The primary requirement for a hash function is security. The SHA-3 Zoo gives an overview of the current state of SHA-3 cryptanalysis. Unfortunately, evaluating the security of an algorithm is a lot of hard work, and performing a thorough security evaluation of all SHA-3 candidate algorithms is infeasible.
This page takes a different approach. We first analyze the engineering aspects of each candidate, such as performance, memory use, and overhead. Because the final SHA-3 candidate has to have good engineering properties, it is far more efficient to select on the engineering properties first and perform the security analysis only on the candidates that have good engineering properties. Our primary engineering metrics are:
- Speed on 64-bit CPUs
- Memory required
- Overhead for small messages
- Use of table lookups
We concentrate on the software performance of 64-bit code, as that is the most relevant metric. By the time the SHA-3 standard is selected, 64-bit code will be dominant for performance-sensitive applications. There will be many embedded systems with 32-bit CPUs, but these are rarely performance-critical and have the option to either switch to a 64-bit CPU or add dedicated hardware.
We divide the algorithms into four categories:
- Good: Algorithms that we believe make a good standard from an engineering point of view and can be used in all situations where current hash functions are being used. (Algorithms are put in this category until a problem has been identified.)
- Fair: Algorithms that have some significant disadvantages but could be made to work in most situations.
- Poor: Algorithms that will lead to serious engineering problems when they are used in ways that hash functions are commonly used in practice today.
- Broken: Algorithms that have been broken. See the SHA-3 Zoo for details.
Within each category the algorithms are sorted by speed on 64-bit CPUs (where we choose the fastest of the 256/512-bit hash variants).
Please note that this is a very preliminary analysis; most of the data is taken from a quick scan of the submission documentation for each function. Also, it is purely the internal evaluation of the Skein team that we use to select which competitors to spend time on. The data in this table is incomplete, possibly incorrect, and does not necessarily reflect the opinion of any individual Skein team member or any of our employers. If you see gross errors in the table, please let us know and we'll correct them when we have time.
Performance data is given in cycles per byte for 256-bit/512-bit hash computation; memory data is the memory required (on small machines with few registers) for 256-bit/512-bit hashing.
| Algorithm | 64-bit code | 32-bit code | Memory | Extras | Remarks |
|---|---|---|---|---|---|
| "Good" algorithms, faster than 10 cycles/Byte | | | | | |
| Blue Midnight Wish | 7.32/3.63 | 7.64/12.6 | 264/528 | | |
| TIB3 | 7.68/6.24 | 13/4.95 | | | 32-bit TIB3-512 SSE code by Wei Dai. 64-bit code could probably be as fast as 32-bit code. |
| Skein | 7.6/6.1 | 21.6/20.1 | 100/200 | MAC, personalization, PK, KDF, stream cipher, PRNG, randomized, tree, variable output size, block cipher | Speed from conf. presentation |
| Shabal | 8.03 | 10.2 | | | Speed from conf. presentation |
| BLAKE | 8.19/9.29 | 9.21/12.53 | | randomized | Speed from email announcement |
| "Good" algorithms, slower than 10 cycles/Byte | | | | | |
| Keccak | 10/20 | 31/62 | | randomized, personalization, MAC, stream cipher, PRNG | Speed from conf. presentation |
| SIMD | 11/12 | 12/13 | | | >60 c/B without SSE instructions. |
| Arirang | 15/11.3 | 20.1/55.2 | | | |
| Luffa | 13.4/23.2 | 13.9/25.5 | | | |
| CHI | 24/16 | 49/78 | 198/318 | | |
| JH | 16.8 | 21.3 | | | |
| Grøstl | 22.2/30.5 | 23.1/36.7 | | MAC | Speed from conf. presentation |
| Hamsi | 25/? | ? | | | Speed from conf. presentation |
| LANE | 25.7/145 | 40.5/152 | | | |
| SHAvite-3 | 26.7/38.2 | 35.3/55 | | | |
| Fugue | 28/56 | 36/72 | | | |
| Echo | 28.5/53.5 | 32.5/61 | | | Much faster with Intel AES instruction |
| "Fair" algorithms | | | | | |
| MD6 | 28/44 | 68/106 | > 700 | Tree, MAC | Memory use is not practical on smart cards |
| SANDstorm | 37/95 | 62/297 | | | Memory > 650 bytes, this is not practical on smart cards. Uses table lookup. |
| Lesamnta | 52.7/51.2 | 59.2/54.5 | | | Slow. Speed from conf. presentation. |
| SWIFFTX | 57 | 57(?) | | | Too slow. Performance data unclear. |
| "Poor" algorithms | | | | | |
| CubeHash | 160 | 200 | | | Too slow. Are the speed numbers correct? |
| FSB | 324/507 | | | | Too slow |
| Broken algorithms | | | | | |
| Abacus | 37.6 | 37.6 | | | Broken |
| Aurora | 15.0/26.9 | 19.8/35.5 | | | Broken. Speed from conf. presentation. |
| Blender | | | | | Broken |
| Cheetah | 9.3/13.6 | 15/30 | | | Length extension attack. Speed from conf. presentation |
| Crunch | 161/446 | 298/862 | | | Length extension attack. Too slow. |
| DCH | | | | | Broken |
| Dynamic SHA | 27.9/47.2 | 27.9/47.2 | | | Length extension attack, collision |
| Dynamic SHA2 | 21.9/67.2 | 21.9/67.3 | | | Length extension attack, collision |
| ECOH | >1000 | 7500/10000 | | | Too slow. Broken. |
| Edon-R | 4.30/2.29 | 6.46/10.0 | 256/512 | | Broken. |
| EnRUPT | | | | | Broken |
| ESSENCE | 42/40 | 59/76 | | | Slow. Broken. |
| Khichidi-1 | | | | | Broken |
| LUX | 10.2/9.5 | 16.7/28.2 | | | Speed from conf. presentation. Broken. |
| MCSSHA-3 | 60 | | | | Broken |
| MeshHash | 13.7/18.5 | 42.5/67.3 | | | Broken. |
| NaSHA | 26.5/26.8 | 27.3/30.6 | | | Broken. Speed from conf. presentation |
| Sarmal | 9.4/10.9 | 19.2/23.3 | | | Broken. |
| Sgàil | 61 | | | | Broken |
| Spectral Hash | | | | | Broken (near collisions) |
| StreamHash | | | | | Broken |
| Tangle | | | | | Broken |
| Twister | 15.8/17.5 | 35.8/39.6 | | | Broken. |
| Vortex | 46.3/56.1 | 69.4/90.1 | | | Correlation on output bits. Speeds up to < 3 cycles/byte using future Intel CPUs |
| No longer part of competition | | | | | |
| Boole | 7.68/7.68 | 21.5/21.5 | | MAC, PRNG, stream cipher | Withdrawn |
| HASH 2X | | | | | Did not make round 1. Broken |
| Maraca | 5.3 | | | | Did not make round 1. Too slow for short messages (e.g. IPsec authentication of a 40-byte packet); requires >6kB memory (impossible on smart cards) |
| NKS2D | | | | | Did not make round 1. Broken |
| Ponic | 3000 | 7000 | | | Did not make round 1. Broken, too slow |
| SHAMATA | 8/11 | 15/22 | | | Withdrawn |
| WaMM | 360 | 360 | | | Withdrawn |
| Waterfall | 16.3 | 16.3 | | | Withdrawn |
