[cryptography] Fwd: NIST Selects Winner of Secure Hash Algorithm (SHA-3) Competition

Aaron Toponce aaron.toponce at gmail.com
Thu Oct 4 15:55:17 EDT 2012

On Wed, Oct 03, 2012 at 12:17:52PM +0200, CodesInChaos wrote:
> I for one am not happy with the choice. It's slower in software than
> blake or skein, and on ARM it's even slower than SHA-2.

There is more to the decision than performance.

> I'm not convinced that using a construction that's significantly
> different from MD gains us much. The constructions are often provably
> secure, so we only need to care about the quality of the compression
> function. To my amateur eyes, keccak doesn't look stronger than blake
> or skein.
> I also think the "it's different" argument is overplayed. SHA-3 should
> stand for itself. Many applications will choose one hash-function, and
> not hash their data with both SHA-2 and SHA-3. They get broken if that
> one hash is broken, and SHA-2 and SHA-3 being different doesn't really
> help them much. I think it's nice to have different constructions on
> stand-by, but would have chosen the one that seems best on its own,
> disregarding how similar it is to SHA-2.

NIST explained why they made the decsion:

"NIST chose Keccak over the four other excellent finalists for its elegant
design, large security margin, good general performance, excellent
efficiency in hardware implementations, and for its flexibility"


"Keccak complements the existing SHA-2 family of hash algorithms well. NIST
remains confident in the security of SHA-2 which is now widely implemented,
and the SHA-2 hash algorithms will continue to be used for the foreseeable
future, as indicated in the NIST hash policy statement. One benefit that
Keccak offers as the SHA-3 winner is its difference in design and
implementation properties from that of SHA-2. It seems very unlikely that a
single new cryptanalytic attack or approach could threaten both

So, it seems to me it was chosen for:

    * The sponge construction being entirely different.
    * Solid security.
    * Good overall performance.
    * Solid efficiency in hardware.
    * Flexibility.
    * Compliments SHA-2.

Seems to me those are solid reasons for making the decision they did.

. o .   o . o   . . o   o . .   . o .
. . o   . o o   o . o   . o o   . . o
o o o   . o .   . o o   o o .   o o o
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 519 bytes
Desc: not available
URL: <http://lists.randombit.net/pipermail/cryptography/attachments/20121004/44be58a9/attachment.asc>

More information about the cryptography mailing list