D.SYM.4 SHA-3 Design and Cryptanalysis Report

The competition to select a new secure hash function standard SHA-3 was initiated in response to surprising progress in the cryptanalysis of existing hash function constructions that started in 2004. In this report we survey design and cryptanalytic results of those 14 candidates that remain in the competition, about 1.5 years after the competition started with the initial submission of the candidates in October 2008. Implementation considerations are not in the scope of this report. The diversity of designs is also re ected in the great variety of cryptanalytic techniques and results that were applied and found during this time. This report gives an account of those techniques and results. So far, none of the 14 candidates were shown to have weaknesses when used with the recommended security parameters, and a lot of the cryptanalytic eorts continue to be directed at building blocks instead of the hash function construction as a whole. While this allows to build up a toolbox of candidate-specic techniques for analysis, and gives results at an earlier stage, this alone does not allow to draw direct conclusions about the security of the hash function that uses those building blocks. Also comparisons at this level are extremely dicult, as hash function use their building blocks in many dierent ways. Among the 14 candidates, only about a third of them have rst cryptanalytic results on the hash function proposal as a whole, were except the well dened security parameter nothing is changed. If nothing else, this seems to suggest that a lot of cryptanalysis remains to be done to allow for comparisons, and also to get the level of assurance that will be expected from a future SHA-3.