21

I know SHA-224, SHA-256, SHA-384 and SHA-512 are all part of the SHA-2 hash function family. But there is now also a new SHA-3 hash algorithm.

Could you please tell me the difference between SHA-2 and SHA-3? When and why should I use SHA-3? And which secure hash algorithm(s) does SHA-3 actually include?

Ilmari Karonen
user1926193
  • 2
    @xuinkrbin. That's a shame, as it is off topic on this forum - this question would be better off at crypto.stackexchange. Note that we now have one answer, and no additional answers can be added. So there is no way that this will ever become a useful hit at Google - even if Ilmari's answer isn't half bad. But I've removed my rather offensive remark. – Maarten Bodewes Aug 22 '13 at 23:27
  • 1
    It was useful to me. :-) – 700 Software Jul 12 '16 at 20:43

1 Answer

36

SHA-3, also known as Keccak (its original name before it was chosen as the winner of the NIST SHA-3 competition), is a completely new hash algorithm that has nothing to do with SHA-1 and SHA-2.

Indeed, one of the stated reasons why NIST chose Keccak over the other SHA-3 competition finalists was its dissimilarity to the existing SHA-1/2 algorithms; it was argued that this dissimilarity makes it a better complement to the existing SHA-2 algorithms (which are still considered secure and recommended by NIST), as well as making it less likely that any future cryptanalytic breakthroughs would compromise the security of both SHA-2 and SHA-3.

For some background, the SHA-3 hash function competition was originally announced by NIST in 2007, after some new cryptanalytic attacks had called the security of SHA-1 into question. While the attacks on SHA-1 were mainly of theoretical interest back then, it was feared that further improvements on these techniques might allow practical collision-finding attacks on SHA-1, and that the same techniques might also be applied against SHA-2, which shares a similar design to SHA-1. Thus, NIST decided to hold a competition to select a successor for SHA-2, which would be named SHA-3.

However, while a real-world collision attack on SHA-1 was finally demonstrated in 2017, the feared attacks on SHA-2 have failed to materialize. It's nowadays generally accepted that breaking SHA-2 won't be as easy as it seemed ten years ago, and thus all the variants of SHA-2 are still considered secure for the foreseeable future. However, since NIST had promised that SHA-3 would be chosen in 2012, and since a lot of people had spent quite a bit of time and effort on submitting and evaluating new hash functions for the competition, and since there were some really nice designs among the finalists, it would've seemed a shame not to choose any of them as the winner after all. So NIST decided to select Keccak as SHA-3, and to recommend it as an alternative (not successor) to the SHA-2 hash functions.

What all that means is that, if you want a secure and standardized hash function, you can choose either SHA-2 or SHA-3. If you're feeling really paranoid, you may even want to use both, and to design your cryptosystem so that it remains secure even if either one of the hash functions is broken.

Ilmari Karonen
  • 6
    Using both hash functions can be a bit dangerous if you don't know what you are doing. It depends on what you want to achieve of course. – Maarten Bodewes Jan 16 '13 at 21:48
  • 2
    Dangerous how? (not sure about potential pitfalls here...) – Laoujin Mar 24 '18 at 01:03
  • 2
    Not a cryptanalyst here, but I think dangerous could mean either it could be easier to collide sha3(sha2(X)) than to collide sha2(X) or sha3(X), or it could mean that providing both sha2(X) and sha3(X) could leak more information about X than intended, and make guessing X easier. – Tshirtman Dec 26 '19 at 22:56
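
An added example, not part of the original answer or comments, for the "use both" design discussed above: it compares chaining two hashes with concatenating their outputs when one of them is broken. `weak_hash` is a constructed stand-in for a broken hash (SHA-256 truncated to 16 bits, an assumption made so that collisions are cheap to find), and all function names are hypothetical.

```python
import hashlib
from itertools import count

def weak_hash(data: bytes) -> bytes:
    # Constructed stand-in for a broken hash: SHA-256 truncated to 16 bits,
    # so a collision turns up after a few hundred tries.
    return hashlib.sha256(data).digest()[:2]

def strong_hash(data: bytes) -> bytes:
    # The hash assumed to remain unbroken.
    return hashlib.sha3_256(data).digest()

def chained(data: bytes) -> bytes:
    # Composition strong(weak(x)): any collision in the inner hash carries through.
    return strong_hash(weak_hash(data))

def concatenated(data: bytes) -> bytes:
    # Concatenation weak(x) || strong(x): a collision needs both halves to
    # collide on the same pair of messages.
    return weak_hash(data) + strong_hash(data)

def find_weak_collision():
    # Birthday search over constructed messages "msg-0", "msg-1", ...
    seen = {}
    for i in count():
        msg = b"msg-%d" % i
        tag = weak_hash(msg)
        if tag in seen:
            return seen[tag], msg
        seen[tag] = msg

def demo() -> dict:
    a, b = find_weak_collision()
    return {
        "distinct_messages": a != b,
        "weak_collides": weak_hash(a) == weak_hash(b),
        "chained_collides": chained(a) == chained(b),
        "concatenated_collides": concatenated(a) == concatenated(b),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Concatenation keeps collision resistance as long as one of the two hashes holds, but its output still exposes whatever the weaker hash reveals about the input.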