Re: how to phase in new hash algorithms?

2005-03-25 Thread Peter Gutmann
"Steven M. Bellovin" <[EMAIL PROTECTED]> writes:

>We all understand the need to move to better hash algorithms than SHA1. At a 
>minimum, people should be switching to SHA256/384/512; arguably, Whirlpool is 
>the right way to go.  The problem is how to get there from here.
>
>So -- what should we as a community be doing now?

Kick it upstairs to the political layer.  Someone else's problem, we've already
shown them what the solution is, our job is done.

Peter :-).

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]


Re: how to phase in new hash algorithms?

2005-03-25 Thread Dan Kaminsky
Steven M. Bellovin wrote:

>We all understand the need to move to better hash algorithms than SHA1. 
>At a minimum, people should be switching to SHA256/384/512; arguably, 
>Whirlpool is the right way to go.  The problem is how to get there from 
>here.
I've been rather continually pinging people, asking them for an
explanation as to the design decisions of Whirlpool (namely -- it's
similar but noticeably not identical to AES/Rijndael, and isn't just a
straightforward expansion of the block size up to 512 bits).  I'm not
saying anything bad about Whirlpool, but I get a lot of people
approaching me about the hash and I don't really know what to tell them.

--Dan



Re: how to phase in new hash algorithms?

2005-03-21 Thread Christopher Wolf
Hi,
Ian G wrote:
> Steven M. Bellovin wrote:
> > So -- what should we as a community be doing now?  There's no
> > emergency on SHA1, but we do need to start, and soon.
>
> The wider question is how to get moving on new hash
> algorithms.  That's a bit tricky.
> Normally we'd look to see NIST or the NESSIE guys
> lead a competition.  But NESSIE just finished a
> comp, and may not have the appetite for another.
NESSIE is now called Ecrypt and _does_ do something on Hash functions, see
http://www.impan.gov.pl/BC/05Hash.html
It's not a call for a new hash function, I admit this, but I guess it's
too early for something like this anyway at the moment.
CU,
Christopher


Re: how to phase in new hash algorithms?

2005-03-21 Thread Bart Preneel

As ex-NESSIE project manager: NESSIE was an EU-funded research project
with funding for 40 months (2000-2003). The "NESSIE guys" still exist as
individual organizations but the NESSIE project is no longer in existence.

There is a follow-up, but with somewhat different goals, called ECRYPT
(http://www.ecrypt.eu.org). We are organizing a kind of stream cipher
competition. On June 23-24 there will be a workshop on hash functions
in Przegorzaly (Krakow), Poland.
Xiaoyun Wang, Eli Biham, and Hans Dobbertin are invited speakers.

  Deadline for submissions: 1st May 2005
  Early registration deadline: 31st May 2005

We plan to discuss at this workshop also the way to go forward on hash
functions (for example, should there be a new competition for hash functions?).

Organizing this kind of competition is beyond the current scope and
financial means of IACR, but IACR could consider sponsoring events
related to such an activity.

--Bart

COSIC - Katholieke Universiteit Leuven

On Mon, 21 Mar 2005, Ian G wrote:

> Steven M. Bellovin wrote:
>
> > So -- what should we as a community be doing now?  There's no emergency
> > on SHA1, but we do need to start, and soon.
>
> The wider question is how to get moving on new hash
> algorithms.  That's a bit tricky.
>
> Normally we'd look to see NIST or the NESSIE guys
> lead a competition.  But NESSIE just finished a
> comp, and may not have the appetite for another.
> NIST likewise just came out with SHA256 et al, and
> they seem to have a full work load as it is trying
> to get DSS-2 out.
>
> How about the IACR?  Would they be up to leading
> a competition?  I don't know them at all myself,
> but if the Shandong results are heard at IACR
> conferences, then maybe it's time to take on a
> larger role.
>
> Most of the effort could be volunteer, and it would
> also be easy enough to schedule everything aligned
> with the conference circuit.
>
> Just a thought.  Anyone know anyone at the IACR?
>
> iang
> --
> News and views on what matters in finance+crypto:
>  http://financialcryptography.com/



Re: how to phase in new hash algorithms?

2005-03-21 Thread Joseph Ashwood
- Original Message -
From: "Steven M. Bellovin" <[EMAIL PROTECTED]>
Subject: how to phase in new hash algorithms?

> We all understand the need to move to better hash algorithms than SHA1.
> At a minimum, people should be switching to SHA256/384/512; arguably,
> Whirlpool is the right way to go.  The problem is how to get there from
> here.
> ...
> So -- what should we as a community be doing now?  There's no emergency
> on SHA1, but we do need to start, and soon.
Phase 1 is to change the hash function choice from implicit to explicit.
Specifically, instead of having hash = "457253W4568MM48AWA2346", move to
hash = "SHA-1:lq23rbp8yaw4tilutqtipyu.".

Then over time ratchet down the default.
There is also an easy argument that it may be beneficial to skip SHA-256
entirely. The argument put succinctly is:
64-bit computing is arriving.
On 64-bit systems SHA-512 is nearly twice as fast as SHA-256 (Crypto++
benchmarks).
SHA-512 is at least as strong, and faster.
Joe

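The explicit-tag scheme and the ratchet described in Joe's post, worked out as an added example (not code from the thread): hashes are stored as "algo:hexdigest", untagged values are read as legacy SHA-1, a policy floor decides which algorithms are still accepted, and a value that verifies under an older algorithm is handed back re-encoded with the current default so the caller can store the upgraded form. The algorithm list, the policy names and the use of SHA-512 as the default are assumptions of the example.

```python
import hashlib
import hmac
from typing import Optional, Tuple

# Accepted algorithms, weakest to strongest (assumed policy for this example).
SUPPORTED = ("sha1", "sha256", "sha384", "sha512")
# An untagged hash is the old implicit choice: treat it as SHA-1.
LEGACY_DEFAULT = "sha1"
# Current default for newly written tags; the last entry is the strongest.
CURRENT_DEFAULT = SUPPORTED[-1]


def make_tag(data: bytes, algo: str = CURRENT_DEFAULT) -> str:
    """Return an explicit, self-describing hash string 'algo:hexdigest'."""
    if algo not in SUPPORTED:
        raise ValueError(f"unsupported algorithm {algo!r}")
    return f"{algo}:{hashlib.new(algo, data).hexdigest()}"


def parse_tag(tag: str) -> Tuple[str, str]:
    """Split 'algo:digest'; an untagged value is the legacy implicit algorithm."""
    algo, sep, digest = tag.partition(":")
    if not sep:
        return LEGACY_DEFAULT, tag
    return algo.lower(), digest


def verify(data: bytes, tag: str, minimum: str = "sha1") -> Tuple[bool, Optional[str]]:
    """Check data against tag under a policy floor; return (ok, upgraded_tag).

    `minimum` is the weakest algorithm still accepted.  Raising it over time
    is the ratchet: tags below the floor are refused rather than guessed at.
    When the tag verifies but uses an algorithm below CURRENT_DEFAULT, the
    same data is returned re-tagged with the default so the store can be
    migrated on read.
    """
    algo, digest = parse_tag(tag)
    if algo not in SUPPORTED or SUPPORTED.index(algo) < SUPPORTED.index(minimum):
        return False, None  # unknown or retired algorithm
    expected = hashlib.new(algo, data).hexdigest()
    if not hmac.compare_digest(expected, digest.lower()):
        return False, None  # constant-time comparison of the hex digests
    upgraded = make_tag(data) if algo != CURRENT_DEFAULT else None
    return True, upgraded
```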


Re: how to phase in new hash algorithms?

2005-03-20 Thread Ian G
Steven M. Bellovin wrote:
> So -- what should we as a community be doing now?  There's no emergency
> on SHA1, but we do need to start, and soon.
The wider question is how to get moving on new hash
algorithms.  That's a bit tricky.
Normally we'd look to see NIST or the NESSIE guys
lead a competition.  But NESSIE just finished a
comp, and may not have the appetite for another.
NIST likewise just came out with SHA256 et al, and
they seem to have a full work load as it is trying
to get DSS-2 out.
How about the IACR?  Would they be up to leading
a competition?  I don't know them at all myself,
but if the Shandong results are heard at IACR
conferences, then maybe it's time to take on a
larger role.
Most of the effort could be volunteer, and it would
also be easy enough to schedule everything aligned
with the conference circuit.
Just a thought.  Anyone know anyone at the IACR?
iang
--
News and views on what matters in finance+crypto:
http://financialcryptography.com/


how to phase in new hash algorithms?

2005-03-20 Thread Steven M. Bellovin
We all understand the need to move to better hash algorithms than SHA1. 
At a minimum, people should be switching to SHA256/384/512; arguably, 
Whirlpool is the right way to go.  The problem is how to get there from 
here.

OpenSSL 0.9.7 doesn't even include anything stronger than SHA1.  As a 
practical matter, this means that no one can use anything stronger in 
certificates, especially root certificates.  Worse yet, people can't 
use anything stronger for public consumption for at least five years 
after a stronger hash algorithm is available -- we have to wait until
most older software has died off, since most machines are never
upgraded.  This means that appearance of the code in client machines is 
on the critical path.  I've heard that OpenSSL 0.9.8 will include 
stronger hashes, but there's no work in progress to backport the code 
to 0.9.7.  

So -- what should we as a community be doing now?  There's no emergency 
on SHA1, but we do need to start, and soon.

--Prof. Steven M. Bellovin, http://www.cs.columbia.edu/~smb


