SHA-3

SHA-3 (Keccak)
General
Designers: Guido Bertoni, Joan Daemen, Michaël Peeters, and Gilles Van Assche
First published: 2016 (8 years ago)
Series: (SHA-0), SHA-1, SHA-2, SHA-3
Certification: FIPS PUB 202
Detail
Digest sizes: arbitrary
Structure: sponge construction
Speed: 12.6 cpb on a typical x86-64-based machine for Keccak-f[1600] plus XORing 1024 bits,[1] which roughly corresponds to SHA2-256.
Best public cryptanalysis
Preimage attack on Keccak-512 reduced to 8 rounds, requiring 2^511.5 time and 2^508 memory.[2] Zero-sum distinguishers exist for the full 24-round Keccak-f[1600], though they cannot be used to attack the hash function itself.[3]

SHA-3 (Secure Hash Algorithm 3) is the latest[4] member of the Secure Hash Algorithm family of standards, released by NIST on August 5, 2015.[5][6][7] Although part of the same series of standards, SHA-3 is internally different from the MD5-like structure of SHA-1 and SHA-2.

SHA-3 is a subset of the broader cryptographic primitive family Keccak (/ˈkɛtʃæk/ or /ˈkɛtʃɑːk/),[8][9] designed by Guido Bertoni, Joan Daemen, Michaël Peeters, and Gilles Van Assche, building upon RadioGatún. Keccak's authors have proposed additional uses for the function, not (yet) standardized by NIST, including a stream cipher, an authenticated encryption system, a "tree" hashing scheme for faster hashing on certain architectures,[10][11] and AEAD ciphers Keyak and Ketje.[12][13]

Keccak is based on a novel approach called sponge construction.[14] Sponge construction is based on a wide random function or random permutation, and allows inputting ("absorbing" in sponge terminology) any amount of data, and outputting ("squeezing") any amount of data, while acting as a pseudorandom function with regard to all previous inputs. This leads to great flexibility.
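The absorb and squeeze phases described above, as an added example that is not part of the original article: a minimal Python sponge over Keccak-f[1600], checked against hashlib. The rates (136 and 168 bytes), the padding rule and the domain-separation suffixes 0x06 and 0x1F are taken from FIPS 202, not from this page; the function names are this example's own.

```python
import hashlib

MASK = (1 << 64) - 1

def rol(v, n):
    n %= 64
    return ((v << n) | (v >> (64 - n))) & MASK

def keccak_f1600(state):
    """Keccak-f[1600] permutation; the 1600-bit state is held as a Python int."""
    A = [[(state >> 64 * (x + 5 * y)) & MASK for y in range(5)] for x in range(5)]
    rc = 1  # LFSR that generates the round constants
    for _ in range(24):
        C = [A[x][0] ^ A[x][1] ^ A[x][2] ^ A[x][3] ^ A[x][4] for x in range(5)]  # theta
        D = [C[(x + 4) % 5] ^ rol(C[(x + 1) % 5], 1) for x in range(5)]
        A = [[A[x][y] ^ D[x] for y in range(5)] for x in range(5)]
        x, y, cur = 1, 0, A[1][0]  # rho and pi
        for t in range(24):
            x, y = y, (2 * x + 3 * y) % 5
            cur, A[x][y] = A[x][y], rol(cur, (t + 1) * (t + 2) // 2)
        A = [[A[x][y] ^ (~A[(x + 1) % 5][y] & A[(x + 2) % 5][y])  # chi
              for y in range(5)] for x in range(5)]
        for j in range(7):  # iota
            rc = ((rc << 1) ^ ((rc >> 7) * 0x71)) % 256
            if rc & 2:
                A[0][0] ^= 1 << ((1 << j) - 1)
    return sum(A[x][y] << 64 * (x + 5 * y) for x in range(5) for y in range(5))

def sponge(msg, rate, suffix, out_len):
    """Absorb msg, then squeeze out_len bytes; rate in bytes, capacity = 200 - rate."""
    pad = bytearray(rate - len(msg) % rate)  # pad10*1 preceded by the suffix bits
    pad[0] ^= suffix
    pad[-1] ^= 0x80
    data = msg + bytes(pad)
    state = 0
    for i in range(0, len(data), rate):  # absorbing: XOR only into the first `rate` bytes
        state = keccak_f1600(state ^ int.from_bytes(data[i:i + rate], "little"))
    out = b""
    while True:  # squeezing: read `rate` bytes, permute, repeat as long as needed
        out += state.to_bytes(200, "little")[:rate]
        if len(out) >= out_len:
            return out[:out_len]
        state = keccak_f1600(state)

def self_check():
    # Constructed inputs; lengths straddle the 136-byte SHA3-256 rate boundary.
    msgs = [b"a" * n for n in (0, 1, 135, 136, 137, 300)]
    return all(sponge(m, 136, 0x06, 32) == hashlib.sha3_256(m).digest()
               and sponge(m, 168, 0x1F, 400) == hashlib.shake_128(m).digest(400)
               for m in msgs)
```

The same sponge() call yields a fixed 32-byte SHA3-256 digest or 400 bytes of SHAKE128 output; only the rate, the suffix and the requested length differ.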

As of 2022, NIST does not plan to withdraw SHA-2 or remove it from the revised Secure Hash Standard.[15] The purpose of SHA-3 is to provide a function that can be directly substituted for SHA-2 in current applications if necessary, and to significantly improve the robustness of NIST's overall hash algorithm toolkit.[16]

For small message sizes, the creators of the Keccak algorithms and the SHA-3 functions suggest using the faster function KangarooTwelve with adjusted parameters and a new tree hashing mode without extra overhead.

  1. Cite error: The named reference ksoftimpl was invoked but never defined.
  2. Morawiecki, Paweł; Pieprzyk, Josef; Srebrny, Marian (2013). "Rotational Cryptanalysis of Round-Reduced Keccak" (PDF). In Moriai, S (ed.). Fast Software Encryption. Fast Software Encryption Lecture Notes in Computer Science. Vol. 8424. pp. 241–262. doi:10.1007/978-3-662-43933-3_13. ISBN 978-3-662-43932-6. Archived (PDF) from the original on January 8, 2013. Retrieved February 8, 2019.
  3. Bertoni, Guido; Daemen, Joan; Peeters, Michaël; Van Assche, Gilles (January 14, 2011). "The Keccak SHA-3 submission" (PDF). keccak.team. Archived (PDF) from the original on August 19, 2011. Retrieved March 27, 2023.
  4. Computer Security Division, Information Technology Laboratory (January 4, 2017). "Hash Functions | CSRC | CSRC". CSRC | NIST. Retrieved April 19, 2024.
  5. "Hash Functions". NIST. June 22, 2020. Retrieved February 17, 2021.
  6. Information Technology Laboratory (August 2015). SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions (PDF). National Institute of Standards and Technology. doi:10.6028/NIST.FIPS.202. S2CID 64734386. Federal Information Processing Standard Publication 202. Retrieved February 29, 2020.
  7. Dworkin, Morris J. (August 4, 2015). "SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions". Federal Information Processing Standards (NIST FIPS).
  8. Cite error: The named reference nist was invoked but never defined.
  9. Cruz, José R.C. (May 7, 2013). "Keccak: The New SHA-3 Encryption Standard". Dr. Dobbs.
  10. Bertoni, Guido; Daemen, Joan; Peeters, Michaël; Van Assche, Gilles. "Keccak specifications summary". Retrieved March 27, 2023.
  11. Chang, Shu-jen; Perlner, Ray; Burr, William E.; Sonmez Turan, Meltem; Kelsey, John M.; Paul, Souradyuti; Bassham, Lawrence E. (November 2012). Third-Round Report of the SHA-3 Cryptographic Hash Algorithm Competition (PDF). doi:10.6028/NIST.IR.7896. Retrieved February 29, 2020. Sections 5.1.2.1 (mentioning "tree mode"), 6.2 ("other features", mentioning authenticated encryption), and 7 (saying "extras" may be standardized in the future).
  12. Bertoni, Guido; Daemen, Joan; Peeters, Michaël; Van Assche, Gilles; Van Keer, Ronny (March 13, 2014). "CAESAR submission: Ketje v1" (PDF). Retrieved February 29, 2020.
  13. Bertoni, Guido; Daemen, Joan; Peeters, Michaël; Van Assche, Gilles; Van Keer, Ronny (March 13, 2014). "CAESAR submission: Keyak v1" (PDF). Retrieved February 29, 2020.
  14. Cite error: The named reference sponge was invoked but never defined.
  15. Computer Security Division, Information Technology Laboratory (December 14, 2022). "NIST Transitioning Away from SHA-1 for All Applications | CSRC". CSRC | NIST. Retrieved October 9, 2024.
  16. "Announcing Request for Candidate Algorithm Nominations for a New Cryptographic Hash Algorithm (SHA-3) Family [U.S. Federal Register Vol. 72 No. 212)]" (PDF). November 2, 2007. Archived (PDF) from the original on March 31, 2011. Retrieved July 18, 2017.