NIST prepares to hash out new standard

Invites public input in upgrading cryptographic algorithm.

The National Institute of Standards and Technology will conduct a public competition to select new hashing algorithms for the Federal Information Processing Standard.


The agency in January published for public comment a draft of minimum requirements for candidates for the new standard, along with guidelines for submission and evaluation criteria. They are available at www.nist.gov/hash-function. NIST hopes to have the new standard in place by 2012.


The new standard would replace the current FIPS-180-2, which now specifies several versions of the Secure Hash Algorithm, SHA-1; and SHA-224, SHA-256, SHA-384 and SHA-512, known collectively as SHA-2. The decision to upgrade the standard comes in the wake of successful attacks developed against some unrelated algorithms, as well as a partial compromise of SHA-1.


A hashing algorithm is a cryptographic formula for generating a unique, fixed-length numerical digest, or hash, of a message. Because the contents of the message cannot be derived from the digest and because the digest is (to a high degree of probability) unique for each message, the hash can be used to securely confirm that a document has not been altered. This can be used to effectively “sign” an electronic document and link the signature to the contents.


FIPS-180-2 was issued in 2002 and is scheduled for a routine review of its functionality and security this year and again in 2012. NIST started the upgrade process prior to the review because of reports in 2005 that researchers had discovered weaknesses in some algorithms. In response, NIST hosted two public workshops on cryptographic hash functions in 2005 and 2006. Although SHA-2 has not been compromised, its algorithms are similar to those of SHA-1 and could prove susceptible to future attacks. In the meantime, the agency last year advised federal users to migrate away from use of SHA-1 as quickly as possible and no later than by 2010, except for limited functions.


The numerical suffixes in the SHA algorithms refer to the length of the digest produced by each algorithm. SHA-1 has a 160-bit digest length. The longer the digest, the more likely it is to be unique to a given message.


The National Security Agency developed the SHA algorithms now recognized in the federal standard. Selection of a new standard will follow the process used by NIST in developing the Advanced Encryption Standard (FIPS-140-2). Rather than rely on a proprietary algorithm developed in-house, NIST will consider only formulas that already have been publicly disclosed, on the assumption that public scrutiny by the cryptographic research community will result in a more rigorous evaluation process and a more robust product.


The technical requirements proposed for submitted algorithms are minimal. They must:


  • Be publicly disclosed and available without a royalty
  • Be capable of being implemented in a wide range of hardware and software platforms
  • Support 224-, 256-, 384- and 512-bit message digests.


Comments on the draft requirements are due by April 27. Additional information is available from Shujen Chang at NIST, Stop 8930, Gaithersburg, MD 20899, (301) 975-2940; or at www. nist.gov/hash-function.


Written comments should be mailed to William Burr, attn: Hash Algorithm Requirements and Evaluation Criteria, NIST, 100 Bureau Drive, Stop 8930, Gaithersburg, MD 20899, or e-mailed to hash-function @nist.gov with “Hash Algorithm Requirements and Evaluation Criteria” in the subject line.


A tentative timeline for the process calls for submissions of algorithms to be made by the third calendar quarter of 2008 and selection of the first round of candidates the following quarter. The final round of evaluations would begin in the second quarter of 2010, with a final decision in the third quarter of 2012. The process would include several public workshops.