Difference between revisions of "The SHA-3 Zoo"

From The ECRYPT Hash Function Website
m
(tables updated)
 
(39 intermediate revisions by 6 users not shown)
Line 1: Line 1:
The SHA-3 Zoo (work in progress) is a collection of cryptographic hash functions (in alphabetical order) submitted to the [http://www.nist.gov/hash-competition SHA-3 contest] (see also [http://en.wikipedia.org/wiki/SHA-3 here]). It aims to provide an overview of design and cryptanalysis of all submissions. A list of all [[SHA-3 submitters]] is also available. For a software performance related overview, see [http://bench.cr.yp.to/ebash.html eBASH]. At a separate page, we also collect [[SHA-3_Hardware_Implementations | hardware implementation results]] of the candidates. Another categorization of the SHA-3 submissions can be found [http://www.uni-weimar.de/cms/fileadmin/medien/medsicherheit/Research/SHA3/Classification_of_the_SHA-3_Candidates.pdf here].
+
The SHA-3 Zoo (work in progress) is a collection of cryptographic hash functions (in alphabetical order) submitted to the [http://www.nist.gov/hash-competition SHA-3 contest] (see also [http://en.wikipedia.org/wiki/SHA-3 here]). It aims to provide an overview of design and cryptanalysis of all submissions. A list of all [[SHA-3 submitters]] is also available. For a software performance related overview, see [http://bench.cr.yp.to/ebash.html eBASH]. At a separate page, we also collect [[SHA-3_Hardware_Implementations | hardware implementation results]] of the candidates. Another categorization of the SHA-3 submissions can be found [http://eprint.iacr.org/2008/511.pdf here].
<br><br>
+
 
 
The idea of the SHA-3 Zoo is to give a good overview of cryptanalytic results. We try to avoid additional judgement whether a submission is broken. The answer to this question is left to NIST. However, we categorize the cryptanalytic results by their impact from very theoretic to practical attacks. A detailed description is given in [[Cryptanalysis Categories]].
 
The idea of the SHA-3 Zoo is to give a good overview of cryptanalytic results. We try to avoid additional judgement whether a submission is broken. The answer to this question is left to NIST. However, we categorize the cryptanalytic results by their impact from very theoretic to practical attacks. A detailed description is given in [[Cryptanalysis Categories]].
  
At this time, 55 out of 64 submissions to the SHA-3 competition are publicly known and available. 51 [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/submissions_rnd1.html submissions] have advanced to the first round.
+
At this time, 56 out of 64 submissions to the SHA-3 competition are publicly known and available. 51 submissions have advanced to [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/index.html round 1], 14 submissions have made it into [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/index.html round 2] and 5 candidates have been selected for the [http://csrc.nist.gov/groups/ST/hash/sha-3/Round3/index.html final].
So far, 8 out of 51 first round candidates have been officially conceded broken or withdrawn by the designers.
 
  
The following table should give a first impression on the remaining SHA-3 candidates. It shows only the best known attack, more detailed results are collected at the individual hash function pages. A description of the main table is given [[Cryptanalysis_Categories#Main_Cryptanalysis_Table | here]].
+
The following tables give a first impression on the cryptanalysis of the SHA-3 candidates. The tables only show the best known attack, more detailed results are collected at the individual hash function pages. A description of the main table is given [[Cryptanalysis_Categories#Main_Cryptanalysis_Table | here]].
  
 
[http://ehash.iaik.tugraz.at/index.php?title=Special:Recentchangeslinked&target=The_SHA-3_Zoo&days=7&limit=50&hideminor=1 Recent updates of the SHA-3 Zoo]
 
[http://ehash.iaik.tugraz.at/index.php?title=Special:Recentchangeslinked&target=The_SHA-3_Zoo&days=7&limit=50&hideminor=1 Recent updates of the SHA-3 Zoo]
 +
(Your analysis is not mentioned? Drop a line at sha3zoo@iaik.tugraz.at to let us know!)
  
 +
 +
 +
Keccak has been selected as the SHA-3 standard:
  
 
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable" style="text-align:center"
 
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable" style="text-align:center"
 
|- style="background:#efefef;"
 
|- style="background:#efefef;"
! width="120"| Hash Name !! width="160" | Principal Submitter !! width="120"| Best Attack on Main NIST Requirements !! width="120"| Best Attack on other Hash Requirements
+
! width="120"| Hash Name !! width="160" | Principal Submitter !! width="150"| Best Attack on Main NIST Requirements !! width="140"| Best Attack on other Hash Requirements
 
|-
 
|-
| [[Abacus]]      || Neil Sholer || style="background:orange" | 2nd-preimage ||
+
| [[Keccak]]      || The Keccak Team || ||
|-
 
| [[ARIRANG]]      || Jongin Lim || ||
 
 
|-                                                                                                             
 
|-                                                                                                             
| [[AURORA]]      || Masahiro Fujita  || ||
+
|}
 +
 
 +
 
 +
 
 +
 
 +
The other 4 finalists of the SHA-3 competition are:
 +
 
 +
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable" style="text-align:center"
 +
|- style="background:#efefef;"
 +
! width="120"| Hash Name !! width="160" | Principal Submitter !! width="150"| Best Attack on Main NIST Requirements !! width="140"| Best Attack on other Hash Requirements
 
|-
 
|-
 
| [[BLAKE]]        || Jean-Philippe Aumasson || ||
 
| [[BLAKE]]        || Jean-Philippe Aumasson || ||
 
|-
 
|-
| [[Blender]]     || Colin Bradbury || style="background:orange" | preimage ||
+
| [[Groestl|Grøstl]] || Lars R. Knudsen || ||
 +
|-
 +
| [[JH]]          || Hongjun Wu || style="background:greenyellow" | preimage ||
 +
|-                                                                                                           
 +
| [[Skein]]        || Bruce Schneier || ||
 
|-                                                                                                             
 
|-                                                                                                             
 +
|}
 +
 +
 +
 +
 +
The following SHA-3 candidates advanced to round 2 but did not get into the final:
 +
 +
[http://ehash.iaik.tugraz.at/uploads/c/ce/20090922-2230_SHA-3_round2_tweaks.pdf Round 2 tweaks for all candidates]
 +
 +
 +
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable" style="text-align:center"
 +
|- style="background:#efefef;"
 +
! width="120"| Hash Name !! width="160" | Principal Submitter !! width="150"| Best Attack on Main NIST Requirements !! width="140"| Best Attack on other Hash Requirements
 +
|-
 
| [[Blue Midnight Wish]] || Svein Johan Knapskog || ||
 
| [[Blue Midnight Wish]] || Svein Johan Knapskog || ||
 
|-
 
|-
| [[Cheetah]]     || Dmitry Khovratovich || || length-extension
+
| [[CubeHash]]     || Daniel J. Bernstein || style="background:greenyellow" | preimage ||
 
|-
 
|-
| [[CHI]]         || Phillip Hawkes || ||
+
| [[ECHO]]         || Henri Gilbert || ||
 
|-                                                                                                             
 
|-                                                                                                             
| [[CRUNCH]]       || Jacques Patarin || || length-extension
+
| [[Fugue]]       || Charanjit S. Jutla || ||
 +
|-                                                                                                            
 +
| [[Hamsi]]        || <nowiki>Özgül Kü&#231;ük</nowiki> || ||
 +
|-
 +
| [[Luffa]]        || Dai Watanabe || ||
 
|-
 
|-
| [[CubeHash]]     || Daniel J. Bernstein || style="background:greenyellow" | preimage ||
+
| [[Shabal]]       || <nowiki>Jean-Fran&#231;ois Misarsky</nowiki> || ||
 
|-
 
|-
| [[Dynamic SHA]] || Xu Zijie || || length-extension
+
| [[SHAvite-3]]   || Orr Dunkelman || ||
 
|-
 
|-
| [[Dynamic SHA2]] || Xu Zijie || || length-extension
+
| [[SIMD]]         || <nowiki>Ga&#235;tan Leurent</nowiki> || ||
 
|-
 
|-
| [[ECHO]]        || Henri Gilbert || ||
+
|}
|-                                                                                                            
+
 
| [[ECOH]]        || Daniel R. L. Brown || ||
+
 
 +
 
 +
 
 +
 
 +
The following submitted hash functions have not advanced to round 2:
 +
 
 +
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable" style="text-align:center"
 +
|- style="background:#efefef;"
 +
! width="120"| Hash Name !! width="160" | Principal Submitter !! width="120" | Status !! width="150"| Best Attack on Main NIST Requirements !! width="140"| Best Attack on other Hash Requirements
 
|-
 
|-
| [[Edon-R (SHA-3 submission)|Edon-R]] || Danilo Gligoroski || style="background:yellow" | preimage ||
+
| [[Abacus]]     || Neil Sholer || in round 1 || style="background:orange" | 2nd-preimage ||
 
|-
 
|-
| [[EnRUPT]]       || Sean O’Neil || style="background:red" | collision ||
+
| [[ARIRANG]]     || Jongin Lim || in round 1 || ||
 
|-                                                                                                             
 
|-                                                                                                             
| [[ESSENCE]]     || Jason Worth Martin || ||
+
| [[AURORA]]       || Masahiro Fujita  || in round 1|| style="background:orange"| 2nd preimage  ||
 
|-
 
|-
| [[FSB (SHA-3 submission) | FSB]] || Matthieu Finiasz || ||
+
| [[Blender]]      || Colin Bradbury || in round 1|| style="background:orange" | collision, preimage  || near-collision
 +
|- 
 +
| [[Boole]]      || Greg Rose || in round 1 || style="background:red" | collision ||
 +
|-                                                                                                          
 +
| [[Cheetah]]     || Dmitry Khovratovich || in round 1|| || length-extension
 
|-
 
|-
| [[Fugue]]       || Charanjit S. Jutla || ||
+
| [[CHI]]         || Phillip Hawkes || in round 1|| ||
 
|-                                                                                                             
 
|-                                                                                                             
| [[Groestl|Grøstl]] || Lars R. Knudsen || ||
+
| [[CRUNCH]]       || Jacques Patarin || in round 1|| || length-extension
 
|-
 
|-
| [[Hamsi]]       || Ozgul Kucuk || ||
+
| [[DCH]]         || David A. Wilson || in round 1 || style="background:red" | collision ||
 
|-
 
|-
| [[JH]]           || Hongjun Wu || style="background:greenyellow" | preimage ||
+
| [[Dynamic SHA]] || Xu Zijie || in round 1|| style="background:red"|collision || length-extension
|-                                                                                                            
 
| [[Keccak]]      || The Keccak Team || ||
 
 
|-
 
|-
| [[LANE]]         || Sebastiaan Indesteege || ||
+
| [[Dynamic SHA2]] || Xu Zijie || in round 1|| style="background:orange"|collision  || length-extension
|-                       
 
| [[Lesamnta]]    || Hirotaka Yoshida || ||
 
 
|-
 
|-
| [[Luffa]]       || Dai Watanabe || ||
+
| [[ECOH]]         || Daniel R. L. Brown || in round 1|| style="background:orange"| 2nd preimage ||
 
|-
 
|-
| [[LUX]]          || Ivica Nikolic || ||
+
| [[Edon-R (SHA-3 submission)|Edon-R]] || Danilo Gligoroski || in round 1|| style="background:yellow" | preimage ||
|-                                                                                                            
 
| [[MCSSHA-3]]     || Mikhail Maslennikov || style="background:orange" | collision ||
 
 
|-
 
|-
| [[MD6]]         || Ronald L. Rivest || ||
+
| [[EnRUPT]]       || Sean O'Neil || in round 1|| style="background:red" | collision ||
 
|-                                                                                                             
 
|-                                                                                                             
| [[NaSHA]]       || Smile Markovski || style="background:orange" | collision ||
+
| [[ESSENCE]]     || Jason Worth Martin || in round 1|| style="background:orange" | collision ||
 
|-
 
|-
| [[SANDstorm]]   || Rich Schroeppel || ||
+
| [[FSB (SHA-3 submission) | FSB]] || Matthieu Finiasz || in round 1|| ||
 
|-
 
|-
| [[Sarmal]]       || Kerem Varici || style="background:yellow" | preimage ||
+
| [[HASH 2X]]     || Jason Lee || not in round 1 || style="background:red" | 2nd-preimage ||
|-                                                                                                           
 
| [[Sgàil]]        || Peter Maxwell|| style="background:red" | collision ||
 
 
|-
 
|-
| [[Shabal]]       || Jean-Francois Misarsky || ||
+
| [[Khichidi-1]] || M. Vidyasagar || in round 1 || style="background:red" | collision ||
 
|-
 
|-
| [[SHAMATA]]     || Orhun Kara || ||
+
| [[LANE]]         || Sebastiaan Indesteege || in round 1|| ||
 
|-                         
 
|-                         
| [[SHAvite-3]]   || Orr Dunkelman || ||
+
| [[Lesamnta]]     || Hirotaka Yoshida || in round 1|| ||
 
|-
 
|-
| [[SIMD]]         || Gaetan Leurent || ||
+
| [[LUX]]         || <nowiki>Ivica Nikoli&#263;</nowiki> || in round 1|| style="background:orange" | collision, 2nd preimage || DRBG,HMAC
 +
|-           
 +
| [[Maraca]]      || Robert J. Jenkins || not in round 1 || style="background:red" | preimage ||
 +
|- 
 +
| [[MCSSHA-3]]    || Mikhail Maslennikov || in round 1|| style="background:orange" | 2nd preimage ||
 +
|-                                                                                           
 +
| [[MD6]]          || Ronald L. Rivest || in round 1|| ||
 +
|-   
 +
| [[MeshHash]]    || Björn Fay || in round 1 || style="background:orange" | 2nd preimage ||
 +
|-                                                                                                       
 +
| [[NaSHA]]        || Smile Markovski || in round 1|| style="background:orange" | collision ||
 
|-
 
|-
| [[Skein]]       || Bruce Schneier || ||
+
| [[NKS2D]]       || Geoffrey Park || not in round 1 || style="background:red" | collision ||
|-                                                                                                           
 
| [[Spectral Hash]] || Cetin Kaya Koc || ||
 
 
|-
 
|-
| [[SWIFFTX]]     || Daniele Micciancio || ||
+
| [[Ponic]]       || Peter Schmidt-Nielsen || not in round 1 || style="background:yellow" | 2nd-preimage
 
|-
 
|-
| [[TIB3]]         || Daniel Penazzi || ||
+
| [[SANDstorm]]   || Rich Schroeppel || in round 1|| ||
 
|-
 
|-
| [[Twister]]     || Michael Gorski || style="background:yellow" | 2nd preimage ||
+
| [[Sarmal]]       || <nowiki>Kerem Var&#305;c&#305;</nowiki> || in round 1||  style="background:yellow" | preimage ||
 
|-                                                                                                             
 
|-                                                                                                             
| [[Vortex (SHA-3 submission)|Vortex]] || Michael Kounavis || style="background:yellow" | preimage ||
+
| [[Sgàil]]       || Peter Maxwell|| in round 1|| style="background:red" | collision ||
|}
 
 
 
 
 
 
 
The following hash functions have been submitted to the NIST competition but did not advance to the first round or have been conceded broken by the designers:
 
 
 
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable" style="text-align:center"
 
|- style="background:#efefef;"
 
! width="120"| Hash Name !! width="160" | Principal Submitter !! width="120" | Status !! width="120" | Best Attack on Main NIST Requirements
 
 
|-
 
|-
| [[Boole]]       || Greg Rose || conceded broken || style="background:red" | collision
+
| [[SHAMATA]]     || Orhun Kara || in round 1 || style="background:red" | collision ||
 
|-
 
|-
| [[DCH]]         || David A. Wilson || conceded broken || style="background:red" | collision
+
| [[Spectral Hash]] || <nowiki>&#199;etin Kaya Ko&#231;</nowiki> || in round 1|| style="background:red" | collision ||
|-                                                                                                           
 
| [[HASH 2X]]    || Jason Lee || not in round 1 || style="background:red" | 2nd-preimage
 
 
|-
 
|-
| [[Khichidi-1]] || M. Vidyasagar || conceded broken || style="background:red" | collision
+
| [[StreamHash]]   || Michal Trojnara || in round 1 || style="background:red" | collision ||
 
|-
 
|-
| [[Maraca]]      || Robert J. Jenkins || not in round 1 || style="background:red" | preimage
+
| [[SWIFFTX]]      || Daniele Micciancio || in round 1|| ||
 
|-
 
|-
| [[MeshHash]]   || Björn Fay || conceded broken || style="background:orange" | 2nd preimage
+
| [[Tangle]]     || Rafael Alvarez || in round 1 || style="background:red" | collision ||
 
|-
 
|-
| [[NKS2D]]       || Geoffrey Park || not in round 1 || style="background:red" | collision
+
| [[TIB3]]         || Daniel Penazzi || in round 1|| style="background:yellow" | collision ||
 
|-
 
|-
| [[Ponic]]       || Peter Schmidt-Nielsen || not in round 1 || style="background:yellow" | 2nd-preimage
+
| [[Twister]]     || Michael Gorski || in round 1|| style="background:orange" | preimage ||
 
|-                                                                                                             
 
|-                                                                                                             
| [[StreamHash]]   || Michal Trojnara || conceded broken || style="background:red" | collision
+
| [[Vortex (SHA-3 submission)|Vortex]] || Michael Kounavis || in round 1|| style="background:yellow" | preimage ||
 
|-
 
|-
| [[Tangle]]     || Rafael Alvarez || conceded broken || style="background:red" | collision
+
| [[WaMM]]       || John Washburn || in round 1 || style="background:red" | collision ||
 
|-
 
|-
| [[WaMM]]       || John Washburn || conceded broken || style="background:red" | collision
+
| [[Waterfall]]   || Bob Hattersley || in round 1 || style="background:orange" | collision ||
 
|-
 
|-
| [[Waterfall]]   || Bob Hattersley || conceded broken || style="background:orange" | collision
+
| [[ZK-Crypt]]       || Carmi Gressel || not in round 1 || ||
 
|}
 
|}
 
 
Your analysis is not mentioned? Drop a line at sha3zoo@iaik.tugraz.at to let us know!
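Review bot: The `[[Ponic]]` row added to the "have not advanced to round 2" table ends after the `2nd-preimage` cell with no trailing `||`, so it carries four cells under a five-column header, while the other added rows in that table keep the empty fifth cell. Append `||` to that row so the "Best Attack on other Hash Requirements" column is present. The attack label is also spelled two ways in the added rows: `2nd-preimage` for Abacus, HASH 2X and Ponic, and `2nd preimage` for AURORA, ECOH, MCSSHA-3 and MeshHash. Pick one form.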
 

Latest revision as of 14:32, 28 January 2013

The SHA-3 Zoo (work in progress) is a collection of cryptographic hash functions (in alphabetical order) submitted to the SHA-3 contest (see also here). It aims to provide an overview of design and cryptanalysis of all submissions. A list of all SHA-3 submitters is also available. For a software performance related overview, see eBASH. At a separate page, we also collect hardware implementation results of the candidates. Another categorization of the SHA-3 submissions can be found here.

The idea of the SHA-3 Zoo is to give a good overview of cryptanalytic results. We try to avoid additional judgement as to whether a submission is broken. The answer to this question is left to NIST. However, we categorize the cryptanalytic results by their impact, from very theoretical to practical attacks. A detailed description is given in Cryptanalysis Categories.

At this time, 56 out of 64 submissions to the SHA-3 competition are publicly known and available. 51 submissions have advanced to round 1, 14 submissions have made it into round 2 and 5 candidates have been selected for the final.

The following tables give a first impression of the cryptanalysis of the SHA-3 candidates. The tables show only the best known attack; more detailed results are collected at the individual hash function pages. A description of the main table is given here.

Recent updates of the SHA-3 Zoo (Your analysis is not mentioned? Drop a line at sha3zoo@iaik.tugraz.at to let us know!)


Keccak has been selected as the SHA-3 standard:

{|
! Hash Name !! Principal Submitter !! Best Attack on Main NIST Requirements !! Best Attack on other Hash Requirements
|-
| Keccak || The Keccak Team || ||
|}



The other 4 finalists of the SHA-3 competition are:

{|
! Hash Name !! Principal Submitter !! Best Attack on Main NIST Requirements !! Best Attack on other Hash Requirements
|-
| BLAKE || Jean-Philippe Aumasson || ||
|-
| Grøstl || Lars R. Knudsen || ||
|-
| JH || Hongjun Wu || preimage ||
|-
| Skein || Bruce Schneier || ||
|}



The following SHA-3 candidates advanced to round 2 but did not get into the final:

Round 2 tweaks for all candidates


{|
! Hash Name !! Principal Submitter !! Best Attack on Main NIST Requirements !! Best Attack on other Hash Requirements
|-
| Blue Midnight Wish || Svein Johan Knapskog || ||
|-
| CubeHash || Daniel J. Bernstein || preimage ||
|-
| ECHO || Henri Gilbert || ||
|-
| Fugue || Charanjit S. Jutla || ||
|-
| Hamsi || Özgül Küçük || ||
|-
| Luffa || Dai Watanabe || ||
|-
| Shabal || Jean-François Misarsky || ||
|-
| SHAvite-3 || Orr Dunkelman || ||
|-
| SIMD || Gaëtan Leurent || ||
|}



The following submitted hash functions have not advanced to round 2:

{|
! Hash Name !! Principal Submitter !! Status !! Best Attack on Main NIST Requirements !! Best Attack on other Hash Requirements
|-
| Abacus || Neil Sholer || in round 1 || 2nd-preimage ||
|-
| ARIRANG || Jongin Lim || in round 1 || ||
|-
| AURORA || Masahiro Fujita || in round 1 || 2nd preimage ||
|-
| Blender || Colin Bradbury || in round 1 || collision, preimage || near-collision
|-
| Boole || Greg Rose || in round 1 || collision ||
|-
| Cheetah || Dmitry Khovratovich || in round 1 || || length-extension
|-
| CHI || Phillip Hawkes || in round 1 || ||
|-
| CRUNCH || Jacques Patarin || in round 1 || || length-extension
|-
| DCH || David A. Wilson || in round 1 || collision ||
|-
| Dynamic SHA || Xu Zijie || in round 1 || collision || length-extension
|-
| Dynamic SHA2 || Xu Zijie || in round 1 || collision || length-extension
|-
| ECOH || Daniel R. L. Brown || in round 1 || 2nd preimage ||
|-
| Edon-R || Danilo Gligoroski || in round 1 || preimage ||
|-
| EnRUPT || Sean O'Neil || in round 1 || collision ||
|-
| ESSENCE || Jason Worth Martin || in round 1 || collision ||
|-
| FSB || Matthieu Finiasz || in round 1 || ||
|-
| HASH 2X || Jason Lee || not in round 1 || 2nd-preimage ||
|-
| Khichidi-1 || M. Vidyasagar || in round 1 || collision ||
|-
| LANE || Sebastiaan Indesteege || in round 1 || ||
|-
| Lesamnta || Hirotaka Yoshida || in round 1 || ||
|-
| LUX || Ivica Nikolić || in round 1 || collision, 2nd preimage || DRBG,HMAC
|-
| Maraca || Robert J. Jenkins || not in round 1 || preimage ||
|-
| MCSSHA-3 || Mikhail Maslennikov || in round 1 || 2nd preimage ||
|-
| MD6 || Ronald L. Rivest || in round 1 || ||
|-
| MeshHash || Björn Fay || in round 1 || 2nd preimage ||
|-
| NaSHA || Smile Markovski || in round 1 || collision ||
|-
| NKS2D || Geoffrey Park || not in round 1 || collision ||
|-
| Ponic || Peter Schmidt-Nielsen || not in round 1 || 2nd-preimage ||
|-
| SANDstorm || Rich Schroeppel || in round 1 || ||
|-
| Sarmal || Kerem Varıcı || in round 1 || preimage ||
|-
| Sgàil || Peter Maxwell || in round 1 || collision ||
|-
| SHAMATA || Orhun Kara || in round 1 || collision ||
|-
| Spectral Hash || Çetin Kaya Koç || in round 1 || collision ||
|-
| StreamHash || Michal Trojnara || in round 1 || collision ||
|-
| SWIFFTX || Daniele Micciancio || in round 1 || ||
|-
| Tangle || Rafael Alvarez || in round 1 || collision ||
|-
| TIB3 || Daniel Penazzi || in round 1 || collision ||
|-
| Twister || Michael Gorski || in round 1 || preimage ||
|-
| Vortex || Michael Kounavis || in round 1 || preimage ||
|-
| WaMM || John Washburn || in round 1 || collision ||
|-
| Waterfall || Bob Hattersley || in round 1 || collision ||
|-
| ZK-Crypt || Carmi Gressel || not in round 1 || ||
|}