New cryptographic hash function not needed, Schneier says

As the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) prepares to announce the winner of its competition to find the next-generation cryptographic hash algorithm, renowned cryptographer Bruce Schneier doesn’t think that a new hash function is needed at this time.

“It’s probably too late for me to affect the final decision, but I am hoping for ‘no award,'” Schneier said Monday in a blog post. “It’s not that the new hash functions aren’t any good, it’s that we don’t really need one.”

Cryptographic hash functions have many applications in information security and are commonly used to verify data authenticity. Such functions convert a piece of information into a unique, fixed-length bit string, and should make it impossible for two different messages to result in the same string.

For example, user passwords are commonly stored in hashed form inside databases in order to prevent their exposure if the database is compromised. Every time a user attempts to authenticate against an application, a hash is computed for the password he supplies and is compared to the one already stored in the application’s database.

NIST announced its public cryptographic hash algorithm competition in November 2007 with the goal of finding a new hash algorithm that would be standardized as a Federal Information Processing Standard (FIPS) called SHA-3 (Secure Hash Algorithm 3).

After five years and three selection rounds that reduced the number of candidates from 64 initially submitted functions to only five, NIST is expected to announce the winner sometime this year.

Schneier is part of the team of cryptographers who created Skein, a family of cryptographic hash functions that has been selected as one of the competition’s five finalists.

The idea of standardizing a new hash function came in 2006, when it seemed like the SHA-2 family of functions wouldn’t be secure for much longer because of new types of cryptanalysis, Schneier said.

“We didn’t know how long the various SHA-2 variants would remain secure,” the cryptographer said. “But it’s 2012, and SHA-512 is still looking good.”

Schneier also favors a “no award” decision at this time because, according to him, none of the SHA-3 final candidates is significantly better than the current standardized hash functions.

“Some are faster, but not orders of magnitude faster,” Schneier said. “Some are smaller in hardware, but not orders of magnitude smaller.”

“When SHA-3 is announced, I’m going to recommend that, unless the improvements are critical to their application, people stick with the tried and true SHA-512,” the cryptographer said. “At least for a while.”

“I’d say that the world could live without SHA-3, for SHA-1 and SHA-2 resisted cryptanalysis better than expected,” said cryptographer Jean-Philippe Aumasson, who designed BLAKE, one of the other five SHA-3 finalist hash functions, Monday via email. “However, I often say that this is due to the ‘denial of service attack’ of SHA-3: these last years, most cryptanalysts focused on SHA-3 candidates, instead of SHA-1 or SHA-2.”

Aumasson believes that SHA-3 will be more secure than SHA-2 in certain aspects and, if Skein or BLAKE will be chosen as a winner, it will also be noticeably faster on the latest desktop and server CPUs from Intel and AMD.

“All the five SHA-3 finalists are believed to satisfy the strongest theoretical security definition, unlike SHA-2,” Aumasson said. “However, this does not undermine SHA-2’s actual security when used properly.”

The fact that the expected attacks against SHA-1 and SHA-2 never materialized is a good thing, but the cryptographic community shouldn’t be complacent about it, Matthew D. Green, an assistant research professor who teaches cryptography at the Johns Hopkins Information Security Institute, said Monday via email.

“The point of this competition was not just to replace SHA2, but to develop a collection of new defensive techniques so that we can deal with attacks if they ever arrive,” Green said. “And it was also intended to advance our knowledge in the area of hash function design. It’s done a great job of that.”

Green is concerned that if NIST doesn’t select a winner this time, a future competition of this nature would not be met with the same level of enthusiasm from cryptographers.

“One place I absolutely agree with Bruce is that we should take our time transitioning from SHA2 to whichever function becomes SHA3,” Green said. “But what’s great about this competition is that we’ll at least have something to transition to.”