The US government has launched a public competition to pick a new cryptographic hash algorithm that will become the new federal information processing standard.
The National Institute of Standards and Technology Tuesday expects the evaluation process to run a minimum of three years.
The algorithm is a highly complex math formula that can be used to create digital signatures and authenticate data to ensure it hasn’t been tampered with. The current NIST federal hash standards include variations of the Secure Hash Algorithm, SHA-1, SHA-2, SHA-256, SHA-384 and SHA-512. But because cryptographic researchers have reported serious attacks against these algorithms, NIST has decided to start what’s expected to be a long process to find a new hash standard by eliciting public comment and submissions.
NIST successfully carried out this type of evaluation process several years ago to find the replacement for the older Digital Encryption Standard, which after a lively global competition, ended with the selection of the now widely used Advanced Encryption Standard, today a federal government standard. At that time, peer review by crypto experts of the published AES played a strong role in determining the future federal standard for non-classified encryption. NIST is hoping for similar success as it opens the hunt for a new hash algorithm.
"As a first step in this process, NIST is looking for comments on its recently published draft minimum acceptability requirements, submission requirements, and evaluation criteria for candidate algorithms," said an NIST spokeswoman..
According to a statement in the Federal Register, the government’s official book of record, NIST Tuesday stated it is looking for "unclassified, publicly disclosed" algorithms that would be royalty-free and "capable of protecting sensitive government information well into the foreseeable future".
The tentative schedule mapped out by NIST for receiving and evaluating technical proposals commences with the plan to present the "draft minimum acceptability requirements, submission requirements, and evaluation criteria for candidate hash functions" during the RSA Conference in San Francisco and at other conferences later.
NIST wants to finalise this first part of the process by the autumn, and will then welcome submissions for a period of a year, following by review.
Public comments will then be taken until the end of 2009. At that point, depending on the number and quality of the submissions, NIST may either extend the length of the public comment period or otherwise invite discussion about them through public workshops to discuss candidate algorithms.