1
Some Current Thinking on Hash Functions Within NIST
  • John Kelsey, NIST, June 2005

2
Overview
  • How We Got Here
  • Impact of Recent Attacks
  • Short-Term Reactions
  • Long-Term New Algorithms?
  • The Workshop (Oct 31-Nov 1, 2005)

3
How We Got Here: Recent Attacks
  • Crypto 2004
    • Wang rump session talk (aka mass die-off of hash functions)
    • Joux, Biham/Chen analyses of SHA0/1
    • Joux multicollision result
  • In 2005 (so far)
    • Wang announced break of SHA1
    • Many clever applications of MD5 collisions
    • 2nd preimage attacks
    • Full details of MD4/MD5/RIPEMD attacks published

4
Impact of Attacks
  • MD5 Attack
    • Attack is practical, and MD5 still widely used
    • Huge need to quickly migrate to something stronger!
    • But NIST never had recommended MD5....
  • SHA1 Attack
    • Attack not (yet) very practical (about 2^69 work)
    • Need to migrate to something stronger, but not urgent.
    • SHA1's life was almost over anyway....
    • ...but NIST got burned!

5
Impact of Attacks (2)
  • Damgård-Merkle Construction attacks
    • Joux multicollisions
    • 2nd preimages
    • More to come....
  • Impact
    • When can we trust n-bit iterated hash with attacker who can do 2^(n/2) work?
    • HMAC unaffected
    • How much do we really know about our hash constructions?
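The Joux multicollision result listed on this slide, worked through as an added example that is not from the presentation. A toy Merkle-Damgård hash with a 24-bit chaining value (an assumption chosen so that the 2^(n/2) birthday bound is about 2^12 compression calls; the compression function, SHA-256 truncated to 24 bits, is likewise an assumption) is attacked by chaining k single-block collisions. Any choice of one block from each colliding pair reaches the same chaining value, so 2^k messages collide for roughly k * 2^(n/2) work, which is why the slide asks how far an n-bit iterated hash can be trusted against an attacker with 2^(n/2) work.

```python
import hashlib
import itertools

# Toy Merkle-Damgard hash: 24-bit chaining value (n = 24), 4-byte message blocks.
# The 24-bit state is an assumption chosen so that the generic 2^(n/2) birthday
# cost is about 2^12 compression calls and the whole attack runs in a second.
STATE_BYTES = 3
BLOCK_BYTES = 4
IV = b"\x00" * STATE_BYTES
compression_calls = 0      # work counter, compared against the 2^(n/2) bound below


def compress(chain: bytes, block: bytes) -> bytes:
    """Toy compression function: SHA-256(chain || block) truncated to 24 bits."""
    global compression_calls
    compression_calls += 1
    return hashlib.sha256(chain + block).digest()[:STATE_BYTES]


def pad(msg: bytes) -> bytes:
    """MD strengthening: 0x80, zero fill to a block boundary, then the bit length as a block."""
    padded = msg + b"\x80"
    padded += b"\x00" * (-len(padded) % BLOCK_BYTES)
    return padded + (len(msg) * 8).to_bytes(BLOCK_BYTES, "big")


def toy_hash(msg: bytes) -> bytes:
    """Iterate compress() over the padded message, Merkle-Damgard style."""
    chain = IV
    data = pad(msg)
    for i in range(0, len(data), BLOCK_BYTES):
        chain = compress(chain, data[i:i + BLOCK_BYTES])
    return chain


def find_block_collision(chain: bytes):
    """Birthday search from a fixed chaining value: distinct blocks m0 != m1 with
    compress(chain, m0) == compress(chain, m1). Expected cost about 2^(n/2) calls."""
    seen = {}
    for i in itertools.count():
        block = i.to_bytes(BLOCK_BYTES, "big")   # blocks are distinct by construction
        out = compress(chain, block)
        if out in seen:
            return seen[out], block, out
        seen[out] = block


def joux_multicollision(k: int):
    """Joux (Crypto 2004): chain k single-block collisions. Any choice of one block
    from each pair reaches the same chaining value, so all 2^k messages collide,
    for roughly k * 2^(n/2) work rather than the cost of a generic 2^k-way search."""
    chain = IV
    pairs = []
    for _ in range(k):
        m0, m1, chain = find_block_collision(chain)
        pairs.append((m0, m1))
    return pairs


def multicollision_messages(pairs):
    """Expand k collision pairs into all 2^k colliding k-block messages."""
    return [b"".join(choice) for choice in itertools.product(*pairs)]


if __name__ == "__main__":
    k = 4
    pairs = joux_multicollision(k)
    work = compression_calls
    msgs = multicollision_messages(pairs)
    digests = {toy_hash(m) for m in msgs}
    print(f"{len(msgs)} distinct messages, {len(digests)} digest: {digests.pop().hex()}")
    print(f"compression calls for the search: {work} (k * 2^(n/2) = {k * 2 ** 12})")
```

All 2^k messages have the same length, so they share the same final padding block and the common chaining value carries through to the digest; with k = 4 the search costs a few tens of thousands of compression calls against a 2^24 state, and the same construction scales to any n.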

6
Impact of Attacks: Summary
  • Urgent need to migrate from MD5
  • Less urgent need to migrate from SHA1
  • SHA1 result may undermine confidence in SHA256
    • Same organization designed it (NSA)
    • Same organization standardized on it (NIST)
    • Similar enough design to raise concerns
    • ...but is public crypto community doing any better?
  • How well do we understand hash functions?

7
How to React to Attacks?
  • Short-Term
    • Migration to SHA256 and truncated SHA256
    • A few special-purpose workarounds
    • Evaluate SHA256/512 for security
  • Long-Term
    • Existing alternatives to SHA family?
    • Developing new algorithms?

8
Short-Term Reaction: Migration and Workarounds
  • Migration to SHA256
    • Urgent need for cryptanalysis before mass migration
    • Truncated SHA256 (SHA-x): drop-in replacement for SHA1 and maybe MD5
    • Change certificate signing and other protocols to minimize impact of collisions on applications.
  • Problems
    • SHA256 confidence?
    • Hard to migrate twice.
    • MD5 and SHA1 apps in very different situations.

9
Long-Term Reaction: New Algorithms?
  • SHA256/512 already in protocols and products
    • Won't be withdrawn unless a real attack appears
  • Do we need another algorithm?
    • Few existing choices with required parameters
      • 256, 384, 512 bit output for 128, 192, 256 bit collision resistance
  • A few possibilities
    • Whirlpool (256/384/512)
    • GOST hash (256)
    • Existing generic block cipher constructions w/ AES

10
New Algorithms: Requirements We Know About
  • Drop-in Replacement for SHA family
    • Output size 224, 256, 384, 512 (Truncation OK)
    • n-bit output must correspond to n/2-bit collision resistance (Needed for DSA, ECDSA)
  • Usable in other common hash places
    • Pseudorandom Bit Generation
    • Key Derivation
  • Public, unpatented, full disclosure of analysis and design process

11
New Algorithms: Requirements/Ideas to Discuss
  • Possible security requirements
    • Block multicollisions and 2nd preimage attacks?
    • Fixing the length-extension property?
  • What should be the performance requirements?
    • Parallelizability?
    • 8/32/64 bit architectures?
    • Side channels? (S-boxes, multiplies, etc.)
  • Should we have multiple standards?
    • Block cipher construction from AES?
    • Special purpose provable hash functions?

12
Big Questions about New Algorithms
  • Where will they come from?
    • NSA (like SHA family)?
    • Existing/published designs?
    • Other standards?
  • Should there be an AES-like contest?
    • Not clear we can do this within our budget/manpower constraints!
    • Is hash function design/analysis a mature enough field to do this?
    • Nailing down requirements up front

13
The Workshop: Oct 31-Nov 1, 2005
  • This is where we'll discuss all these issues and try to get some consensus!
  • Assess SHA1 and SHA256/512 strength
  • Discuss short-term workarounds
  • Long-term strategy
    • Use SHA256/512?
    • Use existing alternative?
    • Contest/process for designing new hash?
    • Requirements on new hash?