The NIST hash function competition was an open competition held by the US National Institute of Standards and Technology to develop a new hash function called SHA-3 to complement the older SHA-1 and SHA-2. The competition was formally announced in the Federal Register on November 2, 2007. "NIST is initiating an effort to develop one or more additional hash algorithms through a public competition, similar to the development process for the Advanced Encryption Standard." The competition ended on October 2, 2012 when the NIST announced that Keccak would be the new SHA-3 hash algorithm. The winning hash function has been published as NIST FIPS 202 the "SHA-3 Standard", to complement FIPS 180-4, the Secure Hash Standard. The NIST competition has inspired other competitions such as the Password Hashing Competition.
Process
Submissions were due October 31, 2008 and the list of candidates accepted for the first round was published on December 9, 2008. NIST held a conference in late February 2009 where submitters presented their algorithms and NIST officials discussed criteria for narrowing down the field of candidates for Round 2. The list of 14 candidates accepted to Round 2 was published on July 24, 2009. Another conference was held on August 23–24, 2010 at the University of California, Santa Barbara, where the second-round candidates were discussed. The announcement of the final round candidates occurred on December 10, 2010. On October 2, 2012, the NIST announced its winner, choosing Keccak, created by Guido Bertoni, Joan Daemen, and Gilles Van Assche of STMicroelectronics and Michaël Peeters of NXP.
Entrants
This is an incomplete list of known submissions. NIST selected 51 entries for round 1. 14 of them advanced to round 2, from which 5 finalists were selected.
Winner
The winner was announced to be Keccak on October 2, 2012.
Finalists
NIST selected five SHA-3 candidate algorithms to advance to the third round:
BLAKE
Grøstl
JH
Keccak
Skein
NIST noted some factors that figured into its selection as it announced the finalists:
Performance: "A couple of algorithms were wounded or eliminated by very large area requirement – it seemed that the area they required precluded their use in too much of the potential application space."
Security: "We preferred to be conservative about security, and in some cases did not select algorithms with exceptional performance, largely because something about them made us 'nervous,' even though we knew of no clear attack against the full algorithm."
Analysis: "NIST eliminated several algorithms because of the extent of their second-round tweaks or because of a relative lack of reported cryptanalysis – either tended to create the suspicion that the design might not yet be fully tested and mature."
Diversity: The finalists included hashes based on different modes of operation, including the HAIFA and sponge function constructions, and with different internal structures, including ones based on AES, bitslicing, and alternating XOR with addition.
NIST has released a report explaining its evaluation algorithm-by-algorithm.
Did not pass to Final Round
The following hash function submissions were accepted for Round Two, but did not make it to the final round. As noted in the announcement of the finalists, "none of these candidates was clearly broken".
Blue Midnight Wish
CubeHash
ECHO
Fugue
Hamsi
Luffa
Shabal
SHAvite-3
SIMD
Did not pass to Round Two
The following hash function submissions were accepted for Round One but did not pass to Round Two. They have neither been conceded by the submitters nor have had substantial cryptographic weaknesses. However, most of them have some weaknesses in the design components, or performance issues.
ARIRANG
CHI
CRUNCH
FSB
Lane
Lesamnta
MD6
SANDstorm
Sarmal
SWIFFTX
TIB3
Entrants with substantial weaknesses
The following non-conceded Round One entrants have had substantial cryptographic weaknesses announced:
AURORA
Blender
Cheetah
Dynamic SHA
Dynamic SHA2
ECOH
Edon-R
EnRUPT
ESSENCE
LUX
MCSSHA-3
NaSHA
Sgàil
Spectral Hash
Twister
Vortex
Conceded entrants
The following Round One entrants have been officially retracted from the competition by their submitters; they are considered broken according to the NIST official Round One Candidates web site. As such, they are withdrawn from the competition.
Abacus
Boole
DCH
Khichidi-1
MeshHash
SHAMATA
StreamHash
Tangle
WaMM
Waterfall
Rejected entrants
Several submissions received by NIST were not accepted as First Round Candidates, following an internal review by NIST. In general, NIST gave no details as to why each was rejected. NIST also has not given a comprehensive list of rejected algorithms; there are known to be 13, but only the following are public.
