
Some Current Thinking on Hash Functions Within NIST






Presentation Transcript


  1. Some Current Thinking on Hash Functions Within NIST
     John Kelsey, NIST, June 2005

  2. Overview
     • How We Got Here
     • Impact of Recent Attacks
     • Short-Term Reactions
     • Long-Term: New Algorithms?
     • The Workshop (Oct 31-Nov 1, 2005)

  3. How We Got Here: Recent Attacks
     • Crypto 2004
        • Wang rump session talk (aka mass die-off of hash functions)
        • Joux, Biham/Chen analyses of SHA0/1
        • Joux multicollision result
     • In 2005 (so far):
        • Wang announced break of SHA1
        • Many clever applications of MD5 collisions
        • 2nd preimage attacks
        • Full details of MD4/MD5/RIPEMD attacks published

  4. Impact of Attacks
     • MD5 Attack:
        • Attack is practical, and MD5 still widely used
        • Huge need to quickly migrate to something stronger!
        • But NIST never had recommended MD5....
     • SHA1 Attack:
        • Attack not (yet) very practical (about 2^69 work)
        • Need to migrate to something stronger, but not urgent.
        • SHA1's life was almost over anyway....
        • ...but NIST got burned!

  5. Impact of Attacks (2)
     • Damgård-Merkle Construction attacks
        • Joux multicollisions
        • 2nd preimages
        • More to come....
     • Impact:
        • When can we trust an n-bit iterated hash against an attacker who can do 2^(n/2) work?
        • HMAC unaffected
        • How much do we really know about our hash constructions?

  6. Impact of Attacks: Summary
     • Urgent need to migrate from MD5
     • Less urgent need to migrate from SHA1
     • SHA1 result may undermine confidence in SHA256
        • Same organization designed it (NSA)
        • Same organization standardized on it (NIST)
        • Similar enough design to raise concerns
        • ...but is public crypto community doing any better?
     • How well do we understand hash functions?

  7. How to React to Attacks?
     • Short-Term:
        • Migration to SHA256 and truncated SHA256
        • A few special-purpose workarounds
        • Evaluate SHA256/512 for security
     • Long-Term:
        • Existing alternatives to SHA family?
        • Developing new algorithms?

  8. Short-Term Reaction: Migration and Workarounds
     • Migration to SHA256
        • Urgent need for cryptanalysis before mass migration
     • Truncated SHA256 (SHA-x): drop-in replacement for SHA1 and maybe MD5
     • Change certificate signing and other protocols to minimize impact of collisions on applications.
     • Problems:
        • SHA256 confidence?
        • Hard to migrate twice.
        • MD5 and SHA1 apps in very different situations.

  9. Long-Term Reaction: New Algorithms?
     • SHA256/512 already in protocols and products
        • Won't be withdrawn unless a real attack appears
     • Do we need another algorithm?
     • Few existing choices with required parameters
        • {256, 384, 512} bit output for {128, 192, 256} bit collision resistance
     • A few possibilities:
        • Whirlpool (256/384/512)
        • GOST hash (256)
        • Existing generic block cipher constructions w/ AES

  10. New Algorithms: Requirements We Know About
     • Drop-in Replacement for SHA family
        • Output size = {224, 256, 384, 512}
        • (Truncation OK)
        • n-bit output must correspond to n/2-bit collision resistance (needed for DSA, ECDSA)
     • Usable in other common hash places
        • Pseudorandom Bit Generation
        • Key Derivation
     • Public, unpatented, full disclosure of analysis and design process
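The "n-bit output, n/2-bit collision resistance" requirement on this slide, and the 2^(n/2) question on slide 5, are the generic birthday bound. The Python below is an added worked example written for this page, not code from the slides or from NIST: it truncates SHA-256 to n bits, as the SHA-x drop-in idea on slide 8 does, and hashes constructed messages until two of them collide on the truncated value. The number of trials lands near sqrt(pi/2) * 2^(n/2) whatever n is, which is why {256, 384, 512}-bit outputs are paired with {128, 192, 256}-bit collision resistance, and why truncating a strong hash keeps the birthday-bound security of the shorter length. The function names and the `msg-<i>` inputs are my own constructions.

```python
import hashlib

# Added example (not from the slides). Truncating SHA-256 to n bits, as the "SHA-x"
# drop-in idea does, leaves a hash whose generic collision cost is about 2^(n/2):
# the birthday bound behind the n-bit output / (n/2)-bit collision requirement.


def truncated_sha256(data, n_bits):
    """Leading n_bits of SHA-256(data) as an integer (n_bits need not be a whole byte count)."""
    digest = hashlib.sha256(data).digest()
    nbytes = (n_bits + 7) // 8
    return int.from_bytes(digest[:nbytes], "big") >> ((-n_bits) % 8)


def find_collision(n_bits):
    """Hash constructed messages msg-0, msg-1, ... until two share the same n-bit truncated
    digest. Returns (trials, m_i, m_j). By the pigeonhole principle this terminates within
    2^n + 1 trials; on average it takes about sqrt(pi/2) * 2^(n/2) of them."""
    seen = {}          # truncated digest -> first message that produced it
    i = 0
    while True:
        m = b"msg-%d" % i
        h = truncated_sha256(m, n_bits)
        if h in seen:
            return i + 1, seen[h], m
        seen[h] = m
        i += 1


def birthday_ratio(n_bits):
    """Trials used by one collision search divided by 2^(n/2). Hovers around sqrt(pi/2) ~ 1.25
    for every n: each extra 2 bits of output doubles the attacker's expected work."""
    trials, _, _ = find_collision(n_bits)
    return trials / 2 ** (n_bits / 2)


if __name__ == "__main__":
    # 32 bits is the largest size that is comfortable in pure Python (~10^5 hashes).
    for n in (16, 24, 32):
        trials, a, b = find_collision(n)
        print("n=%2d bits: collision after %7d trials (%.2f x 2^(n/2)): %r vs %r"
              % (n, trials, trials / 2 ** (n / 2), a, b))
        # The full digests still differ: only the truncated prefixes collide.
        assert hashlib.sha256(a).digest() != hashlib.sha256(b).digest()
```

The ratio printed for each n varies from run to run of the message sequence only through the hash values themselves (the search is deterministic), and stays within a small constant of 1.25 across sizes; going from 32 to 256 bits changes the exponent, not the shape of the curve.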

  11. New Algorithms: Requirements/Ideas to Discuss
     • Possible security requirements
        • Block multicollisions and 2nd preimage attacks?
        • Fixing the length-extension property?
     • What should be the performance requirements?
        • Parallelizability?
        • 8/32/64 bit architectures?
        • Side channels? (S-boxes, multiplies, etc.)
     • Should we have multiple standards?
        • Block cipher construction from AES?
        • Special purpose provable hash functions?

  12. Big Questions about New Algorithms
     • Where will they come from?
        • NSA (like SHA family)?
        • Existing/published designs?
        • Other standards?
     • Should there be an AES-like contest?
        • Not clear we can do this within our budget/manpower constraints!
        • Is hash function design/analysis a mature enough field to do this?
        • Nailing down requirements up front

  13. The Workshop: Oct 31-Nov 1
     This is where we'll discuss all these issues and try to get some consensus!
     • Assess SHA1 and SHA256/512 strength
     • Discuss short-term workarounds
     • Long-term strategy
        • Use SHA256/512?
        • Use existing alternative?
        • Contest/process for designing new hash?
        • Requirements on new hash?
