[ietf-dkim] Supporting alternate algorithms

Jon Callas jon at callas.org
Wed Feb 22 11:56:24 PST 2006 

On 20 Feb 2006, at 3:09 PM, Daniel Dreymann wrote:

> I concur. Last week I used the opportunity of the RSA conference to  
> conduct
> an informal survey with many of the world's best known  
> cryptographers. They
> have no evidence that SHA-256 is more than marginally better than  
> SHA-1. The
> consensus was that SHA-1 can still be used in the next few years,  
> and that
> when looking for a replacement we have to look beyond SHA-256.

Well, you didn't ask me, and I think I can arrogate my way into that  
set without causing Senate investigations into abuses of power. :-)  
On the other hand, I've been pretty vocal with my opinions, so  
information-theoretically, there would have been no information in  
asking me. Heck, when Russ said, "walk, don't run," he was quoting me.

It matters a lot on who you ask and what you ask them. Let me give an  
example. Last fall at the NIST hash bash, a respected hash designer  
said that if we tripled the number of rounds in SHA-1, we'd all feel  
much better about its security than we do about SHA-256.

I agree with this statement. I think it is a wise and subtle thing  
that says a lot about algorithm design and its challenges. On the  
other hand, it also misses a very important point. I got up and said  
that I agree completely, but --- SHA-1 has 80 bits of security. With  
an infinite number of rounds it will have only 80 bits of security.  
Does this mean that we think that SHA-256 has *less* than 80 bits of  
security? No one said they think that SHA-256 has less than 80 bits  
of security. I went on a limb and said that my guess from licking my  
finger and sticking it in the wind is that SHA-256 has 90-110 bits of  
security. (Today, I feel less good about the 110, but it's still not  
daft.) If you have to pick an algorithm *today*, then SHA-256 is your  
best choice. (Note that I said "best" and not "good." Part of  
understanding the mess we're in is understanding that "best" does not  
mean "good." Donn Parker has a great rant on why we all should stop  
talking about Best Practices.) This is the difference between a  
cryptographer who is an algorithm designer and a cryptographer who is  
an engineer. I'm an engineer. I have to choose something.

Okay, that consensus you described is something that I also agree  
completely with. SHA-1 is okay to use right now, and we need to look  
beyond SHA-256.

I also agree with the statement that you don't have to worry about  
crop failure because next year there will be a new growing season. It  
is a wise an beautiful statement --- and also utterly missing the  
point, if you happen to be caught in the intervening food shortage.

Engineering is the art and discipline of applying science and  
mathematics within constraints. These constraints include time,  
money, effort, and the laws of nature. When we engineers have to  
select a hash function, our non-daft options include SHA-1, SHA-256,  
SHA-512, Whirlpool, and even Tiger. The *best* solution is to  
parameterize the heck out of the protocol; allow SHA-1, encourage  
SHA-256, hope you don't have to go to SHA-512, and put in MAYs for  
Whirlpool, Tiger, and maybe other outré things slipping my mind so  
that we don't have to go to lots of trouble discussing them. And then  
we get on with our lives, and deal with the Godot Hash when it arrives.

There are many obvious tweaks to this strategy. Most of them have  
very good reasons for why you might want to make that tweak. But you  
get my gist.

	Jon

More information about the ietf-dkim mailing list