Cryptology ePrint Archive: Report 2012/147

On Security Arguments of the Second Round SHA-3 Candidates

Elena Andreeva and Andrey Bogdanov and Bart Mennink and Bart Preneel and Christian Rechberger

Abstract: In 2007, the US National Institute for Standards and Technology (NIST) announced a call for the design of a new cryptographic hash algorithm in response to vulnerabilities like differential attacks identified in existing hash functions, such as MD5 and SHA-1. NIST received many submissions, 51 of which got accepted to the first round. 14 candidates were left in the second round, out of which 5 candidates have been recently chosen for the final round. An important criterion in the selection process is the SHA-3 hash function security. We identify two important classes of security arguments for the new designs: (1) the possible reductions of the hash function security to the security of its underlying building blocks, and (2) arguments against differential attack on building blocks. In this paper, we compare the state of the art provable security reductions for the second round candidates, and review arguments and bounds against classes of differential attacks. We discuss all the SHA-3 candidates at a high functional level, analyze and summarize the security reduction results and bounds against differential attacks. Additionally, we generalize the well-known proof of collision resistance preservation, such that all SHA-3 candidates with a suffix-free padding are covered.

Category / Keywords: secret-key cryptography / SHA-3 competition, hash functions, classification, security reductions, differential attacks

Publication Info: Earlier version appears in International Journal of Information Security

Date: received 19 Mar 2012

Contact author: bart mennink at esat kuleuven be

Available format(s): PDF | BibTeX Citation

Note: Earlier version appears in International Journal of Information Security. Updated with first bounds on Keccak trails from FSE 2012 in Section 3.9 and Table 2.

Version: 20120322:032426 (All versions of this report)

Short URL:

Discussion forum: Show discussion | Start new discussion

[ Cryptology ePrint archive ]