Paper 2010/381

Security Reductions of the Second Round SHA-3 Candidates

Elena Andreeva, Bart Mennink, and Bart Preneel


In 2007, the US National Institute for Standards and Technology announced a call for the design of a new cryptographic hash algorithm in response to vulnerabilities identified in existing hash functions, such as MD5 and SHA-1. NIST received many submissions, 51 of which got accepted to the first round. At present, 14 candidates are left in the second round. An important criterion in the selection process is the SHA-3 hash function security and more concretely, the possible security reductions of the hash function to the security of its underlying building blocks. While some of the candidates are supported with firm security reductions, for most of the schemes these results are still incomplete. In this paper, we compare the state of the art provable security reductions of the second round candidates. We discuss all SHA-3 candidates at a high functional level, and analyze and summarize the security reduction results. Surprisingly, we derive some security bounds from the literature, which the hash function designers seem to be unaware of. Additionally, we generalize the well-known proof of collision resistance preservation, such that all SHA-3 candidates with a suffix-free padding are covered.

Available format(s)
Secret-key cryptography
Publication info
Published elsewhere. Presented at ISC 2010, this is the full version
hash functionssecurity
Contact author(s)
bart mennink @ esat kuleuven be
2011-08-26: last of 6 revisions
2010-07-07: received
See all versions
Short URL
Creative Commons Attribution


      author = {Elena Andreeva and Bart Mennink and Bart Preneel},
      title = {Security Reductions of the Second Round SHA-3 Candidates},
      howpublished = {Cryptology ePrint Archive, Paper 2010/381},
      year = {2010},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.