This morning we heard a variety of talks about hash function design. All are esoteric and interesting, and too subtle to summarize here. Hopefully the papers will be online soon; keep checking the conference website.
Lots of interesting ideas, but no real discussion about trade-offs. But it's the trade-offs that are important. It's easy to design a good hash function, given no performance constraints. But we need to trade off performance with security. When confronted with a clever idea, like Ron Rivest's dithering trick, we need to decide if this a good use of time. The question is not whether we should use dithering. The question is whether dithering is the best thing we can do with (I'm making these numbers up) a 20% performance degradation. Is dithering better than adding 20% more rounds? This is the kind of analysis we did when designing Twofish, and it's the correct analysis here as well.
Bart Preneel pointed out the obvious: if SHA-1 had double the number of rounds, this workshop wouldn't be happening. If MD5 had double the number of rounds, that hash function would still be secure. Maybe we've just been too optimistic about how strong hash functions are.
The other thing we need to be doing is providing answers to developers. It's not enough to express concern about SHA-256, or wonder how much better the attacks on SHA-1 will become. Developers need to know what hash function to use in their designs. They need an answer today. (SHA-256 is what I tell people.) They'll need an answer in a year. They'll need an answer in four years. Maybe the answers will be the same, and maybe they'll be different. But if we don't give them answers, they'll make something up. They won't wait for us.
And while it's true that we don't have any real theory of hash functions, and it's true that anything we choose will be based partly on faith, we have no choice but to choose.
And finally, I think we need to stimulate research more. Whether it's a competition or a series of conferences, we need new ideas for design and analysis. Designs beget analyses beget designs beget analyses.... We need a whole bunch of new hash functions to beat up; that's how we'll learn to design better ones.
(Via Schneier on Security.)