NIST Releases SHA-256, SHA-512
An Anonymous Coward writes: "The National Institute of Standards and Technology (NIST) has just released a series of cryptographic hash functions (SHA-256, SHA-384, SHA-512) to work with the new Advanced Encryption Standard. Of course, they must be secure since they're designed by our good friends at the NSA."
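As an added example (not part of the submission or any comment on this page), the following Python uses the standard `hashlib` module to show why the three new digest sizes pair with the AES key sizes mentioned above: an n-bit hash offers roughly n/2 bits of collision resistance, so SHA-256, SHA-384 and SHA-512 match AES-128, AES-192 and AES-256 respectively. It also checks a point practitioners sometimes get wrong, that SHA-384 is not simply the first 48 bytes of SHA-512. The sample message is constructed.

```python
import hashlib

# Constructed sample message; any bytes would do.
MESSAGE = b"NIST SHA-2 family: SHA-256, SHA-384, SHA-512"


def security_bits(digest_bits):
    """Generic bounds for an ideal n-bit hash: collision resistance is
    about n/2 bits (birthday bound), preimage resistance about n bits."""
    return {"collision": digest_bits // 2, "preimage": digest_bits}


def hash_profile(message):
    """Return digest size, security bounds and the AES key size whose
    strength each hash's collision resistance matches. SHA-1 is included
    for contrast with the three new functions."""
    rows = {}
    for name in ("sha1", "sha256", "sha384", "sha512"):
        h = hashlib.new(name, message)
        bits = h.digest_size * 8
        sec = security_bits(bits)
        rows[name] = {
            "digest_bits": bits,
            "collision_bits": sec["collision"],
            "preimage_bits": sec["preimage"],
            # Collision resistance is what an AES key of this size offers
            # against brute force; 80 bits (SHA-1) matches no AES size.
            "matches_aes_key_bits": sec["collision"] if sec["collision"] in (128, 192, 256) else None,
            "hexdigest": h.hexdigest(),
        }
    return rows


def sha384_is_truncated_sha512(message):
    """SHA-384 shares SHA-512's compression function but uses different
    initial hash values, so its output is NOT a prefix of SHA-512's.
    This returns False for every input."""
    return hashlib.sha384(message).digest() == hashlib.sha512(message).digest()[:48]


if __name__ == "__main__":
    for name, row in hash_profile(MESSAGE).items():
        print(f"{name}: {row['digest_bits']}-bit digest, ~{row['collision_bits']}-bit collision "
              f"resistance, matches AES-{row['matches_aes_key_bits']}")
    print("SHA-384 is a prefix of SHA-512:", sha384_is_truncated_sha512(MESSAGE))
```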
Remember that this is the same NSA who produced the original SHA, then made a small modification (SHA-1) to secure it against some attack which they wouldn't tell us about, and nobody outside the NSA has yet been able to work out what the problem actually was.
What gets me is that to qualify for AES, you had to provide (virtual) reams of documentation about the creators' attempts to break it, and with good reason. What did the NSA provide as evidence that their new hashes are secure?
sub f{($f)=@_;print"$f(q{$f});";}f(q{sub f{($f)=@_;print"$f(q{$f});";}f});
I can't remember the details now, but an attack on SHA-0 was found that does not work on SHA-1. Perhaps this means that the open crypto field is not as far behind the NSA as people think?
As a cryptographer I *am* inclined to trust these hash functions. Designing a back door would essentially require inventing a whole new - and much faster - way of doing public key crypto, and then hiding it from the world. And a back door into a hash function isn't as much use as one into, say, a block cipher - though we now know that all the secret tweaks NSA did on DES were aimed at increasing its strength. SHA-1 has stood the test of time where other hash functions (MD5 for example) look shaky. I strongly suspect that these are good for the purposes advertised.
--
Xenu loves you!