The NIST SHA-3 Competition: A Perspective on the Final Year

Cryptographic hash functions map input strings of arbitrary length to fixed length output strings. They are expected to satisfy several security properties that include preimage resistance, second preimage resistance, and collision resistance. The free availability of efficient software-oriented hash functions such as MD4, MD5 and SHA-1 has resulted in a very broad deployment of hash functions, way beyond their initial design purposes. In spite of the importance for applications, until 2005 the amount of theoretical research and cryptanalysis invested in this topic was rather limited. Moreover, cryptanalysts had been winning the battle from designers: about 4 of every 5 designs were broken. In 2004 Wang et al. made a breakthrough in the cryptanalysis of MD4, MD5 and SHA-1. Around the same time, serious shortcomings were identified in the theoretical foundations of existing designs. In response to this hash function crisis, in the last five years a substantial number of papers has been published with theoretical results and novel designs. Moreover, NIST announced in November 2007 the start of the SHA-3 competition, with as goal to select a new hash function family by 2012. We present a brief outline of the state of the art of hash functions in the last year of the competition and attempt to identify the lessons learned and some open research problems.