I know NIST called for contenders (in 2007) regarding the new hash algorithm to replace SHA-2. Has there been a selection, or finalists selected?
1 Answer
Keccak was selected by NIST on October 2, 2012 as the winner of the contest. It is widely seen as a suitable alternative to SHA-2, because the design is so different from most previous hash standards that even if SHA-2 is broken, confidence in Keccak should be relatively unaffected. It is also very fast and simple to implement in hardware.
NIST and most other observers also have renewed confidence in SHA-2 based on the experience gained since the attacks on SHA-1 and MD5 came to light. So we now have an opportunity to incorporate both standards as options in the various security protocols, which allows us to pivot quickly if problems are discovered in either one, and to select one of the two algorithms based on their suitability for the intended use cases.
In December of 2010, NIST selected the five SHA-3 finalists that advanced to Round 3, citing the following reasons in their Status Report on the Second Round:
- BLAKE: high security margin, good performance in software, and its simple and clear design.
- Grøstl: well-understood design and solid performance, especially in hardware.
- JH: solid security margin, good all-around performance, and innovative design.
- Keccak: high security margin, its high throughput and throughput-to-area ratio, and the simplicity of its design.
- Skein: high security margin and speed in software.
The initial hope was that a new hash could be found that was significantly more efficient than SHA-2, but achieving that with a high security margin has proved to be difficult. Some candidates are significantly faster than SHA-2, but that varies by platform (32-bit vs 64-bit vs "constrained" vs custom hardware).
Comparative Performance Review of the SHA-3 Second-Round Candidates (by our own @Thomas Pornin) focuses on embedded low power platforms where performance can actually be a bottleneck. Of the Round 3 candidates, BLAKE and Skein do best on such platforms.
More info:
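The answer's point about carrying both SHA-2 and SHA-3 as options in a protocol is hash agility: the digest names its own algorithm, the verifier accepts a configurable set, and retiring one family is a policy change rather than a format change. The following is an added illustration, not code from the answer or from NIST; it uses Python's standard `hashlib` (which exposes Keccak-based SHA3-256 from Python 3.6 on) and checks itself against the published FIPS 180-4 / FIPS 202 test vectors for the empty message and `"abc"`. The `sha-256`/`sha3-256` labels and the `agile_digest`/`verify_digest` helper names are this example's own choices.

```python
import hashlib
import hmac

# Registry of the two families. A deployment that can negotiate or be
# configured with either one can pivot if a break is found in one of them.
HASH_ALGORITHMS = {
    "sha-256": hashlib.sha256,     # SHA-2 family (FIPS 180-4)
    "sha3-256": hashlib.sha3_256,  # Keccak-based SHA-3 (FIPS 202)
}


def agile_digest(algorithm: str, data: bytes) -> str:
    """Return a self-describing digest 'alg:hex' so the receiver knows which
    function to verify with instead of assuming a single family."""
    try:
        ctor = HASH_ALGORITHMS[algorithm]
    except KeyError:
        raise ValueError(f"unsupported hash algorithm: {algorithm}") from None
    return f"{algorithm}:{ctor(data).hexdigest()}"


def verify_digest(tagged: str, data: bytes,
                  allowed=frozenset(HASH_ALGORITHMS)) -> bool:
    """Verify data against an 'alg:hex' digest.

    `allowed` is the operator's policy: shrinking it retires a family without
    changing the message format. Unknown or disallowed algorithms fail closed.
    """
    algorithm, sep, expected = tagged.partition(":")
    if not sep or algorithm not in allowed or algorithm not in HASH_ALGORITHMS:
        return False
    actual = HASH_ALGORITHMS[algorithm](data).hexdigest()
    # Constant-time comparison so a verifier does not leak how many leading
    # hex digits of a guessed digest matched.
    return hmac.compare_digest(actual, expected)


# Published known-answer vectors for both families (empty message and "abc").
KNOWN_ANSWERS = {
    ("sha-256", b""):
        "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    ("sha-256", b"abc"):
        "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
    ("sha3-256", b""):
        "a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a",
    ("sha3-256", b"abc"):
        "3a985da74fe225b2045c172d6bd390bd855f086e3e9d525b46bfe24511431532",
}


def self_test() -> bool:
    """True if both backends reproduce the published test vectors."""
    return all(agile_digest(alg, msg) == f"{alg}:{hexd}"
               for (alg, msg), hexd in KNOWN_ANSWERS.items())


if __name__ == "__main__":
    print("known-answer test:", "ok" if self_test() else "FAILED")
    tag = agile_digest("sha3-256", b"abc")
    print(tag)
    print("verifies:", verify_digest(tag, b"abc"))
    print("verifies after SHA-2 retired:",
          verify_digest(agile_digest("sha-256", b"abc"), b"abc",
                        allowed=frozenset({"sha3-256"})))
```

The self-test matters in practice: if a platform's `hashlib` is backed by a different library build, the known-answer check catches a mismatched or missing SHA-3 backend before any digest is trusted.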
Update: I have modified my library of hash functions (sphlib) for the tweaks incorporated in the five finalists. The source archive contains an update note with new benchmark; see http://www.saphir2.com/sphlib/ . The main point: on "small" 32-bit architectures (ARM, MIPS, Java on a 32-bit x86), SHA-256 outperforms all five SHA-3 candidates. Which is kind of sad. – Thomas Pornin Jul 22 '11 at 21:02
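The comment's finding (SHA-256 beating the finalists on small 32-bit cores) is platform-specific, which is why the answer stresses measuring on the target rather than trusting a single number. As an added example, not sphlib and not the commenter's code, here is a small harness that measures SHA-256 against SHA3-256 from Python's `hashlib` for both bulk data and short messages, using best-of-N timing to reduce scheduler noise. The buffer sizes, round counts and the `throughput_mib_s`/`compare_families` names are this example's own.

```python
import hashlib
import os
import time


def throughput_mib_s(name: str, data: bytes, rounds: int = 20) -> float:
    """Best-of-`rounds` throughput in MiB/s for hashlib constructor `name`.

    Best-of rather than mean: the minimum is the least contaminated by
    interrupts and scheduling, which is what a per-platform comparison wants.
    """
    ctor = getattr(hashlib, name)
    best = float("inf")
    for _ in range(rounds):
        start = time.perf_counter()
        ctor(data).digest()
        best = min(best, time.perf_counter() - start)
    return len(data) / best / (1024 * 1024)


def compare_families(sizes=(64, 1 << 20), rounds: int = 20,
                     names=("sha256", "sha3_256")) -> dict:
    """Return {size: {name: MiB/s}} for a constructed random input per size.

    64 bytes exposes per-call overhead (padding, finalisation); 1 MiB exposes
    the steady-state compression/permutation rate.
    """
    results = {}
    for size in sizes:
        data = os.urandom(size)  # constructed benchmark input
        results[size] = {n: throughput_mib_s(n, data, rounds) for n in names}
    return results


def faster_family(results: dict) -> dict:
    """Map each size to the name with the higher measured throughput."""
    return {size: max(by_name, key=by_name.get)
            for size, by_name in results.items()}


if __name__ == "__main__":
    res = compare_families()
    for size, by_name in res.items():
        line = ", ".join(f"{n}: {mibs:8.1f} MiB/s" for n, mibs in by_name.items())
        print(f"{size:>8} B  {line}")
    print("faster per size:", faster_family(res))
```

Read the output as a property of this machine and this `hashlib` build, not of the algorithms: on a modern 64-bit CPU `hashlib` is usually backed by OpenSSL, which may use SHA-NI instructions for SHA-256, so the ranking can differ from both the 32-bit sphlib figures in the comment and from a hardware implementation where Keccak's throughput-to-area ratio is the decisive metric.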