TechEcho

A tech news platform built with Next.js, providing global tech news and discussions.

© 2025 TechEcho. All rights reserved.

SHA-3 NIST announcement controversy

77 points by tete almost 11 years ago

9 comments

pbsd almost 11 years ago
This was a manufactured controversy if I ever saw one. The controversial changes were proposed by the Keccak team sometime after Keccak was announced as the SHA-3 winner [1], and did not originate from NIST.

The idea was to decouple the security of the hash function from its output size, and have a single parameter determining its security (the capacity). At the moment, when you have a hash function, you expect to have 2^n (second-)preimage security and 2^(n/2) collision security, where n is the output size. In the case of sponges (and Keccak), the security level also depends on c, the capacity, which is a parameter that also happens to affect performance of the hash function.

To avoid generic preimage attacks, the capacity parameter in Keccak must be 4 times the size of the desired security level; for 128 bits of security we need c = 512, for 256 we need c = 1024. Achieving collision resistance requires smaller c, only 2 times the desired security level. This results in a very slow hash function at high security, more than twice as slow as SHA-512 on x86 chips.

So the proposal was to set c = 2n, where n is the security level. This puts the preimage resistance of Keccak at the same level as its collision resistance, i.e., 2^128 preimage security for a 256-bit output, and 2^256 security for a 512-bit hash. That is, the strengths of the 3 main properties of the hash function, preimage, second-preimage, and collision-resistance are all the same. This is not what is expected out of a perfect hash function, but this is very reasonable nonetheless, and the performance of Keccak is otherwise lacking.

After the leaks, however, there was a lot of attention focused on NIST and these changes to Keccak got confused with attempted backdooring. Much protesting ensued, and the decision ended up being reverted back to having a Keccak that has 512-bit preimage security at 512 bits of output, but is disappointingly slow.

[1] http://csrc.nist.gov/groups/ST/hash/sha-3/documents/Keccak-slides-at-NIST.pdf (Slide 47 onwards)
Comment #8062594 not loaded
Comment #8061921 not loaded
Comment #8062952 not loaded
wbl almost 11 years ago
There is more to the story than is in the linked article. DJB contributed Cubehash, which had limited preimage resistance due to some design decisions made for speed. This was controversial, and one of the reasons for Cubehash being eliminated. But at the end of the competition, NIST lowered the preimage resistance requirement for the eventual standard to that of Cubehash.

In practice I don't think it would matter: the additional speed of the reduced capacity version would be nice to have. However, many competition entries would look different to take advantage of this.
Comment #8070655 not loaded
HansHarmannij almost 11 years ago
A few years back I had the chance to talk with Joan Daemen after he gave a presentation about Keccak, which hadn't won the competition yet. This was way before Snowden. He was very sceptical about the use of his work. He thought it was fun doing it, but it didn't have any use, since everything has backdoors anyway. That's what he said. Sounded a bit paranoid to me back then, but now it sounds a lot more plausible.
Comment #8061761 not loaded
AlyssaRowan almost 11 years ago
As you'll note, they went back on these changes and the final (currently draft) SHA-3 in the FIPS-202 draft is Keccak pretty much as it was entered. They've proposed using the Keccak team's own Sakura padding - which is a pretty simple padding, also ready for use with tree-hashes.

See also: http://keccak.noekeon.org/a_concrete_proposal.html

I have no security concerns with the proposed SHA-3 drop-ins.

I am not entirely satisfied with the SHAKE XOF functions, as they didn't specify SHAKE512(M,d) = KECCAK[1024](M || 1111, d) but instead the weaker SHAKE256 and SHAKE128. Those functions won't have a problem now, but I don't think they hold up to post-quantum well enough for use with, say, Merkle signatures.

As usual, they strongly favour hardware implementations; that's internal culture at work, there.

Software performance of SHA-3 is unfortunately not very good. The other finalists like BLAKE (or its faster successor BLAKE2), or Skein, are much more viable software contenders (and make excellent tree hashes), and no-one's particularly rushing towards SHA-3 anyway as except for the length-extension attack common to all Damgård-Merkle hashes, the SHA-2 functions seem okay for now (except for the not-entirely-undeserved stigma of having come from the NSA - that said, I don't think they're 'enabled' in any way).

Bigger problems exist than our hash algorithms, but it's good to have a few good ones under our belts for the future.
Comment #8062991 not loaded
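To make the capacity/rate trade-off in pbsd's comment and the SHAKE XOF behaviour AlyssaRowan mentions concrete, here is a small pure-Python Keccak sponge whose capacity is a free parameter. This is an added example written for this page, not code from the thread, from NIST or from the Keccak team. At the standard capacities it is cross-checked against CPython's hashlib (SHA3-256, SHA3-512, SHAKE128, SHAKE256). It then computes the generic security bounds for the standardised SHA3-256 (c = 512) beside a c = 256 variant constructed to match the "c = 2 × security level" proposal as pbsd describes it; that c = 256 variant, the `generic_strength` helper and the test messages are constructed for the example and are not the parameters of any NIST draft.

```python
import hashlib

# Keccak-f[1600] constants: round constants and rho rotation offsets ROT[x][y].
RC = [
    0x0000000000000001, 0x0000000000008082, 0x800000000000808A, 0x8000000080008000,
    0x000000000000808B, 0x0000000080000001, 0x8000000080008081, 0x8000000000008009,
    0x000000000000008A, 0x0000000000000088, 0x0000000080008009, 0x000000008000000A,
    0x000000008000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003,
    0x8000000000008002, 0x8000000000000080, 0x000000000000800A, 0x800000008000000A,
    0x8000000080008081, 0x8000000000008080, 0x0000000080000001, 0x8000000080008008,
]
ROT = [[0, 36, 3, 41, 18], [1, 44, 10, 45, 2], [62, 6, 43, 15, 61],
       [28, 55, 25, 21, 56], [27, 20, 39, 8, 14]]
MASK = (1 << 64) - 1
WIDTH_BITS = 1600  # permutation width b; the rate is r = b - c


def rol(x, n):
    """Rotate a 64-bit lane left by n bits (0 <= n < 64)."""
    return ((x << n) | (x >> (64 - n))) & MASK if n else x


def keccak_f1600(a):
    """The Keccak-f[1600] permutation on a 5x5 array of 64-bit lanes a[x][y]."""
    for rnd in range(24):
        # theta: mix each lane with the parities of two neighbouring columns
        c = [a[x][0] ^ a[x][1] ^ a[x][2] ^ a[x][3] ^ a[x][4] for x in range(5)]
        d = [c[(x - 1) % 5] ^ rol(c[(x + 1) % 5], 1) for x in range(5)]
        a = [[a[x][y] ^ d[x] for y in range(5)] for x in range(5)]
        # rho (rotate lanes) and pi (move lanes to new positions)
        b = [[0] * 5 for _ in range(5)]
        for x in range(5):
            for y in range(5):
                b[y][(2 * x + 3 * y) % 5] = rol(a[x][y], ROT[x][y])
        # chi: the only non-linear step
        a = [[b[x][y] ^ (~b[(x + 1) % 5][y] & b[(x + 2) % 5][y]) for y in range(5)]
             for x in range(5)]
        # iota: break the symmetry between rounds
        a[0][0] ^= RC[rnd]
    return a


def sponge(message, capacity_bits, output_bytes, suffix):
    """Keccak sponge: absorb at rate 1600 - c, then squeeze output_bytes.
    suffix is the domain-separation byte placed before pad10*1:
    0x06 for the SHA-3 fixed-length hashes, 0x1F for the SHAKE XOFs."""
    rate = (WIDTH_BITS - capacity_bits) // 8      # bytes absorbed per permutation call
    padded = bytearray(message) + bytes([suffix])
    while len(padded) % rate:
        padded.append(0)
    padded[-1] |= 0x80                            # the final 1 bit of pad10*1
    state = [[0] * 5 for _ in range(5)]
    for off in range(0, len(padded), rate):        # absorb phase
        block = padded[off:off + rate]
        for i in range(rate // 8):                 # lane i sits at x = i % 5, y = i // 5
            state[i % 5][i // 5] ^= int.from_bytes(block[8 * i:8 * i + 8], "little")
        state = keccak_f1600(state)
    out = bytearray()
    while True:                                    # squeeze phase (several blocks for an XOF)
        for i in range(rate // 8):
            out += state[i % 5][i // 5].to_bytes(8, "little")
        if len(out) >= output_bytes:
            return bytes(out[:output_bytes])
        state = keccak_f1600(state)


def generic_strength(capacity_bits, output_bits):
    """Generic sponge security in bits for capacity c and output n:
    preimage min(n, c/2), collision min(n/2, c/2); plus the rate in bytes."""
    return {
        "preimage": min(output_bits, capacity_bits // 2),
        "collision": min(output_bits // 2, capacity_bits // 2),
        "rate_bytes": (WIDTH_BITS - capacity_bits) // 8,
    }


def check_against_hashlib():
    """Cross-check the toy sponge against CPython's FIPS 202 implementation."""
    msgs = [b"", b"abc", b"a" * 200]   # constructed inputs; 200 bytes spans two blocks
    return all(
        sponge(m, 512, 32, 0x06) == hashlib.sha3_256(m).digest()
        and sponge(m, 1024, 64, 0x06) == hashlib.sha3_512(m).digest()
        and sponge(m, 256, 100, 0x1F) == hashlib.shake_128(m).digest(100)
        and sponge(m, 512, 300, 0x1F) == hashlib.shake_256(m).digest(300)
        for m in msgs
    )


def compare_proposal(output_bits=256):
    """SHA3-256 as standardised (c = 512) beside the c = 256 variant that
    illustrates the thread's 'c = 2 x security level' proposal: same output
    length, larger rate (faster), but the preimage bound drops to 128 bits."""
    standard = generic_strength(2 * output_bits, output_bits)
    proposed = generic_strength(output_bits, output_bits)
    return standard, proposed


if __name__ == "__main__":
    print("matches hashlib:", check_against_hashlib())
    print("standard c=512:", compare_proposal()[0], "variant c=256:", compare_proposal()[1])
```

Running it shows the two SHA3-256-sized outputs for the same message differ (the capacity changes where the message lands in the state), the c = 256 variant absorbs 168 bytes per permutation instead of 136, and its generic preimage bound falls from 256 to 128 bits while the collision bound stays at 128, which is exactly the "all three properties equal" situation pbsd describes.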
trufflez almost 11 years ago
TL;DR

SHA-3 (with very specific parameters) won the brutally audited NIST hash competition. NIST announces official SHA-3 will use different parameters that were never evaluated in the competition phase. Warning bells go off. NIST backpedals. Cue conspiracy theories due to precedent for backdoored crypto algos.
Comment #8062075 not loaded
mindslight almost 11 years ago
tangential: if you're worried about nsa-backdoored algorithms, instead of betting hard on one particular that you happen to judge beyond reproach, you'd be better off incorporating algorithm agility into your design (ofc in such a way that rules out downgrade attacks by construction).
Comment #8062320 not loaded
lumpypua almost 11 years ago
Can the title be edited back somewhat toward the original? "Can SHA-3 be trusted?" is definitely editorializing, but the new title wipes away the context for discussing SHA-3's security.

Even a title of "SHA-3 NIST announcement controversy" would be good.
Comment #8061933 not loaded
Comment #8061790 not loaded
higherpurpose almost 11 years ago
Blake2 is better and much faster anyway:

https://blake2.net/
ilaksh almost 11 years ago
NIST has demonstrated to such a high degree on multiple occasions that it isn't trustworthy, so I think it should be ignored, practically speaking.
Comment #8061824 not loaded