6.857: Computer and Network Security

MIT's class 6.857 (Computer and Network Security, Fall 2009), taught by Professor Ronald L. Rivest, was given a homework assignment to review some of the submissions to the NIST SHA-3 Hash Function Competition with respect to the arguments made by the submitters about the security of their proposals. The homework assignment itself is given here (see Problem 3).

Professor Rivest invited the students to post their homework solutions online, for public review, in the belief that this might be helpful to the SHA-3 process.

So, they are posted here. However, the following caveats and understandings apply:

• These solutions are posted with the students' explicit permission. Some of the solutions are not posted, some of the solutions are posted anonymously, and some of the solutions are posted with the submitters' names attached, at the discretion of the submitters.
• Each solution was created by a team of three or four students.
• Each team was given four candidate algorithms to review. They were also asked to pick their favorite algorithm. The students were only asked to consider the security aspects of the submitted proposals. Some algorithms were reviewed by more than one team. Some algorithms may have no posted review here.
• The MD6 algorithm was not given to any team, as that algorithm was developed by Professor Rivest and a team including Jayant Krishnamurthy, the 6.857 teaching assistant.
• The evaluations and recommendations made in these reviews are those of the student authors only; they do not in any way represent any evaluation, official or otherwise, of Professor Rivest, Jayant Krishnamurthy, MIT, or any other individuals or organizations.
• These are student reviews, not reviews by professionals who have been working in the field for many years. Thus, they may well contain serious mistakes or misunderstandings of various kinds. Nothing in these reviews should be considered authoritative, definitive, or expert opinion. Any recommendations made should be considered as at best suggestive of what NIST should do. Note in particular that the reviews did not consider aspects other than security (such as speed).
• The students are of course busy with many obligations, and the reviews may sometimes show that the students really needed more time to digest the proposals adequately.
• These solutions are typically posted as they were received, with little or no corrections and no indication of the grades received by the students.

Nonetheless, even with all of these caveats, it might be useful and/or interesting to others examining the SHA-3 candidate algorithms to see what a class of MIT students studying security thought of the security documentation of the SHA-3 proposals in such an initial review.

We do not intend to post corrections or updates to these homework postings. Substantial comments regarding any points made in these evaluations should be posted on the hash-forum mailing list: hash-forum at nist dot gov.

Here are the evaluations:

• Group 0: Cheetah, SHABAL, SHAMATA and Blender -- by Tom Brown, Nick Semenkovich, and Capen Low
• Group 1: CRUNCH SIMD, Dynamic SHA, ECHO -- by Elette Boyle, David Harvison, Rodrigo Ipince and Benjamin Switala
• Group 2: Skein, ECHO, Dynamic SHA2, ESSENCE
• Group 3: FUGUE, Arirang, Spectral Hash, Enrupt -- Declined to post their problem solution
• Group 4: GROSTL, Hamsi, SWIFFTX, Sgail
• Group 5: KECCAK, LUX, AURORA, and TIB3
• Group 6: LANE, CHI, Sandstorm, MCSSHA-3 -- Declined to post their problem solution
• Group 7: FSB, Lesamnta, SHAvite-3, JH -- by Victor Williamson, Trevor Rundell, and Oliver Yeh
• Group 8: BLAKE, Twister, Blue Midnight Wish, Luffa -- by Manal Dia, Curtis Liu, Eric Marion and Victoria Popic
• Group 9: NaSHA, CubeHash, SWIFFTX, Skein -- by Aleksandar Zlateski, Ranko Sredojevic and Sarah Cheng
• Group 10: EDON-R, Sarmal, Vortex, Blue Midnight Wish -- Declined to post their problem solution