NIST is about to name the winner of a four-year competition for SHA-3. But one of the finalists questions whether we need it.
The National Institute of Standards and Technology is near the end of a four-year competition for a new Secure Hash Algorithm -- SHA-3 -- that would augment currently approved algorithms used for digitally signing and ensuring the integrity of digital documents.
But security iconoclast Bruce Schneier asks, do we really need a new algorithm? Are the existing ones good enough, and are any of the candidates good enough to warrant the change?
"It's probably too late for me to affect the final decision, but I am hoping for 'no award,' " Schneier wrote in a recent blog post. It’s not that the candidates are bad, he says. He even has a horse in the race, an algorithm called Skein, which is one of the finalists and which he would like to see get the nod if a nod is given.
But SHA-2 is holding up well, he writes. “Even worse, none of the SHA-3 candidates is significantly better.”
All of which raises the question: How good is good enough?
Running a hash algorithm against a digital message creates a digest, or string of bits of a specific length, that is unique to the message and can be used to verify that the contents of a digital document have not been altered. If a message is changed by a third party, the hash digests will no longer match, exposing the fact that it has been altered.
The algorithms now specified in Federal Information Processing Standard 180-4, which are required for some government applications, are deemed secure because it is mathematically unlikely -- but not impossible -- that the contents of a "hashed" message could be derived from the message digest.
But cracks began to appear in 2007 in the algorithms that collectively make up SHA-2, and it was decided to begin a competition for a new, stronger SHA. SHA-2 is a set of cryptographic hashes, including SHA-224, SHA-256, SHA-384 and SHA-512, with the numbers in each indicating the number of bits in the algorithm, and the combined SHA-512/224 and SHA-512/256.
The weaknesses in SHA-2 were not critical, but why not use the available time to get a new one in place? The competition began with 64 submissions in 2008, of which 51 met the minimum criteria for being considered. That was whittled down to 14 strong contenders, which in late 2011 was reduced to five finalists. The decision is expected to be announced by the end of the year.
But Schneier points out that cryptanalysis techniques against SHA-2 have not advanced as expected. The finalists are incremental improvements, he said; a little faster, a little more efficient, but no order-of-magnitude improvements. Given that, they are not needed in the standard, he said.
"Standards are better with fewer options," he wrote. "Already there are too many hash function options -- more won’t help."
I don’t pretend to know how strong is strong enough for a secure hash function or whether the disadvantages of expanding the standards outweigh the advantages. It might be a little late in the SHA-3 game to raise the questions, but they do deserve consideration.