The National Institute of Standards and Technology (NIST) has finally chosen a successor to one of the most widely used computer security algorithms, following a five-year contest among the world’s leading cryptographers.
NIST hopes that the new algorithm will reassure those security experts who previously raised concerns over its existing Secure Hash Algorithm standard, although it admitted it could be several years before the newcomer is put to any meaningful use.
The winning algorithm, Keccak (pronounced “catch-ack”), was chosen from a field of 64 submissions to the Secure Hash Algorithm (SHA-3) Competition, and was announced at NIST’s headquarters in Gaithersburg, Maryland, on Tuesday. NIST’s algorithms are generally seen as the gold standard in the cryptography world: the winner of its previous competition, the Advanced Encryption Standard (AES), is now used by everyone from the NSA and Skype to the smallest of e-commerce stores.
NIST’s latest competition began back in 2007, shortly after fears were raised that the SHA-1 and SHA-2 algorithms could be cracked in the near future. Those fears followed a series of increasingly practical collision attacks on the MD5 hash algorithm and then on SHA-1, leading to worries that SHA-2, which shares the same design lineage, could succumb to a similar fate. In the end, the threat to SHA-2 never materialized, but by then NIST had gone so far down the road with SHA-3 that it saw the competition through to its finale anyway.
Following three years and several elimination rounds, NIST announced in 2010 that it had whittled the field down to just five candidates. In the final stage of the competition cryptographers carefully reviewed each of the remaining five, probing for weaknesses and any other issues that needed improvement, in a process that lasted another two years. NIST then announced Keccak, designed by a team comprising Guido Bertoni, Joan Daemen (a co-designer of AES), Gilles Van Assche and Michaël Peeters, as its overall winner.
NIST made the following statement when unveiling Keccak as its winner:
“Keccak was chosen over four other excellent finalists, for its elegant design, large security margin, good general performance, excellent efficiency in hardware implementations, and for its flexibility.”
“Keccak uses a new “sponge construction” chaining mode, based on a fixed permutation, that can readily be adjusted to trade generic security strength for throughput, and can generate larger or smaller hash outputs as required. The designers have also defined a modified chaining mode for Keccak that provides authenticated encryption.”
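The sponge construction NIST describes above, as an added example written for this page (illustrative code, not NIST’s or the Keccak team’s reference implementation): a compact Keccak-f[1600] permutation and a generic sponge whose capacity is a parameter, so one routine yields SHA3-256 and SHA3-512 (capacity traded against rate, i.e. bytes absorbed per permutation call), the competition-era Keccak-256 (which differs from SHA3-256 only in its padding byte), and the variable-length SHAKE128. The domain-separation suffixes 0x01/0x06/0x1F, the rotation offsets and round constants, and the cross-check against Python’s `hashlib` follow the final FIPS 202 standard, which postdates this article; the sample input in `matches_stdlib` is constructed for the example.

```python
"""Keccak / SHA-3 sponge in pure Python (added example; parameters per FIPS 202, not NIST's own code)."""
import hashlib  # only used to cross-check this toy implementation against the standard library

MASK64 = (1 << 64) - 1

# Iota round constants and rho rotation offsets (ROT[x][y]) from the Keccak specification.
RC = [
    0x0000000000000001, 0x0000000000008082, 0x800000000000808A, 0x8000000080008000,
    0x000000000000808B, 0x0000000080000001, 0x8000000080008081, 0x8000000000008009,
    0x000000000000008A, 0x0000000000000088, 0x0000000080008009, 0x000000008000000A,
    0x000000008000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003,
    0x8000000000008002, 0x8000000000000080, 0x000000000000800A, 0x800000008000000A,
    0x8000000080008081, 0x8000000000008080, 0x0000000080000001, 0x8000000080008008,
]
ROT = [
    [0, 36, 3, 41, 18],
    [1, 44, 10, 45, 2],
    [62, 6, 43, 15, 61],
    [28, 55, 25, 21, 56],
    [27, 20, 39, 8, 14],
]


def _rol64(v, n):
    return ((v << n) | (v >> (64 - n))) & MASK64


def keccak_f1600(lanes):
    """The fixed permutation: 24 rounds of theta, rho, pi, chi, iota on 25 64-bit lanes, index x + 5*y."""
    a = list(lanes)
    for rc in RC:
        # theta: xor each lane with the parity of two neighbouring columns
        c = [a[x] ^ a[x + 5] ^ a[x + 10] ^ a[x + 15] ^ a[x + 20] for x in range(5)]
        d = [c[(x - 1) % 5] ^ _rol64(c[(x + 1) % 5], 1) for x in range(5)]
        a = [a[i] ^ d[i % 5] for i in range(25)]
        # rho and pi: rotate each lane by its offset and move it to (y, 2x+3y)
        b = [0] * 25
        for x in range(5):
            for y in range(5):
                b[y + 5 * ((2 * x + 3 * y) % 5)] = _rol64(a[x + 5 * y], ROT[x][y])
        # chi: the only non-linear step, a[x] ^= ~a[x+1] & a[x+2] along each row
        a = [b[i] ^ (~b[(i % 5 + 1) % 5 + 5 * (i // 5)] & b[(i % 5 + 2) % 5 + 5 * (i // 5)])
             for i in range(25)]
        # iota: break symmetry between rounds
        a[0] ^= rc
    return a


def sponge(capacity_bits, data, suffix, out_len):
    """Generic sponge: absorb `data` at rate r = 1600 - c bits, then squeeze `out_len` bytes.
    `suffix` is the domain-separation byte placed before the pad10*1 padding
    (0x01 for the original Keccak, 0x06 for SHA-3, 0x1F for SHAKE)."""
    rate = (1600 - capacity_bits) // 8
    assert rate % 8 == 0 and 0 < rate < 200, "rate must be a whole number of lanes"
    state = [0] * 25
    msg = bytearray(data) + bytes([suffix])
    msg += bytes(-len(msg) % rate)      # zero-fill to a whole block ...
    msg[-1] |= 0x80                     # ... and set the final 1 bit of pad10*1
    for off in range(0, len(msg), rate):
        for i in range(rate // 8):      # xor the block into the outer (rate) part of the state
            state[i] ^= int.from_bytes(msg[off + 8 * i: off + 8 * i + 8], "little")
        state = keccak_f1600(state)
    out = bytearray()
    while True:                         # squeeze: read the rate part, permute, repeat as needed
        for i in range(rate // 8):
            out += state[i].to_bytes(8, "little")
        if len(out) >= out_len:
            return bytes(out[:out_len])
        state = keccak_f1600(state)


# Capacity c sets the generic security bound (about 2^(c/2) work); rate sets the throughput.
def sha3_256(data):
    return sponge(512, data, 0x06, 32)           # c = 512, 136 bytes per permutation call


def sha3_512(data):
    return sponge(1024, data, 0x06, 64)          # c = 1024, only 72 bytes per permutation call


def keccak_256(data):
    return sponge(512, data, 0x01, 32)           # competition-era padding: differs only in the suffix


def shake128(data, out_len):
    return sponge(256, data, 0x1F, out_len)      # XOF: any output length from the same state


def bytes_per_permutation(capacity_bits):
    """Throughput measure: message bytes absorbed per call to the 1600-bit permutation."""
    return (1600 - capacity_bits) // 8


def matches_stdlib(data=b"constructed sample input, long enough to span several rate blocks " * 4):
    """Cross-check multi-block absorb and multi-block squeeze against hashlib."""
    return (sha3_256(data) == hashlib.sha3_256(data).digest()
            and sha3_512(data) == hashlib.sha3_512(data).digest()
            and shake128(data, 300) == hashlib.shake_128(data).digest(300))


if __name__ == "__main__":
    print("SHA3-256('')  ", sha3_256(b"").hex())
    print("Keccak-256('')", keccak_256(b"").hex())
    print("SHAKE128('abc', 16)", shake128(b"abc", 16).hex())
    print("matches hashlib:", matches_stdlib())
```

The trade-off NIST mentions is visible in the two SHA-3 wrappers: moving from SHA3-256 to SHA3-512 doubles the capacity and therefore the generic security bound, but almost halves the bytes absorbed per permutation call (136 versus 72), and the same absorb/squeeze loop serves SHAKE128, whose shorter outputs are prefixes of its longer ones.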
Tim Polk, a leading security expert at NIST, said in a statement that Keccak’s chief value lies in how different it is from SHA-2: because it is not a derivative of that design, an attack that breaks SHA-2 is unlikely to carry over to Keccak:
“Keccak has the added advantage of not being vulnerable in the same ways SHA-2 might be. An attack that could work on SHA-2 most likely would not work on Keccak because the two algorithms are designed so differently.”
However, Polk admitted that it could still be some time before SHA-3 is widely used by the computer security industry, as SHA-2 is still considered secure at this juncture.
Indeed, even Bruce Schneier, one of the authors of losing finalist Skein, said in a recent blog post that there was no need for SHA-3 at this point in time, adding that he was hoping no winner would be chosen:
“It’s not that the new hash functions aren’t any good, it’s that we don’t really need one. When we started this process back in 2006, it looked as if we would be needing a new hash function soon. The SHA family (which is really part of the MD4 and MD5 family), was under increasing pressure from new types of cryptanalysis. We didn’t know how long the various SHA-2 variants would remain secure. But it’s 2012, and SHA-512 is still looking good.”
Another issue likely to hold back the adoption of Keccak is that engineers maintaining systems that depend on cryptography are reluctant to replace a primitive that has no known flaws. As a result, it could be some years before the new algorithm becomes widely used.
Even so, Polk insisted that SHA-3 had an important role to play in the future:
“The Internet as we know it is expanding to link devices that many people do not ordinarily think of as being part of a network. SHA-3 provides a new security tool for system and protocol designers, and that may create opportunities for security in networks that did not exist before.”