Secure Hash Algorithms | |
---|---|
Concepts | |
hash functions, SHA, DSA | |
Main standards | |
SHA-0, SHA-1, SHA-2, SHA-3 | |
General | |
---|---|
Designers | Guido Bertoni, Joan Daemen, Michaël Peeters, and Gilles Van Assche |
First published | 2016 |
Series | (SHA-0), SHA-1, SHA-2, SHA-3 |
Certification | FIPS PUB 202 |
Detail | |
Digest sizes | arbitrary |
Structure | sponge construction |
Speed | 12.6 cpb on a typical x86-64-based machine for Keccak-f[1600] plus XORing 1024 bits,[1] which roughly corresponds to SHA2-256. |
Best public cryptanalysis | |
Preimage attack on Keccak-512 reduced to 8 rounds, requiring 2^511.5 time and 2^508 memory.[2] Zero-sum distinguishers exist for the full 24-round Keccak-f[1600], though they cannot be used to attack the hash function itself.[3]

SHA-3 (Secure Hash Algorithm 3) is the latest[4] member of the Secure Hash Algorithm family of standards, released by NIST on August 5, 2015.[5][6][7] Although part of the same series of standards, SHA-3 is internally different from the MD5-like structure of SHA-1 and SHA-2.
SHA-3 is a subset of the broader cryptographic primitive family Keccak (/ˈkɛtʃæk/ or /ˈkɛtʃɑːk/),[8][9] designed by Guido Bertoni, Joan Daemen, Michaël Peeters, and Gilles Van Assche, building upon RadioGatún. Keccak's authors have proposed additional uses for the function, not (yet) standardized by NIST, including a stream cipher, an authenticated encryption system, a "tree" hashing scheme for faster hashing on certain architectures,[10][11] and AEAD ciphers Keyak and Ketje.[12][13]
Keccak is based on a novel approach called sponge construction.[14] Sponge construction is based on a wide random function or random permutation, and allows inputting ("absorbing" in sponge terminology) any amount of data, and outputting ("squeezing") any amount of data, while acting as a pseudorandom function with regard to all previous inputs. This leads to great flexibility.
As of 2007, NIST did not plan to withdraw SHA-2 or remove it from the revised Secure Hash Standard. The purpose of SHA-3 is that it can be directly substituted for SHA-2 in current applications if necessary, and to significantly improve the robustness of NIST's overall hash algorithm toolkit.[15]
For small message sizes, the creators of the Keccak algorithms and the SHA-3 functions suggest using the faster function KangarooTwelve with adjusted parameters and a new tree hashing mode without extra overhead.