NIST hash function competition

Short description: Competition to develop SHA-3

The NIST hash function competition was an open competition held by the US National Institute of Standards and Technology (NIST) to develop a new hash function called SHA-3 to complement the older SHA-1 and SHA-2. The competition was formally announced in the Federal Register on November 2, 2007.[1] "NIST is initiating an effort to develop one or more additional hash algorithms through a public competition, similar to the development process for the Advanced Encryption Standard (AES)."[2] The competition ended on October 2, 2012 when NIST announced that Keccak would be the new SHA-3 hash algorithm.[3]

The winning hash function has been published as NIST FIPS 202, the "SHA-3 Standard", to complement FIPS 180-4, the Secure Hash Standard.

The NIST competition has inspired other competitions such as the Password Hashing Competition.


Submissions were due October 31, 2008 and the list of candidates accepted for the first round was published on December 9, 2008.[4] NIST held a conference in late February 2009 where submitters presented their algorithms and NIST officials discussed criteria for narrowing down the field of candidates for Round 2.[5] The list of 14 candidates accepted to Round 2 was published on July 24, 2009.[6] Another conference was held on August 23–24, 2010 (after CRYPTO 2010) at the University of California, Santa Barbara, where the second-round candidates were discussed.[7] The announcement of the final round candidates occurred on December 10, 2010.[8] On October 2, 2012, NIST announced its winner, choosing Keccak, created by Guido Bertoni, Joan Daemen, and Gilles Van Assche of STMicroelectronics and Michaël Peeters of NXP.[3]


This is an incomplete list of known submissions. NIST selected 51 entries for round 1.[4] 14 of them advanced to round 2,[6] from which 5 finalists were selected.


The winner was announced to be Keccak on October 2, 2012.[9]


NIST selected five SHA-3 candidate algorithms to advance to the third (and final) round:[10]

  • BLAKE (Aumasson et al.)
  • Grøstl (Knudsen et al.)
  • JH (Hongjun Wu)
  • Keccak (Keccak team, Daemen et al.)
  • Skein (Schneier et al.)

NIST noted some factors that figured into its selection as it announced the finalists:[11]

  • Performance: "A couple of algorithms were wounded or eliminated by very large [hardware gate] area requirement – it seemed that the area they required precluded their use in too much of the potential application space."
  • Security: "We preferred to be conservative about security, and in some cases did not select algorithms with exceptional performance, largely because something about them made us 'nervous,' even though we knew of no clear attack against the full algorithm."
  • Analysis: "NIST eliminated several algorithms because of the extent of their second-round tweaks or because of a relative lack of reported cryptanalysis – either tended to create the suspicion that the design might not yet be fully tested and mature."
  • Diversity: The finalists included hashes based on different modes of operation, including the HAIFA and sponge function constructions, and with different internal structures, including ones based on AES, bitslicing, and alternating XOR with addition.

NIST has released a report explaining its evaluation algorithm-by-algorithm.[12][13][14]

Did not pass to Final Round

The following hash function submissions were accepted for Round Two, but did not make it to the final round. As noted in the announcement of the finalists, "none of these candidates was clearly broken".

Did not pass to Round Two

The following hash function submissions were accepted for Round One but did not pass to Round Two. They have neither been conceded by their submitters nor had substantial cryptographic weaknesses. However, most of them have some weaknesses in their design components, or performance issues.

Entrants with substantial weaknesses

The following non-conceded Round One entrants have had substantial cryptographic weaknesses announced:

Conceded entrants

The following Round One entrants have been officially retracted from the competition by their submitters; they are considered broken according to the NIST official Round One Candidates web site.[54] As such, they are withdrawn from the competition.

Rejected entrants

Several submissions received by NIST were not accepted as First Round Candidates, following an internal review by NIST.[4] In general, NIST gave no details as to why each was rejected. NIST also has not given a comprehensive list of rejected algorithms; there are known to be 13,[4][68] but only the following are public.

References


  1. "Federal Register / Vol. 72, No. 212" (PDF). Federal Register. Government Printing Office. November 2, 2007. 
  2. "cryptographic hash project – Background Information". Computer Security Resource Center. National Institute of Standards and Technology. November 2, 2007. 
  3. "NIST Selects Winner of Secure Hash Algorithm (SHA-3) Competition". NIST. October 2, 2012.
  4. "Round 1". 2008-12-09.
  5. National Institute of Standards and Technology (December 9, 2008). "The First SHA-3 Candidate Conference". 
  6. "Second Round Candidates". National Institute of Standards and Technology. July 24, 2009.
  7. National Institute of Standards and Technology (June 30, 2010). "The Second SHA-3 Candidate Conference". 
  8. "Tentative Timeline of the Development of New Hash Functions". NIST. December 10, 2008. 
  9. NIST Selects Winner of Secure Hash Algorithm (SHA-3) Competition
  10. Third (Final) Round Candidates Retrieved 9 Nov 2011
  11. SHA-3 Finalists Announced by NIST, blog post quoting NIST's announcement in full.
  12. Status Report on the First Round of the SHA-3 Cryptographic Hash Algorithm Competition (PDF).
  13. Status Report on the Second Round of the SHA-3 Cryptographic Hash Algorithm Competition (PDF). Retrieved 2 March 2011
  14. Third-Round Report of the SHA-3 Cryptographic Hash Algorithm Competition (PDF).
  15. Svein Johan Knapskog; Danilo Gligoroski (November 4, 2008). "blue_midnight_wish". 
  16. Søren S. Thomsen (2009). "Pseudo-cryptanalysis of Blue Midnight Wish" (PDF). 
  17. Henri Gilbert; Ryad Benadjila (October 29, 2008). "SHA-3 Proposal: ECHO" (PDF). 
  18. Özgül Kücük (31 October 2008). "The Hash Function Hamsi" (PDF). 
  19. Dai Watanabe; Christophe De Canniere (31 October 2008). "Hash Function Luffa: Specification" (PDF). 
  20. Jean-François Misarsky; Emmanuel Bresson (October 28, 2008). "Shabal, a Submission to NIST's Cryptographic Hash Algorithm Competition" (PDF). 
  21. Eli Biham; Orr Dunkelman. "The SHAvite-3 Hash Function" (PDF). 
  22. Jongin Lim; Donghoon Chang (October 29, 2008). "ARIRANG" (PDF). 
  23. Philip Hawkes; Cameron McDonald (October 30, 2008). "Submission to the SHA-3 Competition: The CHI Family of Cryptographic Hash Algorithms". 
  24. Jacques Patarin; Louis Goubin. "CRUNCH". 
  25. Hirotaka Yoshida; Shoichi Hirose (30 October 2008). "SHA-3 Proposal: Lesamnta" (PDF). 
  26. Kerem Varıcı; Onur Özen. "The Sarmal Hash Function". 
  27. Daniel Penazzi; Miguel Montes. "The TIB3 Hash". 
  28. Tetsu Iwata; Kyoji Shibutani (October 31, 2008). "AURORA: A Cryptographic Hash Algorithm Family" (PDF). 
  29. Niels Ferguson; Stefan Lucks (2009). "Attacks on AURORA-512 and the Double-MIX Merkle–Damgård Transform" (PDF). 
  30. Colin Bradbury (25 October 2008). "BLENDER: A Proposed New Family of Cryptographic Hash Algorithms" (PDF). 
  31. Craig Newbold. "Observations and Attacks On The SHA-3 Candidate Blender" (PDF). 
  32. Florian Mendel. "Preimage Attack on Blender" (PDF). 
  33. Dmitry Khovratovich; Alex Biryukov (October 30, 2008). "The Hash Function Cheetah: Specification and Supporting Documentation" (PDF). 
  34. Danilo Gligoroski (2008-12-12). "Danilo Gligoroski – Cheetah hash function is not resistant against length-extension attack". 
  35. Zijie Xu. "Dynamic SHA" (PDF). 
  36. Vlastimil Klima (2008-12-14). "Dynamic SHA is vulnerable to generic attacks". 
  37. Zijie Xu. "Dynamic SHA2" (PDF). NIST. 
  38. Vlastimil Klima (2008-12-14). "Dynamic SHA2 is vulnerable to generic attacks". 
  39. Danilo Gligoroski; Rune Steinsmo Ødegård (November 4, 2008). "edon-r". 
  40. "Cryptanalysis of Edon-R". 2008. 
  41. Sean O'Neil; Karsten Nohl (October 31, 2008). "EnRUPT – The Simpler The Better". 
  42. Sebastiaan Indesteege (November 6, 2008). "Collisions for EnRUPT". 
  43. Jason Worth Martin (October 21, 2008). "ESSENCE: A Candidate Hashing Algorithm for the NIST Competition" (PDF). 
  44. "Cryptanalysis of ESSENCE" (PDF). 
  45. Ivica Nikolić; Alex Biryukov. "Hash family LUX – Algorithm Specifications and Supporting Documentation" (PDF). 
  46. Mikhail Maslennikov. "MCSSHA-3 hash algorithm". 
  47. Jean-Philippe Aumasson; María Naya-Plasencia. "Second preimages on MCSSHA-3" (PDF). 
  48. Peter Maxwell (September 2008). "The Sgàil Cryptographic Hash Function" (PDF). 
  49. Peter Maxwell (November 5, 2008). "Aww, p*sh!". 
  50. Michael Gorski; Ewan Fleischmann (October 28, 2008). "The Twister Hash Function Family" (PDF). 
  51. "Cryptanalysis of Twister" (PDF). 2008. 
  52. Michael Kounavis; Shay Gueron (November 3, 2008). "Vortex: A New Family of One Way Hash Functions based on Rijndael Rounds and Carry-less Multiplication". 
  53. "Cryptanalysis of Vortex" (PDF). 2009. 
  54. Computer Security Division, Information Technology Laboratory (4 January 2017). "SHA-3 Project – Hash Functions". 
  55. Neil Sholer (October 29, 2008). "Abacus: A Candidate for SHA-3" (PDF). 
  56. Gregory G. Rose. "Design and Primitive Specification for Boole" (PDF). 
  57. Gregory G. Rose (10 Dec 2008). "Official Comment: Boole" (PDF). 
  58. David A. Wilson (October 23, 2008). "The DCH Hash Function" (PDF). 
  59. Natarajan Vijayarangan. "A New Hash Algorithm: Khichidi-1" (PDF). 
  60. Björn Fay. "MeshHash" (PDF). 
  61. Orhun Kara; Adem Atalay. "SHAMATA hash function: A candidate algorithm for NIST competition". 
  62. Michal Trojnara (October 14, 2008). "StreamHash Algorithm Specifications and Supporting Documentation" (PDF). 
  63. Rafael Alvarez; Gary McGuire. "The Tangle Hash Function" (PDF). 
  64. John Washburn. "WaMM: A Candidate Algorithm for the SHA-3 Competition" (PDF). 
  65. John Washburn (20 Dec 2008). "Official Comment: WaMM is Withdrawn" (PDF).
  66. Bob Hattersley (October 15, 2008). "Waterfall Hash – Algorithm Specification and Analysis" (PDF).
  67. Bob Hattersley (20 Dec 2008). "Official Comment: Waterfall is broken" (PDF). 
  68. Bruce Schneier (November 19, 2008). "Skein and SHA-3 News". 
  69. Robert J. Jenkins Jr.. "Algorithm Specification". 
  70. Anne Canteaut; María Naya-Plasencia. "Internal collision attack on Maraca" (PDF). 
  71. Michael P. Frank. "Algorithm Specification for MIXIT: a SHA-3 Candidate Cryptographic Hash Algorithm". 
  72. Geoffrey Park. "NKS 2D Cellular Automata Hash" (PDF). 
  73. Christophe De Cannière (November 13, 2008). "Collisions for NKS2D-224".
  74. Brandon Enright (November 14, 2008). "Collisions for NKS2D-512". 
  75. Peter Schmidt-Nielsen. "Ponic" (PDF). 
  76. María Naya-Plasencia. "Second preimage attack on Ponic" (PDF). 
  77. Nicolas T. Courtois; Carmi Gressel. "ZK-Crypt Homepage". 
