Cryptographic hash functions are very important for cryptographic protocols. When used with signature schemes, their role is to reduce the amount of data which must be signed [Pre93] and to break up any properties such as multiplicative homomorphism which might be exploited by an opponent [And93]. In short, they need to be both efficient and secure; and in most commercial applications, they need to run quickly in software on all the common hardware platforms.
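As an added illustration of the second role mentioned above (this is not code from the paper): textbook RSA with constructed toy parameters is multiplicatively homomorphic, so two raw signatures multiply into a valid signature on the product of the two messages, whereas hashing the message before signing (SHA-256 is used here only as a stand-in for any hash function) removes that relation. Key sizes and messages are constructed for illustration.

```python
import hashlib

# Constructed toy RSA parameters (far too small for real use; illustration only).
P, Q = 1000003, 1000033
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent


def sign_raw(m: int) -> int:
    """Textbook RSA signature on the raw integer m (no hashing)."""
    return pow(m, D, N)


def verify_raw(m: int, s: int) -> bool:
    return pow(s, E, N) == m % N


def hash_to_int(msg: bytes) -> int:
    """Hash-then-sign: map the message to an integer below N via SHA-256."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def sign_hashed(msg: bytes) -> int:
    return pow(hash_to_int(msg), D, N)


def verify_hashed(msg: bytes, s: int) -> bool:
    return pow(s, E, N) == hash_to_int(msg)


def raw_scheme_is_homomorphic(m1: int, m2: int) -> bool:
    """True if the product of two raw signatures verifies for the product of the messages.

    sign_raw(m1) * sign_raw(m2) = m1^d * m2^d = (m1 * m2)^d (mod N), so it always does.
    """
    s12 = (sign_raw(m1) * sign_raw(m2)) % N
    return verify_raw((m1 * m2) % N, s12)


def hashed_scheme_is_homomorphic(msg1: bytes, msg2: bytes) -> bool:
    """Same check for hash-then-sign, taking the concatenation as the combined message.

    The product of the two signatures is still a raw signature on H(msg1) * H(msg2) mod N,
    but no message is known whose hash equals that value, so verification fails.
    """
    s12 = (sign_hashed(msg1) * sign_hashed(msg2)) % N
    return verify_hashed(msg1 + msg2, s12)
```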
Some hash functions are based on feedforward modes of block ciphers [Pre93], but the main contenders have been the functions based on MD4 [Riv90], which include MD5 [Riv92], RIPE-MD [RACE95], SHA [NIST92] and SHA-1 [NIST95]. Another family was Snefru, and its derivative Snefru-8 [Mer90].
However, collisions for Snefru were found in 1990 [BS91] [BS93], and recently a collision of MD4 has also been found [Dob95]. These attacks cast doubt on the security of the other members of these families. One may only speculate at how long each function will remain unbroken; however, it seems prudent to start work now on replacements.
From the performance point of view, all the functions mentioned above were designed for 32-bit processors. The next generation of processors has 64-bit words, and includes the DEC Alpha series as well as forthcoming processors from Intel, HP and IBM. It seems reasonable to assume that, with the exception of microcontrollers used in embedded applications, the majority of systems will use 64-bit processors within five years or so. However, on such processors, the above families of hash functions cannot be implemented efficiently.
For example, the MD family uses many 32-bit rotations and additions, so a 64-bit register can only handle one 32-bit value at a time, which decreases the potential speed by a factor of about two. Moreover, the Alpha architecture does not have any rotation operations, whether 64-bit or 32-bit.
From these considerations, we believe that a next generation hash function: