Slashdot Mirror


NIST Opens Competition for a New Hash Algorithm

Invisible Pink Unicorn writes "The National Institute of Standards and Technology has opened a public competition for the development of a new cryptographic hash algorithm, which will be called Secure Hash Algorithm-3 (SHA-3), and will augment the current algorithms specified in the Federal Information Processing Standard (FIPS) 180-2. This is in response to serious attacks reported in recent years against cryptographic hash algorithms, including SHA-1, and because SHA-1 and the SHA-2 family share a similar design. Submissions are being accepted through October 2008, and the competition timeline indicates that a winner will be announced in 2012."

187 comments

  1. hash algorithm hash recipe by Briden · · Score: 4, Funny

    i prefer the bubble bag method for making hash

  2. huh? by subk · · Score: 0

    Somebody care to help me figure out this sentence phragment?

    "This is in response to serious attacks reported in recent years against cryptographic hash algorithms, including SHA-1, and because SHA-1 and the SHA-2 family share a similar design."

    --
    Now, if you'll excuse me, I have backups to corrupt.
    1. Re:huh? by ByOhTek · · Score: 1

      what fragment of that sentance? There's a subject, main verb, helper verbs and objects!

      Maybe you didn't mean fragment, but I don't know what a phragment is...

      --
      Self proclaimed typo king, and inventor of the bear destroying coffee table (patent not pending).
    2. Re:huh? by cliveholloway · · Score: 1

      And I don't know what a sentance is either.

      If you're going to be a grammar Nazi, at least spell-check your post :)

      --
      -- Trinity in high heels carrying a whip: The donimatrix - there is no spoonerism
    3. Re:huh? by iminplaya · · Score: 1

      But if he was critiquing the misspelled word, wouldn't that make him a spelling Nazi?

      Call him a Nazi, he won't even frown,
      "Ha, Nazi, Schmazi," says Wernher von Braun.

      --
      What?
    4. Re:huh? by fuzzix · · Score: 1

      Call him a Nazi, he won't even frown,
      "Ha, Nazi, Schmazi," says Wernher von Braun.

      Ha! More anti-establishment mathematician music on Slashdot! :)
  3. I know I'm paranoid, but... by mollog · · Score: 0, Flamebait

    I know I'm being paranoid, but did anybody else think that this is a way for the gummint to get a look at the various methods people are using to secure their data? What better way to get the methods than to have a 'competition', something that will stroke the egos of crackers?

    --
    Best regards.
    1. Re:I know I'm paranoid, but... by Anonymous Coward · · Score: 1, Insightful

      Or even worse build a standard based on their work where there are very specific weaknesses built in- you know to fight ""terrorism""

    2. Re:I know I'm paranoid, but... by kebes · · Score: 5, Insightful

      I know I'm being paranoid, but did anybody else think that this is a way for the gummint to get a look at the various methods people are using to secure their data?

      I think you are being a bit paranoid! NIST is proposing an open competition to develop a new open standard for hashing. Anyone who wants to participate can do so. Anyone who wants to retain their "secret hashing method" can continue to keep it secret. It's not like the government is demanding anything. This is just a research agency promoting open research.

      Not to mention that I sincerely doubt that anyone is currently using some super-secret ultra-elite hashing algorithm that no one else knows about. This field of mathematics and security is quite mature and very much open to scrutiny currently. The current solutions are fully documented. I think the point here is that further progress isn't going to be made by lone researchers hiding their results: the only way forward is via more open collaboration.

      What better way to get the methods than to have a 'competition', something that will stroke the egos of crackers?

      If a cracker wants to sell his secrets at the cost of an ego-stroke, that's his choice. Nothing nefarious here. Again, NIST is not going to take these results and use them for evil ends (or even for commercial gain): they are hoping to create an open, public standard that everyone will benefit from (and which international experts in mathematics, cryptography, and computer security will analyze in detail). That's what NIST does.

      Sorry, but I think your paranoia is unfounded in this case!

      (Disclosure: I work with NIST, but have nothing to do with this project. Note that my opinions are my own and should not be construed as official statements from NIST.)
    3. Re:I know I'm paranoid, but... by Anonymous Coward · · Score: 0

      Or even worse build a standard based on their work where there are very specific weaknesses built in- you know to fight ""terrorism""
      That would be hard to do with an open standard.
    4. Re:I know I'm paranoid, but... by Cairnarvon · · Score: 1

      Even if that were plausible, it'd definitely be a risk worth taking. Cryptographic methods that are kept secret are never as secure as methods that are scrutinised by thousands of cryptanalysts around the world, as even the NSA itself has experienced on more than one occasion. Cryptographers, more than anyone else, are very much aware of the fact that security through obscurity just doesn't work.

    5. Re:I know I'm paranoid, but... by jddj · · Score: 1

      You are being paranoid.

      It's actually IMPORTANT to open the algorithm. An open algorithm is open to analysis for how well it performs its job, and for any bugs or short-circuits, any methods of recovering the input data from the hash. It's provably secure or insecure. You can analyze an open hash algorithm mathematically to determine how likely it is that two given input data items will evaluate to the same hash.

      With a closed algorithm, you can't perform this analysis. In the related discipline of encryption, this has tainted the reputation of the closed-algorithm Skype uses for its VOIP encryption. Skype can say its encryption is secure and free of backdoors all day long, but you'd be well advised not to believe this if its algorithm is not open for inspection.

      An open algorithm is ONLY secure if an attacker can know the entire algorithm and STILL not turn the hash back into the input data or engineer a hash collision in a reasonable amount of time even with, say, a huge bot farm. A closed algorithm may have any number of compromises, may not be secure in any real sense. The closed algorithm is protected only by the thin veil of obscurity.

    6. Re:I know I'm paranoid, but... by Cristofori42 · · Score: 1

      I've got one mod point left but I can't seem to find the "paranoid" option in the drop-down box here..

      --
      "Is that dad? Either that or Batman's really let himself go."
    7. Re:I know I'm paranoid, but... by UID30 · · Score: 1

      Not to mention that I sincerely doubt that anyone is currently using some super-secret ultra-elite hashing algorithm that no one else knows about.

      You have obviously never heard of my ROT-13.5 algorithm. They never figure out that extra .5

      --
      "Glory is fleeting, but obscurity is forever." - Napoleon Bonaparte
    8. Re:I know I'm paranoid, but... by Bob-taro · · Score: 1

      I know I'm being paranoid, but

      Admitting you have a problem is the first step ...

      Seriously, though, while your suspicion of their motives is not entirely unfounded, this probably won't help them crack anything. The best thing about a good encryption algorithm is that just knowing the algorithm isn't enough to allow you to crack it.

      --
      Prov 9:8 Do not rebuke mockers or they will hate you; rebuke the wise and they will love you.
    9. Re:I know I'm paranoid, but... by fuliginous · · Score: 1

      You are also being stupid. A good method of securing things is one that they cannot break even with knowing the method. So it makes no difference if they do know it.

      Having been rude enough to suggest you are being stupid I see a valid point if you meant they are attempting to get some of the methods used by bad guys out into the open, because currently they have no clue what they are as the first stage in looking for vulnerabilities.

      But to me it sounds far too like a TV, genius bad guys out there that have invented encryption strategies vastly superior to anyone else. In which case they aren't so smart if they come out and let people have it instead of just sitting there watching the protected data of the banking system whilst passing around their own inside information?

  4. Here's my hash algorithm: by Anonymous Coward · · Score: 0

    INGREDIENTS:

            * 2 to 3 tablespoons butter
            * 2 cups cooked corned beef, finely chopped
            * 3 cups cooked, chopped potatoes
            * 2 tablespoons minced onion
            * 2 tablespoons chopped parsley, optional
            * salt, pepper and brown gravy

    PREPARATION:
    Melt butter in a large skillet over medium-low heat. Add corned beef, potatoes, and minced onion; spread evenly in the skillet. Brown on one side; turn with a spatula and brown the other side. Continue turning until most of the meat and potatoes are well-browned.

    1. Re:Here's my hash algorithm: by flanman · · Score: 1

      Oh c'mon!!!

      MOD this up it's funny.

  5. SHA2? by Anonymous Coward · · Score: 0, Interesting

    I know SHA0 and SHA1 are broken but SHA2? I thought they're still secure to use, especially the SHA2-512. What am I missing?

    1. Re:SHA2? by Anonymous Coward · · Score: 0

      SHA-2 is a more secure version of SHA-1. A serious weakness in SHA-1 could lead to a similar weakness in SHA-2.
      A completely different algorithm probably won't have the same flaws.

      Also, they're looking for an algorithm that will be secure until probably 2020. I doubt that's the case for most hashes in use today.

    2. Re:SHA2? by InvisiBill · · Score: 1

      I know SHA0 and SHA1 are broken but SHA2? I thought they're still secure to use, especially the SHA2-512. What am I missing?

      From TFS:

      because SHA-1 and the SHA-2 family share a similar design
    3. Re:SHA2? by Anonymous Coward · · Score: 0

      Like they said, SHA2 is related to SHA1, so they fear that problems in SHA1 indicate problems in SHA2.

  6. Encryption == Something to Hide by explosivejared · · Score: 4, Funny

    Why does the government promote creating new encryption methods when encrypting data so clearly means you have something to hide and are therefore guilty? I mean COME ON!

    --
    I got a catholic block.
    1. Re:Encryption == Something to Hide by Ang31us · · Score: 1

      LOL! You should be writing material for Colbert ;-) . All you're missing is the sarcasm tags...you are kidding, right? hehehe

    2. Re:Encryption == Something to Hide by Anonymous Coward · · Score: 0

      Duh! They need some way of finding the terrorists. Everyone who enters can be arrested for treason because they're aiding the terrorists hide their terrorist plots!

    3. Re:Encryption == Something to Hide by Anonymous Coward · · Score: 0

      Encryption hardly means you have "something to hide" and are "therefore guilty," as you say it - it only implies that the information being passed between parties is sensitive and confidential, if anything. For just one brief example, think about every time you used a password on a website - it doesn't in any way imply that you are engaged in criminal activity, it is used to determine whether you should have access to your account. The site could store this information as plain-text. A more secure way of doing it, however, would be to create a hash of your password when you log in, and check it against the one stored on the server to determine whether to allow access. The use of a good hashing algorithm means that you can log onto your favorite website without it storing your password in plain-text, for an insider (or skilled attacker) to find and exploit.
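An added example, not code from the thread or any poster, of the scheme the post above sketches: the site never stores the password itself, only a salted and iterated verifier, and checks a login attempt by recomputing it. It uses only Python's standard library; the iteration count, salt length and record layout are assumptions chosen for the demo.

```python
import hashlib
import hmac
import os
from typing import Optional

# Demo parameters (assumed values for this example, not from the thread).
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16
RECORD_ALGO = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Derive a salted, stretched verifier and return it as a self-describing
    record: 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>'.
    The per-user salt means two users with the same password get different
    records, so a stolen table cannot be attacked with one precomputed lookup,
    and the iteration count slows down guessing if the table does leak."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{RECORD_ALGO}${iterations}${salt.hex()}${derived.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the verifier from the stored salt and parameters and compare
    in constant time. Malformed or foreign records verify as False rather
    than raising, so a corrupt row cannot turn into a crash or a bypass."""
    try:
        algo, iterations, salt_hex, hash_hex = record.split("$")
        if algo != RECORD_ALGO:
            return False
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                        bytes.fromhex(salt_hex), int(iterations))
        return hmac.compare_digest(candidate, bytes.fromhex(hash_hex))
    except ValueError:
        return False


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("correct horse battery stapler", record))  # False
```

Note that the plain-hash scheme the post describes (hash the password, store the hash) is the starting point; the salt and iteration count are what stop an insider who copies the table from reversing it with a precomputed dictionary, which is the threat the post names.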

    4. Re:Encryption == Something to Hide by lukesky321 · · Score: 1

      there is a difference between encryption and hashing.

      encryption: The process of converting information into a form unintelligible to anyone except holders of a specific cryptographic key.

      hashing: The production of a "hash value" to ensure that information or software is protected against tampering.

      hashing is not used to encrypt data instead it is used to ensure the integrity of the data.

    5. Re:Encryption == Something to Hide by explosivejared · · Score: 1

      That's splitting hairs there. Why would anyone encrypt something unless they wanted it to remain untampered with?

      --
      I got a catholic block.
    6. Re:Encryption == Something to Hide by lukesky321 · · Score: 1

      it is possible for files transferred over any interface to become corrupted, not necessarily by human malice. for example I've burned a copy of fedora 6 onto a disc and I had bad ram which caused it to become corrupted and not install on a machine. I got another fedora 6 disc that I knew worked, performed a hash on both discs and they were not the same.

    7. Re:Encryption == Something to Hide by mattpalmer1086 · · Score: 1

      It seems like splitting hairs, but actually it matters. People used to think that if you encrypted something, it was safe from modification, but that's just not true. They thought that if it was encrypted, it would be impossible for an attacker to create useful changes in it, but it turns out that isn't true.

      One very simple attack was changing the grades in a school system. The school encrypted the grades, so they thought they were safe from change. The failed students hacked into the system, and just changed their data to the same data held against students they knew had done well. Anyway, that's just one way that encryption doesn't protect you against malicious modification. It gets a lot sneakier the more you look into it.

    8. Re:Encryption == Something to Hide by flosofl · · Score: 2, Informative

      One very simple attack was changing the grades in a school system. The school encrypted the grades, so they thought they were safe from change. The failed students hacked into the system, and just changed their data to the same data held against students they knew had done well. Anyway, that's just one way that encryption doesn't protect you against malicious modification. It gets a lot sneakier the more you look into it.

      What was the school using, ROT13? It sounds like they were using a substitution cipher not a modern algorithm. If they had been using any kind of real encryption, there would be no way that technique would be possible. Some of the tests that modern encryption algorithms have to face are frequency analysis (which substitution ciphers fail) and known plain text attacks (I assume the students had access to the encrypted txt and their real information). Other than the school using a centuries old, easily defeated technique I call bullshit.

      Modern encryption *does* protect you from malicious altering of information. I encourage you to read up on Message Authentication Code (and all its sundry relatives, UMAC, HMAC, CMAC). By changing just one character in an encrypted block, you have just caused the MAC to show a mismatch and invalidate the integrity and authenticity of the data. Unless they have the key used for encryption (which would raise the question of why they simply substituted characters in an encrypted field), they are shit out of luck trying to fool anyone. Yes, the cipher block is useless, but no one will be "tricked" by the changed grade, either.

      --
      "This calls for a very special blend of psychology and extreme violence" - Vyvyan "The Young Ones"
    9. Re:Encryption == Something to Hide by Anonymous Coward · · Score: 0

      What was the school using, ROT13? It sounds like they were using a substitution cipher not a modern algorithm. If they had been using any kind of real encryption, there would be no way that technique would be possible.

      The attack described is perfectly feasible using a modern block cipher used in an unsuitable mode such as ECB, or CBC with a static or inappropriately reused IV.

      Modern encryption *does* protect you from malicious altering of information.

      No! A MAC is not encryption (though it may be implemented using a block cipher) -- you cannot decrypt a MAC tag and produce the original message! There are certain constructions known as authenticated encryption which do provide this property such as Galois Counter Mode, but they're not exactly commonly used as yet.

    10. Re:Encryption == Something to Hide by maxwell+demon · · Score: 1

      Why would anyone encrypt something unless they wanted it to remain untampered with?

      Because they want the content to be unknown to third parties.
      --
      The Tao of math: The numbers you can count are not the real numbers.
    11. Re:Encryption == Something to Hide by flosofl · · Score: 1

      The attack described is perfectly feasible using a modern block cipher used in an unsuitable mode such as ECB, or CBC with a static or inappropriately reused IV.

      Yes, I will grant you that figuring it out given weak edge conditions or due to a poor implementation is possible, but it's still not as simple as just opening a file and changing a couple of characters.

      No! A MAC is not encryption (though it may be implemented using a block cipher) -- you cannot decrypt a MAC tag and produce the original message! There are certain constructions known as authenticated encryption which do provide this property such as Galois Counter Mode, but they're not exactly commonly used as yet.

      And I never said that. What I said was, that altering the encrypted data (even 1 bit) will cause it to not validate against the MAC when the data is decrypted. In other words, the data will no longer be considered as having any integrity or authenticity (or being nonrepudiable). I consider this "protected". Yes, I will probably have to restore from a backup, but I won't be relying on bogus information. Plus, minus your edge cases above, the block of the edit onward would most likely decrypt to nothing but gibberish. The OP seemed to think that someone could alter data in a non-detectable way simply by editing a file. The only way to do it in a non-detectable manner would be to actually have the key used for encryption. And if that's the case, what the hell were they doing editing the encrypted file?

      --
      "This calls for a very special blend of psychology and extreme violence" - Vyvyan "The Young Ones"
    12. Re:Encryption == Something to Hide by DarkOx · · Score: 1

      Why would anyone encrypt something unless they wanted it to remain untampered with?

      Because they want the content to be unknown to third parties.

      And in what case would I want the content to be unknown to third parties but not care if third parties tampered with it?

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    13. Re:Encryption == Something to Hide by maxwell+demon · · Score: 1

      Of course you don't want your content to be tampered with, but that doesn't mean that the use of encryption is for that goal. The fact that you encrypt something doesn't mean that you can't use other measures to prevent tampering with it.

      --
      The Tao of math: The numbers you can count are not the real numbers.
    14. Re:Encryption == Something to Hide by mattpalmer1086 · · Score: 1

      In this case, each student's grades were encrypted independently of each other. The hackers just literally copied the encrypted grade for a good student over their own. The school assumed that because the grades were encrypted they were "secure", when in fact you can attack without having to decrypt or alter existing encryption at all. I did say it was a simple example, but it illustrates how "security" is hard for people who are untrained. There are more complex attacks on encryption itself that can produce useful alterations inside encrypted data without decrypting it.

      HMACs aren't encryption by the way, but they are cryptography. They are hashing algorithms combined with a secret key. Unlike encryption, you can't recover the original information from them, even with the secret key. Modern *cryptography* protects from malicious alteration, but modern encryption does not - it protects confidentiality of information. They are intentionally separate - any good cryptographer knows you have to protect integrity and confidentiality using separate security primitives. Splitting hairs? Not really - that's how the crypto community understands it.
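An added example, not any poster's code, that runs the grade-substitution story from this sub-thread both ways: once against a store that only encrypts (the row copied from a good student decrypts and is accepted), and once against encrypt-then-MAC where the tag also covers the student id, so the copied row and a one-bit edit are both rejected. The cipher is a stand-in, an XOR keystream drawn from SHAKE-256 over key||nonce (an assumption for the demo; a real system would use an authenticated mode such as AES-GCM or ChaCha20-Poly1305), and the keys are constructed constants.

```python
import hashlib
import hmac
import os

# Constructed demo keys; in a real deployment they come from a KMS or a KDF.
ENC_KEY = bytes.fromhex("0f" * 32)
MAC_KEY = bytes.fromhex("a5" * 32)
NONCE_BYTES = 16


def xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in cipher (assumption): XOR with a SHAKE-256 keystream derived from
    key||nonce. Like any stream or CTR-mode cipher it gives confidentiality
    only; bytes can be swapped or flipped without knowing the key."""
    stream = hashlib.shake_256(key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(student_id: str, grade: str) -> dict:
    """Encrypt-then-MAC. The tag covers the student id, nonce and ciphertext,
    so the record is bound to the row it was written for."""
    nonce = os.urandom(NONCE_BYTES)
    ct = xor_stream(ENC_KEY, nonce, grade.encode())
    tag = hmac.new(MAC_KEY, student_id.encode() + nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce, "ct": ct, "tag": tag}


def open_unauthenticated(row: dict) -> bytes:
    """The school's mistake as told in the thread: decrypt and trust the result."""
    return xor_stream(ENC_KEY, row["nonce"], row["ct"])


def open_authenticated(student_id: str, row: dict) -> bytes:
    """Verify the tag in constant time before decrypting anything."""
    expected = hmac.new(MAC_KEY, student_id.encode() + row["nonce"] + row["ct"],
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, row["tag"]):
        raise ValueError("integrity check failed")
    return xor_stream(ENC_KEY, row["nonce"], row["ct"])


def substitution_demo() -> tuple:
    """Copy a good student's encrypted row over a failing student's row."""
    db = {"alice": seal("alice", "A"), "mallory": seal("mallory", "F")}
    db["mallory"] = dict(db["alice"])            # the copy-paste from the thread
    naive = open_unauthenticated(db["mallory"])  # b"A": accepted, nothing noticed
    try:
        open_authenticated("mallory", db["mallory"])
        detected = False
    except ValueError:
        detected = True                          # tag was computed for "alice"
    return naive, detected


def bitflip_demo() -> tuple:
    """The 'useful alteration without decrypting' case: with a stream cipher,
    flipping ciphertext bits flips the same plaintext bits ('F' ^ 0x07 == 'A')."""
    row = seal("mallory", "F")
    ct = bytearray(row["ct"])
    ct[0] ^= 0x07
    row["ct"] = bytes(ct)
    naive = open_unauthenticated(row)            # b"A" again, silently
    try:
        open_authenticated("mallory", row)
        detected = False
    except ValueError:
        detected = True
    return naive, detected


if __name__ == "__main__":
    print(substitution_demo())  # (b'A', True)
    print(bitflip_demo())       # (b'A', True)
```

The point the sub-thread converges on is visible in the two `open_*` functions: the cipher alone cannot tell a legitimate row from a copied or edited one, and it is the MAC, keyed separately and covering the row identity as well as the ciphertext, that supplies integrity. Leaving the student id out of the MAC input would let the copied row pass again, which is why the binding matters as much as the tag itself.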

    15. Re:Encryption == Something to Hide by INT_QRK · · Score: 1

      OK, so, I assume that you really do understand the utility of hash algorithms, but others may not, so it's worth being serious for a second, just for their sake. NIST is concerned with information assurance in toto, which encompasses not just the confidentiality of information (e.g., with good cyphers), but also other aspects of that information such as its assured availability, integrity, authenticity and even non-repudiation. Hash algorithms, by the fact that they compute presumably unique one-way "digests" of an information set, provide a basis for comparing an original information set with its copy. If a recomputed digest at destination matches the digest computed at origin, then the information can be presumed (given other conditions) to have retained its integrity (and potentially also its authenticity and even non-repudiation). The reason that new improved algorithms are needed from time to time is that smart people with sufficient computing resources, apropos "Moore's Law," will eventually find a way to produce "collisions," or two different data sets computing to the same digest. Once a collision has been found, notwithstanding how difficult it was to produce, the authenticity of a digest produced by that algorithm will always be suspect from then on, to some degree at least. Further, NIST, by promoting an open competition, better assures widespread, transparent, peer review of competing algorithms. Everybody gets a crack at trying to crack the code, so to speak. Security is better assured through the validity of the math and methods, rather than reliance on non-valid factors such as the reputation of the source and the obscurity of the code.
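An added example, not code from the thread, of the digest-at-origin versus digest-at-destination check described above and of the two-discs comparison from lukesky321's post earlier in the thread: the image is hashed in chunks so a multi-gigabyte file never has to fit in memory, the comparison is constant-time, and a single flipped bit (what bad RAM might do) is enough to fail it. The 256 KiB "disc image" is constructed inline and is not real data.

```python
import hashlib
import hmac
import io

CHUNK_SIZE = 64 * 1024  # hash large images without loading them whole


def digest_stream(stream, algorithm: str = "sha256") -> str:
    """Digest a binary stream chunk by chunk; this is the 'digest computed at
    origin' and, run again on the copy, the 'recomputed digest at destination'."""
    h = hashlib.new(algorithm)
    for chunk in iter(lambda: stream.read(CHUNK_SIZE), b""):
        h.update(chunk)
    return h.hexdigest()


def verify_stream(stream, published_hex: str, algorithm: str = "sha256") -> bool:
    """Compare the recomputed digest with the published one in constant time.
    The 'other conditions' the post mentions apply here: the published digest
    only proves anything if it arrived over a channel the attacker could not
    also rewrite (a signed release file, or a second independent source)."""
    return hmac.compare_digest(digest_stream(stream, algorithm), published_hex.lower())


def corruption_demo() -> tuple:
    """Constructed stand-in for the two discs: the good image and a copy with
    one flipped bit. Returns (good verifies, corrupt verifies)."""
    good = bytes(range(256)) * 1024           # 256 KiB of constructed content
    bad = bytearray(good)
    bad[70_000] ^= 0x01                       # the bad-RAM bit flip
    origin_digest = digest_stream(io.BytesIO(good))
    return (verify_stream(io.BytesIO(good), origin_digest),
            verify_stream(io.BytesIO(bytes(bad)), origin_digest))


if __name__ == "__main__":
    print(corruption_demo())  # (True, False)
    with open(__file__, "rb") as f:
        print(digest_stream(f))
```

Swapping `algorithm` lets the same code compare against whatever digest the distributor publishes, which is also the practical reason the competition matters: when a hash is retired, only the `algorithm` string changes, not the verification procedure around it.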

    16. Re:Encryption == Something to Hide by SnowZero · · Score: 1

      Clearly you are a hat-wearing terrorist.

  7. I don't get it by eclectro · · Score: 1

    Once I develop the winning uber hash function, what do I get? I can't find in the timeline where it mentions a large cash prize with strippers jumping out of cake. Some balloons too.

    Where is the link in the story to this part? Anyone?

    --
    Take the cheese to sickbay, the doctor should see it as soon as possible - B'Elanna Torres, "Learning Curve"
    1. Re:I don't get it by bmac83 · · Score: 4, Funny

      Pay attention. You will be given a short string of characters that describes how to get from the prize to where you currently are, but from the directions it will be impossible to find your way back to the prize.

    2. Re:I don't get it by Lord+Ender · · Score: 4, Insightful

      If you can claim to be the author of the US government standard cryptographic hash, you get to charge pretty much whatever you want in consulting fees.

      --
      A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
    3. Re:I don't get it by click2005 · · Score: 2, Funny

      The cake is a lie
      The cake is a lie
      The cake is a lie
      The cake is a lie

      --
      I am a free slashdotter. I will not be modded, blogged, DRM'd, patented, podcasted or RFID'd. My life is my own.
    4. Re:I don't get it by ajlitt · · Score: 4, Funny

      If you cannot comprehend the string, assume the party escort submission position. A party representative will arrive shortly to escort you to your prize and a party celebrating your reception of said prize. There will be cake.

    5. Re:I don't get it by Chapter80 · · Score: 0

      If you can accurately claim to be the author of the US government standard cryptographic hash, you get to charge pretty much whatever you want in consulting fees.

      There, I fixed it for ya.
    6. Re:I don't get it by Gat0r30y · · Score: 1

      Screw it, I'm gonna have my own hashing algorithm competition, with strippers, and booze. Ah, forget the competition.

      --
      Prediction: The real iPhone killer is going to be sex robots from Japan. Think about it.
  8. Weird parallel structure by timster · · Score: 1

    This is
        in response to serious attacks reported in recent years against cryptographic hash algorithms, including SHA-1
    and
        because SHA-1 and the SHA-2 family share a similar design.

    You won't catch me defending this abomination of a sentence, but that's how I'd parse such a thing.

    --
    I have seen the future, and it is inconvenient.
  9. I have it! by 0100010001010011 · · Score: 1

    Jung qb V jva?

    1. Re:I have it! by treeves · · Score: 1

      You win nothing.

      --
      ...the future crusty old bastards are already drinking the Kool-Aid.
    2. Re:I have it! by sconeu · · Score: 1

      Lbh snvy vg!

      --
      General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
    3. Re:I have it! by Nibbler999 · · Score: 1

      Mod parent -1 Erqhaqnagn.

    4. Re:I have it! by maxwell+demon · · Score: 1

      I think you have a redundant a.

      --
      The Tao of math: The numbers you can count are not the real numbers.
  10. What would happen if... by caluml · · Score: 1, Interesting

    What would happen if you wrote a program to randomly create algorithms? Most of them would be rubbish, but occasionally you'd hit gold. It must be possible for computers to create formulas that "add up" - i.e. that work?

    1. Re:What would happen if... by SigILL · · Score: 4, Insightful

      What would happen if you wrote a program to randomly create algorithms? Most of them would be rubbish, but occasionally you'd hit gold.

      Yes, and you'd spend most of your time trying to prove those algorithms are any good. That's the hard part anyhow, coming up with new algorithms isn't.
      --
      Error: password can't contain reverse spelling of ancient Chinese emperor
    2. Re:What would happen if... by sveard · · Score: 1

      Wouldn't it take a very long time to create a decent algorithm? Like, for example, generating a random piece of music that was not only generated at random but also good to listen to? Or like generating random strings and combine the ones that aren't rubbish into crap, like a Harry Potter book or something?

    3. Re:What would happen if... by Anonymous Coward · · Score: 0

      This has already been done several times. The most popular approach is genetic programming.

    4. Re:What would happen if... by hey · · Score: 1

      Automate the testing (of the algorithms).

    5. Re:What would happen if... by Urza9814 · · Score: 1

      ...is there a limit on how many you can submit? :)

    6. Re:What would happen if... by springbox · · Score: 1

      That's the idea behind genetic algorithms. Although the approach is a bit "smarter." Actually, I had the idea of making a hashing algorithm using a GA for the (second) time yesterday.

    7. Re:What would happen if... by xZgf6xHx2uhoAj9D · · Score: 1

      I'll go out on a limb and say that if you were to come up with automated tests, those tests would show that SHA-1 is an absolutely glorious hashing algorithm, perfectly 100% without defects. In other words, your automated testing won't really have bought any more security.

      Proving properties about algorithms is HARD. Writing an algorithm to prove properties about algorithms is HARDER. Unfortunately this idea still seems to pervade much of AI research, such as in machine learning: "well I'm not smart enough to solve this problem, but surely the AI I designed will be!" No. It won't. Whatever AI you create, it will be dumber than you are.

    8. Re:What would happen if... by Anonymous Coward · · Score: 0

      This already exists. There is a field within Machine Learning (a distinct branch of Artificial Intelligence) called Genetic Programming which is a kind of evolutionary algorithm that generates programs and promotes those that are the most successful at solving the given problem. It is related to the more well known Genetic Algorithms and has a few notable variants.

    9. Re:What would happen if... by Non-Huffable+Kitten · · Score: 1

      The problem is that it's impossible to write a fixed algorithm that will decide whether the algorithm you generated computes a function with a given property (it's impossible for any non-trivial property). E.g. you can't even systematically decide whether or not the algorithm you generated will ever halt.

      --
      Medium cat is MEDIUM.
    10. Re:What would happen if... by Anonymous Coward · · Score: 0

      What would happen if you wrote a program to randomly create algorithms? Most of them would be rubbish, but occasionally you'd hit gold.

      Yes, and you'd spend most of your time trying to prove those algorithms are any good. That's the hard part anyhow, coming up with new algorithms isn't.

      That's simple enough to fix. Just make a program which attempts to randomly prove algorithms. Every so often it would get the proof right, and then you'd hit gold. :)
    11. Re:What would happen if... by SiliconEntity · · Score: 1

      What would happen if you wrote a program to randomly create algorithms?

      This brings up a few interesting facts. The vast majority of random functions (restricting to ones with the right input and output sizes) would make 100% perfect hash functions. In fact this is true virtually by definition. So in a way, finding a new hash function is easy - just pick one at random. (The same is true for encryption functions.)

      However, there are two small problems. First, the vast majority of random functions take more room to implement than there are atoms in the universe. And they will take longer to execute than there have been nanoseconds since the beginning of time.

      So the pick-a-random-function idea has a problem. This leads to plan B: pick a random function from among those that can be specified concisely, and which have reasonable running times. How well would that work?

      That's an interesting question that I don't think anyone has an answer to. It's possible that this would work pretty well, and that virtually all of the resulting functions would be so clumpy and irregular and messy that (a) they could never be proven secure, but (b) they could never be found insecure via analytic attack. In other words, the sheer messiness of the functions might actually be a strength.

      However it's also possible that this method would not work well and that most such random functions would be weak. It's well known that amateur-designed ciphers do not have a good track record, and they sometimes seem to use a similar methodology. ;-)

      But even if it does work, it faces another problem. Hand-crafted hash functions from the experts have another desirable property: performance. They are fine-tuned to provide the best speed possible with the greatest strength possible. They are, in effect, works of art that balance two competing goals and attempt to find the perfect harmony between them. Random, kludgy, messy hash functions might work, they might even be reasonably fast, but the chances are very low that they will ever offer the exquisite combination of speed and strength that will be exhibited by the best of the candidate algorithms in this competition.

    12. Re:What would happen if... by BenBoy · · Score: 1

      Actually there are methods of using computers to create new programs that do, in fact, involve a stochastic element (mutation and randomized mating (the latter if the computer has access to beer, I suppose)).

    13. Re:What would happen if... by Anonymous Coward · · Score: 0

      This is 100% true. The weaknesses discovered in these hashing algorithms are never really found because someone notices them, it's because someone notices some flaw that can be exploited in some way in theory, which quickly moves to in practice. It takes careful study and observation to find them. MD5 for example has a weakness in its vulnerability to the birthday attack.

    14. Re:What would happen if... by Gat0r30y · · Score: 1

      These sorts of "Genetic" algorithm creating programs have been used previously. I have no link, but I do recall a guy writing one such program (I believe the intent was to create a checkers playing program) which would randomly 'inherit' traits from previous generations of the program, then the population of programs competes (by playing checkers), winners live, losers die, and the winners go on to 'breed' (in the way that the next generation will 'inherit' some of the traits of the winners). After thousands of generations I believe he actually succeeded in getting a pretty good program.

      --
      Prediction: The real iPhone killer is going to be sex robots from Japan. Think about it.
    15. Re:What would happen if... by maxwell+demon · · Score: 1

      No. What's impossible is to write an algorithm which can tell for every algorithm if it will halt. It's definitively possible to write an algorithm which can tell for some algorithms whether they can halt (a very simple example would be an algorithm which returns "yes" for "int main() {}", "no" for "int main() { while(true); }" and "maybe" otherwise). Now given that humans cannot tell for every given algorithm as well (a human can only handle a certain amount of complexity), the crucial question is if algorithms can be better than humans in doing so. Existing algorithms obviously are not, but AFAIK there's no known reason why it should be impossible in principle.

      --
      The Tao of math: The numbers you can count are not the real numbers.
    16. Re:What would happen if... by Non-Huffable+Kitten · · Score: 1

      Hint: Notice the words "fixed" and "systematically". I thought mentioning the issue casually like that would be a good balance between confusing the newcomers and triggering the computability theorists. Unfortunately I seem to have overestimated their reading comprehension skills compared to their desire to write condescending posts.

      No hard feelings ;)

      --
      Medium cat is MEDIUM.
    17. Re:What would happen if... by TheRaven64 · · Score: 1

      Genetic algorithms only work in cases where you have a clear criterion for 'better.' I suppose such a criterion for hashing algorithms would be fewer collisions on random data, but then you would be more likely to find flaws in your random number generator than get a good hashing algorithm.

      --
      I am TheRaven on Soylent News
    18. Re:What would happen if... by stratjakt · · Score: 0

      1000 monkeys and 1000 typewriters..

      If you knew enough to analyze the randomness getting spewed out, you'd think you'd know enough to just write the algorithm/novel/play in the first place.

      --
      I don't need no instructions to know how to rock!!!!
    19. Re:What would happen if... by zippthorne · · Score: 1

      Yeah but the problem is that the monkeys tend to pick the same three keys most of the time.

      --
      Can you be Even More Awesome?!
    20. Re:What would happen if... by maxwell+demon · · Score: 1

      Well, I'm not a native English speaker, so I might miss some other meaning of the words, but I'd consider the simple (but utterly useless) explicit algorithm I described both as fixed (you can run it as-is on every program you want; you'll just get no useful answer in almost all cases) and systematic (the system is quite simple - just two comparisons -, but there's nothing random about it).

      --
      The Tao of math: The numbers you can count are not the real numbers.
    21. Re:What would happen if... by Non-Huffable+Kitten · · Score: 1

      Granted, what I wrote wasn't exactly unambiguous (and I'm not a native speaker myself), but as far as I'm aware, if you have some statement involving some variables x and y, "fixed x" is used to emphasize that x may not depend on y (the quantifier for x is to the left of the one for y). But yeah, actually in this case the distinction is somewhat important so maybe I should have written it out more explicitly.

      --
      Medium cat is MEDIUM.
    22. Re:What would happen if... by k.ovaska · · Score: 1

      What would happen if you wrote a program to randomly create algorithms? Most of them would be rubbish, but occasionally you'd hit gold. It must be possible for computers to create formulas that "add up" - i.e. that work?

      Doesn't work. The search space for feasible hash algorithms is astronomically large and if you pick one randomly, chances are it's not very good. Humans are good at pruning out most of the search space and concentrating on algorithms that look promising. Of course, human pruning isn't perfect since otherwise we would already have a perfect hash algorithm - if one exists. Also, designing an algorithm is easy but showing that it's secure is hard. The competition timeline has several years reserved for public analysis of proposed algorithms.

    23. Re:What would happen if... by GPL4ever · · Score: 1

      Genetic algorithms perhaps?

  11. Encryption != Hashing by rock217 · · Score: 4, Informative

    Encryption implies that you can reconstruct the original string from the encoded. Methods like md5, sha1, etc are one way algorithms that cannot be reversed* in a realistic amount of time.

    * - Rainbow tables

    --
    Wah Sig!
    1. Re:Encryption != Hashing by explosivejared · · Score: 1

      My bad, maybe I should think about it before I post something meant to be funny... NAH! This is slashdot. Anyways, thanks for the correction.

      --
      I got a catholic block.
    2. Re:Encryption != Hashing by TechyImmigrant · · Score: 2, Informative

      When hashing a data set larger than the resulting digest, it cannot be reversed at all. However you can find collisions which is handy if you want to subvert the PKI hierarchy that protects web transactions.

      --
      Evil people are out to get you.
    3. Re:Encryption != Hashing by Kjella · · Score: 1

      It can only be reversed for the weird case where you're trying to make a few bits (30-40 bits of a password) into many (160/256/384/512 bits), which is of course impossible and the quality of the hash method doesn't matter. The only thing rainbow tables do is try to make a universal lookup table, and the only thing that helps is (cryptographic) salt. Most of the time hashes are used to make checksums of e.g. your linux distro, which obviously can't be reversed.

      --
      Live today, because you never know what tomorrow brings
    4. Re:Encryption != Hashing by Comatose51 · · Score: 2, Informative

      Rainbow tables won't help you get the old message back since pretty much by definition or pigeonhole theorem there is more than one plaintext that can generate the same hash. Breaking a hash algorithm usually involves finding a plaintext that generates the specific hash, thus fooling the victim into thinking that plaintext was the original one.

      Or imagine this: you have a simple hash function that takes all the letters in a message, turns them into numbers based on their place in the alphabet, and adds them up to generate the sum. If that sum goes over 10,000 then it would do a mod 10,000 to wrap it around. There's an infinite number of plaintexts that can generate the exact same hash based on this hash algorithm. However, what you can never do is figure out which specific one generated it.

      --
      EvilCON - Made Famous by /.
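As an added illustration (my own code, not from the comment above), here is that alphabet-sum hash in Python, plus an exhaustive count of how many three-letter inputs land on one digest; the treatment of non-letters and of case is an assumption the comment does not spell out.

```python
from itertools import product
from string import ascii_lowercase

MODULUS = 10_000  # the comment's wrap-around value


def toy_hash(message: str) -> int:
    """Sum each letter's position in the alphabet (a=1 .. z=26), wrapping mod 10,000.

    Assumption: non-letters are ignored and case does not matter.
    """
    total = 0
    for ch in message.lower():
        if "a" <= ch <= "z":
            total += ord(ch) - ord("a") + 1
    return total % MODULUS


def count_preimages(digest: int, length: int) -> int:
    """Count lowercase strings of `length` letters that hash to `digest`.

    Exhaustive over 26**length candidates, so keep `length` small (3 or 4).
    """
    return sum(
        1
        for letters in product(ascii_lowercase, repeat=length)
        if toy_hash("".join(letters)) == digest
    )


def demo() -> dict:
    # The sum ignores letter order, so any anagram is an immediate collision.
    anagram_collision = toy_hash("listen") == toy_hash("silent")
    # Even restricted to 3-letter inputs, the digest of "abc" has ten preimages,
    # so a verifier holding only the digest cannot tell which one was "the" message.
    preimages_of_abc = count_preimages(toy_hash("abc"), 3)
    # Long inputs wrap around: 400 z's sum to 10,400, which becomes 400.
    wrapped = toy_hash("z" * 400)
    return {
        "anagram_collision": anagram_collision,
        "preimages_of_abc": preimages_of_abc,
        "wrapped": wrapped,
    }


if __name__ == "__main__":
    print(demo())
```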
    5. Re:Encryption != Hashing by ultranova · · Score: 1

      Methods like md5, sha1, etc are one way algorithms that cannot be reversed* in a realistic amount of time.

      Nitpick: they can't be reversed in any amount of time, because for any given hash, there are probably an infinite number of strings which hash to that hash.

      --

      Forget magic. Any technology distinguishable from divine power is insufficiently advanced.

  12. Re:New Hash Algorithm Submission #1 by Archangel+Michael · · Score: 1

    Democratic version: Note, I'm l[L]ibertarian, and find the humor in parent post.

    1. Declare war on Social Ill Y with a bogus slogan "_______ Crisis"
    2. Announce increase in taxes and/or entitlement spending
    3. Repeat 2 as often as necessary for the domestic brain dead.
    4. Use to increase political power locally and abroad by showing how "enlightened" you are.
    5. Profit!
    6. We all lose.

    Cheers,
    Hillary Roddam C.

    --
    Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
  13. Oblig. xkcd link by hellergood · · Score: 5, Funny
  14. rot13 by kupesoft · · Score: 1, Insightful

    All right, the first to make a rot13 joke is going straight to hell.

    1. Re:rot13 by Skapare · · Score: 1

      Any rot13 joke is pointless. We all know rot13 is reversible. What hashing is all about is non-reversibility. That is, given some large string of content, produce a smaller string that cannot re-create the original content. So why not combine things: md5 -> triple-rot13

      --
      now we need to go OSS in diesel cars
    2. Re:rot13 by cdrguru · · Score: 1

      MD5 is reversible. All you have to do is randomly generate every bit combination up to some maximum length until you have a matching MD5. There will be a number of collisions but these will not pass other tests on the content. It is therefore possible to reverse an MD5 hash value into the original data.

      This would consume considerable finite time. Yes, considerable but finite.

    3. Re:rot13 by Daffy+Duck · · Score: 1

      No, there can be collisions from multiple sources that do "pass other tests". The demonstrated vulnerability in MD5 was precisely that you can construct multiple meaningful pre-images that give the same hash value.

    4. Re:rot13 by Nevyn · · Score: 1

      Ok, assume you have a 4KB XML document ... and you get an MD5. Even knowing those two pieces of information (valid XML and roughly 4K) do you think you could reverse that given "considerable" but finite time? (hint: you have to prove that there is only one possible input that doesn't fail those limiters ... and I don't think you can).

      --
      ustr: Managed string API with ave. 44% overhead over strdup(), for 0-20B
    5. Re:rot13 by CTalkobt · · Score: 1

      Anytime that you know the format, or partial content of the original document (such as knowing it's XML and hence will have the same opening and closing tags, and presumably a DTD declaration) you make life much much easier for those attempting to crack it.

      Based upon the md5 routine in a software package, I can get the initial set of random sequences and stepping for the first so many characters - that will allow me a much higher chance of calculating the rest of the random sequencing / stepping that is occurring instead of having to approach the problem brute force.

      Take the paragraphs above and replace all words less than 6 characters with long mathematical sounding ones and if it doesn't make sense now it'll sound right then. :-)

      There is no such thing as security - only illusions of security - someone's always watching.

      --
      There's a gorilla from Manilla who's a fella that stinks of vanilla and has salmonella.
    6. Re:rot13 by Anonymous Coward · · Score: 0

      No, that's how you find a collision by brute force. There will be more than one collision. So without additional information, you'd never be able to differ between a random collision and the original data.

    7. Re:rot13 by grumbel · · Score: 1

      The only way you can revert MD5 or for that matter any hash is by constructing a huge database of all known files, hash them all then just find the one that has the same hash as the one that is given. Of course that won't be all that useful, you might find a Linux source tarball that way, because it's publicly available, but that's it. Unless you already know the file you don't have any chance of ever reversing a hash. It's just a matter of information loss, if you have 128bit of 'storage', you can't store a 1MB file in that and get it back, it's not a matter of time, it's simply impossible for any file much larger than the size of the hash.

    8. Re:rot13 by plover · · Score: 1

      Anytime that you know the format, or partial content of the original document (such as knowing it's XML and hence will have the same opening and closing tags, and presumably a DTD declaration) you make life much much easier for those attempting to crack it.

      Two things: Kerckhoffs's principle states that the security of a routine must come from only the secrecy of the key, not the secrecy of the algorithm and certainly not the secrecy of the original document. "Known plaintext" and "chosen plaintext" attacks are commonly used to attempt to break a key. The second thing to note is: "cracking" in the sense you're using it is applicable only to encryption, not hashing.

      Regardless of what hashing routine you're using, the attacker always has the original plaintext document. That's the point of a hash: it's a tamper-evident mechanism that should prove the document hasn't been altered. So the reason secure hashes are needed is to make sure digital signatures are secure.

      Think about how digital signatures work: I have a plaintext document to sign, so I calculate a hash of the document. I encrypt the hash with my RSA private key, and ship it with the plaintext document. To verify that I signed it, you calculate a hash of the document yourself. You then use my public RSA key to decrypt the signature, and out pops my original hash value. If the two are the same, you can trust that my private key was used to generate the signature.

      The problem with a weak hash is if an attacker can replace my document with a document of his own design that yields the same hash value, he can put a copy of my signature on his document and claim I signed it. This is a "collision attack", and is exactly the nature of the breaks into SHA-1 the Chinese researchers discovered.

      While this probably isn't much of an issue for a digital signature on a Word document claiming that I invented a better mousetrap, automated signature validation is critical to SSL security and digitally signed code. If I create a certificate that has my own public key on it and put microsoft.com in the name field, and stick a copy of a legitimate Verisign signature on the certificate, I could fool any computer system into believing that Microsoft has granted approval to use my key.

      --
      John
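The hash-then-sign flow described above, as an added example (my own code, not the poster's): the digest is the leading 32 bits of SHA-256 and the RSA key is a constructed toy key with no padding scheme, both assumptions made here so the arithmetic stays readable; real signatures use the full hash width, a padding scheme such as PSS, and keys of thousands of bits.

```python
import hashlib

# Constructed toy RSA key (about 40-bit modulus): far too small for real use,
# it only exists so that every step of the protocol can be followed by hand.
P, Q = 1_000_003, 1_000_033
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (Python 3.8+ modular inverse)

DIGEST_BITS = 32  # must keep the digest below N; a real scheme keeps all 256 bits


def document_digest(document: bytes) -> int:
    """Step 1: hash the document; keep the leading DIGEST_BITS of SHA-256 as an integer."""
    full = int.from_bytes(hashlib.sha256(document).digest(), "big")
    return full >> (256 - DIGEST_BITS)


def sign(document: bytes) -> int:
    """Step 2 (signer): apply the private exponent to the digest and ship the result."""
    return pow(document_digest(document), D, N)


def verify(document: bytes, signature: int) -> bool:
    """Step 3 (verifier): re-hash the document, apply the public exponent to the
    signature, and accept only if the two values agree.

    Any second document with the same digest would pass this check under the same
    signature, which is exactly why the hash must be collision resistant.
    """
    return pow(signature, E, N) == document_digest(document)


def demo() -> dict:
    original = b"I invented a better mousetrap."   # constructed sample document
    tampered = b"I invented a better mousetrap!"   # one byte changed after signing
    signature = sign(original)
    return {
        "original_verifies": verify(original, signature),
        "tampered_verifies": verify(tampered, signature),
    }


if __name__ == "__main__":
    print(demo())
```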
  15. Elliptical Curve? by graviplana · · Score: 0

    It should probably be based on http://en.wikipedia.org/wiki/Elliptic_curve_cryptography . Unless they want something that only they can break. :O

    --
    "Time is nothing; timing is everything."
    1. Re:Elliptical Curve? by TechyImmigrant · · Score: 1

      > It should probably be based on http://en.wikipedia.org/wiki/Elliptic_curve_cryptography . Unless they want something that only they can break. :O

      That would be for signatures, not hashes.

      --
      Evil people are out to get you.
    2. Re:Elliptical Curve? by Abcd1234 · · Score: 1

      It would also be heavily patent encumbered.

    3. Re:Elliptical Curve? by SnowZero · · Score: 1

      Quick, someone invent hyperbolic encryption! I think I've already seen that used here on slashdot to encode comments. Oh no wait, that's hyperbole...

  16. Different kinds of hash by HomelessInLaJolla · · Score: 0, Informative

    Crude hash:

    Take a full stalk from the marijuana plant--bud, leaves, and all. Strip the bud and the leaves away from the bulk fiber stem. Discard the stem. Roll and crush the bud and leaves together. Compress, twist, and tear. Compress, twist, and tear. Wring the water out of the bulk pulp. Leave the bulk pulp to demoisturize (not dry completely). This is the crudest form of hash and probably the oldest form known to man.

    Leftover hash:

    Take just the leaves from the marijuana plant. Repeat the process described for crude hash. Use the marijuana buds for normal smoking or cooking. This method allows one to make use of the leaves as well as the bud in separate form.

    Crude chemical extract:

    Take the buds from the marijuana plant. Break them apart but do not crush or damage the glands (trichomes). Place the broken up buds in ice water, swirl and mix, and scoop out the material which rises to the top. Dry gently (air dry, no heat).

    Supercritical chemical extract:

    Take the buds from the marijuana plant. Break them apart but do not crush or damage the glands (trichomes). Pack the material into a sealed cylinder. Attach a tube of compressed butane to the sealed cylinder. Discharge the butane through the sealed cylinder. Collect the effluent and allow the butane to evaporate (air dry, no heat).

    Soxhlet extract (honey blond hash oil):

    Obtain a Soxhlet extraction apparatus. Use the buds, possibly the leaves, maybe even the stems from the plant. Extract for at least five cycles using pentane, hexane, or heptane. Collect and dry the extraction solution (air dry, preferably with attached vacuum, as little heat as possible). This is the finest hash oil you'll come across.

    In all cases avoid temperatures over 50C. The desirable components, technically, boil around 110-120C but significant amounts may be lost at temperatures over 50C.

    ENJOY!

    The point of making hash is to denature the typical plant products, such as chlorophyll, and extract them into a water layer (which is removed) or to extract the desirable hydrophobic products away from the bulk plant material. Smoking untreated or uncured marijuana plant material is somewhat flavorful (depending upon personal taste) but usually causes a digestive or nervous reaction (tummyache or headache).

    --
    the NPG electrode was replaced with carbon blac
  17. Argh. by TechyImmigrant · · Score: 1

    I put a SHA-1 based KDF in 802.16 because NIST SP800-56 told me to.

    Argh.

    --
    Evil people are out to get you.
    1. Re:Argh. by Anonymous Coward · · Score: 0

      I assume that meant you read this paragraph then...

      Note: Some domain parameters have been generated using SHA-1, and SHA-1 will be required during their validation. At some time in the future, it is expected that SHA-1 will no longer be an Approved hash function. However, if a set of domain parameters was successfully validated with SHA-1 while it was still an Approved hash function, then those domain parameters will continue to qualify as valid even after the use of SHA-1 is no longer Approved. In particular, this is true of the NIST Recommended Elliptic Curves.

    2. Re:Argh. by TechyImmigrant · · Score: 1

      I decided to go back and look at the spec so I could respond with the specific requirement. Rather than dig in my files I went to google to find the document. I put in "nist SP800-56" and up pops the message I posted two steps earlier in this thread.

      That's some quick indexing.

      Note to Google. When I put in "nist SP800-56" I want you to take me to the NIST spec.

      --
      Evil people are out to get you.
    3. Re:Argh. by TechyImmigrant · · Score: 1

      You're reading 800-56A. Not 800-56.

      800-56 was around at the time. It was not so much withdrawn, as snuck away, destroyed and the remains buried in a shallow grave somewhere in Maryland. NIST won't admit to its existence these days.

      --
      Evil people are out to get you.
    4. Re:Argh. by Anonymous Coward · · Score: 0

      SP 800-56A is 800-56. The "A" was added because there's going to be an SP 800-56B on key establishment using RSA.

      Also, SHA-1 is fine for KDFs, and should be for some time. Collision attacks aren't important for KDFs, and people aren't expecting any second preimage attacks against SHA-1 in the foreseeable future. SP 800-57 discusses the security strengths of hash functions for the various applications.

    5. Re:Argh. by TechyImmigrant · · Score: 1

      That's what I told the person from NIST.

      --
      Evil people are out to get you.
    6. Re:Argh. by Anonymous Coward · · Score: 0

      Note to Google. When I put in "nist SP800-56" I want you to take me to the NIST spec.

      If you don't want to see your own posts, then just say so. With a slight tweak to get the revision (A), you can get it as the top post using "SP 800-56A site:nist.gov". Without the "A", it doesn't show up, but some related documents from the same site do. Looks like there's still work to do to make search perfect.

      Disclaimer: IWAG,BNOS
  18. Just use Identity... by GeekDork · · Score: 1

    With hash values getting longer and longer, wouldn't it be more economic to just use Identity as the hashing function?

    Here's your grain of salt...

    --

    Fight hunger. Filet a politician and send him to a 3rd world country of your choice.

    1. Re:Just use Identity... by tomstdenis · · Score: 1

      Actually I think we could use a short hash function, solely for the purpose of HMAC. Being one-way means we can use a primitive with more input than output (unlike CMAC). So I'd really like to see a 128-bit hash as well as [say] a 256-bit or 512 bit hash.

      Personally I think anything over 256 is overkill. But that's just me...

      --
      Someday, I'll have a real sig.
    2. Re:Just use Identity... by marcello_dl · · Score: 2, Insightful

      No.

      --
      ---- MISSING MISCELLANEOUS DATA SEGMENT --- [sigdash] trolololol
    3. Re:Just use Identity... by TechyImmigrant · · Score: 1

      >Personally I think anything over 256 is overkill. But that's just me...

      It's moot in certs. It's going to be padded out to 2048 bits anyway.

      --
      Evil people are out to get you.
    4. Re:Just use Identity... by Surt · · Score: 1

      A 1024 byte hash is not large compared to the gigabyte file it signs.

      --
      "Who is the Journal of Quantum Physics going to believe?" --Stephen Hawking
    5. Re:Just use Identity... by TechyImmigrant · · Score: 1

      I was thinking of the 1600 byte cert it forms the digest in.

      --
      Evil people are out to get you.
    6. Re:Just use Identity... by tomstdenis · · Score: 1

      You're not thinking of MACs though. Say I'm doing IPSEC with a 96-bit MAC, why would I waste the time and energy to compute a 256 or 512 bit hash just to throw away over half of the bits? Why not start with a 128-bit hash from the get go?

      Also, even in the "256 vs 512" debate, sure you might pad up to 2048-bits when doing RSA signatures, but you're at least not wasting energy in computing the hash. Not every user of the hash standard will be on a 3GHz multi-pipelined [relative] super computer. Some will be on lowly 16MHz ARM or MIPS, or even trying to do the hash in hardware.

      Tom

      --
      Someday, I'll have a real sig.
    7. Re:Just use Identity... by lgw · · Score: 1

      Take the first half of the 256-bit hash and you have a stronger 128-bit hash than a 128-bit hash using the same algorithm. The only point of a true 128-bit hash would be performance, but if you really care about crypto performance you do everything in hardware, and you might as well buy the 256-bit chip these days.

      --
      Socialism: a lie told by totalitarians and believed by fools.
    8. Re:Just use Identity... by secPM_MS · · Score: 1

      Hashes are used directly in essentially all forms of signatures and integrity verifications, as you hash the data being represented and then sign or protect the hash value. HMACs are (or should be) used with strong keys for protecting the integrity of communications. As such, hashes should be fast and resistant to capable assault with massive computational resources. Given the birthday effect, collisions will occur when a message pool is ~ sqrt(hash size).

      The attacks against SHA-1 have reduced the work of collision from 2^80 to 2^6i, where i is a small integer (such as 1, 2 or 3). The SHA2 family is adequately resistant against extant attacks, but given the similarities between SHA-1 and SHA-2, NIST is being wise in starting the design of a successor.

      The constant paranoia about backdoors is misplaced here. If you can engineer in a backdoor, somebody else can reverse engineer it, and the Russians and Chinese have a lot of very good mathematicians. The NSA currently recommends the use of SHA-2 for governmental applications and can be expected to support the use of SHA-3 when it becomes available. They wouldn't be recommending its use if there were a backdoor that would allow compromise of signatures.
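The birthday effect just mentioned, as an added example (my own code, not the poster's): SHA-256 is cut down to its leading n bits, the same "take the first half" truncation lgw describes earlier in this thread, and constructed messages are hashed until two of them share a digest; the pool size at the first collision tracks sqrt(pi/2 * 2^n), which is why collision work for an n-bit output is about 2^(n/2) (2^80 for the 160 bits of SHA-1).

```python
import hashlib
import math


def truncated_digest(data: bytes, bits: int) -> int:
    """Leading `bits` bits of SHA-256(data) as an integer.

    Truncation keeps each output bit dependent on every input bit, but the
    collision bound shrinks with the width kept: roughly 2**(bits/2) messages.
    """
    full = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return full >> (256 - bits)


def messages_until_collision(bits: int, trial: int) -> int:
    """Hash the constructed messages '<trial>:0', '<trial>:1', ... until two of them
    share a truncated digest; return how many messages had been hashed by then."""
    seen = set()
    count = 0
    while True:
        digest = truncated_digest(f"{trial}:{count}".encode(), bits)
        count += 1
        if digest in seen:
            return count
        seen.add(digest)


def birthday_estimate(bits: int) -> float:
    """Expected pool size at the first collision of an ideal n-bit function:
    sqrt(pi/2 * 2**n), i.e. on the order of sqrt(hash size)."""
    return math.sqrt(math.pi / 2 * 2 ** bits)


def average_collision_point(bits: int, trials: int = 30) -> float:
    """Mean over independent trials of the observed first-collision pool size."""
    return sum(messages_until_collision(bits, t) for t in range(trials)) / trials


if __name__ == "__main__":
    # Each extra 8 bits of output multiplies the collision work by 16, not 256.
    for bits in (8, 16, 24):
        observed = average_collision_point(bits)
        print(f"{bits:2d}-bit digest: observed {observed:8.1f}, "
              f"birthday estimate {birthday_estimate(bits):8.1f}")
```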

    9. Re:Just use Identity... by tomstdenis · · Score: 1

      Wrong?

      The only reason 128-bit hashes are weak is because they're not conservatively designed. And in the case of a MAC (like what I was saying) collision resistance IS NOT IMPORTANT. Only one-wayness. I'm not proposing we invent a 128-bit hash for signatures. Only for HMAC'ing.

      And no, not everything is magically efficient in hardware (hint: I work in a hardware/software crypto firm). A 128-bit circuit (with presumably fewer registers, temporaries, operations, etc) will consume less area and energy than a 256-bit circuit, that's just simple logic (sorry excuse the pun).

      --
      Someday, I'll have a real sig.
    10. Re:Just use Identity... by Cairnarvon · · Score: 1

      Take the first half of the 256-bit hash and you have a stronger 128-bit hash than a 128-bit hash using the same algorithm.

      I hope you don't actually believe that.
    11. Re:Just use Identity... by lgw · · Score: 1

      A 256-bit chip you can buy off-the-shelf is better than the 128-bit chip you can't, but then I guess that's why you want to see a 128-bit standard. But using a 256-bit chip and only taking half the bits would be just as strong.

      --
      Socialism: a lie told by totalitarians and believed by fools.
    12. Re:Just use Identity... by lgw · · Score: 1

      If you disagree, you might explain why. In a good hash, each bit of the output equally "represents" all bits of the input. Taking the result of a large hash mod a smaller value, or just taking some of the bits, does not make a strong hash weaker.

      If you have a weak hash, and all of the input bits don't participate in forming each output bit, of course you should first hash that output with a real hash algorithm before discarding bits.

      --
      Socialism: a lie told by totalitarians and believed by fools.
    13. Re:Just use Identity... by TechyImmigrant · · Score: 1

      I'm not disagreeing. A hash algorithm that can cover a sensible range of widths would be useful for situations not needing bigger hashes.

      AES has this property in the key length. Its parent spec Reignwatchamacallit has it in block size also.

      Someone with a lowly ARM should design their chip so the crypto can run at the needed rate. If RTL is needed, go design the RTL. It's not hard.

      --
      Evil people are out to get you.
    14. Re:Just use Identity... by tomstdenis · · Score: 1

      omg you're being dense. Not every application needs signatures. For example, imagine hardware that accelerates IPsec. Why would it need a 256-bit hash? And where gates are dollars (e.g. area == cost) you'd much rather have a 128-bit algorithm.

      Just accept what I'm saying. I work with cryptographic hardware ALL DAY LONG. You probably don't. So just accept what I'm saying.

      Tom

      --
      Someday, I'll have a real sig.
    15. Re:Just use Identity... by tomstdenis · · Score: 1

      Well if you can use one design that is extendible like Rijndael then good.

      But dropping down a 256-bit or 512-bit hash just to do 96-bit MACs is stupid. And believe it or not, there are people looking for custom gear that does one thing but not the other [e.g. MAC but not signatures].

      Tom

      --
      Someday, I'll have a real sig.
    16. Re:Just use Identity... by tomstdenis · · Score: 1

      The problem is you're drawing the wrong conclusions. MD4 and MD5 weren't weak because the hash is only 128-bits. They're weak because the design is not cryptographically strong.

      Tom

      --
      Someday, I'll have a real sig.
    17. Re:Just use Identity... by lgw · · Score: 1

      That's not what I'm saying at all. I'm saying that, for the difficulty of reversing a hash, you don't lose any strength by using a larger-blocksize hash and just taking the bits you want from the result. You may get a few more collisions, but that's been stated as unimportant in this thread.

      From a cost/performance perspective, it might be nice to have a 128-bit hash standard as well as a 256-bit hash standard, but from a "how safe is my hash" perspective a 256-bit algorithm is fine if you only need a 128-bit result. Using SHA-3 256 mod 2^160-1 to get a 160 bit hash will be stronger than using the native-160-bit SHA-0, since it's the algorithm that really matters.

      Even from a cost perspective, the difference matters now, but in 10 years?

      --
      Socialism: a lie told by totalitarians and believed by fools.
    18. Re:Just use Identity... by TechyImmigrant · · Score: 1

      Are you going to be in Atlanta next week?

      --
      Evil people are out to get you.
    19. Re:Just use Identity... by GrievousMistake · · Score: 1

      What you said though, wasn't just that a truncated 256-bit algorithm was 'fine', but that it would actually be stronger than a native 128-bit hash.
      That's what you're being called out on, because it is bullshit assuming that both hashes are secure.
      Of course it's going to be more secure if the 128-bit algorithm is broken and the 256-bit one is not, but that's not what was suggested.

      --
      In a fair world, refrigerators would make electricity.
    20. Re:Just use Identity... by tomstdenis · · Score: 1

      Sadly no. But if you want to take this "offline" let me know and I'll give you my work email addy.

      --
      Someday, I'll have a real sig.
    21. Re:Just use Identity... by tomstdenis · · Score: 1

      I won't re-iterate what your other replier said (e.g. size vs. truncated being moot), but add, at my company we still have customers thinking of dropping down 8051s (8-bit micro from the 70s!!!).

      Basically crypto usually is an afterthought, and really a "cost" not a benefit. So size/area matters. We often have customers looking for the "most free" ish solution they can get.

      And sometimes it makes the decision between good crypto and bad. Look what happens when people can't use ECC. They use very small RSA keys. Many designs call for a good MAC and often use homebrew (e.g. WEP, SNOW3G's UIA2, etc) instead of something nice and simple like an HMAC.

      So yes, even 10 years from now, size will matter, and while feature size gets smaller, it's still all relative. Once feature size goes down costs go down which also means margins get tighter. Not only that but people will pack more non-crypto things in there.

      Anyways, a good MAC-only 128-bit hash could out perform AES-CMAC, and still be just as secure.

      --
      Someday, I'll have a real sig.
    22. Re:Just use Identity... by TechyImmigrant · · Score: 1

      I was more thinking of getting a beer than discussing crypto

      --
      Evil people are out to get you.
    23. Re:Just use Identity... by tomstdenis · · Score: 1

      hmmm fly from Ottawa to Atlanta for a beer ... I've done worse. But sadly, can't. Stupid banks and their "pay your bills" philosophy hehehehe.

      --
      Someday, I'll have a real sig.
    24. Re:Just use Identity... by TechyImmigrant · · Score: 1

      I figured dot1 would be enjoying your presence.

      --
      Evil people are out to get you.
    25. Re:Just use Identity... by lgw · · Score: 1

      A truncated 256-bit hash would IMO be at least as strong as a 128-bit hash assuming they're both equally secure algorithms, and at least 256-bits of input data was used (the situation concerning the OP of the thread).

      With just 128 bits of input data I guess the 256-bit hash would have more collisions, though it should still be a statistically tiny amount.

      --
      Socialism: a lie told by totalitarians and believed by fools.
    26. Re:Just use Identity... by isham · · Score: 1

      The problem with identity is that it's easily reversible: not a good quality for a hashing function.

      Yes, I know the OP was a joke.

  19. Re:New Hash Algorithm Submission #1 by spun · · Score: 3, Insightful

    As you've admitted to being a libertarian, I suppose I should make one for you, too:

    1. Declare war on Big Government with bogus slogan "Let the free market fix __________"
    2. Announce plans to decrease funding to social programs
    3. Figure out that you have no one in any elected office in any country anywhere who can carry out 2.
    4. Announce that someone who has never professed to be a libertarian but holds a few libertarian ideals, is in fact a libertarian. Do the same for historical figures, especially anarchists.
    5. Make up bogus arguments about the magical free market that will never be put to any sort of test, due to 3., above.
    6. Parrot back tired arguments that were disproved hundreds of years ago, back in the days of laissez-faire. Conveniently forget about child labor, horrid working conditions, rampant pollution, institutionalized racism, debt slavery, and any other facts that show unregulated free market capitalism destroys lives.
    7. Cherry pick examples of deregulation and privatization, ignoring any cases that prove libertarian methods wrong.
    8. Try to convince other libertarians to all move to the same state so you can remedy point 2.
    9. Realize that convincing self-centered libertarians to do anything is like trying to herd cats.
    10. The rest of us grow bored with your childish, self involved, "Nyah nyah, you're not the boss of me!" political stance and ignore you, as libertarians have never managed to do anything more than talk.

    Wait, that's not funny, it's just sad.

    --
    - None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
  20. No, you're right. by wattrlz · · Score: 1

    There is such a thing as a one-way encryption and hashing is a form of doing so. By definition encryption is the act of writing something in an alternative manner. There's no requirement it be decryptable (or secure, for that matter).

    1. Re:No, you're right. by mattpalmer1086 · · Score: 1

      I think you're mixing up the definition of cryptography with that of encryption. Cryptography encompasses encryption, hashing, key exchange, zero-knowledge proofs and other stranger things. A hash algorithm is a one-way function by definition - you can't reverse it even with knowledge of what was done. En-cryption is a two-way function - it always implies the possibility of de-cryption.

    2. Re:No, you're right. by masterzora · · Score: 1

      While the term encryption usually implies a decryption method, it's not necessarily so. In fact, the etymology shows that "encrypt" basically means "to cause something to be hidden", which a hash function definitely succeeds at.

      --
      Remember, open source is free as in speech, not free as in bear.
    3. Re:No, you're right. by smallfries · · Score: 3, Informative

      Maybe you should chase the etymology one level deeper. If the original data cannot be recovered then it is not "hidden" but "destroyed". You may not believe that the term encryption means a two-way process with an available decryption function - but that is the definition that the crypto community uses, and so it's good enough for me.

      --
      Slashdot: where don knuth is an idiot because he cant grasp the awesome power of php
  21. Yep by Sycraft-fu · · Score: 1

    That's why you'll see even the authors of cryptosystems that lost to AES recommending AES. In some cases, the losers are theoretically more secure. However what they are not is more tested. AES is probably the most tested cryptosystem next to DES. As such, people are pretty sure there aren't any lurking holes.

  22. Very similar to the AES competition by Sycraft-fu · · Score: 5, Insightful

    Also done by NIST. I suppose you could be all paranoid and claim that AES was chosen so that the US government could snoop on you since, after all, the NSA signed off on it as being secure and they'd never tell the truth, right? Well, except for the fact that it was designed by a couple of Belgians and has also been signed off on by essentially every other respected crypto expert and organization there is.

    So that leaves you with two possible situations:

    1) That the NSA is so amazingly far ahead of everyone else in crypto that they were able to find something in AES that no one else has in over a decade. Also they are so confident in their knowledge that they believe nobody else will find it since if they did the results would be a big problem (AES is approved for classified data, and is used by US financial institutions).

    or

    2) AES is really secure, and the NSA is telling the truth.

    Now which is more likely? Also, supposing you believe option #1 then why trust any crypto? If the NSA really is so good that they can outdo the entire rest of the crypto community, well then they can probably break pretty much any of the cryptosystems out there. You can't trust any of them since the only people who would really know if they were insecure won't say.

    Seems extremely unlikely.

    Well, same deal with this hash competition. If you believe that the government will be able to pick one that is in fact something they can break, but that nobody else in the world will know about this then it doesn't matter, because their understanding is so far advanced that all hashes would have to be suspect.

    Given the extremely public, international, nature of things like this there really isn't any room for mistrust. I again point to the results of the AES competition. You want to talk about a cypher that has stood up to some extreme scrutiny, there you go.

    1. Re:Very similar to the AES competition by lgw · · Score: 5, Informative

      1) That the NSA is so amazingly far ahead of everyone else in crypto that they were able to find something in AES that no one else has in over a decade.

      When the DES standard was created, the NSA was so amazingly far ahead of everyone else that they were able to find something in DES that no one else found for over a decade. The NSA provided very specific technical advice (without explanation) that was followed in the creation of DES. Many years later, the rest of the world caught up and discovered that the NSA had corrected a very subtle weakness in DES.

      The NSA has an actual track record here, and their motives have proven good so far. However, they claim that (due to lack of funding and too much competition from financial firms for math PhDs) they aren't so far ahead any more.

      --
      Socialism: a lie told by totalitarians and believed by fools.
    2. Re:Very similar to the AES competition by Llywelyn · · Score: 3, Informative

      It is worth emphasizing that the NSA has said that AES 128/192/256 can be used to protect information up to the secret level, and that top secret information can be secured with AES 192 or 256. That's a pretty strong statement coming from the NSA, which if acting rationally they would not want to leave weaknesses in something that is used to secure information that would be, by definition, "very damaging to the US and its interests if released."

      Now, it is possible that such statements are just for show, but it takes a belief that they are playing an incredulously deep game that they would make those statements as a denial and deception practice.

      --
      Integrate Keynote and LaTeX
    3. Re:Very similar to the AES competition by morgan_greywolf · · Score: 1

      Exactly. The NSA has always had cryptography as one of their charters, and as a result, they have traditionally been able to hire the best of the best in cryptography and cryptanalysis. If the NSA says it's good enough for top secret data, believe me, at least at the time they said it, it is.

      I wouldn't doubt that the NSA isn't constantly trying to break cryptos like AES 192 or 256, if, for no other reason, than to test to see if they really are that secure. One thing is for certain though -- if they knew how to break it, they certainly wouldn't tell anyone. That, in itself, would be the highest level of top secret classified information, since knowledge of breaking these algorithms would represent a threat to national security and, well, they are National Security :)

    4. Re:Very similar to the AES competition by ceswiedler · · Score: 1, Redundant

      I'm too lazy to find the quote, but Bruce Schneier said that the NSA's comments on DES effectively started the field of modern academic cryptography, and that many researchers 'made their bones' analyzing why the changes to DES were important. Thus at the time, the NSA was over a decade ahead, but it's very unlikely they're that far ahead now.

    5. Re:Very similar to the AES competition by evilviper · · Score: 3, Insightful

      However, they claim that (due to lack of funding and too much competition from financial firms for math PhDs) they aren't so far ahead any more.

      You've got it wrong. They were decades ahead because nobody outside of the NSA was doing cryptography AT ALL. There was no real effort at all from the private sector.

      DES was really the ONE cryptographic algorithm that existed, anywhere, and even that could only be found internal to IBM, which was by far the biggest digital equipment company anywhere at the time.

      It isn't "too much competition" now, it's simply that, for the first time, they've got any competition at all.

      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
    6. Re:Very similar to the AES competition by James+Youngman · · Score: 4, Informative

      If the NSA really is so good that they can outdo the entire rest of the crypto community, well then they can probably break pretty much any of the cryptosystems out there.

      Actually I think you're right, but to play Devil's Advocate for a moment, I will note that the UK government agency GCHQ developed a public-key cryptosystem between 1969 and 1973, significantly before Diffie and Hellman's (apparently) ground-breaking paper. So, government agencies are quite capable of beating the public state of the art and not telling anyone about it.
    7. Re:Very similar to the AES competition by mentaldrano · · Score: 1

      You are referring to linear cryptanalysis, developed publicly more than 10 years after the NSA submitted its "suggestion" to the DES standard committee. At that time (not so much now), the NSA was the world's largest employer of Ph.D. mathematicians.

      Also note: the NSA can secretly patent things with the USPTO. If anyone else tries to patent the same idea, the NSA patent becomes public and THEN enters its 17 year patent period, giving the NSA an even further head start!

    8. Re:Very similar to the AES competition by Anonymous Coward · · Score: 0

      ... you could be all paranoid and claim that AES was chosen so the that US government could snoop on you ...

      Which would be surprising since AES can be used to protect information that is classified at both SECRET (128-, 192-, and 256-bits) and TOP SECRET (192- or 256-bit).

      If the NSA could break it then so could someone else, and it wouldn't be wise to protect your own information with something that weak.

      If agencies want to listen to you they'll use bugs and laser mics.
  23. No doubt by JustNiz · · Score: 1

    part of the reason for the long delay is to allow the CIA and NSA to evaluate all contenders for suitability of being crackable/backdoorable by them.

    1. Re:No doubt by Llywelyn · · Score: 1

      The NSA has approved AES for encrypting secret data (128+ bits) and top secret data (192+ bits). Unless they are playing a very deep denial and deception game, it stands to reason that they can't find a way through it either.

      --
      Integrate Keynote and LaTeX
    2. Re:No doubt by JustNiz · · Score: 1

      Of course the NSA are going to claim they can't crack any encryption they've already cracked. It means something new won't come along and blow away all their hard work. Also, they're hoping such statements will cause criminals to choose an encryption that the NSA has cracked.

    3. Re:No doubt by Llywelyn · · Score: 1

      That would require an unbelievable degree of denial and deception.

      Top Secret is defined as information that would seriously damage the US if released. They would not trust encrypting such secrets in it if, at the time they made that decision, they had discovered a weakness that would allow them to break it. Thus, the only way this would happen if they are behaving rationally is if they were lying. For them to do that successfully it would require having something classified at a level no higher than Confidential that this was not the real algorithm.

      The complexity of such a scheme given how they would then have to communicate the correct algorithm, the need to classify all software that encrypted or decrypted classified information to the level of data being classified, combined with the hit to productivity and the risk of a leak...

      Not likely. Much more likely that they do not have a way around it that concerns them--or at least did not when they made that announcement.

      --
      Integrate Keynote and LaTeX
    4. Re:No doubt by k.ovaska · · Score: 1

      The NSA has approved AES for encrypting secret data (128+ bits) and top secret data (192+ bits). Unless they are playing a very deep denial and deception game, it stands to reason that they can't find a way through it either.

      By the way, there are side channel attacks for AES, but they only work if the attacker has access to the computer doing encryption. I suppose NSA is not too worried about them, since if someone has access to computers handling top-secret data, there are much bigger problems than encryption algorithms.
  24. Cool! A Minnie Driver/Anne Hathaway love scene. by Impy+the+Impiuos+Imp · · Score: 1

    > This is in response to serious attacks reported in recent years against cryptographic
    > hash algorithms, including SHA-1, and because SHA-1 and the SHA-2 family share a
    > similar design. Submissions are being accepted through October 2008, and the competition timeline
    > indicates that a winner will be announced in 2012 ...to follow in early 2013 with a competition to develop SHA-4.

    --
    (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
  25. A working solution today: whirlpool by wherrera · · Score: 1
    1. Re:A working solution today: whirlpool by anilg · · Score: 1

      Algorithms like Whirlpool (and Tiger) haven't been tested as thoroughly as the SHA and MD families. Thus it'd be foolish to put equal trust in them as SHA, etc. That however doesn't stop the Whirlpool guys from submitting it for this contest.

      --
      http://dilemma.gulecha.org - My philosophical short film.
  26. Specs! by Bromskloss · · Score: 1

    So, what requirements should a submission fulfill? I can't find them!

    --
    Swedish plasma phys. PhD student; MSc EE; knows maths, programming, electronics; finance interest; seeks opportunities
    1. Re:Specs! by anilg · · Score: 1

      Just google up Bruce Schneier's excellent Cryptogram newsletter and search its archives for hash contest

      --
      http://dilemma.gulecha.org - My philosophical short film.
  27. Re:New Hash Algorithm Submission #1 by Archangel+Michael · · Score: 2, Interesting

    First off, Touche. I love a good ribbing ... :-D

    1) Never been tried.
    2) What's wrong with this?
    3) Sad, isn't it?
    4) Huh?
    5) Again haven't been tried in a while
    6) I actually believe GVMT Roll in some of these things
    7) No Cherry Picking here
    8) Whatever
    9) Whatever
    10) Too many people being (D) or (R) because of Fear and Fear.

    Let's just deal with #1

    Free Markets are easy to control. Corporate Charters are given by the GVMT, why aren't they revoked more often? Why aren't assets seized? Why aren't boards of directors arrested and charged for lack of proper stewardship?

    Many of the problems seen in the free market aren't the fault of free markets. They are the fault of interference when it isn't needed, and non-interference when it is needed. Indeed, there hasn't really been a "free market" in 150 years or so. Closest we have right now is the Internet, and with Congress getting involved it's only going to ruin it.

    We don't need more laws, we need more responsibility.

    --
    Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
  28. Re:hash algorithm hash recipe by darkcatalyst · · Score: 1

    This reminds me of an altogether disturbing (yet somehow hilarious) hash recipe that recently came into the public eye - butthash - yeah you heard right. Butthash.

    --
    This is what entropy is for.
  29. More ambiguity by Anonymous Coward · · Score: 0

    Why add to the ambiguity? We already have SHA-1 (160 bits) and the SHA-2 family. A lot of people think that SHA-2 refers to just SHA-256, even though there is also a SHA-224. The SHA-2 family also includes SHA-384 and SHA-512. So now we will have this SHA-3, which will be confused with SHA-384 from the SHA-2 family. Why keep the SHA- prefix?

  30. Re:Cool! A Minnie Driver/Anne Hathaway love scene. by Detritus · · Score: 1

    Who the f*** decided that sentences on the Internet shall no longer be formatted with two spaces after a period?!

    The typewriter cabal.

    --
    Mea navis aericumbens anguillis abundat
  31. Are you a Unicorn? by spun · · Score: 1

    Oh, I see. You're a smart libertarian who can take a joke. Even rarer than a Unicorn. ;-)

    --
    - None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
  32. I'll I got to say is... by ShakaUVM · · Score: 1

    I'll I got to say is...

    SHA right!

    1. Re:I'll I got to say is... by Ox0065 · · Score: 1

      SHA whatever!

      --
      thx e
  33. Old news? by kasperd · · Score: 1

    The timeline which is being linked to starts in 2006. But it is still not too late to get started developing a new algorithm, the submission deadline is a year from now. I guess people with the required skills have probably known about it for a while though, so anybody who intends to submit something is probably already working on it.

    --
    Do you care about the security of your wireless mouse?
  34. according to archive.org by Anonymous Coward · · Score: 0

    http://web.archive.org/web/20051220092744/csrc.nist.gov/publications/drafts/SP800-56_7-5-05.pdf

    Nice try, but this exact paragraph was in the draft version of SP800-56 as well...

    Swing and a miss...

    1. Re:according to archive.org by TechyImmigrant · · Score: 1

      Not *exactly* the same..

      I'm still hunting for the document saying it's deprecated for hashing but it's fine as a PRNG. It's in there somewhere.

      --
      Evil people are out to get you.
  35. SHA3 = SHA1(data) + SHA2(data) by cpeterso · · Score: 1

    I have a patent.

    1. Re:SHA3 = SHA1(data) + SHA2(data) by Unnngh! · · Score: 1

      SHA3 = SHA1(data) xor SHA2(data)

      My patent trumps your patent!

    2. Re:SHA3 = SHA1(data) + SHA2(data) by owlstead · · Score: 1

      You must be trying to be funny, because that would be significantly weaker than SHA-2. First of all, I hope you are trying to do adding, because concatenation is directly publishing the weaker hash. If you are adding, I would do so modulus the larger hash, because otherwise you might get 257 bits of SHA-2. But mainly if you look at crypto-analysis techniques, adding another algorithm normally weakens the original algorithm. It is much better to just add more calculations or more rounds. Even then I would rather use two completely different algorithms, like the AES based whirlpool algorithm and SHA-2.

    3. Re:SHA3 = SHA1(data) + SHA2(data) by k.ovaska · · Score: 1

      It is possible to prove this relationship using the finite ring {0, 1, 2, 3, SHA}, which is isomorphic to ring {0, 1, 2, 3, 4}: SHA3 = 3*SHA = 1*SHA + 2*SHA = SHA1 + SHA2. I have submitted this novel result to Journal of Advanced Abstract Algebra (JAAA, or JA^3).

  36. How about Tiger? by drfreak · · Score: 1

    After reading about the MD5 and SHA vulnerabilities, I've been looking to Tiger as a hash algorithm. Anyone else have experience with it?

    Let the "You should really check out the new Leopard algorithm" jokes fly.. :)

    1. Re:How about Tiger? by Anonymous Coward · · Score: 0

      Would you really trust Apple to do a hash algorithm given the bug-ridden-pig-with-lipstick that is Leopard?

  37. $,$,$,$ and more $ by sh3l1 · · Score: 1

    ctrl+f "$" Not interested.

    --
    Help Me! I'm trapped in the tubes! Oh noes! Here comes a internet!
  38. Oh no doubt by Sycraft-fu · · Score: 2, Informative

    And there's evidence that the NSA understood quite a bit more about cryptography back in the DES days based on a change they made to it that hardened it against an as of yet unknown kind of attack.

    However being a bit ahead in terms of creating a system is really different from being far enough ahead to break systems. To mistrust the NSA on AES means you figure that they know enough to know how to break it, and that they figure the knowledge is so far advanced that no one else will figure it out. One of the NSA's jobs is actually "To achieve information assurance for information infrastructures critical to U.S. national security interests." They are tasked with things like making sure that US financial systems aren't broken in to, hence things like DES/AES. As such if they knowingly allowed a breakable cryptosystem to become the standard and it was in fact broken, they'd have failed in that and have shit to answer for.

    So while I certainly believe they are the best in the business, and while I'd not be surprised to discover they know things that the public does not, it would imply a staggering advance in cryptography for them to be able to break AES and figure that the public can't. In fact, it would probably imply something along the Tom Clancy lines of a computer that could break ANY machine based cypher and as such no matter what crypto you used short of a one time pad, you'd be screwed.

    I just don't find it reasonable to believe that. I find it more reasonable to believe that since good crypto is out there anyhow, and since their job is to protect US interests, that they did an honest analysis of AES and found it to be highly secure, just as everyone else did.

  39. I know, I know! by billcopc · · Score: 1

    How about we just add more bits ? :P

    (no, I'm not serious!)

    In the many years since I've been writing code (and I started on an Atari 400!), I've always sided with caution when dealing with outside-interfacing code. CRC-16 was easy to smash, then CRC-32 lasted just a teeny bit longer, then MD5 collisions, and now SHA-1/2. The one thing about computing power is that it is constantly growing; the hash that protects you today will be a script kiddie's joke tomorrow.

    There is one thing that can throw them for a loop: combinations. It's a heck of a lot harder to reverse three interlocked hashes... you might be able to fudge one, but the other one (or two, three, ten) will trip. It also spreads the risk of weaknesses in the individual algorithms.

    Now I'm not negating the need for a better hash, but there are very functional things we can do in the meantime to cover our asses.

    --
    -Billco, Fnarg.com
    1. Re:I know, I know! by Anonymous Coward · · Score: 0

      There is one thing that can throw them for a loop: combinations. It's a heck of a lot harder to reverse three interlocked hashes... you might be able to fudge one, but the other one (or two, three, ten) will trip.

      Not really. When a hash gets really broken you usually don't get just a few collisions but a method of manufacturing practically infinite number of them cheaply. At this point the security of the chained hash is pretty much equal to the non-broken parts of it.
  40. BOINC Project to Find SHA-1 Collision(s) by MrKevvy · · Score: 1

    The linked NIST report mentions only the work of Prof. Yang with which no one has yet found a collision, but a team from Graz University of Technology (Austria) has proposed a significantly faster algorithm for producing SHA-1 collisions and is running a BOINC project to find one.

    --
    -- Insert witty one-liner here. --
  41. Re:New Hash Algorithm Submission #1 by Anonymous Coward · · Score: 0

    I make this suggestion on Slashdot every so often. If you think that free markets are so great, and government is so bad, then why don't you go to a place where there is no government interference and you can buy and sell anything: the tribal areas in Pakistan, or the non-government controlled areas of Sudan or Ethiopia. There are places in Iraq where the government is absent. Also there is an area in South America, in north western Brazil, where anarchy reigns. Go to one of those places.

    Every place without government control is a hell hole where violence runs amok, there is no commerce and death and destruction rule. This is as true now as it has been in history. You sit in your house or office protected by the police, law, courts, fire and emergency services and then you whine about how the government and the rule of law are oppressing you. I just wish that there was some way to give the right wing morons a taste of real anarchy, and watch the few who survive crawl back and beg to be allowed back into civilization. You are disgusting.

  42. Re:New Hash Algorithm Submission #1 by Bloke+down+the+pub · · Score: 1

    I actually believe GVMT Roll

    Never heard of him, what did he say?

    --
    It's true I tell you, feller at work's next door neighbour read it in the paper.
  43. Re:Cool! A Minnie Driver/Anne Hathaway love scene. by Thundersnatch · · Score: 1

    Who the f*** decided that sentences on the Internet shall no longer be formatted with two spaces after a period?!

    They never were formatted with two spaces, or at least never should have been. Most browsers automatically reduce two spaces to one in any case.

    With a proportional-width font, you are supposed to use one space after a period (sometimes auto-kerned to 1.5 spaces in higher-end software). With a mono-spaced font, you use two spaces. I used to run the IT shop at a newspaper, and I was quickly enlightened that "single space after full stop" was the way things have always been done by everyone in the publishing industry, going back to the days of mechanical type in the 1800s. Why? Because it looks better on the page.

    This seems to support my experience. As most web fonts are proportional-width, a single space after period would seem to be the correct usage.

  44. The problem is implementing them. by bcrowell · · Score: 1

    There are already good hash functions out there that don't share the basic design of SHA. I've been using whirlpool for applications where security is important. (Good old md5 is fine for applications that don't involve security.) The problem is getting these newer hash functions widely implemented. For instance, here is my request to get the perl Digest::Whirlpool module packaged for debian/ubuntu. Until better hashes are conveniently packaged, authors of applications actually have a disincentive to move to more secure hash functions.

  45. The Shakespeare hash by Nazlfrag · · Score: 1

    Just get 1000 monkeys and 1000 numeric keypads. Where's my prize?

  46. NIST code quality by alexo · · Score: 1

    I have an anecdote to share.

    Recently I was asked to provide some info about the quality of a PRNG generator used in one of our programs.
    One of the questions was how well it does on the NIST Statistical Test Suite.

    So, I head over to the NIST site and download the latest version for Windows, dated March 22, 2005.

    First thing that I notice is that it does not compile under Visual Studio 2005.
    OK, I understand, they only had about two and a half years to fix this which is obviously not enough for an organization of their size and with their budget. Never mind, let's see what I can do.

    Add some missing #include statements, comment out a test function that passes a string instead of a pointer to structure, fix some implicit ints, add some casts to remove ambiguity in calling math functions and everything seems in order.

    Or is it?

    It crashes on every run. Debugging time...

    The code looks like a horrible mix of MFC C++ and C written by a FORTRAN programmer doing an assignment for the dailyWTF.

    Gems like

    char assignment[7];
    followed by

    strcpy(assignment,"SUCCESS");
    Zero termination anyone? Nah... Let's overflow the buffer for real!

    strcpy(assignment,"REJECTION");
    Or how about

    char fn[32];
    followed by

    sprintf(fn, "experiments/%s/output%d.dat", generatorDir[option], counter/100);
    when generatorDir[option] is hardcoded to be "AlgorithmTesting"? Try counting the characters.

    Or this allocation

    X = (double*) calloc(n,sizeof(double))
    and the following access

    for( i=0; i<n/2; i++ ) {
        m[i+1] = sqrt( pow(X[2*i+1],2) + pow(X[2*i+2],2) );
    }
    Remember boys and girls, C arrays are zero based.

    Amazing!

    NIST proudly proclaims that "This software was developed at the National Institute of Standards and Technology by employees of the Federal Government in the course of their official duties".
    At least they have the decency to add that "NIST assumes no responsibility whatsoever for its use by other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic."
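Hardened forms of the three snippets quoted in the post above, as an added example (not NIST's code and not the poster's). The buffer sizes, the "AlgorithmTesting" directory and the path format are taken from the post; the function names are hypothetical, and the third function assumes X holds n/2 interleaved (re, im) pairs.

```c
#include <stdio.h>
#include <string.h>

/* Added example: hardened versions of the three buffer-handling patterns
   quoted in the post. Function names are hypothetical, not NIST's; the
   sizes, directory name and format string come from the post itself. */

/* 1. Status field. "SUCCESS" is 7 chars, so a char[7] has no room for its
   NUL, and "REJECTION" (9 chars) overruns it by three bytes. Size the
   buffer for the longest value plus NUL and refuse anything longer. */
#define STATUS_LEN sizeof("REJECTION")   /* 9 + NUL = 10 */

/* Returns 0 on success, -1 if src would not fit (dst is left untouched). */
int set_status(char dst[STATUS_LEN], const char *src)
{
    size_t n = strlen(src);
    if (n >= STATUS_LEN)
        return -1;
    memcpy(dst, src, n + 1);          /* n + 1 copies the terminator too */
    return 0;
}

/* 2. Output path. snprintf never writes past size bytes and returns the
   length the full string would have had, so a result >= size means the
   fixed buffer was too small. "experiments/AlgorithmTesting/output0.dat"
   is 40 chars, which is why the original char fn[32] overflows at once. */
/* Returns the formatted length, or -1 if it did not fit in size bytes. */
int build_output_path(char *fn, size_t size, const char *generator_dir, int counter)
{
    int needed = snprintf(fn, size, "experiments/%s/output%d.dat",
                          generator_dir, counter / 100);
    if (needed < 0 || (size_t)needed >= size)
        return -1;
    return needed;
}

/* 3. Pairwise magnitudes over a zero-based array of n doubles. The original
   loop reads X[2*i+2] for i up to n/2-1, i.e. X[n], one past the calloc'd
   block, and writes m[i+1]. Here the highest index read is X[n-1] and the
   highest written is m[n/2-1]. Assumption: X holds n/2 interleaved (re, im)
   pairs. The square root from the original is omitted so the block links
   without libm; that does not change the indexing point. */
/* Returns the number of squared magnitudes written to m, or -1 for bad n. */
int pair_magnitudes_squared(const double *X, size_t n, double *m)
{
    if (n == 0 || n % 2 != 0)
        return -1;
    for (size_t i = 0; i < n / 2; i++) {
        double re = X[2 * i];         /* max index 2*(n/2-1)   = n - 2 */
        double im = X[2 * i + 1];     /* max index 2*(n/2-1)+1 = n - 1 */
        m[i] = re * re + im * im;
    }
    return (int)(n / 2);
}

int main(void)
{
    char status[STATUS_LEN];
    char fn[32];                      /* same size as in the post */
    char fn_ok[64];
    double X[4] = { 3.0, 4.0, 1.0, 1.0 };   /* constructed: two (re, im) pairs */
    double m[2];

    printf("SUCCESS fits: %d, REJECTION fits: %d, UNDETERMINED refused: %d\n",
           set_status(status, "SUCCESS") == 0,
           set_status(status, "REJECTION") == 0,
           set_status(status, "UNDETERMINED") == -1);
    printf("fn[32]: %d (did not fit), fn[64]: %d chars -> %s\n",
           build_output_path(fn, sizeof fn, "AlgorithmTesting", 0),
           build_output_path(fn_ok, sizeof fn_ok, "AlgorithmTesting", 0), fn_ok);
    printf("squared magnitudes written: %d (%.1f, %.1f)\n",
           pair_magnitudes_squared(X, 4, m), m[0], m[1]);
    return 0;
}
```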