Big news in the world of real cryptography: the SHA-3 finalists were announced. (An email was sent out on the hash-forum mailing list earlier today.) The finalists are

BLAKE

Grøstl

JH

Keccak

Skein

(See here for more information about the competition and all the above candidates.)

I have been following the competition with interest, more as an “interested outsider” than as an expert in hash function design. Some off-the-cuff observations:

According to the announcement, the choice of finalists came down more to issues of efficiency than issues of security. Indeed, to the best of my knowledge there have not been any serious attacks on any of the 14 semi-finalists. Does this mean all 14 semi-finalists were really strong? Or that people didn’t spend sufficient time analyzing all the candidates? In particular, talking to some people (with more knowledge than me) over the past few months there was a sense of less activity as compared to the AES competition.

Given the above, NIST didn’t have much to go on, with regard to security, in making their decision. They even made what I find to be an unusual statement in their announcement: “in some cases [we] did not select algorithms … largely because something about them made us ‘nervous,’ even though we knew of no clear attack”.

According to the announcement, NIST consciously chose the finalists with diversity of design in mind. (I.e., they did not choose 5 finalists all sharing the same structure.)

Some surprises (to me): some submissions by very well-known cryptanalysts did not make it to the final round (e.g., Cubehash, Echo, Fugue, and SHAvite-3), while some by less well-known cryptanalysts did (I’ll leave you to guess which ones I mean).

On the lighter side, seems that I have won my bet…