[Federal Register Volume 72, Number 14 (Tuesday, January 23, 2007)]
[Notices]
[Pages 2861-2863]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: E7-927]


-----------------------------------------------------------------------

DEPARTMENT OF COMMERCE

National Institute of Standards and Technology

[Docket No.: 061213336-6336-01]


Announcing the Development of New Hash Algorithm(s) for the 
Revision of Federal Information Processing Standard (FIPS) 180-2, 
Secure Hash Standard

AGENCY: National Institute of Standards and Technology, Commerce.

ACTION: Notice and request for comments.

-----------------------------------------------------------------------

SUMMARY: A process to develop and standardize one or more new hash 
algorithms \\ to augment and revise FIPS 180-2, Secure Hash Standard, 
is being initiated by the National Institute of Standards and 
Technology (NIST). As a first step in this process, NIST is publishing 
draft minimum acceptability requirements, submission requirements, and 
evaluation criteria for candidate algorithms to solicit public comment. 
It is intended that the revised hash function standard will specify one 
or more additional unclassified, publicly disclosed hash algorithms 
that are available royalty-free worldwide, and are capable of 
protecting sensitive government information well into the foreseeable 
future.
---------------------------------------------------------------------------

    \1\ In this announcement, the term ``has function'' and ``hash 
algorithm'' are used interchangeably.
---------------------------------------------------------------------------

    The purpose of this notice is to solicit comments on the draft 
minimum acceptability requirements, submission requirements, and 
evaluation criteria of candidate algorithms from the public, the 
cryptographic community, academic/research communities, manufacturers, 
voluntary standards organizations, and Federal, state, and local 
government organizations so that their needs can be considered in the 
process of developing the augmented and revised hash function standard.

DATES: Comments must be received on or before April 27, 2007.

ADDRESSES: Written comments should be sent to Mr. William Burr, Attn: 
Hash Algorithm Requirements and Evaluation Criteria, National Institute 
of Standards and Technology, 100 Bureau Drive, Stop 8930, Gaithersburg, 
MD 20899-8930.
    Electronic comments should be sent to [email protected] with a 
subject line of ``Hash Algorithm Requirements and Evaluation 
Criteria''.
    Comments received in response to this notice will be made part of 
the public record and will be available for inspection on the Web site: 
http://www.nist.gov/hash-function.

[[Page 2862]]


FOR FURTHER INFORMATION CONTACT: For general information, contact: Shu-
jen Chang, National Institute of Standards and Technology, Stop 8930, 
Gaithersburg, MD 20899-8930; telephone 301-975-2940 or via fax at 301-
975-8670.
    Technical inquiries regarding the proposed draft acceptability 
requirements, submission requirements, and evaluation criteria should 
be sent electronically to [email protected], or addressed to 
William Burr, National Institute of Standards and Technology, Stop 
8930, Gaithersburg, MD 20899-8930; telephone 301-975-2914 or via fax at 
301-975-8670 (Attn: Hash Algorithm Requirements and Evaluation 
Criteria). Answers to germane questions will be posted at http://www.nist.gov/hash-function. Questions and answers that are not 
pertinent to this announcement may not be posted.
    NIST will endeavor to answer all questions in a timely manner.

SUPPLEMENTARY INFORMATION: A hash function takes binary data, called 
the message, and produces a condensed representation, called the 
message digest. A cryptographic hash function is a hash function that 
is designed to achieve certain security properties. The Federal 
Information Processing Standard 180-2, Secure Hash Standard specifies 
algorithms for computing four cryptographic hash functions--SHA-1, SHA-
256, SHA-384, and SHA-512. FIPS 180-2 was issued in August, 2002, 
superseding FIPS 180-1.
    In recent years, several of the non-NIST approved cryptographic 
hash functions have been successfully attacked, and serious attacks 
have been published against SHA-1. In response, NIST held two public 
workshops on cryptographic hash functions, on Oct. 31-Nov. 1, 2005 and 
Aug. 24-25, 2006, to assess the status of its approved hash functions 
and to solicit public input on its cryptographic hash function policy 
and standard. As a result of these workshops, NIST has decided to 
develop one or more additional hash functions through a public 
competition, similar to the development process for the Advanced 
Encryption Standard (AES).
    To begin the competition process, NIST has drafted the following 
minimum acceptability requirements, submission requirements, and 
evaluation criteria for candidate algorithms. NIST seeks comments on 
these draft minimum acceptability requirements, submission 
requirements, and evaluation criteria, as well as suggestions for other 
criteria and for the relative importance of each individual criterion 
in the evaluation process. Since neither the submission requirements 
nor the evaluation criteria have been finalized, and may evolve over 
time as a result of the public comments that NIST receives, candidate 
algorithms should NOT be submitted at this time.

    Authority: This work is being initiated pursuant to NIST's 
responsibilities under the Federal Information Security Management 
Act (FISMA) of 2002, Public Law 107-347.

A. Proposed Draft Minimum Acceptability Requirements for Candidate 
Algorithms

    The draft minimum acceptability requirements for candidate hash 
algorithms are:
    A.1 The algorithm must be publicly disclosed and available on a 
worldwide, non-exclusive, royalty-free basis.
    A.2 The algorithm must be implementable in a wide range of hardware 
and software platforms.
    A.3 The algorithm must support 224, 256, 384, and 512-bit message 
digests, and must support a maximum message length of at least 264 
bits.

B. Proposed Draft Submission Requirements

    In order to provide for an orderly, fair, and timely evaluation of 
candidate algorithms, submission requirements will specify the 
procedures and supporting documentation necessary to submit a candidate 
algorithm. The submission package must include the following:
    B.1 A complete written specification of the algorithm, including 
any applicable mathematical equations, tables, and parameters that are 
needed to implement the algorithm. The documentation must include 
design rationale; an explanation for all the important design 
decisions; any security argument that is applicable, such as a security 
reduction proof; and a preliminary analysis, such as possible attack 
scenarios for collision-finding, second-preimage-finding, or any 
cryptographic attacks that have been considered and their results.
    In addition, the documentation should suggest one or more 
parameters of the algorithm that can be modified, or suggest other 
modification techniques, to enhance the security of the design. A 
supporting rationale should also be provided. For example, for SHA-1 
the number of rounds is a natural parameter to modify to increase the 
security of the design.
    B.2 An ANSI C source language reference implementation and an 
optimized implementation. The optimized code will be used to compare 
software performance and memory requirements to the implementations of 
other submitted algorithms.
    B.3 A statement of the estimated computational efficiency and 
memory requirements in hardware and software across a variety of 
platforms, including 8-, 32-, and 64-bit platforms.
    B.4 A hashing example that maps a specified message into its 
message digest.
    B.5 A statement of issued or pending patents that the submitter 
believes may be infringed by implementations of this algorithm.
    B.6 A statement of advantages and limitations of the submitted 
algorithm. If the submitter believes that the algorithm has certain 
advantageous features, then these should be listed and described, along 
with supporting rationale.
    Should NIST later decide to add such features to the evaluation 
criteria, submitters of candidate algorithms may be asked to provide 
additional information with respect to these new criteria.

(End of draft submission requirements)

C. Proposed Draft Evaluation Criteria of Candidate Algorithms

    Candidate algorithms that meet the minimum acceptability 
requirements and the submission requirements will be compared, based on 
the following factors:
     Security,
     Computational efficiency,
     Memory requirements,
     Hardware and software suitability,
     Simplicity,
     Flexibility, and
     Licensing requirements.
    With the exception of self-explanatory items in the above list, 
these evaluation criteria are described below.

C.1 Security

    Algorithms will be judged on the following factors:
     The actual security provided by the algorithm as compared 
to other submitted algorithms (of the same hash length), including (but 
not limited to) first and second preimage resistance, collision 
resistance, and resistance to generic attacks (e.g., length extension).
     The extent to which the algorithm output is 
indistinguishable from a random oracle.
     The soundness of the mathematical basis for the 
algorithm's security.
     Other security factors raised by the public during the 
evaluation process, including any attacks which demonstrate that the 
actual security of the algorithm is less than the strength claimed by 
the submitter.

[[Page 2863]]

    Claimed attacks will be evaluated for practicality.

C.2 Cost

    C.2.1 Computational efficiency: The evaluation of computational 
efficiency will be applicable to both hardware and software 
implementations.
    Computational efficiency essentially refers to the throughput of an 
implementation. NIST will use the optimized software of each submission 
(discussed in B.2 above) on a variety of platforms and analyze their 
computation efficiency for a variety of message lengths. The data in 
the submission packages and any public comments on computational 
efficiency will also be taken into consideration.
    C.2.2 Memory requirements: The memory required for hardware and 
software implementations of the candidate algorithm will be considered 
during the evaluation process.
    Memory requirements will include such factors as gate counts for 
hardware implementations, and code size and RAM requirements for 
software implementations.
    NIST will use the optimized software of each submission (discussed 
in B.2 above) on a variety of platforms and test their memory 
requirements for a variety of message lengths. The data in the 
submission packages and any public comments on memory requirements will 
also be taken into consideration.

C.3 Algorithm and Implementation Characteristics

    C.3.1 Flexibility: Candidate algorithms with greater flexibility 
that meet the needs of more users are preferable. Some examples of 
``flexibility'' include (but are not limited to) the following:
    i. The algorithm is parameterizable, e.g. can accommodate 
additional rounds.
    ii. Implementations of the algorithm can be parallelized to achieve 
higher performance efficiency.
    iii. The algorithm can be implemented securely and efficiently in a 
wide variety of platforms, including constrained environments such as 
smart cards.
    C.3.2 Simplicity: A candidate algorithm will be judged according to 
relative simplicity of design.

    Dated: January 16, 2007.
James E. Hill,
Acting Deputy Director.
 [FR Doc. E7-927 Filed 1-22-07; 8:45 am]
BILLING CODE 3510-CN-P