At 6:44 PM +0200 5/25/09, Romascanu, Dan (Dan) wrote:
> From an operational perspective, my major concern would be whether
> specification of additional digest algorithms could be expected once
> the new NIST digest algorithm is chosen in the not-too-distant future.

The date of release of SHA-3 (aka AHS) is unknown. NIST has a roadmap with a
timetable in it, but those are goals, not commitments of any sort.

> While it's hard to fault the authors for not providing guidance relating to
> a not-yet-chosen algorithm, much of the motivation for deployment of
> algorithms such as SHA-256 relates to a desire to address weaknesses
> found in SHA-1. Given that it is possible that NIST will choose algorithm(s)
> from another family, one wonders whether the additional digest algorithms
> specified in this document will end up being more than a temporary
> measure.

That is far from clear. NIST could, for example, choose a hash function that
sucks on one axis in exchange for it being provably wonderful on another, and
that would have a big effect on whether people would use the new algorithms in
different protocols.

Part of the purpose of the hash competition is to increase the crypto
community's understanding of hashes in general, not just coming up with a new
one. It is quite likely that the outcome of that is a greater understanding of
SHA-2, and therefore a greater understanding of its expected lifetime. Right
now, all of this is hand-waving.