structural weakness of the DES algorithm, but rather its short key length. With SHA-3, the structural weaknesses of the current hash algorithms are the main incentive for change.

Many proposals are likely to be entered by inexperienced developers. The WaMM hash was cracked in less than 24 hours. While this is, of course, a definite reason for its exclusion, the final criteria for finding a winner have not been determined. It is, therefore, likely that discussions in the coming months will not only revolve around the choice of best candidates, but also around the criteria that need to be met. The next step will be the first "SHA-3 Candidate Conference" in February 2009.

See also:

• New successor to SHA-1 hash algorithm to be developed

(trk)