The First 30 Years of Cryptographic Hash Functions and the NIST SHA-3 Competition

The first designs of cryptographic hash functions date back to the late 1970s; more proposals emerged in the 1980s. During the 1990s, the number of hash function designs grew very quickly, but for many of these proposals security flaws were identified. MD5 and SHA-1 were deployed in an ever increasing number of applications, resulting in the name “Swiss army knifes” of cryptography. In spite of the importance of hash functions, only limited effort was spent on studying their formal definitions and foundations. In 2004 Wang et al. perfected differential cryptanalysis to a point that finding collisions for MD5 became very easy; for SHA-1 a substantial reduction of the security margin was obtained. This breakthrough has resulted in a flurry of research, resulting in new constructions and a growing body of foundational research. NIST announced in November 2007 that it would organize the SHA-3 competition, with as goal to select a new hash function family by 2012. From the 64 candidates submitted by October 2008, 14 have made it to the second round. This paper presents a brief overview of the state of hash functions 30 years after their introduction; it also discusses the progress of the SHA-3 competition. 1 Early History and Definitions Cryptographic hash functions map input strings of arbitrary (or very large) length to short fixed length output strings. In their 1976 seminal paper on publickey cryptography [31], Diffie and Hellman identified the need for a one-way hash function as a building block of a digital signature scheme. The first definitions, analysis and constructions for cryptographic hash functions can be found in the work of Rabin [74], Yuval [99], and Merkle [60] of the late 1970s. Rabin proposed a design with a 64-bit result based on the block cipher DES [37], Yuval showed how to find collisions for an n-bit hash function in time 2 with the birthday paradox, and Merkle’s work introduced the requirements of collision resistance, second preimage resistance, and preimage resistance. In 1987, Damg̊ard [26] formalized the definition of collision resistance, and two years later Naor and Yung defined a variant of seoncd preimage resistant functions called Universal One Way Hash Functions (UOWHFs) [66] (also known as functions