Posted by: jonkatz | July 31, 2009

SHA-3 update

I didn’t see much buzz about this, but the second-round candidates for the SHA-3 cryptographic hash function competition have been announced. (See also here for information on all the submissions.) I am certainly no expert on hash function design, but here are a few observations:

  • In perhaps the biggest surprise, MD6 (Rivest’s submission) did not make it to the second round. The team behind MD6 effectively withdrew their submission because (paraphrasing here) they were unable to prove security against differential attacks while matching the efficiency of SHA-2. I don’t know the whole story here, but this seems a little odd to me given that some other second-round candidates also do not have proofs. Why withdraw once you have already put so much work into it?
  • Perhaps not unexpected, but it was too bad to see SWIFFTX and FSB not make it to the second round. Both of these were based on provable reductions to hard problems in lattices/coding theory.
  • I have a bet with X (who wishes to remain anonymous) about the outcome of the competition: I lose the bet only if the eventual winner is one of ECHO, Fugue, or MD6. Even knowing very little about hash functions, I liked those odds. =) (Now that MD6 has been eliminated, the odds are even more in my favor. ECHO and Fugue both made it to the second round.) Our bet actually boils down to something more substantive: X claimed that NIST would only pick a hash function that [was reasonably efficient and] had some level of provable security, and I felt that NIST would not really care much about proofs.
  • There are a number of well-known names among the designers of the second-round candidates, and it would be easy to list favorites based on that. On the other hand, it is fair to say that among the five AES finalists, Rijndael — the eventual winner — had the least famous designers.

Now that the field has been narrowed, maybe we will start to see some more serious attacks. The competition should be interesting to follow!



  1. SIMD also has a level of provable security. Since MD6 has been withdrawn, maybe you should voluntarily replace MD6 with SIMD, given that the odds highly favor you by your own reckoning.

  2. Lowering your odds a bit:
    The Groestl designers give similar proofs against differential attacks as ECHO, but prove also other aspects of it.
    On top of that, Groestl seems more efficient than the three you picked.

  3. No — If Groestl is picked, I win. =)

  4. Very clever bet indeed!
