International Association for Cryptologic Research

Paper: Security Reductions of the Second Round SHA-3 Candidates

Elena Andreeva
Bart Mennink
Bart Preneel
Abstract: In 2007, the US National Institute of Standards and Technology (NIST) announced a call for the design of a new cryptographic hash algorithm in response to vulnerabilities identified in existing hash functions such as MD5 and SHA-1. NIST received many submissions, 51 of which were accepted to the first round. At present, 14 candidates remain in the second round. An important criterion in the selection process is the security of the SHA-3 hash function and, more concretely, the possible security reductions of the hash function to the security of its underlying building blocks. While some of the candidates are supported by firm security reductions, for most of the schemes these results are still incomplete. In this paper, we compare the state-of-the-art provable security reductions of the second round candidates. We discuss all SHA-3 candidates at a high functional level, and analyze and summarize the security reduction results. Surprisingly, we derive some security bounds from the literature of which the hash function designers seem to be unaware. Additionally, we generalize the well-known proof of collision resistance preservation so that all SHA-3 candidates with a suffix-free padding are covered.
  title={Security Reductions of the Second Round SHA-3 Candidates},
  booktitle={IACR Eprint archive},
  keywords={secret-key cryptography / hash functions, security},
  note={ 14820 received 5 Jul 2010, last revised 30 Jul 2010},
  author={Elena Andreeva and Bart Mennink and Bart Preneel},