[cryptography] Fwd: NIST Selects Winner of Secure Hash Algorithm (SHA-3) Competition

Aaron Toponce aaron.toponce at gmail.com
Thu Oct 4 15:55:17 EDT 2012


On Wed, Oct 03, 2012 at 12:17:52PM +0200, CodesInChaos wrote:
> I for one am not happy with the choice. It's slower in software than
> blake or skein, and on ARM it's even slower than SHA-2.

There is more to the decision than performance.

> I'm not convinced that using a construction that's significantly
> different from MD gains us much. The constructions are often provably
> secure, so we only need to care about the quality of the compression
> function. To my amateur eyes, keccak doesn't look stronger than blake
> or skein.
> 
> I also think the "it's different" argument is overplayed. SHA-3 should
> stand for itself. Many applications will choose one hash-function, and
> not hash their data with both SHA-2 and SHA-3. They get broken if that
> one hash is broken, and SHA-2 and SHA-3 being different doesn't really
> help them much. I think it's nice to have different constructions on
> stand-by, but would have chosen the one that seems best on its own,
> disregarding how similar it is to SHA-2.

NIST explained why they made the decision:

"NIST chose Keccak over the four other excellent finalists for its elegant
design, large security margin, good general performance, excellent
efficiency in hardware implementations, and for its flexibility"

Further:

"Keccak complements the existing SHA-2 family of hash algorithms well. NIST
remains confident in the security of SHA-2 which is now widely implemented,
and the SHA-2 hash algorithms will continue to be used for the foreseeable
future, as indicated in the NIST hash policy statement. One benefit that
Keccak offers as the SHA-3 winner is its difference in design and
implementation properties from that of SHA-2. It seems very unlikely that a
single new cryptanalytic attack or approach could threaten both
algorithms."

So, it seems to me it was chosen for:

    * The sponge construction being entirely different.
    * Solid security.
    * Good overall performance.
    * Solid efficiency in hardware.
    * Flexibility.
    * Complements SHA-2.

Seems to me those are solid reasons for making the decision they did.

-- 
. o .   o . o   . . o   o . .   . o .
. . o   . o o   o . o   . o o   . . o
o o o   . o .   . o o   o o .   o o o