I continue to be impressed by the turnout at this workshop. There are lots of people here whom I haven't seen in a long time. It's like a cryptographers' family reunion.
The afternoon was devoted to cryptanalysis papers. Nothing earth-shattering; a lot of stuff that's real interesting to me and not very exciting to summarize.
The list of papers is here. NIST promises to put the actual papers online, but they make no promises as to when.
Right now there is a panel discussing how secure SHA-256 is. "How likely is SHA-256 to resist attack for the next ten years?" Some think it will be secure for that long, others think it will fall in five years or so. One person pointed out that if SHA-256 lasts ten years, it will be a world record for a hash function. The consensus is that any new hash function needs to last twenty years, though. It really seems unlikely that any hash function will last that long.
But the real issue is whether there will be any practical attacks. No one knows. Certainly there will be new cryptanalytic techniques developed, especially now that hash functions are a newly hot area for research. But will SHA-256 ever have an attack that's faster than 280?
Everyone thinks that SHA-1 with 160 rounds is a safer choice than SHA-256 truncated to 160 bits. The devil you know, I guess.
Niels Ferguson, in a comment from the floor, strongly suggested that NIST publish whatever analysis on SHA-256 it has. Since this is most likely by the NSA and classified, it would be a big deal. But I agree that it's essential for us to fully evaluate the hash function.
Tom Berson, in another comment, suggested that NIST not migrate to a single hash function, but certify multiple alternatives. This has the interesting side effect of forcing the algorithm agility issue. (We had this same debate regarding AES. Negatives are: 1) you're likely to have a system that is as strong as the weakest choice, and 2) industry will hate it.)
If there's a moral out of the first day of this workshop, it's that algorithm agility is an essential feature in any Internet protocol.
(Via Schneier on Security.)