Security Analysis and Comparison of the SHA-3 Finalists BLAKE, Grøstl, JH, Keccak, and Skein

In 2007, the US National Institute of Standards and Technology (NIST) announced a call for the design of a new cryptographic hash algorithm in response to the vulnerabilities identified in widely employed hash functions such as MD5 and SHA-1. NIST received many submissions, 51 of which were accepted to the first round. At present, 5 candidates remain in the third round of the competition. At NIST's second SHA-3 Candidate Conference in 2010, Andreeva et al. provided a provable security classification of the second round SHA-3 candidates in the ideal model. In this work, we revisit this classification for the five SHA-3 finalists. We evaluate recent provable security results on the candidates, and resolve remaining open problems for Grøstl, JH, and Skein.
