
NIST Opens Competition for a New Hash Algorithm

Zonk posted more than 6 years ago | from the not-that-long-to-wait dept.

Encryption 187

Invisible Pink Unicorn writes "The National Institute of Standards and Technology has opened a public competition for the development of a new cryptographic hash algorithm, which will be called Secure Hash Algorithm-3 (SHA-3), and will augment the current algorithms specified in the Federal Information Processing Standard (FIPS) 180-2. This is in response to serious attacks reported in recent years against cryptographic hash algorithms, including SHA-1, and because SHA-1 and the SHA-2 family share a similar design. Submissions are being accepted through October 2008, and the competition timeline indicates that a winner will be announced in 2012."


hash algorithm hash recipe (4, Funny)

Briden (1003105) | more than 6 years ago | (#21298871)

I prefer the bubble bag method for making hash

Different kinds of hash (2, Informative)

HomelessInLaJolla (1026842) | more than 6 years ago | (#21299413)

Crude hash:

Take a full stalk from the marijuana plant--bud, leaves, and all. Strip the bud and the leaves away from the bulk fiber stem. Discard the stem. Roll and crush the bud and leaves together. Compress, twist, and tear. Compress, twist, and tear. Wring the water out of the bulk pulp. Leave the bulk pulp to demoisturize (not dry completely). This is the crudest form of hash and probably the oldest form known to man.

Leftover hash:

Take just the leaves from the marijuana plant. Repeat the process described for crude hash. Use the marijuana buds for normal smoking or cooking. This method allows one to make use of the leaves as well as the bud in separate form.

Crude chemical extract:

Take the buds from the marijuana plant. Break them apart but do not crush or damage the glands (trichomes). Place the broken up buds in ice water, swirl and mix, and scoop out the material which rises to the top. Dry gently (air dry, no heat).

Supercritical chemical extract:

Take the buds from the marijuana plant. Break them apart but do not crush or damage the glands (trichomes). Pack the material into a sealed cylinder. Attach a tube of compressed butane to the sealed cylinder. Discharge the butane through the sealed cylinder. Collect the effluent and allow the butane to evaporate (air dry, no heat).

Soxhlet extract (honey blond hash oil):

Obtain a Soxhlet extraction apparatus. Use the buds, possibly the leaves, maybe even the stems from the plant. Extract for at least five cycles using pentane, hexane, or heptane. Collect and dry the extraction solution (air dry, preferably with attached vacuum, as little heat as possible). This is the finest hash oil you'll come across.

In all cases avoid temperatures over 50C. The desirable components, technically, boil around 110-120C but significant amounts may be lost at temperatures over 50C.

ENJOY!

The point of making hash is to denature the typical plant products, such as chlorophyll, and extract them into a water layer (which is removed) or to extract the desirable hydrophobic products away from the bulk plant material. Smoking untreated or uncured marijuana plant material is somewhat flavorful (depending upon personal taste) but usually causes a digestive or nervous reaction (tummyache or headache).

Re:hash algorithm hash recipe (1)

darkcatalyst (989389) | more than 6 years ago | (#21300391)

This reminds me of an altogether disturbing (yet somehow hilarious) hash recipe that recently came into the public eye - butthash [theregister.co.uk] - yeah you heard right. Butthash.

huh? (1)

subk (551165) | more than 6 years ago | (#21298891)

Somebody care to help me figure out this sentence phragment?

"This is in response to serious attacks reported in recent years against cryptographic hash algorithms, including SHA-1, and because SHA-1 and the SHA-2 family share a similar design."

Re:huh? (1)

ByOhTek (1181381) | more than 6 years ago | (#21299007)

what fragment of that sentance? There's a subject, main verb, helper verbs and objects!

Maybe you didn't mean fragment, but I don't know what a phragment is...

Re:huh? (1)

cliveholloway (132299) | more than 6 years ago | (#21299303)

And I don't know what a sentance is either.

If you're going to be a grammar Nazi, at least spell-check your post :)

Weird parallel structure (1)

timster (32400) | more than 6 years ago | (#21299043)

This is
    in response to serious attacks reported in recent years against cryptographic hash algorithms, including SHA-1
and
    because SHA-1 and the SHA-2 family share a similar design.

You won't catch me defending this abomination of a sentence, but that's how I'd parse such a thing.

I know I'm paranoid, but... (0, Flamebait)

mollog (841386) | more than 6 years ago | (#21298937)

I know I'm being paranoid, but did anybody else think that this is a way for the gummint to get a look at the various methods people are using to secure their data? What better way to get the methods than to have a 'competition', something that will stroke the egos of crackers?

Re:I know I'm paranoid, but... (1, Insightful)

Anonymous Coward | more than 6 years ago | (#21298987)

Or even worse, build a standard based on their work where there are very specific weaknesses built in - you know, to fight "terrorism"

Re:I know I'm paranoid, but... (0)

Anonymous Coward | more than 6 years ago | (#21299591)

Or even worse, build a standard based on their work where there are very specific weaknesses built in - you know, to fight "terrorism"
That would be hard to do with an open standard.

Re:I know I'm paranoid, but... (5, Insightful)

kebes (861706) | more than 6 years ago | (#21299261)

I know I'm being paranoid, but did anybody else think that this is a way for the gummint to get a look at the various methods people are using to secure their data?
I think you are being a bit paranoid! NIST is proposing an open competition to develop a new open standard for hashing. Anyone who wants to participate can do so. Anyone who wants to retain their "secret hashing method" can continue to keep it secret. It's not like the government is demanding anything. This is just a research agency promoting open research.

Not to mention that I sincerely doubt that anyone is currently using some super-secret ultra-elite hashing algorithm that no one else knows about. This field of mathematics and security is quite mature and very much open to scrutiny currently. The current solutions are fully documented. I think the point here is that further progress isn't going to be made by lone researchers hiding their results: the only way forward is via more open collaboration.

What better way to get the methods than to have a 'competition', something that will stroke the egos of crackers?
If a cracker wants to sell his secrets at the cost of an ego-stroke, that's his choice. Nothing nefarious here. Again, NIST is not going to take these results and use them for evil ends (or even for commercial gain): they are hoping to create an open, public standard that everyone will benefit from (and which international experts in mathematics, cryptography, and computer security will analyze in detail). That's what NIST does.

Sorry, but I think your paranoia is unfounded in this case!

(Disclosure: I work with NIST, but have nothing to do with this project. Note that my opinions are my own and should not be construed as official statements from NIST.)

Very similar to the AES competition (5, Insightful)

Sycraft-fu (314770) | more than 6 years ago | (#21299747)

Also done by NIST. I suppose you could be all paranoid and claim that AES was chosen so that the US government could snoop on you since, after all, the NSA signed off on it as being secure and they'd never tell the truth, right? Well, except for the fact that it was designed by a couple of Belgians and has also been signed off on by essentially every other respected crypto expert and organization there is.

So that leaves you with two possible situations:

1) That the NSA is so amazingly far ahead of everyone else in crypto that they were able to find something in AES that no one else has in over a decade. Also they are so confident in their knowledge that they believe nobody else will find it since if they did the results would be a big problem (AES is approved for classified data, and is used by US financial institutions).

or

2) AES is really secure, and the NSA is telling the truth.

Now which is more likely? Also, supposing you believe option #1 then why trust any crypto? If the NSA really is so good that they can outdo the entire rest of the crypto community, well then they can probably break pretty much any of the cryptosystems out there. You can't trust any of them since the only people who would really know if they were insecure won't say.

Seems extremely unlikely.

Well, same deal with this hash competition. If you believe that the government will be able to pick one that is in fact something they can break, but that nobody else in the world will know about this then it doesn't matter, because their understanding is so far advanced that all hashes would have to be suspect.

Given the extremely public, international, nature of things like this there really isn't any room for mistrust. I again point to the results of the AES competition. You want to talk about a cypher that has stood up to some extreme scrutiny, there you go.

Re:Very similar to the AES competition (5, Informative)

lgw (121541) | more than 6 years ago | (#21299877)

1) That the NSA is so amazingly far ahead of everyone else in crypto that they were able to find something in AES that no one else has in over a decade.
When the DES standard was created, the NSA was so amazingly far ahead of everyone else that they were able to find something in DES that no one else found for over a decade. The NSA provided very specific technical advice (without explanation) that was followed in the creation of DES. Many years later, the rest of the world caught up and discovered that the NSA had corrected a very subtle weakness in DES.

The NSA has an actual track record here, and their motives have proven good so far. However, they claim that (due to lack of funding and too much competition from financial firms for math PhDs) they aren't so far ahead any more.

Re:Very similar to the AES competition (3, Informative)

Llywelyn (531070) | more than 6 years ago | (#21299969)

It is worth emphasizing that the NSA has said that AES 128/192/256 can be used to protect information up to the secret level, and that top secret information can be secured with AES 192 or 256. That's a pretty strong statement coming from the NSA, which if acting rationally they would not want to leave weaknesses in something that is used to secure information that would be, by definition, "very damaging to the US and its interests if released."

Now, it is possible that such statements are just for show, but it takes a belief that they are playing an incredulously deep game that they would make those statements as a denial and deception practice.

Re:Very similar to the AES competition (1)

morgan_greywolf (835522) | more than 6 years ago | (#21300521)

Exactly. The NSA has always had cryptography as one of their charters, and as a result, they have traditionally been able to hire the best of the best in cryptography and cryptanalysis. If the NSA says it's good enough for top secret data, believe me, at least at the time they said it, it is.

I wouldn't doubt that the NSA isn't constantly trying to break cryptos like AES 192 or 256, if, for no other reason, than to test to see if they really are that secure. One thing is for certain though -- if they knew how to break it, they certainly wouldn't tell anyone. That, in itself, would be the highest level of top secret classified information, since knowledge of breaking these algorithms would represent a threat to national security and, well, they are National Security :)

Re:I know I'm paranoid, but... (1)

jddj (1085169) | more than 6 years ago | (#21300243)

You are being paranoid.

It's actually IMPORTANT to open the algorithm. An open algorithm is open to analysis for how well it performs its job, and for any bugs or short-circuits, any methods of recovering the input data from the hash. It's provably secure or insecure. You can analyze an open hash algorithm mathematically to determine how likely it is that two given input data items will evaluate to the same hash.

With a closed algorithm, you can't perform this analysis. In the related discipline of encryption, this has tainted the reputation of the closed algorithm Skype uses for its VOIP encryption. Skype can say its encryption is secure and free of backdoors all day long, but you'd be well advised not to believe this if its algorithm is not open for inspection.

An open algorithm is ONLY secure if an attacker can know the entire algorithm and STILL not turn the hash back into the input data or engineer a hash collision in a reasonable amount of time even with, say, a huge bot farm. A closed algorithm may have any number of compromises, may not be secure in any real sense. The closed algorithm is protected only by the thin veil of obscurity.
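The collision likelihood jddj mentions can be measured for an open hash rather than only argued about. The following is an added example, not code from the thread or from NIST: it truncates SHA-256 to a small width to stand in for an ideal short hash, computes the birthday-bound estimate of how many random inputs precede the first collision, and then counts how many it actually takes. The 20-bit width, the `msg` label and the helper names are my own assumptions.

```python
import hashlib
import math
from typing import Tuple


def truncated_digest(data: bytes, bits: int) -> int:
    """First `bits` bits of SHA-256, used as a stand-in for an ideal
    bits-bit hash so collision statistics can be observed directly."""
    full = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return full >> (256 - bits)


def expected_trials(bits: int) -> int:
    """Birthday bound: about sqrt(pi/2 * 2^bits) random inputs are needed
    before the first collision of an ideal bits-bit hash."""
    return round(math.sqrt(math.pi / 2 * 2 ** bits))


def find_collision(bits: int, label: bytes = b"msg") -> Tuple[int, bytes, bytes]:
    """Hash distinct inputs until two share a truncated digest.
    Returns (inputs hashed, first input, second input). By the pigeonhole
    principle a collision must appear within 2^bits + 1 inputs."""
    seen = {}
    for i in range(2 ** bits + 1):
        msg = label + i.to_bytes(8, "big")  # constructed inputs: label + counter
        d = truncated_digest(msg, bits)
        if d in seen:
            return i + 1, seen[d], msg
        seen[d] = msg
    raise RuntimeError("unreachable: pigeonhole guarantees a collision")


def demo(bits: int = 20) -> dict:
    """Compare the measured number of inputs with the birthday estimate."""
    trials, a, b = find_collision(bits)
    return {"bits": bits, "trials": trials, "expected": expected_trials(bits),
            "a": a, "b": b}


if __name__ == "__main__":
    r = demo()
    print(f"{r['bits']}-bit hash: collision after {r['trials']} inputs "
          f"(birthday estimate {r['expected']})")
```

For 20 bits the estimate is 1283 inputs and a run typically lands within a small factor of it; the point for a reviewer is that a real hash whose collisions turn up far below sqrt(pi/2 * 2^n) is not behaving like an ideal n-bit function, which is exactly the kind of defect open analysis exists to find.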

Re:I know I'm paranoid, but... (1)

UID30 (176734) | more than 6 years ago | (#21300683)

Not to mention that I sincerely doubt that anyone is currently using some super-secret ultra-elite hashing algorithm that no one else knows about.
You have obviously never heard of my ROT-13.5 algorithm. They never figure out that extra .5

Re:I know I'm paranoid, but... (1)

Cairnarvon (901868) | more than 6 years ago | (#21300051)

Even if that were plausible, it'd definitely be a risk worth taking. Cryptographic methods that are kept secret are never as secure as methods that are scrutinised by thousands of cryptanalysts around the world, as even the NSA itself has experienced on more than one occasion. Cryptographers, more than anyone else, are very much aware of the fact that security through obscurity just doesn't work.

Re:I know I'm paranoid, but... (1)

Cristofori42 (1001206) | more than 6 years ago | (#21300569)

I've got one mod point left but I can't seem to find the "paranoid" option in the drop-down box here..

Re:I know I'm paranoid, but... (1)

Bob-taro (996889) | more than 6 years ago | (#21300855)

I know I'm being paranoid, but

Admitting you have a problem is the first step ...

Seriously, though, while your suspicion of their motives is not entirely unfounded, this probably won't help them crack anything. The best thing about a good encryption algorithm is that just knowing the algorithm isn't enough to allow you to crack it.

Here's my hash algorithm: (0)

Anonymous Coward | more than 6 years ago | (#21298941)

INGREDIENTS:

        * 2 to 3 tablespoons butter
        * 2 cups cooked corned beef, finely chopped
        * 3 cups cooked, chopped potatoes
        * 2 tablespoons minced onion
        * 2 tablespoons chopped parsley, optional
        * salt, pepper and brown gravy

PREPARATION:
Melt butter in a large skillet over medium-low heat. Add corned beef, potatoes, and minced onion; spread evenly in the skillet. Brown on one side; turn with a spatula and brown the other side. Continue turning until most of the meat and potatoes are well-browned.

SHA2? (0, Interesting)

Anonymous Coward | more than 6 years ago | (#21298971)

I know SHA0 and SHA1 are broken, but SHA2? I thought they're still secure to use, especially the SHA2-512. What am I missing?

Re:SHA2? (0)

Anonymous Coward | more than 6 years ago | (#21299309)

SHA-2 is a more secure version of SHA-1. A serious weakness in SHA-1 could lead to a similar weakness in SHA-2.
A completely different algorithm probably won't have the same flaws.

Also, they're looking for an algorithm that will be secure until probably 2020. I doubt that's the case for most hashes in use today.

Re:SHA2? (1)

InvisiBill (706958) | more than 6 years ago | (#21299329)

I know SHA0 and SHA1 are broken, but SHA2? I thought they're still secure to use, especially the SHA2-512. What am I missing?
From TFS:

because SHA-1 and the SHA-2 family share a similar design

Re:SHA2? (0)

Anonymous Coward | more than 6 years ago | (#21299553)

Like they said, SHA2 is related to SHA1, so they fear that problems in SHA1 indicate problems in SHA2.

Encryption == Something to Hide (4, Funny)

explosivejared (1186049) | more than 6 years ago | (#21298973)

Why does the government promote creating new encryption methods when encrypting data so clearly means you have something to hide and are therefore guilty? I mean COME ON!

Encryption != Hashing (4, Informative)

rock217 (802738) | more than 6 years ago | (#21299135)

Encryption implies that you can reconstruct the original string from the encoded one. Methods like md5, sha1, etc. are one-way algorithms that cannot be reversed* in a realistic amount of time.

* - Rainbow tables

Re:Encryption != Hashing (1)

explosivejared (1186049) | more than 6 years ago | (#21299163)

My bad, maybe I should think about it before I post something meant to be funny... NAH! This is slashdot. Anyways, thanks for the correction.

No, you're right. (1)

wattrlz (1162603) | more than 6 years ago | (#21299559)

There is such a thing as a one-way encryption and hashing is a form of doing so. By definition encryption is the act of writing something in an alternative manner. There's no requirement it be decryptable (or secure, for that matter).

Re:No, you're right. (1)

mattpalmer1086 (707360) | more than 6 years ago | (#21300263)

I think you're mixing up the definition of cryptography with that of encryption. Cryptography encompasses encryption, hashing, key exchange, zero-knowledge proofs and other stranger things. A hash algorithm is a one-way function by definition - you can't reverse it even with knowledge of what was done. En-cryption is a two-way function - it always implies the possibility of de-cryption.

Re:No, you're right. (1)

masterzora (871343) | more than 6 years ago | (#21300761)

While the term encryption usually implies a decryption method, it's not necessarily so. In fact, the etymology shows that "encrypt" basically means "to cause something to be hidden", which a hash function definitely succeeds at.

Re:No, you're right. (3, Informative)

smallfries (601545) | more than 6 years ago | (#21301013)

Maybe you should chase the etymology one level deeper. If the original data cannot be recovered then it is not "hidden" but "destroyed". You may not believe that the term encryption means a two-way process with an available decryption function - but that is the definition that the crypto community uses, and so it's good enough for me.

Re:Encryption != Hashing (2, Informative)

TechyImmigrant (175943) | more than 6 years ago | (#21299575)

When hashing a data set larger than the resulting digest, it cannot be reversed at all. However you can find collisions which is handy if you want to subvert the PKI hierarchy that protects web transactions.

Re:Encryption == Something to Hide (1)

Ang31us (1132361) | more than 6 years ago | (#21299147)

LOL! You should be writing material for Colbert ;-) . All you're missing is the sarcasm tags...you are kidding, right? hehehe

Re:Encryption == Something to Hide (0)

Anonymous Coward | more than 6 years ago | (#21299229)

Duh! They need some way of finding the terrorists. Everyone who enters can be arrested for treason because they're aiding the terrorists hide their terrorist plots!

Re:Encryption == Something to Hide (0)

Anonymous Coward | more than 6 years ago | (#21299401)

Encryption hardly means you have "something to hide" and are "therefore guilty," as you say it - it only implies that the information being passed between parties is sensitive and confidential, if anything. For just one brief example, think about every time you used a password on a website - it doesn't in any way imply that you are engaged in criminal activity, it is used to determine whether you should have access to your account. The site could store this information as plain-text. A more secure way of doing it, however, would be to create a hash of your password when you log in, and check it against the one stored on the server to determine whether to allow access. The use of a good hashing algorithm means that you can log onto your favorite website without it storing your password in plain-text, for an insider (or skilled attacker) to find and exploit.
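The password flow described above, together with the "rainbow tables" footnote from rock217's post earlier in the thread, as an added example that is not part of the original discussion. It contrasts a plain SHA-256 of the password (deterministic, so one precomputed table of unsalted digests reverses every user who chose a listed password) with a per-user salted, iterated digest that the site stores and verifies instead. The PBKDF2 parameters, the three-word list and the function names are my own assumptions, not figures from the thread.

```python
import hashlib
import hmac
import os
from typing import Optional

# Work-factor settings chosen for this example (an assumption, not a figure
# from the thread); pick them per current guidance for a real deployment.
ITERATIONS = 100_000
SALT_BYTES = 16


def naive_hash(password: str) -> str:
    """Plain SHA-256 of the password: deterministic, so equal passwords give
    equal digests and a precomputed table reverses it in one lookup."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def make_record(password: str, salt: Optional[bytes] = None) -> dict:
    """Salted, iterated digest: this is what the server stores instead of
    the password. A fresh random salt per user defeats shared precomputation."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "iterations": ITERATIONS, "hash": digest.hex()}


def verify(record: dict, candidate: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def table_lookup(table: dict, digest_hex: str) -> Optional[str]:
    """The footnote's precomputed table, reduced to a dict of unsalted
    digests: one lookup recovers the password if it is listed."""
    return table.get(digest_hex)


def demo() -> dict:
    # Constructed sample data, not real credentials.
    wordlist = ["password", "letmein", "123456"]
    table = {naive_hash(p): p for p in wordlist}
    naive_a, naive_b = naive_hash("letmein"), naive_hash("letmein")  # two users, same password
    rec_a, rec_b = make_record("letmein"), make_record("letmein")
    return {
        "naive_equal": naive_a == naive_b,                      # one digest exposes both users
        "naive_reversed": table_lookup(table, naive_a),         # recovered from the table
        "salted_equal": rec_a["hash"] == rec_b["hash"],         # different salts, different digests
        "salted_reversed": table_lookup(table, rec_a["hash"]),  # the table is useless here
        "verify_ok": verify(rec_a, "letmein"),
        "verify_bad": verify(rec_a, "letmeout"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The record keeps the iteration count beside the salt so the cost can be raised later without invalidating existing users, and `hmac.compare_digest` avoids leaking how many leading bytes of a guess matched.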

Re:Encryption == Something to Hide (1)

lukesky321 (1092369) | more than 6 years ago | (#21299545)

There is a difference between encryption and hashing.

encryption: The process of converting information into a form unintelligible to anyone except holders of a specific cryptographic key.

hashing: The production of a "hash value" to ensure that information or software is protected against tampering.

hashing is not used to encrypt data instead it is used to ensure the integrity of the data.

Re:Encryption == Something to Hide (1)

explosivejared (1186049) | more than 6 years ago | (#21299733)

That's splitting hairs there. Why would anyone encrypt something unless they wanted it to remain untampered with?

Re:Encryption == Something to Hide (1)

lukesky321 (1092369) | more than 6 years ago | (#21299901)

It is possible for files transferred over any interface to become corrupted, not necessarily by human malice. For example, I've burned a copy of Fedora 6 onto a disc and I had bad RAM which caused it to become corrupted and not install on a machine. I got another Fedora 6 disc that I knew worked, performed a hash on both discs and they were not the same.
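The disc comparison lukesky321 describes, and the integrity use of hashing from the post before it, as an added example (not from the thread): it hashes an image in fixed-size chunks so a multi-gigabyte file never has to fit in memory, parses a sha256sum-style manifest of published digests, and checks a file against it. The two constructed 1 MiB "discs" (the second with a single flipped bit, the kind of damage bad RAM causes) and the file names are my own assumptions.

```python
import hashlib
import hmac
import io
import os
import tempfile
from typing import BinaryIO, Dict

CHUNK = 1 << 16  # 64 KiB reads keep memory flat regardless of image size


def sha256_of_stream(stream: BinaryIO, chunk: int = CHUNK) -> str:
    """Hash a stream incrementally; the whole image is never held in memory."""
    h = hashlib.sha256()
    for block in iter(lambda: stream.read(chunk), b""):
        h.update(block)
    return h.hexdigest()


def sha256_of_bytes(data: bytes) -> str:
    return sha256_of_stream(io.BytesIO(data))


def sha256_of_file(path: str) -> str:
    with open(path, "rb") as f:
        return sha256_of_stream(f)


def parse_manifest(text: str) -> Dict[str, str]:
    """Parse sha256sum-style lines: '<hex>  <name>' or '<hex> *<name>'."""
    entries: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, sep, name = line.partition("  ")
        if not sep:
            digest, sep, name = line.partition(" *")
        if not sep or len(digest) != 64 or not name:
            raise ValueError(f"malformed manifest line: {raw!r}")
        entries[name] = digest.lower()
    return entries


def check_file(path: str, expected_hex: str) -> bool:
    """Constant-time comparison of the computed digest with the published one."""
    return hmac.compare_digest(sha256_of_file(path), expected_hex.lower())


def demo() -> dict:
    """Constructed stand-ins for two burned discs; the second has one flipped bit."""
    good = bytes(range(256)) * 4096          # 1 MiB of sample content
    bad = bytearray(good)
    bad[12345] ^= 0x08                       # single-bit corruption
    with tempfile.TemporaryDirectory() as d:
        good_path = os.path.join(d, "fedora.iso")
        bad_path = os.path.join(d, "fedora-copy.iso")
        with open(good_path, "wb") as f:
            f.write(good)
        with open(bad_path, "wb") as f:
            f.write(bytes(bad))
        # The "published" manifest is built from the known-good disc here.
        manifest = parse_manifest(f"{sha256_of_file(good_path)}  fedora.iso\n")
        expected = manifest["fedora.iso"]
        return {"good_ok": check_file(good_path, expected),
                "bad_ok": check_file(bad_path, expected)}


if __name__ == "__main__":
    print(demo())
```

A hash check of this kind detects accidental corruption reliably, but a manifest fetched over the same untrusted channel as the image says nothing about tampering; for that the manifest itself needs a signature, which is a different mechanism from the digest.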

Re:Encryption == Something to Hide (1)

mattpalmer1086 (707360) | more than 6 years ago | (#21300525)

It seems like splitting hairs, but actually it matters. People used to think that if you encrypted something, it was safe from modification, but that's just not true. They thought that if it was encrypted, it would be impossible for an attacker to create useful changes in it, but it turns out that isn't true.

One very simple attack was changing the grades in a school system. The school encrypted the grades, so they thought they were safe from change. The failed students hacked into the system, and just changed their data to the same data held against students they knew had done well. Anyway, that's just one way that encryption doesn't protect you against malicious modification. It gets a lot sneakier the more you look into it.
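The grade-record failure mattpalmer1086 describes, with the fix beside it, as an added example that is not from the thread. The "cipher" is a toy keystream built from SHA-256 in counter mode, standing in for any unauthenticated stream mode; it is used only to show the behaviour, not proposed for real use. The first half stores records with confidentiality only, so a blob copied from another student's row decrypts cleanly and a ciphertext byte can be bent without the key; the second half applies encrypt-then-MAC with the record id covered by the tag, and both manipulations are rejected before decryption. Keys, ids, grades and helper names are constructed assumptions.

```python
import hashlib
import hmac
import os
from typing import Tuple


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream (SHA-256 in counter mode): a stand-in for a real stream
    cipher that shares its XOR malleability. Not for real use."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> Tuple[bytes, bytes]:
    """Confidentiality only: returns (nonce, ciphertext), no integrity."""
    nonce = os.urandom(12)
    ks = keystream(key, nonce, len(plaintext))
    return nonce, bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt(key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    ks = keystream(key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


def flip_byte(ct: bytes, index: int, delta: int) -> bytes:
    """Change one ciphertext byte; in a stream mode the same change lands in the plaintext."""
    out = bytearray(ct)
    out[index] ^= delta
    return bytes(out)


def seal(enc_key: bytes, mac_key: bytes, record_id: str, plaintext: bytes) -> dict:
    """Encrypt-then-MAC. The tag covers id, nonce and ciphertext, so a blob
    copied from another record, or a bent byte, no longer verifies."""
    nonce, ct = encrypt(enc_key, plaintext)
    tag = hmac.new(mac_key, record_id.encode() + nonce + ct, hashlib.sha256).digest()
    return {"id": record_id, "nonce": nonce, "ct": ct, "tag": tag}


def open_sealed(enc_key: bytes, mac_key: bytes, rec: dict) -> bytes:
    """Verify before decrypting; any change to id, nonce or ciphertext is rejected."""
    expect = hmac.new(mac_key, rec["id"].encode() + rec["nonce"] + rec["ct"],
                      hashlib.sha256).digest()
    if not hmac.compare_digest(expect, rec["tag"]):
        raise ValueError("integrity check failed")
    return decrypt(enc_key, rec["nonce"], rec["ct"])


def rejected(enc_key: bytes, mac_key: bytes, rec: dict) -> bool:
    try:
        open_sealed(enc_key, mac_key, rec)
        return False
    except ValueError:
        return True


def demo() -> dict:
    enc_key, mac_key = os.urandom(32), os.urandom(32)
    delta = ord("F") ^ ord("A")  # byte 6 of b"grade=F" is the letter grade
    # Unauthenticated records: constructed grades for two students.
    fail_nonce, fail_ct = encrypt(enc_key, b"grade=F")
    pass_nonce, pass_ct = encrypt(enc_key, b"grade=A")
    swapped = decrypt(enc_key, pass_nonce, pass_ct)            # other row's blob copied in
    bent = decrypt(enc_key, fail_nonce, flip_byte(fail_ct, 6, delta))  # one byte bent
    # Authenticated records: the same two manipulations are caught.
    failing = seal(enc_key, mac_key, "student-1", b"grade=F")
    passing = seal(enc_key, mac_key, "student-2", b"grade=A")
    pasted = dict(passing, id="student-1")                     # blob copied across ids
    tampered = dict(failing, ct=flip_byte(failing["ct"], 6, delta))
    return {
        "swapped": swapped,                                    # b"grade=A", undetected
        "bent": bent,                                          # b"grade=A", undetected
        "honest": open_sealed(enc_key, mac_key, failing),      # b"grade=F"
        "paste_rejected": rejected(enc_key, mac_key, pasted),
        "tamper_rejected": rejected(enc_key, mac_key, tampered),
    }


if __name__ == "__main__":
    print(demo())
```

Binding the record id into the tag is what defeats the copy-paste case; a MAC over the ciphertext alone would still let a valid blob be moved between rows. Real systems get the same property from an AEAD mode with the id passed as associated data.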

I don't get it (1)

eclectro (227083) | more than 6 years ago | (#21298995)

Once I develop the winning uber hash function, what do I get? I can't find in the timeline where it mentions a large cash prize with strippers jumping out of a cake. Some balloons too.

Where is the link in the story to this part? Anyone?

Re:I don't get it (4, Funny)

bmac83 (869058) | more than 6 years ago | (#21299307)

Pay attention. You will be given a short string of characters that describes how to get from the prize to where you currently are, but from the directions it will be impossible to find your way back to the prize.

Re:I don't get it (4, Funny)

ajlitt (19055) | more than 6 years ago | (#21300533)

If you cannot comprehend the string, assume the party escort submission position. A party representative will arrive shortly to escort you to your prize and a party celebrating your reception of said prize. There will be cake.

Re:I don't get it (4, Insightful)

Lord Ender (156273) | more than 6 years ago | (#21299317)

If you can claim to be the author of the US government standard cryptographic hash, you get to charge pretty much whatever you want in consulting fees.

Re:I don't get it (0)

Chapter80 (926879) | more than 6 years ago | (#21300951)

If you can accurately claim to be the author of the US government standard cryptographic hash, you get to charge pretty much whatever you want in consulting fees.
There, I fixed it for ya.

Re:I don't get it (2, Funny)

click2005 (921437) | more than 6 years ago | (#21299587)

The cake is a lie
The cake is a lie
The cake is a lie
The cake is a lie

New Hash Algorithm Submission #1 (-1, Troll)

Anonymous Coward | more than 6 years ago | (#21299013)

1. Declare war on country X with a bogus slogan "War on ________________"
2. Announce FREEDOM and Capitalism are linked (please ignore China).
3. Repeat Step 2 as often as necessary for the domestic brain-dead.
4. Use invaded country for hash imports and cheap U.S. exports
5. Profit !
6. I win

Cheers,
George W. Bush [whitehouse.org]

Re:New Hash Algorithm Submission #1 (1)

Archangel Michael (180766) | more than 6 years ago | (#21299175)

Democratic version: Note, I'm l[L]ibertarian, and find the humor in parent post.

1. Declare war on Social Ill Y with a bogus slogan "_______ Crisis"
2. Announce increase in taxes and/or entitlement spending
3. Repeat 2 as often as necessary for the domestic brain dead.
4. Use to increase political power locally and abroad by showing how "enlightened" you are.
5. Profit!
6. We all lose.

Cheers,
Hillary Roddam C. [hillaryclinton.com]

Re:New Hash Algorithm Submission #1 (3, Insightful)

spun (1352) | more than 6 years ago | (#21299519)

As you've admitted to being a libertarian, I suppose I should make one for you, too:

1. Declare war on Big Government with bogus slogan "Let the free market fix __________"
2. Announce plans to decrease funding to social programs
3. Figure out that you have no one in any elected office in any country anywhere who can carry out 2.
4. Announce that someone who has never professed to be a libertarian but holds a few libertarian ideals, is in fact a libertarian. Do the same for historical figures, especially anarchists.
5. Make up bogus arguments about the magical free market that will never be put to any sort of test, due to 3., above.
6. Parrot back tired arguments that were disproved hundreds of years ago, back in the days of laissez-faire. Conveniently forget about child labor, horrid working conditions, rampant pollution, institutionalized racism, debt slavery, and any other facts that show unregulated free market capitalism destroys lives.
7. Cherry pick examples of deregulation and privatization, ignoring any cases that prove libertarian methods wrong.
8. Try to convince other libertarians to all move to the same state so you can remedy point 2.
9. Realize that convincing self-centered libertarians to do anything is like trying to herd cats.
10. The rest of us grow bored with your childish, self involved, "Nyah nyah, you're not the boss of me!" political stance and ignore you, as libertarians have never managed to do anything more than talk.

Wait, that's not funny, it's just sad.

Re:New Hash Algorithm Submission #1 (2, Interesting)

Archangel Michael (180766) | more than 6 years ago | (#21300199)

First off, Touche. I love a good ribbing ... :-D

1) Never been tried.
2) What's wrong with this?
3) Sad, isn't it?
4) Huh?
5) Again haven't been tried in a while
6) I actually believe in a GVMT role in some of these things
7) No Cherry Picking here
8) Whatever
9) Whatever
10) Too many people being (D) or (R) because of Fear and Fear.

Let's just deal with #1

Free Markets are easy to control. Corporate Charters are given by the GVMT, why aren't they revoked more often? Why aren't assets seized? Why aren't boards of directors arrested and charged for lack of proper stewardship?

Many of the problems seen in the free market aren't the fault of free markets; they are the fault of interference when it isn't needed, and non-interference when it is needed. Indeed, there hasn't really been a "free market" in 150 years or so. The closest we have right now is the Internet, and with Congress getting involved it's only going to ruin it.

We don't need more laws, we need more responsibility.

I have it! (1)

0100010001010011 (652467) | more than 6 years ago | (#21299079)

Jung qb V jva?

Re:I have it! (1)

treeves (963993) | more than 6 years ago | (#21299159)

You win nothing.

Re:I have it! (1)

sconeu (64226) | more than 6 years ago | (#21299225)

Lbh snvy vg!

Re:I have it! (1)

Nibbler999 (1101055) | more than 6 years ago | (#21299693)

Mod parent -1 Erqhaqnagn.

What would happen if... (1, Interesting)

caluml (551744) | more than 6 years ago | (#21299093)

What would happen if you wrote a program to randomly create algorithms? Most of them would be rubbish, but occasionally you'd hit gold. It must be possible for computers to create formulas that "add up" - i.e. that work?

Re:What would happen if... (4, Insightful)

SigILL (6475) | more than 6 years ago | (#21299161)

What would happen if you wrote a program to randomly create algorithms? Most of them would be rubbish, but occasionally you'd hit gold.

Yes, and you'd spend most of your time trying to prove those algorithms are any good. That's the hard part anyhow, coming up with new algorithms isn't.

Re:What would happen if... (1)

hey (83763) | more than 6 years ago | (#21299539)

Automate the testing (of the algorithms).

Re:What would happen if... (1)

xZgf6xHx2uhoAj9D (1160707) | more than 6 years ago | (#21300059)

I'll go out on a limb and say that if you were to come up with automated tests, those tests would show that SHA-1 is an absolutely glorious hashing algorithm, perfectly 100% without defects. In other words, your automated testing won't really have bought any more security.

Proving properties about algorithms is HARD. Writing an algorithm to prove properties about algorithms is HARDER. Unfortunately this idea still seems to pervade much of AI research, such as in machine learning: "well I'm not smart enough to solve this problem, but surely the AI I designed will be!" No. It won't. Whatever AI you create, it will be dumber than you are.

Yep (1)

Sycraft-fu (314770) | more than 6 years ago | (#21299565)

That's why you'll see even the authors of cryptosystems that lost to AES recommending AES. In some cases, the losers are theoretically more secure. However what they are not is more tested. AES is probably the most tested cryptosystem next to DES. As such, people are pretty sure there aren't any lurking holes.

Re:What would happen if... (1)

Urza9814 (883915) | more than 6 years ago | (#21299923)

...is there a limit on how many you can submit? :)

Re:What would happen if... (0)

Anonymous Coward | more than 6 years ago | (#21300453)

What would happen if you wrote a program to randomly create algorithms? Most of them would be rubbish, but occasionally you'd hit gold.

Yes, and you'd spend most of your time trying to prove those algorithms are any good. That's the hard part anyhow, coming up with new algorithms isn't.

That's simple enough to fix. Just make a program which attempts to randomly prove algorithms. Every so often it would get the proof right, and then you'd hit gold. :)

Re:What would happen if... (1)

sveard (1076275) | more than 6 years ago | (#21299257)

Wouldn't it take a very long time to create a decent algorithm? Like, for example, generating a random piece of music that was not only generated at random but also good to listen to? Or like generating random strings and combining the ones that aren't rubbish into crap, like a Harry Potter book or something?

Re:What would happen if... (0)

Anonymous Coward | more than 6 years ago | (#21299389)

This has already been done several times. The most popular approach is genetic programming [wikipedia.org] .

Re:What would happen if... (1)

springbox (853816) | more than 6 years ago | (#21299993)

That's the idea behind genetic algorithms [wikipedia.org] . Although the approach is a bit "smarter." Actually, I had the idea of making a hashing algorithm using a GA for the (second) time yesterday.

Re:What would happen if... (0)

Anonymous Coward | more than 6 years ago | (#21300091)

This already exists. There is a field within Machine Learning (a distinct branch of Artificial Intelligence) called Genetic Programming which is a kind of evolutionary algorithm that generates programs and promotes those that are the most successful at solving the given problem. It is related to the more well known Genetic Algorithms and has a few notable variants.

Re:What would happen if... (1)

Non-Huffable Kitten (1142561) | more than 6 years ago | (#21300309)

The problem is that it's impossible [wikipedia.org] to write a fixed algorithm that will decide whether the algorithm you generated computes a function with a given property (it's impossible for any non-trivial property). E.g. you can't even systematically decide whether or not the algorithm you generated will ever halt.

Re:What would happen if... (1)

SiliconEntity (448450) | more than 6 years ago | (#21300549)

> What would happen if you wrote a program to randomly create algorithms?

This brings up a few interesting facts. The vast majority of random functions (restricting to ones with the right input and output sizes) would make 100% perfect hash functions. In fact this is true virtually by definition. So in a way, finding a new hash function is easy - just pick one at random. (The same is true for encryption functions.)

However, there are two small problems. First, the vast majority of random functions take more room to implement than there are atoms in the universe. And they will take longer to execute than there have been nanoseconds since the beginning of time.

So the pick-a-random-function idea has a problem. This leads to plan B: pick a random function from among those that can be specified concisely, and which have reasonable running times. How well would that work?

That's an interesting question that I don't think anyone has an answer to. It's possible that this would work pretty well, and that virtually all of the resulting functions would be so clumpy and irregular and messy that (a) they could never be proven secure, but (b) they could never be found insecure via analytic attack. In other words, the sheer messiness of the functions might actually be a strength.

However it's also possible that this method would not work well and that most such random functions would be weak. It's well known that amateur-designed ciphers do not have a good track record, and they sometimes seem to use a similar methodology. ;-)

But even if it does work, it faces another problem. Hand-crafted hash functions from the experts have another desirable property: performance. They are fine-tuned to provide the best speed possible with the greatest strength possible. They are, in effect, works of art that balance two competing goals and attempt to find the perfect harmony between them. Random, kludgy, messy hash functions might work, they might even be reasonably fast, but the chances are very low that they will ever offer the exquisite combination of speed and strength that will be exhibited by the best of the candidate algorithms in this competition.

Re:What would happen if... (1)

BenBoy (615230) | more than 6 years ago | (#21300561)

Actually there are methods [wikipedia.org] of using computers to create new programs that do, in fact, involve a stochastic element (mutation and randomized mating (the latter if the computer has access to beer, I suppose)).

rot13 (2, Insightful)

kupesoft (1028532) | more than 6 years ago | (#21299293)

All right, the first to make a rot13 joke is going straight to hell.

Re:rot13 (1)

Skapare (16644) | more than 6 years ago | (#21300259)

Any rot13 joke is pointless. We all know rot13 is reversible. What hashing is all about is non-reversibility. That is, given some large string of content, produce a smaller string that cannot re-create the original content. So why not combine things: md5 -> triple-rot13

Re:rot13 (1)

cdrguru (88047) | more than 6 years ago | (#21300517)

MD5 is reversible. All you have to do is randomly generate every bit combination up to some maximum length until you have a matching MD5. There will be a number of collisions but these will not pass other tests on the content. It is therefore possible to reverse an MD5 hash value into the original data.

This would consume considerable finite time. Yes, considerable but finite.

Re:rot13 (1)

Daffy Duck (17350) | more than 6 years ago | (#21301009)

No, there can be collisions from multiple sources that do "pass other tests". The demonstrated vulnerability in MD5 was precisely that you can construct multiple meaningful pre-images that give the same hash value.

Elliptical Curve? (1)

graviplana (1160181) | more than 6 years ago | (#21299383)

It should probably be based on http://en.wikipedia.org/wiki/Elliptic_curve_cryptography [wikipedia.org] . Unless they want something that only they can break. :O

Re:Elliptical Curve? (1)

TechyImmigrant (175943) | more than 6 years ago | (#21299647)

> It should probably be based on http://en.wikipedia.org/wiki/Elliptic_curve_cryptography [wikipedia.org] . Unless they want something that only they can break. :O

That would be for signatures, not hashes.

Re:Elliptical Curve? (1)

Abcd1234 (188840) | more than 6 years ago | (#21299987)

It would also be heavily patent encumbered.

Argh. (1)

TechyImmigrant (175943) | more than 6 years ago | (#21299421)

I put a SHA-1 based KDF in 802.16 because NIST SP800-56 told me to.

Argh.

Re:Argh. (0)

Anonymous Coward | more than 6 years ago | (#21300619)

I assume that means you read this paragraph then...

> Note: Some domain parameters have been generated using SHA-1, and SHA-1 will be required during their validation. At some time in the future, it is expected that SHA-1 will no longer be an Approved hash function. However, if a set of domain parameters was successfully validated with SHA-1 while it was still an Approved hash function, then those domain parameters will continue to qualify as valid even after the use of SHA-1 is no longer Approved. In particular, this is true of the NIST Recommended Elliptic Curves.

Just use Identity... (1)

GeekDork (194851) | more than 6 years ago | (#21299497)

With hash values getting longer and longer, wouldn't it be more economic to just use Identity as the hashing function?

Here's your grain of salt...

Re:Just use Identity... (1)

tomstdenis (446163) | more than 6 years ago | (#21299603)

Actually I think we could use a short hash function, solely for the purpose of HMAC. Being one-way means we can use a primitive with more input than output (unlike CMAC). So I'd really like to see a 128-bit hash as well as [say] a 256-bit or 512 bit hash.

Personally I think anything over 256 is overkill. But that's just me...

Re:Just use Identity... (1)

TechyImmigrant (175943) | more than 6 years ago | (#21299697)

>Personally I think anything over 256 is overkill. But that's just me...

It's moot in certs. It's going to be padded out to 2048 bits anyway.

Re:Just use Identity... (1)

tomstdenis (446163) | more than 6 years ago | (#21300001)

You're not thinking of MACs though. Say I'm doing IPSEC with a 96-bit MAC, why would I waste the time and energy to compute a 256 or 512 bit hash just to throw away over half of the bits? Why not start with a 128-bit hash from the get go?

Also, even in the "256 vs 512" debate, sure you might pad up to 2048-bits when doing RSA signatures, but you're at least not wasting energy in computing the hash. Not every user of the hash standard will be on a 3GHz multi-pipelined [relative] super computer. Some will be on lowly 16MHz ARM or MIPS, or even trying to do the hash in hardware.

Tom

Re:Just use Identity... (1)

lgw (121541) | more than 6 years ago | (#21300031)

Take the first half of the 256-bit hash and you have a stronger 128-bit hash than a 128-bit hash using the same algorithm. The only point of a true 128-bit hash would be performance, but if you really care about crypto performance you do everything in hardware, and you might as well buy the 256-bit chip these days.

Re:Just use Identity... (1)

tomstdenis (446163) | more than 6 years ago | (#21300095)

Wrong?

The only reason 128-bit hashes are weak is because they're not conservatively designed. And in the case of a MAC (like what I was saying) collision resistance IS NOT IMPORTANT. Only one-wayness. I'm not proposing we invent a 128-bit hash for signatures. Only for HMAC'ing.

And no, not everything is magically efficient in hardware (hint: I work in a hardware/software crypto firm). A 128-bit circuit (with presumably fewer registers, temporaries, operations, etc) will consume less area and energy than a 256-bit circuit, that's just simple logic (sorry excuse the pun).

Re:Just use Identity... (1)

lgw (121541) | more than 6 years ago | (#21300451)

A 256-bit chip you can buy off-the-shelf is better than the 128-bit chip you can't, but then I guess that's why you want to see a 128-bit standard. But using a 256-bit chip and only taking half the bits would be just as strong.

Re:Just use Identity... (1)

Cairnarvon (901868) | more than 6 years ago | (#21300109)

> Take the first half of the 256-bit hash and you have a stronger 128-bit hash than a 128-bit hash using the same algorithm.

I hope you don't actually believe that.

Re:Just use Identity... (1)

lgw (121541) | more than 6 years ago | (#21300511)

If you disagree, you might explain why. In a good hash, each bit of the output equally "represents" all bits of the input. Taking the result of a large hash mod a smaller value, or just taking some of the bits, does not make a strong hash weaker.

If you have a weak hash, and all of the input bits don't participate in forming each output bit, of course you should first hash that output with a real hash algorithm before discarding bits.
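The truncated-MAC case tomstdenis and lgw are arguing about (a 96-bit IPsec tag cut from a 256-bit hash), as an added example that is not code from the thread. It uses Python's standard hmac and hashlib modules; the key and packet payload are constructed for the example, and the compression-call count assumes the Merkle-Damgard padding of the SHA-2 family.

```python
import hashlib
import hmac

# Constructed sample inputs for the example (not from the thread): a 256-bit
# authentication key and one packet payload.
KEY = bytes.fromhex("0b" * 32)
PAYLOAD = b"ESP payload: seq=1 src=10.0.0.1 dst=10.0.0.2 hello"


def truncated_hmac(key: bytes, msg: bytes, hash_name: str, out_bits: int) -> bytes:
    """HMAC with the full hash, keeping only the leftmost out_bits bits.

    This is the truncation RFC 2104 section 5 describes and IPsec uses
    (HMAC-SHA-256-96 keeps 96 of 256 bits): the whole hash still runs and
    the surplus bits are thrown away afterwards.
    """
    digest_bits = hashlib.new(hash_name).digest_size * 8
    if out_bits % 8 or not 0 < out_bits <= digest_bits:
        raise ValueError("out_bits must be a multiple of 8 no larger than the digest")
    return hmac.new(key, msg, hash_name).digest()[: out_bits // 8]


def verify_truncated_hmac(key: bytes, msg: bytes, tag: bytes,
                          hash_name: str, out_bits: int) -> bool:
    """Recompute and compare in constant time, so a wrong tag does not leak
    how many leading bytes matched."""
    expected = truncated_hmac(key, msg, hash_name, out_bits)
    return hmac.compare_digest(expected, tag)


def hmac_compression_calls(hash_name: str, msg_len: int) -> int:
    """Compression-function invocations HMAC spends on a msg_len-byte message
    with a key no longer than one block.

    Assumes Merkle-Damgard padding as in the SHA-2 family: a 0x80 byte, zeros,
    then an 8-byte length field for 64-byte blocks or a 16-byte one for
    128-byte blocks. The result does not depend on how many output bits are
    kept: truncating the tag saves nothing on the hashing side.
    """
    h = hashlib.new(hash_name)
    block = h.block_size
    length_field = 8 if block == 64 else 16

    def blocks_for(n: int) -> int:
        # ceil((n + 0x80 byte + length field) / block)
        return -(-(n + 1 + length_field) // block)

    inner = 1 + blocks_for(msg_len)        # (K xor ipad) block, then padded message
    outer = 1 + blocks_for(h.digest_size)  # (K xor opad) block, then padded inner digest
    return inner + outer


if __name__ == "__main__":
    tag96 = truncated_hmac(KEY, PAYLOAD, "sha256", 96)
    print("HMAC-SHA-256-96 tag:", tag96.hex())
    print("verifies:", verify_truncated_hmac(KEY, PAYLOAD, tag96, "sha256", 96))
    print("tampered payload verifies:",
          verify_truncated_hmac(KEY, PAYLOAD + b"!", tag96, "sha256", 96))
    for name in ("sha256", "sha512"):
        print(name, "compression calls for this packet:",
              hmac_compression_calls(name, len(PAYLOAD)))
```

The 96-bit tag is the first 12 bytes of the 256-bit one, so the comparison has to be done over the truncated value on both sides; the compression-call count is what a 128-bit-only primitive would actually shave off, and for a short packet it is four calls to the compression function either way.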

Re:Just use Identity... (2, Insightful)

marcello_dl (667940) | more than 6 years ago | (#21299621)

No.

Re:Just use Identity... (1)

secPM_MS (1081961) | more than 6 years ago | (#21300041)

Hashes are used directly in essentially all forms of signatures and integrity verifications, as you hash the data being represented and then sign or protect the hash value. HMACs are (or should be) used with strong keys for protecting the integrity of communications. As such, hashes should be fast and resistant to capable assault with massive computational resources. Given the birthday effect, collisions will occur when a message pool is ~ sqrt(hash size).

The attacks against SHA-1 have reduced the work of collision from 2^80 to 2^6i, where i is a small integer (such as 1, 2 or 3). The SHA2 family is adequately resistant against extant attacks, but given the similarities between SHA-1 and SHA-2, NIST is being wise in starting the design of a successor.

The constant paranoia about backdoors is misplaced here. If you can engineer in a backdoor, somebody else can reverse engineer it, and the Russians and Chinese have a lot of very good mathematicians. The NSA currently recommends the use of SHA-2 for governmental applications and can be expected to support the use of SHA-3 when it becomes available. They wouldn't be recommending its use if there were a backdoor that would allow compromise of signatures.
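Two claims above can be made concrete with a search on a deliberately shrunken hash: cdrguru's "enumerate inputs until the MD5 matches" reversal (and Daffy Duck's objection that what you get back is a preimage, not the message), and the birthday bound secPM_MS states, collisions at ~ sqrt(hash size). This is an added example, not code from the thread. It truncates SHA-256 to a handful of bits purely so the searches finish in seconds; the message it hashes is constructed for the example.

```python
import hashlib
import itertools
import math

# Constructed sample message for the example (not from the thread).
MESSAGE = b"Pay the bearer one hundred dollars."


def short_hash(data: bytes, bits: int) -> int:
    """SHA-256 truncated to its leftmost `bits` bits.

    The truncation only shrinks the output space so the searches below finish
    quickly; the work factors scale as 2^bits and 2^(bits/2) regardless of
    which hash sits underneath.
    """
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)


def find_preimage(target: int, bits: int, max_tries: int = 0):
    """The 'enumerate inputs until the hash matches' procedure.

    Returns (input, tries), or (None, tries) once max_tries is exceeded.
    Expected work is about 2^bits hashes, and what comes back is *a* preimage,
    not the original message: once inputs are longer than the digest, many
    inputs share every output, so nothing identifies the one that was hashed.
    """
    for tries in itertools.count(1):
        candidate = tries.to_bytes(8, "big")
        if short_hash(candidate, bits) == target:
            return candidate, tries
        if max_tries and tries >= max_tries:
            return None, tries


def find_collision(bits: int):
    """Birthday search: remember every output seen, stop at the first repeat.

    Returns (input_a, input_b, tries) with input_a != input_b hashing equal.
    Expected work is about sqrt(pi/2 * 2^bits), the square root of the
    output space, which is why an n-bit hash offers only n/2 bits of
    collision resistance.
    """
    seen = {}
    for tries in itertools.count(1):
        candidate = tries.to_bytes(8, "big")
        h = short_hash(candidate, bits)
        if h in seen:
            return seen[h], candidate, tries
        seen[h] = candidate


def expected_birthday_tries(bits: int) -> float:
    """Mean number of random draws before the first repeat among 2^bits values."""
    return math.sqrt(math.pi / 2 * 2 ** bits)


if __name__ == "__main__":
    bits = 24
    a, b, tries = find_collision(bits)
    print(f"{bits}-bit collision after {tries} hashes "
          f"(expected ~{expected_birthday_tries(bits):.0f}): {a.hex()} vs {b.hex()}")
    target = short_hash(MESSAGE, 16)
    pre, tries = find_preimage(target, 16)
    print(f"16-bit preimage after {tries} hashes: {pre!r}; original message? {pre == MESSAGE}")
```

The collision run on 24 bits finishes after a few thousand hashes, about the square root of the 2^24 output space, while the preimage run needs on the order of 2^bits even at 16 bits, and the input it returns is an 8-byte counter, not the 35-byte message that was hashed. Scale both exponents to 128 or 160 bits and "considerable but finite" stops being a useful description.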

Re:Just use Identity... (1)

Surt (22457) | more than 6 years ago | (#21299837)

A 1024 byte hash is not large compared to the gigabyte file it signs.

Re:Just use Identity... (1)

TechyImmigrant (175943) | more than 6 years ago | (#21299995)

I was thinking of the 1600 byte cert it forms the digest in.

YUOX FAIL IT? (-1, Troll)

Anonymous Coward | more than 6 years ago | (#21299743)

No doubt (1)

JustNiz (692889) | more than 6 years ago | (#21299751)

part of the reason for the long delay is to allow the CIA and NSA to evaluate all contenders for suitability of being crackable/backdoorable by them.

Re:No doubt (1)

Llywelyn (531070) | more than 6 years ago | (#21300069)

The NSA has approved AES for encrypting secret data (128+ bits) and top secret data (192+ bits). Unless they are playing a very deep denial and deception game, it stands to reason that they can't find a way through it either.

Cool! A Minnie Driver/Anne Hathaway love scene. (1)

Impy the Impiuos Imp (442658) | more than 6 years ago | (#21299759)

> This is in response to serious attacks reported in recent years against cryptographic hash algorithms, including SHA-1, and because SHA-1 and the SHA-2 family share a similar design. Submissions are being accepted through October 2008, and the competition timeline indicates that a winner will be announced in 2012

...to follow in early 2013 with a competition to develop SHA-4.

Re:Cool! A Minnie Driver/Anne Hathaway love scene. (1)

Detritus (11846) | more than 6 years ago | (#21300623)

> Who the f*** decided that sentences on the Internet shall no longer be formatted with two spaces after a period?!

The typewriter cabal.

Specs! (1)

Bromskloss (750445) | more than 6 years ago | (#21300015)

So, what requirements should a submission fulfill? I can't find them!

c0m (-1, Redundant)

Anonymous Coward | more than 6 years ago | (#21300159)

you are a scr3aming All along. *BSD

More ambiguity (0)

Anonymous Coward | more than 6 years ago | (#21300441)

Why add to the ambiguity? We already have SHA-1 (160 bits) and the SHA-2 family. A lot of people think that SHA-2 refers to just SHA-256, even though there is also a SHA-224. The SHA-2 family also includes SHA-384 and SHA-512. So now we will have this SHA-3, which will be confused with SHA-384 from the SHA-2 family. Why keep the SHA- prefix?