Engineering comparison of SHA-3 candidates

The primary requirement for a hash function is the security. The SHA-3 Zoo gives an overview of the current state of SHA-3 cryptanalysis. Unfortunately, evaluating the security of an algorithm is lots of hard work. Performing a thorough security evaluation of all SHA-3 candidate algorithms is infeasible.

This page takes a different approach. We first analyze the engineering aspects of each candidate. This includes aspects like performance, memory use, overhead, etc. As the final SHA-3 candidate has to have good engineering properties, it is far more efficient to first select on the engineering properties and only perform the security analysis on the candidates that have good engineering properties. Our primary engineering metrics are

Speed on 64-bit CPUs
Memory required
Overhead for small messages
Use of table lookups

We concentrate on software performance on 64-bit code as that is the most relevant metric. By the time SHA-3 standard is selected, 64-bit code will be dominant for performance-sensitive applications. There will be many embedded systems with 32-bit CPUs, but these are rarely performance-critical and have the option to either switch to a 64-bit CPU or add dedicated hardware.

We divide the algorithms into four categories:

Good: Algorithms that we believe make a good standard from an engineering point of view and can be used in all situations where current hash functions are being used. (Algorithms are put in this category until a problem has been identified.)
Fair: Algorithms that have some significant disadvantages but could be made to work in most situations.
Poor: Algorithms that will lead to serious engineering problems when they are used in ways that hash functions are commonly used in practice today.
Broken: Algorithms that have been broken. See the SHA-3 Zoo for details

Within each category the algorithms are sorted in by speed on 64-bit CPUs (where we choose the fastest of the 256/512-bit hash variants).

Please note that this is a very preliminary analysis; most of the data is taken from a quick scan of the submission documentation for each function. Also, it is purely the internal evaluation of the Skein team that we use to select which competitors to spend time on. The data in this table is incomplete, possibly incorrect, and does not necessarily reflect the opinion of any individual Skein team member or any of our employers. If you see gross errors in the table, please let us know and we'll correct them when we have time.

Perfomance data is given in cycles per byte for 256-bit/512-bit hash computation, memory data as memory required (on small machines with few registers) for 256-bit/512-bit hashing.

Algorithm	64-bit code	32-bit code	Memory	Extras	Remarks
"Good" algorithms, faster than 10 cycles/Byte
Blue Midnight Wish	7.32/3.63	7.64/12.6	264/528
TIB3	7.68/6.24	13/4.95			32-bit TIB3-512 SSE code by Wei Dai. 64-bit code could probably be as fast as 32-bit code.
Skein	7.6/6.1	21.6/20.1	100/200	MAC, personalization, PK, KDF, stream cipher, PRNG, randomized, tree, variable output size, block cipher	Speed from conf. presentation
Shabal	8.03	10.2			Speed from conf. presentation
BLAKE	8.19/9.29	9.21/12.53		randomized	speed from email announcement

"Good" algorithms, slower than 10 cycles/Byte
Keccak	10/20	31/62		randomized, personalization, MAC, stream cipher, PRNG	Speed from conf. presentation
SIMD	11/12	12/13			>60 c/B without SSE instructions.
Arirang	15/11.3	20.1/55.2
Luffa	13.4/23.2	13.9/25.5
CHI	24/16	49/78	198/318
JH	16.8	21.3
Grøstl	22.2/30.5	23.1/36.7		MAC	Speed from conf. presentation
Hamsi	25/?	?			Speed from conf. presentation
LANE	25.7/145	40.5/152
SHAvite-3	26.7/38.2	35.3/55
Fugue	28/56	36/72
Echo	28.5/53.5	32.5/61			Much faster with Intel AES instruction

"Fair" algorithms
MD6	28/44	68/106	> 700	Tree, MAC	Memory use is not practical on smart cards
SANDstorm	37/95	62/297			Memory > 650 bytes, this is not practical on smart cards. Uses table lookup.
Lesamnta	52.7/51.2	59.2/54.5			Slow. Speed from conf. presentation.
SWIFFTX	57	57(?)			Too slow. Performance data unclear.

"Poor" algorithms
CubeHash	160	200			Too slow. Are the speed numbers correct?
FSB		324/507			Too slow

Broken algorithms
Abacus	37.6	37.6			Broken
Aurora	15.0/26.9	19.8/35.5			Broken. Speed from conf. presentation.
Blender					Broken
Cheetah	9.3/13.6	15/30			Length extension attack. Speed from conf. presentation
Crunch	161/446	298/862			Length extension attack. Too slow.
DCH					Broken
Dynamic SHA	27.9/47.2	27.9/47.2			Length extension attack, collision
Dynamic SHA2	21.9/67.2	21.9/67.3			Length extension attack, collision
ECOH	>1000	7500/10000			Too slow. Broken.
Edon-R	4.30/2.29	6.46/10.0	256/512		Broken.
EnRUPT					Broken
ESSENSE	42/40	59/76			Slow. Broken.
Khichidi-1					Broken
LUX	10.2/9.5	16.7/28.2			Speed from conf. presentation. Broken.
MCSSHA-3		60			Broken
MeshHash	13.7/18.5	42.5/67.3			Broken.
NaSHA	26.5/26.8	27.3/30.6			Broken. Speed from conf. presentation
Sarmal	9.4/10.9	19.2/23.3			Broken.
Sgàil	61				Broken
Spectral Hash					Broken (near collisions)
StreamHash					Broken
Tangle					Broken
Twister	15.8/17.5	35.8/39.6			Broken.
Vortex	46.3/56.1	69.4/90.1			Correlation on output bits. Speeds up to < 3 cycles/byte using future Intel CPUs

No longer part of competition
Boole	7.68/7.68	21.5/21.5		MAC, PRNG, stream cipher	Withdrawn
HASH 2X					Did not make round 1. Broken
Maraca	5.3				Did not make round 1. Too slow for short messages (e.g. IPsec authentication of a 40-byte packet); requires >6kB memory (impossible on smart cards)
NKS2D					Did not make round 1. Broken
Ponic	3000	7000			Did not make round 1. Broken, too slow
SHAMATA	8/11	15/22			Withdrawn
WaMM	360	360			Withdrawn
Waterfall	16.3	16.3			Withdrawn