6.857: Computer and Network Security
MIT's class 6.857 (Computer and Network Security, Fall
2009), taught by Professor Ronald L. Rivest, was given
a homework assignment to review some of the submissions
NIST SHA-3 Hash Function Competition
with respect to the arguments made by the submitters
about the security of their proposals. The homework assignment itself is given
here (see Problem 3).
Professor Rivest invited the students to post their
homework solutions online, for public review, in the
belief that this might be helpful to the SHA-3 process.
So, they are posted here. However, the following caveats
and understandings apply:
These solutions are posted with the students' explicit
permission. Some of the solutions are not posted,
some of the solutions are posted anonymously, and
some of the solutions are posted with the submitters'
names attached, at the discretion of the submitters.
Each solution was created by a team of three or four
Each team was given four candidate algorithms to review.
They were also asked to pick their favorite algorithm.
The students were only asked to consider the security
aspects of the submitted proposals. Some algorithms
were reviewed by more than one team. Some algorithms
may have no posted review here.
The MD6 algorithm was not given to any team, as that
algorithm was developed by Professor Rivest and a team
including Jayant Krishnamurthy, the 6.857 teaching
The evaluations and recommendations made in these reviews
are those of the student authors only; they do not in any way
represent any evaluation, official or otherwise, of
Professor Rivest, Jayant Krishnamurthy, MIT, or any other
individuals or organizations.
These are student reviews, not reviews by professionals who
have been working in the field for many years. Thus, they
may well contain serious mistakes or misunderstandings of
various kinds. Nothing in these reviews should be considered
authoritative, definitive, or expert opinion. Any recommendations
made should be considered as at best suggestive of what NIST
should do. Note in particular that the reviews did not
consider aspects other than security (such as speed).
The students are of course busy with many obligations, and
the reviews may sometimes show that the students really
needed more time to digest the proposals adequately.
These solutions are typically posted as they were received, with
little or no corrections and no indication of the grades
received by the students.
Nonetheless, even with all of these caveats,
it might be useful and/or interesting
to others examining the SHA-3
candidate algorithms to see what a class of MIT students studying
security thought of the security documentation
of the SHA-3 proposals in such an
We do not intend to post corrections or updates to these homework
postings. Substantial comments regarding any points made in these
evaluations should be posted on the hash-forum mailing list:
hash-forum at nist dot gov.
Here are the evaluations:
- Group 0: Cheetah, SHABAL, SHAMATA and
Blender -- by Tom Brown, Nick Semenkovich, and Capen Low
- Group 1: CRUNCH
SIMD, Dynamic SHA, ECHO -- by Elette Boyle, David Harvison,
Rodrigo Ipince and Benjamin Switala
- Group 2: Skein, ECHO, Dynamic
- Group 3: FUGUE, Arirang, Spectral Hash, Enrupt -- Declined to
post their problem solution
- Group 4: GROSTL, Hamsi,
- Group 5: KECCAK, LUX, AURORA, and
- Group 6: LANE, CHI, Sandstorm, MCSSHA-3 -- Declined to post their problem solution
- Group 7: FSB, Lesamnta, SHAvite-3, JH -- by Victor Williamson,
Trevor Rundell, and Oliver Yeh
- Group 8: BLAKE, Twister, Blue
Midnight Wish, Luffa
-- by Manal Dia, Curtis Liu, Eric Marion and Victoria Popic
- Group 9: NaSHA, CubeHash, SWIFFTX, Skein -- by Aleksandar Zlateski,
Ranko Sredojevic and Sarah Cheng
- Group 10: EDON-R, Sarmal, Vortex, Blue Midnight Wish -- Declined
to post their problem solution