On the need for new hash functions

Bruce Schneier writes:
We also need "SHA2," whatever that will look like. And a design competition is the best way to get a SHA2. (Niels Ferguson pointed out that the AES process was the best cryptographic invention of the past decade.) Unfortunately, we're in no position to have an AES-like competition to replace SHA right now. We simply don't know enough about designing hash functions. What we need is research, random research all over the map. Designs beget analyses beget designs beget analyses.... Right now we need a bunch of mediocre hash function designs. We need a posse of hotshot graduate students breaking them and making names for themselves. We need new tricks and new tools. Hash functions are a hot area of research right now, but anything we can do to stoke that will pay off in the future.

I think Bruce is mostly right here. Certainly, none of the cryptographers I know feel comfortable enough to recommend a new function for general use. And unlike with block ciphers, we didn't have even a modest-sized pool of pre-existing algorithms that people felt were probably OK though not ideal (think IDEA, Blowfish, etc.) and that were in wide use. Part of the problem here is the common heritage of so many of our hash functions, and part of the problem is that the Wang attacks on SHA-1 took people by surprise, unlike with DES, where people had known it was aging for years and had had plenty of time to develop alternatives. Another part of the problem is that designing hashes wasn't very sexy. That's certainly changed, though.

