Cryptography Stack Exchange
Cryptography Stack Exchange

Questions tagged [sha-3]

SHA-3, also known as Keccak, is a cryptographic hash function standardized by NIST as a new alternative to the SHA-2 hash function family.

SHA-3, also known as Keccak, is a cryptographic hash function selected by NIST as an alternative to the SHA-2 hash function family.

The Keccak sponge function family was designed by Guido Bertoni, Joan Daemen, Michaël Peeters and Gilles Van Assche, and was submitted to the NIST SHA-3 hash function competition in 2008. Its design is based on the earlier hash functions Panama and RadioGatún, and uses the cryptographic sponge construction.

On October 2, 2012, from among the five finalists of the SHA-3 competition (Blake, Grøstl, JH, Keccak and Skein), NIST selected Keccak as the new SHA-3 hash standard, which is expected to be published in the second quarter of 2014. The SHA-3 hash function does not replace the existing SHA-2 hash functions (SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224 and SHA-512/256), which are still recommended by NIST, but rather complements them. According to the SHA-3 selection announcement:

"NIST chose KECCAK over the four other excellent finalists for its elegant design, large security margin, good general performance, excellent efficiency in hardware implementations, and for its flexibility. KECCAK uses a new “sponge construction” chaining mode, based on a fixed permutation, that can readily be adjusted to trade generic security strength for throughput, and can generate larger or smaller hash outputs as required. The KECCAK designers have also defined a modified chaining mode for KECCAK that provides authenticated encryption.

Additionally, KECCAK complements the existing SHA-2 family of hash algorithms well. NIST remains confident in the security of SHA-2 which is now widely implemented, and the SHA-2 hash algorithms will continue to be used for the foreseeable future, as indicated in the NIST hash policy statement. One benefit that KECCAK offers as the SHA-3 winner is its difference in design and implementation properties from that of SHA-2. It seems very unlikely that a single new cryptanalytic attack or approach could threaten both algorithms. Similarly, the very different implementation properties of the two algorithms will allow future application and protocol designers greater flexibility in finding one of the two hash algorithms that fits well with their requirements."

See also:

187 questions
60
votes
4 answers

Why isn’t SHA-3 in wider use?

SHA-3 was released by NIST just over 4 years ago this week. In my experience it does not seem to be as widely used as I might have expected. I see SHA-2 and even SHA-1 more often. What are your opinions on why this is the case?:
RixN
  • 792
  • 1
  • 5
  • 8
60
votes
2 answers

What advantages does Keccak/SHA-3 have over BLAKE2?

Keccak/SHA-3 is new NIST standard for cryptographic hash functions. However, it is much slower than BLAKE2 in software implementations. Does Keccak have compensating advantages?
Demi
  • 4,853
  • 1
  • 22
  • 40
46
votes
2 answers

What is the difference between SHA-3 and SHA-256?

I am new about cryptography, I learned that SHA-3 (Secure Hash Algorithm 3) is the latest member of the Secure Hash Algorithm family of standards, released by NIST. But I recently saw SHA-256 but I don't get what is it in comparison to SHA-3 ?
Ced
  • 595
  • 1
  • 4
  • 8
36
votes
5 answers

What security do Cryptographic Sponges offer against generic quantum attacks?

In the face of non-quantum attacker, Keccak[r=1088,c=512] with 512 bits of output provides: Collision resistance up to $2^{256}$ operations Preimage resistance up to $2^{256}$ operations Second preimage resistance up to $2^{256}$ operations In…
Nakedible
  • 1,460
  • 11
  • 15
34
votes
1 answer

Proof for the SHA3 claim that 256 bit security is "post-quantum sufficient"?

On page 14 of "Keccak and the SHA-3 Standardization" (February 6, 2013) it says: Instantiation of a sponge function the permutation KECCAK-f 7 permutations: b → {25,50,100,200,400,800,1600} Security-speed trade-offs using the same permutation,…
Mike Edward Moras
  • 18,161
  • 12
  • 87
  • 240
31
votes
1 answer

Is it possible to actually verify a “sponge function” security claim?

When using a “sponge function” to create a cryptographic hash, we can look at the flat sponge claim, which flattens the claimed success probabilities of all attacks using a single parameter: the claimed capacity cclaim Is there any way to actually…
Mike Edward Moras
  • 18,161
  • 12
  • 87
  • 240
30
votes
1 answer

How secure would HMAC-SHA3 be?

It would be possible to implement the HMAC construction with (draft) SHA-3, leading to HMAC-SHA3-224, HMAC-SHA3-256, HMAC-SHA3-384, HMAC-SHA3-512 (the last 3 digits are the output size $\ell$, where $\ell/8$ is the $L$ parameter in HMAC). All that's…
fgrieu
  • 149,326
  • 13
  • 324
  • 622
26
votes
2 answers

Is HMAC needed for a SHA-3 based MAC?

HMAC does nested hashing in order to prevent Length Extension Attacks. Given that you use the SHA-3 hash (which is resistant against length extension attacks), would you still need to go through that procedure in order to produce a secure…
hl3mukkel
  • 509
  • 5
  • 10
25
votes
1 answer

Why is SHA-3 robust against Length-Extension Attacks?

If a length extension attack can occur because of $H(\text{K}\mathbin\|\text{Message})$, what changed in SHA-3 from SHA-2 that prevents this from occurring?
elberman
  • 351
  • 3
  • 3
24
votes
3 answers

Are NIST's changes to Keccak/SHA-3 problematic?

NIST is working on standardizing SHA-3. They have selected Keccak as the basis for SHA-3, and they plan to make some small changes to it; the result (with NIST's changes) will be standardized as SHA-3. A blog post from the CDT raises concerns over…
D.W.
  • 36,982
  • 13
  • 107
  • 196
23
votes
1 answer

What is the origin of the word "Keccak"?

Where does the word or acronym Keccak come from? Guido Bertoni, Joan Daemen, Michael Peeters, and Gilles Van Assche. Keccak sponge function family main document. Submission to NIST (updated), 2009. "NIST Selects Winner of Secure Hash Algorithm…
user8131
  • 231
  • 2
  • 3
20
votes
2 answers

Use case for extendable-output functions (XOF) such as SHAKE128/SHAKE256

FIPS 202 defines 2 functions, SHAKE128 and SHAKE256, as extendable-output functions (XOFs) that can have variable output length. But in Appendix A.2 marks: it is possible to use an XOF as a hash function by selecting a fixed output length.…
Hauleth
  • 336
  • 5
  • 13
18
votes
2 answers

Why are the constants so simple in Keccak?

Keccak, the construction selected for SHA-3 is very interesting. It seems unlike other primitives and has chosen very simple constants. (Keccak talk PDF) The initial values of the state in Keccak is all zero, why? The round constants have just a few…
u0b34a0f6ae
  • 283
  • 2
  • 6
18
votes
1 answer

What are the key differences between the draft SHA-3 standard and the Keccak submission?

I just noticed that on the NIST website there is a PDF with a draft of the SHA-3 standard (i.e. FIPS 202) (marked as "new", and seemingly the page was last changed on April 7, 2014). Previously it was discussed here that NIST would be changing stuff…
Paŭlo Ebermann
  • 22,946
  • 7
  • 82
  • 119
18
votes
1 answer

Did NIST verify “post-quantum” claims in the SHA3 proposal papers?

I have been reading Bernstein’s “Quantum attacks against Blue Midnight Wish, ECHO, Fugue, Grøstl, Hamsi, JH, Keccak, Shabal, SHAvite-3, SIMD, and Skein” paper from 2010… This document disproves the claims of preimage resistance for Blue Midnight…
Mike Edward Moras
  • 18,161
  • 12
  • 87
  • 240
1
2 3
12 13