SHA-3 to Be Announced

243 points by stalled, over 12 years ago

7 comments

exDM69, over 12 years ago

I implemented the Skein hash in a crypto class at my uni. What is remarkable about that hash is that it has a "hash tree" mode which provides an interesting opportunity for parallelization and doing hashing of partial data. In contrast, many traditional hash algorithms are inherently sequential by nature.

On the other hand, as Mr. Schneier points out in the article, the Skein hash utilizes a modified Threefish block cipher, while many of the SHA-3 contestants were AES-based (edit: seems like none of the finalists are). Now we have a hardware AES implementation shipping in mainstream processors, so it gives an edge to the AES-based hash functions out there.

edit: I went through the list of finalists and it seems none of them actually use the whole AES block cipher, although several of them use AES S-boxes or other parts of AES.
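
The "hash tree" idea from the comment above, as an added example that is not part of the thread and not Skein's own tree mode: a generic binary hash tree over SHA-256. The chunk size, the 0x00/0x01 domain-separation prefixes and all function names are assumptions made for illustration. Leaves are hashed independently (so they can run in parallel), and changing one chunk only requires rehashing that leaf and the nodes above it.

```python
import hashlib
from concurrent.futures import ThreadPoolExecutor

CHUNK = 4096  # assumed leaf size in bytes; real tree modes make this a parameter

def leaf_hash(chunk):
    # 0x00 prefix marks a leaf, so a leaf can never be confused with a node
    return hashlib.sha256(b"\x00" + chunk).digest()

def node_hash(left, right):
    # 0x01 prefix marks an interior node built from two child digests
    return hashlib.sha256(b"\x01" + left + right).digest()

def split(data):
    return [data[i:i + CHUNK] for i in range(0, len(data), CHUNK)] or [b""]

def leaves_parallel(data, workers=4):
    # Each leaf depends only on its own chunk, so the work is independent
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return list(pool.map(leaf_hash, split(data)))

def root_from_leaves(leaves):
    level = list(leaves)
    while len(level) > 1:
        nxt = [node_hash(level[i], level[i + 1])
               for i in range(0, len(level) - 1, 2)]
        if len(level) % 2:
            nxt.append(level[-1])  # odd node is promoted unchanged
        level = nxt
    return level[0]

def tree_hash(data, workers=4):
    return root_from_leaves(leaves_parallel(data, workers))

def rehash_one_chunk(leaves, index, new_chunk):
    # Partial update: only one leaf is recomputed from data; the rest are reused
    updated = list(leaves)
    updated[index] = leaf_hash(new_chunk)
    return root_from_leaves(updated)

if __name__ == "__main__":
    data = bytes(range(256)) * 80  # constructed 20 KiB input, five chunks
    print(tree_hash(data).hex())
```
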
helper, over 12 years ago

I'm a bit surprised that Schneier is advocating for "no award". Even if the SHA-3 candidates are not fundamentally better than SHA-512, we really do need a standardized algorithm that has built in protection from length extension attacks.
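
Why length extension matters for a MAC, as an added example that is not part of the thread: a toy Merkle-Damgard hash (built here from SHA-256 as its compression step) whose digest is the raw final chaining state, beside an HMAC-style nesting over the same toy hash. `toy_md`, `IV`, the key and the messages are all constructed for illustration; this is not any standardized algorithm.

```python
import hashlib

BLOCK = 64
IV = bytes(32)  # constructed initial chaining value for the toy hash

def pad(total_len):
    # Merkle-Damgard strengthening: 0x80, zeros, 8-byte big-endian bit length
    zeros = (-(total_len + 9)) % BLOCK
    return b"\x80" + bytes(zeros) + (total_len * 8).to_bytes(8, "big")

def toy_md(data, state=IV, prior_len=0):
    # Toy iterated hash: the digest IS the final chaining state, unfinalized
    data += pad(prior_len + len(data))
    for i in range(0, len(data), BLOCK):
        state = hashlib.sha256(state + data[i:i + BLOCK]).digest()
    return state

def prefix_mac(key, msg):
    # Weak construction: H(key || msg)
    return toy_md(key + msg)

def continue_from_tag(tag, signed_len, suffix):
    # Uses only the published tag and the length of key||msg, never the key
    glue = pad(signed_len)
    return glue, toy_md(suffix, state=tag, prior_len=signed_len + len(glue))

def nested_mac(key, msg):
    # HMAC-style nesting: the inner chaining state is never published
    k = key.ljust(BLOCK, b"\0")
    inner = toy_md(bytes(b ^ 0x36 for b in k) + msg)
    return toy_md(bytes(b ^ 0x5C for b in k) + inner)

if __name__ == "__main__":
    key, msg = b"constructed-secret-key", b"user=alice"  # constructed values
    tag = prefix_mac(key, msg)
    glue, tag2 = continue_from_tag(tag, len(key) + len(msg), b"&note=appended")
    # True: the tag for the longer message was derived without the key
    print(tag2 == prefix_mac(key, msg + glue + b"&note=appended"))
```

A hash with built-in protection (a finalization step, or a sponge that keeps part of its state hidden) removes the need for the nesting workaround.
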
swordswinger12, over 12 years ago

I think NIST should have a big Apple-esque unveiling event for new crypto. I for one am that excited about SHA-3.
Zenst, over 12 years ago

Interesting that the reason for SHA-3 has been missed in that the finalists offer no better way to hash with the main difference being some are faster and some slower than the best SHA-2 variations.

What does this mean, well in effect no extra value is being directly offered, sure some have extra abilities by design like being more able to liberate parallel processing by being able to split the data to be hashed into chunks and work on partial blocks of the final data and use the results to get the final hash result. That is nice.

But when it comes to brute forcing then being faster works against you, also the ability to work on partial chunks of the data allows you to modify the code and rechecking the partial hash for the part you're changing until you get the same result, this allows you to do nasty things to code and get the official hash answer a lot easier than having to rehash the end result every time and getting the same result or modifying the code to get the same result (usually have area you jump over all nop and modify that to influence the hash, but more sane ways to do this but offtopic).

So in essence any hash that can be run faster in any way will make it weaker in terms of brute forcing (yes I know people assume their passwords will be the last one on the list to be checked via brute forcing and assume if it takes 10 years to test all variations then their password is 10 years strong, you see the flaw in mentality there).

Now NIST still have an opportunity here and it is a simple, tried and tested approach and that would be to have all finalists winners and have them all in the standard as variations. This then allows end users/admins to pick their variation of choice or even perish the thought allow mixed usage so say your /etc/password file could have some users using one variation, others using another, etc. Whilst it adds no obvious extra benefit, it will allow more variations and in that fallbacks/choice and that is what n BIT encryption/hashing is all about, each bit being a choice in a way.

So in summary I believe NIST should let them all win and have SHA-3.n with n being the variation of finalist, let them all win, choice is good and that is what n bit encryption is after all, extra choices.
dochtman, over 12 years ago

djb thought in March it was going to be Keccak:

https://twitter.com/hashbreaker/status/183552364953878528
JeremyBanks, over 12 years ago

Schneier picked a very misleading headline here. I was wary when I saw that the NIST page he links regarding the timeline still hasn't been updated since June, and then I saw him reply in the comments:

"> When will SHA3 be announced? Were you given special information the rest of us don't have access to?

I have no inside information on when SHA-3 will be announced. My guess is that they've made the decision, and are going over the final rationale again and again. My guess is that it won't be Skein."

Even though this is the original title, I'd prefer the HN title be edited to something about Schneier hoping NIST will pick no SHA-3.
Zenst, over 12 years ago

Out of interest these hash functions can be implemented in very few bytes with 100 being mooted for this Skein hash. With that in mind when it comes to brute forcing I do wonder if it would be possible to just brute force a better solution easier than brute forcing a hash, I say that in jest.

But it does make you realise how much impressive stuff you can do in just a few bytes and what else is out there.