Tuesday, May 10, 2011

SHA-3 --- Round 3

In December of last year, the 5 SHA-3 finalists were announced by NIST's William Burr. It was only last week, however, that the official report made it out.

The five finalists are:

- BLAKE
- Keccak
- Grøstl
- JH
- Skein

The evaluation of the finalists focused on two main aspects: security (obviously) and performance. Of the 14 second-round candidates, none was severely broken. There were, however, some concerns raised about CubeHash and Hamsi. The former allows for generic preimage attacks due to its narrow-pipe design; the latter allows for second-preimage attacks faster than the theoretical bound.

The clear winners seem to have been BLAKE, Keccak, JH and Skein, with pretty much no discussion of their strengths and weaknesses in the report. The last place seems to have been disputed between BMW, Grøstl, CubeHash, Luffa, Fugue, and Shabal. The selection of Grøstl feels like shoehorning an AES-based candidate into the finalists: it is (relatively) slow and possibly prone to cache-timing attacks.

I'm sad to see CubeHash go. I mostly agree with the author, in that it's not useful to require 2^512 preimage security yet only 256-bit collision security --- clearly the weakest link is collision resistance, and CubeHash was pretty strong there. Judging by the length and content of section 4.3.3 of the report, its rejection was not a no-brainer.

Personally, I'm rooting for BLAKE. Its building blocks have been thoroughly analyzed before (ChaCha's predecessor, Salsa20, was one of the winners of the eSTREAM competition) and it has excellent performance, for which I can claim an epsilon of credit. Our SSE-optimized candidate implementation can be found on NIST's site below.