I didn’t see much buzz about this, but the second-round candidates for the SHA-3 cryptographic hash function competition have been announced. (See also here for information on all the submissions.) I am certainly no expert on hash function design, but here are a few observations:
- In perhaps the biggest surprise, MD6 (Rivest's submission) did not make it to the second round. The team behind MD6 effectively withdrew their submission because (paraphrasing here) they could not prove resistance to differential attacks at a number of rounds low enough for MD6 to match the efficiency of SHA-2. I don't know the whole story here, but this seems a little odd to me given that some other second-round candidates also do not have proofs. Why withdraw once you have already put so much work into it?
- Perhaps not unexpected, but it was too bad to see SWIFFTX and FSB not make it to the second round. Both of these were based on provable reductions to hard problems: SWIFFTX to problems on lattices, and FSB to syndrome decoding in coding theory.
- I have a bet with X (who wishes to remain anonymous) about the outcome of the competition: I lose the bet only if the eventual winner is one of ECHO, Fugue, or MD6. Even knowing very little about hash functions, I liked those odds. =) (Now that MD6 has been eliminated, the odds are even more in my favor. ECHO and Fugue both made it to the second round.) Our bet actually boils down to something more substantive: X claimed that NIST would only pick a hash function that [was reasonably efficient and] had some level of provable security, and I felt that NIST would not really care much about proofs.
- There are a number of well-known names among the designers of the second-round candidates, and it would be easy to list favorites based on that. On the other hand, it is fair to say that among the five AES finalists, Rijndael — the eventual winner — had the least famous designers.
Now that the field has been narrowed, maybe we will start to see some more serious attacks. The competition should be interesting to follow!