ppt - eCrypt


1 Some Current Thinking on Hash Functions Within NIST
John Kelsey, NIST, June 2005

2 Overview
● How We Got Here
● Impact of Recent Attacks
● Short-Term Reactions
● Long-Term: New Algorithms?
● The Workshop (Oct 31-Nov 1, 2005)

3 How We Got Here: Recent Attacks
● Crypto 2004
  – Wang rump session talk (aka mass die-off of hash functions)
  – Joux, Biham/Chen analyses of SHA0/1
  – Joux multicollision result
● In 2005 (so far):
  – Wang announced break of SHA1
  – Many clever applications of MD5 collisions
  – 2nd preimage attacks
  – Full details of MD4/MD5/RIPEMD attacks published

4 Impact of Attacks
● MD5 Attack:
  – Attack is practical, and MD5 still widely used
  – Huge need to quickly migrate to something stronger!
  – But NIST never had recommended MD5....
● SHA1 Attack:
  – Attack not (yet) very practical (about 2^69)
  – Need to migrate to something stronger, but not urgent.
  – SHA1's life was almost over anyway....
  – ...but NIST got burned!

5 Impact of Attacks (2)
● Damgard-Merkle Construction attacks
  – Joux multicollisions
  – 2nd preimages
  – More to come....
● Impact:
  – When can we trust n-bit iterated hash with attacker who can do 2^(n/2) work?
  – HMAC unaffected
  – How much do we really know about our hash constructions?
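The Joux multicollision result named on this slide, worked through on a toy Merkle-Damgard hash (an added example, not from the talk or from NIST; the 16-bit state, 4-byte blocks and all function names are constructed for illustration):

```python
import hashlib
import itertools

# Toy Merkle-Damgard hash, constructed for illustration only: a 16-bit
# chaining value (n = 16) so that one block collision costs about 2^(n/2) = 2^8
# compression calls. A real hash would use a 256-bit state.
STATE_LEN = 2      # bytes of chaining value
BLOCK_LEN = 4      # bytes per message block
IV = b"\x00" * STATE_LEN

def compress(state: bytes, block: bytes) -> bytes:
    """Toy compression function: SHA-256 of state||block, truncated to n bits."""
    return hashlib.sha256(state + block).digest()[:STATE_LEN]

def md_hash(msg: bytes) -> bytes:
    """Plain Merkle-Damgard iteration with length padding (MD strengthening)."""
    padded = msg + b"\x80"
    padded += b"\x00" * ((-len(padded)) % BLOCK_LEN)
    padded += len(msg).to_bytes(BLOCK_LEN, "big")
    state = IV
    for i in range(0, len(padded), BLOCK_LEN):
        state = compress(state, padded[i:i + BLOCK_LEN])
    return state

def one_block_collision(state: bytes) -> tuple:
    """Birthday search for distinct blocks b0 != b1 with compress(state, b0)
    == compress(state, b1). Returns (b0, b1, compression calls used)."""
    seen = {}
    counter = 0
    while True:
        block = counter.to_bytes(BLOCK_LEN, "big")
        counter += 1
        out = compress(state, block)
        if out in seen:
            return seen[out], block, counter
        seen[out] = block

def joux_multicollision(k: int) -> tuple:
    """Chain k single-block collisions from the IV. Either block at each
    position reaches the same chaining value, so all 2^k messages share one
    hash after about k * 2^(n/2) calls, not the ~2^n a generic search needs."""
    state, pairs, work = IV, [], 0
    for _ in range(k):
        b0, b1, calls = one_block_collision(state)
        pairs.append((b0, b1))
        work += calls
        state = compress(state, b0)          # equals compress(state, b1)
    messages = [b"".join(choice) for choice in itertools.product(*pairs)]
    return messages, work
```

Calling joux_multicollision(8) returns 256 distinct messages with a single md_hash value after only a few thousand compression calls, which is why the slide asks how far an n-bit iterated hash can be trusted against an attacker with 2^(n/2) work.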

6 Impact of Attacks: Summary
● Urgent need to migrate from MD5
● Less urgent need to migrate from SHA1
● SHA1 result may undermine confidence in SHA256
  – Same organization designed it (NSA)
  – Same organization standardized on it (NIST)
  – Similar enough design to raise concerns
● ...but is public crypto community doing any better?
  – How well do we understand hash functions?

7 How to React to Attacks?
● Short-Term:
  – Migration to SHA256 and truncated SHA256
  – A few special-purpose workarounds
  – Evaluate SHA256/512 for security
● Long-Term:
  – Existing alternatives to SHA family?
  – Developing new algorithms?

8 Short-Term Reaction: Migration and Workarounds
● Migration to SHA256
  – Urgent need for cryptanalysis before mass migration
  – Truncated SHA256 (SHA-x): Drop-in replacement for SHA1 and maybe MD5
● Change certificate signing and other protocols to minimize impact of collisions on applications.
● Problems:
  – SHA256 confidence?
  – Hard to migrate twice.
  – MD5 and SHA1 apps in very different situations.

9 Long-Term Reaction: New Algorithms?
● SHA256/512 already in protocols and products
  – Won't be withdrawn unless a real attack appears
  – Do we need another algorithm?
● Few existing choices with required parameters
  – {256, 384, 512} bit output for {128, 192, 256} bit collision resistance
● A few possibilities:
  – Whirlpool (256/384/512)
  – GOST hash (256)
  – Existing generic block cipher constructions w/ AES

10 New Algorithms: Requirements We Know About
● Drop-in Replacement for SHA family
● Output size = {224, 256, 384, 512}
  – (Truncation OK)
  – n-bit output must correspond to n/2-bit collision resistance (Needed for DSA, ECDSA)
● Usable in other common hash places
  – Pseudorandom Bit Generation
  – Key Derivation
● Public, unpatented, full disclosure of analysis and design process

11 New Algorithms: Requirements/Ideas to Discuss
● Possible security requirements
  – Block multicollisions and 2nd preimage attacks?
  – Fixing the length-extension property?
● What should be the performance requirements?
  – Parallelizability?
  – 8/32/64 bit architectures?
  – Side channels? (S-boxes, multiplies, etc.)
● Should we have multiple standards?
  – Block cipher construction from AES?
  – Special purpose provable hash functions?

12 Big Questions about New Algorithms
● Where will they come from?
  – NSA (like SHA family)?
  – Existing/published designs?
  – Other standards?
● Should there be an AES-like contest?
  – Not clear we can do this within our budget/manpower constraints!
  – Is hash function design/analysis a mature enough field to do this?
  – Nailing down requirements up front

13 The Workshop: Oct 31-Nov 1
This is where we'll discuss all these issues and try to get some consensus!
● Assess SHA1 and SHA256/512 strength
● Discuss short-term workarounds
● Long-term strategy
  – Use SHA256/512?
  – Use existing alternative?
  – Contest/process for designing new hash?
  – Requirements on new hash?