https://ehash.iaik.tugraz.at/api.php?action=feedcontributions&user=JAumasson&feedformat=atom
The ECRYPT Hash Function Website - User contributions [en]
2024-07-08T06:58:58Z
User contributions
MediaWiki 1.31.3
https://ehash.iaik.tugraz.at/index.php?title=Fugue&diff=3716
Fugue
2011-07-12T07:05:41Z
<p>JAumasson: /* Building blocks */ added Gauravaram et al. results</p>
<hr />
<div>== The algorithm ==<br />
<br />
* Author(s): Shai Halevi and William E. Hall and Charanjit S. Jutla<br />
* Website: [http://domino.research.ibm.com/comm/research_projects.nsf/pages/fugue.index.html http://domino.research.ibm.com/comm/research_projects.nsf/pages/fugue.index.html]<br />
* NIST submission package: <br />
** round 1/2: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/documents/Fugue_Round2_Update.zip Fugue_Round2_Update.zip] (old versions: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/Fugue.zip Fugue.zip], [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/FugueUpdate.zip FugueUpdate.zip], [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/documents/Fugue_Round2.zip Fugue_Round2.zip])<br />
<br />
<br />
<bibtex><br />
@misc{sha3Halevi09,<br />
author = {Shai Halevi and William E. Hall and Charanjit S. Jutla},<br />
title = {The Hash Function Fugue},<br />
url = {http://domino.research.ibm.com/comm/research_projects.nsf/pages/fugue.index.html/$FILE/fugue_09.pdf},<br />
howpublished = {Submission to NIST (updated)},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{sha3Halevi08,<br />
author = {Shai Halevi and William E. Hall and Charanjit S. Jutla},<br />
title = {The Hash Function Fugue},<br />
url = {http://domino.research.ibm.com/comm/research_projects.nsf/pages/fugue.index.html/$FILE/NIST-submission-Oct08-fugue.pdf},<br />
howpublished = {Submission to NIST},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
<br />
== Cryptanalysis ==<br />
<br />
We distinguish between two cases: results on the complete hash function, and results on underlying building blocks.<br />
<br />
A description of the tables is given [http://ehash.iaik.tugraz.at/wiki/Cryptanalysis_Categories#Individual_Hash_Function_Tables here].<br />
<br />
Recommended security parameters: (k,r,t) = '''(2,5,13)''' for (n=224,256); (k,r,t) = '''(3,5,13)''' for (n=384); (k,r,t) = '''(4,8,13)''' for (n=512)<br />
<br />
=== Hash function ===<br />
<br />
Here we list results on the hash function according to the NIST requirements. The only allowed modification is to change the security parameter.<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Size (n) || Parameters || Compression Function Calls || Memory Requirements || Reference <br />
|-<br />
| || |||| || || <br />
|- <br />
|} <br />
<br />
<br />
=== Building blocks ===<br />
<br />
Here we list results on underlying building blocks, and the hash function modified by other means than the security parameter.<br />
<br />
Note that these results assume more direct control or access over some internal variables (aka. free-start, pseudo, compression function, block cipher, or permutation attacks).<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| observations || hash || 256 || (2,5,13) || - || - || [http://www2.mat.dtu.dk/pg-projects/Fugue-256-analysis-v1.pdf Gauravaram et al.]<br />
|- <br />
| meet-in-the-middle preimage || hash || 256 || (2,5,13) || 2<sup>416</sup> || 2<sup>416</sup> || [http://www2.mat.dtu.dk/pg-projects/Fugue-256-analysis-v1.pdf Gauravaram et al.]<br />
|- <br />
| distinguisher || output transformation || 256 || (2,5,11.5), keyed || 2<sup>8</sup> || - || [http://www2.mat.dtu.dk/pg-projects/Fugue-256-analysis-v1.pdf Gauravaram et al.]<br />
|- <br />
| semi-free-start collision || compression function || 256 || (2,1,5) || example || - || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/TURAN_Paper_Erdener.pdf Turan,Uyan]<br />
|- <br />
| semi-free-start near-collision || compression function || 256 || (2,2,10) || example || - || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/TURAN_Paper_Erdener.pdf Turan,Uyan]<br />
|- <br />
| distinguisher<sup>(1)</sup> || output transformation || 256 || || 1 || - || [http://ehash.iaik.tugraz.at/uploads/c/cd/Fugue_path.pdf Aumasson,Phan]<br />
|- <br />
| distinguisher || output transformation || 256 || (2,5,0.5), keyed || 2<sup>8</sup> || - || [http://ehash.iaik.tugraz.at/uploads/c/cd/Fugue_path.pdf Aumasson,Phan]<br />
|- <br />
| internal collision || hash function || 256 || (2,5,13) || 2<sup>352</sup> || 2<sup>352</sup> || [http://cryptolux.org/mediawiki/uploads/9/99/Struct2.pdf Khovratovich]<br />
|-<br />
| internal collision || hash function || 512 || (4,8,13) || 2<sup>480</sup> || 2<sup>480</sup> || [http://cryptolux.org/mediawiki/uploads/9/99/Struct2.pdf Khovratovich]<br />
|- <br />
|}<br />
<sup>(1)</sup>The Fugue team commented on these distinguishers in [http://ehash.iaik.tugraz.at/uploads/d/d7/Fugue_designers_reply_to_AumassonPhan_Distinguisher.txt this note] using [http://ehash.iaik.tugraz.at/uploads/c/c8/Fig7.pdf this figure].<br />
<br />
<br />
<bibtex><br />
@misc{fugueGKBW11,<br />
author = {Praveen Gauravaram and Lars R.Knudsen and Nasour Bagher and Lei Wei},<br />
title = {Improved Security Analysis of Fugue-256 (a second round SHA-3 candidate)},<br />
howpublished = {Proceedings of ACISP (short paper), 2011},<br />
year = {2011},<br />
url = {http://www2.mat.dtu.dk/pg-projects/Fugue-256-analysis-v1.pdf},<br />
abstract = {Fugue is a cryptographic hash function designed by Halevi, Hall and Jutla and was one of the fourteen hash algorithms of the second round of NIST's SHA3 hash competition. We consider Fugue-256, the 256-bit instance of Fugue. Fugue-256 updates a state of 960 bits with a \textit{round transformation} \textbf{R} parametrized by a 32-bit message word. Twice in every state update, this transform invokes an AES like round function called \textbf{SMIX}. Fugue-256 relies on a \textit{final transformation} \textbf{G} to output digests that look random. \textbf{G} has 18 rounds where each round invokes \textbf{SMIX} twice and finally the 960-bit output of the \textbf{G} transform is mapped with a transform $\tau$ to a 256-bit digest. \\ In this paper, we present some improved as well as new analytical results of Fugue-256 (with length-padding). First we improve Aumasson and Phans' integral distinguisher on the 5.5 rounds of the \textbf{G} transform to 16.5 rounds, thus showing \textit{weak} diffusion in the \textbf{G} transform. Next we improve the designers' meet-in-the-middle preimage attack on Fugue-256 from $2^{480}$ time and memory to $2^{416}$. Next we study the security of Fugue-256 against free-start distinguishers and free-start collisions. In this direction, we use an improved variant of the differential characteristic of the \textbf{G} transform shown by the designers to present an efficient distinguisher for the $\tau(\mathbf{G})(.)$ transform showing another \textit{weak} diffusion property of \textbf{G}. We then extend this distinguisher to some interesting practical free-start distinguishers and free-start collisions for the length padded Fugue-256 in $2^{33}$ complexity. Finally, we show that free-start collision attacks on the length-padded Fugue-256 can be found in just $\mathcal{O}(1)$ \textit{without} relying on the differential properties of the \textbf{G} transform and even \textit{without} inverting it.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{nistTU10,<br />
author = {Meltem Sönmez Turan, Erdener Uyan},<br />
title = {Practical Near-Collisions for Reduced Round Blake, Fugue, Hamsi and JH},<br />
howpublished = {Second SHA-3 Candidate Conference},<br />
year = {2010},<br />
url = {http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/TURAN_Paper_Erdener.pdf},<br />
abstract = {A hash function is near-collision resistant, if it is hard to find two messages with hash values that differ in only a small number of bits. In this study, we use hill climbing methods to evaluate the near-collision resistance of some of the round SHA-3 candidates. We practically obtained (i) 184/256-bit near-collision for the 2-round compression function of Blake-32; (ii) 192/256-bit near-collision for the 2-round compression function of Hamsi-256; (iii) 820/1024-bit near-collisions for 10-round compression function of JH. We also observed practical collisions and near-collisions for reduced versions of F-256 function used in Fugue.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{nistAP10,<br />
author = {Jean-Philippe Aumasson and Raphael C.-W. Phan},<br />
title = {Analysis of Fugue-256},<br />
howpublished = {Posting to NIST hash mailing list},<br />
year = {2010},<br />
url = {http://ehash.iaik.tugraz.at/uploads/c/cd/Fugue_path.pdf},<br />
abstract = {We would like to report our analysis results on the final round algorithm of<br />
Fugue-256 (i.e., the function called "G"):<br />
The attached pdf note shows an example differential characteristic of<br />
probability 1, on 15 intermediate rounds of G, as well as an extended<br />
characteristic that can be used as a distinguisher for the full<br />
18-round G. It also shows how differences propagate on an<br />
augmented-round version of G (i.e. if more G2 rounds were added).<br />
A detailed analysis as well as further observations will be reported<br />
in a subsequent paper.<br />
},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{sacKhovratovich09,<br />
author = {Dmitry Khovratovich},<br />
title = {Cryptanalysis of hash functions with structures},<br />
howpublished = {Proceedings of Selected Areas in Cryptography},<br />
year = {2009},<br />
url = {http://cryptolux.org/mediawiki/uploads/9/99/Struct2.pdf},<br />
abstract = {Hash function cryptanalysis has acquired many methods,<br />
tools and tricks from other areas, mostly block ciphers. In this paper<br />
another trick from block cipher cryptanalysis, the structures, is used for<br />
speeding up the collision search. We investigate the memory and the time<br />
complexities of this approach under different assumptions on the round<br />
functions. The power of the new attack is illustrated with the crypt-<br />
analysis of the hash functions Grindahl and the analysis of the SHA-3<br />
candidate Fugue (both functions as 256 and 512 bit versions). The collision attack on Grindahl-512 is the first collision attack on this function.<br />
},<br />
}<br />
</bibtex></div>
JAumasson
https://ehash.iaik.tugraz.at/index.php?title=Fugue&diff=3715
Fugue
2011-07-12T06:52:19Z
<p>JAumasson: /* Building blocks */ added Gauravaram et al. bib item</p>
<hr />
<div>== The algorithm ==<br />
<br />
* Author(s): Shai Halevi and William E. Hall and Charanjit S. Jutla<br />
* Website: [http://domino.research.ibm.com/comm/research_projects.nsf/pages/fugue.index.html http://domino.research.ibm.com/comm/research_projects.nsf/pages/fugue.index.html]<br />
* NIST submission package: <br />
** round 1/2: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/documents/Fugue_Round2_Update.zip Fugue_Round2_Update.zip] (old versions: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/Fugue.zip Fugue.zip], [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/FugueUpdate.zip FugueUpdate.zip], [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/documents/Fugue_Round2.zip Fugue_Round2.zip])<br />
<br />
<br />
<bibtex><br />
@misc{sha3Halevi09,<br />
author = {Shai Halevi and William E. Hall and Charanjit S. Jutla},<br />
title = {The Hash Function Fugue},<br />
url = {http://domino.research.ibm.com/comm/research_projects.nsf/pages/fugue.index.html/$FILE/fugue_09.pdf},<br />
howpublished = {Submission to NIST (updated)},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{sha3Halevi08,<br />
author = {Shai Halevi and William E. Hall and Charanjit S. Jutla},<br />
title = {The Hash Function Fugue},<br />
url = {http://domino.research.ibm.com/comm/research_projects.nsf/pages/fugue.index.html/$FILE/NIST-submission-Oct08-fugue.pdf},<br />
howpublished = {Submission to NIST},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
<br />
== Cryptanalysis ==<br />
<br />
We distinguish between two cases: results on the complete hash function, and results on underlying building blocks.<br />
<br />
A description of the tables is given [http://ehash.iaik.tugraz.at/wiki/Cryptanalysis_Categories#Individual_Hash_Function_Tables here].<br />
<br />
Recommended security parameters: (k,r,t) = '''(2,5,13)''' for (n=224,256); (k,r,t) = '''(3,5,13)''' for (n=384); (k,r,t) = '''(4,8,13)''' for (n=512)<br />
<br />
=== Hash function ===<br />
<br />
Here we list results on the hash function according to the NIST requirements. The only allowed modification is to change the security parameter.<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Size (n) || Parameters || Compression Function Calls || Memory Requirements || Reference <br />
|-<br />
| || |||| || || <br />
|- <br />
|} <br />
<br />
<br />
=== Building blocks ===<br />
<br />
Here we list results on underlying building blocks, and the hash function modified by other means than the security parameter.<br />
<br />
Note that these results assume more direct control or access over some internal variables (aka. free-start, pseudo, compression function, block cipher, or permutation attacks).<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| semi-free-start collision || compression function || 256 || (2,1,5) || example || - || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/TURAN_Paper_Erdener.pdf Turan,Uyan]<br />
|- <br />
| semi-free-start near-collision || compression function || 256 || (2,2,10) || example || - || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/TURAN_Paper_Erdener.pdf Turan,Uyan]<br />
|- <br />
| distinguisher<sup>(1)</sup> || output transformation || 256 || || 1 || - || [http://ehash.iaik.tugraz.at/uploads/c/cd/Fugue_path.pdf Aumasson,Phan]<br />
|- <br />
| distinguisher || output transformation || 256 || (2,5,0.5), keyed || 2<sup>8</sup> || - || [http://ehash.iaik.tugraz.at/uploads/c/cd/Fugue_path.pdf Aumasson,Phan]<br />
|- <br />
| internal collision || hash function || 256 || (2,5,13) || 2<sup>352</sup> || 2<sup>352</sup> || [http://cryptolux.org/mediawiki/uploads/9/99/Struct2.pdf Khovratovich]<br />
|-<br />
| internal collision || hash function || 512 || (4,8,13) || 2<sup>480</sup> || 2<sup>480</sup> || [http://cryptolux.org/mediawiki/uploads/9/99/Struct2.pdf Khovratovich]<br />
|- <br />
|}<br />
<sup>(1)</sup>The Fugue team commented on these distinguishers in [http://ehash.iaik.tugraz.at/uploads/d/d7/Fugue_designers_reply_to_AumassonPhan_Distinguisher.txt this note] using [http://ehash.iaik.tugraz.at/uploads/c/c8/Fig7.pdf this figure].<br />
<br />
<br />
<bibtex><br />
@misc{fugueGKBW11,<br />
author = {Praveen Gauravaram and Lars R.Knudsen and Nasour Bagher and Lei Wei},<br />
title = {Improved Security Analysis of Fugue-256 (a second round SHA-3 candidate)},<br />
howpublished = {Proceedings of ACISP (short paper), 2011},<br />
year = {2011},<br />
url = {http://www2.mat.dtu.dk/pg-projects/Fugue-256-analysis-v1.pdf},<br />
abstract = {Fugue is a cryptographic hash function designed by Halevi, Hall and Jutla and was one of the fourteen hash algorithms of the second round of NIST's SHA3 hash competition. We consider Fugue-256, the 256-bit instance of Fugue. Fugue-256 updates a state of 960 bits with a \textit{round transformation} \textbf{R} parametrized by a 32-bit message word. Twice in every state update, this transform invokes an AES like round function called \textbf{SMIX}. Fugue-256 relies on a \textit{final transformation} \textbf{G} to output digests that look random. \textbf{G} has 18 rounds where each round invokes \textbf{SMIX} twice and finally the 960-bit output of the \textbf{G} transform is mapped with a transform $\tau$ to a 256-bit digest. \\ In this paper, we present some improved as well as new analytical results of Fugue-256 (with length-padding). First we improve Aumasson and Phans' integral distinguisher on the 5.5 rounds of the \textbf{G} transform to 16.5 rounds, thus showing \textit{weak} diffusion in the \textbf{G} transform. Next we improve the designers' meet-in-the-middle preimage attack on Fugue-256 from $2^{480}$ time and memory to $2^{416}$. Next we study the security of Fugue-256 against free-start distinguishers and free-start collisions. In this direction, we use an improved variant of the differential characteristic of the \textbf{G} transform shown by the designers to present an efficient distinguisher for the $\tau(\mathbf{G})(.)$ transform showing another \textit{weak} diffusion property of \textbf{G}. We then extend this distinguisher to some interesting practical free-start distinguishers and free-start collisions for the length padded Fugue-256 in $2^{33}$ complexity. Finally, we show that free-start collision attacks on the length-padded Fugue-256 can be found in just $\mathcal{O}(1)$ \textit{without} relying on the differential properties of the \textbf{G} transform and even \textit{without} inverting it.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{nistTU10,<br />
author = {Meltem Sönmez Turan, Erdener Uyan},<br />
title = {Practical Near-Collisions for Reduced Round Blake, Fugue, Hamsi and JH},<br />
howpublished = {Second SHA-3 Candidate Conference},<br />
year = {2010},<br />
url = {http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/TURAN_Paper_Erdener.pdf},<br />
abstract = {A hash function is near-collision resistant, if it is hard to find two messages with hash values that differ in only a small number of bits. In this study, we use hill climbing methods to evaluate the near-collision resistance of some of the round SHA-3 candidates. We practically obtained (i) 184/256-bit near-collision for the 2-round compression function of Blake-32; (ii) 192/256-bit near-collision for the 2-round compression function of Hamsi-256; (iii) 820/1024-bit near-collisions for 10-round compression function of JH. We also observed practical collisions and near-collisions for reduced versions of F-256 function used in Fugue.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{nistAP10,<br />
author = {Jean-Philippe Aumasson and Raphael C.-W. Phan},<br />
title = {Analysis of Fugue-256},<br />
howpublished = {Posting to NIST hash mailing list},<br />
year = {2010},<br />
url = {http://ehash.iaik.tugraz.at/uploads/c/cd/Fugue_path.pdf},<br />
abstract = {We would like to report our analysis results on the final round algorithm of<br />
Fugue-256 (i.e., the function called "G"):<br />
The attached pdf note shows an example differential characteristic of<br />
probability 1, on 15 intermediate rounds of G, as well as an extended<br />
characteristic that can be used as a distinguisher for the full<br />
18-round G. It also shows how differences propagate on an<br />
augmented-round version of G (i.e. if more G2 rounds were added).<br />
A detailed analysis as well as further observations will be reported<br />
in a subsequent paper.<br />
},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{sacKhovratovich09,<br />
author = {Dmitry Khovratovich},<br />
title = {Cryptanalysis of hash functions with structures},<br />
howpublished = {Proceedings of Selected Areas in Cryptography},<br />
year = {2009},<br />
url = {http://cryptolux.org/mediawiki/uploads/9/99/Struct2.pdf},<br />
abstract = {Hash function cryptanalysis has acquired many methods,<br />
tools and tricks from other areas, mostly block ciphers. In this paper<br />
another trick from block cipher cryptanalysis, the structures, is used for<br />
speeding up the collision search. We investigate the memory and the time<br />
complexities of this approach under different assumptions on the round<br />
functions. The power of the new attack is illustrated with the crypt-<br />
analysis of the hash functions Grindahl and the analysis of the SHA-3<br />
candidate Fugue (both functions as 256 and 512 bit versions). The collision attack on Grindahl-512 is the first collision attack on this function.<br />
},<br />
}<br />
</bibtex></div>
JAumasson
https://ehash.iaik.tugraz.at/index.php?title=Fugue&diff=3666
Fugue
2011-01-12T07:46:26Z
<p>JAumasson: added missing Aumasson/Phan result</p>
<hr />
<div>== The algorithm ==<br />
<br />
* Author(s): Shai Halevi and William E. Hall and Charanjit S. Jutla<br />
* Website: [http://domino.research.ibm.com/comm/research_projects.nsf/pages/fugue.index.html http://domino.research.ibm.com/comm/research_projects.nsf/pages/fugue.index.html]<br />
* NIST submission package: <br />
** round 1/2: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/documents/Fugue_Round2_Update.zip Fugue_Round2_Update.zip] (old versions: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/Fugue.zip Fugue.zip], [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/FugueUpdate.zip FugueUpdate.zip], [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/documents/Fugue_Round2.zip Fugue_Round2.zip])<br />
<br />
<br />
<bibtex><br />
@misc{sha3Halevi09,<br />
author = {Shai Halevi and William E. Hall and Charanjit S. Jutla},<br />
title = {The Hash Function Fugue},<br />
url = {http://domino.research.ibm.com/comm/research_projects.nsf/pages/fugue.index.html/$FILE/fugue_09.pdf},<br />
howpublished = {Submission to NIST (updated)},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{sha3Halevi08,<br />
author = {Shai Halevi and William E. Hall and Charanjit S. Jutla},<br />
title = {The Hash Function Fugue},<br />
url = {http://domino.research.ibm.com/comm/research_projects.nsf/pages/fugue.index.html/$FILE/NIST-submission-Oct08-fugue.pdf},<br />
howpublished = {Submission to NIST},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
<br />
== Cryptanalysis ==<br />
<br />
We distinguish between two cases: results on the complete hash function, and results on underlying building blocks.<br />
<br />
A description of the tables is given [http://ehash.iaik.tugraz.at/wiki/Cryptanalysis_Categories#Individual_Hash_Function_Tables here].<br />
<br />
Recommended security parameters: (k,r,t) = '''(2,5,13)''' for (n=224,256); (k,r,t) = '''(3,5,13)''' for (n=384); (k,r,t) = '''(4,8,13)''' for (n=512)<br />
<br />
=== Hash function ===<br />
<br />
Here we list results on the hash function according to the NIST requirements. The only allowed modification is to change the security parameter.<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Size (n) || Parameters || Compression Function Calls || Memory Requirements || Reference <br />
|-<br />
| || |||| || || <br />
|- <br />
|} <br />
<br />
<br />
=== Building blocks ===<br />
<br />
Here we list results on underlying building blocks, and the hash function modified by other means than the security parameter.<br />
<br />
Note that these results assume more direct control or access over some internal variables (aka. free-start, pseudo, compression function, block cipher, or permutation attacks).<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| semi-free-start collision || compression function || 256 || (2,1,5) || example || - || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/TURAN_Paper_Erdener.pdf Turan,Uyan]<br />
|- <br />
| semi-free-start near-collision || compression function || 256 || (2,2,10) || example || - || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/TURAN_Paper_Erdener.pdf Turan,Uyan]<br />
|- <br />
| distinguisher<sup>(1)</sup> || output transformation || 256 || || 1 || - || [http://ehash.iaik.tugraz.at/uploads/c/cd/Fugue_path.pdf Aumasson,Phan]<br />
|- <br />
| distinguisher || output transformation || 256 || (2,5,0.5), keyed || 2<sup>8</sup> || - || [http://ehash.iaik.tugraz.at/uploads/c/cd/Fugue_path.pdf Aumasson,Phan]<br />
|- <br />
| internal collision || hash function || 256 || (2,5,13) || 2<sup>352</sup> || 2<sup>352</sup> || [http://cryptolux.org/mediawiki/uploads/9/99/Struct2.pdf Khovratovich]<br />
|-<br />
| internal collision || hash function || 512 || (4,8,13) || 2<sup>480</sup> || 2<sup>480</sup> || [http://cryptolux.org/mediawiki/uploads/9/99/Struct2.pdf Khovratovich]<br />
|- <br />
|}<br />
<sup>(1)</sup>The Fugue team commented on these distinguishers in [http://ehash.iaik.tugraz.at/uploads/d/d7/Fugue_designers_reply_to_AumassonPhan_Distinguisher.txt this note] using [http://ehash.iaik.tugraz.at/uploads/c/c8/Fig7.pdf this figure].<br />
<br />
<br />
<bibtex><br />
@misc{nistTU10,<br />
author = {Meltem Sönmez Turan, Erdener Uyan},<br />
title = {Practical Near-Collisions for Reduced Round Blake, Fugue, Hamsi and JH},<br />
howpublished = {Second SHA-3 Candidate Conference},<br />
year = {2010},<br />
url = {http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/TURAN_Paper_Erdener.pdf},<br />
abstract = {A hash function is near-collision resistant, if it is hard to find two messages with hash values that differ in only a small number of bits. In this study, we use hill climbing methods to evaluate the near-collision resistance of some of the round SHA-3 candidates. We practically obtained (i) 184/256-bit near-collision for the 2-round compression function of Blake-32; (ii) 192/256-bit near-collision for the 2-round compression function of Hamsi-256; (iii) 820/1024-bit near-collisions for 10-round compression function of JH. We also observed practical collisions and near-collisions for reduced versions of F-256 function used in Fugue.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{nistAP10,<br />
author = {Jean-Philippe Aumasson and Raphael C.-W. Phan},<br />
title = {Analysis of Fugue-256},<br />
howpublished = {Posting to NIST hash mailing list},<br />
year = {2010},<br />
url = {http://ehash.iaik.tugraz.at/uploads/c/cd/Fugue_path.pdf},<br />
abstract = {We would like to report our analysis results on the final round algorithm of<br />
Fugue-256 (i.e., the function called "G"):<br />
The attached pdf note shows an example differential characteristic of<br />
probability 1, on 15 intermediate rounds of G, as well as an extended<br />
characteristic that can be used as a distinguisher for the full<br />
18-round G. It also shows how differences propagate on an<br />
augmented-round version of G (i.e. if more G2 rounds were added).<br />
A detailed analysis as well as further observations will be reported<br />
in a subsequent paper.<br />
},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{sacKhovratovich09,<br />
author = {Dmitry Khovratovich},<br />
title = {Cryptanalysis of hash functions with structures},<br />
howpublished = {Proceedings of Selected Areas in Cryptography},<br />
year = {2009},<br />
url = {http://cryptolux.org/mediawiki/uploads/9/99/Struct2.pdf},<br />
abstract = {Hash function cryptanalysis has acquired many methods,<br />
tools and tricks from other areas, mostly block ciphers. In this paper<br />
another trick from block cipher cryptanalysis, the structures, is used for<br />
speeding up the collision search. We investigate the memory and the time<br />
complexities of this approach under different assumptions on the round<br />
functions. The power of the new attack is illustrated with the crypt-<br />
analysis of the hash functions Grindahl and the analysis of the SHA-3<br />
candidate Fugue (both functions as 256 and 512 bit versions). The collision attack on Grindahl-512 is the first collision attack on this function.<br />
},<br />
}<br />
</bibtex></div>
JAumasson
https://ehash.iaik.tugraz.at/index.php?title=ECHO&diff=3663
ECHO
2010-12-08T12:43:58Z
<p>JAumasson: /* Building blocks */ added Sasaki et al.</p>
<hr />
<div>== The algorithm ==<br />
<br />
* Author(s): Ryad Benadjila, Olivier Billet, Henri Gilbert, Gilles Macario-Rat, Thomas Peyrin, Matt Robshaw, Yannick Seurin <br />
* Website: http://crypto.rd.francetelecom.com/echo/<br />
* NIST submission package: <br />
** round 1/2: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/documents/ECHO_Round2.zip ECHO_Round2.zip] (old version [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/ECHO.zip ECHO.zip])<br />
<br />
<br />
<bibtex><br />
@misc{sha3BBG+09,<br />
author = {Ryad Benadjila and Olivier Billet and Henri Gilbert and Gilles Macario-Rat and Thomas Peyrin and Matt Robshaw and Yannick Seurin},<br />
title = {SHA-3 Proposal: ECHO},<br />
url = {http://crypto.rd.francetelecom.com/echo/doc/echo_description_1-5.pdf},<br />
howpublished = {Submission to NIST (updated)},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{sha3BBG+08,<br />
author = {Ryad Benadjila and Olivier Billet and Henri Gilbert and Gilles Macario-Rat and Thomas Peyrin and Matt Robshaw and Yannick Seurin},<br />
title = {SHA-3 Proposal: ECHO},<br />
url = {http://crypto.rd.francetelecom.com/echo/doc/echo_description.pdf},<br />
howpublished = {Submission to NIST},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
<br />
<br />
<br />
<br />
<br />
== Cryptanalysis ==<br />
<br />
We distinguish between two cases: results on the complete hash function, and results on underlying building blocks.<br />
<br />
A description of the tables is given [http://ehash.iaik.tugraz.at/wiki/Cryptanalysis_Categories#Individual_Hash_Function_Tables here].<br />
<br />
Recommended security parameter: '''8''' rounds (n=224,256); '''10''' rounds (n=384,512)<br />
<br />
=== Hash function ===<br />
<br />
Here we list results on the hash function according to the NIST requirements. The only allowed modification is to change the security parameter.<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Size (n) || Parameters || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| collision<sup>(1)</sup> || 256 || 5 rounds || 2<sup>112</sup> || 2<sup>85.3</sup> || [http://eprint.iacr.org/2010/588.pdf Schläffer]<br />
|- <br />
|} <br />
<br />
<sup>(1)</sup> In this attack some problems in the [http://eprint.iacr.org/2010/321.pdf previous attacks] (pointed out by [http://eprint.iacr.org/2010/569.pdf Jean,Fouque]) have been corrected.<br />
<br />
<br />
=== Building blocks ===<br />
<br />
Here we list results on underlying building blocks, and the hash function modified by other means than the security parameter.<br />
<br />
Note that these results assume more direct control or access over some internal variables (aka. free-start, pseudo, compression function, block cipher, or permutation attacks). <br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements || Reference <br />
|-<br />
| distinguisher || permutation || 256 || 8 rounds || 2<sup>151</sup> || 2<sup>67</sup> || [http://eprint.iacr.org/2010/607.pdf Naya-Plasencia]<br />
|- <br />
| distinguisher || permutation || 224,256 || 8 rounds || 2<sup>182</sup> || 2<sup>37</sup> || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SASAKI_ECHOanalysisFinal.pdf Sasaki,Li,Wang,Sakayima,Ohta]<br />
|-<br />
| distinguisher<sup>(1)</sup> (chosen salt) || compression function || 256 || 7 rounds || 2<sup>160</sup> || 2<sup>128</sup> || [http://eprint.iacr.org/2010/588.pdf Schläffer]<br />
|- <br />
| free-start collision<sup>(1)</sup> (chosen salt) || compression function || 256 || 6 rounds || 2<sup>160</sup> || 2<sup>128</sup> || [http://eprint.iacr.org/2010/588.pdf Schläffer]<br />
|-<br />
| semi-free-start collision || compression function || 256 || 4 rounds || 2<sup>52</sup> || 2<sup>16</sup> || [http://eprint.iacr.org/2010/569.pdf Jean,Fouque]<br />
|- <br />
| semi-free-start collision || compression function || 256 || 3 rounds || 2<sup>64</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/223.pdf Peyrin]<br />
|- <br />
| distinguisher || compression function || 256 || 4 rounds || 2<sup>64</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/223.pdf Peyrin]<br />
|- <br />
| semi-free-start collision || compression function || 512 || 3 rounds || 2<sup>96</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/223.pdf Peyrin]<br />
|- <br />
| distinguisher || compression function || 512 || 6 rounds || 2<sup>96</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/223.pdf Peyrin]<br />
|- <br />
| distinguisher || permutation || all || 8 rounds || 2<sup>768</sup> || 2<sup>512</sup> || [http://eprint.iacr.org/2009/531.pdf Gilbert,Peyrin]<br />
|- <br />
| distinguisher || permutation || all || 7 rounds || 2<sup>384</sup> || 2<sup>64</sup> || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=110408 Mendel,Peyrin,Rechberger,Schläffer]<br />
|- <br />
| distinguisher || permutation || all || 7 rounds || 2<sup>896</sup> || - || [http://crypto.rd.francetelecom.com/echo/doc/echo_description_1-5.pdf submission document]<br />
|- <br />
|} <br />
<br />
<sup>(1)</sup> In this attack some problems in the [http://eprint.iacr.org/2010/321.pdf previous attacks] (pointed out by [http://eprint.iacr.org/2010/569.pdf Jean,Fouque]) have been corrected.<br />
<br />
<br />
<bibtex><br />
@misc{cryptoeprint:2010:607,<br />
author = {María Naya-Plasencia},<br />
title = {Scrutinizing rebound attacks: new algorithms for improving the complexities},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/607},<br />
year = {2010},<br />
note = {\url{http://eprint.iacr.org/}},<br />
url = {http://eprint.iacr.org/2010/607.pdf},<br />
abstract = {Rebound attacks are a state-of-the-art analysis method for hash functions. These cryptanalysis methods are based on a well chosen differential path and have been applied to several hash functions from the SHA-3 competition, providing the best known analysis in these cases. In this paper we study rebound attacks in detail and find for a great number of cases, that complexities of existing attacks can be improved. This is done by determining problems that adapt optimally to the cryptanalytic situation, and by using better algorithms to follow the differential path. These improvements are essentially based on merging big lists in a more efficient way, as well as on new ideas on how to reduce the complexities. As a result, we introduce general purpose new algorithms for enabling further rebound analysis to be as performant as possible. We illustrate our new algorithms for real hash functions and demonstrate how to reduce the complexities of the best known analysis on five hash functions: JH, Grøstl, ECHO, Luffa and Lane (the first four are round two SHA-3 candidates).},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{groestlechoSLWSO10,<br />
author = {Yu Sasaki and Yang Li and Lei Wang and Kazuo Sakiyama and Kazuo Ohta},<br />
title = {New Non-Ideal Properties of AES-Based Permutations: Applications to ECHO and Grøstl<br />
},<br />
howpublished = {Second SHA-3 Candidate Conference},<br />
year = {2010},<br />
url = {http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SASAKI_ECHOanalysisFinal.pdf},<br />
abstract = {In this paper, we present non-full-active Super-Sbox analysis which can detect non-ideal<br />
properties of a class of AES-based permutations with a low complexity. We apply this framework<br />
to SHA-3 round-2 candidates ECHO and Grøstl. The first application is for the full-round (8-round)<br />
ECHO permutation, which is a building block for 256-bit and 224-bit output sizes. By combining several<br />
observations specific to ECHO, our attack detects a non-ideal property with a time complexity of 2^182<br />
and 2^37 amount of memory. The complexity, especially in terms of the product of time and memory,<br />
is drastically reduced from the previous best attack which required 2^512 x 2^512. To the best of our knowledge, this is the first result on the full-round ECHO permutation with both time and memory below 2^256 or 2^224. Note that this result does not impact the security of the ECHO compression function nor the overall hash function. We also show that our method can detect non-ideal properties of the 8-round Grøstl-256 permutation with a practical complexity, and finally show that our approach leads<br />
to an improvement on a semi-free-start collision attack on the 7-round Grøstl-512 compression function.<br />
Our approach is based on a series of attacks on AES-based hash functions such as rebound attack and<br />
Super-Sbox analysis. The core idea is using a new differential path consisting of only non-full-active<br />
states.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{cryptoeprint:2010:588,<br />
author = {Martin Schläffer},<br />
title = {Improved Collisions for Reduced ECHO-256},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/588},<br />
year = {2010},<br />
note = {\url{http://eprint.iacr.org/}},<br />
url = {http://eprint.iacr.org/2010/588.pdf},<br />
abstract = {In this work, we present a collision attack on 5 out of 8 rounds of the ECHO-256 hash function with a complexity of $2^{112}$ in time and $2^{85.3}$ memory. In this work, we further show that the merge inbound phase can still be solved in the case of hash function attacks on ECHO. As correctly observed by Jean et al., the merge inbound phase of previous hash function attacks succeeds only with a probability of $2^{-128}$. The main reason for this behavior is the low rank of the linear SuperMixColumns transformation. However, since there is enough freedom in ECHO we can solve the resulting linear equations with a complexity much lower than $2^{128}$. On the other hand, also this low rank of the linear SuperMixColumns transformation allows us to extend the collision attack on the reduced hash function from 4 to 5 rounds. Additionally, we present a collision attack on 6 rounds of the compression function of ECHO-256 and show that a subspace distinguisher is still possible for 7 out of 8 rounds of the compression function of ECHO-256. Both compression function attacks have a complexity of $2^{160}$ with memory requirements of $2^{128}$ and chosen salt.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{cryptoeprint:2010:569,<br />
author = {Jérémy Jean and Pierre-Alain Fouque},<br />
title = {Practical Near-Collisions and Collisions on Round-Reduced ECHO-256 Compression Function},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/569},<br />
year = {2010},<br />
note = {\url{http://eprint.iacr.org/}},<br />
url = {http://eprint.iacr.org/2010/569.pdf},<br />
abstract = {In this paper, we present new results on the second-round SHA-3 candidate ECHO. We describe a method to construct a collision in the compression function of ECHO-256 reduced to four rounds in 2^52 operations on AES-columns without significant memory requirements. Our attack uses the most recent analyses on ECHO, in particular the SuperSBox and SuperMixColumns layers to utilize efficiently the available freedom degrees. We also show why some of these results are flawed and we propose a solution to fix them. Our work improve the time and memory complexity of previous known techniques by using available freedom degrees more precisely. Finally, we validate our work by an implementation leading to near-collisions in 2^36 operations.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{cryptoeprint:2010:321,<br />
author = {Martin Schläffer},<br />
title = {Subspace Distinguisher for 5/8 Rounds of the ECHO-256 Hash Function},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/321},<br />
year = {2010},<br />
note = {\url{http://eprint.iacr.org/}},<br />
url = {http://eprint.iacr.org/2010/321.pdf},<br />
abstract = {In this work we present the first results for the ECHO hash function. We provide a subspace distinguisher for 5/8 rounds, near-collisions on 4.5/8 rounds and collisions for 4/8 rounds of the ECHO-256 hash function. The complexities are $2^{96}$ compression function calls for the distinguisher and near-collision attack, and $2^{64}$ for the collision attack. The memory requirements are $2^{64}$ for all attacks. Furthermore, we provide improved compression function attacks on ECHO-256 to get a distinguisher on 7/8 rounds and near-collisions for 6.5/8 rounds with chosen salt. The compression function attacks also apply to ECHO-512. To get these results, we consider new and sparse truncated differential paths through ECHO. We are able to construct these paths by analyzing the combined MixColumns and BigMixColumns transformation. Since in these sparse truncated differential paths at most 1/4 of all bytes of each ECHO state are active, missing degrees of freedom are not a problem. Therefore, we are able to mount a rebound attack with multiple inbound phases to efficiently find according message pairs for ECHO.},<br />
}<br />
</bibtex><br />
<br />
<bibtex> <br />
@misc{Pey10,<br />
author = {Thomas Peyrin},<br />
title = {Improved Differential Attacks for ECHO and Grostl},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/223},<br />
year = {2010},<br />
note = {\url{http://eprint.iacr.org/}},<br />
abstract = {We present improved cryptanalysis of two second-round SHA-3 candidates: the AES-based hash functions ECHO and Grostl. We explain methods for building better differential trails for ECHO by increasing the granularity of the truncated differential paths previously considered. In the case of Grostl, we describe a new technique, the internal differential attack, which shows that when using parallel computations designers should also consider the differential security between the parallel branches. Then, we exploit the recently introduced start-from-the-middle or Super-Sbox attacks, that proved to be very efficient when attacking AES-like permutations, to achieve a very efficient utilization of the available freedom degrees. Finally, we obtain the best known attacks so far for both ECHO and Grostl. In particular, we are able to mount a distinguishing attack for the full Grostl-256 compression function.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{fseGP10,<br />
author = {Henri Gilbert and Thomas Peyrin},<br />
title = {Super-Sbox Cryptanalysis: Improved Attacks for AES-like permutations},<br />
url = {http://eprint.iacr.org/2009/531.pdf},<br />
booktitle = {FSE},<br />
year = {2010},<br />
series = {LNCS},<br />
note = {To appear}<br />
abstract = {In this paper, we improve the recent rebound and start-from-the-middle attacks on AES-like permutations. Our new cryptanalysis technique uses the fact that one can view two rounds of such permutations as a layer of big Sboxes preceded and followed by simple affine transformations. The big Sboxes encountered in this alternative representation are named Super-Sboxes. We apply this method to two second-round SHA-3 candidates Grostl and ECHO, and obtain improvements over the previous cryptanalysis results for these two schemes. Moreover, we improve the best distinguisher for the AES block cipher in the known-key setting, reaching 8 rounds for the 128-bit version.}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{sacMPRS09,<br />
author = {Florian Mendel and Thomas Peyrin and Christian<br />
Rechberger and Martin Schläffer},<br />
title = {Improved Cryptanalysis of the Reduced Grøstl<br />
Compression Function, ECHO Permutation and AES Block Cipher},<br />
url = {http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=124407&pCurrPk=44420},<br />
booktitle = {SAC},<br />
year = {2009},<br />
volume = {5867},<br />
pages = {16-35},<br />
abstract = {In this paper, we propose two new ways to mount attacks<br />
on the SHA-3 candidates Gr{\o}stl, and ECHO, and apply these attacks<br />
also to the AES. Our results improve upon and extend the rebound<br />
attack. Using the new techniques, we are able to extend the number of<br />
rounds in which available degrees of freedom can be used. As a result,<br />
we present the first attack on 7 rounds for the Gr{\o}stl-256 output<br />
transformation and improve the semi-free-start collision attack on 6<br />
rounds. Further, we present an improved known-key distinguisher for 7<br />
rounds of the AES block cipher and the internal permutation used in<br />
ECHO.}<br />
</bibtex></div>
JAumasson
https://ehash.iaik.tugraz.at/index.php?title=Groestl&diff=3662
Groestl
2010-12-08T12:39:56Z
<p>JAumasson: added Sasaki et al</p>
<hr />
<div>== The algorithm ==<br />
<br />
* Author(s): Praveen Gauravaram, Lars R. Knudsen, Krystian Matusiewicz, Florian Mendel, Christian Rechberger, Martin Schläffer, Søren S. Thomsen<br />
* Website: [http://www.groestl.info http://www.groestl.info]<br />
* NIST submission package: <br />
** round 1/2: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/documents/Grostl_Round2.zip Grostl_Round2.zip] (old version: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/Grostl.zip Grostl.zip])<br />
<br />
<br />
<bibtex><br />
@misc{sha3groestl,<br />
author = {Praveen Gauravaram and Lars R. Knudsen and Krystian Matusiewicz and Florian Mendel and Christian Rechberger and Martin Schläffer and Søren S. Thomsen},<br />
title = {Grøstl -- a SHA-3 candidate},<br />
url = {http://www.groestl.info/Groestl.pdf},<br />
howpublished = {Submission to NIST},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{sha3groestl,<br />
author = {Praveen Gauravaram and Lars R. Knudsen and Krystian Matusiewicz and Florian Mendel and Christian Rechberger and Martin Schläffer and Søren S. Thomsen},<br />
title = {Grøstl Addendum},<br />
url = {http://groestl.info/Groestl-addendum.pdf},<br />
howpublished = {Available online},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
== Cryptanalysis ==<br />
<br />
We distinguish between two cases: results on the complete hash function, and results on underlying building blocks.<br />
<br />
A description of the tables is given [http://ehash.iaik.tugraz.at/wiki/Cryptanalysis_Categories#Individual_Hash_Function_Tables here].<br />
<br />
Recommended security parameter: '''10''' rounds (n=224,256); '''14''' rounds (n=384,512)<br />
<br />
=== Hash function ===<br />
<br />
Here we list results on the hash function according to the NIST requirements. The only allowed modification is to change the security parameter.<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Size (n) || Parameters || Compression Function Calls || Memory Requirements || Reference <br />
|-<br />
| collision || 224,256 || 5 rounds || 2<sup>48</sup> || 2<sup>32</sup> || [http://eprint.iacr.org/2010/375.pdf Ideguchi,Tischhauser,Preneel]<br />
|-<br />
| collision || 256 || 6 rounds || 2<sup>112</sup> || 2<sup>32</sup> || [http://eprint.iacr.org/2010/375.pdf Ideguchi,Tischhauser,Preneel]<br />
|-<br />
| collision || 224,256 || 4 rounds || 2<sup>64</sup> || 2<sup>64</sup> || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=128007&pCurrPk=47053 Mendel,Rechberger,Schläffer,Thomsen]<br />
|- <br />
| collision || 224,256 || 3 rounds || 2<sup>64</sup> || - || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=128007&pCurrPk=47053 Mendel,Rechberger,Schläffer,Thomsen]<br />
|- <br />
| collision || 384,512 || 5 rounds || 2<sup>176</sup> || 2<sup>64</sup> || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=128007&pCurrPk=47053 Mendel,Rechberger,Schläffer,Thomsen]<br />
|- <br />
| collision || 384,512 || 4 rounds || 2<sup>64</sup> || 2<sup>64</sup> || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=128007&pCurrPk=47053 Mendel,Rechberger,Schläffer,Thomsen]<br />
|- <br />
|} <br />
<br />
<br />
=== Building blocks ===<br />
<br />
Here we list results on underlying building blocks, and the hash function modified by other means than the security parameter.<br />
<br />
Note that these results assume more direct control or access over some internal variables (aka. free-start, pseudo, compression function, block cipher, or permutation attacks). <br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| distinguisher || compression function || 256 || 10 rounds || 2<sup>175</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/607.pdf Naya-Plasencia]<br />
|-<br />
| distinguisher || compression function || 512 || 11 rounds || 2<sup>630</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/607.pdf Naya-Plasencia]<br />
|-<br />
| distinguisher || permutation || 256 || 8 rounds || 2<sup>48</sup> || 2<sup>8</sup> || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SASAKI_ECHOanalysisFinal.pdf Sasaki,Li,Wang,Sakiyama,Ohta]<br />
|-<br />
| semi-free-start collision || compression function || 512 || 7 rounds || 2<sup>152</sup> || 2<sup>56</sup> || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SASAKI_ECHOanalysisFinal.pdf Sasaki,Li,Wang,Sakiyama,Ohta]<br />
|-<br />
| semi-free-start collision || compression function || 224,256 || 7 rounds || 2<sup>80</sup> || 2<sup>32</sup> || [http://eprint.iacr.org/2010/375.pdf Ideguchi,Tischhauser,Preneel]<br />
|-<br />
| semi-free-start collision || compression function || 224,256 || 8 rounds || 2<sup>192</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/375.pdf Ideguchi,Tischhauser,Preneel]<br />
|-<br />
| distinguisher || permutation || 224,256 || 7 rounds || 2<sup>19</sup> || - || [http://eprint.iacr.org/2010/375.pdf Ideguchi,Tischhauser,Preneel]<br />
|-<br />
| distinguisher || permutation || 224,256 || 8 rounds || 2<sup>64</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/375.pdf Ideguchi,Tischhauser,Preneel]<br />
|-<br />
| distinguisher || compression function || 256 || 10 rounds || 2<sup>192</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/223.pdf Peyrin]<br />
|- <br />
| distinguisher || compression function || 256 || 9 rounds || 2<sup>80</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/223.pdf Peyrin]<br />
|- <br />
| distinguisher || compression function || 512 || 11 rounds || 2<sup>640</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/223.pdf Peyrin]<br />
|- <br />
| semi-free-start collision || compression function || 256 || 7 rounds || 2<sup>120</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2009/531.pdf Gilbert,Peyrin]<br />
|- <br />
| distinguisher || compression function || 256 || 8 rounds || 2<sup>112</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2009/531.pdf Gilbert,Peyrin]<br />
|- <br />
| distinguisher || permutation || 256 || 8 rounds || 2<sup>112</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2009/531.pdf Gilbert,Peyrin]<br />
|- <br />
| semi-free-start collision || compression function || 256 || 7 rounds || 2<sup>120</sup> || 2<sup>64</sup> || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=128007&pCurrPk=47053 Mendel,Rechberger,Schläffer,Thomsen]<br />
|- <br />
| semi-free-start collision || compression function|| 384,512 || 7 rounds || 2<sup>152</sup> || 2<sup>64</sup> || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=128007&pCurrPk=47053 Mendel,Rechberger,Schläffer,Thomsen]<br />
|- <br />
| semi-free-start collision || compression function || 224,256 || 6 rounds || 2<sup>64</sup> || 2<sup>64</sup> || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=124407&pCurrPk=44420 Mendel,Peyrin,Rechberger,Schläffer]<br />
|- <br />
| distinguisher || output transformation || 224,256 || 7 rounds || 2<sup>56</sup> || - || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=124407&pCurrPk=44420 Mendel,Peyrin,Rechberger,Schläffer]<br />
|- <br />
| distinguisher || permutation || 224,256 || 7 rounds || 2<sup>55</sup> || - || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=124407&pCurrPk=44420 Mendel,Peyrin,Rechberger,Schläffer]<br />
|- <br />
| semi-free-start collision || compression function || 256 || 6 rounds || 2<sup>120</sup> || 2<sup>64</sup> || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=124409&pCurrPk=40943 Mendel,Rechberger,Schläffer,Thomsen]<br />
|- <br />
| semi-free-start collision || compression function || 224,256 || 5 rounds || 2<sup>64</sup> || - || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=124409&pCurrPk=40943 Mendel,Rechberger,Schläffer,Thomsen]<br />
|- <br />
| observation || hash || all || || || || [http://ehash.iaik.tugraz.at/uploads/d/d0/Grostl-comment-april28.pdf Kelsey]<br />
|- <br />
| observation || block cipher || all || || || || [http://www.larc.usp.br/~pbarreto/Grizzly.pdf Barreto]<br />
|- <br />
| free-start collision || compression function || all || any || 2<sup>2n/3</sup> || 2<sup>2n/3</sup> || [http://www.groestl.info/Groestl.pdf submission document]<br />
|- <br />
| pseudo-preimage || compression function || all || any || 2<sup>n</sup> || - || [http://www.groestl.info/Groestl.pdf submission document]<br />
|- <br />
|}<br />
<br />
<br />
<br />
<bibtex><br />
@misc{cryptoeprint:2010:607,<br />
author = {María Naya-Plasencia},<br />
title = {Scrutinizing rebound attacks: new algorithms for improving the complexities},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/607},<br />
year = {2010},<br />
note = {\url{http://eprint.iacr.org/}},<br />
url = {http://eprint.iacr.org/2010/607.pdf},<br />
abstract = {Rebound attacks are a state-of-the-art analysis method for hash functions. These cryptanalysis methods are based on a well chosen differential path and have been applied to several hash functions from the SHA-3 competition, providing the best known analysis in these cases. In this paper we study rebound attacks in detail and find for a great number of cases, that complexities of existing attacks can be improved. This is done by determining problems that adapt optimally to the cryptanalytic situation, and by using better algorithms to follow the differential path. These improvements are essentially based on merging big lists in a more efficient way, as well as on new ideas on how to reduce the complexities. As a result, we introduce general purpose new algorithms for enabling further rebound analysis to be as performant as possible. We illustrate our new algorithms for real hash functions and demonstrate how to reduce the complexities of the best known analysis on five hash functions: JH, Grøstl, ECHO, Luffa and Lane (the first four are round two SHA-3 candidates).},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{groestlechoSLWSO10,<br />
author = {Yu Sasaki and Yang Li and Lei Wang and Kazuo Sakiyama and Kazuo Ohta},<br />
title = {New Non-Ideal Properties of AES-Based Permutations: Applications to ECHO and Grøstl<br />
},<br />
howpublished = {Second SHA-3 Candidate Conference},<br />
year = {2010},<br />
url = {http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SASAKI_ECHOanalysisFinal.pdf},<br />
abstract = {In this paper, we present non-full-active Super-Sbox analysis which can detect non-ideal<br />
properties of a class of AES-based permutations with a low complexity. We apply this framework<br />
to SHA-3 round-2 candidates ECHO and Grøstl. The first application is for the full-round (8-round)<br />
ECHO permutation, which is a building block for 256-bit and 224-bit output sizes. By combining several<br />
observations specific to ECHO, our attack detects a non-ideal property with a time complexity of 2^182<br />
and 2^37 amount of memory. The complexity, especially in terms of the product of time and memory,<br />
is drastically reduced from the previous best attack which required 2^512 x 2^512. To the best of our knowledge, this is the first result on the full-round ECHO permutation with both time and memory below 2^256 or 2^224. Note that this result does not impact the security of the ECHO compression function nor the overall hash function. We also show that our method can detect non-ideal properties of the 8-round Grøstl-256 permutation with a practical complexity, and finally show that our approach leads<br />
to an improvement on a semi-free-start collision attack on the 7-round Grøstl-512 compression function.<br />
Our approach is based on a series of attacks on AES-based hash functions such as rebound attack and<br />
Super-Sbox analysis. The core idea is using a new differential path consisting of only non-full-active<br />
states.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{ITP10,<br />
author = {Kota Ideguchi and Elmar Tischhauser and Bart Preneel},<br />
title = {Improved Collision Attacks on the Reduced-Round Grøstl Hash Function},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/375},<br />
year = {2010},<br />
note = {\url{http://eprint.iacr.org/}},<br />
url = {http://eprint.iacr.org/2010/375.pdf},<br />
abstract = {We analyze the Gr{\o}stl hash function, which is a 2nd-round candidate of the SHA-3 competition. Using the start-from-the-middle variant of the rebound technique, we show collision attacks on the Gr{\o}stl-256 hash function reduced to 5 and 6 out of 10 rounds with time complexities $2^{48}$ and $2^{112}$, respectively. Furthermore, we demonstrate semi-free-start collision attacks on the Gr{\o}stl-224 and -256 hash functions reduced to 7 rounds and the Gr{\o}stl-224 and -256 compression functions reduced to 8 rounds. Our attacks are based on differential paths between the two permutations $P$ and $Q$ of Gr{\o}stl, a strategy introduced by Peyrin to construct distinguishers for the compression function. In this paper, we extend this approach to construct collision and semi-free-start collision attacks for both the hash and the compression function. Finally, we present improved distinguishers for reduced-round versions of the Gr{\o}stl-224 and -256 permutations.},<br />
}<br />
</bibtex> <br />
<br />
<bibtex> <br />
@misc{Pey10,<br />
author = {Thomas Peyrin},<br />
title = {Improved Differential Attacks for ECHO and Grostl},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/223},<br />
year = {2010},<br />
note = {\url{http://eprint.iacr.org/}},<br />
url = {http://eprint.iacr.org/2010/223.pdf},<br />
abstract = {We present improved cryptanalysis of two second-round SHA-3 candidates: the AES-based hash functions ECHO and Grostl. We explain methods for building better differential trails for ECHO by increasing the granularity of the truncated differential paths previously considered. In the case of Grostl, we describe a new technique, the internal differential attack, which shows that when using parallel computations designers should also consider the differential security between the parallel branches. Then, we exploit the recently introduced start-from-the-middle or Super-Sbox attacks, that proved to be very efficient when attacking AES-like permutations, to achieve a very efficient utilization of the available freedom degrees. Finally, we obtain the best known attacks so far for both ECHO and Grostl. In particular, we are able to mount a distinguishing attack for the full Grostl-256 compression function.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{fseGP10,<br />
author = {Henri Gilbert and Thomas Peyrin},<br />
title = {Super-Sbox Cryptanalysis: Improved Attacks for AES-like permutations},<br />
url = {http://eprint.iacr.org/2009/531.pdf},<br />
booktitle = {FSE},<br />
year = {2010},<br />
series = {LNCS},<br />
publisher = {Springer},<br />
note = {To appear}<br />
abstract = {In this paper, we improve the recent rebound and start-from-the-middle attacks on AES-like permutations. Our new cryptanalysis technique uses the fact that one can view two rounds of such permutations as a layer of big Sboxes preceded and followed by simple affine transformations. The big Sboxes encountered in this alternative representation are named Super-Sboxes. We apply this method to two second-round SHA-3 candidates Grostl and ECHO, and obtain improvements over the previous cryptanalysis results for these two schemes. Moreover, we improve the best distinguisher for the AES block cipher in the known-key setting, reaching 8 rounds for the 128-bit version.}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{ctrsaMRST10,<br />
author = {Florian Mendel and Christian Rechberger and Martin Schläffer and Søren S. Thomsen},<br />
title = {Rebound Attacks on the Reduced Grøstl Hash Function},<br />
url = {http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=128007&pCurrPk=47053},<br />
booktitle = {CT-RSA},<br />
year = {2010},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {5985},<br />
pages = {350-365},<br />
abstract = {Grøstl is one of 14 second round candidates of the<br />
NIST SHA-3 competition. Cryptanalytic results on the wide-pipe compression<br />
function of Grøstl-256 have already been published. However, little is known<br />
about the hash function, arguably a much more interesting cryptanalytic<br />
setting. Also, Grøstl-512 has not been analyzed yet. In this paper, we show<br />
the first cryptanalytic attacks on reduced-round versions of the Grøstl hash<br />
functions. These results are obtained by several extensions of the rebound<br />
attack. We present a collision attack on 4/10 rounds of the Grøstl-256 hash<br />
function and 5/14 rounds of the Grøstl-512 hash functions. Additionally, we<br />
give the best collision attack for reduced-round (7/10 and 7/14) versions of the<br />
compression function of Grøstl-256 and Grøstl-512.}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{sacMPRS09,<br />
author = {Florian Mendel and Thomas Peyrin and Christian<br />
Rechberger and Martin Schläffer},<br />
title = {Improved Cryptanalysis of the Reduced Grøstl<br />
Compression Function, ECHO Permutation and AES Block Cipher},<br />
url = {http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=124407&pCurrPk=44420},<br />
booktitle = {SAC},<br />
year = {2009},<br />
series = {LNCS},<br />
publisher = {Springer},<br />
volume = {5867},<br />
pages = {16-35},<br />
abstract = {In this paper, we propose two new ways to mount attacks<br />
on the SHA-3 candidates Gr{\o}stl, and ECHO, and apply these attacks<br />
also to the AES. Our results improve upon and extend the rebound<br />
attack. Using the new techniques, we are able to extend the number of<br />
rounds in which available degrees of freedom can be used. As a result,<br />
we present the first attack on 7 rounds for the Gr{\o}stl-256 output<br />
transformation and improve the semi-free-start collision attack on 6<br />
rounds. Further, we present an improved known-key distinguisher for 7<br />
rounds of the AES block cipher and the internal permutation used in<br />
ECHO.}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{fseMRST09,<br />
author = {Florian Mendel and Christian Rechberger and Martin Schläffer and Søren S. Thomsen},<br />
title = {The Rebound Attack: Cryptanalysis of Reduced Whirlpool and Grøstl},<br />
url = {http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=124409&pCurrPk=40943},<br />
booktitle = {FSE},<br />
editor = {Orr Dunkelman},<br />
year = {2009},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {5665},<br />
pages = {260-276},<br />
abstract = {In this work, we propose the rebound attack, a new tool<br />
for the cryptanalysis of hash functions. The idea of the rebound<br />
attack is to use the available degrees of freedom in a collision<br />
attack to efficiently bypass the low probability parts of a<br />
differential trail. The rebound attack consists of an inbound phase<br />
with a match-in-the-middle part to exploit the available degrees of<br />
freedom, and a subsequent probabilistic outbound phase. Especially on<br />
AES based hash functions, the rebound attack leads to new attacks for<br />
a surprisingly high number of<br />
rounds.<br />
We use the rebound attack to construct collisions for 4.5 rounds of<br />
the 512-bit hash function Whirlpool with a complexity of $2^{120}$<br />
compression function evaluations and negligible memory requirements.<br />
The attack can be extended to a near-collision on 7.5 rounds of the<br />
compression function of Whirlpool and 8.5 rounds of the similar hash<br />
function Maelstrom. Additionally, we apply the rebound attack to the<br />
SHA-3 submission Gr{\o}stl, which leads to an attack on 6 rounds of<br />
the Gr{\o}stl-256 compression function with a complexity of $2^{120}$<br />
and memory requirements of about $2^{64}$.}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{groestlK09,<br />
author = {John Kelsey},<br />
title = {Some notes on Grøstl},<br />
url = {http://ehash.iaik.tugraz.at/uploads/d/d0/Grostl-comment-april28.pdf},<br />
howpublished = {Available online},<br />
year = {2009},<br />
abstract = {These are some quick notes on some properties and<br />
observations of Grøstl. Nothing in this note threatens the hash<br />
function; instead, I'm pointing out some properties that are a bit<br />
surprising, and some broad approaches someone might take to get<br />
attacks to work.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{groestlB08,<br />
author = {Paulo S. L. M. Barreto},<br />
title = {An observation on Grøstl},<br />
url = {http://www.larc.usp.br/~pbarreto/Grizzly.pdf},<br />
howpublished = {Available online},<br />
year = {2008},<br />
abstract = {An alternative view of the Groestl SHA-3 submission is<br />
presented. It does not lead to an effective attack nor reveals a<br />
weakness in the design, but illustrates the importance of the<br />
double-width pipe in this construction.},<br />
}<br />
</bibtex></div>
JAumasson
https://ehash.iaik.tugraz.at/index.php?title=Groestl&diff=3661
Groestl
2010-12-08T12:36:15Z
<p>JAumasson: Undo revision 3660 by JAumasson (Talk)</p>
<hr />
<div>== The algorithm ==<br />
<br />
* Author(s): Praveen Gauravaram, Lars R. Knudsen, Krystian Matusiewicz, Florian Mendel, Christian Rechberger, Martin Schläffer, Søren S. Thomsen<br />
* Website: [http://www.groestl.info http://www.groestl.info]<br />
* NIST submission package: <br />
** round 1/2: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/documents/Grostl_Round2.zip Grostl_Round2.zip] (old version: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/Grostl.zip Grostl.zip])<br />
<br />
<br />
<bibtex><br />
@misc{sha3groestl,<br />
author = {Praveen Gauravaram and Lars R. Knudsen and Krystian Matusiewicz and Florian Mendel and Christian Rechberger and Martin Schläffer and Søren S. Thomsen},<br />
title = {Grøstl -- a SHA-3 candidate},<br />
url = {http://www.groestl.info/Groestl.pdf},<br />
howpublished = {Submission to NIST},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{sha3groestl,<br />
author = {Praveen Gauravaram and Lars R. Knudsen and Krystian Matusiewicz and Florian Mendel and Christian Rechberger and Martin Schläffer and Søren S. Thomsen},<br />
title = {Grøstl Addendum},<br />
url = {http://groestl.info/Groestl-addendum.pdf},<br />
howpublished = {Available online},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
== Cryptanalysis ==<br />
<br />
We distinguish between two cases: results on the complete hash function, and results on underlying building blocks.<br />
<br />
A description of the tables is given [http://ehash.iaik.tugraz.at/wiki/Cryptanalysis_Categories#Individual_Hash_Function_Tables here].<br />
<br />
Recommended security parameter: '''10''' rounds (n=224,256); '''14''' rounds (n=384,512)<br />
<br />
=== Hash function ===<br />
<br />
Here we list results on the hash function according to the NIST requirements. The only allowed modification is to change the security parameter.<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Size (n) || Parameters || Compression Function Calls || Memory Requirements || Reference <br />
|-<br />
| collision || 224,256 || 5 rounds || 2<sup>48</sup> || 2<sup>32</sup> || [http://eprint.iacr.org/2010/375.pdf Ideguchi,Tischhauser,Preneel]<br />
|-<br />
| collision || 256 || 6 rounds || 2<sup>112</sup> || 2<sup>32</sup> || [http://eprint.iacr.org/2010/375.pdf Ideguchi,Tischhauser,Preneel]<br />
|-<br />
| collision || 224,256 || 4 rounds || 2<sup>64</sup> || 2<sup>64</sup> || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=128007&pCurrPk=47053 Mendel,Rechberger,Schläffer,Thomsen]<br />
|- <br />
| collision || 224,256 || 3 rounds || 2<sup>64</sup> || - || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=128007&pCurrPk=47053 Mendel,Rechberger,Schläffer,Thomsen]<br />
|- <br />
| collision || 384,512 || 5 rounds || 2<sup>176</sup> || 2<sup>64</sup> || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=128007&pCurrPk=47053 Mendel,Rechberger,Schläffer,Thomsen]<br />
|- <br />
| collision || 384,512 || 4 rounds || 2<sup>64</sup> || 2<sup>64</sup> || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=128007&pCurrPk=47053 Mendel,Rechberger,Schläffer,Thomsen]<br />
|- <br />
|} <br />
<br />
<br />
=== Building blocks ===<br />
<br />
Here we list results on underlying building blocks, and the hash function modified by other means than the security parameter.<br />
<br />
Note that these results assume more direct control or access over some internal variables (aka. free-start, pseudo, compression function, block cipher, or permutation attacks). <br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| distinguisher || compression function || 256 || 10 rounds || 2<sup>175</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/607.pdf Naya-Plasencia]<br />
|-<br />
| distinguisher || compression function || 512 || 11 rounds || 2<sup>630</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/607.pdf Naya-Plasencia]<br />
|-<br />
| semi-free-start collision || compression function || 224,256 || 7 rounds || 2<sup>80</sup> || 2<sup>32</sup> || [http://eprint.iacr.org/2010/375.pdf Ideguchi,Tischhauser,Preneel]<br />
|-<br />
| semi-free-start collision || compression function || 224,256 || 8 rounds || 2<sup>192</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/375.pdf Ideguchi,Tischhauser,Preneel]<br />
|-<br />
| distinguisher || permutation || 224,256 || 7 rounds || 2<sup>19</sup> || - || [http://eprint.iacr.org/2010/375.pdf Ideguchi,Tischhauser,Preneel]<br />
|-<br />
| distinguisher || permutation || 224,256 || 8 rounds || 2<sup>64</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/375.pdf Ideguchi,Tischhauser,Preneel]<br />
|-<br />
| distinguisher || compression function || 256 || 10 rounds || 2<sup>192</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/223.pdf Peyrin]<br />
|- <br />
| distinguisher || compression function || 256 || 9 rounds || 2<sup>80</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/223.pdf Peyrin]<br />
|- <br />
| distinguisher || compression function || 512 || 11 rounds || 2<sup>640</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/223.pdf Peyrin]<br />
|- <br />
| semi-free-start collision || compression function || 256 || 7 rounds || 2<sup>120</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2009/531.pdf Gilbert,Peyrin]<br />
|- <br />
| distinguisher || compression function || 256 || 8 rounds || 2<sup>112</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2009/531.pdf Gilbert,Peyrin]<br />
|- <br />
| distinguisher || permutation || 256 || 8 rounds || 2<sup>112</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2009/531.pdf Gilbert,Peyrin]<br />
|- <br />
| semi-free-start collision || compression function || 256 || 7 rounds || 2<sup>120</sup> || 2<sup>64</sup> || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=128007&pCurrPk=47053 Mendel,Rechberger,Schläffer,Thomsen]<br />
|- <br />
| semi-free-start collision || compression function|| 384,512 || 7 rounds || 2<sup>152</sup> || 2<sup>64</sup> || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=128007&pCurrPk=47053 Mendel,Rechberger,Schläffer,Thomsen]<br />
|- <br />
| semi-free-start collision || compression function || 224,256 || 6 rounds || 2<sup>64</sup> || 2<sup>64</sup> || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=124407&pCurrPk=44420 Mendel,Peyrin,Rechberger,Schläffer]<br />
|- <br />
| distinguisher || output transformation || 224,256 || 7 rounds || 2<sup>56</sup> || - || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=124407&pCurrPk=44420 Mendel,Peyrin,Rechberger,Schläffer]<br />
|- <br />
| distinguisher || permutation || 224,256 || 7 rounds || 2<sup>55</sup> || - || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=124407&pCurrPk=44420 Mendel,Peyrin,Rechberger,Schläffer]<br />
|- <br />
| semi-free-start collision || compression function || 256 || 6 rounds || 2<sup>120</sup> || 2<sup>64</sup> || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=124409&pCurrPk=40943 Mendel,Rechberger,Schläffer,Thomsen]<br />
|- <br />
| semi-free-start collision || compression function || 224,256 || 5 rounds || 2<sup>64</sup> || - || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=124409&pCurrPk=40943 Mendel,Rechberger,Schläffer,Thomsen]<br />
|- <br />
| observation || hash || all || || || || [http://ehash.iaik.tugraz.at/uploads/d/d0/Grostl-comment-april28.pdf Kelsey]<br />
|- <br />
| observation || block cipher || all || || || || [http://www.larc.usp.br/~pbarreto/Grizzly.pdf Barreto]<br />
|- <br />
| free-start collision || compression function || all || any || 2<sup>2n/3</sup> || 2<sup>2n/3</sup> || [http://www.groestl.info/Groestl.pdf submission document]<br />
|- <br />
| pseudo-preimage || compression function || all || any || 2<sup>n</sup> || - || [http://www.groestl.info/Groestl.pdf submission document]<br />
|- <br />
|}<br />
<br />
<br />
== Cryptanalysis ==<br />
<br />
We distinguish between two cases: results on the complete hash function, and results on underlying building blocks.<br />
<br />
A description of the tables is given [http://ehash.iaik.tugraz.at/wiki/Cryptanalysis_Categories#Individual_Hash_Function_Tables here].<br />
<br />
Recommended security parameter: '''8''' rounds (n=224,256); '''10''' rounds (n=384,512)<br />
<br />
=== Hash function ===<br />
<br />
Here we list results on the hash function according to the NIST requirements. The only allowed modification is to change the security parameter.<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Size (n) || Parameters || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| collision<sup>(1)</sup> || 256 || 5 rounds || 2<sup>112</sup> || 2<sup>85.3</sup> || [http://eprint.iacr.org/2010/588.pdf Schläffer]<br />
|- <br />
|} <br />
<br />
<sup>(1)</sup> In this attack some problems in the [http://eprint.iacr.org/2010/321.pdf previous attacks] (pointed out by [http://eprint.iacr.org/2010/569.pdf Jean,Fouque]) have been corrected.<br />
<br />
<br />
=== Building blocks ===<br />
<br />
Here we list results on underlying building blocks, and the hash function modified by other means than the security parameter.<br />
<br />
Note that these results assume more direct control or access over some internal variables (aka. free-start, pseudo, compression function, block cipher, or permutation attacks). <br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements || Reference <br />
|-<br />
| distinguisher || permutation || 256 || 8 rounds || 2<sup>151</sup> || 2<sup>67</sup> || [http://eprint.iacr.org/2010/607.pdf Naya-Plasencia]<br />
|- <br />
| distinguisher<sup>(1)</sup> (chosen salt) || compression function || 256 || 7 rounds || 2<sup>160</sup> || 2<sup>128</sup> || [http://eprint.iacr.org/2010/588.pdf Schläffer]<br />
|- <br />
| free-start collision<sup>(1)</sup> (chosen salt) || compression function || 256 || 6 rounds || 2<sup>160</sup> || 2<sup>128</sup> || [http://eprint.iacr.org/2010/588.pdf Schläffer]<br />
|-<br />
| semi-free-start collision || compression function || 256 || 4 rounds || 2<sup>52</sup> || 2<sup>16</sup> || [http://eprint.iacr.org/2010/569.pdf Jean,Fouque]<br />
|- <br />
| semi-free-start collision || compression function || 256 || 3 rounds || 2<sup>64</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/223.pdf Peyrin]<br />
|- <br />
| distinguisher || compression function || 256 || 4 rounds || 2<sup>64</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/223.pdf Peyrin]<br />
|- <br />
| semi-free-start collision || compression function || 512 || 3 rounds || 2<sup>96</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/223.pdf Peyrin]<br />
|- <br />
| distinguisher || compression function || 512 || 6 rounds || 2<sup>96</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/223.pdf Peyrin]<br />
|- <br />
| distinguisher || permutation || all || 8 rounds || 2<sup>768</sup> || 2<sup>512</sup> || [http://eprint.iacr.org/2009/531.pdf Gilbert,Peyrin]<br />
|- <br />
| distinguisher || permutation || all || 7 rounds || 2<sup>384</sup> || 2<sup>64</sup> || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=110408 Mendel,Peyrin,Rechberger,Schläffer]<br />
|- <br />
| distinguisher || permutation || all || 7 rounds || 2<sup>896</sup> || - || [http://crypto.rd.francetelecom.com/echo/doc/echo_description_1-5.pdf submission document]<br />
|- <br />
|} <br />
<br />
<sup>(1)</sup> In this attack some problems in the [http://eprint.iacr.org/2010/321.pdf previous attacks] (pointed out by [http://eprint.iacr.org/2010/569.pdf Jean,Fouque]) have been corrected.<br />
<br />
<br />
<bibtex><br />
@misc{cryptoeprint:2010:607,<br />
author = {María Naya-Plasencia},<br />
title = {Scrutinizing rebound attacks: new algorithms for improving the complexities},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/607},<br />
year = {2010},<br />
note = {\url{http://eprint.iacr.org/}},<br />
url = {http://eprint.iacr.org/2010/607.pdf},<br />
abstract = {Rebound attacks are a state-of-the-art analysis method for hash functions. These cryptanalysis methods are based on a well chosen differential path and have been applied to several hash functions from the SHA-3 competition, providing the best known analysis in these cases. In this paper we study rebound attacks in detail and find for a great number of cases, that complexities of existing attacks can be improved. This is done by determining problems that adapt optimally to the cryptanalytic situation, and by using better algorithms to follow the differential path. These improvements are essentially based on merging big lists in a more efficient way, as well as on new ideas on how to reduce the complexities. As a result, we introduce general purpose new algorithms for enabling further rebound analysis to be as performant as possible. We illustrate our new algorithms for real hash functions and demonstrate how to reduce the complexities of the best known analysis on five hash functions: JH, Grøstl, ECHO, Luffa and Lane (the first four are round two SHA-3 candidates).},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{ITP10,<br />
author = {Kota Ideguchi and Elmar Tischhauser and Bart Preneel},<br />
title = {Improved Collision Attacks on the Reduced-Round Grøstl Hash Function},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/375},<br />
year = {2010},<br />
note = {\url{http://eprint.iacr.org/}},<br />
url = {http://eprint.iacr.org/2010/375.pdf},<br />
abstract = {We analyze the Gr{\o}stl hash function, which is a 2nd-round candidate of the SHA-3 competition. Using the start-from-the-middle variant of the rebound technique, we show collision attacks on the Gr{\o}stl-256 hash function reduced to 5 and 6 out of 10 rounds with time complexities $2^{48}$ and $2^{112}$, respectively. Furthermore, we demonstrate semi-free-start collision attacks on the Gr{\o}stl-224 and -256 hash functions reduced to 7 rounds and the Gr{\o}stl-224 and -256 compression functions reduced to 8 rounds. Our attacks are based on differential paths between the two permutations $P$ and $Q$ of Gr{\o}stl, a strategy introduced by Peyrin to construct distinguishers for the compression function. In this paper, we extend this approach to construct collision and semi-free-start collision attacks for both the hash and the compression function. Finally, we present improved distinguishers for reduced-round versions of the Gr{\o}stl-224 and -256 permutations.},<br />
}<br />
</bibtex> <br />
<br />
<bibtex> <br />
@misc{Pey10,<br />
author = {Thomas Peyrin},<br />
title = {Improved Differential Attacks for ECHO and Grostl},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/223},<br />
year = {2010},<br />
note = {\url{http://eprint.iacr.org/}},<br />
url = {http://eprint.iacr.org/2010/223.pdf},<br />
abstract = {We present improved cryptanalysis of two second-round SHA-3 candidates: the AES-based hash functions ECHO and Grostl. We explain methods for building better differential trails for ECHO by increasing the granularity of the truncated differential paths previously considered. In the case of Grostl, we describe a new technique, the internal differential attack, which shows that when using parallel computations designers should also consider the differential security between the parallel branches. Then, we exploit the recently introduced start-from-the-middle or Super-Sbox attacks, that proved to be very efficient when attacking AES-like permutations, to achieve a very efficient utilization of the available freedom degrees. Finally, we obtain the best known attacks so far for both ECHO and Grostl. In particular, we are able to mount a distinguishing attack for the full Grostl-256 compression function.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{fseGP10,<br />
author = {Henri Gilbert and Thomas Peyrin},<br />
title = {Super-Sbox Cryptanalysis: Improved Attacks for AES-like permutations},<br />
url = {http://eprint.iacr.org/2009/531.pdf},<br />
booktitle = {FSE},<br />
year = {2010},<br />
series = {LNCS},<br />
publisher = {Springer},<br />
note = {To appear}<br />
abstract = {In this paper, we improve the recent rebound and start-from-the-middle attacks on AES-like permutations. Our new cryptanalysis technique uses the fact that one can view two rounds of such permutations as a layer of big Sboxes preceded and followed by simple affine transformations. The big Sboxes encountered in this alternative representation are named Super-Sboxes. We apply this method to two second-round SHA-3 candidates Grostl and ECHO, and obtain improvements over the previous cryptanalysis results for these two schemes. Moreover, we improve the best distinguisher for the AES block cipher in the known-key setting, reaching 8 rounds for the 128-bit version.}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{ctrsaMRST10,<br />
author = {Florian Mendel and Christian Rechberger and Martin Schläffer and Søren S. Thomsen},<br />
title = {Rebound Attacks on the Reduced Grøstl Hash Function},<br />
url = {http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=128007&pCurrPk=47053},<br />
booktitle = {CT-RSA},<br />
year = {2010},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {5985},<br />
pages = {350-365},<br />
abstract = {Grøstl is one of 14 second round candidates of the<br />
NIST SHA-3 competition. Cryptanalytic results on the wide-pipe compression<br />
function of Grøstl-256 have already been published. However, little is known<br />
about the hash function, arguably a much more interesting cryptanalytic<br />
setting. Also, Grøstl-512 has not been analyzed yet. In this paper, we show<br />
the first cryptanalytic attacks on reduced-round versions of the Grøstl hash<br />
functions. These results are obtained by several extensions of the rebound<br />
attack. We present a collision attack on 4/10 rounds of the Grøstl-256 hash<br />
function and 5/14 rounds of the Grøstl-512 hash functions. Additionally, we<br />
give the best collision attack for reduced-round (7/10 and 7/14) versions of the<br />
compression function of Grøstl-256 and Grøstl-512.}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{sacMPRS09,<br />
author = {Florian Mendel and Thomas Peyrin and Christian<br />
Rechberger and Martin Schläffer},<br />
title = {Improved Cryptanalysis of the Reduced Grøstl<br />
Compression Function, ECHO Permutation and AES Block Cipher},<br />
url = {http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=124407&pCurrPk=44420},<br />
booktitle = {SAC},<br />
year = {2009},<br />
series = {LNCS},<br />
publisher = {Springer},<br />
volume = {5867},<br />
pages = {16-35},<br />
abstract = {In this paper, we propose two new ways to mount attacks<br />
on the SHA-3 candidates Gr{\o}stl, and ECHO, and apply these attacks<br />
also to the AES. Our results improve upon and extend the rebound<br />
attack. Using the new techniques, we are able to extend the number of<br />
rounds in which available degrees of freedom can be used. As a result,<br />
we present the first attack on 7 rounds for the Gr{\o}stl-256 output<br />
transformation and improve the semi-free-start collision attack on 6<br />
rounds. Further, we present an improved known-key distinguisher for 7<br />
rounds of the AES block cipher and the internal permutation used in<br />
ECHO.}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{fseMRST09,<br />
author = {Florian Mendel and Christian Rechberger and Martin Schläffer and Søren S. Thomsen},<br />
title = {The Rebound Attack: Cryptanalysis of Reduced Whirlpool and Grøstl},<br />
url = {http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=124409&pCurrPk=40943},<br />
booktitle = {FSE},<br />
editor = {Orr Dunkelman},<br />
year = {2009},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {5665},<br />
pages = {260-276},<br />
abstract = {In this work, we propose the rebound attack, a new tool<br />
for the cryptanalysis of hash functions. The idea of the rebound<br />
attack is to use the available degrees of freedom in a collision<br />
attack to efficiently bypass the low probability parts of a<br />
differential trail. The rebound attack consists of an inbound phase<br />
with a match-in-the-middle part to exploit the available degrees of<br />
freedom, and a subsequent probabilistic outbound phase. Especially on<br />
AES based hash functions, the rebound attack leads to new attacks for<br />
a surprisingly high number of<br />
rounds.<br />
We use the rebound attack to construct collisions for 4.5 rounds of<br />
the 512-bit hash function Whirlpool with a complexity of $2^{120}$<br />
compression function evaluations and negligible memory requirements.<br />
The attack can be extended to a near-collision on 7.5 rounds of the<br />
compression function of Whirlpool and 8.5 rounds of the similar hash<br />
function Maelstrom. Additionally, we apply the rebound attack to the<br />
SHA-3 submission Gr{\o}stl, which leads to an attack on 6 rounds of<br />
the Gr{\o}stl-256 compression function with a complexity of $2^{120}$<br />
and memory requirements of about $2^{64}$.}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{groestlK09,<br />
author = {John Kelsey},<br />
title = {Some notes on Grøstl},<br />
url = {http://ehash.iaik.tugraz.at/uploads/d/d0/Grostl-comment-april28.pdf},<br />
howpublished = {Available online},<br />
year = {2009},<br />
abstract = {These are some quick notes on some properties and<br />
observations of Grøstl. Nothing in this note threatens the hash<br />
function; instead, I'm pointing out some properties that are a bit<br />
surprising, and some broad approaches someone might take to get<br />
attacks to work.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{groestlB08,<br />
author = {Paulo S. L. M. Barreto},<br />
title = {An observation on Grøstl},<br />
url = {http://www.larc.usp.br/~pbarreto/Grizzly.pdf},<br />
howpublished = {Available online},<br />
year = {2008},<br />
abstract = {An alternative view of the Groestl SHA-3 submission is<br />
presented. It does not lead to an effective attack nor reveals a<br />
weakness in the design, but illustrates the importance of the<br />
double-width pipe in this construction.},<br />
}<br />
</bibtex></div>
JAumasson
https://ehash.iaik.tugraz.at/index.php?title=Groestl&diff=3660
Groestl
2010-12-08T12:34:48Z
<p>JAumasson: /* Building blocks */ added Sasaki et al.</p>
<hr />
<div>== The algorithm ==<br />
<br />
* Author(s): Praveen Gauravaram, Lars R. Knudsen, Krystian Matusiewicz, Florian Mendel, Christian Rechberger, Martin Schläffer, Søren S. Thomsen<br />
* Website: [http://www.groestl.info http://www.groestl.info]<br />
* NIST submission package: <br />
** round 1/2: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/documents/Grostl_Round2.zip Grostl_Round2.zip] (old version: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/Grostl.zip Grostl.zip])<br />
<br />
<br />
<bibtex><br />
@misc{sha3groestl,<br />
author = {Praveen Gauravaram and Lars R. Knudsen and Krystian Matusiewicz and Florian Mendel and Christian Rechberger and Martin Schläffer and Søren S. Thomsen},<br />
title = {Grøstl -- a SHA-3 candidate},<br />
url = {http://www.groestl.info/Groestl.pdf},<br />
howpublished = {Submission to NIST},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{sha3groestl,<br />
author = {Praveen Gauravaram and Lars R. Knudsen and Krystian Matusiewicz and Florian Mendel and Christian Rechberger and Martin Schläffer and Søren S. Thomsen},<br />
title = {Grøstl Addendum},<br />
url = {http://groestl.info/Groestl-addendum.pdf},<br />
howpublished = {Available online},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
== Cryptanalysis ==<br />
<br />
We distinguish between two cases: results on the complete hash function, and results on underlying building blocks.<br />
<br />
A description of the tables is given [http://ehash.iaik.tugraz.at/wiki/Cryptanalysis_Categories#Individual_Hash_Function_Tables here].<br />
<br />
Recommended security parameter: '''10''' rounds (n=224,256); '''14''' rounds (n=384,512)<br />
<br />
=== Hash function ===<br />
<br />
Here we list results on the hash function according to the NIST requirements. The only allowed modification is to change the security parameter.<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Size (n) || Parameters || Compression Function Calls || Memory Requirements || Reference <br />
|-<br />
| collision || 224,256 || 5 rounds || 2<sup>48</sup> || 2<sup>32</sup> || [http://eprint.iacr.org/2010/375.pdf Ideguchi,Tischhauser,Preneel]<br />
|-<br />
| collision || 256 || 6 rounds || 2<sup>112</sup> || 2<sup>32</sup> || [http://eprint.iacr.org/2010/375.pdf Ideguchi,Tischhauser,Preneel]<br />
|-<br />
| collision || 224,256 || 4 rounds || 2<sup>64</sup> || 2<sup>64</sup> || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=128007&pCurrPk=47053 Mendel,Rechberger,Schläffer,Thomsen]<br />
|- <br />
| collision || 224,256 || 3 rounds || 2<sup>64</sup> || - || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=128007&pCurrPk=47053 Mendel,Rechberger,Schläffer,Thomsen]<br />
|- <br />
| collision || 384,512 || 5 rounds || 2<sup>176</sup> || 2<sup>64</sup> || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=128007&pCurrPk=47053 Mendel,Rechberger,Schläffer,Thomsen]<br />
|- <br />
| collision || 384,512 || 4 rounds || 2<sup>64</sup> || 2<sup>64</sup> || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=128007&pCurrPk=47053 Mendel,Rechberger,Schläffer,Thomsen]<br />
|- <br />
|} <br />
<br />
<br />
=== Building blocks ===<br />
<br />
Here we list results on underlying building blocks, and the hash function modified by other means than the security parameter.<br />
<br />
Note that these results assume more direct control or access over some internal variables (aka. free-start, pseudo, compression function, block cipher, or permutation attacks). <br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| distinguisher || compression function || 256 || 10 rounds || 2<sup>175</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/607.pdf Naya-Plasencia]<br />
|-<br />
| distinguisher || compression function || 512 || 11 rounds || 2<sup>630</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/607.pdf Naya-Plasencia]<br />
|-<br />
| semi-free-start collision || compression function || 224,256 || 7 rounds || 2<sup>80</sup> || 2<sup>32</sup> || [http://eprint.iacr.org/2010/375.pdf Ideguchi,Tischhauser,Preneel]<br />
|-<br />
| semi-free-start collision || compression function || 224,256 || 8 rounds || 2<sup>192</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/375.pdf Ideguchi,Tischhauser,Preneel]<br />
|-<br />
| distinguisher || permutation || 224,256 || 7 rounds || 2<sup>19</sup> || - || [http://eprint.iacr.org/2010/375.pdf Ideguchi,Tischhauser,Preneel]<br />
|-<br />
| distinguisher || permutation || 224,256 || 8 rounds || 2<sup>64</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/375.pdf Ideguchi,Tischhauser,Preneel]<br />
|-<br />
| distinguisher || compression function || 256 || 10 rounds || 2<sup>192</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/223.pdf Peyrin]<br />
|- <br />
| distinguisher || compression function || 256 || 9 rounds || 2<sup>80</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/223.pdf Peyrin]<br />
|- <br />
| distinguisher || compression function || 512 || 11 rounds || 2<sup>640</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/223.pdf Peyrin]<br />
|- <br />
| semi-free-start collision || compression function || 256 || 7 rounds || 2<sup>120</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2009/531.pdf Gilbert,Peyrin]<br />
|- <br />
| distinguisher || compression function || 256 || 8 rounds || 2<sup>112</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2009/531.pdf Gilbert,Peyrin]<br />
|- <br />
| distinguisher || permutation || 256 || 8 rounds || 2<sup>112</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2009/531.pdf Gilbert,Peyrin]<br />
|- <br />
| semi-free-start collision || compression function || 256 || 7 rounds || 2<sup>120</sup> || 2<sup>64</sup> || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=128007&pCurrPk=47053 Mendel,Rechberger,Schläffer,Thomsen]<br />
|- <br />
| semi-free-start collision || compression function|| 384,512 || 7 rounds || 2<sup>152</sup> || 2<sup>64</sup> || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=128007&pCurrPk=47053 Mendel,Rechberger,Schläffer,Thomsen]<br />
|- <br />
| semi-free-start collision || compression function || 224,256 || 6 rounds || 2<sup>64</sup> || 2<sup>64</sup> || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=124407&pCurrPk=44420 Mendel,Peyrin,Rechberger,Schläffer]<br />
|- <br />
| distinguisher || output transformation || 224,256 || 7 rounds || 2<sup>56</sup> || - || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=124407&pCurrPk=44420 Mendel,Peyrin,Rechberger,Schläffer]<br />
|- <br />
| distinguisher || permutation || 224,256 || 7 rounds || 2<sup>55</sup> || - || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=124407&pCurrPk=44420 Mendel,Peyrin,Rechberger,Schläffer]<br />
|- <br />
| semi-free-start collision || compression function || 256 || 6 rounds || 2<sup>120</sup> || 2<sup>64</sup> || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=124409&pCurrPk=40943 Mendel,Rechberger,Schläffer,Thomsen]<br />
|- <br />
| semi-free-start collision || compression function || 224,256 || 5 rounds || 2<sup>64</sup> || - || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=124409&pCurrPk=40943 Mendel,Rechberger,Schläffer,Thomsen]<br />
|- <br />
| observation || hash || all || || || || [http://ehash.iaik.tugraz.at/uploads/d/d0/Grostl-comment-april28.pdf Kelsey]<br />
|- <br />
| observation || block cipher || all || || || || [http://www.larc.usp.br/~pbarreto/Grizzly.pdf Barreto]<br />
|- <br />
| free-start collision || compression function || all || any || 2<sup>2n/3</sup> || 2<sup>2n/3</sup> || [http://www.groestl.info/Groestl.pdf submission document]<br />
|- <br />
| pseudo-preimage || compression function || all || any || 2<sup>n</sup> || - || [http://www.groestl.info/Groestl.pdf submission document]<br />
|- <br />
|}<br />
<br />
<br />
== Cryptanalysis ==<br />
<br />
We distinguish between two cases: results on the complete hash function, and results on underlying building blocks.<br />
<br />
A description of the tables is given [http://ehash.iaik.tugraz.at/wiki/Cryptanalysis_Categories#Individual_Hash_Function_Tables here].<br />
<br />
Recommended security parameter: '''8''' rounds (n=224,256); '''10''' rounds (n=384,512)<br />
<br />
=== Hash function ===<br />
<br />
Here we list results on the hash function according to the NIST requirements. The only allowed modification is to change the security parameter.<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Size (n) || Parameters || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| collision<sup>(1)</sup> || 256 || 5 rounds || 2<sup>112</sup> || 2<sup>85.3</sup> || [http://eprint.iacr.org/2010/588.pdf Schläffer]<br />
|- <br />
|} <br />
<br />
<sup>(1)</sup> In this attack some problems in the [http://eprint.iacr.org/2010/321.pdf previous attacks] (pointed out by [http://eprint.iacr.org/2010/569.pdf Jean,Fouque]) have been corrected.<br />
<br />
<br />
=== Building blocks ===<br />
<br />
Here we list results on underlying building blocks, and the hash function modified by other means than the security parameter.<br />
<br />
Note that these results assume more direct control or access over some internal variables (aka. free-start, pseudo, compression function, block cipher, or permutation attacks). <br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements || Reference <br />
|-<br />
| distinguisher || permutation || 256 || 8 rounds || 2<sup>151</sup> || 2<sup>67</sup> || [http://eprint.iacr.org/2010/607.pdf Naya-Plasencia]<br />
|- <br />
| distinguisher || permutation || 256 || 8 rounds || 2<sup>48</sup> || 2<sup>8</sup> || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SASAKI_ECHOanalysisFinal.pdf Sasaki,Li,Wang,Sakiyama,Ohta]<br />
|- <br />
| semi-free-start collision || compression function || 512 || 7 rounds || 2<sup>152</sup> || 2<sup>56</sup> || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SASAKI_ECHOanalysisFinal.pdf Sasaki,Li,Wang,Sakiyama,Ohta]<br />
|- <br />
| distinguisher<sup>(1)</sup> (chosen salt) || compression function || 256 || 7 rounds || 2<sup>160</sup> || 2<sup>128</sup> || [http://eprint.iacr.org/2010/588.pdf Schläffer]<br />
|- <br />
| free-start collision<sup>(1)</sup> (chosen salt) || compression function || 256 || 6 rounds || 2<sup>160</sup> || 2<sup>128</sup> || [http://eprint.iacr.org/2010/588.pdf Schläffer]<br />
|-<br />
| semi-free-start collision || compression function || 256 || 4 rounds || 2<sup>52</sup> || 2<sup>16</sup> || [http://eprint.iacr.org/2010/569.pdf Jean,Fouque]<br />
|- <br />
| semi-free-start collision || compression function || 256 || 3 rounds || 2<sup>64</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/223.pdf Peyrin]<br />
|- <br />
| distinguisher || compression function || 256 || 4 rounds || 2<sup>64</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/223.pdf Peyrin]<br />
|- <br />
| semi-free-start collision || compression function || 512 || 3 rounds || 2<sup>96</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/223.pdf Peyrin]<br />
|- <br />
| distinguisher || compression function || 512 || 6 rounds || 2<sup>96</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/223.pdf Peyrin]<br />
|- <br />
| distinguisher || permutation || all || 8 rounds || 2<sup>768</sup> || 2<sup>512</sup> || [http://eprint.iacr.org/2009/531.pdf Gilbert,Peyrin]<br />
|- <br />
| distinguisher || permutation || all || 7 rounds || 2<sup>384</sup> || 2<sup>64</sup> || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=110408 Mendel,Peyrin,Rechberger,Schläffer]<br />
|- <br />
| distinguisher || permutation || all || 7 rounds || 2<sup>896</sup> || - || [http://crypto.rd.francetelecom.com/echo/doc/echo_description_1-5.pdf submission document]<br />
|- <br />
|} <br />
<br />
<sup>(1)</sup> In this attack some problems in the [http://eprint.iacr.org/2010/321.pdf previous attacks] (pointed out by [http://eprint.iacr.org/2010/569.pdf Jean,Fouque]) have been corrected.<br />
<br />
<br />
<bibtex><br />
@misc{cryptoeprint:2010:607,<br />
author = {María Naya-Plasencia},<br />
title = {Scrutinizing rebound attacks: new algorithms for improving the complexities},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/607},<br />
year = {2010},<br />
note = {\url{http://eprint.iacr.org/}},<br />
url = {http://eprint.iacr.org/2010/607.pdf},<br />
abstract = {Rebound attacks are a state-of-the-art analysis method for hash functions. These cryptanalysis methods are based on a well chosen differential path and have been applied to several hash functions from the SHA-3 competition, providing the best known analysis in these cases. In this paper we study rebound attacks in detail and find for a great number of cases, that complexities of existing attacks can be improved. This is done by determining problems that adapt optimally to the cryptanalytic situation, and by using better algorithms to follow the differential path. These improvements are essentially based on merging big lists in a more efficient way, as well as on new ideas on how to reduce the complexities. As a result, we introduce general purpose new algorithms for enabling further rebound analysis to be as performant as possible. We illustrate our new algorithms for real hash functions and demonstrate how to reduce the complexities of the best known analysis on five hash functions: JH, Grøstl, ECHO, Luffa and Lane (the first four are round two SHA-3 candidates).},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{groestlechoSLWSO10,<br />
author = {Yu Sasaki and Yang Li and Lei Wang and Kazuo Sakiyama and Kazuo Ohta},<br />
title = {New Non-Ideal Properties of AES-Based Permutations: Applications to ECHO and Grøstl<br />
},<br />
howpublished = {Second SHA-3 Candidate Conference},<br />
year = {2010},<br />
url = {http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SASAKI_ECHOanalysisFinal.pdf},<br />
abstract = {In this paper, we present non-full-active Super-Sbox analysis which can detect non-ideal<br />
properties of a class of AES-based permutations with a low complexity. We apply this framework<br />
to SHA-3 round-2 candidates ECHO and Grøstl. The first application is for the full-round (8-round)<br />
ECHO permutation, which is a building block for 256-bit and 224-bit output sizes. By combining several<br />
observations specific to ECHO, our attack detects a non-ideal property with a time complexity of 2^182<br />
and 2^37 amount of memory. The complexity, especially in terms of the product of time and memory,<br />
is drastically reduced from the previous best attack which required 2^512 x 2^512. To the best of our knowledge, this is the first result on the full-round ECHO permutation with both time and memory below 2^256 or 2^224. Note that this result does not impact the security of the ECHO compression function nor the overall hash function. We also show that our method can detect non-ideal properties of the 8-round Grøstl-256 permutation with a practical complexity, and finally show that our approach leads<br />
to an improvement on a semi-free-start collision attack on the 7-round Grøstl-512 compression function.<br />
Our approach is based on a series of attacks on AES-based hash functions such as rebound attack and<br />
Super-Sbox analysis. The core idea is using a new differential path consisting of only non-full-active<br />
states.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{ITP10,<br />
author = {Kota Ideguchi and Elmar Tischhauser and Bart Preneel},<br />
title = {Improved Collision Attacks on the Reduced-Round Grøstl Hash Function},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/375},<br />
year = {2010},<br />
note = {\url{http://eprint.iacr.org/}},<br />
url = {http://eprint.iacr.org/2010/375.pdf},<br />
abstract = {We analyze the Gr{\o}stl hash function, which is a 2nd-round candidate of the SHA-3 competition. Using the start-from-the-middle variant of the rebound technique, we show collision attacks on the Gr{\o}stl-256 hash function reduced to 5 and 6 out of 10 rounds with time complexities $2^{48}$ and $2^{112}$, respectively. Furthermore, we demonstrate semi-free-start collision attacks on the Gr{\o}stl-224 and -256 hash functions reduced to 7 rounds and the Gr{\o}stl-224 and -256 compression functions reduced to 8 rounds. Our attacks are based on differential paths between the two permutations $P$ and $Q$ of Gr{\o}stl, a strategy introduced by Peyrin to construct distinguishers for the compression function. In this paper, we extend this approach to construct collision and semi-free-start collision attacks for both the hash and the compression function. Finally, we present improved distinguishers for reduced-round versions of the Gr{\o}stl-224 and -256 permutations.},<br />
}<br />
</bibtex> <br />
<br />
<bibtex> <br />
@misc{Pey10,<br />
author = {Thomas Peyrin},<br />
title = {Improved Differential Attacks for ECHO and Grostl},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/223},<br />
year = {2010},<br />
note = {\url{http://eprint.iacr.org/}},<br />
url = {http://eprint.iacr.org/2010/223.pdf},<br />
abstract = {We present improved cryptanalysis of two second-round SHA-3 candidates: the AES-based hash functions ECHO and Grostl. We explain methods for building better differential trails for ECHO by increasing the granularity of the truncated differential paths previously considered. In the case of Grostl, we describe a new technique, the internal differential attack, which shows that when using parallel computations designers should also consider the differential security between the parallel branches. Then, we exploit the recently introduced start-from-the-middle or Super-Sbox attacks, that proved to be very efficient when attacking AES-like permutations, to achieve a very efficient utilization of the available freedom degrees. Finally, we obtain the best known attacks so far for both ECHO and Grostl. In particular, we are able to mount a distinguishing attack for the full Grostl-256 compression function.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{fseGP10,<br />
author = {Henri Gilbert and Thomas Peyrin},<br />
title = {Super-Sbox Cryptanalysis: Improved Attacks for AES-like permutations},<br />
url = {http://eprint.iacr.org/2009/531.pdf},<br />
booktitle = {FSE},<br />
year = {2010},<br />
series = {LNCS},<br />
publisher = {Springer},<br />
note = {To appear}<br />
abstract = {In this paper, we improve the recent rebound and start-from-the-middle attacks on AES-like permutations. Our new cryptanalysis technique uses the fact that one can view two rounds of such permutations as a layer of big Sboxes preceded and followed by simple affine transformations. The big Sboxes encountered in this alternative representation are named Super-Sboxes. We apply this method to two second-round SHA-3 candidates Grostl and ECHO, and obtain improvements over the previous cryptanalysis results for these two schemes. Moreover, we improve the best distinguisher for the AES block cipher in the known-key setting, reaching 8 rounds for the 128-bit version.}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{ctrsaMRST10,<br />
author = {Florian Mendel and Christian Rechberger and Martin Schläffer and Søren S. Thomsen},<br />
title = {Rebound Attacks on the Reduced Grøstl Hash Function},<br />
url = {http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=128007&pCurrPk=47053},<br />
booktitle = {CT-RSA},<br />
year = {2010},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {5985},<br />
pages = {350-365},<br />
abstract = {Grøstl is one of 14 second round candidates of the<br />
NIST SHA-3 competition. Cryptanalytic results on the wide-pipe compression<br />
function of Grøstl-256 have already been published. However, little is known<br />
about the hash function, arguably a much more interesting cryptanalytic<br />
setting. Also, Grøstl-512 has not been analyzed yet. In this paper, we show<br />
the first cryptanalytic attacks on reduced-round versions of the Grøstl hash<br />
functions. These results are obtained by several extensions of the rebound<br />
attack. We present a collision attack on 4/10 rounds of the Grøstl-256 hash<br />
function and 5/14 rounds of the Grøstl-512 hash functions. Additionally, we<br />
give the best collision attack for reduced-round (7/10 and 7/14) versions of the<br />
compression function of Grøstl-256 and Grøstl-512.}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{sacMPRS09,<br />
author = {Florian Mendel and Thomas Peyrin and Christian<br />
Rechberger and Martin Schläffer},<br />
title = {Improved Cryptanalysis of the Reduced Grøstl<br />
Compression Function, ECHO Permutation and AES Block Cipher},<br />
url = {http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=124407&pCurrPk=44420},<br />
booktitle = {SAC},<br />
year = {2009},<br />
series = {LNCS},<br />
publisher = {Springer},<br />
volume = {5867},<br />
pages = {16-35},<br />
abstract = {In this paper, we propose two new ways to mount attacks<br />
on the SHA-3 candidates Gr{\o}stl, and ECHO, and apply these attacks<br />
also to the AES. Our results improve upon and extend the rebound<br />
attack. Using the new techniques, we are able to extend the number of<br />
rounds in which available degrees of freedom can be used. As a result,<br />
we present the first attack on 7 rounds for the Gr{\o}stl-256 output<br />
transformation and improve the semi-free-start collision attack on 6<br />
rounds. Further, we present an improved known-key distinguisher for 7<br />
rounds of the AES block cipher and the internal permutation used in<br />
ECHO.}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{fseMRST09,<br />
author = {Florian Mendel and Christian Rechberger and Martin Schläffer and Søren S. Thomsen},<br />
title = {The Rebound Attack: Cryptanalysis of Reduced Whirlpool and Grøstl},<br />
url = {http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=124409&pCurrPk=40943},<br />
booktitle = {FSE},<br />
editor = {Orr Dunkelman},<br />
year = {2009},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {5665},<br />
pages = {260-276},<br />
abstract = {In this work, we propose the rebound attack, a new tool<br />
for the cryptanalysis of hash functions. The idea of the rebound<br />
attack is to use the available degrees of freedom in a collision<br />
attack to efficiently bypass the low probability parts of a<br />
differential trail. The rebound attack consists of an inbound phase<br />
with a match-in-the-middle part to exploit the available degrees of<br />
freedom, and a subsequent probabilistic outbound phase. Especially on<br />
AES based hash functions, the rebound attack leads to new attacks for<br />
a surprisingly high number of<br />
rounds.<br />
We use the rebound attack to construct collisions for 4.5 rounds of<br />
the 512-bit hash function Whirlpool with a complexity of $2^{120}$<br />
compression function evaluations and negligible memory requirements.<br />
The attack can be extended to a near-collision on 7.5 rounds of the<br />
compression function of Whirlpool and 8.5 rounds of the similar hash<br />
function Maelstrom. Additionally, we apply the rebound attack to the<br />
SHA-3 submission Gr{\o}stl, which leads to an attack on 6 rounds of<br />
the Gr{\o}stl-256 compression function with a complexity of $2^{120}$<br />
and memory requirements of about $2^{64}$.}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{groestlK09,<br />
author = {John Kelsey},<br />
title = {Some notes on Grøstl},<br />
url = {http://ehash.iaik.tugraz.at/uploads/d/d0/Grostl-comment-april28.pdf},<br />
howpublished = {Available online},<br />
year = {2009},<br />
abstract = {These are some quick notes on some properties and<br />
observations of Grøstl. Nothing in this note threatens the hash<br />
function; instead, I'm pointing out some properties that are a bit<br />
surprising, and some broad approaches someone might take to get<br />
attacks to work.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{groestlB08,<br />
author = {Paulo S. L. M. Barreto},<br />
title = {An observation on Grøstl},<br />
url = {http://www.larc.usp.br/~pbarreto/Grizzly.pdf},<br />
howpublished = {Available online},<br />
year = {2008},<br />
abstract = {An alternative view of the Groestl SHA-3 submission is<br />
presented. It does not lead to an effective attack nor reveals a<br />
weakness in the design, but illustrates the importance of the<br />
double-width pipe in this construction.},<br />
}<br />
</bibtex></div>
JAumasson
https://ehash.iaik.tugraz.at/index.php?title=JH&diff=3659
JH
2010-12-08T08:41:27Z
<p>JAumasson: /* Building blocks */</p>
<hr />
<div>== The algorithm ==<br />
<br />
* Author(s): Hongjun Wu<br />
* Website: [http://icsd.i2r.a-star.edu.sg/staff/hongjun/jh/ http://icsd.i2r.a-star.edu.sg/staff/hongjun/jh/]<br />
* NIST submission package: <br />
** round 1/2: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/documents/JH_Round2.zip JH_Round2.zip] (old versions: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/JH.zip JH.zip], [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/JHUpdate.zip JHUpdate.zip])<br />
<br />
<br />
<bibtex><br />
@misc{sha3W09,<br />
author = {Hongjun Wu},<br />
title = {The Hash Function JH},<br />
url = {http://icsd.i2r.a-star.edu.sg/staff/hongjun/jh/jh_round2.pdf},<br />
howpublished = {Submission to NIST (updated)},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{sha3W08,<br />
author = {Hongjun Wu},<br />
title = {The Hash Function JH},<br />
url = {http://icsd.i2r.a-star.edu.sg/staff/hongjun/jh/jh.pdf},<br />
howpublished = {Submission to NIST},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
<br />
== Cryptanalysis ==<br />
<br />
We distinguish between two cases: results on the complete hash function, and results on underlying building blocks.<br />
<br />
A description of the tables is given [http://ehash.iaik.tugraz.at/wiki/Cryptanalysis_Categories#Individual_Hash_Function_Tables here].<br />
<br />
Recommended security parameter: '''35.5''' rounds<br />
<br />
=== Hash function ===<br />
<br />
Here we list results on the hash function according to the NIST requirements. The only allowed modification is to change the security parameter.<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Size (n) || Parameters || Compression Function Calls || Memory Requirements || Reference <br />
|-<br />
| style="background:greenyellow" | preimage || 512 || || 2<sup>507</sup> || 2<sup>507</sup> || [http://www.isical.ac.in/~rishi_r/FSE2010-146.pdf Bhattacharyya et al.]<br />
|- <br />
| style="background:greenyellow" | preimage<sup>(1)</sup> || 512 || || 2<sup>510.3</sup> (+ 2<sup>524</sup> MA + 2<sup>524</sup> CMP) || 2<sup>510.3</sup> (Wu: 2<sup>510.6</sup>) || [http://ehash.iaik.tugraz.at/uploads/d/da/Jh_preimage.pdf Mendel,Thomsen], [http://ehash.iaik.tugraz.at/uploads/6/6f/Jh_mt_complexity.pdf Wu]<br />
|- <br />
|} <br />
<br />
<sup>(1)</sup> Wu has analyzed the exact memory requirements, additional memory accesses (MA) and comparisons (CMP) of the attack by Mendel and Thomsen.<br />
<br />
<br />
=== Building blocks ===<br />
<br />
Here we list results on underlying building blocks, and the hash function modified by other means than the security parameter.<br />
<br />
Note that these results assume more direct control or access over some internal variables (aka. free-start, pseudo, compression function, block cipher, or permutation attacks). <br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| semi-free-start collision || compression function || 256 || 16 rounds || 2<sup>96.12</sup> || 2<sup>96.12</sup> || [http://eprint.iacr.org/2010/607.pdf Naya-Plasencia]<br />
|-<br />
| semi-free-start near collision || compression function || 256 || 22 rounds || 2<sup>95.63</sup> || 2<sup>95.63</sup> || [http://eprint.iacr.org/2010/607.pdf Naya-Plasencia]<br />
|-<br />
| semi-free-start near collision || compression function || all || 10 rounds || 2<sup>23.24</sup> || - || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/TURAN_Paper_Erdener.pdf Turan,Uyan]<br />
|- <br />
| semi-free-start collision || hash || 256 || 16 rounds || 2<sup>178.24</sup> || 2<sup>101.12</sup> || [http://www.cosic.esat.kuleuven.be/publications/article-1431.pdf Rijmen,Toz,Varıcı]<br />
|- <br />
| semi-free-start near collision || compression function || 256 || 22 rounds || 2<sup>156.77</sup> || 2<sup>143.70</sup> || [http://www.cosic.esat.kuleuven.be/publications/article-1431.pdf Rijmen,Toz,Varıcı]<br />
|- <br />
| semi-free-start near collision || compression function || 256 || 22 rounds || 2<sup>156.56</sup> || 2<sup>143.70</sup> || [http://www.cosic.esat.kuleuven.be/publications/article-1431.pdf Rijmen,Toz,Varıcı]<br />
|- <br />
| | pseudo-collision || compression function || all || || - || - || [http://ehash.iaik.tugraz.at/uploads/a/a8/Jh1.txt Bagheri]<br />
|- <br />
| | pseudo-2nd preimage || compression || all || || - || - || [http://ehash.iaik.tugraz.at/uploads/a/a8/Jh1.txt Bagheri]<br />
|- <br />
|} <br />
<br />
<br />
<bibtex><br />
@misc{cryptoeprint:2010:607,<br />
author = {María Naya-Plasencia},<br />
title = {Scrutinizing rebound attacks: new algorithms for improving the complexities},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/607},<br />
year = {2010},<br />
note = {\url{http://eprint.iacr.org/}},<br />
url = {http://eprint.iacr.org/2010/607.pdf},<br />
abstract = {Rebound attacks are a state-of-the-art analysis method for hash functions. These cryptanalysis methods are based on a well chosen differential path and have been applied to several hash functions from the SHA-3 competition, providing the best known analysis in these cases. In this paper we study rebound attacks in detail and find for a great number of cases, that complexities of existing attacks can be improved. This is done by determining problems that adapt optimally to the cryptanalytic situation, and by using better algorithms to follow the differential path. These improvements are essentially based on merging big lists in a more efficient way, as well as on new ideas on how to reduce the complexities. As a result, we introduce general purpose new algorithms for enabling further rebound analysis to be as performant as possible. We illustrate our new algorithms for real hash functions and demonstrate how to reduce the complexities of the best known analysis on five hash functions: JH, Grøstl, ECHO, Luffa and Lane (the first four are round two SHA-3 candidates).},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{blakeTU10,<br />
author = {Meltem Sönmez Turan, Erdener Uyan},<br />
title = {Practical Near-Collisions for Reduced Round Blake, Fugue, Hamsi and JH},<br />
howpublished = {Second SHA-3 Candidate Conference},<br />
year = {2010},<br />
url = {http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/TURAN_Paper_Erdener.pdf},<br />
abstract = {A hash function is near-collision resistant, if it is hard to find two messages with hash values that differ in only a small number of bits. In this study, we use hill climbing methods to evaluate the near-collision resistance of some of the round SHA-3 candidates. We practically obtained (i) 184/256-bit near-collision for the 2-round compression function of Blake-32; (ii) 192/256-bit near-collision for the 2-round compression function of Hamsi-256; (iii) 820/1024-bit near-collisions for 10-round compression function of JH. We also observed practical collisions and near-collisions for reduced versions of F-256 function used in Fugue.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{BMN10,<br />
author = {Rishiraj Bhattacharyya and Avradip Mandal and Mridul Nandi},<br />
title = {Security Analysis of the Mode of JH Hash Function},<br />
url = {http://www.isical.ac.in/~rishi_r/FSE2010-146.pdf},<br />
booktitle = {FSE},<br />
year = {2010},<br />
series = {LNCS},<br />
note = {To appear}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{RTV10,<br />
author = {Vincent Rijmen and Denis Toz and Kerem Varıcı},<br />
title = {Rebound Attack on Reduced-Round Versions of JH},<br />
url = {http://www.cosic.esat.kuleuven.be/publications/article-1431.pdf},<br />
booktitle = {FSE},<br />
year = {2010},<br />
series = {LNCS},<br />
note = {To appear}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{B08,<br />
author = {Nasour Bagheri},<br />
title = {Pseudo-collision and pseudo-second preimage on JH},<br />
url = {http://ehash.iaik.tugraz.at/uploads/a/a8/Jh1.txt}, <br />
howpublished = {NIST mailing list (local link)},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{MT08,<br />
author = {Florian Mendel, Søren S. Thomsen},<br />
title = {An Observation on JH-512},<br />
url = {http://ehash.iaik.tugraz.at/uploads/d/da/Jh_preimage.pdf}, <br />
howpublished = {Available online},<br />
year = {2008},<br />
abstract = {In this paper, we present a generic preimage attack on JH-512. We do not claim that<br />
our attack breaks JH-512 (due to the high memory requirements), but it uses some interesting<br />
properties in the design principles of JH-512 which do not exist in other hash functions, e.g., the<br />
SHA-2 family.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{MT08,<br />
author = {Hongjun Wu},<br />
title = {The Complexity of Mendel and Thomsen's Preimage Attack on JH-512},<br />
url = {http://ehash.iaik.tugraz.at/uploads/6/6f/Jh_mt_complexity.pdf}, <br />
howpublished = {Available online},<br />
year = {2009},<br />
abstract = {Mendel and Thomsen gave a preimage attack on JH-512 by finding a preimage through the collision search over the space of $2^{1024} elements. However, they did not estimate the cost of the collision search which is the most expensive part in their attack. Our analysis shows that their attack requires at least $2^{510.3}$ compression function computations, $2^{510.6}$ memory ($2^{516.6}$ bytes), $2^{524}$ memory accesses and $2^{524}$ comparisons. Such complexity is far more expensive than brute force<br />
attack which requires $2^{512}$ compression function computations and almost no memory.},<br />
}<br />
</bibtex></div>
JAumasson
https://ehash.iaik.tugraz.at/index.php?title=LANE&diff=3658
LANE
2010-12-07T14:17:56Z
<p>JAumasson: /* Cryptanalysis */ added Naya-Plasencia results</p>
<hr />
<div>== The algorithm ==<br />
<br />
* Author(s): Sebastiaan Indesteege, Elena Andreeva, Christophe De Cannière, Orr Dunkelman, Emilia Käsper, Svetla Nikova, Bart Preneel, Elmar Tischhauser<br />
* Website: [http://www.cosic.esat.kuleuven.be/lane/ http://www.cosic.esat.kuleuven.be/lane/]<br />
* NIST submission package: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/LANE.zip LANE.zip]<br />
<br />
<br />
<bibtex><br />
@misc{sha3IP08,<br />
author = {Sebastiaan Indesteege},<br />
title = {The LANE hash function},<br />
url = {http://www.cosic.esat.kuleuven.be/publications/article-1181.pdf},<br />
howpublished = {Submission to NIST},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
<br />
== Cryptanalysis ==<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| semi-free-start collision || compression || 224,256 || 6 P-rounds || 2<sup>80</sup> || 2<sup>66</sup> || [http://eprint.iacr.org/20010/607.pdf Naya-Plasencia]<br />
|-<br />
| semi-free-start collision || compression || 512 || 8 P-rounds || 2<sup>224</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/607.pdf Naya-Plasencia]<br />
|- <br />
| collision || hash || 384,512 || 3 P-rounds || 2<sup>94</sup> || 2<sup>133</sup> || [http://sac.ucalgary.ca/sites/sac.math.ucalgary.ca/files/u5/09_swu.pdf Wu,Feng,Wu]<br />
|-<br />
| semi-free-start collision || compression || 224,256 || 3 P-rounds || 2<sup>62</sup> || 2<sup>69</sup> || [http://sac.ucalgary.ca/sites/sac.math.ucalgary.ca/files/u5/09_swu.pdf Wu,Feng,Wu]<br />
|-<br />
| semi-free-start collision || compression || 384,512 || 3 P-rounds || 2<sup>62</sup> || 2<sup>69</sup> || [http://sac.ucalgary.ca/sites/sac.math.ucalgary.ca/files/u5/09_swu.pdf Wu,Feng,Wu]<br />
|-<br />
| semi-free-start collision || compression || 224,256 || 6 P-rounds || 2<sup>96</sup> || 2<sup>88</sup> || [http://eprint.iacr.org/2009/443.pdf Matusiewicz,Naya-Plasencia,Nikolic,Sasaki,Schläffer]<br />
|-<br />
| semi-free-start collision || compression || 512 || 8 P-rounds || 2<sup>224</sup> || 2<sup>128</sup> || [http://eprint.iacr.org/2009/443.pdf Matusiewicz,Naya-Plasencia,Nikolic,Sasaki,Schläffer]<br />
|-<br />
|}<br />
<br />
A description of this table is given [http://ehash.iaik.tugraz.at/wiki/Cryptanalysis_Categories#Individual_Hash_Function_Tables here].<br />
<br />
<br />
<bibtex><br />
@misc{cryptoeprint:2010:607,<br />
author = {María Naya-Plasencia},<br />
title = {Scrutinizing rebound attacks: new algorithms for improving the complexities},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/607},<br />
year = {2010},<br />
note = {\url{http://eprint.iacr.org/}},<br />
url = {http://eprint.iacr.org/2010/607.pdf},<br />
abstract = {Rebound attacks are a state-of-the-art analysis method for hash functions. These cryptanalysis methods are based on a well chosen differential path and have been applied to several hash functions from the SHA-3 competition, providing the best known analysis in these cases. In this paper we study rebound attacks in detail and find for a great number of cases, that complexities of existing attacks can be improved. This is done by determining problems that adapt optimally to the cryptanalytic situation, and by using better algorithms to follow the differential path. These improvements are essentially based on merging big lists in a more efficient way, as well as on new ideas on how to reduce the complexities. As a result, we introduce general purpose new algorithms for enabling further rebound analysis to be as performant as possible. We illustrate our new algorithms for real hash functions and demonstrate how to reduce the complexities of the best known analysis on five hash functions: JH, Grøstl, ECHO, Luffa and Lane (the first four are round two SHA-3 candidates).},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{laneWFW09,<br />
author = {Shuang Wu and Dengguo Feng and Wenling Wu},<br />
title = {Cryptanalysis of the LANE Hash Function},<br />
url = {http://sac.ucalgary.ca/sites/sac.math.ucalgary.ca/files/u5/09_swu.pdf},<br />
howpublished = {Presentation, SAC},<br />
year = {2009},<br />
abstract = {The LANE hash function is designed by Sebastiaan Indesteege and Bart Preneel. It is now a first round candidate of NIST's SHA-3 competition. The LANE hash function contains four concrete designs with different digest length of 224, 256, 384 and 512.<br />
The LANE hash function uses two permutations P and Q, which consist of different number of AES-like rounds. LANE-224/256 uses 6-round P and 3-round Q. LANE-384/512 uses 8-round P and 4-round Q. We will use LANE-n-(a,b) to denote a variant of LANE with a-round P, b-round Q and a digest length n.<br />
We have found a semi-free start collision attack on reduced-round LANE-256-(3,3) with complexity of 2^62 compression function evaluations and 2^69 memory. This technique can be applied to LANE-512-(3,4) to get a semi-free start collision attack with the same complexity of 2^62 and 2^69 memory. We also propose a collision attack on LANE-512-(3,4) with complexity of 2^94 and 2^133 memory.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{laneMNNSS09,<br />
author = {Krystian Matusiewicz and Maria Naya-Plasencia and Ivica Nikolic and Yu Sasaki and Martin Schläffer},<br />
title = {Rebound Attack on the Full LANE Compression Function},<br />
url = {http://eprint.iacr.org/2009/443.pdf},<br />
howpublished = {Cryptology ePrint Archive, Report 2009/443},<br />
year = {2009},<br />
abstract = {In this work, we apply the rebound attack to the AES based SHA-3 candidate LANE. The hash function LANE uses a permutation based compression function, consisting of a linear message expansion and 6 parallel lanes. In the rebound attack on LANE, we apply several new techniques to construct a collision for the full compression function of LANE-256 and LANE-512. Using a relatively sparse truncated differential path, we are able to solve for a valid message expansion and colliding lanes independently. Additionally, we are able to apply the inbound phase more than once by exploiting the degrees of freedom in the parallel AES states. This allows us to construct semi-free-start collisions for full LANE-256 with $2^{96}$ compression function evaluations and $2^{88}$ memory, and for full LANE-512 with $2^{224}$ compression function evaluations and $2^{128}$ memory.},<br />
}<br />
</bibtex></div>
JAumasson
https://ehash.iaik.tugraz.at/index.php?title=Groestl&diff=3657
Groestl
2010-12-07T14:10:58Z
<p>JAumasson: /* Building blocks */ added Naya-Plasencia results</p>
<hr />
<div>== The algorithm ==<br />
<br />
* Author(s): Praveen Gauravaram, Lars R. Knudsen, Krystian Matusiewicz, Florian Mendel, Christian Rechberger, Martin Schläffer, Søren S. Thomsen<br />
* Website: [http://www.groestl.info http://www.groestl.info]<br />
* NIST submission package: <br />
** round 1/2: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/documents/Grostl_Round2.zip Grostl_Round2.zip] (old version: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/Grostl.zip Grostl.zip])<br />
<br />
<br />
<bibtex><br />
@misc{sha3groestl,<br />
author = {Praveen Gauravaram and Lars R. Knudsen and Krystian Matusiewicz and Florian Mendel and Christian Rechberger and Martin Schläffer and Søren S. Thomsen},<br />
title = {Grøstl -- a SHA-3 candidate},<br />
url = {http://www.groestl.info/Groestl.pdf},<br />
howpublished = {Submission to NIST},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{sha3groestl,<br />
author = {Praveen Gauravaram and Lars R. Knudsen and Krystian Matusiewicz and Florian Mendel and Christian Rechberger and Martin Schläffer and Søren S. Thomsen},<br />
title = {Grøstl Addendum},<br />
url = {http://groestl.info/Groestl-addendum.pdf},<br />
howpublished = {Available online},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
== Cryptanalysis ==<br />
<br />
We distinguish between two cases: results on the complete hash function, and results on underlying building blocks.<br />
<br />
A description of the tables is given [http://ehash.iaik.tugraz.at/wiki/Cryptanalysis_Categories#Individual_Hash_Function_Tables here].<br />
<br />
Recommended security parameter: '''10''' rounds (n=224,256); '''14''' rounds (n=384,512)<br />
<br />
=== Hash function ===<br />
<br />
Here we list results on the hash function according to the NIST requirements. The only allowed modification is to change the security parameter.<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Size (n) || Parameters || Compression Function Calls || Memory Requirements || Reference <br />
|-<br />
| collision || 224,256 || 5 rounds || 2<sup>48</sup> || 2<sup>32</sup> || [http://eprint.iacr.org/2010/375.pdf Ideguchi,Tischhauser,Preneel]<br />
|-<br />
| collision || 256 || 6 rounds || 2<sup>112</sup> || 2<sup>32</sup> || [http://eprint.iacr.org/2010/375.pdf Ideguchi,Tischhauser,Preneel]<br />
|-<br />
| collision || 224,256 || 4 rounds || 2<sup>64</sup> || 2<sup>64</sup> || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=128007&pCurrPk=47053 Mendel,Rechberger,Schläffer,Thomsen]<br />
|- <br />
| collision || 224,256 || 3 rounds || 2<sup>64</sup> || - || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=128007&pCurrPk=47053 Mendel,Rechberger,Schläffer,Thomsen]<br />
|- <br />
| collision || 384,512 || 5 rounds || 2<sup>176</sup> || 2<sup>64</sup> || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=128007&pCurrPk=47053 Mendel,Rechberger,Schläffer,Thomsen]<br />
|- <br />
| collision || 384,512 || 4 rounds || 2<sup>64</sup> || 2<sup>64</sup> || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=128007&pCurrPk=47053 Mendel,Rechberger,Schläffer,Thomsen]<br />
|- <br />
|} <br />
<br />
<br />
=== Building blocks ===<br />
<br />
Here we list results on underlying building blocks, and the hash function modified by other means than the security parameter.<br />
<br />
Note that these results assume more direct control or access over some internal variables (aka. free-start, pseudo, compression function, block cipher, or permutation attacks). <br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| distinguisher || compression function || 256 || 10 rounds || 2<sup>175</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/607.pdf Naya-Plasencia]<br />
|-<br />
| distinguisher || compression function || 512 || 11 rounds || 2<sup>630</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/607.pdf Naya-Plasencia]<br />
|-<br />
| semi-free-start collision || compression function || 224,256 || 7 rounds || 2<sup>80</sup> || 2<sup>32</sup> || [http://eprint.iacr.org/2010/375.pdf Ideguchi,Tischhauser,Preneel]<br />
|-<br />
| semi-free-start collision || compression function || 224,256 || 8 rounds || 2<sup>192</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/375.pdf Ideguchi,Tischhauser,Preneel]<br />
|-<br />
| distinguisher || permutation || 224,256 || 7 rounds || 2<sup>19</sup> || - || [http://eprint.iacr.org/2010/375.pdf Ideguchi,Tischhauser,Preneel]<br />
|-<br />
| distinguisher || permutation || 224,256 || 8 rounds || 2<sup>64</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/375.pdf Ideguchi,Tischhauser,Preneel]<br />
|-<br />
| distinguisher || compression function || 256 || 10 rounds || 2<sup>192</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/223.pdf Peyrin]<br />
|- <br />
| distinguisher || compression function || 256 || 9 rounds || 2<sup>80</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/223.pdf Peyrin]<br />
|- <br />
| distinguisher || compression function || 512 || 11 rounds || 2<sup>640</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/223.pdf Peyrin]<br />
|- <br />
| semi-free-start collision || compression function || 256 || 7 rounds || 2<sup>120</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2009/531.pdf Gilbert,Peyrin]<br />
|- <br />
| distinguisher || compression function || 256 || 8 rounds || 2<sup>112</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2009/531.pdf Gilbert,Peyrin]<br />
|- <br />
| distinguisher || permutation || 256 || 8 rounds || 2<sup>112</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2009/531.pdf Gilbert,Peyrin]<br />
|- <br />
| semi-free-start collision || compression function || 256 || 7 rounds || 2<sup>120</sup> || 2<sup>64</sup> || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=128007&pCurrPk=47053 Mendel,Rechberger,Schläffer,Thomsen]<br />
|- <br />
| semi-free-start collision || compression function|| 384,512 || 7 rounds || 2<sup>152</sup> || 2<sup>64</sup> || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=128007&pCurrPk=47053 Mendel,Rechberger,Schläffer,Thomsen]<br />
|- <br />
| semi-free-start collision || compression function || 224,256 || 6 rounds || 2<sup>64</sup> || 2<sup>64</sup> || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=124407&pCurrPk=44420 Mendel,Peyrin,Rechberger,Schläffer]<br />
|- <br />
| distinguisher || output transformation || 224,256 || 7 rounds || 2<sup>56</sup> || - || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=124407&pCurrPk=44420 Mendel,Peyrin,Rechberger,Schläffer]<br />
|- <br />
| distinguisher || permutation || 224,256 || 7 rounds || 2<sup>55</sup> || - || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=124407&pCurrPk=44420 Mendel,Peyrin,Rechberger,Schläffer]<br />
|- <br />
| semi-free-start collision || compression function || 256 || 6 rounds || 2<sup>120</sup> || 2<sup>64</sup> || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=124409&pCurrPk=40943 Mendel,Rechberger,Schläffer,Thomsen]<br />
|- <br />
| semi-free-start collision || compression function || 224,256 || 5 rounds || 2<sup>64</sup> || - || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=124409&pCurrPk=40943 Mendel,Rechberger,Schläffer,Thomsen]<br />
|- <br />
| observation || hash || all || || || || [http://ehash.iaik.tugraz.at/uploads/d/d0/Grostl-comment-april28.pdf Kelsey]<br />
|- <br />
| observation || block cipher || all || || || || [http://www.larc.usp.br/~pbarreto/Grizzly.pdf Barreto]<br />
|- <br />
| free-start collision || compression function || all || any || 2<sup>2n/3</sup> || 2<sup>2n/3</sup> || [http://www.groestl.info/Groestl.pdf submission document]<br />
|- <br />
| pseudo-preimage || compression function || all || any || 2<sup>n</sup> || - || [http://www.groestl.info/Groestl.pdf submission document]<br />
|- <br />
|}<br />
<br />
<br />
== Cryptanalysis ==<br />
<br />
We distinguish between two cases: results on the complete hash function, and results on underlying building blocks.<br />
<br />
A description of the tables is given [http://ehash.iaik.tugraz.at/wiki/Cryptanalysis_Categories#Individual_Hash_Function_Tables here].<br />
<br />
Recommended security parameter: '''8''' rounds (n=224,256); '''10''' rounds (n=384,512)<br />
<br />
=== Hash function ===<br />
<br />
Here we list results on the hash function according to the NIST requirements. The only allowed modification is to change the security parameter.<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Size (n) || Parameters || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| collision<sup>(1)</sup> || 256 || 5 rounds || 2<sup>112</sup> || 2<sup>85.3</sup> || [http://eprint.iacr.org/2010/588.pdf Schläffer]<br />
|- <br />
|} <br />
<br />
<sup>(1)</sup> In this attack some problems in the [http://eprint.iacr.org/2010/321.pdf previous attacks] (pointed out by [http://eprint.iacr.org/2010/569.pdf Jean,Fouque]) have been corrected.<br />
<br />
<br />
=== Building blocks ===<br />
<br />
Here we list results on underlying building blocks, and the hash function modified by other means than the security parameter.<br />
<br />
Note that these results assume more direct control or access over some internal variables (aka. free-start, pseudo, compression function, block cipher, or permutation attacks). <br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements || Reference <br />
|-<br />
| distinguisher || permutation || 256 || 8 rounds || 2<sup>151</sup> || 2<sup>67</sup> || [http://eprint.iacr.org/2010/607.pdf Naya-Plasencia]<br />
|- <br />
| distinguisher<sup>(1)</sup> (chosen salt) || compression function || 256 || 7 rounds || 2<sup>160</sup> || 2<sup>128</sup> || [http://eprint.iacr.org/2010/588.pdf Schläffer]<br />
|- <br />
| free-start collision<sup>(1)</sup> (chosen salt) || compression function || 256 || 6 rounds || 2<sup>160</sup> || 2<sup>128</sup> || [http://eprint.iacr.org/2010/588.pdf Schläffer]<br />
|-<br />
| semi-free-start collision || compression function || 256 || 4 rounds || 2<sup>52</sup> || 2<sup>16</sup> || [http://eprint.iacr.org/2010/569.pdf Jean,Fouque]<br />
|- <br />
| semi-free-start collision || compression function || 256 || 3 rounds || 2<sup>64</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/223.pdf Peyrin]<br />
|- <br />
| distinguisher || compression function || 256 || 4 rounds || 2<sup>64</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/223.pdf Peyrin]<br />
|- <br />
| semi-free-start collision || compression function || 512 || 3 rounds || 2<sup>96</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/223.pdf Peyrin]<br />
|- <br />
| distinguisher || compression function || 512 || 6 rounds || 2<sup>96</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/223.pdf Peyrin]<br />
|- <br />
| distinguisher || permutation || all || 8 rounds || 2<sup>768</sup> || 2<sup>512</sup> || [http://eprint.iacr.org/2009/531.pdf Gilbert,Peyrin]<br />
|- <br />
| distinguisher || permutation || all || 7 rounds || 2<sup>384</sup> || 2<sup>64</sup> || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=110408 Mendel,Peyrin,Rechberger,Schläffer]<br />
|- <br />
| distinguisher || permutation || all || 7 rounds || 2<sup>896</sup> || - || [http://crypto.rd.francetelecom.com/echo/doc/echo_description_1-5.pdf submission document]<br />
|- <br />
|} <br />
<br />
<sup>(1)</sup> In this attack some problems in the [http://eprint.iacr.org/2010/321.pdf previous attacks] (pointed out by [http://eprint.iacr.org/2010/569.pdf Jean,Fouque]) have been corrected.<br />
<br />
<br />
<bibtex><br />
@misc{cryptoeprint:2010:607,<br />
author = {María Naya-Plasencia},<br />
title = {Scrutinizing rebound attacks: new algorithms for improving the complexities},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/607},<br />
year = {2010},<br />
note = {\url{http://eprint.iacr.org/}},<br />
url = {http://eprint.iacr.org/2010/607.pdf},<br />
abstract = {Rebound attacks are a state-of-the-art analysis method for hash functions. These cryptanalysis methods are based on a well chosen differential path and have been applied to several hash functions from the SHA-3 competition, providing the best known analysis in these cases. In this paper we study rebound attacks in detail and find for a great number of cases, that complexities of existing attacks can be improved. This is done by determining problems that adapt optimally to the cryptanalytic situation, and by using better algorithms to follow the differential path. These improvements are essentially based on merging big lists in a more efficient way, as well as on new ideas on how to reduce the complexities. As a result, we introduce general purpose new algorithms for enabling further rebound analysis to be as performant as possible. We illustrate our new algorithms for real hash functions and demonstrate how to reduce the complexities of the best known analysis on five hash functions: JH, Grøstl, ECHO, Luffa and Lane (the first four are round two SHA-3 candidates).},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{ITP10,<br />
author = {Kota Ideguchi and Elmar Tischhauser and Bart Preneel},<br />
title = {Improved Collision Attacks on the Reduced-Round Grøstl Hash Function},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/375},<br />
year = {2010},<br />
note = {\url{http://eprint.iacr.org/}},<br />
url = {http://eprint.iacr.org/2010/375.pdf},<br />
abstract = {We analyze the Gr{\o}stl hash function, which is a 2nd-round candidate of the SHA-3 competition. Using the start-from-the-middle variant of the rebound technique, we show collision attacks on the Gr{\o}stl-256 hash function reduced to 5 and 6 out of 10 rounds with time complexities $2^{48}$ and $2^{112}$, respectively. Furthermore, we demonstrate semi-free-start collision attacks on the Gr{\o}stl-224 and -256 hash functions reduced to 7 rounds and the Gr{\o}stl-224 and -256 compression functions reduced to 8 rounds. Our attacks are based on differential paths between the two permutations $P$ and $Q$ of Gr{\o}stl, a strategy introduced by Peyrin to construct distinguishers for the compression function. In this paper, we extend this approach to construct collision and semi-free-start collision attacks for both the hash and the compression function. Finally, we present improved distinguishers for reduced-round versions of the Gr{\o}stl-224 and -256 permutations.},<br />
}<br />
</bibtex> <br />
<br />
<bibtex> <br />
@misc{Pey10,<br />
author = {Thomas Peyrin},<br />
title = {Improved Differential Attacks for ECHO and Grostl},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/223},<br />
year = {2010},<br />
note = {\url{http://eprint.iacr.org/}},<br />
url = {http://eprint.iacr.org/2010/223.pdf},<br />
abstract = {We present improved cryptanalysis of two second-round SHA-3 candidates: the AES-based hash functions ECHO and Grostl. We explain methods for building better differential trails for ECHO by increasing the granularity of the truncated differential paths previously considered. In the case of Grostl, we describe a new technique, the internal differential attack, which shows that when using parallel computations designers should also consider the differential security between the parallel branches. Then, we exploit the recently introduced start-from-the-middle or Super-Sbox attacks, that proved to be very efficient when attacking AES-like permutations, to achieve a very efficient utilization of the available freedom degrees. Finally, we obtain the best known attacks so far for both ECHO and Grostl. In particular, we are able to mount a distinguishing attack for the full Grostl-256 compression function.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{fseGP10,<br />
author = {Henri Gilbert and Thomas Peyrin},<br />
title = {Super-Sbox Cryptanalysis: Improved Attacks for AES-like permutations},<br />
url = {http://eprint.iacr.org/2009/531.pdf},<br />
booktitle = {FSE},<br />
year = {2010},<br />
series = {LNCS},<br />
publisher = {Springer},<br />
note = {To appear}<br />
abstract = {In this paper, we improve the recent rebound and start-from-the-middle attacks on AES-like permutations. Our new cryptanalysis technique uses the fact that one can view two rounds of such permutations as a layer of big Sboxes preceded and followed by simple affine transformations. The big Sboxes encountered in this alternative representation are named Super-Sboxes. We apply this method to two second-round SHA-3 candidates Grostl and ECHO, and obtain improvements over the previous cryptanalysis results for these two schemes. Moreover, we improve the best distinguisher for the AES block cipher in the known-key setting, reaching 8 rounds for the 128-bit version.}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{ctrsaMRST10,<br />
author = {Florian Mendel and Christian Rechberger and Martin Schläffer and Søren S. Thomsen},<br />
title = {Rebound Attacks on the Reduced Grøstl Hash Function},<br />
url = {http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=128007&pCurrPk=47053},<br />
booktitle = {CT-RSA},<br />
year = {2010},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {5985},<br />
pages = {350-365},<br />
abstract = {Grøstl is one of 14 second round candidates of the<br />
NIST SHA-3 competition. Cryptanalytic results on the wide-pipe compression<br />
function of Grøstl-256 have already been published. However, little is known<br />
about the hash function, arguably a much more interesting cryptanalytic<br />
setting. Also, Grøstl-512 has not been analyzed yet. In this paper, we show<br />
the first cryptanalytic attacks on reduced-round versions of the Grøstl hash<br />
functions. These results are obtained by several extensions of the rebound<br />
attack. We present a collision attack on 4/10 rounds of the Grøstl-256 hash<br />
function and 5/14 rounds of the Grøstl-512 hash functions. Additionally, we<br />
give the best collision attack for reduced-round (7/10 and 7/14) versions of the<br />
compression function of Grøstl-256 and Grøstl-512.}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{sacMPRS09,<br />
author = {Florian Mendel and Thomas Peyrin and Christian<br />
Rechberger and Martin Schläffer},<br />
title = {Improved Cryptanalysis of the Reduced Grøstl<br />
Compression Function, ECHO Permutation and AES Block Cipher},<br />
url = {http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=124407&pCurrPk=44420},<br />
booktitle = {SAC},<br />
year = {2009},<br />
series = {LNCS},<br />
publisher = {Springer},<br />
volume = {5867},<br />
pages = {16-35},<br />
abstract = {In this paper, we propose two new ways to mount attacks<br />
on the SHA-3 candidates Gr{\o}stl, and ECHO, and apply these attacks<br />
also to the AES. Our results improve upon and extend the rebound<br />
attack. Using the new techniques, we are able to extend the number of<br />
rounds in which available degrees of freedom can be used. As a result,<br />
we present the first attack on 7 rounds for the Gr{\o}stl-256 output<br />
transformation and improve the semi-free-start collision attack on 6<br />
rounds. Further, we present an improved known-key distinguisher for 7<br />
rounds of the AES block cipher and the internal permutation used in<br />
ECHO.}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{fseMRST09,<br />
author = {Florian Mendel and Christian Rechberger and Martin Schläffer and Søren S. Thomsen},<br />
title = {The Rebound Attack: Cryptanalysis of Reduced Whirlpool and Grøstl},<br />
url = {http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=124409&pCurrPk=40943},<br />
booktitle = {FSE},<br />
editor = {Orr Dunkelman},<br />
year = {2009},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {5665},<br />
pages = {260-276},<br />
abstract = {In this work, we propose the rebound attack, a new tool<br />
for the cryptanalysis of hash functions. The idea of the rebound<br />
attack is to use the available degrees of freedom in a collision<br />
attack to efficiently bypass the low probability parts of a<br />
differential trail. The rebound attack consists of an inbound phase<br />
with a match-in-the-middle part to exploit the available degrees of<br />
freedom, and a subsequent probabilistic outbound phase. Especially on<br />
AES based hash functions, the rebound attack leads to new attacks for<br />
a surprisingly high number of<br />
rounds.<br />
We use the rebound attack to construct collisions for 4.5 rounds of<br />
the 512-bit hash function Whirlpool with a complexity of $2^{120}$<br />
compression function evaluations and negligible memory requirements.<br />
The attack can be extended to a near-collision on 7.5 rounds of the<br />
compression function of Whirlpool and 8.5 rounds of the similar hash<br />
function Maelstrom. Additionally, we apply the rebound attack to the<br />
SHA-3 submission Gr{\o}stl, which leads to an attack on 6 rounds of<br />
the Gr{\o}stl-256 compression function with a complexity of $2^{120}$<br />
and memory requirements of about $2^{64}$.}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{groestlK09,<br />
author = {John Kelsey},<br />
title = {Some notes on Grøstl},<br />
url = {http://ehash.iaik.tugraz.at/uploads/d/d0/Grostl-comment-april28.pdf},<br />
howpublished = {Available online},<br />
year = {2009},<br />
abstract = {These are some quick notes on some properties and<br />
observations of Grøstl. Nothing in this note threatens the hash<br />
function; instead, I'm pointing out some properties that are a bit<br />
surprising, and some broad approaches someone might take to get<br />
attacks to work.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{groestlB08,<br />
author = {Paulo S. L. M. Barreto},<br />
title = {An observation on Grøstl},<br />
url = {http://www.larc.usp.br/~pbarreto/Grizzly.pdf},<br />
howpublished = {Available online},<br />
year = {2008},<br />
abstract = {An alternative view of the Groestl SHA-3 submission is<br />
presented. It does not lead to an effective attack nor reveals a<br />
weakness in the design, but illustrates the importance of the<br />
double-width pipe in this construction.},<br />
}<br />
</bibtex></div>
JAumasson
https://ehash.iaik.tugraz.at/index.php?title=JH&diff=3656
JH
2010-12-07T14:02:12Z
<p>JAumasson: /* Building blocks */</p>
<hr />
<div>== The algorithm ==<br />
<br />
* Author(s): Hongjun Wu<br />
* Website: [http://icsd.i2r.a-star.edu.sg/staff/hongjun/jh/ http://icsd.i2r.a-star.edu.sg/staff/hongjun/jh/]<br />
* NIST submission package: <br />
** round 1/2: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/documents/JH_Round2.zip JH_Round2.zip] (old versions: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/JH.zip JH.zip], [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/JHUpdate.zip JHUpdate.zip])<br />
<br />
<br />
<bibtex><br />
@misc{sha3W09,<br />
author = {Hongjun Wu},<br />
title = {The Hash Function JH},<br />
url = {http://icsd.i2r.a-star.edu.sg/staff/hongjun/jh/jh_round2.pdf},<br />
howpublished = {Submission to NIST (updated)},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{sha3W08,<br />
author = {Hongjun Wu},<br />
title = {The Hash Function JH},<br />
url = {http://icsd.i2r.a-star.edu.sg/staff/hongjun/jh/jh.pdf},<br />
howpublished = {Submission to NIST},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
<br />
== Cryptanalysis ==<br />
<br />
We distinguish between two cases: results on the complete hash function, and results on underlying building blocks.<br />
<br />
A description of the tables is given [http://ehash.iaik.tugraz.at/wiki/Cryptanalysis_Categories#Individual_Hash_Function_Tables here].<br />
<br />
Recommended security parameter: '''35.5''' rounds<br />
<br />
=== Hash function ===<br />
<br />
Here we list results on the hash function according to the NIST requirements. The only allowed modification is to change the security parameter.<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Size (n) || Parameters || Compression Function Calls || Memory Requirements || Reference <br />
|-<br />
| style="background:greenyellow" | preimage || 512 || || 2<sup>507</sup> || 2<sup>507</sup> || [http://www.isical.ac.in/~rishi_r/FSE2010-146.pdf Bhattacharyya et al.]<br />
|- <br />
| style="background:greenyellow" | preimage<sup>(1)</sup> || 512 || || 2<sup>510.3</sup> (+ 2<sup>524</sup> MA + 2<sup>524</sup> CMP) || 2<sup>510.3</sup> (Wu: 2<sup>510.6</sup>) || [http://ehash.iaik.tugraz.at/uploads/d/da/Jh_preimage.pdf Mendel,Thomsen], [http://ehash.iaik.tugraz.at/uploads/6/6f/Jh_mt_complexity.pdf Wu]<br />
|- <br />
|} <br />
<br />
<sup>(1)</sup> Wu has analyzed the exact memory requirements, additional memory accesses (MA) and comparisons (CMP) of the attack by Mendel and Thomsen.<br />
<br />
<br />
=== Building blocks ===<br />
<br />
Here we list results on underlying building blocks, and the hash function modified by other means than the security parameter.<br />
<br />
Note that these results assume more direct control or access over some internal variables (aka. free-start, pseudo, compression function, block cipher, or permutation attacks). <br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| semi-free-start collision || hash || 256 || 16 rounds || 2<sup>96.12</sup> || 2<sup>96.12</sup> || [http://eprint.iacr.org/2010/607.pdf Naya-Plasencia]<br />
|-<br />
| semi-free-start near collision || compression function || 256 || 22 rounds || 2<sup>95.63</sup> || 2<sup>95.63</sup> || [http://eprint.iacr.org/2010/607.pdf Naya-Plasencia]<br />
|-<br />
| semi-free-start near collision || compression function || all || 10 rounds || 2<sup>23.24</sup> || - || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/TURAN_Paper_Erdener.pdf Turan,Uyan]<br />
|- <br />
| semi-free-start collision || hash || 256 || 16 rounds || 2<sup>178.24</sup> || 2<sup>101.12</sup> || [http://www.cosic.esat.kuleuven.be/publications/article-1431.pdf Rijmen,Toz,Varıcı]<br />
|- <br />
| semi-free-start near collision || compression function || 256 || 22 rounds || 2<sup>156.77</sup> || 2<sup>143.70</sup> || [http://www.cosic.esat.kuleuven.be/publications/article-1431.pdf Rijmen,Toz,Varıcı]<br />
|- <br />
| semi-free-start near collision || compression function || 256 || 22 rounds || 2<sup>156.56</sup> || 2<sup>143.70</sup> || [http://www.cosic.esat.kuleuven.be/publications/article-1431.pdf Rijmen,Toz,Varıcı]<br />
|- <br />
| | pseudo-collision || compression function || all || || - || - || [http://ehash.iaik.tugraz.at/uploads/a/a8/Jh1.txt Bagheri]<br />
|- <br />
| | pseudo-2nd preimage || compression || all || || - || - || [http://ehash.iaik.tugraz.at/uploads/a/a8/Jh1.txt Bagheri]<br />
|- <br />
|} <br />
<br />
<br />
<bibtex><br />
@misc{cryptoeprint:2010:607,<br />
author = {María Naya-Plasencia},<br />
title = {Scrutinizing rebound attacks: new algorithms for improving the complexities},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/607},<br />
year = {2010},<br />
note = {\url{http://eprint.iacr.org/}},<br />
url = {http://eprint.iacr.org/2010/607.pdf},<br />
abstract = {Rebound attacks are a state-of-the-art analysis method for hash functions. These cryptanalysis methods are based on a well chosen differential path and have been applied to several hash functions from the SHA-3 competition, providing the best known analysis in these cases. In this paper we study rebound attacks in detail and find for a great number of cases, that complexities of existing attacks can be improved. This is done by determining problems that adapt optimally to the cryptanalytic situation, and by using better algorithms to follow the differential path. These improvements are essentially based on merging big lists in a more efficient way, as well as on new ideas on how to reduce the complexities. As a result, we introduce general purpose new algorithms for enabling further rebound analysis to be as performant as possible. We illustrate our new algorithms for real hash functions and demonstrate how to reduce the complexities of the best known analysis on five hash functions: JH, Grøstl, ECHO, Luffa and Lane (the first four are round two SHA-3 candidates).},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{blakeTU10,<br />
author = {Meltem Sönmez Turan, Erdener Uyan},<br />
title = {Practical Near-Collisions for Reduced Round Blake, Fugue, Hamsi and JH},<br />
howpublished = {Second SHA-3 Candidate Conference},<br />
year = {2010},<br />
url = {http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/TURAN_Paper_Erdener.pdf},<br />
abstract = {A hash function is near-collision resistant, if it is hard to find two messages with hash values that differ in only a small number of bits. In this study, we use hill climbing methods to evaluate the near-collision resistance of some of the round SHA-3 candidates. We practically obtained (i) 184/256-bit near-collision for the 2-round compression function of Blake-32; (ii) 192/256-bit near-collision for the 2-round compression function of Hamsi-256; (iii) 820/1024-bit near-collisions for 10-round compression function of JH. We also observed practical collisions and near-collisions for reduced versions of F-256 function used in Fugue.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{BMN10,<br />
author = {Rishiraj Bhattacharyya and Avradip Mandal and Mridul Nandi},<br />
title = {Security Analysis of the Mode of JH Hash Function},<br />
url = {http://www.isical.ac.in/~rishi_r/FSE2010-146.pdf},<br />
booktitle = {FSE},<br />
year = {2010},<br />
series = {LNCS},<br />
note = {To appear}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{RTV10,<br />
author = {Vincent Rijmen and Denis Toz and Kerem Varıcı},<br />
title = {Rebound Attack on Reduced-Round Versions of JH},<br />
url = {http://www.cosic.esat.kuleuven.be/publications/article-1431.pdf},<br />
booktitle = {FSE},<br />
year = {2010},<br />
series = {LNCS},<br />
note = {To appear}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{B08,<br />
author = {Nasour Bagheri},<br />
title = {Pseudo-collision and pseudo-second preimage on JH},<br />
url = {http://ehash.iaik.tugraz.at/uploads/a/a8/Jh1.txt}, <br />
howpublished = {NIST mailing list (local link)},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{MT08,<br />
author = {Florian Mendel, Søren S. Thomsen},<br />
title = {An Observation on JH-512},<br />
url = {http://ehash.iaik.tugraz.at/uploads/d/da/Jh_preimage.pdf}, <br />
howpublished = {Available online},<br />
year = {2008},<br />
abstract = {In this paper, we present a generic preimage attack on JH-512. We do not claim that<br />
our attack breaks JH-512 (due to the high memory requirements), but it uses some interesting<br />
properties in the design principles of JH-512 which do not exist in other hash functions, e.g., the<br />
SHA-2 family.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{MT08,<br />
author = {Hongjun Wu},<br />
title = {The Complexity of Mendel and Thomsen's Preimage Attack on JH-512},<br />
url = {http://ehash.iaik.tugraz.at/uploads/6/6f/Jh_mt_complexity.pdf}, <br />
howpublished = {Available online},<br />
year = {2009},<br />
abstract = {Mendel and Thomsen gave a preimage attack on JH-512 by finding a preimage through the collision search over the space of $2^{1024} elements. However, they did not estimate the cost of the collision search which is the most expensive part in their attack. Our analysis shows that their attack requires at least $2^{510.3}$ compression function computations, $2^{510.6}$ memory ($2^{516.6}$ bytes), $2^{524}$ memory accesses and $2^{524}$ comparisons. Such complexity is far more expensive than brute force<br />
attack which requires $2^{512}$ compression function computations and almost no memory.},<br />
}<br />
</bibtex></div>
JAumasson
https://ehash.iaik.tugraz.at/index.php?title=JH&diff=3655
JH
2010-12-07T14:00:19Z
<p>JAumasson: /* Building blocks */ added Naya-Plasencia results</p>
<hr />
<div>== The algorithm ==<br />
<br />
* Author(s): Hongjun Wu<br />
* Website: [http://icsd.i2r.a-star.edu.sg/staff/hongjun/jh/ http://icsd.i2r.a-star.edu.sg/staff/hongjun/jh/]<br />
* NIST submission package: <br />
** round 1/2: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/documents/JH_Round2.zip JH_Round2.zip] (old versions: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/JH.zip JH.zip], [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/JHUpdate.zip JHUpdate.zip])<br />
<br />
<br />
<bibtex><br />
@misc{sha3W09,<br />
author = {Hongjun Wu},<br />
title = {The Hash Function JH},<br />
url = {http://icsd.i2r.a-star.edu.sg/staff/hongjun/jh/jh_round2.pdf},<br />
howpublished = {Submission to NIST (updated)},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{sha3W08,<br />
author = {Hongjun Wu},<br />
title = {The Hash Function JH},<br />
url = {http://icsd.i2r.a-star.edu.sg/staff/hongjun/jh/jh.pdf},<br />
howpublished = {Submission to NIST},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
<br />
== Cryptanalysis ==<br />
<br />
We distinguish between two cases: results on the complete hash function, and results on underlying building blocks.<br />
<br />
A description of the tables is given [http://ehash.iaik.tugraz.at/wiki/Cryptanalysis_Categories#Individual_Hash_Function_Tables here].<br />
<br />
Recommended security parameter: '''35.5''' rounds<br />
<br />
=== Hash function ===<br />
<br />
Here we list results on the hash function according to the NIST requirements. The only allowed modification is to change the security parameter.<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Size (n) || Parameters || Compression Function Calls || Memory Requirements || Reference <br />
|-<br />
| style="background:greenyellow" | preimage || 512 || || 2<sup>507</sup> || 2<sup>507</sup> || [http://www.isical.ac.in/~rishi_r/FSE2010-146.pdf Bhattacharyya et al.]<br />
|- <br />
| style="background:greenyellow" | preimage<sup>(1)</sup> || 512 || || 2<sup>510.3</sup> (+ 2<sup>524</sup> MA + 2<sup>524</sup> CMP) || 2<sup>510.3</sup> (Wu: 2<sup>510.6</sup>) || [http://ehash.iaik.tugraz.at/uploads/d/da/Jh_preimage.pdf Mendel,Thomsen], [http://ehash.iaik.tugraz.at/uploads/6/6f/Jh_mt_complexity.pdf Wu]<br />
|- <br />
|} <br />
<br />
<sup>(1)</sup> Wu has analyzed the exact memory requirements, additional memory accesses (MA) and comparisons (CMP) of the attack by Mendel and Thomsen.<br />
<br />
<br />
=== Building blocks ===<br />
<br />
Here we list results on underlying building blocks, and the hash function modified by other means than the security parameter.<br />
<br />
Note that these results assume more direct control or access over some internal variables (aka. free-start, pseudo, compression function, block cipher, or permutation attacks). <br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| semi-free-start collision || hash || 256 || 16 rounds || 2<sup>96.12</sup> || 2<sup>96.12</sup> || [http://eprint.iacr.org/2010/607.pdf Naya-Plasencia]<br />
|-<br />
| semi-free-start near collision || hash || 256 || 22 rounds || 2<sup>95.63</sup> || 2<sup>95.63</sup> || [http://eprint.iacr.org/2010/607.pdf Naya-Plasencia]<br />
|-<br />
| semi-free-start near collision || compression function || all || 10 rounds || 2<sup>23.24</sup> || - || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/TURAN_Paper_Erdener.pdf Turan,Uyan]<br />
|- <br />
| semi-free-start collision || hash || 256 || 16 rounds || 2<sup>178.24</sup> || 2<sup>101.12</sup> || [http://www.cosic.esat.kuleuven.be/publications/article-1431.pdf Rijmen,Toz,Varıcı]<br />
|- <br />
| semi-free-start near collision || compression function || 256 || 22 rounds || 2<sup>156.77</sup> || 2<sup>143.70</sup> || [http://www.cosic.esat.kuleuven.be/publications/article-1431.pdf Rijmen,Toz,Varıcı]<br />
|- <br />
| semi-free-start near collision || compression function || 256 || 22 rounds || 2<sup>156.56</sup> || 2<sup>143.70</sup> || [http://www.cosic.esat.kuleuven.be/publications/article-1431.pdf Rijmen,Toz,Varıcı]<br />
|- <br />
| | pseudo-collision || compression function || all || || - || - || [http://ehash.iaik.tugraz.at/uploads/a/a8/Jh1.txt Bagheri]<br />
|- <br />
| | pseudo-2nd preimage || compression || all || || - || - || [http://ehash.iaik.tugraz.at/uploads/a/a8/Jh1.txt Bagheri]<br />
|- <br />
|} <br />
<br />
<br />
<bibtex><br />
@misc{cryptoeprint:2010:607,<br />
author = {María Naya-Plasencia},<br />
title = {Scrutinizing rebound attacks: new algorithms for improving the complexities},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/607},<br />
year = {2010},<br />
note = {\url{http://eprint.iacr.org/}},<br />
url = {http://eprint.iacr.org/2010/607.pdf},<br />
abstract = {Rebound attacks are a state-of-the-art analysis method for hash functions. These cryptanalysis methods are based on a well chosen differential path and have been applied to several hash functions from the SHA-3 competition, providing the best known analysis in these cases. In this paper we study rebound attacks in detail and find for a great number of cases, that complexities of existing attacks can be improved. This is done by determining problems that adapt optimally to the cryptanalytic situation, and by using better algorithms to follow the differential path. These improvements are essentially based on merging big lists in a more efficient way, as well as on new ideas on how to reduce the complexities. As a result, we introduce general purpose new algorithms for enabling further rebound analysis to be as performant as possible. We illustrate our new algorithms for real hash functions and demonstrate how to reduce the complexities of the best known analysis on five hash functions: JH, Grøstl, ECHO, Luffa and Lane (the first four are round two SHA-3 candidates).},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{blakeTU10,<br />
author = {Meltem Sönmez Turan, Erdener Uyan},<br />
title = {Practical Near-Collisions for Reduced Round Blake, Fugue, Hamsi and JH},<br />
howpublished = {Second SHA-3 Candidate Conference},<br />
year = {2010},<br />
url = {http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/TURAN_Paper_Erdener.pdf},<br />
abstract = {A hash function is near-collision resistant, if it is hard to find two messages with hash values that differ in only a small number of bits. In this study, we use hill climbing methods to evaluate the near-collision resistance of some of the round SHA-3 candidates. We practically obtained (i) 184/256-bit near-collision for the 2-round compression function of Blake-32; (ii) 192/256-bit near-collision for the 2-round compression function of Hamsi-256; (iii) 820/1024-bit near-collisions for 10-round compression function of JH. We also observed practical collisions and near-collisions for reduced versions of F-256 function used in Fugue.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{BMN10,<br />
author = {Rishiraj Bhattacharyya and Avradip Mandal and Mridul Nandi},<br />
title = {Security Analysis of the Mode of JH Hash Function},<br />
url = {http://www.isical.ac.in/~rishi_r/FSE2010-146.pdf},<br />
booktitle = {FSE},<br />
year = {2010},<br />
series = {LNCS},<br />
note = {To appear}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{RTV10,<br />
author = {Vincent Rijmen and Denis Toz and Kerem Varıcı},<br />
title = {Rebound Attack on Reduced-Round Versions of JH},<br />
url = {http://www.cosic.esat.kuleuven.be/publications/article-1431.pdf},<br />
booktitle = {FSE},<br />
year = {2010},<br />
series = {LNCS},<br />
note = {To appear}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{B08,<br />
author = {Nasour Bagheri},<br />
title = {Pseudo-collision and pseudo-second preimage on JH},<br />
url = {http://ehash.iaik.tugraz.at/uploads/a/a8/Jh1.txt}, <br />
howpublished = {NIST mailing list (local link)},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{MT08,<br />
author = {Florian Mendel, Søren S. Thomsen},<br />
title = {An Observation on JH-512},<br />
url = {http://ehash.iaik.tugraz.at/uploads/d/da/Jh_preimage.pdf}, <br />
howpublished = {Available online},<br />
year = {2008},<br />
abstract = {In this paper, we present a generic preimage attack on JH-512. We do not claim that<br />
our attack breaks JH-512 (due to the high memory requirements), but it uses some interesting<br />
properties in the design principles of JH-512 which do not exist in other hash functions, e.g., the<br />
SHA-2 family.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{MT08,<br />
author = {Hongjun Wu},<br />
title = {The Complexity of Mendel and Thomsen's Preimage Attack on JH-512},<br />
url = {http://ehash.iaik.tugraz.at/uploads/6/6f/Jh_mt_complexity.pdf}, <br />
howpublished = {Available online},<br />
year = {2009},<br />
abstract = {Mendel and Thomsen gave a preimage attack on JH-512 by finding a preimage through the collision search over the space of $2^{1024} elements. However, they did not estimate the cost of the collision search which is the most expensive part in their attack. Our analysis shows that their attack requires at least $2^{510.3}$ compression function computations, $2^{510.6}$ memory ($2^{516.6}$ bytes), $2^{524}$ memory accesses and $2^{524}$ comparisons. Such complexity is far more expensive than brute force<br />
attack which requires $2^{512}$ compression function computations and almost no memory.},<br />
}<br />
</bibtex></div>
JAumasson
https://ehash.iaik.tugraz.at/index.php?title=ECHO&diff=3654
ECHO
2010-12-07T13:39:02Z
<p>JAumasson: /* Cryptanalysis */ added Naya-Plasencia result</p>
<hr />
<div>== The algorithm ==<br />
<br />
* Author(s): Ryad Benadjila, Olivier Billet, Henri Gilbert, Gilles Macario-Rat, Thomas Peyrin, Matt Robshaw, Yannick Seurin <br />
* Website: http://crypto.rd.francetelecom.com/echo/<br />
* NIST submission package: <br />
** round 1/2: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/documents/ECHO_Round2.zip ECHO_Round2.zip] (old version [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/ECHO.zip ECHO.zip])<br />
<br />
<br />
<bibtex><br />
@misc{sha3BBG+09,<br />
author = {Ryad Benadjila and Olivier Billet and Henri Gilbert and Gilles Macario-Rat and Thomas Peyrin and Matt Robshaw and Yannick Seurin},<br />
title = {SHA-3 Proposal: ECHO},<br />
url = {http://crypto.rd.francetelecom.com/echo/doc/echo_description_1-5.pdf},<br />
howpublished = {Submission to NIST (updated)},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{sha3BBG+08,<br />
author = {Ryad Benadjila and Olivier Billet and Henri Gilbert and Gilles Macario-Rat and Thomas Peyrin and Matt Robshaw and Yannick Seurin},<br />
title = {SHA-3 Proposal: ECHO},<br />
url = {http://crypto.rd.francetelecom.com/echo/doc/echo_description.pdf},<br />
howpublished = {Submission to NIST},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
<br />
<br />
<br />
<br />
<br />
== Cryptanalysis ==<br />
<br />
We distinguish between two cases: results on the complete hash function, and results on underlying building blocks.<br />
<br />
A description of the tables is given [http://ehash.iaik.tugraz.at/wiki/Cryptanalysis_Categories#Individual_Hash_Function_Tables here].<br />
<br />
Recommended security parameter: '''8''' rounds (n=224,256); '''10''' rounds (n=384,512)<br />
<br />
=== Hash function ===<br />
<br />
Here we list results on the hash function according to the NIST requirements. The only allowed modification is to change the security parameter.<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Size (n) || Parameters || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| collision<sup>(1)</sup> || 256 || 5 rounds || 2<sup>112</sup> || 2<sup>85.3</sup> || [http://eprint.iacr.org/2010/588.pdf Schläffer]<br />
|- <br />
|} <br />
<br />
<sup>(1)</sup> In this attack some problems in the [http://eprint.iacr.org/2010/321.pdf previous attacks] (pointed out by [http://eprint.iacr.org/2010/569.pdf Jean,Fouque]) have been corrected.<br />
<br />
<br />
=== Building blocks ===<br />
<br />
Here we list results on underlying building blocks, and the hash function modified by other means than the security parameter.<br />
<br />
Note that these results assume more direct control or access over some internal variables (aka. free-start, pseudo, compression function, block cipher, or permutation attacks). <br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements || Reference <br />
|-<br />
| distinguisher || permutation || 256 || 8 rounds || 2<sup>151</sup> || 2<sup>67</sup> || [http://eprint.iacr.org/2010/607.pdf Naya-Plasencia]<br />
|- <br />
| distinguisher<sup>(1)</sup> (chosen salt) || compression function || 256 || 7 rounds || 2<sup>160</sup> || 2<sup>128</sup> || [http://eprint.iacr.org/2010/588.pdf Schläffer]<br />
|- <br />
| free-start collision<sup>(1)</sup> (chosen salt) || compression function || 256 || 6 rounds || 2<sup>160</sup> || 2<sup>128</sup> || [http://eprint.iacr.org/2010/588.pdf Schläffer]<br />
|-<br />
| semi-free-start collision || compression function || 256 || 4 rounds || 2<sup>52</sup> || 2<sup>16</sup> || [http://eprint.iacr.org/2010/569.pdf Jean,Fouque]<br />
|- <br />
| semi-free-start collision || compression function || 256 || 3 rounds || 2<sup>64</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/223.pdf Peyrin]<br />
|- <br />
| distinguisher || compression function || 256 || 4 rounds || 2<sup>64</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/223.pdf Peyrin]<br />
|- <br />
| semi-free-start collision || compression function || 512 || 3 rounds || 2<sup>96</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/223.pdf Peyrin]<br />
|- <br />
| distinguisher || compression function || 512 || 6 rounds || 2<sup>96</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/223.pdf Peyrin]<br />
|- <br />
| distinguisher || permutation || all || 8 rounds || 2<sup>768</sup> || 2<sup>512</sup> || [http://eprint.iacr.org/2009/531.pdf Gilbert,Peyrin]<br />
|- <br />
| distinguisher || permutation || all || 7 rounds || 2<sup>384</sup> || 2<sup>64</sup> || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=110408 Mendel,Peyrin,Rechberger,Schläffer]<br />
|- <br />
| distinguisher || permutation || all || 7 rounds || 2<sup>896</sup> || - || [http://crypto.rd.francetelecom.com/echo/doc/echo_description_1-5.pdf submission document]<br />
|- <br />
|} <br />
<br />
<sup>(1)</sup> In this attack some problems in the [http://eprint.iacr.org/2010/321.pdf previous attacks] (pointed out by [http://eprint.iacr.org/2010/569.pdf Jean,Fouque]) have been corrected.<br />
<br />
<br />
<bibtex><br />
@misc{cryptoeprint:2010:607,<br />
author = {María Naya-Plasencia},<br />
title = {Scrutinizing rebound attacks: new algorithms for improving the complexities},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/607},<br />
year = {2010},<br />
note = {\url{http://eprint.iacr.org/}},<br />
url = {http://eprint.iacr.org/2010/607.pdf},<br />
abstract = {Rebound attacks are a state-of-the-art analysis method for hash functions. These cryptanalysis methods are based on a well chosen differential path and have been applied to several hash functions from the SHA-3 competition, providing the best known analysis in these cases. In this paper we study rebound attacks in detail and find for a great number of cases, that complexities of existing attacks can be improved. This is done by determining problems that adapt optimally to the cryptanalytic situation, and by using better algorithms to follow the differential path. These improvements are essentially based on merging big lists in a more efficient way, as well as on new ideas on how to reduce the complexities. As a result, we introduce general purpose new algorithms for enabling further rebound analysis to be as performant as possible. We illustrate our new algorithms for real hash functions and demonstrate how to reduce the complexities of the best known analysis on five hash functions: JH, Grøstl, ECHO, Luffa and Lane (the first four are round two SHA-3 candidates).},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{cryptoeprint:2010:588,<br />
author = {Martin Schläffer},<br />
title = {Improved Collisions for Reduced ECHO-256},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/588},<br />
year = {2010},<br />
note = {\url{http://eprint.iacr.org/}},<br />
url = {http://eprint.iacr.org/2010/588.pdf},<br />
abstract = {In this work, we present a collision attack on 5 out of 8 rounds of the ECHO-256 hash function with a complexity of $2^{112}$ in time and $2^{85.3}$ memory. In this work, we further show that the merge inbound phase can still be solved in the case of hash function attacks on ECHO. As correctly observed by Jean et al., the merge inbound phase of previous hash function attacks succeeds only with a probability of $2^{-128}$. The main reason for this behavior is the low rank of the linear SuperMixColumns transformation. However, since there is enough freedom in ECHO we can solve the resulting linear equations with a complexity much lower than $2^{128}$. On the other hand, also this low rank of the linear SuperMixColumns transformation allows us to extend the collision attack on the reduced hash function from 4 to 5 rounds. Additionally, we present a collision attack on 6 rounds of the compression function of ECHO-256 and show that a subspace distinguisher is still possible for 7 out of 8 rounds of the compression function of ECHO-256. Both compression function attacks have a complexity of $2^{160}$ with memory requirements of $2^{128}$ and chosen salt.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{cryptoeprint:2010:569,<br />
author = {Jérémy Jean and Pierre-Alain Fouque},<br />
title = {Practical Near-Collisions and Collisions on Round-Reduced ECHO-256 Compression Function},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/569},<br />
year = {2010},<br />
note = {\url{http://eprint.iacr.org/}},<br />
url = {http://eprint.iacr.org/2010/569.pdf},<br />
abstract = {In this paper, we present new results on the second-round SHA-3 candidate ECHO. We describe a method to construct a collision in the compression function of ECHO-256 reduced to four rounds in 2^52 operations on AES-columns without significant memory requirements. Our attack uses the most recent analyses on ECHO, in particular the SuperSBox and SuperMixColumns layers to utilize efficiently the available freedom degrees. We also show why some of these results are flawed and we propose a solution to fix them. Our work improve the time and memory complexity of previous known techniques by using available freedom degrees more precisely. Finally, we validate our work by an implementation leading to near-collisions in 2^36 operations.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{cryptoeprint:2010:321,<br />
author = {Martin Schläffer},<br />
title = {Subspace Distinguisher for 5/8 Rounds of the ECHO-256 Hash Function},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/321},<br />
year = {2010},<br />
note = {\url{http://eprint.iacr.org/}},<br />
url = {http://eprint.iacr.org/2010/321.pdf},<br />
abstract = {In this work we present the first results for the ECHO hash function. We provide a subspace distinguisher for 5/8 rounds, near-collisions on 4.5/8 rounds and collisions for 4/8 rounds of the ECHO-256 hash function. The complexities are $2^{96}$ compression function calls for the distinguisher and near-collision attack, and $2^{64}$ for the collision attack. The memory requirements are $2^{64}$ for all attacks. Furthermore, we provide improved compression function attacks on ECHO-256 to get a distinguisher on 7/8 rounds and near-collisions for 6.5/8 rounds with chosen salt. The compression function attacks also apply to ECHO-512. To get these results, we consider new and sparse truncated differential paths through ECHO. We are able to construct these paths by analyzing the combined MixColumns and BigMixColumns transformation. Since in these sparse truncated differential paths at most 1/4 of all bytes of each ECHO state are active, missing degrees of freedom are not a problem. Therefore, we are able to mount a rebound attack with multiple inbound phases to efficiently find according message pairs for ECHO.},<br />
}<br />
</bibtex><br />
<br />
<bibtex> <br />
@misc{Pey10,<br />
author = {Thomas Peyrin},<br />
title = {Improved Differential Attacks for ECHO and Grostl},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/223},<br />
year = {2010},<br />
note = {\url{http://eprint.iacr.org/}},<br />
abstract = {We present improved cryptanalysis of two second-round SHA-3 candidates: the AES-based hash functions ECHO and Grostl. We explain methods for building better differential trails for ECHO by increasing the granularity of the truncated differential paths previously considered. In the case of Grostl, we describe a new technique, the internal differential attack, which shows that when using parallel computations designers should also consider the differential security between the parallel branches. Then, we exploit the recently introduced start-from-the-middle or Super-Sbox attacks, that proved to be very efficient when attacking AES-like permutations, to achieve a very efficient utilization of the available freedom degrees. Finally, we obtain the best known attacks so far for both ECHO and Grostl. In particular, we are able to mount a distinguishing attack for the full Grostl-256 compression function.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{fseGP10,<br />
author = {Henri Gilbert and Thomas Peyrin},<br />
title = {Super-Sbox Cryptanalysis: Improved Attacks for AES-like permutations},<br />
url = {http://eprint.iacr.org/2009/531.pdf},<br />
booktitle = {FSE},<br />
year = {2010},<br />
series = {LNCS},<br />
note = {To appear}<br />
abstract = {In this paper, we improve the recent rebound and start-from-the-middle attacks on AES-like permutations. Our new cryptanalysis technique uses the fact that one can view two rounds of such permutations as a layer of big Sboxes preceded and followed by simple affine transformations. The big Sboxes encountered in this alternative representation are named Super-Sboxes. We apply this method to two second-round SHA-3 candidates Grostl and ECHO, and obtain improvements over the previous cryptanalysis results for these two schemes. Moreover, we improve the best distinguisher for the AES block cipher in the known-key setting, reaching 8 rounds for the 128-bit version.}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{sacMPRS09,<br />
author = {Florian Mendel and Thomas Peyrin and Christian<br />
Rechberger and Martin Schläffer},<br />
title = {Improved Cryptanalysis of the Reduced Grøstl<br />
Compression Function, ECHO Permutation and AES Block Cipher},<br />
url = {http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=124407&pCurrPk=44420},<br />
booktitle = {SAC},<br />
year = {2009},<br />
volume = {5867},<br />
pages = {16-35},<br />
abstract = {In this paper, we propose two new ways to mount attacks<br />
on the SHA-3 candidates Gr{\o}stl, and ECHO, and apply these attacks<br />
also to the AES. Our results improve upon and extend the rebound<br />
attack. Using the new techniques, we are able to extend the number of<br />
rounds in which available degrees of freedom can be used. As a result,<br />
we present the first attack on 7 rounds for the Gr{\o}stl-256 output<br />
transformation and improve the semi-free-start collision attack on 6<br />
rounds. Further, we present an improved known-key distinguisher for 7<br />
rounds of the AES block cipher and the internal permutation used in<br />
ECHO.}<br />
</bibtex></div>
JAumasson
https://ehash.iaik.tugraz.at/index.php?title=ECHO&diff=3653
ECHO
2010-12-07T13:26:24Z
<p>JAumasson: /* Cryptanalysis */</p>
<hr />
<div>== The algorithm ==<br />
<br />
* Author(s): Ryad Benadjila, Olivier Billet, Henri Gilbert, Gilles Macario-Rat, Thomas Peyrin, Matt Robshaw, Yannick Seurin <br />
* Website: http://crypto.rd.francetelecom.com/echo/<br />
* NIST submission package: <br />
** round 1/2: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/documents/ECHO_Round2.zip ECHO_Round2.zip] (old version [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/ECHO.zip ECHO.zip])<br />
<br />
<br />
<bibtex><br />
@misc{sha3BBG+09,<br />
author = {Ryad Benadjila and Olivier Billet and Henri Gilbert and Gilles Macario-Rat and Thomas Peyrin and Matt Robshaw and Yannick Seurin},<br />
title = {SHA-3 Proposal: ECHO},<br />
url = {http://crypto.rd.francetelecom.com/echo/doc/echo_description_1-5.pdf},<br />
howpublished = {Submission to NIST (updated)},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{sha3BBG+08,<br />
author = {Ryad Benadjila and Olivier Billet and Henri Gilbert and Gilles Macario-Rat and Thomas Peyrin and Matt Robshaw and Yannick Seurin},<br />
title = {SHA-3 Proposal: ECHO},<br />
url = {http://crypto.rd.francetelecom.com/echo/doc/echo_description.pdf},<br />
howpublished = {Submission to NIST},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
<br />
<br />
<br />
<br />
<br />
== Cryptanalysis ==<br />
<br />
We distinguish between two cases: results on the complete hash function, and results on underlying building blocks.<br />
<br />
A description of the tables is given [http://ehash.iaik.tugraz.at/wiki/Cryptanalysis_Categories#Individual_Hash_Function_Tables here].<br />
<br />
Recommended security parameter: '''8''' rounds (n=224,256); '''10''' rounds (n=384,512)<br />
<br />
=== Hash function ===<br />
<br />
Here we list results on the hash function according to the NIST requirements. The only allowed modification is to change the security parameter.<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Size (n) || Parameters || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| collision<sup>(1)</sup> || 256 || 5 rounds || 2<sup>112</sup> || 2<sup>85.3</sup> || [http://eprint.iacr.org/2010/588.pdf Schläffer]<br />
|- <br />
|} <br />
<br />
<sup>(1)</sup> In this attack some problems in the [http://eprint.iacr.org/2010/321.pdf previous attacks] (pointed out by [http://eprint.iacr.org/2010/569.pdf Jean,Fouque]) have been corrected.<br />
<br />
<br />
=== Building blocks ===<br />
<br />
Here we list results on underlying building blocks, and the hash function modified by other means than the security parameter.<br />
<br />
Note that these results assume more direct control or access over some internal variables (aka. free-start, pseudo, compression function, block cipher, or permutation attacks). <br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| distinguisher<sup>(1)</sup> (chosen salt) || compression function || 256 || 7 rounds || 2<sup>160</sup> || 2<sup>128</sup> || [http://eprint.iacr.org/2010/588.pdf Schläffer]<br />
|- <br />
| free-start collision<sup>(1)</sup> (chosen salt) || compression function || 256 || 6 rounds || 2<sup>160</sup> || 2<sup>128</sup> || [http://eprint.iacr.org/2010/588.pdf Schläffer]<br />
|-<br />
| semi-free-start collision || compression function || 256 || 4 rounds || 2<sup>52</sup> || 2<sup>16</sup> || [http://eprint.iacr.org/2010/569.pdf Jean,Fouque]<br />
|- <br />
| semi-free-start collision || compression function || 256 || 3 rounds || 2<sup>64</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/223.pdf Peyrin]<br />
|- <br />
| distinguisher || compression function || 256 || 4 rounds || 2<sup>64</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/223.pdf Peyrin]<br />
|- <br />
| semi-free-start collision || compression function || 512 || 3 rounds || 2<sup>96</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/223.pdf Peyrin]<br />
|- <br />
| distinguisher || compression function || 512 || 6 rounds || 2<sup>96</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/223.pdf Peyrin]<br />
|- <br />
| distinguisher || permutation || all || 8 rounds || 2<sup>768</sup> || 2<sup>512</sup> || [http://eprint.iacr.org/2009/531.pdf Gilbert,Peyrin]<br />
|- <br />
| distinguisher || permutation || all || 7 rounds || 2<sup>384</sup> || 2<sup>64</sup> || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=110408 Mendel,Peyrin,Rechberger,Schläffer]<br />
|- <br />
| distinguisher || permutation || all || 7 rounds || 2<sup>896</sup> || - || [http://crypto.rd.francetelecom.com/echo/doc/echo_description_1-5.pdf submission document]<br />
|- <br />
|} <br />
<br />
<sup>(1)</sup> In this attack some problems in the [http://eprint.iacr.org/2010/321.pdf previous attacks] (pointed out by [http://eprint.iacr.org/2010/569.pdf Jean,Fouque]) have been corrected.<br />
<br />
<br />
<bibtex><br />
@misc{cryptoeprint:2010:588,<br />
author = {Martin Schläffer},<br />
title = {Improved Collisions for Reduced ECHO-256},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/588},<br />
year = {2010},<br />
note = {\url{http://eprint.iacr.org/}},<br />
url = {http://eprint.iacr.org/2010/588.pdf},<br />
abstract = {In this work, we present a collision attack on 5 out of 8 rounds of the ECHO-256 hash function with a complexity of $2^{112}$ in time and $2^{85.3}$ memory. In this work, we further show that the merge inbound phase can still be solved in the case of hash function attacks on ECHO. As correctly observed by Jean et al., the merge inbound phase of previous hash function attacks succeeds only with a probability of $2^{-128}$. The main reason for this behavior is the low rank of the linear SuperMixColumns transformation. However, since there is enough freedom in ECHO we can solve the resulting linear equations with a complexity much lower than $2^{128}$. On the other hand, also this low rank of the linear SuperMixColumns transformation allows us to extend the collision attack on the reduced hash function from 4 to 5 rounds. Additionally, we present a collision attack on 6 rounds of the compression function of ECHO-256 and show that a subspace distinguisher is still possible for 7 out of 8 rounds of the compression function of ECHO-256. Both compression function attacks have a complexity of $2^{160}$ with memory requirements of $2^{128}$ and chosen salt.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{cryptoeprint:2010:569,<br />
author = {Jérémy Jean and Pierre-Alain Fouque},<br />
title = {Practical Near-Collisions and Collisions on Round-Reduced ECHO-256 Compression Function},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/569},<br />
year = {2010},<br />
note = {\url{http://eprint.iacr.org/}},<br />
url = {http://eprint.iacr.org/2010/569.pdf},<br />
abstract = {In this paper, we present new results on the second-round SHA-3 candidate ECHO. We describe a method to construct a collision in the compression function of ECHO-256 reduced to four rounds in 2^52 operations on AES-columns without significant memory requirements. Our attack uses the most recent analyses on ECHO, in particular the SuperSBox and SuperMixColumns layers to utilize efficiently the available freedom degrees. We also show why some of these results are flawed and we propose a solution to fix them. Our work improve the time and memory complexity of previous known techniques by using available freedom degrees more precisely. Finally, we validate our work by an implementation leading to near-collisions in 2^36 operations.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{cryptoeprint:2010:321,<br />
author = {Martin Schläffer},<br />
title = {Subspace Distinguisher for 5/8 Rounds of the ECHO-256 Hash Function},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/321},<br />
year = {2010},<br />
note = {\url{http://eprint.iacr.org/}},<br />
url = {http://eprint.iacr.org/2010/321.pdf},<br />
abstract = {In this work we present the first results for the ECHO hash function. We provide a subspace distinguisher for 5/8 rounds, near-collisions on 4.5/8 rounds and collisions for 4/8 rounds of the ECHO-256 hash function. The complexities are $2^{96}$ compression function calls for the distinguisher and near-collision attack, and $2^{64}$ for the collision attack. The memory requirements are $2^{64}$ for all attacks. Furthermore, we provide improved compression function attacks on ECHO-256 to get a distinguisher on 7/8 rounds and near-collisions for 6.5/8 rounds with chosen salt. The compression function attacks also apply to ECHO-512. To get these results, we consider new and sparse truncated differential paths through ECHO. We are able to construct these paths by analyzing the combined MixColumns and BigMixColumns transformation. Since in these sparse truncated differential paths at most 1/4 of all bytes of each ECHO state are active, missing degrees of freedom are not a problem. Therefore, we are able to mount a rebound attack with multiple inbound phases to efficiently find according message pairs for ECHO.},<br />
}<br />
</bibtex><br />
<br />
<bibtex> <br />
@misc{Pey10,<br />
author = {Thomas Peyrin},<br />
title = {Improved Differential Attacks for ECHO and Grostl},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/223},<br />
year = {2010},<br />
note = {\url{http://eprint.iacr.org/}},<br />
abstract = {We present improved cryptanalysis of two second-round SHA-3 candidates: the AES-based hash functions ECHO and Grostl. We explain methods for building better differential trails for ECHO by increasing the granularity of the truncated differential paths previously considered. In the case of Grostl, we describe a new technique, the internal differential attack, which shows that when using parallel computations designers should also consider the differential security between the parallel branches. Then, we exploit the recently introduced start-from-the-middle or Super-Sbox attacks, that proved to be very efficient when attacking AES-like permutations, to achieve a very efficient utilization of the available freedom degrees. Finally, we obtain the best known attacks so far for both ECHO and Grostl. In particular, we are able to mount a distinguishing attack for the full Grostl-256 compression function.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{fseGP10,<br />
author = {Henri Gilbert and Thomas Peyrin},<br />
title = {Super-Sbox Cryptanalysis: Improved Attacks for AES-like permutations},<br />
url = {http://eprint.iacr.org/2009/531.pdf},<br />
booktitle = {FSE},<br />
year = {2010},<br />
series = {LNCS},<br />
note = {To appear}<br />
abstract = {In this paper, we improve the recent rebound and start-from-the-middle attacks on AES-like permutations. Our new cryptanalysis technique uses the fact that one can view two rounds of such permutations as a layer of big Sboxes preceded and followed by simple affine transformations. The big Sboxes encountered in this alternative representation are named Super-Sboxes. We apply this method to two second-round SHA-3 candidates Grostl and ECHO, and obtain improvements over the previous cryptanalysis results for these two schemes. Moreover, we improve the best distinguisher for the AES block cipher in the known-key setting, reaching 8 rounds for the 128-bit version.}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{sacMPRS09,<br />
author = {Florian Mendel and Thomas Peyrin and Christian<br />
Rechberger and Martin Schläffer},<br />
title = {Improved Cryptanalysis of the Reduced Grøstl<br />
Compression Function, ECHO Permutation and AES Block Cipher},<br />
url = {http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=124407&pCurrPk=44420},<br />
booktitle = {SAC},<br />
year = {2009},<br />
volume = {5867},<br />
pages = {16-35},<br />
abstract = {In this paper, we propose two new ways to mount attacks<br />
on the SHA-3 candidates Gr{\o}stl, and ECHO, and apply these attacks<br />
also to the AES. Our results improve upon and extend the rebound<br />
attack. Using the new techniques, we are able to extend the number of<br />
rounds in which available degrees of freedom can be used. As a result,<br />
we present the first attack on 7 rounds for the Gr{\o}stl-256 output<br />
transformation and improve the semi-free-start collision attack on 6<br />
rounds. Further, we present an improved known-key distinguisher for 7<br />
rounds of the AES block cipher and the internal permutation used in<br />
ECHO.}<br />
</bibtex></div>
JAumasson
https://ehash.iaik.tugraz.at/index.php?title=SHA-3_Hardware_Implementations&diff=3652
SHA-3 Hardware Implementations
2010-12-07T10:14:05Z
<p>JAumasson: /* Important Information */ typo</p>
<hr />
<div>== Call for Contributions ==<br />
<br />
Implementers (both submitters and non-submitters): You have results that complement this site? <br />
Let us know at sha3zoo-hardware@iaik.tugraz.at If you are making your HDL code available, please also provide us with according information.<br />
<br />
== Important Information ==<br />
<br />
This page summarizes key properties of reported hardware implementations of those SHA-3 candidates, which are currently under consideration by NIST. This is work in progress. If you know of any implementations which should be mentioned on this page, refer to our [[#Call_for_Contributions|call for contributions]].<br />
<br />
A list of hardware implementations of the round 1 candidates can be found [[SHA-3_Hardware_Implementations_Round_One|here]]. Please note that the page for round 1 candidates is provided for reference and will not be updated.<br />
<br />
The implementations are categorized into FPGA and standard-cell ASIC implementations. Note that the diversity of implementation scope, target technologies, and synthesis tools makes direct comparisons between different hardware implementations difficult. The more of these parameters agree, the more reasonable the comparison becomes. <br />
<br />
The target technology should be as similar as possible. For FPGA implementation, it is desirable to compare implementations on the same target device (or at least on devices of the same FPGA family). For standard-cell ASIC implementation, at least the minimal gate length of the process (e.g., 0.13 µm) should agree. More ideally, the implementations use the same standard-cell library (which implies the use of the same process technology).<br />
<br />
In order to facilitate the comparison of hardware modules with different implementation scopes, we classify them into three categories:<br />
<br />
* [[#Fully_Autonomous_Implementation|Fully autonomous]]<br />
* [[#Implementation_with_External_Memory|Using external memory]]<br />
* [[#Implementation_of_Core_Functionality|Core functionality]]<br />
<br />
For suggestions regarding the structure of this site, let us know at sha3zoo-hardware@iaik.tugraz.at<br />
<br />
=== Fully Autonomous Implementation ===<br />
<br />
[[Image:HW_type_self-cont.jpg]]<br />
<br />
Such hardware implementations include the complete functionality of a SHA-3 candidate (or a specific version thereof). That means the input message can be loaded piecewise into the hardware module and it delivers the message digest as output. All hash calculations happen exclusively within the hardware module. If integrated in a system, the achievable throughput of a fully autonomous implementation depends on the speed of the hardware module itself and the speed of the (system dependent) data interface delivering the input message.<br />
<br />
<br />
=== Implementation with External Memory ===<br />
<br />
[[Image:HW_type_ext-mem.jpg]]<br />
<br />
These implementations use external memory to hold intermediate values during the hashing of a message. The implemented hardware itself normally consists of the core logic functionality of the hash function, some registers for short-lived temporary values, and possible a memory controller for access to the external memory. Such implementations can load the input message either over a dedicated interface (similar to a fully autonomous implementation) or from the external memory. In order to reach the maximal throughput of the hardware module, the external memory must be sufficiently fast.<br />
<br />
<br />
=== Implementation of Core Functionality ===<br />
<br />
[[Image:HW_type_core-funct.jpg]]<br />
<br />
Such implementations comprise only important parts of the hash function (e.g., the compression function), which normally allows to get a first-order estimate of the performance figures of full implementations.<br />
<br />
== Ongoing Hardware Benchmarking Efforts ==<br />
<br />
To describe it in the words of the initiators and maintainers: "ATHENa: Automated Tool for Hardware EvaluatioN is a project started at George Mason University, aimed at fair, comprehensive, and automated evaluation of cryptographic cores developed using hardware description languages, such as VHDL and Verilog." More information about the project and the current results can be found on the [http://cryptography.gmu.edu/athena/ ATHENa webpage]. Note: As each hash module submitted to ATHENAa is implemented on several FPGA platforms, the SHA-3 zoo pages will not replicate all results produced by the ATHENa project on this webpage. Instead please refer directly to the [http://cryptography.gmu.edu/athena/ ATHENa webpage].<br />
<br />
== Summary of All Results ==<br />
<br />
This section includes four categories of implementations (high-speed, low-area, both for FPGA and ASIC) which include known published results. If the HDL sourcecode is available, a link is provided as well.<br />
<br />
=== High-Speed Implementations (FPGA) ===<br />
<br />
Important note: The size and functionality of slices varies between FPGA families. A direct comparison of the slice count of implementations on different FPGA families is therefore problematic.<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="120"| Hash Function Name !! width="150"| Reference / HDL !! width="100"| Impl. Scope !! width="200"| Impl. Details !! width="100"| Technology !! width="80"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| BLAKE-32 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with 8 G function units || Xilinx Virtex-II Pro || align="right"| 3091 slices || align="right"| 1724 Mbit/s || align="right"| 37.0 MHz<br />
|-<br />
| BLAKE-32 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with 8 G function units || Xilinx Virtex 4 || align="right"| 3087 slices || align="right"| 2235 Mbit/s || align="right"| 48.0 MHz<br />
|-<br />
| BLAKE-32 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with 8 G function units || Xilinx Virtex 5 || align="right"| 1694 slices || align="right"| 3103 Mbit/s || align="right"| 67.0 MHz<br />
|-<br />
| BLAKE-32 || [http://www.vlsi.uwaterloo.ca/~ahasan/hasan_report.html Namin and Hasan] [[#Ref002|[2]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with 8 G function units and I/O registers || Altera Stratix III || align="right"| 5435 ALUTs || align="right"| 2186.2 Mbit/s || align="right"| 46.97 MHz<br />
|-<br />
| BLAKE-32 || [http://eprint.iacr.org/2010/010.pdf Kobayashi et al.] [[#Ref003|[3]]] / [http://www.rcis.aist.go.jp/special/SASEBO/SHA3-en.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1660 slices || align="right"| 2676 Mbit/s || align="right"| 115 MHz<br />
<br />
|-<br />
| BLAKE-32 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] <br />
|| 4 G function units per iteration || Xilinx Virtex 5 || align="right"| 1871 slices || align="right"| 2854 Mbit/s || align="right"| 117.1 MHz<br />
|-<br />
| BLAKE-32 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 4 G function units per iteration || Altera Stratix III || align="right"| 1779 ALUTs || align="right"| 3037 Mbit/s || align="right"| 124.6 MHz<br />
<br />
|-<br />
| BLAKE-32 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1118 slices || align="right"| 1169 Mbit/s || align="right"| 118.06 MHz<br />
|-<br />
| BLAKE-32 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/MATSUO_SHA-3_Criteria_Hardware_revised.pdf Matsuo et al.] [[#Ref033|[33]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS website] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1660 slices || align="right"| 2676 Mbit/s || align="right"| 115 MHz<br />
|-<br />
| BLAKE-64 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with 8 G function units || Xilinx Virtex-II Pro || align="right"| 11122 slices || align="right"| 1177 Mbit/s || align="right"| 17.0 MHz<br />
|-<br />
| BLAKE-64 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with 8 G function units || Xilinx Virtex 4 || align="right"| 11483 slices || align="right"| 1707 Mbit/s || align="right"| 25.0 MHz<br />
|-<br />
| BLAKE-64 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with 8 G function units || Xilinx Virtex 5 || align="right"| 4329 slices || align="right"| 2389 Mbit/s || align="right"| 35.0 MHz<br />
|-<br />
| BLAKE-64 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1718 slices || align="right"| 1299 Mbit/s || align="right"| 90.91 MHz<br />
<br />
|-<br />
| BLAKE-64 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 4 G function units per iteration || Xilinx Virtex 5 || align="right"| 3276 slices || align="right"| 3743 Mbit/s || align="right"| 106.0 MHz<br />
|-<br />
| BLAKE-64 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 4 G function units per iteration || Altera Stratix III || align="right"| 3414 ALUTs || align="right"| 3298 Mbit/s || align="right"| 93.4 MHz<br />
<br />
|-<br />
| Blue Midnight Wish-256 || [http://www.vlsi.uwaterloo.ca/~ahasan/hasan_report.html Namin and Hasan] [[#Ref002|[2]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with f0, f1, and f2 unrolled in sequence and I/O registers || Altera Stratix III || align="right"| 12917 ALUTs || align="right"| 4889.6 Mbit/s || align="right"| 9.55 MHz<br />
<br />
|-<br />
| Blue Midnight Wish-256 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Fully unrolled || Xilinx Virtex 5 || align="right"| 4400 slices || align="right"| 5577 Mbit/s || align="right"| 10.9 MHz<br />
|-<br />
| Blue Midnight Wish-256 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Fully unrolled || Altera Stratix III || align="right"| 12632 ALUTs || align="right"| 8422 Mbit/s || align="right"| 16.5 MHz<br />
<br />
|-<br />
| Blue Midnight Wish-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 4997 slices || align="right"| 457 Mbit/s || align="right"| 14.02 MHz<br />
|-<br />
| Blue Midnight Wish-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/MATSUO_SHA-3_Criteria_Hardware_revised.pdf Matsuo et al.] [[#Ref033|[33]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS website] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 4350 slices || align="right"| 8704 Mbit/s || align="right"| 34 MHz<br />
|-<br />
| Blue Midnight Wish-512 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 9810 slices || align="right"| 287 Mbit/s || align="right"| 10 MHz<br />
<br />
|-<br />
| Blue Midnight Wish-512 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Fully unrolled || Xilinx Virtex 5 || align="right"| 10401 slices || align="right"| 8656 Mbit/s || align="right"| 8.5 MHz<br />
|-<br />
| Blue Midnight Wish-512 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Fully unrolled || Altera Stratix III || align="right"| 25225 ALUTs || align="right"| 7619 Mbit/s || align="right"| 7.4 MHz<br />
<br />
|-<br />
| Blue Midnight Wish || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SAVAS_SHA3_NIST_final.pdf Akin et al.] [[#Ref034|[34]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with f0, f1, and f2 unrolled in sequence || Xilinx Spartan 3 || align="right"| 10531 slices || align="right"| 2110 Mbit/s || align="right"| 4.22 MHz<br />
|-<br />
| Blue Midnight Wish || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SAVAS_SHA3_NIST_final.pdf Akin et al.] [[#Ref034|[34]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with f0, f1, and f2 unrolled in sequence || Xilinx Virtex-II || align="right"| 10432 slices || align="right"| 3360 Mbit/s || align="right"| 6.71 MHz<br />
|-<br />
| Blue Midnight Wish || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SAVAS_SHA3_NIST_final.pdf Akin et al.] [[#Ref034|[34]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with f0, f1, and f2 unrolled in sequence || Xilinx Virtex 4 || align="right"| 10486 slices || align="right"| 4510 Mbit/s || align="right"| 9.01 MHz<br />
|-<br />
| CubeHash8/1-256(***) || [http://eprint.iacr.org/2009/342.pdf Baldwin et al.] [[#Ref004|[4]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || 2 compression functions unrolled || Xilinx Spartan 3 || align="right"| 3268 slices || align="right"| 70 Mbit/s || align="right"| 37.9 MHz<br />
|-<br />
| CubeHash8/1-256(***) || [http://eprint.iacr.org/2009/342.pdf Baldwin et al.] [[#Ref004|[4]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || 1 iterated compression function || Xilinx Virtex 5 || align="right"| 1178 slices || align="right"| 160 Mbit/s || align="right"| 166.8 MHz<br />
|-<br />
| CubeHash16/32-256 || [http://eprint.iacr.org/2010/010.pdf Kobayashi et al.] [[#Ref003|[3]]] / [http://www.rcis.aist.go.jp/special/SASEBO/SHA3-en.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 590 slices || align="right"| 2960 Mbit/s || align="right"| 185 MHz<br />
<br />
|-<br />
| CubeHash16/32-256 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 707 slices || align="right"| 3445 Mbit/s || align="right"| 215.3 MHz<br />
|-<br />
| CubeHash16/32-256 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Altera Stratix III || align="right"| 1928 ALUTs || align="right"| 3777 Mbit/s || align="right"| 236.1 MHz<br />
<br />
|-<br />
| CubeHash16/32-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/MATSUO_SHA-3_Criteria_Hardware_revised.pdf Matsuo et al.] [[#Ref033|[33]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS website] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 590 slices || align="right"| 2960 Mbit/s || align="right"| 185 MHz<br />
|-<br />
| CubeHash8/32 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 695 slices || align="right"| 2509 Mbit/s || align="right"| 166.83 MHz<br />
<br />
|-<br />
| CubeHash16/32-512 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 764 slices || align="right"| 3509 Mbit/s || align="right"| 219.3 MHz<br />
|-<br />
| CubeHash16/32-512 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Altera Stratix III || align="right"| 1924 ALUTs || align="right"| 3489 Mbit/s || align="right"| 218.1 MHz<br />
<br />
|-<br />
| ECHO-224/256 || [http://www.ucc.ie/en/crypto/CodingandCryptographyWorkshop/TheClaudeShannonWorkshoponCodingCryptography2009/DocumentFile,75649,en.pdf Lu et al.] [[#Ref005|[5]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 9333 slices || align="right"| 14860 Mbit/s || align="right"| 87.1 MHz<br />
|-<br />
| ECHO-224/256 || [http://csg.csail.mit.edu/6.375/6_375_2009_www/projects/group1_report.pdf Kinsy and Uhler] [[#Ref021|[21]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 273 cycles per block || Altera Cyclone II || align="right"| 39091 LEs || align="right"| 397 Mbit/s(*) || align="right"| 70.6 MHz<br />
|-<br />
| ECHO-256 || [http://ehash.iaik.tugraz.at/uploads/1/12/Ramakers_Narinx2010ECHO-Hamsi-Luffa_ExtendedAbstract_ENGLISH.pdf Ramakers and Narinx] [[#Ref025|[25]]] / [http://ehash.iaik.tugraz.at/uploads/2/27/Ramakers_Narinx2010ECHO-Hamsi-Luffa_VHDL_sources.zip Hosted by SHA-3 zoo] || [[#Implementation_of_Core_Functionality|Core functionality]] || Straight-forward instantiation of complete compression function || Xilinx Virtex 5 || align="right"| 15006 slices || align="right"| 23860 Mbit/s || align="right"| 139 MHz<br />
|-<br />
| ECHO-256 || [http://ehash.iaik.tugraz.at/uploads/1/12/Ramakers_Narinx2010ECHO-Hamsi-Luffa_ExtendedAbstract_ENGLISH.pdf Ramakers and Narinx] [[#Ref025|[25]]] / [http://ehash.iaik.tugraz.at/uploads/2/27/Ramakers_Narinx2010ECHO-Hamsi-Luffa_VHDL_sources.zip Hosted by SHA-3 zoo] || [[#Implementation_of_Core_Functionality|Core functionality]] || Optimized: 4 x 2 AES round instances with pipeline register in BigSubWords || Xilinx Virtex 5 || align="right"| 12061 slices || align="right"| 3560 Mbit/s || align="right"| 187 MHz<br />
|-<br />
| ECHO-256 || [http://eprint.iacr.org/2010/010.pdf Kobayashi et al.] [[#Ref003|[3]]] / [http://www.rcis.aist.go.jp/special/SASEBO/SHA3-en.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 3556 slices || align="right"| 1614 Mbit/s || align="right"| 104 MHz<br />
|-<br />
| ECHO-256 || [http://crypto.rd.francetelecom.com/ECHO/hard/ Mabrouk and Benadjila] [[#Ref028|[28]]] / [http://crypto.rd.francetelecom.com/ECHO/hard/echo_highspeed_virtex5.zip Implementer's webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Fully parallel iterations of Compress512 || Xilinx Virtex 5 || align="right"| 10407 slices || align="right"| 26390 Mbit/s || align="right"| 154.6 MHz<br />
|-<br />
| ECHO-256 || [http://crypto.rd.francetelecom.com/ECHO/hard/ Mabrouk and Benadjila] [[#Ref028|[28]]] / [http://crypto.rd.francetelecom.com/ECHO/hard/echo_highspeed_virtex6.zip Implementer's webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Fully parallel iterations of Compress512 || Xilinx Virtex 6 || align="right"| 8071 slices || align="right"| 29457 Mbit/s || align="right"| 172.6 MHz<br />
<br />
|-<br />
| ECHO-256 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 3 clk cycles per round || Xilinx Virtex 5 || align="right"| 5445 slices || align="right"| 13874 Mbit/s || align="right"| 234.9 MHz<br />
|-<br />
| ECHO-256 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 3 clk cycles per round || Altera Stratix III || align="right"| 21689 ALUTs || align="right"| 9700 Mbit/s || align="right"| 164.2 MHz<br />
<br />
|-<br />
| ECHO-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 7372 slices || align="right"| 5373 Mbit/s || align="right"| 198.93 MHz<br />
|-<br />
| ECHO-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/MATSUO_SHA-3_Criteria_Hardware_revised.pdf Matsuo et al.] [[#Ref033|[33]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS website] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 2827 slices || align="right"| 2312 Mbit/s || align="right"| 149 MHz<br />
|-<br />
| ECHO-384/512 || [http://www.ucc.ie/en/crypto/CodingandCryptographyWorkshop/TheClaudeShannonWorkshoponCodingCryptography2009/DocumentFile,75649,en.pdf Lu et al.] [[#Ref005|[5]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 9097 slices || align="right"| 7810 Mbit/s || align="right"| 83.9 MHz<br />
|-<br />
| ECHO-384/512 || [http://csg.csail.mit.edu/6.375/6_375_2009_www/projects/group1_report.pdf Kinsy and Uhler] [[#Ref021|[21]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 341 cycles per block || Altera Cyclone II || align="right"| 39091 LEs || align="right"| 212 Mbit/s(**) || align="right"| 70.6 MHz<br />
|-<br />
| ECHO-512 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 8633 slices || align="right"| 18133 Mbit/s || align="right"| 166.69 MHz<br />
<br />
|-<br />
| ECHO-512 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 3 clk cycles per round || Xilinx Virtex 5 || align="right"| 5958 slices || align="right"| 6431 Mbit/s || align="right"| 201.0 MHz<br />
|-<br />
| ECHO-512 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 3 clk cycles per round || Altera Stratix III || align="right"| 20085 ALUTs || align="right"| 7872 Mbit/s || align="right"| 246.0 MHz<br />
<br />
|-<br />
| Fugue-256 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 2 clk cycles per round || Xilinx Virtex 5 || align="right"| 729 slices || align="right"| 3512 Mbit/s || align="right"| 219.5 MHz<br />
|-<br />
| Fugue-256 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 2 clk cycles per round || Altera Stratix III || align="right"| 2352 ALUTs || align="right"| 3765 Mbit/s || align="right"| 235.3 MHz<br />
<br />
|-<br />
| Fugue-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1689 slices || align="right"| 914 Mbit/s || align="right"| 200.04 MHz<br />
|-<br />
| Fugue-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/MATSUO_SHA-3_Criteria_Hardware_revised.pdf Matsuo et al.] [[#Ref033|[33]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS website] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 4013 slices || align="right"| 1248 Mbit/s || align="right"| 78 MHz<br />
|-<br />
| Fugue-384 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 2380 slices || align="right"| 640 Mbit/s || align="right"| 200.08 MHz<br />
|-<br />
| Fugue-512 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 2596 slices || align="right"| 481 Mbit/s || align="right"| 200.16 MHz<br />
<br />
|-<br />
| Fugue-512 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 4 clk cycles per round || Xilinx Virtex 5 || align="right"| 955 slices || align="right"| 1862 Mbit/s || align="right"| 232.7 MHz<br />
|-<br />
| Fugue-512 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 4 clk cycles per round || Altera Stratix III || align="right"| 2680 ALUTs || align="right"| 1878 Mbit/s || align="right"| 234.8 MHz<br />
<br />
|-<br />
| Grøstl-224/256 || [http://eprint.iacr.org/2009/206.pdf Jungk et al.] [[#Ref006|[6]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || P & Q permutation in parallel || Xilinx Spartan 3 || align="right"| 6136 slices || align="right"| 4520 Mbit/s || align="right"| 88.3 MHz<br />
|-<br />
| Grøstl-224/256 || [http://www.groestl.info/Groestl.pdf Submission doc.] [[#Ref007|[7]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || P & Q permutation in parallel || Xilinx Virtex 5 || align="right"| 1722 slices || align="right"| 10276 Mbit/s || align="right"| 200.7 MHz<br />
|-<br />
| Grøstl-224/256 || [http://eprint.iacr.org/2009/342.pdf Baldwin et al.] [[#Ref004|[4]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || P & Q permutation in parallel, S-box in BRAM || Xilinx Spartan 3 || align="right"| 4827 slices || align="right"| 3660 Mbit/s || align="right"| 71.53 MHz<br />
|-<br />
| Grøstl-224/256 || [http://eprint.iacr.org/2009/342.pdf Baldwin et al.] [[#Ref004|[4]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || P & Q permutation in parallel, S-box in BRAM || Xilinx Virtex 5 || align="right"| 4516 slices || align="right"| 7310 Mbit/s || align="right"| 142.87 MHz<br />
|-<br />
| Grøstl-256 || [http://eprint.iacr.org/2010/010.pdf Kobayashi et al.] [[#Ref003|[3]]] / [http://www.rcis.aist.go.jp/special/SASEBO/SHA3-en.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 4057 slices || align="right"| 5171 Mbit/s || align="right"| 101 MHz<br />
<br />
|-<br />
| Grøstl-256 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || P & Q permutations interleaved || Xilinx Virtex 5 || align="right"| 1716 slices || align="right"| 8546 Mbit/s || align="right"| 350.5 MHz<br />
|-<br />
| Grøstl-256 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || P & Q permutations interleaved || Altera Stratix III || align="right"| 3103 ALUTs || align="right"| 6589 Mbit/s || align="right"| 270.3 MHz<br />
<br />
|-<br />
| Grøstl-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 2391 slices || align="right"| 3242 Mbit/s || align="right"| 101.32 MHz<br />
|-<br />
| Grøstl-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/MATSUO_SHA-3_Criteria_Hardware_revised.pdf Matsuo et al.] [[#Ref033|[33]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS website] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 2616 slices || align="right"| 7885 Mbit/s || align="right"| 154 MHz<br />
|-<br />
| Grøstl-384/512 || [http://www.groestl.info/Groestl.pdf Submission doc.] [[#Ref007|[7]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || P & Q permutation in parallel || Xilinx Spartan 3 || align="right"| 20233 slices || align="right"| 5901 Mbit/s || align="right"| 80.7 MHz<br />
|-<br />
| Grøstl-384/512 || [http://eprint.iacr.org/2009/342.pdf Baldwin et al.] [[#Ref004|[4]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || P & Q permutation parallel, S-box in LUTs || Xilinx Spartan 3 || align="right"| 17452 slices || align="right"| 3180 Mbit/s || align="right"| 79.61 MHz<br />
|-<br />
| Grøstl-384/512 || [http://eprint.iacr.org/2009/342.pdf Baldwin et al.] [[#Ref004|[4]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || P & Q permutation parallel, S-box in LUTs || Xilinx Virtex 5 || align="right"| 19161 slices || align="right"| 6090 Mbit/s || align="right"| 83.33 MHz<br />
|-<br />
| Grøstl-384/512 || [http://www.groestl.info/Groestl.pdf Submission doc.] [[#Ref007|[7]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || P & Q permutation in parallel || Xilinx Virtex 5 || align="right"| 5419 slices || align="right"| 15395 Mbit/s || align="right"| 210.5 MHz<br />
|-<br />
| Grøstl-384/512 || [http://eprint.iacr.org/2010/260.pdf Jungk and Reith] [[#Ref022|[22]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Shared P & Q permutation || Xilinx Spartan 3 || align="right"| 8308 slices || align="right"| 3474 Mbit/s || align="right"| 95 MHz<br />
|-<br />
| Grøstl-512 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 4845 slices || align="right"| 3619 Mbit/s || align="right"| 123.4 MHz<br />
<br />
|-<br />
| Grøstl-512 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || P & Q permutations interleaved || Xilinx Virtex 5 || align="right"| 3155 slices || align="right"| 11498 Mbit/s || align="right"| 325.6 MHz<br />
|-<br />
| Grøstl-512 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || P & Q permutations interleaved || Altera Stratix III || align="right"| 6288 ALUTs || align="right"| 8841 Mbit/s || align="right"| 250.4 MHz<br />
<br />
|-<br />
| Hamsi-256 || [http://eprint.iacr.org/2010/010.pdf Kobayashi et al.] [[#Ref003|[3]]] / [http://www.rcis.aist.go.jp/special/SASEBO/SHA3-en.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 718 slices || align="right"| 1680 Mbit/s || align="right"| 210 MHz<br />
|-<br />
| Hamsi-256 || [http://ehash.iaik.tugraz.at/uploads/1/12/Ramakers_Narinx2010ECHO-Hamsi-Luffa_ExtendedAbstract_ENGLISH.pdf Ramakers and Narinx] [[#Ref025|[25]]] / [http://ehash.iaik.tugraz.at/uploads/2/27/Ramakers_Narinx2010ECHO-Hamsi-Luffa_VHDL_sources.zip Hosted by SHA-3 zoo] || [[#Implementation_of_Core_Functionality|Core functionality]] || Straight-forward instantiation of complete compression function || Xilinx Virtex 5 || align="right"| 4664 slices || align="right"| 6620 Mbit/s || align="right"| 207 MHz<br />
|-<br />
| Hamsi-256 || [http://ehash.iaik.tugraz.at/uploads/1/12/Ramakers_Narinx2010ECHO-Hamsi-Luffa_ExtendedAbstract_ENGLISH.pdf Ramakers and Narinx] [[#Ref025|[25]]] / [http://ehash.iaik.tugraz.at/uploads/2/27/Ramakers_Narinx2010ECHO-Hamsi-Luffa_VHDL_sources.zip Hosted by SHA-3 zoo] || [[#Implementation_of_Core_Functionality|Core functionality]] || Non-linear permutation block reused || Xilinx Virtex 5 || align="right"| 2113 slices || align="right"| 1970 Mbit/s || align="right"| 308 MHz<br />
<br />
|-<br />
| Hamsi-256 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 946 slices || align="right"| 2646 Mbit/s || align="right"| 248.1 MHz<br />
|-<br />
| Hamsi-256 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Altera Stratix III || align="right"| 2320 ALUTs || align="right"| 3145 Mbit/s || align="right"| 294.8 MHz<br />
<br />
|-<br />
| Hamsi-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1518 slices || align="right"| 358 Mbit/s || align="right"| 72.41 MHz<br />
|-<br />
| Hamsi-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/MATSUO_SHA-3_Criteria_Hardware_revised.pdf Matsuo et al.] [[#Ref033|[33]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS website] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 718 slices || align="right"| 1680 Mbit/s || align="right"| 210 MHz<br />
|-<br />
| Hamsi-512 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 6229 slices || align="right"| 79 Mbit/s || align="right"| 16.51 MHz<br />
<br />
|-<br />
| Hamsi-512 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 2201 slices || align="right"| 1828 Mbit/s || align="right"| 171.4 MHz<br />
|-<br />
| Hamsi-512 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Altera Stratix III || align="right"| 5668 ALUTs || align="right"| 1932 Mbit/s || align="right"| 181.2 MHz<br />
<br />
|-<br />
| JH-256 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1108 slices || align="right"| 3955 Mbit/s || align="right"| 278.1 MHz<br />
|-<br />
| JH-256 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Altera Stratix III || align="right"| 3107 ALUTs || align="right"| 5191 Mbit/s || align="right"| 365.0 MHz<br />
<br />
|-<br />
| JH-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/MATSUO_SHA-3_Criteria_Hardware_revised.pdf Matsuo et al.] [[#Ref033|[33]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS website] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 2661 slices || align="right"| 2639 Mbit/s || align="right"| 201 MHz<br />
|-<br />
| JH || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1291 slices || align="right"| 1941 Mbit/s || align="right"| 250.13 MHz<br />
<br />
|-<br />
| JH-512 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1165 slices || align="right"| 3918 Mbit/s || align="right"| 275.5 MHz<br />
|-<br />
| JH-512 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Altera Stratix III || align="right"| 3222 ALUTs || align="right"| 5105 Mbit/s || align="right"| 358.9 MHz<br />
<br />
|-<br />
| Keccak || [http://keccak.noekeon.org/Keccak-main-1.2.pdf Updated spec. (v1.2)] [[#Ref008|[8]]] / [http://keccak.noekeon.org/ Submission webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Core (round function, state register) & IO buffer || Altera Cyclone III || align="right"| 5776 LEs || align="right"| 7500 Mbit/s || align="right"| 133 MHz<br />
|-<br />
| Keccak || [http://keccak.noekeon.org/Keccak-main-1.2.pdf Updated spec. (v1.2)] [[#Ref008|[8]]] / [http://keccak.noekeon.org/ Submission webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Core (round function, state register) & IO buffer || Altera Stratix III || align="right"| 4713 ALUTs || align="right"| 12400 Mbit/s || align="right"| 218 MHz<br />
|-<br />
| Keccak || [http://www.strombergson.com/files/Keccak_in_FPGAs.pdf J. Str&ouml;mbergson] [[#Ref009|[9]]] / [http://keccak.noekeon.org/ Submission webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Core (round function, state register) only || Xilinx Spartan 3A || align="right"| 3393 slices || align="right"| 4800 Mbit/s || align="right"| 85 MHz<br />
|-<br />
| Keccak || [http://keccak.noekeon.org/Keccak-main-1.2.pdf Updated spec. (v1.2)] [[#Ref008|[8]]] / [http://keccak.noekeon.org/ Submission webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Core (round function, state register) & IO buffer || Xilinx Virtex 5 || align="right"| 1412 slices || align="right"| 6900 Mbit/s || align="right"| 122 MHz<br />
|-<br />
| Keccak(-224) || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1117 slices || align="right"| 5915 Mbit/s || align="right"| 189 MHz<br />
<br />
|-<br />
| Keccak(-256) || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1229 slices || align="right"| 10807 Mbit/s || align="right"| 238.4 MHz<br />
|-<br />
| Keccak(-256) || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Altera Stratix III || align="right"| 4458 ALUTs || align="right"| 13432 Mbit/s || align="right"| 296.3 MHz<br />
<br />
|-<br />
| Keccak(-256) || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1117 slices || align="right"| 6263 Mbit/s || align="right"| 189 MHz<br />
|-<br />
| Keccak(-256) || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/MATSUO_SHA-3_Criteria_Hardware_revised.pdf Matsuo et al.] [[#Ref033|[33]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS website] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1433 slices || align="right"| 8397 Mbit/s || align="right"| 205 MHz<br />
|-<br />
| Keccak(-384) || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1117 slices || align="right"| 8190 Mbit/s || align="right"| 189 MHz<br />
|-<br />
| Keccak(-512) || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1117 slices || align="right"| 8518 Mbit/s || align="right"| 189 MHz<br />
<br />
|-<br />
| Keccak(-512) || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1236 slices || align="right"| 6645 Mbit/s || align="right"| 276.9 MHz<br />
|-<br />
| Keccak(-512) || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Altera Stratix III || align="right"| 3575 ALUTs || align="right"| 6471 Mbit/s || align="right"| 269.6 MHz<br />
<br />
|-<br />
| Keccak || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SAVAS_SHA3_NIST_final.pdf Akin et al.] [[#Ref034|[34]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || One Keccak-f round per cycle || Xilinx Spartan 3 || align="right"| 2024 slices || align="right"| 3460 Mbit/s || align="right"| 81.4 MHz<br />
|-<br />
| Keccak || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SAVAS_SHA3_NIST_final.pdf Akin et al.] [[#Ref034|[34]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || One Keccak-f round per cycle || Xilinx Virtex-II || align="right"| 2024 slices || align="right"| 5810 Mbit/s || align="right"| 136.6 MHz<br />
|-<br />
| Keccak || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SAVAS_SHA3_NIST_final.pdf Akin et al.] [[#Ref034|[34]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || One Keccak-f round per cycle || Xilinx Virtex 4 || align="right"| 2024 slices || align="right"| 6070 Mbit/s || align="right"| 142.9 MHz<br />
|-<br />
| Luffa-256 || [http://www.vlsi.uwaterloo.ca/~ahasan/hasan_report.html Namin and Hasan] [[#Ref002|[2]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function (1 cycle latency) and I/O registers || Altera Stratix III || align="right"| 16552 ALUTs || align="right"| 12042.2 Mbit/s || align="right"| 47.04 MHz<br />
|-<br />
| Luffa-256 || [http://eprint.iacr.org/2010/010.pdf Kobayashi et al.] [[#Ref003|[3]]] / [http://www.rcis.aist.go.jp/special/SASEBO/SHA3-en.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1048 slices || align="right"| 6343 Mbit/s || align="right"| 223 MHz<br />
|-<br />
| Luffa-256 || [http://ehash.iaik.tugraz.at/uploads/1/12/Ramakers_Narinx2010ECHO-Hamsi-Luffa_ExtendedAbstract_ENGLISH.pdf Ramakers and Narinx] [[#Ref025|[25]]] / [http://ehash.iaik.tugraz.at/uploads/2/27/Ramakers_Narinx2010ECHO-Hamsi-Luffa_VHDL_sources.zip Hosted by SHA-3 zoo] || [[#Implementation_of_Core_Functionality|Core functionality]] || One step block reused for 8 rounds || Xilinx Virtex 5 || align="right"| 9611 slices || align="right"| 2303 Mbit/s || align="right"| 179 MHz<br />
|-<br />
| Luffa-256 || [http://ehash.iaik.tugraz.at/uploads/1/12/Ramakers_Narinx2010ECHO-Hamsi-Luffa_ExtendedAbstract_ENGLISH.pdf Ramakers and Narinx] [[#Ref025|[25]]] / [http://ehash.iaik.tugraz.at/uploads/2/27/Ramakers_Narinx2010ECHO-Hamsi-Luffa_VHDL_sources.zip Hosted by SHA-3 zoo] || [[#Implementation_of_Core_Functionality|Core functionality]] || Straight-forward instantiation of complete compression function || Xilinx Virtex 5 || align="right"| 9611 slices || align="right"| 12290 Mbit/s || align="right"| 48.2 MHz<br />
<br />
|-<br />
| Luffa-256 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1154 slices || align="right"| 8008 Mbit/s || align="right"| 281.5 MHz<br />
|-<br />
| Luffa-256 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Altera Stratix III || align="right"| 3304 ALUTs || align="right"| 8741 Mbit/s || align="right"| 307.3 MHz<br />
<br />
|-<br />
| Luffa-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 2221 slices || align="right"| 5333 Mbit/s || align="right"| 166.67 MHz<br />
|-<br />
| Luffa-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/MATSUO_SHA-3_Criteria_Hardware_revised.pdf Matsuo et al.] [[#Ref033|[33]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS website] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1048 slices || align="right"| 7424 Mbit/s || align="right"| 261 MHz<br />
|-<br />
| Luffa-384 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 3740 slices || align="right"| 5336 Mbit/s || align="right"| 166.75 MHz<br />
|-<br />
| Luffa-512 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 3700 slices || align="right"| 5336 Mbit/s || align="right"| 166.75 MHz<br />
<br />
|-<br />
| Luffa-512 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 2164 slices || align="right"| 7044 Mbit/s || align="right"| 220.1 MHz<br />
|-<br />
| Luffa-512 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Altera Stratix III || align="right"| 6888 ALUTs || align="right"| 8577 Mbit/s || align="right"| 268.0 MHz<br />
<br />
|-<br />
| Luffa || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SAVAS_SHA3_NIST_final.pdf Akin et al.] [[#Ref034|[34]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || Three step modules || Xilinx Spartan 3 || align="right"| 2956 slices || align="right"| 1480 Mbit/s || align="right"| 157.3 MHz<br />
|-<br />
| Luffa || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SAVAS_SHA3_NIST_final.pdf Akin et al.] [[#Ref034|[34]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || Three step modules || Xilinx Virtex-II || align="right"|2952 slices || align="right"| 8370 Mbit/s || align="right"| 301.4 MHz<br />
|-<br />
| Luffa || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SAVAS_SHA3_NIST_final.pdf Akin et al.] [[#Ref034|[34]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || Three step modules || Xilinx Virtex 4 || align="right"| 2989 slices || align="right"| 8560 Mbit/s || align="right"| 308.2 MHz<br />
|-<br />
| Shabal || [http://www.shabal.com/wp-content/plugins/download-monitor/download.php?id=FPGA-Implementation-of-Shabal-First-ResultsV2.0.pdf Feron and Francq] [[#Ref010|[10]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 36 adders in permutation || Xilinx Virtex 5 || align="right"| 1171 slices || align="right"| 2588 Mbit/s || align="right"| 126 MHz<br />
|-<br />
| Shabal || [http://eprint.iacr.org/2010/406.pdf Francq and Thuillet] [[#Ref026|[26]]] / [http://www.shabal.com/?p=170 Shabal webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 4 iterations of the permutation unrolled || Xilinx Virtex 5 || align="right"| 1715 slices || align="right"| 3242 Mbit/s || align="right"| 76 MHz<br />
|-<br />
| Shabal || [http://eprint.iacr.org/2009/342.pdf Baldwin et al.] [[#Ref004|[4]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || 36 adders in permutation || Xilinx Spartan 3 || align="right"| 2223 slices || align="right"| 740 Mbit/s || align="right"| 71.48 MHz<br />
|-<br />
| Shabal || [http://eprint.iacr.org/2009/342.pdf Baldwin et al.] [[#Ref004|[4]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || 36 adders in permutation || Xilinx Virtex 5 || align="right"| 2768 slices || align="right"| 1450 Mbit/s || align="right"| 138.87 MHz<br />
|-<br />
| Shabal || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1583 slices || align="right"| 1469 Mbit/s || align="right"| 148.04 MHz<br />
|-<br />
| Shabal-256 || [http://www.vlsi.uwaterloo.ca/~ahasan/hasan_report.html Namin and Hasan] [[#Ref002|[2]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with I/O registers (latency of 16 clock cycles) || Altera Stratix III || align="right"| 1440 ALUTs || align="right"| 3125.6 Mbit/s || align="right"| 195.35 MHz<br />
|-<br />
| Shabal-256 || [http://eprint.iacr.org/2010/010.pdf Kobayashi et al.] [[#Ref003|[3]]] / [http://www.rcis.aist.go.jp/special/SASEBO/SHA3-en.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1251 slices || align="right"| 1739 Mbit/s || align="right"| 214 MHz<br />
<br />
|-<br />
| Shabal-256 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 2 rounds unrolled || Xilinx Virtex 5 || align="right"| 1266 slices || align="right"| 2624 Mbit/s || align="right"| 128.1 MHz<br />
|-<br />
| Shabal-256 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 2 rounds unrolled || Altera Stratix III || align="right"| 3600 ALUTs || align="right"| 2598 Mbit/s || align="right"| 126.9 MHz<br />
<br />
|-<br />
| Shabal-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/MATSUO_SHA-3_Criteria_Hardware_revised.pdf Matsuo et al.] [[#Ref033|[33]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS website] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1251 slices || align="right"| 2335 Mbit/s || align="right"| 228 MHz<br />
|-<br />
| Shabal-512 || [http://eprint.iacr.org/2010/292.pdf Detrey et al.] [[#Ref023|[23]]] / [http://hwshabal.gforge.inria.fr/ INRIA webpage (see SCM tree)] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Exploiting SRL16 primitive || Xilinx Virtex 5 || align="right"| 153 slices || align="right"| 2051 Mbit/s || align="right"| 256 MHz<br />
|-<br />
| Shabal-512 || [http://eprint.iacr.org/2010/292.pdf Detrey et al.] [[#Ref023|[23]]] / [http://hwshabal.gforge.inria.fr/ INRIA webpage (see SCM tree)] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Exploiting SRL16 primitive || Xilinx Spartan 3 || align="right"| 499 slices || align="right"| 800 Mbit/s || align="right"| 100 MHz<br />
<br />
|-<br />
| Shabal-512 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 2 rounds unrolled || Xilinx Virtex 5 || align="right"| 1372 slices || align="right"| 2771 Mbit/s || align="right"| 135.3 MHz<br />
|-<br />
| Shabal-512 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 2 rounds unrolled || Altera Stratix III || align="right"| 3753 ALUTs || align="right"| 2589 Mbit/s || align="right"| 126.4 MHz<br />
<br />
|-<br />
| SHAvite-3<sub>256</sub> || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 3 clk cycles per round || Xilinx Virtex 5 || align="right"| 1130 slices || align="right"| 2886 Mbit/s || align="right"| 208.6 MHz<br />
|-<br />
| SHAvite-3<sub>256</sub> || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 3 clk cycles per round || Altera Stratix III || align="right"| 2497 ALUTs || align="right"| 3529 Mbit/s || align="right"| 255.0 MHz<br />
<br />
|-<br />
| SHAvite-3<sub>256</sub> || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 3125 slices || align="right"| 1170 Mbit/s || align="right"| 109.17 MHz<br />
|-<br />
| SHAvite-3<sub>256</sub> || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/MATSUO_SHA-3_Criteria_Hardware_revised.pdf Matsuo et al.] [[#Ref033|[33]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS website] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1063 slices || align="right"| 3382 Mbit/s || align="right"| 251 MHz<br />
|-<br />
| SHAvite-3<sub>512</sub> || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 9775 slices || align="right"| 931 Mbit/s || align="right"| 59.4 MHz<br />
<br />
|-<br />
| SHAvite-3<sub>512</sub> || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 4 clk cycles per round || Xilinx Virtex 5 || align="right"| 1954 slices || align="right"| 3835 Mbit/s || align="right"| 213.4 MHz<br />
|-<br />
| SHAvite-3<sub>512</sub> || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 4 clk cycles per round || Altera Stratix III || align="right"| 5610 ALUTs || align="right"| 3869 Mbit/s || align="right"| 215.4 MHz<br />
<br />
|-<br />
| SIMD-256 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 4 SIMD steps unrolled || Xilinx Virtex 5 || align="right"| 9288 slices || align="right"| 2326 Mbit/s || align="right"| 40.9 MHz<br />
|-<br />
| SIMD-256 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 4 SIMD steps unrolled || Altera Stratix III || align="right"| 22376 ALUTs || align="right"| 2697 Mbit/s || align="right"| 47.4 MHz<br />
<br />
|-<br />
| SIMD-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 22704 slices || align="right"| 1338 Mbit/s || align="right"| 107.2 MHz<br />
|-<br />
| SIMD-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/MATSUO_SHA-3_Criteria_Hardware_revised.pdf Matsuo et al.] [[#Ref033|[33]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS website] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 3987 slices || align="right"| 835 Mbit/s || align="right"| 75 MHz<br />
|-<br />
| SIMD-512 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 43729 slices || align="right"| 2677 Mbit/s || align="right"| 107.2 MHz<br />
<br />
|-<br />
| SIMD-512 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 4 SIMD steps unrolled || Xilinx Virtex 5 || align="right"| 17016 slices || align="right"| 4139 Mbit/s || align="right"| 36.4 MHz<br />
|-<br />
| SIMD-512 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 4 SIMD steps unrolled || Altera Stratix III || align="right"| 47671 ALUTs || align="right"| 4936 Mbit/s || align="right"| 43.4 MHz<br />
<br />
|-<br />
| Skein-256-h || [http://www.skein-hash.info/sites/default/files/skein_fpga.pdf Men Long] [[#Ref011|[11]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || UBI component || Xilinx Virtex 5 || align="right"| 1001 slices || align="right"| 408.7 Mbit/s || align="right"| 114.9 MHz<br />
|-<br />
| Skein-256-256 || [http://eprint.iacr.org/2009/159.pdf Stefan Tillich] [[#Ref012|[12]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 8 Threefish rounds unrolled || Xilinx Virtex 5 || align="right"| 937 slices || align="right"| 1751 Mbit/s || align="right"| 68.4 MHz<br />
|-<br />
| Skein-256-256 || [http://eprint.iacr.org/2009/159.pdf Stefan Tillich] [[#Ref012|[12]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 8 Threefish rounds unrolled || Xilinx Spartan 3 || align="right"| 2421 slices || align="right"| 669 Mbit/s || align="right"| 26.14 MHz<br />
|-<br />
| Skein-256-256 || [http://eprint.iacr.org/2010/010.pdf Kobayashi et al.] [[#Ref003|[3]]] / [http://www.rcis.aist.go.jp/special/SASEBO/SHA3-en.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 854 slices || align="right"| 1482 Mbit/s || align="right"| 115 MHz<br />
<br />
|-<br />
| Skein-512-256 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 4 Threefish rounds unrolled || Xilinx Virtex 5 || align="right"| 1463 slices || align="right"| 2812 Mbit/s || align="right"| 104.3 MHz<br />
|-<br />
| Skein-512-256 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 4 Threefish rounds unrolled || Altera Stratix III || align="right"| 4499 ALUTs || align="right"| 2482 Mbit/s || align="right"| 92.1 MHz<br />
<br />
|-<br />
| Skein-256-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/MATSUO_SHA-3_Criteria_Hardware_revised.pdf Matsuo et al.] [[#Ref033|[33]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS website] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 854 slices || align="right"| 1402 Mbit/s || align="right"| 115 MHz<br />
|-<br />
| Skein-512-h || [http://www.skein-hash.info/sites/default/files/skein_fpga.pdf Men Long] [[#Ref011|[11]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || UBI component || Xilinx Virtex 5 || align="right"| 1877 slices || align="right"| 817.4 Mbit/s || align="right"| 114.9 MHz<br />
|-<br />
| Skein-512-512 || [http://eprint.iacr.org/2009/159.pdf Stefan Tillich] [[#Ref012|[12]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 8 Threefish rounds unrolled || Xilinx Virtex 5 || align="right"| 1632 slices || align="right"| 3535 Mbit/s || align="right"| 69.04 MHz<br />
|-<br />
| Skein-512-512 || [http://eprint.iacr.org/2009/159.pdf Stefan Tillich] [[#Ref012|[12]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 8 Threefish rounds unrolled || Xilinx Spartan 3 || align="right"| 4273 slices || align="right"| 1365 Mbit/s || align="right"| 26.66 MHz<br />
|-<br />
| Skein-512 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1786 slices || align="right"| 1945 Mbit/s || align="right"| 83.65 MHz<br />
<br />
|-<br />
| Skein-512-512 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 4 Threefish rounds unrolled || Xilinx Virtex 5 || align="right"| 1520 slices || align="right"| 2812 Mbit/s || align="right"| 104.3 MHz<br />
|-<br />
| Skein-512-512 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 4 Threefish rounds unrolled || Altera Stratix III || align="right"| 4563 ALUTs || align="right"| 2482 Mbit/s || align="right"| 92.1 MHz<br />
<br />
|}<br />
<br />
(*) Estimated peak throughput ignoring I/O bottleneck resulting from specific interface: (1536 bits/block) * (70.6 * 10^6 cycles/s) / (273 cycles/block) = 397.22 * 10^6 bits/s.<br />
<br /><br />
(**) Estimated peak throughput ignoring I/O bottleneck resulting from specific interface: (1024 bits/block) * (70.6 * 10^6 cycles/s) / (341 cycles/block) = 212.01 * 10^6 bits/s.<br />
<br /><br />
(***) CubeHash16/32-h implemented in a similar fashion can be expected to have throughput increased by a factor of about 16.<br />
<br />
<br /><br />
<br /><br />
<br />
=== Low-Area Implementations (FPGA) ===<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="120"| Hash Function Name !! width="150"| Reference / HDL !! width="100"| Impl. Scope !! width="200"| Implementation Details !! width="100"| Technology !! width="80"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| BLAKE-32 || [http://eprint.iacr.org/2010/173.pdf Beuchat et al.] [[#Ref013|[13]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Rescheduled G function || Xilinx Spartan-3 || align="right"| 124 slices || align="right"| 115 Mbit/s || align="right"| 190.0 MHz<br />
|-<br />
| BLAKE-32 || [http://eprint.iacr.org/2010/173.pdf Beuchat et al.] [[#Ref013|[13]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Rescheduled G function || Xilinx Virtex-4 || align="right"| 124 slices || align="right"| 216 Mbit/s || align="right"| 357.0 MHz<br />
|-<br />
| BLAKE-32 || [http://eprint.iacr.org/2010/173.pdf Beuchat et al.] [[#Ref013|[13]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Rescheduled G function || Xilinx Virtex-5 || align="right"| 56 slices || align="right"| 225 Mbit/s || align="right"| 372.0 MHz<br />
|-<br />
| BLAKE-32 || [http://eprint.iacr.org/2010/173.pdf Beuchat et al.] [[#Ref013|[13]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Rescheduled G function || Altera Cyclone III || align="right"| 285 LEs || align="right"| 116 Mbit/s || align="right"| 192.0 MHz<br />
|-<br />
| BLAKE-32 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with 1 G function unit || Xilinx Virtex-II Pro || align="right"| 958 slices || align="right"| 371 Mbit/s || align="right"| 59.0 MHz<br />
|-<br />
| BLAKE-32 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with 1 G function unit || Xilinx Virtex 4 || align="right"| 960 slices || align="right"| 430 Mbit/s || align="right"| 68.0 MHz<br />
|-<br />
| BLAKE-32 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with 1 G function unit || Xilinx Virtex 5 || align="right"| 390 slices || align="right"| 575 Mbit/s || align="right"| 91.0 MHz<br />
|-<br />
| BLAKE-64 || [http://eprint.iacr.org/2010/173.pdf Beuchat et al.] [[#Ref013|[13]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Rescheduled G function || Xilinx Spartan-3 || align="right"| 229 slices || align="right"| 138 Mbit/s || align="right"| 158.0 MHz<br />
|-<br />
| BLAKE-64 || [http://eprint.iacr.org/2010/173.pdf Beuchat et al.] [[#Ref013|[13]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Rescheduled G function || Xilinx Virtex-4 || align="right"| 230 slices || align="right"| 219 Mbit/s || align="right"| 250.0 MHz<br />
|-<br />
| BLAKE-64 || [http://eprint.iacr.org/2010/173.pdf Beuchat et al.] [[#Ref013|[13]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Rescheduled G function || Xilinx Virtex-5 || align="right"| 108 slices || align="right"| 314 Mbit/s || align="right"| 358.0 MHz<br />
|-<br />
| BLAKE-64 || [http://eprint.iacr.org/2010/173.pdf Beuchat et al.] [[#Ref013|[13]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Rescheduled G function || Altera Cyclone III || align="right"| 542 LEs || align="right"| 123 Mbit/s || align="right"| 140.0 MHz<br />
|-<br />
| BLAKE-64 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with 1 G function unit || Xilinx Virtex-II Pro || align="right"| 1802 slices || align="right"| 326 Mbit/s || align="right"| 36.0 MHz<br />
|-<br />
| BLAKE-64 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with 1 G function unit || Xilinx Virtex 4 || align="right"| 1856 slices || align="right"| 381 Mbit/s || align="right"| 42.0 MHz<br />
|-<br />
| BLAKE-64 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with 1 G function unit || Xilinx Virtex 5 || align="right"| 939 slices || align="right"| 533 Mbit/s || align="right"| 59.0 MHz<br />
|-<br />
| Blue Midnight Wish-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/El-Hadedy_SmallSizeFPGA-BMW256.pdf El Hadedy et al.] [[#Ref032|[32]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 32-bit datapath, 1 memory block || Xilinx Virtex || align="right"| 895 slices || align="right"| 9 Mbit/s || align="right"| 38 MHz<br />
|-<br />
| Blue Midnight Wish-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/El-Hadedy_SmallSizeFPGA-BMW256.pdf El Hadedy et al.] [[#Ref032|[32]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 32-bit datapath, 2 memory blocks || Xilinx Virtex 5 || align="right"| 84 slices || align="right"| 28 Mbit/s || align="right"| 116 MHz<br />
<br />
|-<br />
| Blue Midnight Wish-256 || [http://people.item.ntnu.no/~danilog/Hash/BMW-SecondRound/SmallSizeFPGA-BMWOct2010.pdf El Hadedy et al.] [[#Ref041|[41]]] / [http://www.q2s.ntnu.no/sha3_nist_competition/start Submission webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 32-bit datapath, 3 memory blocks || Xilinx Virtex 5 || align="right"| 51 slices || align="right"| 68.71 Mbit/s || align="right"| 141 MHz<br />
|-<br />
| Blue Midnight Wish-512 || [http://people.item.ntnu.no/~danilog/Hash/BMW-SecondRound/SmallSizeFPGA-BMWOct2010.pdf El Hadedy et al.] [[#Ref041|[41]]] / [http://www.q2s.ntnu.no/sha3_nist_competition/start Submission webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 64-bit datapath, 3 memory blocks || Xilinx Virtex 5 || align="right"| 105 slices || align="right"| 112.18 Mbit/s || align="right"| 115 MHz<br />
<br />
|-<br />
| ECHO || [http://eprint.iacr.org/2010/364.pdf Beuchat et al.] [[#Ref024|[24]]] / On request from author || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Adapted towards FPGA implementation (127 slices and 1 memory block) || Xilinx Virtex 5 || align="right"| 127 slices || align="right"| 72 Mbit/s || align="right"| 352.0 MHz<br />
|-<br />
| ECHO || Announced 19-08-2010 on hash-forum@nist.gov / On request from author || [[#Fully_Autonomous_Implementation|Fully autonomous]] || All ECHO + all AES variants || Xilinx Virtex 5 || align="right"| 231 slices || align="right"| 81.7 Mbit/s (ECHO-224/256), 41.9 Mbit/s (ECHO-384/512) || align="right"| 351.0 MHz<br />
|-<br />
| Grøstl-224/256 || [http://eprint.iacr.org/2009/206.pdf Jungk et al.] [[#Ref006|[6]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 64-bit datapath, P & Q permutation in parallel || Xilinx Spartan 3 || align="right"| 2486 slices || align="right"| 404 Mbit/s || align="right"| 63.2 MHz<br />
|-<br />
| Grøstl-224/256 || [http://eprint.iacr.org/2009/206.pdf Jungk et al.] [[#Ref006|[6]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 64-bit datapath, P & Q permutation in parallel || Xilinx Virtex 2 Pro || align="right"| 2754 slices || align="right"| 512 Mbit/s || align="right"| 81.5 MHz<br />
|-<br />
| Grøstl-224/256 || [http://eprint.iacr.org/2010/260.pdf Jungk and Reith] [[#Ref022|[22]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Shared P & Q permutation, S-Box based on composite field arithmetic || Xilinx Spartan 3 || align="right"| 1276 slices || align="right"| 192 Mbit/s || align="right"| 60 MHz<br />
|-<br />
| Grøstl-384/512 || [http://eprint.iacr.org/2010/260.pdf Jungk and Reith] [[#Ref022|[22]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Shared P & Q permutation, S-Box based on composite field arithmetic || Xilinx Spartan 3 || align="right"| 2110 slices || align="right"| 144 Mbit/s || align="right"| 63 MHz<br />
|-<br />
| Keccak || [http://keccak.noekeon.org/Keccak-main-1.2.pdf Updated spec. (v1.2)] [[#Ref008|[8]]] / [http://keccak.noekeon.org/ Submission webpage] || [[#Implementation_with_External_Memory|Using external memory]] || Small core using system memory || Altera Stratix III || align="right"| 855 ALUTs || align="right"| 96.8 Mbit/s || align="right"| 366 MHz<br />
|-<br />
| Keccak || [http://keccak.noekeon.org/Keccak-main-1.2.pdf Updated spec. (v1.2)] [[#Ref008|[8]]] / [http://keccak.noekeon.org/ Submission webpage] || [[#Implementation_with_External_Memory|Using external memory]] || Small core using system memory || Altera Cyclone III || align="right"| 1559 LEs || align="right"| 47.8 Mbit/s || align="right"| 181 MHz<br />
|-<br />
| Keccak || [http://keccak.noekeon.org/Keccak-main-1.2.pdf Updated spec. (v1.2)] [[#Ref008|[8]]] / [http://keccak.noekeon.org/ Submission webpage] || [[#Implementation_with_External_Memory|Using external memory]] || Small core using system memory || Xilinx Virtex 5 || align="right"| 444 slices || align="right"| 70.1 Mbit/s || align="right"| 265 MHz<br />
<br />
|-<br />
| Luffa-256 || [http://www.sdl.hitachi.co.jp/crypto/luffa/ACompactHardwareImplementationOfSHA-3CandidateLuffa_20101105.pdf Mikami et al.] [[#Ref027|[27]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || One permutation block (64 S-boxes, 4 MixWord blocks) || Xilinx Virtex 5 || align="right"| 355 slices || align="right"| 33 Mbit/s || align="right"| 50 MHz<br />
<br />
|-<br />
| Shabal || [http://ehash.iaik.tugraz.at/uploads/d/d4/FPGA_Implementation_of_Shabal_-_First_Results.pdf Feron and Francq] [[#Ref010|[10]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 36 adders in permutation || Xilinx Virtex 5 || align="right"| 596 slices (+ 40 DSP blocks) || align="right"| 1142 Mbit/s || align="right"| 109 MHz<br />
|-<br />
| Shabal || [http://eprint.iacr.org/2009/342.pdf Baldwin et al.] [[#Ref004|[4]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || 1 adder in permutation || Xilinx Spartan 3 || align="right"| 1933 slices || align="right"| 540 Mbit/s || align="right"| 89.71 MHz<br />
|-<br />
| Shabal || [http://eprint.iacr.org/2009/342.pdf Baldwin et al.] [[#Ref004|[4]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || 1 adder in permutation || Xilinx Virtex 5 || align="right"| 2307 slices || align="right"| 1330 Mbit/s || align="right"| 222.22 MHz<br />
|-<br />
| Shabal-512 || [http://eprint.iacr.org/2010/292.pdf Detrey et al.] [[#Ref023|[23]]] / [http://hwshabal.gforge.inria.fr/ INRIA webpage (see SCM tree)] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Exploiting SRL16 primitive || Xilinx Virtex 5 || align="right"| 153 slices || align="right"| 2051 Mbit/s || align="right"| 256 MHz<br />
|-<br />
| Shabal-512 || [http://eprint.iacr.org/2010/292.pdf Detrey et al.] [[#Ref023|[23]]] / [http://hwshabal.gforge.inria.fr/ INRIA webpage (see SCM tree)] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Exploiting SRL16 primitive || Xilinx Spartan 3 || align="right"| 499 slices || align="right"| 800 Mbit/s || align="right"| 100 MHz<br />
|-<br />
| Skein-256-256 || [http://www.vlsi.uwaterloo.ca/~ahasan/hasan_report.html Namin and Hasan] [[#Ref002|[2]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || One round of Threefish iterated || Altera Stratix III || align="right"| 1385 ALUTs || align="right"| 573.9 Mbit/s || align="right"| 161.42 MHz<br />
|}<br />
<br />
<br><br><br />
<br />
=== High-Speed Implementations (ASIC) ===<br />
<br />
A comparison of implementations of all 14 round 2 candidates has been presented informally at [http://www.iaik.tugraz.at/ IAIK] (Graz University of Technology) on Sept. 16, 2009. The updated presentation slides can be found [http://ehash.iaik.tugraz.at/uploads/f/fc/20091112_SHA-3_HW_stillich.pdf here].<br />
<br />
<br /><br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="120"| Hash Function Name !! width="150"| Reference / HDL !! width="100"| Impl. Scope !! width="200"| Implementation Details !! width="100"| Technology !! width="80"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| BLAKE-32 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with 8 G function units || UMC 0.18 µm || align="right"| 58.30 kGates || align="right"| 5295 Mbit/s || align="right"| 114 MHz<br />
|-<br />
| BLAKE-32 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with 4 G function units || UMC 0.18 µm || align="right"| 41.31 kGates || align="right"| 4153 Mbit/s || align="right"| 170 MHz<br />
|-<br />
| BLAKE-32 || [http://www.vlsi.uwaterloo.ca/~ahasan/hasan_report.html Namin and Hasan] [[#Ref002|[2]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with 8 G function units and I/O registers || STM 90 nm || align="right"| 53 kGates || align="right"| 4475 Mbit/s(*) || align="right"| 96.15 MHz<br />
|-<br />
| BLAKE-32 || [http://eprint.iacr.org/2009/510.pdf Tillich et al.] [[#Ref014|[14]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Compression function with 4 G function units with CSAs || UMC 0.18 µm || align="right"| 45.64 kGates || align="right"| 3971 Mbit/s || align="right"| 170.64 MHz<br />
|-<br />
| BLAKE-32 || [http://www.springerlink.com/content/g0115v3272156r06/ Henzen et al.] [[#Ref029|[29]]] / [http://www.iis.ee.ethz.ch/~sha3/ ETH webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Four parallel G functions modules || UMC 90 nm || align="right"| 47.5 kGates || align="right"| 9752 Mbit/s || align="right"| 400 MHz<br />
|-<br />
| BLAKE-32 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SCHAUMONT_SHA3.pdf Guo et al.] [[#Ref035|[35]]] / [http://rijndael.ece.vt.edu/sha3/ VT webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || UMC 0.13 µm || align="right"| 43.52 kGates || align="right"| 4645 Mbit/s || align="right"| 200 MHz<br />
|-<br />
| BLAKE-32 || [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] [[#Ref037|[37]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || STM 90 nm || align="right"| 37 kGates || align="right"| 6668 Mbit/s || align="right"| 286.5 MHz<br />
|-<br />
| BLAKE-32 || [http://131002.net/data/papers/HAMP10.pdf Henzen et al.] [[#Ref040|[40]]] / [http://131002.net/blake/ Submission webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Compression function with 8 G function units || UMC 0.18 µm || align="right"| 79 kGates || align="right"| 6376 Mbit/s || align="right"| 137 MHz<br />
|-<br />
| BLAKE-32 || [http://131002.net/data/papers/HAMP10.pdf Henzen et al.] [[#Ref040|[40]]] / [http://131002.net/blake/ Submission webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Compression function with 4 G function units || UMC 0.18 µm || align="right"| 48 kGates || align="right"| 5847 Mbit/s || align="right"| 240 MHz<br />
|-<br />
| BLAKE-32 || [http://131002.net/data/papers/HAMP10.pdf Henzen et al.] [[#Ref040|[40]]] / [http://131002.net/blake/ Submission webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Compression function with 8 G function units || UMC 0.13 µm || align="right"| 67 kGates || align="right"| 9365 Mbit/s || align="right"| 201 MHz<br />
|-<br />
| BLAKE-32 || [http://131002.net/data/papers/HAMP10.pdf Henzen et al.] [[#Ref040|[40]]] / [http://131002.net/blake/ Submission webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Compression function with 4 G function units || UMC 0.13 µm || align="right"| 43 kGates || align="right"| 8047 Mbit/s || align="right"| 330 MHz<br />
|-<br />
| BLAKE-32 || [http://131002.net/data/papers/HAMP10.pdf Henzen et al.] [[#Ref040|[40]]] / [http://131002.net/blake/ Submission webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Compression function with 8 G function units || UMC 90 nm || align="right"| 65 kGates || align="right"| 17498 Mbit/s || align="right"| 376 MHz<br />
|-<br />
| BLAKE-32 || [http://131002.net/data/papers/HAMP10.pdf Henzen et al.] [[#Ref040|[40]]] / [http://131002.net/blake/ Submission webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Compression function with 4 G function units || UMC 90 nm || align="right"| 38 kGates || align="right"| 15143 Mbit/s || align="right"| 621 MHz<br />
|-<br />
| BLAKE-64 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with 8 G function units || UMC 0.18 µm || align="right"| 132.47 kGates || align="right"| 5910 Mbit/s || align="right"| 87 MHz<br />
|-<br />
| BLAKE-64 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with 4 G function units || UMC 0.18 µm || align="right"| 82.73 kGates || align="right"| 4810 Mbit/s || align="right"| 136 MHz<br />
|-<br />
| BLAKE-64 || [http://131002.net/data/papers/HAMP10.pdf Henzen et al.] [[#Ref040|[40]]] / [http://131002.net/blake/ Submission webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Compression function with 8 G function units || UMC 0.18 µm || align="right"| 147 kGates || align="right"| 7216 Mbit/s || align="right"| 106 MHz<br />
|-<br />
| BLAKE-64 || [http://131002.net/data/papers/HAMP10.pdf Henzen et al.] [[#Ref040|[40]]] / [http://131002.net/blake/ Submission webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Compression function with 4 G function units || UMC 0.18 µm || align="right"| 98 kGates || align="right"| 7192 Mbit/s || align="right"| 204 MHz<br />
|-<br />
| BLAKE-64 || [http://131002.net/data/papers/HAMP10.pdf Henzen et al.] [[#Ref040|[40]]] / [http://131002.net/blake/ Submission webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Compression function with 8 G function units || UMC 0.13 µm || align="right"| 139 kGates || align="right"| 10802 Mbit/s || align="right"| 158 MHz<br />
|-<br />
| BLAKE-64 || [http://131002.net/data/papers/HAMP10.pdf Henzen et al.] [[#Ref040|[40]]] / [http://131002.net/blake/ Submission webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Compression function with 4 G function units || UMC 0.13 µm || align="right"| 92 kGates || align="right"| 10265 Mbit/s || align="right"| 291 MHz<br />
|-<br />
| BLAKE-64 || [http://131002.net/data/papers/HAMP10.pdf Henzen et al.] [[#Ref040|[40]]] / [http://131002.net/blake/ Submission webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Compression function with 8 G function units || UMC 90 nm || align="right"| 128 kGates || align="right"| 20317 Mbit/s || align="right"| 298 MHz<br />
|-<br />
| BLAKE-64 || [http://131002.net/data/papers/HAMP10.pdf Henzen et al.] [[#Ref040|[40]]] / [http://131002.net/blake/ Submission webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Compression function with 4 G function units || UMC 90 nm || align="right"| 79 kGates || align="right"| 18782 Mbit/s || align="right"| 532 MHz<br />
|-<br />
| Blue Midnight Wish-256 || [http://www.vlsi.uwaterloo.ca/~ahasan/hasan_report.html Namin and Hasan] [[#Ref002|[2]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with f0, f1, and f2 unrolled in sequence and I/O registers || STM 90 nm || align="right"| 164 kGates || align="right"| 26665 Mbit/s(*) || align="right"| 52.08 MHz<br />
|-<br />
| Blue Midnight Wish-256 || [http://eprint.iacr.org/2009/510.pdf Tillich et al.] [[#Ref014|[14]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Compression function with f0, f1, and f2 unrolled || UMC 0.18 µm || align="right"| 169.74 kGates || align="right"| 5358 Mbit/s || align="right"| 10.46 MHz<br />
|-<br />
| Blue Midnight Wish-256 || [http://www.springerlink.com/content/g0115v3272156r06/ Henzen et al.] [[#Ref029|[29]]] / [http://www.iis.ee.ethz.ch/~sha3/ ETH webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || single-cycle f0 and f2, f1 iteratively || UMC 90 nm || align="right"| 150 kGates || align="right"| 8486 Mbit/s || align="right"| 298 MHz<br />
|-<br />
| Blue Midnight Wish-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SCHAUMONT_SHA3.pdf Guo et al.] [[#Ref035|[35]]] / [http://rijndael.ece.vt.edu/sha3/ VT webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || UMC 0.13 µm || align="right"| 198.17 kGates || align="right"| 12220 Mbit/s || align="right"| 48 MHz<br />
|-<br />
| Blue Midnight Wish || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SAVAS_SHA3_NIST_final.pdf Akin et al.] [[#Ref034|[34]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with f0, f1, and f2 unrolled in sequence || Synopsys 90 nm || align="right"| 55.9 kGates || align="right"| 26320 Mbit/s || align="right"| 52.63 MHz<br />
|-<br />
| Blue Midnight Wish-256 || [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] [[#Ref037|[37]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || STM 90 nm || align="right"| 128.7 kGates || align="right"| 25937 Mbit/s || align="right"| 101.3 MHz<br />
|-<br />
| CubeHash16/32-h || [http://eprint.iacr.org/2009/510.pdf Tillich et al.] [[#Ref014|[14]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Dynamically reconfigurable r and b parameters, two rounds unrolled || UMC 0.18 µm || align="right"| 58.87 kGates || align="right"| 4665 Mbit/s || align="right"| 145.77 MHz<br />
|-<br />
| CubeHash16/32-h || [http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=5236043 Bernet et al.] [[#Ref020|[20]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || One round per cycle || 0.13 µm || align="right"| 34.33 kGates || align="right"| 9248 Mbit/s(***) || align="right"| 578 MHz<br />
|-<br />
| CubeHash16/32-h || [http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=5236043 Bernet et al.] [[#Ref020|[20]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Half a round per cycle || 0.13 µm || align="right"| 21.54 kGates || align="right"| 8000 Mbit/s(***) || align="right"| 1000 MHz<br />
|-<br />
| CubeHash16/32-256 || [http://www.springerlink.com/content/g0115v3272156r06/ Henzen et al.] [[#Ref029|[29]]] / [http://www.iis.ee.ethz.ch/~sha3/ ETH webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || One round per cycle, IV fixed || UMC 90 nm || align="right"| 42.5 kGates || align="right"| 10667 Mbit/s || align="right"| 667 MHz<br />
|-<br />
| CubeHash16/32-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SCHAUMONT_SHA3.pdf Guo et al.] [[#Ref035|[35]]] / [http://rijndael.ece.vt.edu/sha3/ VT webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || UMC 0.13 µm || align="right"| 38.18 kGates || align="right"| 4624 Mbit/s || align="right"| 289 MHz<br />
|-<br />
| CubeHash16/32-256 || [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] [[#Ref037|[37]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || STM 90 nm || align="right"| 35.5 kGates || align="right"| 8247 Mbit/s || align="right"| 515.5 MHz<br />
|-<br />
| ECHO-224/256 || [http://www.ucc.ie/en/crypto/CodingandCryptographyWorkshop/TheClaudeShannonWorkshoponCodingCryptography2009/DocumentFile,75649,en.pdf Lu et al.] [[#Ref005|[5]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || 0.13 µm || align="right"| 521.1 kGates || align="right"| 14850 Mbit/s || align="right"| 87.1 MHz<br />
|-<br />
| ECHO-256 || [http://eprint.iacr.org/2009/510.pdf Tillich et al.] [[#Ref014|[14]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Four parallel AES rounds, 16 AES MixColumns 32-bit column multipliers || UMC 0.18 µm || align="right"| 141.49 kGates || align="right"| 2246 Mbit/s || align="right"| 141.84 MHz<br />
|-<br />
| ECHO-256 || [http://www.springerlink.com/content/g0115v3272156r06/ Henzen et al.] [[#Ref029|[29]]] / [http://www.iis.ee.ethz.ch/~sha3/ ETH webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 8 AES rounds per cycle || UMC 90 nm || align="right"| 260 kGates || align="right"| 13966 Mbit/s || align="right"| 291 MHz<br />
|-<br />
| ECHO-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SCHAUMONT_SHA3.pdf Guo et al.] [[#Ref035|[35]]] / [http://rijndael.ece.vt.edu/sha3/ VT webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || UMC 0.13 µm || align="right"| 92.73 kGates || align="right"| 3366 Mbit/s || align="right"| 217 MHz<br />
|-<br />
| ECHO-256 || [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] [[#Ref037|[37]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || STM 90 nm || align="right"| 101.1 kGates || align="right"| 5621 Mbit/s || align="right"| 362.3 MHz<br />
|-<br />
| ECHO-384/512 || [http://www.ucc.ie/en/crypto/CodingandCryptographyWorkshop/TheClaudeShannonWorkshoponCodingCryptography2009/DocumentFile,75649,en.pdf Lu et al.] [[#Ref005|[5]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || 0.13 µm|| align="right"| 516.8 kGates || align="right"| 7750 Mbit/s || align="right"| 83.3 MHz<br />
|-<br />
| Fugue-256 || [http://domino.research.ibm.com/comm/research_projects.nsf/pages/fugue.index.html/$FILE/NIST-submission-Oct08-fugue.pdf Submission doc.] [[#Ref015|[15]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Four columns of SMIX transformation in parallel (SUPER4_P) || IBM 90 nm || align="right"| 109.85 kGates || align="right"| 13913 Mbit/s || align="right"| 869.5 MHz<br />
|-<br />
| Fugue-256 || [http://eprint.iacr.org/2009/510.pdf Tillich et al.] [[#Ref014|[14]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Four columns of SMIX transformation in parallel || UMC 0.18 µm || align="right"| 46.26 kGates || align="right"| 4092 Mbit/s || align="right"| 255.75 MHz<br />
|-<br />
| Fugue-256 || [http://www.springerlink.com/content/g0115v3272156r06/ Henzen et al.] [[#Ref029|[29]]] / [http://www.iis.ee.ethz.ch/~sha3/ ETH webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || S-box as LUT || UMC 90 nm || align="right"| 55 kGates || align="right"| 8815 Mbit/s || align="right"| 551 MHz<br />
|-<br />
| Fugue-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SCHAUMONT_SHA3.pdf Guo et al.] [[#Ref035|[35]]] / [http://rijndael.ece.vt.edu/sha3/ VT webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || UMC 0.13 µm || align="right"| 91.09 kGates || align="right"| 2385 Mbit/s || align="right"| 149 MHz<br />
|-<br />
| Fugue-256 || [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] [[#Ref037|[37]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || STM 90 nm || align="right"| 56.7 kGates || align="right"| 2721 Mbit/s || align="right"| 170.1 MHz<br />
|-<br />
| Grøstl-256 || [http://eprint.iacr.org/2009/510.pdf Tillich et al.] [[#Ref014|[14]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || One shared permutation for P & Q, one pipeline stage || UMC 0.18 µm || align="right"| 58.40 kGates || align="right"| 6290 Mbit/s || align="right"| 270.27 MHz<br />
|-<br />
| Grøstl-256 || [http://www.springerlink.com/content/g0115v3272156r06/ Henzen et al.] [[#Ref029|[29]]] / [http://www.iis.ee.ethz.ch/~sha3/ ETH webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || P and Q permutation interleaved with one pipeline stage, S-box as LUT || UMC 90 nm || align="right"| 135 kGates || align="right"| 16254 Mbit/s || align="right"| 667 MHz<br />
|-<br />
| Grøstl-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SCHAUMONT_SHA3.pdf Guo et al.] [[#Ref035|[35]]] / [http://rijndael.ece.vt.edu/sha3/ VT webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || UMC 0.13 µm || align="right"| 110.11 kGates || align="right"| 9606 Mbit/s || align="right"| 188 MHz<br />
|-<br />
| Grøstl-256 || [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] [[#Ref037|[37]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || STM 90 nm || align="right"| 139.1 kGates || align="right"| 17297 Mbit/s || align="right"| 337.8 MHz<br />
<br />
|-<br />
| Grøstl-256 || [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/others.html RCIS webpage] [[#Ref039|[39]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/others.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || STM 90 nm || align="right"| 120.8 kGates || align="right"| 16275 Mbit/s || align="right"| 349.7 MHz<br />
<br />
|-<br />
| Grøstl-384/512 || [http://www.groestl.info/Groestl.pdf Submission doc.] [[#Ref007|[7]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || P & Q permutation in parallel || UMC 0.18 µm || align="right"| 341 kGates || align="right"| 6225 Mbit/s || align="right"| 85.1 MHz<br />
|-<br />
| Hamsi-256 || [http://homes.esat.kuleuven.be/~okucuk/hamsi/implementations.html Junfeng Fan (Hamsi website)] [[#Ref016|[16]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || 0.13 µm || align="right"| 22 kGates || align="right"| 4940 Mbit/s || align="right"| 1080 MHz<br />
|-<br />
| Hamsi-256 || [http://eprint.iacr.org/2009/510.pdf Tillich et al.] [[#Ref014|[14]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Three instances of P/Pf function unrolled || UMC 0.18 µm || align="right"| 58.66 kGates || align="right"| 5565 Mbit/s || align="right"| 173.91 MHz<br />
|-<br />
| Hamsi-256 || [http://www.springerlink.com/content/g0115v3272156r06/ Henzen et al.] [[#Ref029|[29]]] / [http://www.iis.ee.ethz.ch/~sha3/ ETH webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Message expansions in LUTs, one round per cycle || UMC 90 nm || align="right"| 45 kGates || align="right"| 8686 Mbit/s || align="right"| 814 MHz<br />
|-<br />
| Hamsi-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SCHAUMONT_SHA3.pdf Guo et al.] [[#Ref035|[35]]] / [http://rijndael.ece.vt.edu/sha3/ VT webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || UMC 0.13 µm || align="right"| 29.94 kGates || align="right"| 3571 Mbit/s || align="right"| 446 MHz<br />
|-<br />
| Hamsi-256 || [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] [[#Ref037|[37]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || STM 90 nm || align="right"| 67.6 kGates || align="right"| 7767 Mbit/s || align="right"| 970.9 MHz<br />
|-<br />
| Hamsi-512 || [http://homes.esat.kuleuven.be/~okucuk/hamsi/implementations.html Junfeng Fan (Hamsi website)] [[#Ref016|[16]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || 0.13 µm || align="right"| 50 kGates || align="right"| 3970 Mbit/s || align="right"| 820 MHz<br />
|-<br />
| JH-256 || [http://eprint.iacr.org/2009/510.pdf Tillich et al.] [[#Ref014|[14]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 320 S-boxes, one round of R<sub>8</sub> per cycle || UMC 0.18 µm || align="right"| 58.83 kGates || align="right"| 4991 Mbit/s || align="right"| 380.22 MHz<br />
|-<br />
| JH-256 || [http://www.springerlink.com/content/g0115v3272156r06/ Henzen et al.] [[#Ref029|[29]]] / [http://www.iis.ee.ethz.ch/~sha3/ ETH webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || S-boxes as LUTs, stored constants || UMC 90 nm || align="right"| 80 kGates || align="right"| 10807 Mbit/s || align="right"| 760 MHz<br />
|-<br />
| JH-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SCHAUMONT_SHA3.pdf Guo et al.] [[#Ref035|[35]]] / [http://rijndael.ece.vt.edu/sha3/ VT webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || UMC 0.13 µm || align="right"| 62.42 kGates || align="right"| 5128 Mbit/s || align="right"| 391 MHz<br />
|-<br />
| JH-256 || [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] [[#Ref037|[37]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || STM 90 nm || align="right"| 54.6 kGates || align="right"| 10022 Mbit/s || align="right"| 763.4 MHz<br />
|-<br />
| Keccak || [http://keccak.noekeon.org/Keccak-main-1.2.pdf Updated spec. (v1.2)] [[#Ref008|[8]]] / [http://keccak.noekeon.org/ Submission webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Core (round function, state register) & IO buffer || ST 0.13 µm || align="right"| 48 kGates || align="right"| 29900 Mbit/s || align="right"| 526 MHz<br />
|-<br />
| Keccak || [http://keccak.noekeon.org/Keccak-specifications.pdf Submission doc.] [[#Ref008|[8]]] / [http://keccak.noekeon.org/ Submission webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Core (round function, state register) only || ST 0.13 µm || align="right"| 40 kGates || align="right"| 15000 Mbit/s || align="right"| 500 MHz<br />
|-<br />
| Keccak(-256) || [http://eprint.iacr.org/2009/510.pdf Tillich et al.] [[#Ref014|[14]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || One instance of Keccak-f round || UMC 0.18 µm || align="right"| 56.32 kGates || align="right"| 21229 Mbit/s || align="right"| 487.80 MHz<br />
|-<br />
| Keccak(-256) || [http://www.springerlink.com/content/g0115v3272156r06/ Henzen et al.] [[#Ref029|[29]]] / [http://www.iis.ee.ethz.ch/~sha3/ ETH webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || One round per cycle || UMC 90 nm || align="right"| 50 kGates || align="right"| 43011 Mbit/s || align="right"| 949 MHz<br />
|-<br />
| Keccak(-256) || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SCHAUMONT_SHA3.pdf Guo et al.] [[#Ref035|[35]]] / [http://rijndael.ece.vt.edu/sha3/ VT webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || UMC 0.13 µm || align="right"| 47.43 kGates || align="right"| 15457 Mbit/s || align="right"| 377 MHz<br />
|-<br />
| Keccak || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SAVAS_SHA3_NIST_final.pdf Akin et al.] [[#Ref034|[34]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || One Keccak-f round per cycle || Synopsys 90 nm || align="right"| 10.5 kGates || align="right"| 19320 Mbit/s || align="right"| 454.5 MHz<br />
|-<br />
| Keccak(-256) || [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] [[#Ref037|[37]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || STM 90 nm || align="right"| 50.7 kGates || align="right"| 33333 Mbit/s || align="right"| 781.3 MHz<br />
<br />
|-<br />
| Keccak(-256) || [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/others.html RCIS webpage] [[#Ref039|[39]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/others.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || STM 90 nm || align="right"| 55.9 kGates || align="right"| 43986 Mbit/s || align="right"| 1030.9 MHz<br />
<br />
|-<br />
| Luffa-224/256 || [http://www.cosic.esat.kuleuven.be/publications/article-1282.pdf Knežević and Verbauwhede] [[#Ref017|[17]]] / [http://homes.esat.kuleuven.be/~mknezevi/luffa/luffa_hw_code.tar.gz Author's webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Three permutation blocks in parallel (64 S-boxes, 4 MixWord blocks each) || UMC 0.13 µm || align="right"| 30.83 kGates || align="right"| 31960 Mbit/s || align="right"| 1124 MHz<br />
|-<br />
| Luffa-256 || [http://www.vlsi.uwaterloo.ca/~ahasan/hasan_report.html Namin and Hasan] [[#Ref002|[2]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function (1 cycle latency) and I/O registers || STM 90 nm || align="right"| 122 kGates || align="right"| 25702 Mbit/s(*) || align="right"| 100.4 MHz<br />
|-<br />
| Luffa-224/256 || [http://eprint.iacr.org/2009/510.pdf Tillich et al.] [[#Ref014|[14]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Three permutation blocks in parallel (64 S-boxes, 4 MixWord blocks each) || UMC 0.18 µm || align="right"| 44.97 kGates || align="right"| 13741 Mbit/s || align="right"| 483.09 MHz<br />
|-<br />
| Luffa-256 || [http://www.springerlink.com/content/g0115v3272156r06/ Henzen et al.] [[#Ref029|[29]]] / [http://www.iis.ee.ethz.ch/~sha3/ ETH webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Three parallel step modules, SubCrumb as logic || UMC 90 nm || align="right"| 55 kGates || align="right"| 23256 Mbit/s || align="right"| 727 MHz<br />
|-<br />
| Luffa-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SCHAUMONT_SHA3.pdf Guo et al.] [[#Ref035|[35]]] / [http://rijndael.ece.vt.edu/sha3/ VT webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || UMC 0.13 µm || align="right"| 37.94 kGates || align="right"| 13943 Mbit/s || align="right"| 490 MHz<br />
|-<br />
| Luffa-256 || [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] [[#Ref037|[37]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || STM 90 nm || align="right"| 39.6 kGates || align="right"| 28732 Mbit/s || align="right"| 1010.1 MHz<br />
<br />
|-<br />
| Luffa-256 || [http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=5513102&tag=1 Satoh et al.] [[#Ref038|[38]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/others.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Three permutation blocks in parallel (64 S-boxes, 4 MixWord blocks each), two rounds unrolled || STM 90 nm || align="right"| 62.8 kGates || align="right"| 35068.5 Mbit/s || align="right"| 684.9 MHz<br />
<br />
|-<br />
| Luffa-384 || [http://www.cosic.esat.kuleuven.be/publications/article-1282.pdf Knežević and Verbauwhede] [[#Ref017|[17]]] / [http://homes.esat.kuleuven.be/~mknezevi/luffa/luffa_hw_code.tar.gz Author's webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Four permutation blocks in parallel (64 S-boxes, 4 MixWord blocks each) || UMC 0.13 µm || align="right"| 50.07 kGates || align="right"| 23126 Mbit/s || align="right"| 813 MHz<br />
|-<br />
| Luffa-512 || [http://www.cosic.esat.kuleuven.be/publications/article-1282.pdf Knežević and Verbauwhede] [[#Ref017|[17]]] / [http://homes.esat.kuleuven.be/~mknezevi/luffa/luffa_hw_code.tar.gz Author's webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Five permutation blocks in parallel (64 S-boxes, 4 MixWord blocks each) || UMC 0.13 µm || align="right"| 65.1 kGates || align="right"| 19617 Mbit/s || align="right"| 690 MHz<br />
|-<br />
| Luffa || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SAVAS_SHA3_NIST_final.pdf Akin et al.] [[#Ref034|[34]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || Three step modules || Synopsys 90 nm || align="right"| 11.5 kGates || align="right"| 21370 Mbit/s || align="right"| 769.2 MHz<br />
|-<br />
| Shabal-256 || [http://www.vlsi.uwaterloo.ca/~ahasan/hasan_report.html Namin and Hasan] [[#Ref002|[2]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with I/O registers (latency of 16 clock cycles) || STM 90 nm || align="right"| 20 kGates || align="right"| 4408 Mbit/s(*) || align="right"| 413.22 MHz<br />
|-<br />
| Shabal-256 || [http://eprint.iacr.org/2009/510.pdf Tillich et al.] [[#Ref014|[14]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || One word rotation per cycle, 50 cycles per block || UMC 0.18 µm || align="right"| 54.19 kGates || align="right"| 3282 Mbit/s || align="right"| 320.51 MHz<br />
|-<br />
| Shabal || [http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=5236043 Bernet et al.] [[#Ref020|[20]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || One word rotation per cycle, 52 cycles per block || 0.13 µm || align="right"| 41.32 kGates || align="right"| 6351 Mbit/s(***) || align="right"| 645 MHz<br />
|-<br />
| Shabal-256 || [http://www.springerlink.com/content/g0115v3272156r06/ Henzen et al.] [[#Ref029|[29]]] / [http://www.iis.ee.ethz.ch/~sha3/ ETH webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 30 adders, 16 subtractors || UMC 90 nm || align="right"| 45 kGates || align="right"| 6819 Mbit/s || align="right"| 693 MHz<br />
|-<br />
| Shabal-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SCHAUMONT_SHA3.pdf Guo et al.] [[#Ref035|[35]]] / [http://rijndael.ece.vt.edu/sha3/ VT webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || UMC 0.13 µm || align="right"| 49.44 kGates || align="right"| 2945 Mbit/s || align="right"| 362 MHz<br />
|-<br />
| Shabal-256 || [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] [[#Ref037|[37]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || STM 90 nm || align="right"| 34.6 kGates || align="right"| 6059 Mbit/s || align="right"| 591.7 MHz<br />
|-<br />
| SHAvite-3<sub>256</sub> || [http://eprint.iacr.org/2009/510.pdf Tillich et al.] [[#Ref014|[14]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Four AES rounds (two for compression, two for message expansion) || UMC 0.18 µm || align="right"| 57.39 kGates || align="right"| 3152 Mbit/s || align="right"| 227.79 MHz<br />
|-<br />
| SHAvite-3<sub>256</sub> || [http://www.springerlink.com/content/g0115v3272156r06/ Henzen et al.] [[#Ref029|[29]]] / [http://www.iis.ee.ethz.ch/~sha3/ ETH webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || One AES round each for message expansion and F<sup>3</sup> round || UMC 90 nm || align="right"| 75 kGates || align="right"| 7999 Mbit/s || align="right"| 562 MHz<br />
|-<br />
| SHAvite-3<sub>256</sub> || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SCHAUMONT_SHA3.pdf Guo et al.] [[#Ref035|[35]]] / [http://rijndael.ece.vt.edu/sha3/ VT webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || UMC 0.13 µm || align="right"| 55.25 kGates || align="right"| 4599 Mbit/s || align="right"| 341 MHz<br />
|-<br />
| SHAvite-3<sub>256</sub> || [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] [[#Ref037|[37]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || STM 90 nm || align="right"| 59.4 kGates || align="right"| 8421 Mbit/s || align="right"| 625 MHz<br />
|-<br />
| SIMD-256(**) || [http://eprint.iacr.org/2009/510.pdf Tillich et al.] [[#Ref014|[14]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Two FFT-64 with two FFT-8 and 16 multipliers (8x8 bit) each || UMC 0.18 µm || align="right"| 104.17 kGates || align="right"| 924 Mbit/s || align="right"| 64.93 MHz<br />
|-<br />
| SIMD-256 || [http://www.springerlink.com/content/g0115v3272156r06/ Henzen et al.] [[#Ref029|[29]]] / [http://www.iis.ee.ethz.ch/~sha3/ ETH webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Four parallel Feistel modules, message expansion based on NNT<sub>8</sub> and eight multipliers || UMC 90 nm || align="right"| 135 kGates || align="right"| 5177 Mbit/s || align="right"| 364 MHz<br />
|-<br />
| SIMD-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SCHAUMONT_SHA3.pdf Guo et al.] [[#Ref035|[35]]] / [http://rijndael.ece.vt.edu/sha3/ VT webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || UMC 0.13 µm || align="right"| 139.55 kGates || align="right"| 2157 Mbit/s || align="right"| 194 MHz<br />
|-<br />
| SIMD-256 || [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] [[#Ref037|[37]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || STM 90 nm || align="right"| 139 kGates || align="right"| 3171 Mbit/s || align="right"| 284.9 MHz<br />
|-<br />
| Skein-256-256 || [http://eprint.iacr.org/2009/159.pdf Stefan Tillich] [[#Ref012|[12]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 8 Threefish rounds unrolled || UMC 0.18 µm || align="right"| 53.87 kGates || align="right"| 1762 Mbit/s || align="right"| 68.8 MHz<br />
|-<br />
| Skein-256-256 || [http://www.vlsi.uwaterloo.ca/~ahasan/hasan_report.html Namin and Hasan] [[#Ref002|[2]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || All 72 Threefish rounds unrolled || STM 90 nm || align="right"| 369 kGates || align="right"| 3126 Mbit/s(*) || align="right"| 12.21 MHz<br />
|-<br />
| Skein-256-256 || [http://eprint.iacr.org/2009/510.pdf Tillich et al.] [[#Ref014|[14]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 8 Threefish rounds unrolled || UMC 0.18 µm || align="right"| 58.61 kGates || align="right"| 1882 Mbit/s || align="right"| 73.52 MHz<br />
|-<br />
| Skein-256-256 || [http://www.springerlink.com/content/g0115v3272156r06/ Henzen et al.] [[#Ref029|[29]]] / [http://www.iis.ee.ethz.ch/~sha3/ ETH webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Four unrolled Threefish rounds || UMC 90 nm || align="right"| 50 kGates || align="right"| 3558 Mbit/s || align="right"| 264 MHz<br />
|-<br />
| Skein-256-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SCHAUMONT_SHA3.pdf Guo et al.] [[#Ref035|[35]]] / [http://rijndael.ece.vt.edu/sha3/ VT webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || UMC 0.13 µm || align="right"| 40.9 kGates || align="right"| 1941 Mbit/s || align="right"| 159 MHz<br />
|-<br />
| Skein-256-256 || [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] [[#Ref037|[37]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || STM 90 nm || align="right"| 43.1 kGates || align="right"| 3295 Mbit/s || align="right"| 270.3 MHz<br />
|-<br />
| Skein-512-512 || [http://eprint.iacr.org/2009/510.pdf Tillich et al.] [[#Ref014|[14]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 8 Threefish rounds unrolled || UMC 0.18 µm || align="right"| 102.04 kGates || align="right"| 2502 Mbit/s || align="right"| 48.87 MHz<br />
|-<br />
| Skein-512 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/WALKER_skein-intel-hwd.pdf Walker et al.] [[#Ref036|[36]]] / N/A] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 8 Threefish rounds unrolled || Intel 32 nm || align="right"| 57.93 kGates || align="right"| 32320 Mbit/s || align="right"| 631.31 MHz<br />
|}<br />
<br />
(*) Estimated peak throughput for the minimal delay of compression function: 1000 * (Input Size in bits) / [(Compression Function Delay in ns) * (Number of Cycles)] = Throughput in Mbit/s.<br />
<br /><br />
(**) Implementation of round-one variant.<br />
<br /><br />
(***) Estimated peak throughput: Throughput for CubeHash8/1-h implementation * 16.<br />
<br />
<br><br><br />
<br />
=== Low-Area Implementations (ASIC) ===<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="120"| Hash Function Name !! width="150"| Reference / HDL !! width="100"| Impl. Scope !! width="200"| Implementation Details !! width="100"| Technology !! width="80"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| BLAKE-32 || [http://eprint.iacr.org/2009/349.pdf Tillich et al.] [[#Ref018|[18]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || One G function in 11 cycles || AMS 0.35 µm || align="right"| 25.57 kGates || align="right"| 15.4 Mbit/s || align="right"| 31.25 MHz<br />
|-<br />
| BLAKE-32 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with a single G function unit || UMC 0.18 µm || align="right"| 10.54 kGates || align="right"| 253 Mbit/s || align="right"| 40 MHz<br />
|-<br />
| BLAKE-32 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with a half G function unit || UMC 0.18 µm || align="right"| 9.89 kGates || align="right"| 127 Mbit/s || align="right"| 40 MHz<br />
|-<br />
| BLAKE-32 || [http://131002.net/data/papers/HAMP10.pdf Henzen et al.] [[#Ref040|[40]]] / [http://131002.net/blake/ Submission webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 1 adder and 4-word latch array || UMC 0.18 µm || align="right"| 13.56 kGates || align="right"| 135 Mbit/s || align="right"| 215 MHz<br />
|-<br />
| BLAKE-32 || [http://131002.net/data/papers/HAMP10.pdf Henzen et al.] [[#Ref040|[40]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_with_External_Memory|Using external memory]] || 1 adder and 4-word latch array || UMC 0.18 µm || align="right"| 8.60 kGates || align="right"| 62 Mbit/s || align="right"| 100 MHz<br />
|-<br />
| BLAKE-64 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with a single G function unit || UMC 0.18 µm || align="right"| 20.61 kGates || align="right"| 181 Mbit/s || align="right"| 20 MHz<br />
|-<br />
| BLAKE-64 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with a half G function unit || UMC 0.18 µm || align="right"| 19.46 kGates || align="right"| 91 Mbit/s || align="right"| 20 MHz<br />
|-<br />
| CubeHash16/32-h || [http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=5236043 Bernet et al.] [[#Ref020|[20]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Process two 32-bit words per cycle, 64 cycles per round || 0.13 µm || align="right"| 7.63 kGates || align="right"| 32 Mbit/s(****) || align="right"| 100 MHz<br />
|-<br />
| ECHO-224/256 || [http://www.ucc.ie/en/crypto/CodingandCryptographyWorkshop/TheClaudeShannonWorkshoponCodingCryptography2009/DocumentFile,75649,en.pdf Lu et al.] [[#Ref005|[5]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || 0.13 µm || align="right"| 82.8 kGates || align="right"| 373 Mbit/s || align="right"| 66.6 MHz<br />
|-<br />
| Fugue-256 || [http://domino.research.ibm.com/comm/research_projects.nsf/pages/fugue.index.html/$FILE/NIST-submission-Oct08-fugue.pdf Submission doc.] [[#Ref015|[15]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || One SMIX transformation (SUPER1_L) || IBM 90 nm || align="right"| 59.22 kGates || align="right"| 2000 Mbit/s || align="right"| 500 MHz<br />
|-<br />
| Grøstl-224/256 || [http://eprint.iacr.org/2009/349.pdf Tillich et al.] [[#Ref018|[18]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 64-bit datapath, P & Q permutation shared || AMS 0.35 µm || align="right"| 14.62 kGates || align="right"| 145.9 Mbit/s || align="right"| 55.87 MHz<br />
|-<br />
| Grøstl-224/256 || [http://www.groestl.info Grøstl website] [[#Ref019|[19]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 64-bit datapath, P & Q permutation shared || UMC 0.18 µm || align="right"| 17 kGates || align="right"| 645 Mbit/s || align="right"| 246.9 MHz<br />
<br />
|-<br />
| Grøstl-256 || [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/others.html RCIS webpage] [[#Ref039|[39]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/others.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || STM 90 nm || align="right"| 34.8 kGates || align="right"| 2478 Mbit/s || align="right"| 101.6 MHz<br />
<br />
|-<br />
| Keccak || [http://keccak.noekeon.org/Keccak-main-1.2.pdf Updated spec. (v1.2)] [[#Ref008|[8]]] / [http://keccak.noekeon.org/ Submission webpage] || [[#Implementation_with_External_Memory|Using external memory]] || Small core using system memory || ST 0.13 µm || align="right"| 6.5 kGates || align="right"| 176.4 Mbit/s(*) || align="right"| 666.7 MHz<br />
|-<br />
| Keccak || [http://keccak.noekeon.org/Keccak-main-1.2.pdf Updated spec. (v1.2)] [[#Ref008|[8]]] / [http://keccak.noekeon.org/ Submission webpage] || [[#Implementation_with_External_Memory|Using external memory]] || Small core using system memory, clock freq. limited to 200 MHz || ST 0.13 µm || align="right"| 5 kGates || align="right"| 52.9 Mbit/s(**) || align="right"| 200 MHz<br />
|-<br />
| Luffa-224/256 || [http://www.cosic.esat.kuleuven.be/publications/article-1282.pdf Knežević and Verbauwhede] [[#Ref017|[17]]] / [http://homes.esat.kuleuven.be/~mknezevi/luffa/luffa_hw_code.tar.gz Author's webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || One permutation block (64 S-boxes, 4 MixWord blocks) || UMC 0.13 µm || align="right"| 18.26 kGates || align="right"| 2461 Mbit/s || align="right"| 250 MHz<br />
|-<br />
| Luffa-256 || [http://www.sdl.hitachi.co.jp/crypto/luffa/ACompactHardwareImplementationOfSHA-3CandidateLuffa_20101105.pdf Mikami et al.] [[#Ref027|[27]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || One permutation block (64 S-boxes, 4 MixWord blocks) || UMC 0.13 µm || align="right"| 10.34 kGates || align="right"| 538 Mbit/s || align="right"| 806 MHz<br />
<br />
|-<br />
| Luffa-256 || [http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=5513102&tag=1 Satoh et al.] [[#Ref038|[38]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/others.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || One permutation block (64 S-boxes, 4 MixWord blocks) || STM 90 nm || align="right"| 14.7 kGates || align="right"| 3641.1 Mbit/s || align="right"| 355.9 MHz<br />
<br />
|-<br />
| Luffa-384 || [http://www.cosic.esat.kuleuven.be/publications/article-1282.pdf Knežević and Verbauwhede] [[#Ref017|[17]]] / [http://homes.esat.kuleuven.be/~mknezevi/luffa/luffa_hw_code.tar.gz Author's webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 6 S-boxes, 1 MixWord || TSMC 90 nm || align="right"| 27.13 kGates || align="right"| 1882 Mbit/s || align="right"| 250 MHz<br />
|-<br />
| Luffa-512 || [http://www.cosic.esat.kuleuven.be/publications/article-1282.pdf Knežević and Verbauwhede] [[#Ref017|[17]]] / [http://homes.esat.kuleuven.be/~mknezevi/luffa/luffa_hw_code.tar.gz Author's webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || One permutation block (64 S-boxes, 4 MixWord blocks) || UMC 0.13 µm || align="right"| 37.35 kGates || align="right"| 1524 Mbit/s || align="right"| 250 MHz<br />
|-<br />
| Shabal || [http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=5236043 Bernet et al.] [[#Ref020|[20]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || One adder, one subtractor, one incrementer. 165 cycles per block || 0.13 µm || align="right"| 23.32 kGates || align="right"| 310 Mbit/s || align="right"| 100 MHz<br />
|-<br />
| Skein-256-256 || [http://eprint.iacr.org/2009/349.pdf Tillich et al.] [[#Ref018|[18]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 64-bit datapath || AMS 0.35 µm || align="right"| 12.89 kGates || align="right"| 19.8 Mbit/s || align="right"| 80 MHz<br />
|-<br />
| Skein-256-256 || [http://www.vlsi.uwaterloo.ca/~ahasan/hasan_report.html Namin and Hasan] [[#Ref002|[2]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || One round of Threefish iterated || STM 90 nm || align="right"| 21 kGates || align="right"| 1018.8 Mbit/s(***) || align="right"| 286.53 MHz<br />
|}<br />
<br />
(*) Estimation for 64-bit memory interface: (1024 bits/permutation) * (666.7 * 10^6 cycles/s) / (3870 cycles/permutation) = 176.41 * 10^6 bits/s<br />
<br /><br />
(**) Estimation for 64-bit memory interface: (1024 bits/permutation) * (200 * 10^6 cycles/s) / (3870 cycles/permutation) = 52.92 * 10^6 bits/s<br />
<br /><br />
(***) Estimated peak throughput for the minimal delay of compression function: 1000 * (Input Size in bits) / [(Compression Function Delay in ns) * (Number of Cycles)] = Throughput in Mbit/s<br />
<br /><br />
(****) Estimated peak throughput: Throughput for CubeHash8/1-h implementation * 16.<br />
<br />
<br /><br />
<br /><br />
<br />
== Comparative Studies ==<br />
<br />
This section summarizes the reported results of publications which examined more than one round-two candidate in a similar setup.<br />
<br />
=== Blake, BMW, Luffa, Shabal, Skein ===<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="200"| Reference !! width="120"| HDL !! width="120"| Category !! width="100"| Impl. Scope !! width="120"| Technology<br />
|- <br />
| [http://www.vlsi.uwaterloo.ca/~ahasan/hasan_report.html Namin and Hasan] [[#Ref002|[2]]] || N/A || [[#High-Speed_Implementations_(FPGA)|High-speed FPGA]] || [[#Implementation_of_Core_Functionality|Core functionality]] || Altera Stratix III<br />
|}<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="140"| Hash Function Name !! width="270"| Impl. Details !! width="90"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| BLAKE-32 || Compression function with 8 G function units and I/O registers || align="right"| 5435 ALUTs || align="right"| 2186.2 Mbit/s || align="right"| 46.97 MHz<br />
|-<br />
| Blue Midnight Wish-256 || Compression function with f0, f1, and f2 unrolled in sequence and I/O registers || align="right"| 12917 ALUTs || align="right"| 4889.6 Mbit/s || align="right"| 9.55 MHz<br />
|-<br />
| Luffa-256 || Compression function (1 cycle latency) and I/O registers || align="right"| 16552 ALUTs || align="right"| 12042.2 Mbit/s || align="right"| 47.04 MHz<br />
|-<br />
| Shabal-256 || Compression function with I/O registers (latency of 16 clock cycles) || align="right"| 1440 ALUTs || align="right"| 3125.6 Mbit/s || align="right"| 195.35 MHz<br />
|-<br />
| Skein-256-256 || All 72 Threefish rounds unrolled (device too small) || align="right"| N/A || align="right"| N/A || align="right"| N/A<br />
|}<br />
<br />
<br />
----<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="200"| Reference !! width="120"| HDL !! width="120"| Category !! width="100"| Impl. Scope !! width="120"| Technology<br />
|- <br />
| [http://www.vlsi.uwaterloo.ca/~ahasan/hasan_report.html Namin and Hasan] [[#Ref002|[2]]] || N/A || [[#High-Speed_Implementations_(ASIC)|High-speed ASIC]] || [[#Implementation_of_Core_Functionality|Core functionality]] || STM 90 nm<br />
|}<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="140"| Hash Function Name !! width="270"| Impl. Details !! width="90"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| BLAKE-32 || Compression function with 8 G function units and I/O registers || align="right"| 53 kGates || align="right"| 4475 Mbit/s(*) || align="right"| 96.15 MHz<br />
|-<br />
| Blue Midnight Wish-256 || Compression function with f0, f1, and f2 unrolled in sequence and I/O registers || align="right"| 164 kGates || align="right"| 26665 Mbit/s(*) || align="right"| 52.08 MHz<br />
|-<br />
| Luffa-256 || Compression function (1 cycle latency) and I/O registers || align="right"| 122 kGates || align="right"| 25702 Mbit/s(*) || align="right"| 100.4 MHz<br />
|-<br />
| Shabal-256 || Compression function with I/O registers (latency of 16 clock cycles) || align="right"| 20 kGates || align="right"| 4408 Mbit/s(*) || align="right"| 413.22 MHz<br />
|-<br />
| Skein-256-256 || All 72 Threefish rounds unrolled || align="right"| 369 kGates || align="right"| 3126 Mbit/s(*) || align="right"| 12.21 MHz<br />
|}<br />
<br />
(*) Estimated peak throughput for the minimal delay of compression function: 1000 * (Input Size in bits) / [(Compression Function Delay in ns) * (Number of Cycles)] = Throughput in Mbit/s.<br />
<br />
<br /><br />
<br /><br />
<br />
=== Blake, CubeHash, ECHO, Grøstl, Hamsi, Luffa, Shabal, Skein ===<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="200"| Reference !! width="120"| HDL !! width="120"| Category !! width="100"| Impl. Scope !! width="120"| Technology<br />
|- <br />
| [http://eprint.iacr.org/2010/010.pdf Kobayashi et al.] [[#Ref003|[3]]] || [http://www.rcis.aist.go.jp/special/SASEBO/SHA3-en.html RCIS webpage] || [[#High-Speed_Implementations_(FPGA)|High-speed FPGA]] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Xilinx Virtex 5<br />
|}<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="140"| Hash Function Name !! width="270"| Impl. Details !! width="90"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| BLAKE-32 || || align="right"| 1660 slices || align="right"| 2676 Mbit/s || align="right"| 115 MHz<br />
|-<br />
| CubeHash16/32-256 || || align="right"| 590 slices || align="right"| 2960 Mbit/s || align="right"| 185 MHz<br />
|-<br />
| ECHO-256 || || align="right"| 3556 slices || align="right"| 1614 Mbit/s || align="right"| 104 MHz<br />
|-<br />
| Grøstl-256 || || align="right"| 4057 slices || align="right"| 5171 Mbit/s || align="right"| 101 MHz<br />
|-<br />
| Hamsi-256 || || align="right"| 718 slices || align="right"| 1680 Mbit/s || align="right"| 210 MHz<br />
|-<br />
| Luffa-256 || || align="right"| 1048 slices || align="right"| 6343 Mbit/s || align="right"| 223 MHz<br />
|-<br />
| Shabal-256 || || align="right"| 1251 slices || align="right"| 1739 Mbit/s || align="right"| 214 MHz<br />
|-<br />
| Skein-256 || || align="right"| 854 slices || align="right"| 1482 Mbit/s || align="right"| 115 MHz<br />
|}<br />
<br />
<br /><br />
<br /><br />
<br />
=== CubeHash, Grøstl, Shabal ===<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="200"| Reference !! width="120"| HDL !! width="120"| Category !! width="100"| Impl. Scope !! width="120"| Technology<br />
|- <br />
| [http://eprint.iacr.org/2009/342.pdf Baldwin et al.] [[#Ref004|[4]]] || N/A || [[#High-Speed_Implementations_(FPGA)|High-speed FPGA]] || [[#Implementation_of_Core_Functionality|Core functionality]] || Xilinx Spartan 3<br />
|}<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="140"| Hash Function Name !! width="270"| Impl. Details !! width="90"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| CubeHash8/1-256(*) || 2 compression functions unrolled || align="right"| 3268 slices || align="right"| 70 Mbit/s || align="right"| 37.9 MHz<br />
|-<br />
| Grøstl-224/256 || P & Q permutation in parallel, S-box in BRAM || align="right"| 4827 slices || align="right"| 3660 Mbit/s || align="right"| 71.53 MHz<br />
|-<br />
| Grøstl-384/512 || P & Q permutation parallel, S-box in LUTs || align="right"| 17452 slices || align="right"| 3180 Mbit/s || align="right"| 79.61 MHz<br />
|-<br />
| Shabal || 36 adders in permutation || align="right"| 2223 slices || align="right"| 740 Mbit/s || align="right"| 71.48 MHz<br />
|}<br />
<br />
(*) CubeHash16/32-h implemented in a similar fashion can be expected to have throughput increased by a factor of about 16.<br />
<br />
<br />
----<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="200"| Reference !! width="120"| HDL !! width="120"| Category !! width="100"| Impl. Scope !! width="120"| Technology<br />
|- <br />
| [http://eprint.iacr.org/2009/342.pdf Baldwin et al.] [[#Ref004|[4]]] || N/A || [[#High-Speed_Implementations_(FPGA)|High-speed FPGA]] || [[#Implementation_of_Core_Functionality|Core functionality]] || Xilinx Virtex 5<br />
|}<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="140"| Hash Function Name !! width="270"| Impl. Details !! width="90"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| CubeHash8/1-256(*) || 1 iterated compression function || align="right"| 1178 slices || align="right"| 160 Mbit/s || align="right"| 166.8 MHz<br />
|-<br />
| Grøstl-224/256 || P & Q permutation in parallel, S-box in BRAM || align="right"| 4516 slices || align="right"| 7310 Mbit/s || align="right"| 142.87 MHz<br />
|-<br />
| Grøstl-384/512 || P & Q permutation parallel, S-box in LUTs || align="right"| 19161 slices || align="right"| 6090 Mbit/s || align="right"| 83.33 MHz<br />
|-<br />
| Shabal || 36 adders in permutation || align="right"| 2768 slices || align="right"| 1450 Mbit/s || align="right"| 138.87 MHz<br />
|}<br />
<br />
(*) CubeHash16/32-h implemented in a similar fashion can be expected to have throughput increased by a factor of about 16.<br />
<br />
<br /><br />
<br /><br />
<br />
=== All 14 Round-Two Candidates ===<br />
<br />
Reported results are post-synthesis. An interactive graphical comparison of various area-performance tradeoffs of this study can be found [http://www.iaik.tugraz.at/content/research/vlsi/sha3hw/ here].<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="200"| Reference !! width="120"| HDL !! width="120"| Category !! width="100"| Impl. Scope !! width="120"| Technology<br />
|- <br />
| [http://eprint.iacr.org/2009/510.pdf Tillich et al.] [[#Ref014|[14]]] || [mailto:mfeldhof@iaik.tugraz.at On request] || [[#High-Speed_Implementations_(ASIC)|High-speed ASIC]] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || UMC 0.18 µm<br />
|}<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="140"| Hash Function Name !! width="270"| Impl. Details !! width="90"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| BLAKE-32 || Compression function with 4 G function units with CSAs || align="right"| 45.64 kGates || align="right"| 3971 Mbit/s || align="right"| 170.64 MHz<br />
|-<br />
| Blue Midnight Wish-256 || Compression function with f0, f1, and f2 unrolled || align="right"| 169.74 kGates || align="right"| 5358 Mbit/s || align="right"| 10.46 MHz<br />
|-<br />
| CubeHash16/32-h || Dynamically reconfigurable r and b parameters, two rounds unrolled || align="right"| 58.87 kGates || align="right"| 4665 Mbit/s || align="right"| 145.77 MHz<br />
|-<br />
| ECHO-256 || Four parallel AES rounds, 16 AES MixColumns 32-bit column multipliers || align="right"| 141.49 kGates || align="right"| 2246 Mbit/s || align="right"| 141.84 MHz<br />
|-<br />
| Fugue-256 || Four columns of SMIX transformation in parallel || align="right"| 46.26 kGates || align="right"| 4092 Mbit/s || align="right"| 255.75 MHz<br />
|-<br />
| Grøstl-256 || One shared permutation for P & Q, one pipeline stage || align="right"| 58.40 kGates || align="right"| 6290 Mbit/s || align="right"| 270.27 MHz<br />
|-<br />
| Hamsi-256 || Three instances of P/Pf function unrolled || align="right"| 58.66 kGates || align="right"| 5565 Mbit/s || align="right"| 173.91 MHz<br />
|-<br />
| JH-256 || 320 S-boxes, one round of R<sub>8</sub> per cycle || align="right"| 58.83 kGates || align="right"| 4991 Mbit/s || align="right"| 380.22 MHz<br />
|-<br />
| Keccak(-256) || One instance of Keccak-f round || align="right"| 56.32 kGates || align="right"| 21229 Mbit/s || align="right"| 487.80 MHz<br />
|-<br />
| Luffa-224/256 || Three permutation blocks in parallel (64 S-boxes, 4 MixWord blocks each) || align="right"| 44.97 kGates || align="right"| 13741 Mbit/s || align="right"| 483.09 MHz<br />
|-<br />
| Shabal-256 || One word rotation per cycle, 50 cycles per block || align="right"| 54.19 kGates || align="right"| 3282 Mbit/s || align="right"| 320.51 MHz<br />
|-<br />
| SHAvite-3<sub>256</sub> || Four AES rounds (two for compression, two for message expansion) || align="right"| 57.39 kGates || align="right"| 3152 Mbit/s || align="right"| 227.79 MHz<br />
|-<br />
| SIMD-256(*) || Two FFT-64 with two FFT-8 and 16 multipliers (8x8 bit) each || align="right"| 104.17 kGates || align="right"| 924 Mbit/s || align="right"| 64.93 MHz<br />
|-<br />
| Skein-256-256 || 8 Threefish rounds unrolled || align="right"| 58.61 kGates || align="right"| 1882 Mbit/s || align="right"| 73.52 MHz<br />
|-<br />
| Skein-512-512 || 8 Threefish rounds unrolled || align="right"| 102.04 kGates || align="right"| 2502 Mbit/s || align="right"| 48.87 MHz<br />
|}<br />
<br />
(*) Implementation of round-one variant.<br />
<br />
<br /><br />
<br /><br />
<br />
=== BLAKE, Grøstl, Skein ===<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="200"| Reference !! width="120"| HDL !! width="120"| Category !! width="100"| Impl. Scope !! width="120"| Technology<br />
|- <br />
| [http://eprint.iacr.org/2009/349.pdf Tillich et al.] [[#Ref018|[18]]] || N/A || [[#Low-Area_Implementations_(ASIC)|Low-area ASIC]] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || AMS 0.35 µm<br />
|}<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="140"| Hash Function Name !! width="270"| Impl. Details !! width="90"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| BLAKE-32 || One G function in 11 cycles || align="right"| 25.57 kGates || align="right"| 15.4 Mbit/s || align="right"| 31.25 MHz<br />
|-<br />
| Grøstl-224/256 || 64-bit datapath, P & Q permutation shared || align="right"| 14.62 kGates || align="right"| 145.9 Mbit/s || align="right"| 55.87 MHz<br />
|-<br />
| Skein-256-256 || 64-bit datapath || align="right"| 12.89 kGates || align="right"| 19.8 Mbit/s || align="right"| 80 MHz<br />
|}<br />
<br />
<br />
=== ECHO, Hamsi, Luffa ===<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="200"| Reference !! width="120"| HDL !! width="120"| Category !! width="100"| Impl. Scope !! width="120"| Technology<br />
|- <br />
| [http://ehash.iaik.tugraz.at/uploads/1/12/Ramakers_Narinx2010ECHO-Hamsi-Luffa_ExtendedAbstract_ENGLISH.pdf Ramakers and Narinx] [[#Ref025|[25]]] || [http://ehash.iaik.tugraz.at/uploads/2/27/Ramakers_Narinx2010ECHO-Hamsi-Luffa_VHDL_sources.zip Hosted by SHA-3 zoo] || [[#High-Speed_Implementations_(FPGA)|High-speed FPGA]] || [[#Implementation_of_Core_Functionality|Core functionality]] || Xilinx Virtex 5<br />
|}<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="140"| Hash Function Name !! width="270"| Impl. Details !! width="90"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| ECHO-256 || Straight-forward instantiation of complete compression function || align="right"| 15006 slices || align="right"| 23860 Mbit/s || align="right"| 139 MHz<br />
|-<br />
| ECHO-256 || Optimized: 4 x 2 AES round instances with pipeline register in BigSubWords || align="right"| 12061 slices || align="right"| 3560 Mbit/s || align="right"| 187 MHz<br />
|-<br />
| Hamsi-256 || Straight-forward instantiation of complete compression function || align="right"| 4664 slices || align="right"| 6620 Mbit/s || align="right"| 207 MHz<br />
|-<br />
| Hamsi-256 || Non-linear permutation block reused || align="right"| 2113 slices || align="right"| 1970 Mbit/s || align="right"| 308 MHz<br />
|-<br />
| Luffa-256 || Straight-forward instantiation of complete compression function || align="right"| 9611 slices || align="right"| 12290 Mbit/s || align="right"| 48.2 MHz<br />
|-<br />
| Luffa-256 || One step block reused for 8 rounds || align="right"| 2303 slices || align="right"| 5090 Mbit/s || align="right"| 179 MHz<br />
|}<br />
<br />
<br />
=== All 14 Round-Two Candidates ===<br />
<br />
Reported results of this study are post-P&amp;R performances of designs targeting high throughput.<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="200"| Reference !! width="120"| HDL !! width="120"| Category !! width="100"| Impl. Scope !! width="120"| Technology<br />
|- <br />
| [http://www.springerlink.com/content/g0115v3272156r06/ Henzen et al.] [[#Ref029|[29]]] || [http://www.iis.ee.ethz.ch/~sha3/ ETH webpage] || [[#High-Speed_Implementations_(ASIC)|High-speed ASIC]] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || UMC 90 nm<br />
|}<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="140"| Hash Function Name !! width="270"| Impl. Details !! width="90"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| BLAKE-32 || Four parallel G functions modules || align="right"| 47.5 kGates || align="right"| 9752 Mbit/s || align="right"| 400 MHz<br />
|-<br />
| Blue Midnight Wish-256 || single-cycle f0 and f2, f1 iteratively || align="right"| 150 kGates || align="right"| 8486 Mbit/s || align="right"| 298 MHz<br />
|-<br />
| CubeHash16/32-256 || One round per cycle, IV fixed || align="right"| 42.5 kGates || align="right"| 10667 Mbit/s || align="right"| 667 MHz<br />
|-<br />
| ECHO-256 || 8 AES rounds per cycle || align="right"| 260 kGates || align="right"| 13966 Mbit/s || align="right"| 291 MHz<br />
|-<br />
| Fugue-256 || S-box as LUT || align="right"| 55 kGates || align="right"| 8815 Mbit/s || align="right"| 551 MHz<br />
|-<br />
| Grøstl-256 || P and Q permutation interleaved with one pipeline stage, S-box as LUT || align="right"| 135 kGates || align="right"| 16254 Mbit/s || align="right"| 667 MHz<br />
|-<br />
| Hamsi-256 || Message expansions in LUTs, one round per cycle || align="right"| 45 kGates || align="right"| 8686 Mbit/s || align="right"| 814 MHz<br />
|-<br />
| JH-256 || S-boxes as LUTs, stored constants || align="right"| 80 kGates || align="right"| 10807 Mbit/s || align="right"| 760 MHz<br />
|-<br />
| Keccak(-256) || One round per cycle || align="right"| 50 kGates || align="right"| 43011 Mbit/s || align="right"| 949 MHz<br />
|-<br />
| Luffa-256 || Three parallel step modules, SubCrumb as logic || align="right"| 55 kGates || align="right"| 23256 Mbit/s || align="right"| 727 MHz<br />
|-<br />
| Shabal-256 || 30 adders, 16 subtractors || align="right"| 45 kGates || align="right"| 6819 Mbit/s || align="right"| 693 MHz<br />
|-<br />
| SHAvite-3<sub>256</sub> || One AES round each for message expansion and F<sup>3</sup> round || align="right"| 75 kGates || align="right"| 7999 Mbit/s || align="right"| 562 MHz<br />
|-<br />
| SIMD-256 || Four parallel Feistel modules, message expansion based on NNT<sub>8</sub> and eight multipliers || align="right"| 135 kGates || align="right"| 5177 Mbit/s || align="right"| 364 MHz<br />
|-<br />
| Skein-256-256 || Four unrolled Threefish rounds || align="right"| 50 kGates || align="right"| 3558 Mbit/s || align="right"| 264 MHz<br />
|}<br />
<br />
<br /><br />
<br /><br />
<br />
<br />
=== All 14 Round-Two Candidates ===<br />
<br />
Designs optimized towards throughput to area ratio. The cited results are those for the Xilinx Virtex 5 and Altera Stratix III platforms (both for the 256-bit and the 512-bit version of the candidates). For a full listing of all ATHENa results refer to the [http://cryptography.gmu.edu/athena/ ATHENa webpage].<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="200"| Reference !! width="120"| HDL !! width="120"| Category !! width="100"| Impl. Scope !! width="120"| Technology<br />
|- <br />
| [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] || N/A || [[#High-Speed_Implementations_(FPGA)|High-speed FPGA]] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Xilinx Virtex 5<br />
|}<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="140"| Hash Function Name !! width="270"| Impl. Details !! width="90"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
<br />
|-<br />
| BLAKE-32 || 4 G function units per iteration || align="right"| 1871 slices || align="right"| 2854 Mbit/s || align="right"| 117.1 MHz<br />
|-<br />
| BLAKE-64 || 4 G function units per iteration || align="right"| 3276 slices || align="right"| 3743 Mbit/s || align="right"| 106.0 MHz<br />
|-<br />
| Blue Midnight Wish-256 || Fully unrolled || align="right"| 4400 slices || align="right"| 5577 Mbit/s || align="right"| 10.9 MHz<br />
|-<br />
| Blue Midnight Wish-512 || Fully unrolled || align="right"| 10401 slices || align="right"| 8656 Mbit/s || align="right"| 8.5 MHz<br />
|-<br />
| CubeHash16/32-256 || || align="right"| 707 slices || align="right"| 3445 Mbit/s || align="right"| 215.3 MHz<br />
|-<br />
| CubeHash16/32-512 || || align="right"| 764 slices || align="right"| 3509 Mbit/s || align="right"| 219.3 MHz<br />
|-<br />
| ECHO-256 || 3 clk cycles per round || align="right"| 5445 slices || align="right"| 13874 Mbit/s || align="right"| 234.9 MHz<br />
|-<br />
| ECHO-512 || 3 clk cycles per round || align="right"| 5958 slices || align="right"| 6431 Mbit/s || align="right"| 201.0 MHz<br />
|-<br />
| Fugue-256 || 2 clk cycles per round || align="right"| 729 slices || align="right"| 3512 Mbit/s || align="right"| 219.5 MHz<br />
|-<br />
| Fugue-512 || 4 clk cycles per round || align="right"| 955 slices || align="right"| 1862 Mbit/s || align="right"| 232.7 MHz<br />
|-<br />
| Grøstl-256 || P & Q permutations interleaved || align="right"| 1716 slices || align="right"| 8546 Mbit/s || align="right"| 350.5 MHz<br />
|-<br />
| Grøstl-512 || P & Q permutations interleaved || align="right"| 3155 slices || align="right"| 11498 Mbit/s || align="right"| 325.6 MHz<br />
|-<br />
| Hamsi-256 || || align="right"| 946 slices || align="right"| 2646 Mbit/s || align="right"| 248.1 MHz<br />
|-<br />
| Hamsi-512 || || align="right"| 2201 slices || align="right"| 1828 Mbit/s || align="right"| 171.4 MHz<br />
|-<br />
| JH-256 || || align="right"| 1108 slices || align="right"| 3955 Mbit/s || align="right"| 278.1 MHz<br />
|-<br />
| JH-512 || || align="right"| 1165 slices || align="right"| 3918 Mbit/s || align="right"| 275.5 MHz<br />
|-<br />
| Keccak(-256) || || align="right"| 1229 slices || align="right"| 10807 Mbit/s || align="right"| 238.4 MHz<br />
|-<br />
| Keccak(-512) || || align="right"| 1236 slices || align="right"| 6645 Mbit/s || align="right"| 276.9 MHz<br />
|-<br />
| Luffa-256 || || align="right"| 1154 slices || align="right"| 8008 Mbit/s || align="right"| 281.5 MHz<br />
|-<br />
| Luffa-512 || || align="right"| 2164 slices || align="right"| 7044 Mbit/s || align="right"| 220.1 MHz<br />
|-<br />
| Shabal-256 || 2 rounds unrolled || align="right"| 1266 slices || align="right"| 2624 Mbit/s || align="right"| 128.1 MHz<br />
|-<br />
| Shabal-512 || 2 rounds unrolled || align="right"| 1372 slices || align="right"| 2771 Mbit/s || align="right"| 135.3 MHz<br />
|-<br />
| SHAvite-3<sub>256</sub> || 3 clk cycles per round || align="right"| 1130 slices || align="right"| 2886 Mbit/s || align="right"| 208.6 MHz<br />
|-<br />
| SHAvite-3<sub>512</sub> || 4 clk cycles per round || align="right"| 1954 slices || align="right"| 3835 Mbit/s || align="right"| 213.4 MHz<br />
|-<br />
| SIMD-256 || 4 SIMD steps unrolled || align="right"| 9288 slices || align="right"| 2326 Mbit/s || align="right"| 40.9 MHz<br />
|-<br />
| SIMD-512 || 4 SIMD steps unrolled || align="right"| 17016 slices || align="right"| 4139 Mbit/s || align="right"| 36.4 MHz<br />
|-<br />
| Skein-512-256 || 4 Threefish rounds unrolled || align="right"| 1463 slices || align="right"| 2812 Mbit/s || align="right"| 104.3 MHz<br />
|-<br />
| Skein-512-512 || 4 Threefish rounds unrolled || align="right"| 1520 slices || align="right"| 2812 Mbit/s || align="right"| 104.3 MHz<br />
<br />
|}<br />
<br />
<br />
----<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="200"| Reference !! width="120"| HDL !! width="120"| Category !! width="100"| Impl. Scope !! width="120"| Technology<br />
|- <br />
| [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] || N/A || [[#High-Speed_Implementations_(FPGA)|High-speed FPGA]] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Altera Stratix III<br />
|}<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="140"| Hash Function Name !! width="270"| Impl. Details !! width="90"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
<br />
|-<br />
| BLAKE-32 || 4 G function units per iteration || align="right"| 1779 ALUTs || align="right"| 3037 Mbit/s || align="right"| 124.6 MHz<br />
|-<br />
| BLAKE-64 || 4 G function units per iteration || align="right"| 3414 ALUTs || align="right"| 3298 Mbit/s || align="right"| 93.4 MHz<br />
|-<br />
| Blue Midnight Wish-256 || Fully unrolled || align="right"| 12632 ALUTs || align="right"| 8422 Mbit/s || align="right"| 16.5 MHz<br />
|-<br />
| Blue Midnight Wish-512 || Fully unrolled || align="right"| 25225 ALUTs || align="right"| 7619 Mbit/s || align="right"| 7.4 MHz<br />
|-<br />
| CubeHash16/32-256 || || align="right"| 1928 ALUTs || align="right"| 3777 Mbit/s || align="right"| 236.1 MHz<br />
|-<br />
| CubeHash16/32-512 || || align="right"| 1924 ALUTs || align="right"| 3489 Mbit/s || align="right"| 218.1 MHz<br />
|-<br />
| ECHO-256 || 3 clk cycles per round || align="right"| 21689 ALUTs || align="right"| 9700 Mbit/s || align="right"| 164.2 MHz<br />
|-<br />
| ECHO-512 || 3 clk cycles per round || align="right"| 20085 ALUTs || align="right"| 7872 Mbit/s || align="right"| 246.0 MHz<br />
|-<br />
| Fugue-256 || 2 clk cycles per round || align="right"| 2352 ALUTs || align="right"| 3765 Mbit/s || align="right"| 235.3 MHz<br />
|-<br />
| Fugue-512 || 4 clk cycles per round || align="right"| 2680 ALUTs || align="right"| 1878 Mbit/s || align="right"| 234.8 MHz<br />
|-<br />
| Grøstl-256 || P & Q permutations interleaved || align="right"| 3103 ALUTs || align="right"| 6589 Mbit/s || align="right"| 270.3 MHz<br />
|-<br />
| Grøstl-512 || P & Q permutations interleaved || align="right"| 6288 ALUTs || align="right"| 8841 Mbit/s || align="right"| 250.4 MHz<br />
|-<br />
| Hamsi-256 || || align="right"| 2320 ALUTs || align="right"| 3145 Mbit/s || align="right"| 294.8 MHz<br />
|-<br />
| Hamsi-512 || || align="right"| 5668 ALUTs || align="right"| 1932 Mbit/s || align="right"| 181.2 MHz<br />
|-<br />
| JH-256 || || align="right"| 3107 ALUTs || align="right"| 5191 Mbit/s || align="right"| 365.0 MHz<br />
|-<br />
| JH-512 || || align="right"| 3222 ALUTs || align="right"| 5105 Mbit/s || align="right"| 358.9 MHz<br />
|-<br />
| Keccak(-256) || || align="right"| 4458 ALUTs || align="right"| 13432 Mbit/s || align="right"| 296.3 MHz<br />
|-<br />
| Keccak(-512) || || align="right"| 3575 ALUTs || align="right"| 6471 Mbit/s || align="right"| 269.6 MHz<br />
|-<br />
| Luffa-256 || || align="right"| 3304 ALUTs || align="right"| 8741 Mbit/s || align="right"| 307.3 MHz<br />
|-<br />
| Luffa-512 || || align="right"| 6888 ALUTs || align="right"| 8577 Mbit/s || align="right"| 268.0 MHz<br />
|-<br />
| Shabal-256 || 2 rounds unrolled || align="right"| 3600 ALUTs || align="right"| 2598 Mbit/s || align="right"| 126.9 MHz<br />
|-<br />
| Shabal-512 || 2 rounds unrolled || align="right"| 3753 ALUTs || align="right"| 2589 Mbit/s || align="right"| 126.4 MHz<br />
|-<br />
| SHAvite-3<sub>256</sub> || 3 clk cycles per round || align="right"| 2497 ALUTs || align="right"| 3529 Mbit/s || align="right"| 255.0 MHz<br />
|-<br />
| SHAvite-3<sub>512</sub> || 4 clk cycles per round || align="right"| 5610 ALUTs || align="right"| 3869 Mbit/s || align="right"| 215.4 MHz<br />
|-<br />
| SIMD-256 || 4 SIMD steps unrolled || align="right"| 22376 ALUTs || align="right"| 2697 Mbit/s || align="right"| 47.4 MHz<br />
|-<br />
| SIMD-512 || 4 SIMD steps unrolled || align="right"| 47671 ALUTs || align="right"| 4936 Mbit/s || align="right"| 43.4 MHz<br />
|-<br />
| Skein-512-256 || 4 Threefish rounds unrolled || align="right"| 4499 ALUTs || align="right"| 2482 Mbit/s || align="right"| 92.1 MHz<br />
|-<br />
| Skein-512-512 || 4 Threefish rounds unrolled || align="right"| 4563 ALUTs || align="right"| 2482 Mbit/s || align="right"| 92.1 MHz<br />
<br />
|}<br />
<br />
<br /><br />
<br /><br />
<br />
=== All 14 Round-Two Candidates ===<br />
<br />
Results are without wrapper for long messages.<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="200"| Reference !! width="120"| HDL !! width="120"| Category !! width="100"| Impl. Scope !! width="120"| Technology<br />
|- <br />
| [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] || [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#High-Speed_Implementations_(FPGA)|High-speed FPGA]] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Xilinx Virtex 5<br />
|}<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="140"| Hash Function Name !! width="270"| Impl. Details !! width="90"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| BLAKE-32 || || align="right"| 1118 slices || align="right"| 1169 Mbit/s || align="right"| 118.06 MHz<br />
|-<br />
| BLAKE-64 || || align="right"| 1718 slices || align="right"| 1299 Mbit/s || align="right"| 90.91 MHz<br />
|-<br />
| Blue Midnight Wish-256 || || align="right"| 4997 slices || align="right"| 457 Mbit/s || align="right"| 14.02 MHz<br />
|-<br />
| Blue Midnight Wish-512 || || align="right"| 9810 slices || align="right"| 287 Mbit/s || align="right"| 10 MHz<br />
|-<br />
| CubeHash8/32 || || align="right"| 695 slices || align="right"| 2509 Mbit/s || align="right"| 166.83 MHz<br />
|-<br />
| ECHO-256 || || align="right"| 7372 slices || align="right"| 5373 Mbit/s || align="right"| 198.93 MHz<br />
|-<br />
| ECHO-512 || || align="right"| 8633 slices || align="right"| 18133 Mbit/s || align="right"| 166.69 MHz<br />
|-<br />
| Fugue-256 || || align="right"| 1689 slices || align="right"| 914 Mbit/s || align="right"| 200.04 MHz<br />
|-<br />
| Fugue-384 || || align="right"| 2380 slices || align="right"| 640 Mbit/s || align="right"| 200.08 MHz<br />
|-<br />
| Fugue-512 || || align="right"| 2596 slices || align="right"| 481 Mbit/s || align="right"| 200.16 MHz<br />
|-<br />
| Grøstl-256 || || align="right"| 2391 slices || align="right"| 3242 Mbit/s || align="right"| 101.32 MHz<br />
|-<br />
| Grøstl-512 || || align="right"| 4845 slices || align="right"| 3619 Mbit/s || align="right"| 123.4 MHz<br />
|-<br />
| Hamsi-256 || || align="right"| 1518 slices || align="right"| 358 Mbit/s || align="right"| 72.41 MHz<br />
|-<br />
| Hamsi-512 || || align="right"| 6229 slices || align="right"| 79 Mbit/s || align="right"| 16.51 MHz<br />
|-<br />
| JH || || align="right"| 1291 slices || align="right"| 1941 Mbit/s || align="right"| 250.13 MHz<br />
|-<br />
| Keccak(-224) || || align="right"| 1117 slices || align="right"| 5915 Mbit/s || align="right"| 189 MHz<br />
|-<br />
| Keccak(-256) || || align="right"| 1117 slices || align="right"| 6263 Mbit/s || align="right"| 189 MHz<br />
|-<br />
| Keccak(-384) || || align="right"| 1117 slices || align="right"| 8190 Mbit/s || align="right"| 189 MHz<br />
|-<br />
| Keccak(-512) || || align="right"| 1117 slices || align="right"| 8518 Mbit/s || align="right"| 189 MHz<br />
|-<br />
| Luffa-256 || || align="right"| 2221 slices || align="right"| 5333 Mbit/s || align="right"| 166.67 MHz<br />
|-<br />
| Luffa-384 || || align="right"| 3740 slices || align="right"| 5336 Mbit/s || align="right"| 166.75 MHz<br />
|-<br />
| Luffa-512 || || align="right"| 3700 slices || align="right"| 5336 Mbit/s || align="right"| 166.75 MHz<br />
|-<br />
| Shabal || || align="right"| 1583 slices || align="right"| 1469 Mbit/s || align="right"| 148.04 MHz<br />
|-<br />
| SHAvite-3<sub>256</sub> || || align="right"| 3125 slices || align="right"| 1170 Mbit/s || align="right"| 109.17 MHz<br />
|-<br />
| SHAvite-3<sub>512</sub> || || align="right"| 9775 slices || align="right"| 931 Mbit/s || align="right"| 59.4 MHz<br />
|-<br />
| SIMD-256 || || align="right"| 22704 slices || align="right"| 1338 Mbit/s || align="right"| 107.2 MHz<br />
|-<br />
| SIMD-512 || || align="right"| 43729 slices || align="right"| 2677 Mbit/s || align="right"| 107.2 MHz<br />
|-<br />
| Skein-512 || || align="right"| 1786 slices || align="right"| 1945 Mbit/s || align="right"| 83.65 MHz<br />
|}<br />
<br />
<br /><br />
<br /><br />
<br />
<br />
=== All 14 Round-Two Candidates ===<br />
<br />
Results include throughputs without interface overhead.<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="200"| Reference !! width="120"| HDL !! width="120"| Category !! width="100"| Impl. Scope !! width="120"| Technology<br />
|- <br />
| [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/MATSUO_SHA-3_Criteria_Hardware_revised.pdf Matsuo et al.] [[#Ref033|[33]]] || [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] || [[#High-Speed_Implementations_(FPGA)|High-speed FPGA]] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Xilinx Virtex 5<br />
|}<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="140"| Hash Function Name !! width="270"| Impl. Details !! width="90"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| BLAKE-32 || || align="right"| 1660 slices || align="right"| 2676 Mbit/s || align="right"| 115 MHz<br />
|-<br />
| Blue Midnight Wish-256 || || align="right"| 4350 slices || align="right"| 8704 Mbit/s || align="right"| 34 MHz<br />
|-<br />
| CubeHash16/32-256 || || align="right"| 590 slices || align="right"| 2960 Mbit/s || align="right"| 185 MHz<br />
|-<br />
| ECHO-256 || || align="right"| 2827 slices || align="right"| 2312 Mbit/s || align="right"| 149 MHz<br />
|-<br />
| Fugue-256 || || align="right"| 4013 slices || align="right"| 1248 Mbit/s || align="right"| 78 MHz<br />
|-<br />
| Grøstl-256 || || align="right"| 2616 slices || align="right"| 7885 Mbit/s || align="right"| 154 MHz<br />
|-<br />
| Hamsi-256 || || align="right"| 718 slices || align="right"| 1680 Mbit/s || align="right"| 210 MHz<br />
|-<br />
| JH-256 || || align="right"| 2661 slices || align="right"| 2639 Mbit/s || align="right"| 201 MHz<br />
|-<br />
| Keccak(-256) || || align="right"| 1433 slices || align="right"| 8397 Mbit/s || align="right"| 205 MHz<br />
|-<br />
| Luffa-256 || || align="right"| 1048 slices || align="right"| 7424 Mbit/s || align="right"| 261 MHz<br />
|-<br />
| Shabal-256 || || align="right"| 1251 slices || align="right"| 2335 Mbit/s || align="right"| 228 MHz<br />
|-<br />
| SHAvite-3<sub>256</sub> || || align="right"| 1063 slices || align="right"| 3382 Mbit/s || align="right"| 251 MHz<br />
|-<br />
| SIMD-256 || || align="right"| 3987 slices || align="right"| 835 Mbit/s || align="right"| 75 MHz<br />
|-<br />
| Skein-256-256 || || align="right"| 854 slices || align="right"| 1402 Mbit/s || align="right"| 115 MHz<br />
|}<br />
<br />
<br />
----<br />
<br />
<br />
Same implementations as in [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/MATSUO_SHA-3_Criteria_Hardware_revised.pdf Matsuo et al.] [[#Ref033|[33]]] implemented on STM 90 nm technology.<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="200"| Reference !! width="120"| HDL !! width="120"| Category !! width="100"| Impl. Scope !! width="120"| Technology<br />
|- <br />
| [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] [[#Ref037|[37]]] || [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] || [[#High-Speed_Implementations_(ASIC)|High-speed ASIC]] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || STM 90 nm<br />
|}<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="140"| Hash Function Name !! width="270"| Impl. Details !! width="90"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| BLAKE-32 || || align="right"| 37 kGates || align="right"| 6668 Mbit/s || align="right"| 286.5 MHz<br />
|-<br />
| Blue Midnight Wish-256 || || align="right"| 128.7 kGates || align="right"| 25937 Mbit/s || align="right"| 101.3 MHz<br />
|-<br />
| CubeHash16/32-256 || || align="right"| 35.5 kGates || align="right"| 8247 Mbit/s || align="right"| 515.5 MHz<br />
|-<br />
| ECHO-256 || || align="right"| 101.1 kGates || align="right"| 5621 Mbit/s || align="right"| 362.3 MHz<br />
|-<br />
| Fugue-256 || || align="right"| 56.7 kGates || align="right"| 2721 Mbit/s || align="right"| 170.1 MHz<br />
|-<br />
| Grøstl-256 || || align="right"| 139.1 kGates || align="right"| 17297 Mbit/s || align="right"| 337.8 MHz<br />
|-<br />
| Hamsi-256 || || align="right"| 67.6 kGates || align="right"| 7767 Mbit/s || align="right"| 970.9 MHz<br />
|-<br />
| JH-256 || || align="right"| 54.6 kGates || align="right"| 10022 Mbit/s || align="right"| 763.4 MHz<br />
|-<br />
| Keccak(-256) || || align="right"| 50.7 kGates || align="right"| 33333 Mbit/s || align="right"| 781.3 MHz<br />
|-<br />
| Luffa-256 || || align="right"| 39.6 kGates || align="right"| 28732 Mbit/s || align="right"| 1010.1 MHz<br />
|-<br />
| Shabal-256 || || align="right"| 34.6 kGates || align="right"| 6059 Mbit/s || align="right"| 591.7 MHz<br />
|-<br />
| SHAvite-3<sub>256</sub> || || align="right"| 59.4 kGates || align="right"| 8421 Mbit/s || align="right"| 625 MHz<br />
|-<br />
| SIMD-256 || || align="right"| 139 kGates || align="right"| 3171 Mbit/s || align="right"| 284.9 MHz<br />
|-<br />
| Skein-256-256 || || align="right"| 43.1 kGates || align="right"| 3295 Mbit/s || align="right"| 270.3 MHz<br />
|}<br />
<br />
<br /><br />
<br /><br />
<br />
=== Blue Midnight Wish, Keccak, Luffa ===<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="200"| Reference !! width="120"| HDL !! width="120"| Category !! width="100"| Impl. Scope !! width="120"| Technology<br />
|- <br />
| [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SAVAS_SHA3_NIST_final.pdf Akin et al.] [[#Ref034|[34]]] || N/A || [[#High-Speed_Implementations_(FPGA)|High-speed FPGA]] || [[#Implementation_of_Core_Functionality|Core functionality]] || Xilinx Spartan 3<br />
|}<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="140"| Hash Function Name !! width="270"| Impl. Details !! width="90"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| Blue Midnight Wish || Compression function with f0, f1, and f2 unrolled in sequence || align="right"| 10531 slices || align="right"| 2110 Mbit/s || align="right"| 4.22 MHz<br />
|-<br />
| Keccak || One Keccak-f round per cycle || align="right"| 2024 slices || align="right"| 3460 Mbit/s || align="right"| 81.4 MHz<br />
|-<br />
| Luffa || Three step modules || align="right"| 2956 slices || align="right"| 1480 Mbit/s || align="right"| 157.3 MHz<br />
|}<br />
<br />
<br />
----<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="200"| Reference !! width="120"| HDL !! width="120"| Category !! width="100"| Impl. Scope !! width="120"| Technology<br />
|- <br />
| [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SAVAS_SHA3_NIST_final.pdf Akin et al.] [[#Ref034|[34]]] || N/A || [[#High-Speed_Implementations_(FPGA)|High-speed FPGA]] || [[#Implementation_of_Core_Functionality|Core functionality]] || Xilinx Virtex-II<br />
|}<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="140"| Hash Function Name !! width="270"| Impl. Details !! width="90"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| Blue Midnight Wish || Compression function with f0, f1, and f2 unrolled in sequence || align="right"| 10432 slices || align="right"| 3360 Mbit/s || align="right"| 6.71 MHz<br />
|-<br />
| Keccak || One Keccak-f round per cycle || align="right"| 2024 slices || align="right"| 5810 Mbit/s || align="right"| 136.6 MHz<br />
|-<br />
| Luffa || Three step modules || align="right"|2952 slices || align="right"| 8370 Mbit/s || align="right"| 301.4 MHz<br />
|}<br />
<br />
<br />
----<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="200"| Reference !! width="120"| HDL !! width="120"| Category !! width="100"| Impl. Scope !! width="120"| Technology<br />
|- <br />
| [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SAVAS_SHA3_NIST_final.pdf Akin et al.] [[#Ref034|[34]]] || N/A || [[#High-Speed_Implementations_(FPGA)|High-speed FPGA]] || [[#Implementation_of_Core_Functionality|Core functionality]] || Xilinx Virtex 4<br />
|}<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="140"| Hash Function Name !! width="270"| Impl. Details !! width="90"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| Blue Midnight Wish || Compression function with f0, f1, and f2 unrolled in sequence || align="right"| 10486 slices || align="right"| 4510 Mbit/s || align="right"| 9.01 MHz<br />
|-<br />
| Keccak || One Keccak-f round per cycle || align="right"| 2024 slices || align="right"| 6070 Mbit/s || align="right"| 142.9 MHz<br />
|-<br />
| Luffa || Three step modules || align="right"| 2989 slices || align="right"| 8560 Mbit/s || align="right"| 308.2 MHz<br />
|}<br />
<br />
<br />
----<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="200"| Reference !! width="120"| HDL !! width="120"| Category !! width="100"| Impl. Scope !! width="120"| Technology<br />
|- <br />
| [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SAVAS_SHA3_NIST_final.pdf Akin et al.] [[#Ref034|[34]]] || N/A || [[#High-Speed_Implementations_(ASIC)|High-speed ASIC]] || [[#Implementation_of_Core_Functionality|Core functionality]] || Synopsys 90 nm<br />
|}<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="140"| Hash Function Name !! width="270"| Impl. Details !! width="90"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| Blue Midnight Wish || Compression function with f0, f1, and f2 unrolled in sequence || align="right"| 55.9 kGates || align="right"| 26320 Mbit/s || align="right"| 52.63 MHz<br />
|-<br />
| Keccak || One Keccak-f round per cycle || align="right"| 10.5 kGates || align="right"| 19320 Mbit/s || align="right"| 454.5 MHz<br />
|-<br />
| Luffa || Three step modules || align="right"| 11.5 kGates || align="right"| 21370 Mbit/s || align="right"| 769.2 MHz<br />
|}<br />
<br />
=== All 14 Round-Two Candidates ===<br />
<br />
Results are post-P&amp;R and include throughputs without interface overhead.<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="200"| Reference !! width="120"| HDL !! width="120"| Category !! width="100"| Impl. Scope !! width="120"| Technology<br />
|- <br />
| [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SCHAUMONT_SHA3.pdf Guo et al.] [[#Ref035|[35]]] || [http://rijndael.ece.vt.edu/sha3/ VT webpage] || [[#High-Speed_Implementations_(ASIC)|High-speed ASIC]] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || UMC 0.13 µm<br />
|}<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="140"| Hash Function Name !! width="270"| Impl. Details !! width="90"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| BLAKE-32 || || align="right"| 43.52 kGates || align="right"| 4645 Mbit/s || align="right"| 200 MHz<br />
|-<br />
| Blue Midnight Wish-256 || || align="right"| 198.17 kGates || align="right"| 12220 Mbit/s || align="right"| 48 MHz<br />
|-<br />
| CubeHash16/32-256 || || align="right"| 38.18 kGates || align="right"| 4624 Mbit/s || align="right"| 289 MHz<br />
|-<br />
| ECHO-256 || || align="right"| 92.73 kGates || align="right"| 3366 Mbit/s || align="right"| 217 MHz<br />
|-<br />
| Fugue-256 || || align="right"| 91.09 kGates || align="right"| 2385 Mbit/s || align="right"| 149 MHz<br />
|-<br />
| Grøstl-256 || || align="right"| 110.11 kGates || align="right"| 9606 Mbit/s || align="right"| 188 MHz<br />
|-<br />
| Hamsi-256 || || align="right"| 29.94 kGates || align="right"| 3571 Mbit/s || align="right"| 446 MHz<br />
|-<br />
| JH-256 || || align="right"| 62.42 kGates || align="right"| 5128 Mbit/s || align="right"| 391 MHz<br />
|-<br />
| Keccak(-256) || || align="right"| 47.43 kGates || align="right"| 15457 Mbit/s || align="right"| 377 MHz<br />
|-<br />
| Luffa-256 || || align="right"| 37.94 kGates || align="right"| 13943 Mbit/s || align="right"| 490 MHz<br />
|-<br />
| Shabal-256 || || align="right"| 49.44 kGates || align="right"| 2945 Mbit/s || align="right"| 362 MHz<br />
|-<br />
| SHAvite-3<sub>256</sub> || || align="right"| 55.25 kGates || align="right"| 4599 Mbit/s || align="right"| 341 MHz<br />
|-<br />
| SIMD-256 || || align="right"| 139.55 kGates || align="right"| 2157 Mbit/s || align="right"| 194 MHz<br />
|-<br />
| Skein-256-256 || || align="right"| 40.9 kGates || align="right"| 1941 Mbit/s || align="right"| 159 MHz<br />
|}<br />
<br />
<br /><br />
<br /><br />
<br />
== References ==<br />
<br />
<div id="Ref001"><br />
[1] Jean-Philippe Aumasson, Luca Henzen, Willi Meier, and Raphael C.-W. Phan. SHA-3 proposal BLAKE (version 1.3). Available online at http://131002.net/blake/blake.pdf.<br />
</div><br />
<br />
<div id="Ref002"><br />
[2] A. H. Namin and M. A. Hasan. Hardware Implementation of the Compression Function for Selected SHA-3 Candidates. Available online at http://www.vlsi.uwaterloo.ca/~ahasan/hasan_report.html.<br />
</div><br />
<br />
<div id="Ref003"><br />
[3] Kazuyuki Kobayashi, Jun Ikegami, Shin'ichiro Matsuo, Kazuo Sakiyama, and Kazuo Ohta. Evaluation of Hardware Performance for the SHA-3 Candidates Using SASEBO-GII. IACR Eprint report 2010/010. Available online at http://eprint.iacr.org/2010/010.pdf.<br />
</div><br />
<br />
<div id="Ref004"><br />
[4] Brian Baldwin, Andrew Byrne, Mark Hamilton, Neil Hanley, Robert P. McEvoy, Weibo Pan, and William P. Marnane. FPGA Implementations of SHA-3 Candidates: CubeHash, Grøstl, LANE, Shabal and Spectral Hash. IACR Eprint report 2009/342. Available online at http://eprint.iacr.org/2009/342.pdf.<br />
</div><br />
<br />
<div id="Ref005"><br />
[5] Liang Lu, Maire O'Neil, and Earl Swartzlander. Hardware Evaluation of SHA-3 Hash Function Candidate ECHO. Presentation at the Clauce Shannon Institute Workshop on Coding and Cryptography 2009. Slides available online at http://www.ucc.ie/en/crypto/CodingandCryptographyWorkshop/TheClaudeShannonWorkshoponCodingCryptography2009/DocumentFile,75649,en.pdf.<br />
</div><br />
<br />
<div id="Ref006"><br />
[6] Bernhard Jungk, Steffen Reith, and Jürgen Apfelbeck. On Optimized FPGA Implementations of the SHA-3 Candidate Grøstl. IACR Eprint report 2009/206. Available online at http://eprint.iacr.org/2009/206.pdf.<br />
</div><br />
<br />
<div id="Ref007"><br />
[7] Praveen Gauravaram, Lars R. Knudsen, Krystian Matusievicz, Florian Mendel, Christian Rechberger, Martin Schläffer, and Søren S. Thomsen. Grøstl - a SHA-3 candidate (October 31, 2008). Available online at http://www.groestl.info/Groestl.pdf.<br />
</div><br />
<br />
<div id="Ref008"><br />
[8] Guido Bertoni, Joan Daemen, Michaël Peeters, and Gilles van Assche. KECCAK sponge function family main document (Version 1.2, April 23, 2009). Available online at http://keccak.noekeon.org/Keccak-main-1.2.pdf.<br />
</div><br />
<br />
<div id="Ref009"><br />
[9] Joachim Strömbergson. Implementation of the Keccak Hash Function in FPGA Devices. Available online at http://www.strombergson.com/files/Keccak_in_FPGAs.pdf.<br />
</div><br />
<br />
<div id="Ref010"><br />
[10] Romain Feron and Julien Francq. FPGA Implementation of Shabal: Our First Results (Version 2.0, February 19, 2010). Available online at http://www.shabal.com/wp-content/uploads/2010/03/FPGA-Implementation-of-Shabal-First-ResultsV2.0.pdf.<br />
</div><br />
<br />
<div id="Ref011"><br />
[11] Men Long. Implementing Skein Hash Function on Xilinx Virtex-5 FPGA Platform (Version 0.7, February 2, 2009). Available online at http://www.skein-hash.info/sites/default/files/skein_fpga.pdf.<br />
</div><br />
<br />
<div id="Ref012"><br />
[12] Stefan Tillich. Hardware Implementation of the SHA-3 Candidate Skein. IACR Eprint report 2009/159. Available online at http://eprint.iacr.org/2009/159.pdf.<br />
</div><br />
<br />
<div id="Ref013"><br />
[13] Jean-Luc Beuchat, Eiji Okamoto, and Teppei Yamazaki. Compact Implementations of BLAKE-32 and BLAKE-64 on FPGA. IACR Eprint report 2010/173. Available online at http://eprint.iacr.org/2010/173.pdf.<br />
</div><br />
<br />
<div id="Ref014"><br />
[14] Stefan Tillich, Martin Feldhofer, Mario Kirschbaum, Thomas Plos, Jörn-Marc Schmidt, and Alexander Szekely. High-Speed Hardware Implementations of BLAKE, Blue Midnight Wish, CubeHash, ECHO, Fugue, Grøstl, Hamsi, JH, Keccak, Luffa, Shabal, SHAvite-3, SIMD, and Skein. IACR Eprint report 2009/510. Available online at http://eprint.iacr.org/2009/510.pdf.<br />
</div><br />
<br />
<div id="Ref015"><br />
[15] Shai Halevi, William E. Hall, and Charanjit S. Jutla. The Hash Function Fugue (October 30, 2008). Available online at http://domino.research.ibm.com/comm/research_projects.nsf/pages/fugue.index.html/$FILE/NIST-submission-Oct08-fugue.pdf.<br />
</div><br />
<br />
<div id="Ref016"><br />
[16] Junfeng Fan. Hardware Evaluation of The Hash Function Hamsi. Available online at http://homes.esat.kuleuven.be/~okucuk/hamsi/implementations.html.<br />
</div><br />
<br />
<div id="Ref017"><br />
[17] Miroslav Knezevic and Ingrid Verbeiwhede. Hardware Evaluation of the Luffa Hash Family. 4th Workshop on Embedded Systems Security 2009. Available online at http://www.cosic.esat.kuleuven.be/publications/article-1282.pdf.<br />
</div><br />
<br />
<div id="Ref018"><br />
[18] Stefan Tillich, Martin Feldhofer, Wolfgang Issovits, Thomas Kern, Hermann Kureck, Michael Mühlberghuber, Georg Neubauer, Andreas Reiter, Armin Köfler, and Mathias Mayrhofer. Compact Hardware Implementations of the SHA-3 Candidates ARIRANG, BLAKE, Grøstl, and Skein. IACR Eprint report 2009/349. Available online at http://eprint.iacr.org/2009/349.pdf.<br />
</div><br />
<br />
<div id="Ref019"><br />
[19] Grøstl website. http://www.groestl.info/.<br />
</div><br />
<br />
<div id="Ref020"><br />
[20] Markus Bernet, Luca Henzen, Hubert Kaeslin, Norbert Felber, and Wolfgang Fichtner. Hardware Implementations of the SHA-3 Candidates Shabal and CubeHash. 52nd IEEE International Midwest Symposium on Circuits and Systems, 2009. Available online at http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=5236043.<br />
</div><br />
<br />
<div id="Ref021"><br />
[21] Michel Kinsy and Richard Uhler. SHA-3: FPGA Implementation of ESSENCE and ECHO Hash Algorithm Candidates Using Bluespec. Available online at http://csg.csail.mit.edu/6.375/6_375_2009_www/projects/group1_report.pdf.<br />
</div><br />
<br />
<div id="Ref022"><br />
[22] Bernhard Jungk and Steffen Reith. On FPGA-based implementations of Grøstl. IACR Eprint report 2010/260. Available online at http://eprint.iacr.org/2010/260.pdf.<br />
</div><br />
<br />
<div id="Ref023"><br />
[23] Jérémie Detrey, Pierre Gaudry, and Karim Khalfallah. A Low-Area yet Performant FPGA Implementation of Shabal. IACR Eprint report 2010/292. Available online at http://eprint.iacr.org/2010/292.pdf.<br />
</div><br />
<br />
<div id="Ref024"><br />
[24] Jean-Luc Beuchat, Eiji Okamoto, and Teppei Yamazaki. A Compact FPGA Implementation of the SHA-3 Candidate ECHO. IACR Eprint report 2010/364. Available online at http://eprint.iacr.org/2010/364.pdf.<br />
</div><br />
<br />
<div id="Ref025"><br />
[25] Wim Ramakers and Hans Narinx. Implementation and evaluation of SHA-3 candidates on FPGA. Extended abstract of Master Thesis &quot;Implementatie en Evaluatie van SHA-3-Kandidaten op FPGA&quot; (Dutch). Extended abstract available online at http://ehash.iaik.tugraz.at/uploads/1/12/Ramakers_Narinx2010ECHO-Hamsi-Luffa_ExtendedAbstract_ENGLISH.pdf. Full thesis available online at http://ehash.iaik.tugraz.at/uploads/6/62/Ramakers_Narinx2010ECHO-Hamsi-Luffa_Thesis_DUTCH.pdf.<br />
</div><br />
<br />
<div id="Ref026"><br />
[26] Julien Francq and Céline Thuillet. Unfolding Method for Shabal on Virtex-5 FPGAs: Concrete Results. IACR Eprint report 2010/406. Available online at http://eprint.iacr.org/2010/406.pdf.<br />
</div><br />
<br />
<div id="Ref027"><br />
[27] Shugo Mikami, Nagamasa Mizushima, Setsuko Nakamura, and Dai Watanabe. A Compact Hardware Implementation of SHA-3 Candidate Luffa (version 20101105). Available online at http://www.sdl.hitachi.co.jp/crypto/luffa/ACompactHardwareImplementationOfSHA-3CandidateLuffa_20101105.pdf.<br />
</div><br />
<br />
<div id="Ref028"><br />
[28] Imed Mabrouk and Ryad Benadjila. ECHO webpage (hardware subpage). http://crypto.rd.francetelecom.com/ECHO/hard/.<br />
</div><br />
<br />
<div id="Ref029"><br />
[29] Luca Henzen, Pietro Gendotti, Patrice Guillet, Enrico Pargaetzi, Martin Zoller, and Frank K. Gürkaynak. Developing a Hardware Evaluation Method for SHA-3 Candidates. 12th International Workshop on Cryptographic Hardware and Embedded Systems (CHES), 2010. Available online at http://www.springerlink.com/content/g0115v3272156r06/.<br />
</div><br />
<br />
<div id="Ref030"><br />
[30] Ekawat Homsirikamol, Marcin Rogawski, and Kris Gaj. Comparing Hardware Performance of Fourteen Round Two SHA-3 Candidates Using FPGAs. IACR Eprint report 2010/445. Available online at http://eprint.iacr.org/2010/445.pdf.<br />
</div><br />
<br />
<div id="Ref031"><br />
[31] Brian Baldwin, Neil Hanley, Mark Hamilton, Liang Lu, Andrew Byrne, Maire O'Neill, and William P. Marnane. FPGA Implementations of the Round Two SHA-3 Candidates. Second SHA-3 Candidate Conference, 2010. Available online at http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf.<br />
</div><br />
<br />
<div id="Ref032"><br />
[32] Mohamed El Hadedy, Martin Margala, Danilo Gligoroski, and Svein J. Knapskog. Resource-Efficient Implementation of Blue Midnight Wish-256 Hash Function on Xilinx FPGA Platform. Second SHA-3 Candidate Conference, 2010. Available online at http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/El-Hadedy_SmallSizeFPGA-BMW256.pdf.<br />
</div><br />
<br />
<div id="Ref033"><br />
[33] Shin'ichiro Matsuo, Miroslav Knezevic, Patrick Schaumont, Ingrid Verbauwhede, Akashi Satoh, Kazuo Sakiyama, and Kazuo Ota. How Can We Conduct "Fair and Consistent" Hardware Evaluation for SHA-3 Candidate? Second SHA-3 Candidate Conference, 2010. Available online at http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/MATSUO_SHA-3_Criteria_Hardware_revised.pdf.<br />
</div><br />
<br />
<div id="Ref034"><br />
[34] Abdulkadir Akin, Aydin Aysu, Onur Can Ulusel, and Erkay Savas. Efficient Hardware Implementations of High Throughput SHA-3 Candidates Keccak, Luffa and Blue Midnight Wish for Single- and Multi-Message Hashing. Second SHA-3 Candidate Conference, 2010. Available online at http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SAVAS_SHA3_NIST_final.pdf.<br />
</div><br />
<br />
<div id="Ref035"><br />
[35] Xu Guo, Sinan Huang, Leyla Nazhandali, and Patrick Schaumont. Fair and Comprehensive Performance Evaluation of 14 Second Round SHA-3 ASIC Implementations. Second SHA-3 Candidate Conference, 2010. Available online at http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SCHAUMONT_SHA3.pdf.<br />
</div><br />
<br />
<div id="Ref036"><br />
[36] Jesse Walker, Farhana Sheikh, Sanu K. Mathew, and Ram Krishnamurthy. A Skein-512 Hardware Implementation. Available online at http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/WALKER_skein-intel-hwd.pdf.<br />
</div><br />
<br />
<div id="Ref037"><br />
[37] RCIS webpage. http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html.<br />
</div><br />
<br />
<div id="Ref038"><br />
[38] Akashi Satoh, Toshihiro Katashita, Takeshi Sugawara, Naofumi Homma, and Takafumi Aoki. Hardware Implementations of Hash Function Luffa. IEEE International Symposium on Hardware-Oriented Security and Trust (HOST), 2010. Available online at http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=5513102&tag=1.<br />
</div><br />
<br />
<div id="Ref039"><br />
[39] RCIS webpage (Other ASIC Implementations). http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/others.html.<br />
</div><br />
<br />
<div id="Ref040"><br />
[40] Luca Henzen, Jean-Philippe Aumasson, Willi Meier, and Raphael C.-W. Phan. VLSI Characterization of the Cryptographic Hash Function BLAKE. IEEE T VLSI, 2010. Available online at http://131002.net/data/papers/HAMP10.pdf.<br />
</div><br />
<br />
<div id="Ref041"><br />
[41] Mohamed El Hadedy, Danilo Gligoroski, and Svein J. Knapskog. Single Core Implementation of Blue Midnight Wish Hash Function on VIRTEX 5 Platform. Available online at http://people.item.ntnu.no/~danilog/Hash/BMW-SecondRound/SmallSizeFPGA-BMWOct2010.pdf.<br />
</div></div>
JAumasson
https://ehash.iaik.tugraz.at/index.php?title=SHA-3_Hardware_Implementations&diff=3651
SHA-3 Hardware Implementations
2010-12-07T10:13:32Z
<p>JAumasson: typos</p>
<hr />
<div>== Call for Contributions ==<br />
<br />
Implementers (both submitters and non-submitters): You have results that complement this site? <br />
Let us know at sha3zoo-hardware@iaik.tugraz.at If you are making your HDL code available, please also provide us with according information.<br />
<br />
== Important Information ==<br />
<br />
This page summarizes key properties of reported hardware implementations of those SHA-3 candidates, which are currently under consideration by NIST. This is work in progress. If you know of any implementations which should be mentioned on this page, refer to our [[#Call_for_Contributions|call for contributions]].<br />
<br />
A list of hardware implementations of the round 1 candidates can be found [[SHA-3_Hardware_Implementations_Round_One|here]]. Please note that the page for round 1 candidates is provided for reference and will not be updated.<br />
<br />
The implementations are categorized into FPGA and standard-cell ASIC implementations. Note that the diversity of implementation scope, target technologies, and synthesis tools makes direct comparisons between different hardware implementation difficult. The more of these parameters agree, the more reasonable the comparison becomes. <br />
<br />
The target technology should be as similar as possible. For FPGA implementation, it is desirable to compare implementations on the same target device (or at least on devices of the same FPGA family). For standard-cell ASIC implementation, at least the minimal gate length of the process (e.g., 0.13 µm) should agree. More ideally, the implementations use the same standard-cell library (which implies the use of the same process technology).<br />
<br />
In order to facilitate the comparison of hardware modules with different implementation scopes, we classify them into three categories:<br />
<br />
* [[#Fully_Autonomous_Implementation|Fully autonomous]]<br />
* [[#Implementation_with_External_Memory|Using external memory]]<br />
* [[#Implementation_of_Core_Functionality|Core functionality]]<br />
<br />
For suggestions regarding the structure of this site, let us know at sha3zoo-hardware@iaik.tugraz.at<br />
<br />
=== Fully Autonomous Implementation ===<br />
<br />
[[Image:HW_type_self-cont.jpg]]<br />
<br />
Such hardware implementations include the complete functionality of a SHA-3 candidate (or a specific version thereof). That means the input message can be loaded piecewise into the hardware module and it delivers the message digest as output. All hash calculations happen exclusively within the hardware module. If integrated in a system, the achievable throughput of a fully autonomous implementation depends on the speed of the hardware module itself and the speed of the (system dependent) data interface delivering the input message.<br />
<br />
<br />
=== Implementation with External Memory ===<br />
<br />
[[Image:HW_type_ext-mem.jpg]]<br />
<br />
These implementations use external memory to hold intermediate values during the hashing of a message. The implemented hardware itself normally consists of the core logic functionality of the hash function, some registers for short-lived temporary values, and possible a memory controller for access to the external memory. Such implementations can load the input message either over a dedicated interface (similar to a fully autonomous implementation) or from the external memory. In order to reach the maximal throughput of the hardware module, the external memory must be sufficiently fast.<br />
<br />
<br />
=== Implementation of Core Functionality ===<br />
<br />
[[Image:HW_type_core-funct.jpg]]<br />
<br />
Such implementations comprise only important parts of the hash function (e.g., the compression function), which normally allows to get a first-order estimate of the performance figures of full implementations.<br />
<br />
== Ongoing Hardware Benchmarking Efforts ==<br />
<br />
To describe it in the words of the initiators and maintainers: "ATHENa: Automated Tool for Hardware EvaluatioN is a project started at George Mason University, aimed at fair, comprehensive, and automated evaluation of cryptographic cores developed using hardware description languages, such as VHDL and Verilog." More information about the project and the current results can be found on the [http://cryptography.gmu.edu/athena/ ATHENa webpage]. Note: As each hash module submitted to ATHENAa is implemented on several FPGA platforms, the SHA-3 zoo pages will not replicate all results produced by the ATHENa project on this webpage. Instead please refer directly to the [http://cryptography.gmu.edu/athena/ ATHENa webpage].<br />
<br />
== Summary of All Results ==<br />
<br />
This section includes four categories of implementations (high-speed, low-area, both for FPGA and ASIC) which include known published results. If the HDL sourcecode is available, a link is provided as well.<br />
<br />
=== High-Speed Implementations (FPGA) ===<br />
<br />
Important note: The size and functionality of slices varies between FPGA families. A direct comparison of the slice count of implementations on different FPGA families is therefore problematic.<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="120"| Hash Function Name !! width="150"| Reference / HDL !! width="100"| Impl. Scope !! width="200"| Impl. Details !! width="100"| Technology !! width="80"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| BLAKE-32 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with 8 G function units || Xilinx Virtex-II Pro || align="right"| 3091 slices || align="right"| 1724 Mbit/s || align="right"| 37.0 MHz<br />
|-<br />
| BLAKE-32 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with 8 G function units || Xilinx Virtex 4 || align="right"| 3087 slices || align="right"| 2235 Mbit/s || align="right"| 48.0 MHz<br />
|-<br />
| BLAKE-32 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with 8 G function units || Xilinx Virtex 5 || align="right"| 1694 slices || align="right"| 3103 Mbit/s || align="right"| 67.0 MHz<br />
|-<br />
| BLAKE-32 || [http://www.vlsi.uwaterloo.ca/~ahasan/hasan_report.html Namin and Hasan] [[#Ref002|[2]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with 8 G function units and I/O registers || Altera Stratix III || align="right"| 5435 ALUTs || align="right"| 2186.2 Mbit/s || align="right"| 46.97 MHz<br />
|-<br />
| BLAKE-32 || [http://eprint.iacr.org/2010/010.pdf Kobayashi et al.] [[#Ref003|[3]]] / [http://www.rcis.aist.go.jp/special/SASEBO/SHA3-en.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1660 slices || align="right"| 2676 Mbit/s || align="right"| 115 MHz<br />
<br />
|-<br />
| BLAKE-32 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] <br />
|| 4 G function units per iteration || Xilinx Virtex 5 || align="right"| 1871 slices || align="right"| 2854 Mbit/s || align="right"| 117.1 MHz<br />
|-<br />
| BLAKE-32 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 4 G function units per iteration || Altera Stratix III || align="right"| 1779 ALUTs || align="right"| 3037 Mbit/s || align="right"| 124.6 MHz<br />
<br />
|-<br />
| BLAKE-32 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1118 slices || align="right"| 1169 Mbit/s || align="right"| 118.06 MHz<br />
|-<br />
| BLAKE-32 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/MATSUO_SHA-3_Criteria_Hardware_revised.pdf Matsuo et al.] [[#Ref033|[33]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS website] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1660 slices || align="right"| 2676 Mbit/s || align="right"| 115 MHz<br />
|-<br />
| BLAKE-64 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with 8 G function units || Xilinx Virtex-II Pro || align="right"| 11122 slices || align="right"| 1177 Mbit/s || align="right"| 17.0 MHz<br />
|-<br />
| BLAKE-64 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with 8 G function units || Xilinx Virtex 4 || align="right"| 11483 slices || align="right"| 1707 Mbit/s || align="right"| 25.0 MHz<br />
|-<br />
| BLAKE-64 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with 8 G function units || Xilinx Virtex 5 || align="right"| 4329 slices || align="right"| 2389 Mbit/s || align="right"| 35.0 MHz<br />
|-<br />
| BLAKE-64 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1718 slices || align="right"| 1299 Mbit/s || align="right"| 90.91 MHz<br />
<br />
|-<br />
| BLAKE-64 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 4 G function units per iteration || Xilinx Virtex 5 || align="right"| 3276 slices || align="right"| 3743 Mbit/s || align="right"| 106.0 MHz<br />
|-<br />
| BLAKE-64 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 4 G function units per iteration || Altera Stratix III || align="right"| 3414 ALUTs || align="right"| 3298 Mbit/s || align="right"| 93.4 MHz<br />
<br />
|-<br />
| Blue Midnight Wish-256 || [http://www.vlsi.uwaterloo.ca/~ahasan/hasan_report.html Namin and Hasan] [[#Ref002|[2]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with f0, f1, and f2 unrolled in sequence and I/O registers || Altera Stratix III || align="right"| 12917 ALUTs || align="right"| 4889.6 Mbit/s || align="right"| 9.55 MHz<br />
<br />
|-<br />
| Blue Midnight Wish-256 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Fully unrolled || Xilinx Virtex 5 || align="right"| 4400 slices || align="right"| 5577 Mbit/s || align="right"| 10.9 MHz<br />
|-<br />
| Blue Midnight Wish-256 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Fully unrolled || Altera Stratix III || align="right"| 12632 ALUTs || align="right"| 8422 Mbit/s || align="right"| 16.5 MHz<br />
<br />
|-<br />
| Blue Midnight Wish-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 4997 slices || align="right"| 457 Mbit/s || align="right"| 14.02 MHz<br />
|-<br />
| Blue Midnight Wish-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/MATSUO_SHA-3_Criteria_Hardware_revised.pdf Matsuo et al.] [[#Ref033|[33]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS website] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 4350 slices || align="right"| 8704 Mbit/s || align="right"| 34 MHz<br />
|-<br />
| Blue Midnight Wish-512 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 9810 slices || align="right"| 287 Mbit/s || align="right"| 10 MHz<br />
<br />
|-<br />
| Blue Midnight Wish-512 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Fully unrolled || Xilinx Virtex 5 || align="right"| 10401 slices || align="right"| 8656 Mbit/s || align="right"| 8.5 MHz<br />
|-<br />
| Blue Midnight Wish-512 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Fully unrolled || Altera Stratix III || align="right"| 25225 ALUTs || align="right"| 7619 Mbit/s || align="right"| 7.4 MHz<br />
<br />
|-<br />
| Blue Midnight Wish || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SAVAS_SHA3_NIST_final.pdf Akin et al.] [[#Ref034|[34]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with f0, f1, and f2 unrolled in sequence || Xilinx Spartan 3 || align="right"| 10531 slices || align="right"| 2110 Mbit/s || align="right"| 4.22 MHz<br />
|-<br />
| Blue Midnight Wish || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SAVAS_SHA3_NIST_final.pdf Akin et al.] [[#Ref034|[34]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with f0, f1, and f2 unrolled in sequence || Xilinx Virtex-II || align="right"| 10432 slices || align="right"| 3360 Mbit/s || align="right"| 6.71 MHz<br />
|-<br />
| Blue Midnight Wish || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SAVAS_SHA3_NIST_final.pdf Akin et al.] [[#Ref034|[34]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with f0, f1, and f2 unrolled in sequence || Xilinx Virtex 4 || align="right"| 10486 slices || align="right"| 4510 Mbit/s || align="right"| 9.01 MHz<br />
|-<br />
| CubeHash8/1-256(***) || [http://eprint.iacr.org/2009/342.pdf Baldwin et al.] [[#Ref004|[4]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || 2 compression functions unrolled || Xilinx Spartan 3 || align="right"| 3268 slices || align="right"| 70 Mbit/s || align="right"| 37.9 MHz<br />
|-<br />
| CubeHash8/1-256(***) || [http://eprint.iacr.org/2009/342.pdf Baldwin et al.] [[#Ref004|[4]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || 1 iterated compression function || Xilinx Virtex 5 || align="right"| 1178 slices || align="right"| 160 Mbit/s || align="right"| 166.8 MHz<br />
|-<br />
| CubeHash16/32-256 || [http://eprint.iacr.org/2010/010.pdf Kobayashi et al.] [[#Ref003|[3]]] / [http://www.rcis.aist.go.jp/special/SASEBO/SHA3-en.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 590 slices || align="right"| 2960 Mbit/s || align="right"| 185 MHz<br />
<br />
|-<br />
| CubeHash16/32-256 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 707 slices || align="right"| 3445 Mbit/s || align="right"| 215.3 MHz<br />
|-<br />
| CubeHash16/32-256 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Altera Stratix III || align="right"| 1928 ALUTs || align="right"| 3777 Mbit/s || align="right"| 236.1 MHz<br />
<br />
|-<br />
| CubeHash16/32-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/MATSUO_SHA-3_Criteria_Hardware_revised.pdf Matsuo et al.] [[#Ref033|[33]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS website] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 590 slices || align="right"| 2960 Mbit/s || align="right"| 185 MHz<br />
|-<br />
| CubeHash8/32 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 695 slices || align="right"| 2509 Mbit/s || align="right"| 166.83 MHz<br />
<br />
|-<br />
| CubeHash16/32-512 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 764 slices || align="right"| 3509 Mbit/s || align="right"| 219.3 MHz<br />
|-<br />
| CubeHash16/32-512 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Altera Stratix III || align="right"| 1924 ALUTs || align="right"| 3489 Mbit/s || align="right"| 218.1 MHz<br />
<br />
|-<br />
| ECHO-224/256 || [http://www.ucc.ie/en/crypto/CodingandCryptographyWorkshop/TheClaudeShannonWorkshoponCodingCryptography2009/DocumentFile,75649,en.pdf Lu et al.] [[#Ref005|[5]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 9333 slices || align="right"| 14860 Mbit/s || align="right"| 87.1 MHz<br />
|-<br />
| ECHO-224/256 || [http://csg.csail.mit.edu/6.375/6_375_2009_www/projects/group1_report.pdf Kinsy and Uhler] [[#Ref021|[21]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 273 cycles per block || Altera Cyclone II || align="right"| 39091 LEs || align="right"| 397 Mbit/s(*) || align="right"| 70.6 MHz<br />
|-<br />
| ECHO-256 || [http://ehash.iaik.tugraz.at/uploads/1/12/Ramakers_Narinx2010ECHO-Hamsi-Luffa_ExtendedAbstract_ENGLISH.pdf Ramakers and Narinx] [[#Ref025|[25]]] / [http://ehash.iaik.tugraz.at/uploads/2/27/Ramakers_Narinx2010ECHO-Hamsi-Luffa_VHDL_sources.zip Hosted by SHA-3 zoo] || [[#Implementation_of_Core_Functionality|Core functionality]] || Straight-forward instantiation of complete compression function || Xilinx Virtex 5 || align="right"| 15006 slices || align="right"| 23860 Mbit/s || align="right"| 139 MHz<br />
|-<br />
| ECHO-256 || [http://ehash.iaik.tugraz.at/uploads/1/12/Ramakers_Narinx2010ECHO-Hamsi-Luffa_ExtendedAbstract_ENGLISH.pdf Ramakers and Narinx] [[#Ref025|[25]]] / [http://ehash.iaik.tugraz.at/uploads/2/27/Ramakers_Narinx2010ECHO-Hamsi-Luffa_VHDL_sources.zip Hosted by SHA-3 zoo] || [[#Implementation_of_Core_Functionality|Core functionality]] || Optimized: 4 x 2 AES round instances with pipeline register in BigSubWords || Xilinx Virtex 5 || align="right"| 12061 slices || align="right"| 3560 Mbit/s || align="right"| 187 MHz<br />
|-<br />
| ECHO-256 || [http://eprint.iacr.org/2010/010.pdf Kobayashi et al.] [[#Ref003|[3]]] / [http://www.rcis.aist.go.jp/special/SASEBO/SHA3-en.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 3556 slices || align="right"| 1614 Mbit/s || align="right"| 104 MHz<br />
|-<br />
| ECHO-256 || [http://crypto.rd.francetelecom.com/ECHO/hard/ Mabrouk and Benadjila] [[#Ref028|[28]]] / [http://crypto.rd.francetelecom.com/ECHO/hard/echo_highspeed_virtex5.zip Implementer's webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Fully parallel iterations of Compress512 || Xilinx Virtex 5 || align="right"| 10407 slices || align="right"| 26390 Mbit/s || align="right"| 154.6 MHz<br />
|-<br />
| ECHO-256 || [http://crypto.rd.francetelecom.com/ECHO/hard/ Mabrouk and Benadjila] [[#Ref028|[28]]] / [http://crypto.rd.francetelecom.com/ECHO/hard/echo_highspeed_virtex6.zip Implementer's webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Fully parallel iterations of Compress512 || Xilinx Virtex 6 || align="right"| 8071 slices || align="right"| 29457 Mbit/s || align="right"| 172.6 MHz<br />
<br />
|-<br />
| ECHO-256 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 3 clk cycles per round || Xilinx Virtex 5 || align="right"| 5445 slices || align="right"| 13874 Mbit/s || align="right"| 234.9 MHz<br />
|-<br />
| ECHO-256 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 3 clk cycles per round || Altera Stratix III || align="right"| 21689 ALUTs || align="right"| 9700 Mbit/s || align="right"| 164.2 MHz<br />
<br />
|-<br />
| ECHO-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 7372 slices || align="right"| 5373 Mbit/s || align="right"| 198.93 MHz<br />
|-<br />
| ECHO-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/MATSUO_SHA-3_Criteria_Hardware_revised.pdf Matsuo et al.] [[#Ref033|[33]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS website] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 2827 slices || align="right"| 2312 Mbit/s || align="right"| 149 MHz<br />
|-<br />
| ECHO-384/512 || [http://www.ucc.ie/en/crypto/CodingandCryptographyWorkshop/TheClaudeShannonWorkshoponCodingCryptography2009/DocumentFile,75649,en.pdf Lu et al.] [[#Ref005|[5]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 9097 slices || align="right"| 7810 Mbit/s || align="right"| 83.9 MHz<br />
|-<br />
| ECHO-384/512 || [http://csg.csail.mit.edu/6.375/6_375_2009_www/projects/group1_report.pdf Kinsy and Uhler] [[#Ref021|[21]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 341 cycles per block || Altera Cyclone II || align="right"| 39091 LEs || align="right"| 212 Mbit/s(**) || align="right"| 70.6 MHz<br />
|-<br />
| ECHO-512 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 8633 slices || align="right"| 18133 Mbit/s || align="right"| 166.69 MHz<br />
<br />
|-<br />
| ECHO-512 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 3 clk cycles per round || Xilinx Virtex 5 || align="right"| 5958 slices || align="right"| 6431 Mbit/s || align="right"| 201.0 MHz<br />
|-<br />
| ECHO-512 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 3 clk cycles per round || Altera Stratix III || align="right"| 20085 ALUTs || align="right"| 7872 Mbit/s || align="right"| 246.0 MHz<br />
<br />
|-<br />
| Fugue-256 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 2 clk cycles per round || Xilinx Virtex 5 || align="right"| 729 slices || align="right"| 3512 Mbit/s || align="right"| 219.5 MHz<br />
|-<br />
| Fugue-256 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 2 clk cycles per round || Altera Stratix III || align="right"| 2352 ALUTs || align="right"| 3765 Mbit/s || align="right"| 235.3 MHz<br />
<br />
|-<br />
| Fugue-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1689 slices || align="right"| 914 Mbit/s || align="right"| 200.04 MHz<br />
|-<br />
| Fugue-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/MATSUO_SHA-3_Criteria_Hardware_revised.pdf Matsuo et al.] [[#Ref033|[33]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS website] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 4013 slices || align="right"| 1248 Mbit/s || align="right"| 78 MHz<br />
|-<br />
| Fugue-384 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 2380 slices || align="right"| 640 Mbit/s || align="right"| 200.08 MHz<br />
|-<br />
| Fugue-512 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 2596 slices || align="right"| 481 Mbit/s || align="right"| 200.16 MHz<br />
<br />
|-<br />
| Fugue-512 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 4 clk cycles per round || Xilinx Virtex 5 || align="right"| 955 slices || align="right"| 1862 Mbit/s || align="right"| 232.7 MHz<br />
|-<br />
| Fugue-512 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 4 clk cycles per round || Altera Stratix III || align="right"| 2680 ALUTs || align="right"| 1878 Mbit/s || align="right"| 234.8 MHz<br />
<br />
|-<br />
| Grøstl-224/256 || [http://eprint.iacr.org/2009/206.pdf Jungk et al.] [[#Ref006|[6]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || P & Q permutation in parallel || Xilinx Spartan 3 || align="right"| 6136 slices || align="right"| 4520 Mbit/s || align="right"| 88.3 MHz<br />
|-<br />
| Grøstl-224/256 || [http://www.groestl.info/Groestl.pdf Submission doc.] [[#Ref007|[7]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || P & Q permutation in parallel || Xilinx Virtex 5 || align="right"| 1722 slices || align="right"| 10276 Mbit/s || align="right"| 200.7 MHz<br />
|-<br />
| Grøstl-224/256 || [http://eprint.iacr.org/2009/342.pdf Baldwin et al.] [[#Ref004|[4]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || P & Q permutation in parallel, S-box in BRAM || Xilinx Spartan 3 || align="right"| 4827 slices || align="right"| 3660 Mbit/s || align="right"| 71.53 MHz<br />
|-<br />
| Grøstl-224/256 || [http://eprint.iacr.org/2009/342.pdf Baldwin et al.] [[#Ref004|[4]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || P & Q permutation in parallel, S-box in BRAM || Xilinx Virtex 5 || align="right"| 4516 slices || align="right"| 7310 Mbit/s || align="right"| 142.87 MHz<br />
|-<br />
| Grøstl-256 || [http://eprint.iacr.org/2010/010.pdf Kobayashi et al.] [[#Ref003|[3]]] / [http://www.rcis.aist.go.jp/special/SASEBO/SHA3-en.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 4057 slices || align="right"| 5171 Mbit/s || align="right"| 101 MHz<br />
<br />
|-<br />
| Grøstl-256 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || P & Q permutations interleaved || Xilinx Virtex 5 || align="right"| 1716 slices || align="right"| 8546 Mbit/s || align="right"| 350.5 MHz<br />
|-<br />
| Grøstl-256 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || P & Q permutations interleaved || Altera Stratix III || align="right"| 3103 ALUTs || align="right"| 6589 Mbit/s || align="right"| 270.3 MHz<br />
<br />
|-<br />
| Grøstl-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 2391 slices || align="right"| 3242 Mbit/s || align="right"| 101.32 MHz<br />
|-<br />
| Grøstl-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/MATSUO_SHA-3_Criteria_Hardware_revised.pdf Matsuo et al.] [[#Ref033|[33]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS website] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 2616 slices || align="right"| 7885 Mbit/s || align="right"| 154 MHz<br />
|-<br />
| Grøstl-384/512 || [http://www.groestl.info/Groestl.pdf Submission doc.] [[#Ref007|[7]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || P & Q permutation in parallel || Xilinx Spartan 3 || align="right"| 20233 slices || align="right"| 5901 Mbit/s || align="right"| 80.7 MHz<br />
|-<br />
| Grøstl-384/512 || [http://eprint.iacr.org/2009/342.pdf Baldwin et al.] [[#Ref004|[4]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || P & Q permutation parallel, S-box in LUTs || Xilinx Spartan 3 || align="right"| 17452 slices || align="right"| 3180 Mbit/s || align="right"| 79.61 MHz<br />
|-<br />
| Grøstl-384/512 || [http://eprint.iacr.org/2009/342.pdf Baldwin et al.] [[#Ref004|[4]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || P & Q permutation parallel, S-box in LUTs || Xilinx Virtex 5 || align="right"| 19161 slices || align="right"| 6090 Mbit/s || align="right"| 83.33 MHz<br />
|-<br />
| Grøstl-384/512 || [http://www.groestl.info/Groestl.pdf Submission doc.] [[#Ref007|[7]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || P & Q permutation in parallel || Xilinx Virtex 5 || align="right"| 5419 slices || align="right"| 15395 Mbit/s || align="right"| 210.5 MHz<br />
|-<br />
| Grøstl-384/512 || [http://eprint.iacr.org/2010/260.pdf Jungk and Reith] [[#Ref022|[22]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Shared P & Q permutation || Xilinx Spartan 3 || align="right"| 8308 slices || align="right"| 3474 Mbit/s || align="right"| 95 MHz<br />
|-<br />
| Grøstl-512 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 4845 slices || align="right"| 3619 Mbit/s || align="right"| 123.4 MHz<br />
<br />
|-<br />
| Grøstl-512 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || P & Q permutations interleaved || Xilinx Virtex 5 || align="right"| 3155 slices || align="right"| 11498 Mbit/s || align="right"| 325.6 MHz<br />
|-<br />
| Grøstl-512 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || P & Q permutations interleaved || Altera Stratix III || align="right"| 6288 ALUTs || align="right"| 8841 Mbit/s || align="right"| 250.4 MHz<br />
<br />
|-<br />
| Hamsi-256 || [http://eprint.iacr.org/2010/010.pdf Kobayashi et al.] [[#Ref003|[3]]] / [http://www.rcis.aist.go.jp/special/SASEBO/SHA3-en.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 718 slices || align="right"| 1680 Mbit/s || align="right"| 210 MHz<br />
|-<br />
| Hamsi-256 || [http://ehash.iaik.tugraz.at/uploads/1/12/Ramakers_Narinx2010ECHO-Hamsi-Luffa_ExtendedAbstract_ENGLISH.pdf Ramakers and Narinx] [[#Ref025|[25]]] / [http://ehash.iaik.tugraz.at/uploads/2/27/Ramakers_Narinx2010ECHO-Hamsi-Luffa_VHDL_sources.zip Hosted by SHA-3 zoo] || [[#Implementation_of_Core_Functionality|Core functionality]] || Straight-forward instantiation of complete compression function || Xilinx Virtex 5 || align="right"| 4664 slices || align="right"| 6620 Mbit/s || align="right"| 207 MHz<br />
|-<br />
| Hamsi-256 || [http://ehash.iaik.tugraz.at/uploads/1/12/Ramakers_Narinx2010ECHO-Hamsi-Luffa_ExtendedAbstract_ENGLISH.pdf Ramakers and Narinx] [[#Ref025|[25]]] / [http://ehash.iaik.tugraz.at/uploads/2/27/Ramakers_Narinx2010ECHO-Hamsi-Luffa_VHDL_sources.zip Hosted by SHA-3 zoo] || [[#Implementation_of_Core_Functionality|Core functionality]] || Non-linear permutation block reused || Xilinx Virtex 5 || align="right"| 2113 slices || align="right"| 1970 Mbit/s || align="right"| 308 MHz<br />
<br />
|-<br />
| Hamsi-256 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 946 slices || align="right"| 2646 Mbit/s || align="right"| 248.1 MHz<br />
|-<br />
| Hamsi-256 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Altera Stratix III || align="right"| 2320 ALUTs || align="right"| 3145 Mbit/s || align="right"| 294.8 MHz<br />
<br />
|-<br />
| Hamsi-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1518 slices || align="right"| 358 Mbit/s || align="right"| 72.41 MHz<br />
|-<br />
| Hamsi-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/MATSUO_SHA-3_Criteria_Hardware_revised.pdf Matsuo et al.] [[#Ref033|[33]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS website] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 718 slices || align="right"| 1680 Mbit/s || align="right"| 210 MHz<br />
|-<br />
| Hamsi-512 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 6229 slices || align="right"| 79 Mbit/s || align="right"| 16.51 MHz<br />
<br />
|-<br />
| Hamsi-512 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 2201 slices || align="right"| 1828 Mbit/s || align="right"| 171.4 MHz<br />
|-<br />
| Hamsi-512 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Altera Stratix III || align="right"| 5668 ALUTs || align="right"| 1932 Mbit/s || align="right"| 181.2 MHz<br />
<br />
|-<br />
| JH-256 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1108 slices || align="right"| 3955 Mbit/s || align="right"| 278.1 MHz<br />
|-<br />
| JH-256 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Altera Stratix III || align="right"| 3107 ALUTs || align="right"| 5191 Mbit/s || align="right"| 365.0 MHz<br />
<br />
|-<br />
| JH-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/MATSUO_SHA-3_Criteria_Hardware_revised.pdf Matsuo et al.] [[#Ref033|[33]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS website] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 2661 slices || align="right"| 2639 Mbit/s || align="right"| 201 MHz<br />
|-<br />
| JH || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1291 slices || align="right"| 1941 Mbit/s || align="right"| 250.13 MHz<br />
<br />
|-<br />
| JH-512 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1165 slices || align="right"| 3918 Mbit/s || align="right"| 275.5 MHz<br />
|-<br />
| JH-512 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Altera Stratix III || align="right"| 3222 ALUTs || align="right"| 5105 Mbit/s || align="right"| 358.9 MHz<br />
<br />
|-<br />
| Keccak || [http://keccak.noekeon.org/Keccak-main-1.2.pdf Updated spec. (v1.2)] [[#Ref008|[8]]] / [http://keccak.noekeon.org/ Submission webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Core (round function, state register) & IO buffer || Altera Cyclone III || align="right"| 5776 LEs || align="right"| 7500 Mbit/s || align="right"| 133 MHz<br />
|-<br />
| Keccak || [http://keccak.noekeon.org/Keccak-main-1.2.pdf Updated spec. (v1.2)] [[#Ref008|[8]]] / [http://keccak.noekeon.org/ Submission webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Core (round function, state register) & IO buffer || Altera Stratix III || align="right"| 4713 ALUTs || align="right"| 12400 Mbit/s || align="right"| 218 MHz<br />
|-<br />
| Keccak || [http://www.strombergson.com/files/Keccak_in_FPGAs.pdf J. Str&ouml;mbergson] [[#Ref009|[9]]] / [http://keccak.noekeon.org/ Submission webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Core (round function, state register) only || Xilinx Spartan 3A || align="right"| 3393 slices || align="right"| 4800 Mbit/s || align="right"| 85 MHz<br />
|-<br />
| Keccak || [http://keccak.noekeon.org/Keccak-main-1.2.pdf Updated spec. (v1.2)] [[#Ref008|[8]]] / [http://keccak.noekeon.org/ Submission webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Core (round function, state register) & IO buffer || Xilinx Virtex 5 || align="right"| 1412 slices || align="right"| 6900 Mbit/s || align="right"| 122 MHz<br />
|-<br />
| Keccak(-224) || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1117 slices || align="right"| 5915 Mbit/s || align="right"| 189 MHz<br />
<br />
|-<br />
| Keccak(-256) || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1229 slices || align="right"| 10807 Mbit/s || align="right"| 238.4 MHz<br />
|-<br />
| Keccak(-256) || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Altera Stratix III || align="right"| 4458 ALUTs || align="right"| 13432 Mbit/s || align="right"| 296.3 MHz<br />
<br />
|-<br />
| Keccak(-256) || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1117 slices || align="right"| 6263 Mbit/s || align="right"| 189 MHz<br />
|-<br />
| Keccak(-256) || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/MATSUO_SHA-3_Criteria_Hardware_revised.pdf Matsuo et al.] [[#Ref033|[33]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS website] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1433 slices || align="right"| 8397 Mbit/s || align="right"| 205 MHz<br />
|-<br />
| Keccak(-384) || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1117 slices || align="right"| 8190 Mbit/s || align="right"| 189 MHz<br />
|-<br />
| Keccak(-512) || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1117 slices || align="right"| 8518 Mbit/s || align="right"| 189 MHz<br />
<br />
|-<br />
| Keccak(-512) || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1236 slices || align="right"| 6645 Mbit/s || align="right"| 276.9 MHz<br />
|-<br />
| Keccak(-512) || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Altera Stratix III || align="right"| 3575 ALUTs || align="right"| 6471 Mbit/s || align="right"| 269.6 MHz<br />
<br />
|-<br />
| Keccak || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SAVAS_SHA3_NIST_final.pdf Akin et al.] [[#Ref034|[34]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || One Keccak-f round per cycle || Xilinx Spartan 3 || align="right"| 2024 slices || align="right"| 3460 Mbit/s || align="right"| 81.4 MHz<br />
|-<br />
| Keccak || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SAVAS_SHA3_NIST_final.pdf Akin et al.] [[#Ref034|[34]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || One Keccak-f round per cycle || Xilinx Virtex-II || align="right"| 2024 slices || align="right"| 5810 Mbit/s || align="right"| 136.6 MHz<br />
|-<br />
| Keccak || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SAVAS_SHA3_NIST_final.pdf Akin et al.] [[#Ref034|[34]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || One Keccak-f round per cycle || Xilinx Virtex 4 || align="right"| 2024 slices || align="right"| 6070 Mbit/s || align="right"| 142.9 MHz<br />
|-<br />
| Luffa-256 || [http://www.vlsi.uwaterloo.ca/~ahasan/hasan_report.html Namin and Hasan] [[#Ref002|[2]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function (1 cycle latency) and I/O registers || Altera Stratix III || align="right"| 16552 ALUTs || align="right"| 12042.2 Mbit/s || align="right"| 47.04 MHz<br />
|-<br />
| Luffa-256 || [http://eprint.iacr.org/2010/010.pdf Kobayashi et al.] [[#Ref003|[3]]] / [http://www.rcis.aist.go.jp/special/SASEBO/SHA3-en.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1048 slices || align="right"| 6343 Mbit/s || align="right"| 223 MHz<br />
|-<br />
| Luffa-256 || [http://ehash.iaik.tugraz.at/uploads/1/12/Ramakers_Narinx2010ECHO-Hamsi-Luffa_ExtendedAbstract_ENGLISH.pdf Ramakers and Narinx] [[#Ref025|[25]]] / [http://ehash.iaik.tugraz.at/uploads/2/27/Ramakers_Narinx2010ECHO-Hamsi-Luffa_VHDL_sources.zip Hosted by SHA-3 zoo] || [[#Implementation_of_Core_Functionality|Core functionality]] || One step block reused for 8 rounds || Xilinx Virtex 5 || align="right"| 9611 slices || align="right"| 2303 Mbit/s || align="right"| 179 MHz<br />
|-<br />
| Luffa-256 || [http://ehash.iaik.tugraz.at/uploads/1/12/Ramakers_Narinx2010ECHO-Hamsi-Luffa_ExtendedAbstract_ENGLISH.pdf Ramakers and Narinx] [[#Ref025|[25]]] / [http://ehash.iaik.tugraz.at/uploads/2/27/Ramakers_Narinx2010ECHO-Hamsi-Luffa_VHDL_sources.zip Hosted by SHA-3 zoo] || [[#Implementation_of_Core_Functionality|Core functionality]] || Straight-forward instantiation of complete compression function || Xilinx Virtex 5 || align="right"| 9611 slices || align="right"| 12290 Mbit/s || align="right"| 48.2 MHz<br />
<br />
|-<br />
| Luffa-256 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1154 slices || align="right"| 8008 Mbit/s || align="right"| 281.5 MHz<br />
|-<br />
| Luffa-256 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Altera Stratix III || align="right"| 3304 ALUTs || align="right"| 8741 Mbit/s || align="right"| 307.3 MHz<br />
<br />
|-<br />
| Luffa-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 2221 slices || align="right"| 5333 Mbit/s || align="right"| 166.67 MHz<br />
|-<br />
| Luffa-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/MATSUO_SHA-3_Criteria_Hardware_revised.pdf Matsuo et al.] [[#Ref033|[33]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS website] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1048 slices || align="right"| 7424 Mbit/s || align="right"| 261 MHz<br />
|-<br />
| Luffa-384 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 3740 slices || align="right"| 5336 Mbit/s || align="right"| 166.75 MHz<br />
|-<br />
| Luffa-512 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 3700 slices || align="right"| 5336 Mbit/s || align="right"| 166.75 MHz<br />
<br />
|-<br />
| Luffa-512 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 2164 slices || align="right"| 7044 Mbit/s || align="right"| 220.1 MHz<br />
|-<br />
| Luffa-512 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Altera Stratix III || align="right"| 6888 ALUTs || align="right"| 8577 Mbit/s || align="right"| 268.0 MHz<br />
<br />
|-<br />
| Luffa || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SAVAS_SHA3_NIST_final.pdf Akin et al.] [[#Ref034|[34]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || Three step modules || Xilinx Spartan 3 || align="right"| 2956 slices || align="right"| 1480 Mbit/s || align="right"| 157.3 MHz<br />
|-<br />
| Luffa || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SAVAS_SHA3_NIST_final.pdf Akin et al.] [[#Ref034|[34]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || Three step modules || Xilinx Virtex-II || align="right"|2952 slices || align="right"| 8370 Mbit/s || align="right"| 301.4 MHz<br />
|-<br />
| Luffa || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SAVAS_SHA3_NIST_final.pdf Akin et al.] [[#Ref034|[34]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || Three step modules || Xilinx Virtex 4 || align="right"| 2989 slices || align="right"| 8560 Mbit/s || align="right"| 308.2 MHz<br />
|-<br />
| Shabal || [http://www.shabal.com/wp-content/plugins/download-monitor/download.php?id=FPGA-Implementation-of-Shabal-First-ResultsV2.0.pdf Feron and Francq] [[#Ref010|[10]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 36 adders in permutation || Xilinx Virtex 5 || align="right"| 1171 slices || align="right"| 2588 Mbit/s || align="right"| 126 MHz<br />
|-<br />
| Shabal || [http://eprint.iacr.org/2010/406.pdf Francq and Thuillet] [[#Ref026|[26]]] / [http://www.shabal.com/?p=170 Shabal webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 4 iterations of the permutation unrolled || Xilinx Virtex 5 || align="right"| 1715 slices || align="right"| 3242 Mbit/s || align="right"| 76 MHz<br />
|-<br />
| Shabal || [http://eprint.iacr.org/2009/342.pdf Baldwin et al.] [[#Ref004|[4]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || 36 adders in permutation || Xilinx Spartan 3 || align="right"| 2223 slices || align="right"| 740 Mbit/s || align="right"| 71.48 MHz<br />
|-<br />
| Shabal || [http://eprint.iacr.org/2009/342.pdf Baldwin et al.] [[#Ref004|[4]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || 36 adders in permutation || Xilinx Virtex 5 || align="right"| 2768 slices || align="right"| 1450 Mbit/s || align="right"| 138.87 MHz<br />
|-<br />
| Shabal || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1583 slices || align="right"| 1469 Mbit/s || align="right"| 148.04 MHz<br />
|-<br />
| Shabal-256 || [http://www.vlsi.uwaterloo.ca/~ahasan/hasan_report.html Namin and Hasan] [[#Ref002|[2]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with I/O registers (latency of 16 clock cycles) || Altera Stratix III || align="right"| 1440 ALUTs || align="right"| 3125.6 Mbit/s || align="right"| 195.35 MHz<br />
|-<br />
| Shabal-256 || [http://eprint.iacr.org/2010/010.pdf Kobayashi et al.] [[#Ref003|[3]]] / [http://www.rcis.aist.go.jp/special/SASEBO/SHA3-en.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1251 slices || align="right"| 1739 Mbit/s || align="right"| 214 MHz<br />
<br />
|-<br />
| Shabal-256 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 2 rounds unrolled || Xilinx Virtex 5 || align="right"| 1266 slices || align="right"| 2624 Mbit/s || align="right"| 128.1 MHz<br />
|-<br />
| Shabal-256 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 2 rounds unrolled || Altera Stratix III || align="right"| 3600 ALUTs || align="right"| 2598 Mbit/s || align="right"| 126.9 MHz<br />
<br />
|-<br />
| Shabal-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/MATSUO_SHA-3_Criteria_Hardware_revised.pdf Matsuo et al.] [[#Ref033|[33]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS website] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1251 slices || align="right"| 2335 Mbit/s || align="right"| 228 MHz<br />
|-<br />
| Shabal-512 || [http://eprint.iacr.org/2010/292.pdf Detrey et al.] [[#Ref023|[23]]] / [http://hwshabal.gforge.inria.fr/ INRIA webpage (see SCM tree)] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Exploiting SRL16 primitive || Xilinx Virtex 5 || align="right"| 153 slices || align="right"| 2051 Mbit/s || align="right"| 256 MHz<br />
|-<br />
| Shabal-512 || [http://eprint.iacr.org/2010/292.pdf Detrey et al.] [[#Ref023|[23]]] / [http://hwshabal.gforge.inria.fr/ INRIA webpage (see SCM tree)] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Exploiting SRL16 primitive || Xilinx Spartan 3 || align="right"| 499 slices || align="right"| 800 Mbit/s || align="right"| 100 MHz<br />
<br />
|-<br />
| Shabal-512 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 2 rounds unrolled || Xilinx Virtex 5 || align="right"| 1372 slices || align="right"| 2771 Mbit/s || align="right"| 135.3 MHz<br />
|-<br />
| Shabal-512 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 2 rounds unrolled || Altera Stratix III || align="right"| 3753 ALUTs || align="right"| 2589 Mbit/s || align="right"| 126.4 MHz<br />
<br />
|-<br />
| SHAvite-3<sub>256</sub> || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 3 clk cycles per round || Xilinx Virtex 5 || align="right"| 1130 slices || align="right"| 2886 Mbit/s || align="right"| 208.6 MHz<br />
|-<br />
| SHAvite-3<sub>256</sub> || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 3 clk cycles per round || Altera Stratix III || align="right"| 2497 ALUTs || align="right"| 3529 Mbit/s || align="right"| 255.0 MHz<br />
<br />
|-<br />
| SHAvite-3<sub>256</sub> || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 3125 slices || align="right"| 1170 Mbit/s || align="right"| 109.17 MHz<br />
|-<br />
| SHAvite-3<sub>256</sub> || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/MATSUO_SHA-3_Criteria_Hardware_revised.pdf Matsuo et al.] [[#Ref033|[33]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS website] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1063 slices || align="right"| 3382 Mbit/s || align="right"| 251 MHz<br />
|-<br />
| SHAvite-3<sub>512</sub> || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 9775 slices || align="right"| 931 Mbit/s || align="right"| 59.4 MHz<br />
<br />
|-<br />
| SHAvite-3<sub>512</sub> || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 4 clk cycles per round || Xilinx Virtex 5 || align="right"| 1954 slices || align="right"| 3835 Mbit/s || align="right"| 213.4 MHz<br />
|-<br />
| SHAvite-3<sub>512</sub> || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 4 clk cycles per round || Altera Stratix III || align="right"| 5610 ALUTs || align="right"| 3869 Mbit/s || align="right"| 215.4 MHz<br />
<br />
|-<br />
| SIMD-256 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 4 SIMD steps unrolled || Xilinx Virtex 5 || align="right"| 9288 slices || align="right"| 2326 Mbit/s || align="right"| 40.9 MHz<br />
|-<br />
| SIMD-256 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 4 SIMD steps unrolled || Altera Stratix III || align="right"| 22376 ALUTs || align="right"| 2697 Mbit/s || align="right"| 47.4 MHz<br />
<br />
|-<br />
| SIMD-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 22704 slices || align="right"| 1338 Mbit/s || align="right"| 107.2 MHz<br />
|-<br />
| SIMD-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/MATSUO_SHA-3_Criteria_Hardware_revised.pdf Matsuo et al.] [[#Ref033|[33]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS website] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 3987 slices || align="right"| 835 Mbit/s || align="right"| 75 MHz<br />
|-<br />
| SIMD-512 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 43729 slices || align="right"| 2677 Mbit/s || align="right"| 107.2 MHz<br />
<br />
|-<br />
| SIMD-512 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 4 SIMD steps unrolled || Xilinx Virtex 5 || align="right"| 17016 slices || align="right"| 4139 Mbit/s || align="right"| 36.4 MHz<br />
|-<br />
| SIMD-512 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 4 SIMD steps unrolled || Altera Stratix III || align="right"| 47671 ALUTs || align="right"| 4936 Mbit/s || align="right"| 43.4 MHz<br />
<br />
|-<br />
| Skein-256-h || [http://www.skein-hash.info/sites/default/files/skein_fpga.pdf Men Long] [[#Ref011|[11]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || UBI component || Xilinx Virtex 5 || align="right"| 1001 slices || align="right"| 408.7 Mbit/s || align="right"| 114.9 MHz<br />
|-<br />
| Skein-256-256 || [http://eprint.iacr.org/2009/159.pdf Stefan Tillich] [[#Ref012|[12]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 8 Threefish rounds unrolled || Xilinx Virtex 5 || align="right"| 937 slices || align="right"| 1751 Mbit/s || align="right"| 68.4 MHz<br />
|-<br />
| Skein-256-256 || [http://eprint.iacr.org/2009/159.pdf Stefan Tillich] [[#Ref012|[12]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 8 Threefish rounds unrolled || Xilinx Spartan 3 || align="right"| 2421 slices || align="right"| 669 Mbit/s || align="right"| 26.14 MHz<br />
|-<br />
| Skein-256-256 || [http://eprint.iacr.org/2010/010.pdf Kobayashi et al.] [[#Ref003|[3]]] / [http://www.rcis.aist.go.jp/special/SASEBO/SHA3-en.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 854 slices || align="right"| 1482 Mbit/s || align="right"| 115 MHz<br />
<br />
|-<br />
| Skein-512-256 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 4 Threefish rounds unrolled || Xilinx Virtex 5 || align="right"| 1463 slices || align="right"| 2812 Mbit/s || align="right"| 104.3 MHz<br />
|-<br />
| Skein-512-256 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 4 Threefish rounds unrolled || Altera Stratix III || align="right"| 4499 ALUTs || align="right"| 2482 Mbit/s || align="right"| 92.1 MHz<br />
<br />
|-<br />
| Skein-256-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/MATSUO_SHA-3_Criteria_Hardware_revised.pdf Matsuo et al.] [[#Ref033|[33]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS website] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 854 slices || align="right"| 1402 Mbit/s || align="right"| 115 MHz<br />
|-<br />
| Skein-512-h || [http://www.skein-hash.info/sites/default/files/skein_fpga.pdf Men Long] [[#Ref011|[11]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || UBI component || Xilinx Virtex 5 || align="right"| 1877 slices || align="right"| 817.4 Mbit/s || align="right"| 114.9 MHz<br />
|-<br />
| Skein-512-512 || [http://eprint.iacr.org/2009/159.pdf Stefan Tillich] [[#Ref012|[12]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 8 Threefish rounds unrolled || Xilinx Virtex 5 || align="right"| 1632 slices || align="right"| 3535 Mbit/s || align="right"| 69.04 MHz<br />
|-<br />
| Skein-512-512 || [http://eprint.iacr.org/2009/159.pdf Stefan Tillich] [[#Ref012|[12]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 8 Threefish rounds unrolled || Xilinx Spartan 3 || align="right"| 4273 slices || align="right"| 1365 Mbit/s || align="right"| 26.66 MHz<br />
|-<br />
| Skein-512 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1786 slices || align="right"| 1945 Mbit/s || align="right"| 83.65 MHz<br />
<br />
|-<br />
| Skein-512-512 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 4 Threefish rounds unrolled || Xilinx Virtex 5 || align="right"| 1520 slices || align="right"| 2812 Mbit/s || align="right"| 104.3 MHz<br />
|-<br />
| Skein-512-512 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 4 Threefish rounds unrolled || Altera Stratix III || align="right"| 4563 ALUTs || align="right"| 2482 Mbit/s || align="right"| 92.1 MHz<br />
<br />
|}<br />
<br />
(*) Estimated peak throughput ignoring I/O bottleneck resulting from specific interface: (1536 bits/block) * (70.6 * 10^6 cycles/s) / (273 cycles/block) = 397.22 * 10^6 bits/s.<br />
<br /><br />
(**) Estimated peak throughput ignoring I/O bottleneck resulting from specific interface: (1024 bits/block) * (70.6 * 10^6 cycles/s) / (341 cycles/block) = 212.01 * 10^6 bits/s.<br />
<br /><br />
(***) CubeHash16/32-h implemented in a similar fashion can be expected to have throughput increased by a factor of about 16.<br />
<br />
<br /><br />
<br /><br />
<br />
=== Low-Area Implementations (FPGA) ===<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="120"| Hash Function Name !! width="150"| Reference / HDL !! width="100"| Impl. Scope !! width="200"| Implementation Details !! width="100"| Technology !! width="80"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| BLAKE-32 || [http://eprint.iacr.org/2010/173.pdf Beuchat et al.] [[#Ref013|[13]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Rescheduled G function || Xilinx Spartan-3 || align="right"| 124 slices || align="right"| 115 Mbit/s || align="right"| 190.0 MHz<br />
|-<br />
| BLAKE-32 || [http://eprint.iacr.org/2010/173.pdf Beuchat et al.] [[#Ref013|[13]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Rescheduled G function || Xilinx Virtex-4 || align="right"| 124 slices || align="right"| 216 Mbit/s || align="right"| 357.0 MHz<br />
|-<br />
| BLAKE-32 || [http://eprint.iacr.org/2010/173.pdf Beuchat et al.] [[#Ref013|[13]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Rescheduled G function || Xilinx Virtex-5 || align="right"| 56 slices || align="right"| 225 Mbit/s || align="right"| 372.0 MHz<br />
|-<br />
| BLAKE-32 || [http://eprint.iacr.org/2010/173.pdf Beuchat et al.] [[#Ref013|[13]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Rescheduled G function || Altera Cyclone III || align="right"| 285 LEs || align="right"| 116 Mbit/s || align="right"| 192.0 MHz<br />
|-<br />
| BLAKE-32 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with 1 G function unit || Xilinx Virtex-II Pro || align="right"| 958 slices || align="right"| 371 Mbit/s || align="right"| 59.0 MHz<br />
|-<br />
| BLAKE-32 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with 1 G function unit || Xilinx Virtex 4 || align="right"| 960 slices || align="right"| 430 Mbit/s || align="right"| 68.0 MHz<br />
|-<br />
| BLAKE-32 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with 1 G function unit || Xilinx Virtex 5 || align="right"| 390 slices || align="right"| 575 Mbit/s || align="right"| 91.0 MHz<br />
|-<br />
| BLAKE-64 || [http://eprint.iacr.org/2010/173.pdf Beuchat et al.] [[#Ref013|[13]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Rescheduled G function || Xilinx Spartan-3 || align="right"| 229 slices || align="right"| 138 Mbit/s || align="right"| 158.0 MHz<br />
|-<br />
| BLAKE-64 || [http://eprint.iacr.org/2010/173.pdf Beuchat et al.] [[#Ref013|[13]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Rescheduled G function || Xilinx Virtex-4 || align="right"| 230 slices || align="right"| 219 Mbit/s || align="right"| 250.0 MHz<br />
|-<br />
| BLAKE-64 || [http://eprint.iacr.org/2010/173.pdf Beuchat et al.] [[#Ref013|[13]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Rescheduled G function || Xilinx Virtex-5 || align="right"| 108 slices || align="right"| 314 Mbit/s || align="right"| 358.0 MHz<br />
|-<br />
| BLAKE-64 || [http://eprint.iacr.org/2010/173.pdf Beuchat et al.] [[#Ref013|[13]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Rescheduled G function || Altera Cyclone III || align="right"| 542 LEs || align="right"| 123 Mbit/s || align="right"| 140.0 MHz<br />
|-<br />
| BLAKE-64 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with 1 G function unit || Xilinx Virtex-II Pro || align="right"| 1802 slices || align="right"| 326 Mbit/s || align="right"| 36.0 MHz<br />
|-<br />
| BLAKE-64 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with 1 G function unit || Xilinx Virtex 4 || align="right"| 1856 slices || align="right"| 381 Mbit/s || align="right"| 42.0 MHz<br />
|-<br />
| BLAKE-64 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with 1 G function unit || Xilinx Virtex 5 || align="right"| 939 slices || align="right"| 533 Mbit/s || align="right"| 59.0 MHz<br />
|-<br />
| Blue Midnight Wish-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/El-Hadedy_SmallSizeFPGA-BMW256.pdf El Hadedy et al.] [[#Ref032|[32]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 32-bit datapath, 1 memory block || Xilinx Virtex || align="right"| 895 slices || align="right"| 9 Mbit/s || align="right"| 38 MHz<br />
|-<br />
| Blue Midnight Wish-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/El-Hadedy_SmallSizeFPGA-BMW256.pdf El Hadedy et al.] [[#Ref032|[32]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 32-bit datapath, 2 memory blocks || Xilinx Virtex 5 || align="right"| 84 slices || align="right"| 28 Mbit/s || align="right"| 116 MHz<br />
<br />
|-<br />
| Blue Midnight Wish-256 || [http://people.item.ntnu.no/~danilog/Hash/BMW-SecondRound/SmallSizeFPGA-BMWOct2010.pdf El Hadedy et al.] [[#Ref041|[41]]] / [http://www.q2s.ntnu.no/sha3_nist_competition/start Submission webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 32-bit datapath, 3 memory blocks || Xilinx Virtex 5 || align="right"| 51 slices || align="right"| 68.71 Mbit/s || align="right"| 141 MHz<br />
|-<br />
| Blue Midnight Wish-512 || [http://people.item.ntnu.no/~danilog/Hash/BMW-SecondRound/SmallSizeFPGA-BMWOct2010.pdf El Hadedy et al.] [[#Ref041|[41]]] / [http://www.q2s.ntnu.no/sha3_nist_competition/start Submission webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 64-bit datapath, 3 memory blocks || Xilinx Virtex 5 || align="right"| 105 slices || align="right"| 112.18 Mbit/s || align="right"| 115 MHz<br />
<br />
|-<br />
| ECHO || [http://eprint.iacr.org/2010/364.pdf Beuchat et al.] [[#Ref024|[24]]] / On request from author || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Adapted towards FPGA implementation (127 slices and 1 memory block) || Xilinx Virtex 5 || align="right"| 127 slices || align="right"| 72 Mbit/s || align="right"| 352.0 MHz<br />
|-<br />
| ECHO || Announced 19-08-2010 on hash-forum@nist.gov / On request from author || [[#Fully_Autonomous_Implementation|Fully autonomous]] || All ECHO + all AES variants || Xilinx Virtex 5 || align="right"| 231 slices || align="right"| 81.7 Mbit/s (ECHO-224/256), 41.9 Mbit/s (ECHO-384/512) || align="right"| 351.0 MHz<br />
|-<br />
| Grøstl-224/256 || [http://eprint.iacr.org/2009/206.pdf Jungk et al.] [[#Ref006|[6]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 64-bit datapath, P & Q permutation in parallel || Xilinx Spartan 3 || align="right"| 2486 slices || align="right"| 404 Mbit/s || align="right"| 63.2 MHz<br />
|-<br />
| Grøstl-224/256 || [http://eprint.iacr.org/2009/206.pdf Jungk et al.] [[#Ref006|[6]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 64-bit datapath, P & Q permutation in parallel || Xilinx Virtex 2 Pro || align="right"| 2754 slices || align="right"| 512 Mbit/s || align="right"| 81.5 MHz<br />
|-<br />
| Grøstl-224/256 || [http://eprint.iacr.org/2010/260.pdf Jungk and Reith] [[#Ref022|[22]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Shared P & Q permutation, S-Box based on composite field arithmetic || Xilinx Spartan 3 || align="right"| 1276 slices || align="right"| 192 Mbit/s || align="right"| 60 MHz<br />
|-<br />
| Grøstl-384/512 || [http://eprint.iacr.org/2010/260.pdf Jungk and Reith] [[#Ref022|[22]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Shared P & Q permutation, S-Box based on composite field arithmetic || Xilinx Spartan 3 || align="right"| 2110 slices || align="right"| 144 Mbit/s || align="right"| 63 MHz<br />
|-<br />
| Keccak || [http://keccak.noekeon.org/Keccak-main-1.2.pdf Updated spec. (v1.2)] [[#Ref008|[8]]] / [http://keccak.noekeon.org/ Submission webpage] || [[#Implementation_with_External_Memory|Using external memory]] || Small core using system memory || Altera Stratix III || align="right"| 855 ALUTs || align="right"| 96.8 Mbit/s || align="right"| 366 MHz<br />
|-<br />
| Keccak || [http://keccak.noekeon.org/Keccak-main-1.2.pdf Updated spec. (v1.2)] [[#Ref008|[8]]] / [http://keccak.noekeon.org/ Submission webpage] || [[#Implementation_with_External_Memory|Using external memory]] || Small core using system memory || Altera Cyclone III || align="right"| 1559 LEs || align="right"| 47.8 Mbit/s || align="right"| 181 MHz<br />
|-<br />
| Keccak || [http://keccak.noekeon.org/Keccak-main-1.2.pdf Updated spec. (v1.2)] [[#Ref008|[8]]] / [http://keccak.noekeon.org/ Submission webpage] || [[#Implementation_with_External_Memory|Using external memory]] || Small core using system memory || Xilinx Virtex 5 || align="right"| 444 slices || align="right"| 70.1 Mbit/s || align="right"| 265 MHz<br />
<br />
|-<br />
| Luffa-256 || [http://www.sdl.hitachi.co.jp/crypto/luffa/ACompactHardwareImplementationOfSHA-3CandidateLuffa_20101105.pdf Mikami et al.] [[#Ref027|[27]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || One permutation block (64 S-boxes, 4 MixWord blocks) || Xilinx Virtex 5 || align="right"| 355 slices || align="right"| 33 Mbit/s || align="right"| 50 MHz<br />
<br />
|-<br />
| Shabal || [http://ehash.iaik.tugraz.at/uploads/d/d4/FPGA_Implementation_of_Shabal_-_First_Results.pdf Feron and Francq] [[#Ref010|[10]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 36 adders in permutation || Xilinx Virtex 5 || align="right"| 596 slices (+ 40 DSP blocks) || align="right"| 1142 Mbit/s || align="right"| 109 MHz<br />
|-<br />
| Shabal || [http://eprint.iacr.org/2009/342.pdf Baldwin et al.] [[#Ref004|[4]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || 1 adder in permutation || Xilinx Spartan 3 || align="right"| 1933 slices || align="right"| 540 Mbit/s || align="right"| 89.71 MHz<br />
|-<br />
| Shabal || [http://eprint.iacr.org/2009/342.pdf Baldwin et al.] [[#Ref004|[4]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || 1 adder in permutation || Xilinx Virtex 5 || align="right"| 2307 slices || align="right"| 1330 Mbit/s || align="right"| 222.22 MHz<br />
|-<br />
| Shabal-512 || [http://eprint.iacr.org/2010/292.pdf Detrey et al.] [[#Ref023|[23]]] / [http://hwshabal.gforge.inria.fr/ INRIA webpage (see SCM tree)] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Exploiting SRL16 primitive || Xilinx Virtex 5 || align="right"| 153 slices || align="right"| 2051 Mbit/s || align="right"| 256 MHz<br />
|-<br />
| Shabal-512 || [http://eprint.iacr.org/2010/292.pdf Detrey et al.] [[#Ref023|[23]]] / [http://hwshabal.gforge.inria.fr/ INRIA webpage (see SCM tree)] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Exploiting SRL16 primitive || Xilinx Spartan 3 || align="right"| 499 slices || align="right"| 800 Mbit/s || align="right"| 100 MHz<br />
|-<br />
| Skein-256-256 || [http://www.vlsi.uwaterloo.ca/~ahasan/hasan_report.html Namin and Hasan] [[#Ref002|[2]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || One round of Threefish iterated || Altera Stratix III || align="right"| 1385 ALUTs || align="right"| 573.9 Mbit/s || align="right"| 161.42 MHz<br />
|}<br />
<br />
<br><br><br />
<br />
=== High-Speed Implementations (ASIC) ===<br />
<br />
A comparison of implementations of all 14 round 2 candidates has been presented informally at [http://www.iaik.tugraz.at/ IAIK] (Graz University of Technology) on Sept. 16, 2009. The updated presentation slides can be found [http://ehash.iaik.tugraz.at/uploads/f/fc/20091112_SHA-3_HW_stillich.pdf here].<br />
<br />
<br /><br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="120"| Hash Function Name !! width="150"| Reference / HDL !! width="100"| Impl. Scope !! width="200"| Implementation Details !! width="100"| Technology !! width="80"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| BLAKE-32 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with 8 G function units || UMC 0.18 µm || align="right"| 58.30 kGates || align="right"| 5295 Mbit/s || align="right"| 114 MHz<br />
|-<br />
| BLAKE-32 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with 4 G function units || UMC 0.18 µm || align="right"| 41.31 kGates || align="right"| 4153 Mbit/s || align="right"| 170 MHz<br />
|-<br />
| BLAKE-32 || [http://www.vlsi.uwaterloo.ca/~ahasan/hasan_report.html Namin and Hasan] [[#Ref002|[2]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with 8 G function units and I/O registers || STM 90 nm || align="right"| 53 kGates || align="right"| 4475 Mbit/s(*) || align="right"| 96.15 MHz<br />
|-<br />
| BLAKE-32 || [http://eprint.iacr.org/2009/510.pdf Tillich et al.] [[#Ref014|[14]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Compression function with 4 G function units with CSAs || UMC 0.18 µm || align="right"| 45.64 kGates || align="right"| 3971 Mbit/s || align="right"| 170.64 MHz<br />
|-<br />
| BLAKE-32 || [http://www.springerlink.com/content/g0115v3272156r06/ Henzen et al.] [[#Ref029|[29]]] / [http://www.iis.ee.ethz.ch/~sha3/ ETH webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Four parallel G functions modules || UMC 90 nm || align="right"| 47.5 kGates || align="right"| 9752 Mbit/s || align="right"| 400 MHz<br />
|-<br />
| BLAKE-32 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SCHAUMONT_SHA3.pdf Guo et al.] [[#Ref035|[35]]] / [http://rijndael.ece.vt.edu/sha3/ VT webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || UMC 0.13 µm || align="right"| 43.52 kGates || align="right"| 4645 Mbit/s || align="right"| 200 MHz<br />
|-<br />
| BLAKE-32 || [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] [[#Ref037|[37]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || STM 90 nm || align="right"| 37 kGates || align="right"| 6668 Mbit/s || align="right"| 286.5 MHz<br />
|-<br />
| BLAKE-32 || [http://131002.net/data/papers/HAMP10.pdf Henzen et al.] [[#Ref040|[40]]] / [http://131002.net/blake/ Submission webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Compression function with 8 G function units || UMC 0.18 µm || align="right"| 79 kGates || align="right"| 6376 Mbit/s || align="right"| 137 MHz<br />
|-<br />
| BLAKE-32 || [http://131002.net/data/papers/HAMP10.pdf Henzen et al.] [[#Ref040|[40]]] / [http://131002.net/blake/ Submission webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Compression function with 4 G function units || UMC 0.18 µm || align="right"| 48 kGates || align="right"| 5847 Mbit/s || align="right"| 240 MHz<br />
|-<br />
| BLAKE-32 || [http://131002.net/data/papers/HAMP10.pdf Henzen et al.] [[#Ref040|[40]]] / [http://131002.net/blake/ Submission webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Compression function with 8 G function units || UMC 0.13 µm || align="right"| 67 kGates || align="right"| 9365 Mbit/s || align="right"| 201 MHz<br />
|-<br />
| BLAKE-32 || [http://131002.net/data/papers/HAMP10.pdf Henzen et al.] [[#Ref040|[40]]] / [http://131002.net/blake/ Submission webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Compression function with 4 G function units || UMC 0.13 µm || align="right"| 43 kGates || align="right"| 8047 Mbit/s || align="right"| 330 MHz<br />
|-<br />
| BLAKE-32 || [http://131002.net/data/papers/HAMP10.pdf Henzen et al.] [[#Ref040|[40]]] / [http://131002.net/blake/ Submission webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Compression function with 8 G function units || UMC 90 nm || align="right"| 65 kGates || align="right"| 17498 Mbit/s || align="right"| 376 MHz<br />
|-<br />
| BLAKE-32 || [http://131002.net/data/papers/HAMP10.pdf Henzen et al.] [[#Ref040|[40]]] / [http://131002.net/blake/ Submission webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Compression function with 4 G function units || UMC 90 nm || align="right"| 38 kGates || align="right"| 15143 Mbit/s || align="right"| 621 MHz<br />
|-<br />
| BLAKE-64 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with 8 G function units || UMC 0.18 µm || align="right"| 132.47 kGates || align="right"| 5910 Mbit/s || align="right"| 87 MHz<br />
|-<br />
| BLAKE-64 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with 4 G function units || UMC 0.18 µm || align="right"| 82.73 kGates || align="right"| 4810 Mbit/s || align="right"| 136 MHz<br />
|-<br />
| BLAKE-64 || [http://131002.net/data/papers/HAMP10.pdf Henzen et al.] [[#Ref040|[40]]] / [http://131002.net/blake/ Submission webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Compression function with 8 G function units || UMC 0.18 µm || align="right"| 147 kGates || align="right"| 7216 Mbit/s || align="right"| 106 MHz<br />
|-<br />
| BLAKE-64 || [http://131002.net/data/papers/HAMP10.pdf Henzen et al.] [[#Ref040|[40]]] / [http://131002.net/blake/ Submission webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Compression function with 4 G function units || UMC 0.18 µm || align="right"| 98 kGates || align="right"| 7192 Mbit/s || align="right"| 204 MHz<br />
|-<br />
| BLAKE-64 || [http://131002.net/data/papers/HAMP10.pdf Henzen et al.] [[#Ref040|[40]]] / [http://131002.net/blake/ Submission webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Compression function with 8 G function units || UMC 0.13 µm || align="right"| 139 kGates || align="right"| 10802 Mbit/s || align="right"| 158 MHz<br />
|-<br />
| BLAKE-64 || [http://131002.net/data/papers/HAMP10.pdf Henzen et al.] [[#Ref040|[40]]] / [http://131002.net/blake/ Submission webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Compression function with 4 G function units || UMC 0.13 µm || align="right"| 92 kGates || align="right"| 10265 Mbit/s || align="right"| 291 MHz<br />
|-<br />
| BLAKE-64 || [http://131002.net/data/papers/HAMP10.pdf Henzen et al.] [[#Ref040|[40]]] / [http://131002.net/blake/ Submission webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Compression function with 8 G function units || UMC 90 nm || align="right"| 128 kGates || align="right"| 20317 Mbit/s || align="right"| 298 MHz<br />
|-<br />
| BLAKE-64 || [http://131002.net/data/papers/HAMP10.pdf Henzen et al.] [[#Ref040|[40]]] / [http://131002.net/blake/ Submission webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Compression function with 4 G function units || UMC 90 nm || align="right"| 79 kGates || align="right"| 18782 Mbit/s || align="right"| 532 MHz<br />
|-<br />
| Blue Midnight Wish-256 || [http://www.vlsi.uwaterloo.ca/~ahasan/hasan_report.html Namin and Hasan] [[#Ref002|[2]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with f0, f1, and f2 unrolled in sequence and I/O registers || STM 90 nm || align="right"| 164 kGates || align="right"| 26665 Mbit/s(*) || align="right"| 52.08 MHz<br />
|-<br />
| Blue Midnight Wish-256 || [http://eprint.iacr.org/2009/510.pdf Tillich et al.] [[#Ref014|[14]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Compression function with f0, f1, and f2 unrolled || UMC 0.18 µm || align="right"| 169.74 kGates || align="right"| 5358 Mbit/s || align="right"| 10.46 MHz<br />
|-<br />
| Blue Midnight Wish-256 || [http://www.springerlink.com/content/g0115v3272156r06/ Henzen et al.] [[#Ref029|[29]]] / [http://www.iis.ee.ethz.ch/~sha3/ ETH webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || single-cycle f0 and f2, f1 iteratively || UMC 90 nm || align="right"| 150 kGates || align="right"| 8486 Mbit/s || align="right"| 298 MHz<br />
|-<br />
| Blue Midnight Wish-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SCHAUMONT_SHA3.pdf Guo et al.] [[#Ref035|[35]]] / [http://rijndael.ece.vt.edu/sha3/ VT webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || UMC 0.13 µm || align="right"| 198.17 kGates || align="right"| 12220 Mbit/s || align="right"| 48 MHz<br />
|-<br />
| Blue Midnight Wish || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SAVAS_SHA3_NIST_final.pdf Akin et al.] [[#Ref034|[34]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with f0, f1, and f2 unrolled in sequence || Synopsys 90 nm || align="right"| 55.9 kGates || align="right"| 26320 Mbit/s || align="right"| 52.63 MHz<br />
|-<br />
| Blue Midnight Wish-256 || [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] [[#Ref037|[37]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || STM 90 nm || align="right"| 128.7 kGates || align="right"| 25937 Mbit/s || align="right"| 101.3 MHz<br />
|-<br />
| CubeHash16/32-h || [http://eprint.iacr.org/2009/510.pdf Tillich et al.] [[#Ref014|[14]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Dynamically reconfigurable r and b parameters, two rounds unrolled || UMC 0.18 µm || align="right"| 58.87 kGates || align="right"| 4665 Mbit/s || align="right"| 145.77 MHz<br />
|-<br />
| CubeHash16/32-h || [http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=5236043 Bernet et al.] [[#Ref020|[20]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || One round per cycle || 0.13 µm || align="right"| 34.33 kGates || align="right"| 9248 Mbit/s(***) || align="right"| 578 MHz<br />
|-<br />
| CubeHash16/32-h || [http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=5236043 Bernet et al.] [[#Ref020|[20]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Half a round per cycle || 0.13 µm || align="right"| 21.54 kGates || align="right"| 8000 Mbit/s(***) || align="right"| 1000 MHz<br />
|-<br />
| CubeHash16/32-256 || [http://www.springerlink.com/content/g0115v3272156r06/ Henzen et al.] [[#Ref029|[29]]] / [http://www.iis.ee.ethz.ch/~sha3/ ETH webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || One round per cycle, IV fixed || UMC 90 nm || align="right"| 42.5 kGates || align="right"| 10667 Mbit/s || align="right"| 667 MHz<br />
|-<br />
| CubeHash16/32-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SCHAUMONT_SHA3.pdf Guo et al.] [[#Ref035|[35]]] / [http://rijndael.ece.vt.edu/sha3/ VT webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || UMC 0.13 µm || align="right"| 38.18 kGates || align="right"| 4624 Mbit/s || align="right"| 289 MHz<br />
|-<br />
| CubeHash16/32-256 || [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] [[#Ref037|[37]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || STM 90 nm || align="right"| 35.5 kGates || align="right"| 8247 Mbit/s || align="right"| 515.5 MHz<br />
|-<br />
| ECHO-224/256 || [http://www.ucc.ie/en/crypto/CodingandCryptographyWorkshop/TheClaudeShannonWorkshoponCodingCryptography2009/DocumentFile,75649,en.pdf Lu et al.] [[#Ref005|[5]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || 0.13 µm || align="right"| 521.1 kGates || align="right"| 14850 Mbit/s || align="right"| 87.1 MHz<br />
|-<br />
| ECHO-256 || [http://eprint.iacr.org/2009/510.pdf Tillich et al.] [[#Ref014|[14]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Four parallel AES rounds, 16 AES MixColumns 32-bit column multipliers || UMC 0.18 µm || align="right"| 141.49 kGates || align="right"| 2246 Mbit/s || align="right"| 141.84 MHz<br />
|-<br />
| ECHO-256 || [http://www.springerlink.com/content/g0115v3272156r06/ Henzen et al.] [[#Ref029|[29]]] / [http://www.iis.ee.ethz.ch/~sha3/ ETH webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 8 AES rounds per cycle || UMC 90 nm || align="right"| 260 kGates || align="right"| 13966 Mbit/s || align="right"| 291 MHz<br />
|-<br />
| ECHO-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SCHAUMONT_SHA3.pdf Guo et al.] [[#Ref035|[35]]] / [http://rijndael.ece.vt.edu/sha3/ VT webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || UMC 0.13 µm || align="right"| 92.73 kGates || align="right"| 3366 Mbit/s || align="right"| 217 MHz<br />
|-<br />
| ECHO-256 || [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] [[#Ref037|[37]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || STM 90 nm || align="right"| 101.1 kGates || align="right"| 5621 Mbit/s || align="right"| 362.3 MHz<br />
|-<br />
| ECHO-384/512 || [http://www.ucc.ie/en/crypto/CodingandCryptographyWorkshop/TheClaudeShannonWorkshoponCodingCryptography2009/DocumentFile,75649,en.pdf Lu et al.] [[#Ref005|[5]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || 0.13 µm|| align="right"| 516.8 kGates || align="right"| 7750 Mbit/s || align="right"| 83.3 MHz<br />
|-<br />
| Fugue-256 || [http://domino.research.ibm.com/comm/research_projects.nsf/pages/fugue.index.html/$FILE/NIST-submission-Oct08-fugue.pdf Submission doc.] [[#Ref015|[15]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Four columns of SMIX transformation in parallel (SUPER4_P) || IBM 90 nm || align="right"| 109.85 kGates || align="right"| 13913 Mbit/s || align="right"| 869.5 MHz<br />
|-<br />
| Fugue-256 || [http://eprint.iacr.org/2009/510.pdf Tillich et al.] [[#Ref014|[14]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Four columns of SMIX transformation in parallel || UMC 0.18 µm || align="right"| 46.26 kGates || align="right"| 4092 Mbit/s || align="right"| 255.75 MHz<br />
|-<br />
| Fugue-256 || [http://www.springerlink.com/content/g0115v3272156r06/ Henzen et al.] [[#Ref029|[29]]] / [http://www.iis.ee.ethz.ch/~sha3/ ETH webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || S-box as LUT || UMC 90 nm || align="right"| 55 kGates || align="right"| 8815 Mbit/s || align="right"| 551 MHz<br />
|-<br />
| Fugue-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SCHAUMONT_SHA3.pdf Guo et al.] [[#Ref035|[35]]] / [http://rijndael.ece.vt.edu/sha3/ VT webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || UMC 0.13 µm || align="right"| 91.09 kGates || align="right"| 2385 Mbit/s || align="right"| 149 MHz<br />
|-<br />
| Fugue-256 || [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] [[#Ref037|[37]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || STM 90 nm || align="right"| 56.7 kGates || align="right"| 2721 Mbit/s || align="right"| 170.1 MHz<br />
|-<br />
| Grøstl-256 || [http://eprint.iacr.org/2009/510.pdf Tillich et al.] [[#Ref014|[14]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || One shared permutation for P & Q, one pipeline stage || UMC 0.18 µm || align="right"| 58.40 kGates || align="right"| 6290 Mbit/s || align="right"| 270.27 MHz<br />
|-<br />
| Grøstl-256 || [http://www.springerlink.com/content/g0115v3272156r06/ Henzen et al.] [[#Ref029|[29]]] / [http://www.iis.ee.ethz.ch/~sha3/ ETH webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || P and Q permutation interleaved with one pipeline stage, S-box as LUT || UMC 90 nm || align="right"| 135 kGates || align="right"| 16254 Mbit/s || align="right"| 667 MHz<br />
|-<br />
| Grøstl-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SCHAUMONT_SHA3.pdf Guo et al.] [[#Ref035|[35]]] / [http://rijndael.ece.vt.edu/sha3/ VT webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || UMC 0.13 µm || align="right"| 110.11 kGates || align="right"| 9606 Mbit/s || align="right"| 188 MHz<br />
|-<br />
| Grøstl-256 || [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] [[#Ref037|[37]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || STM 90 nm || align="right"| 139.1 kGates || align="right"| 17297 Mbit/s || align="right"| 337.8 MHz<br />
<br />
|-<br />
| Grøstl-256 || [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/others.html RCIS webpage] [[#Ref039|[39]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/others.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || STM 90 nm || align="right"| 120.8 kGates || align="right"| 16275 Mbit/s || align="right"| 349.7 MHz<br />
<br />
|-<br />
| Grøstl-384/512 || [http://www.groestl.info/Groestl.pdf Submission doc.] [[#Ref007|[7]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || P & Q permutation in parallel || UMC 0.18 µm || align="right"| 341 kGates || align="right"| 6225 Mbit/s || align="right"| 85.1 MHz<br />
|-<br />
| Hamsi-256 || [http://homes.esat.kuleuven.be/~okucuk/hamsi/implementations.html Junfeng Fan (Hamsi website)] [[#Ref016|[16]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || 0.13 µm || align="right"| 22 kGates || align="right"| 4940 Mbit/s || align="right"| 1080 MHz<br />
|-<br />
| Hamsi-256 || [http://eprint.iacr.org/2009/510.pdf Tillich et al.] [[#Ref014|[14]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Three instances of P/Pf function unrolled || UMC 0.18 µm || align="right"| 58.66 kGates || align="right"| 5565 Mbit/s || align="right"| 173.91 MHz<br />
|-<br />
| Hamsi-256 || [http://www.springerlink.com/content/g0115v3272156r06/ Henzen et al.] [[#Ref029|[29]]] / [http://www.iis.ee.ethz.ch/~sha3/ ETH webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Message expansions in LUTs, one round per cycle || UMC 90 nm || align="right"| 45 kGates || align="right"| 8686 Mbit/s || align="right"| 814 MHz<br />
|-<br />
| Hamsi-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SCHAUMONT_SHA3.pdf Guo et al.] [[#Ref035|[35]]] / [http://rijndael.ece.vt.edu/sha3/ VT webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || UMC 0.13 µm || align="right"| 29.94 kGates || align="right"| 3571 Mbit/s || align="right"| 446 MHz<br />
|-<br />
| Hamsi-256 || [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] [[#Ref037|[37]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || STM 90 nm || align="right"| 67.6 kGates || align="right"| 7767 Mbit/s || align="right"| 970.9 MHz<br />
|-<br />
| Hamsi-512 || [http://homes.esat.kuleuven.be/~okucuk/hamsi/implementations.html Junfeng Fan (Hamsi website)] [[#Ref016|[16]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || 0.13 µm || align="right"| 50 kGates || align="right"| 3970 Mbit/s || align="right"| 820 MHz<br />
|-<br />
| JH-256 || [http://eprint.iacr.org/2009/510.pdf Tillich et al.] [[#Ref014|[14]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 320 S-boxes, one round of R<sub>8</sub> per cycle || UMC 0.18 µm || align="right"| 58.83 kGates || align="right"| 4991 Mbit/s || align="right"| 380.22 MHz<br />
|-<br />
| JH-256 || [http://www.springerlink.com/content/g0115v3272156r06/ Henzen et al.] [[#Ref029|[29]]] / [http://www.iis.ee.ethz.ch/~sha3/ ETH webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || S-boxes as LUTs, stored constants || UMC 90 nm || align="right"| 80 kGates || align="right"| 10807 Mbit/s || align="right"| 760 MHz<br />
|-<br />
| JH-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SCHAUMONT_SHA3.pdf Guo et al.] [[#Ref035|[35]]] / [http://rijndael.ece.vt.edu/sha3/ VT webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || UMC 0.13 µm || align="right"| 62.42 kGates || align="right"| 5128 Mbit/s || align="right"| 391 MHz<br />
|-<br />
| JH-256 || [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] [[#Ref037|[37]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || STM 90 nm || align="right"| 54.6 kGates || align="right"| 10022 Mbit/s || align="right"| 763.4 MHz<br />
|-<br />
| Keccak || [http://keccak.noekeon.org/Keccak-main-1.2.pdf Updated spec. (v1.2)] [[#Ref008|[8]]] / [http://keccak.noekeon.org/ Submission webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Core (round function, state register) & IO buffer || ST 0.13 µm || align="right"| 48 kGates || align="right"| 29900 Mbit/s || align="right"| 526 MHz<br />
|-<br />
| Keccak || [http://keccak.noekeon.org/Keccak-specifications.pdf Submission doc.] [[#Ref008|[8]]] / [http://keccak.noekeon.org/ Submission webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Core (round function, state register) only || ST 0.13 µm || align="right"| 40 kGates || align="right"| 15000 Mbit/s || align="right"| 500 MHz<br />
|-<br />
| Keccak(-256) || [http://eprint.iacr.org/2009/510.pdf Tillich et al.] [[#Ref014|[14]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || One instance of Keccak-f round || UMC 0.18 µm || align="right"| 56.32 kGates || align="right"| 21229 Mbit/s || align="right"| 487.80 MHz<br />
|-<br />
| Keccak(-256) || [http://www.springerlink.com/content/g0115v3272156r06/ Henzen et al.] [[#Ref029|[29]]] / [http://www.iis.ee.ethz.ch/~sha3/ ETH webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || One round per cycle || UMC 90 nm || align="right"| 50 kGates || align="right"| 43011 Mbit/s || align="right"| 949 MHz<br />
|-<br />
| Keccak(-256) || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SCHAUMONT_SHA3.pdf Guo et al.] [[#Ref035|[35]]] / [http://rijndael.ece.vt.edu/sha3/ VT webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || UMC 0.13 µm || align="right"| 47.43 kGates || align="right"| 15457 Mbit/s || align="right"| 377 MHz<br />
|-<br />
| Keccak || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SAVAS_SHA3_NIST_final.pdf Akin et al.] [[#Ref034|[34]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || One Keccak-f round per cycle || Synopsys 90 nm || align="right"| 10.5 kGates || align="right"| 19320 Mbit/s || align="right"| 454.5 MHz<br />
|-<br />
| Keccak(-256) || [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] [[#Ref037|[37]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || STM 90 nm || align="right"| 50.7 kGates || align="right"| 33333 Mbit/s || align="right"| 781.3 MHz<br />
<br />
|-<br />
| Keccak(-256) || [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/others.html RCIS webpage] [[#Ref039|[39]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/others.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || STM 90 nm || align="right"| 55.9 kGates || align="right"| 43986 Mbit/s || align="right"| 1030.9 MHz<br />
<br />
|-<br />
| Luffa-224/256 || [http://www.cosic.esat.kuleuven.be/publications/article-1282.pdf Knežević and Verbauwhede] [[#Ref017|[17]]] / [http://homes.esat.kuleuven.be/~mknezevi/luffa/luffa_hw_code.tar.gz Author's webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Three permutation blocks in parallel (64 S-boxes, 4 MixWord blocks each) || UMC 0.13 µm || align="right"| 30.83 kGates || align="right"| 31960 Mbit/s || align="right"| 1124 MHz<br />
|-<br />
| Luffa-256 || [http://www.vlsi.uwaterloo.ca/~ahasan/hasan_report.html Namin and Hasan] [[#Ref002|[2]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function (1 cycle latency) and I/O registers || STM 90 nm || align="right"| 122 kGates || align="right"| 25702 Mbit/s(*) || align="right"| 100.4 MHz<br />
|-<br />
| Luffa-224/256 || [http://eprint.iacr.org/2009/510.pdf Tillich et al.] [[#Ref014|[14]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Three permutation blocks in parallel (64 S-boxes, 4 MixWord blocks each) || UMC 0.18 µm || align="right"| 44.97 kGates || align="right"| 13741 Mbit/s || align="right"| 483.09 MHz<br />
|-<br />
| Luffa-256 || [http://www.springerlink.com/content/g0115v3272156r06/ Henzen et al.] [[#Ref029|[29]]] / [http://www.iis.ee.ethz.ch/~sha3/ ETH webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Three parallel step modules, SubCrumb as logic || UMC 90 nm || align="right"| 55 kGates || align="right"| 23256 Mbit/s || align="right"| 727 MHz<br />
|-<br />
| Luffa-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SCHAUMONT_SHA3.pdf Guo et al.] [[#Ref035|[35]]] / [http://rijndael.ece.vt.edu/sha3/ VT webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || UMC 0.13 µm || align="right"| 37.94 kGates || align="right"| 13943 Mbit/s || align="right"| 490 MHz<br />
|-<br />
| Luffa-256 || [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] [[#Ref037|[37]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || STM 90 nm || align="right"| 39.6 kGates || align="right"| 28732 Mbit/s || align="right"| 1010.1 MHz<br />
<br />
|-<br />
| Luffa-256 || [http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=5513102&tag=1 Satoh et al.] [[#Ref038|[38]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/others.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Three permutation blocks in parallel (64 S-boxes, 4 MixWord blocks each), two rounds unrolled || STM 90 nm || align="right"| 62.8 kGates || align="right"| 35068.5 Mbit/s || align="right"| 684.9 MHz<br />
<br />
|-<br />
| Luffa-384 || [http://www.cosic.esat.kuleuven.be/publications/article-1282.pdf Knežević and Verbauwhede] [[#Ref017|[17]]] / [http://homes.esat.kuleuven.be/~mknezevi/luffa/luffa_hw_code.tar.gz Author's webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Four permutation blocks in parallel (64 S-boxes, 4 MixWord blocks each) || UMC 0.13 µm || align="right"| 50.07 kGates || align="right"| 23126 Mbit/s || align="right"| 813 MHz<br />
|-<br />
| Luffa-512 || [http://www.cosic.esat.kuleuven.be/publications/article-1282.pdf Knežević and Verbauwhede] [[#Ref017|[17]]] / [http://homes.esat.kuleuven.be/~mknezevi/luffa/luffa_hw_code.tar.gz Author's webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Five permutation blocks in parallel (64 S-boxes, 4 MixWord blocks each) || UMC 0.13 µm || align="right"| 65.1 kGates || align="right"| 19617 Mbit/s || align="right"| 690 MHz<br />
|-<br />
| Luffa || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SAVAS_SHA3_NIST_final.pdf Akin et al.] [[#Ref034|[34]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || Three step modules || Synopsys 90 nm || align="right"| 11.5 kGates || align="right"| 21370 Mbit/s || align="right"| 769.2 MHz<br />
|-<br />
| Shabal-256 || [http://www.vlsi.uwaterloo.ca/~ahasan/hasan_report.html Namin and Hasan] [[#Ref002|[2]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with I/O registers (latency of 16 clock cycles) || STM 90 nm || align="right"| 20 kGates || align="right"| 4408 Mbit/s(*) || align="right"| 413.22 MHz<br />
|-<br />
| Shabal-256 || [http://eprint.iacr.org/2009/510.pdf Tillich et al.] [[#Ref014|[14]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || One word rotation per cycle, 50 cycles per block || UMC 0.18 µm || align="right"| 54.19 kGates || align="right"| 3282 Mbit/s || align="right"| 320.51 MHz<br />
|-<br />
| Shabal || [http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=5236043 Bernet et al.] [[#Ref020|[20]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || One word rotation per cycle, 52 cycles per block || 0.13 µm || align="right"| 41.32 kGates || align="right"| 6351 Mbit/s(***) || align="right"| 645 MHz<br />
|-<br />
| Shabal-256 || [http://www.springerlink.com/content/g0115v3272156r06/ Henzen et al.] [[#Ref029|[29]]] / [http://www.iis.ee.ethz.ch/~sha3/ ETH webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 30 adders, 16 subtractors || UMC 90 nm || align="right"| 45 kGates || align="right"| 6819 Mbit/s || align="right"| 693 MHz<br />
|-<br />
| Shabal-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SCHAUMONT_SHA3.pdf Guo et al.] [[#Ref035|[35]]] / [http://rijndael.ece.vt.edu/sha3/ VT webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || UMC 0.13 µm || align="right"| 49.44 kGates || align="right"| 2945 Mbit/s || align="right"| 362 MHz<br />
|-<br />
| Shabal-256 || [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] [[#Ref037|[37]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || STM 90 nm || align="right"| 34.6 kGates || align="right"| 6059 Mbit/s || align="right"| 591.7 MHz<br />
|-<br />
| SHAvite-3<sub>256</sub> || [http://eprint.iacr.org/2009/510.pdf Tillich et al.] [[#Ref014|[14]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Four AES rounds (two for compression, two for message expansion) || UMC 0.18 µm || align="right"| 57.39 kGates || align="right"| 3152 Mbit/s || align="right"| 227.79 MHz<br />
|-<br />
| SHAvite-3<sub>256</sub> || [http://www.springerlink.com/content/g0115v3272156r06/ Henzen et al.] [[#Ref029|[29]]] / [http://www.iis.ee.ethz.ch/~sha3/ ETH webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || One AES round each for message expansion and F<sup>3</sup> round || UMC 90 nm || align="right"| 75 kGates || align="right"| 7999 Mbit/s || align="right"| 562 MHz<br />
|-<br />
| SHAvite-3<sub>256</sub> || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SCHAUMONT_SHA3.pdf Guo et al.] [[#Ref035|[35]]] / [http://rijndael.ece.vt.edu/sha3/ VT webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || UMC 0.13 µm || align="right"| 55.25 kGates || align="right"| 4599 Mbit/s || align="right"| 341 MHz<br />
|-<br />
| SHAvite-3<sub>256</sub> || [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] [[#Ref037|[37]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || STM 90 nm || align="right"| 59.4 kGates || align="right"| 8421 Mbit/s || align="right"| 625 MHz<br />
|-<br />
| SIMD-256(**) || [http://eprint.iacr.org/2009/510.pdf Tillich et al.] [[#Ref014|[14]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Two FFT-64 with two FFT-8 and 16 multipliers (8x8 bit) each || UMC 0.18 µm || align="right"| 104.17 kGates || align="right"| 924 Mbit/s || align="right"| 64.93 MHz<br />
|-<br />
| SIMD-256 || [http://www.springerlink.com/content/g0115v3272156r06/ Henzen et al.] [[#Ref029|[29]]] / [http://www.iis.ee.ethz.ch/~sha3/ ETH webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Four parallel Feistel modules, message expansion based on NNT<sub>8</sub> and eight multipliers || UMC 90 nm || align="right"| 135 kGates || align="right"| 5177 Mbit/s || align="right"| 364 MHz<br />
|-<br />
| SIMD-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SCHAUMONT_SHA3.pdf Guo et al.] [[#Ref035|[35]]] / [http://rijndael.ece.vt.edu/sha3/ VT webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || UMC 0.13 µm || align="right"| 139.55 kGates || align="right"| 2157 Mbit/s || align="right"| 194 MHz<br />
|-<br />
| SIMD-256 || [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] [[#Ref037|[37]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || STM 90 nm || align="right"| 139 kGates || align="right"| 3171 Mbit/s || align="right"| 284.9 MHz<br />
|-<br />
| Skein-256-256 || [http://eprint.iacr.org/2009/159.pdf Stefan Tillich] [[#Ref012|[12]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 8 Threefish rounds unrolled || UMC 0.18 µm || align="right"| 53.87 kGates || align="right"| 1762 Mbit/s || align="right"| 68.8 MHz<br />
|-<br />
| Skein-256-256 || [http://www.vlsi.uwaterloo.ca/~ahasan/hasan_report.html Namin and Hasan] [[#Ref002|[2]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || All 72 Threefish rounds unrolled || STM 90 nm || align="right"| 369 kGates || align="right"| 3126 Mbit/s(*) || align="right"| 12.21 MHz<br />
|-<br />
| Skein-256-256 || [http://eprint.iacr.org/2009/510.pdf Tillich et al.] [[#Ref014|[14]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 8 Threefish rounds unrolled || UMC 0.18 µm || align="right"| 58.61 kGates || align="right"| 1882 Mbit/s || align="right"| 73.52 MHz<br />
|-<br />
| Skein-256-256 || [http://www.springerlink.com/content/g0115v3272156r06/ Henzen et al.] [[#Ref029|[29]]] / [http://www.iis.ee.ethz.ch/~sha3/ ETH webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Four unrolled Threefish rounds || UMC 90 nm || align="right"| 50 kGates || align="right"| 3558 Mbit/s || align="right"| 264 MHz<br />
|-<br />
| Skein-256-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SCHAUMONT_SHA3.pdf Guo et al.] [[#Ref035|[35]]] / [http://rijndael.ece.vt.edu/sha3/ VT webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || UMC 0.13 µm || align="right"| 40.9 kGates || align="right"| 1941 Mbit/s || align="right"| 159 MHz<br />
|-<br />
| Skein-256-256 || [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] [[#Ref037|[37]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || STM 90 nm || align="right"| 43.1 kGates || align="right"| 3295 Mbit/s || align="right"| 270.3 MHz<br />
|-<br />
| Skein-512-512 || [http://eprint.iacr.org/2009/510.pdf Tillich et al.] [[#Ref014|[14]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 8 Threefish rounds unrolled || UMC 0.18 µm || align="right"| 102.04 kGates || align="right"| 2502 Mbit/s || align="right"| 48.87 MHz<br />
|-<br />
| Skein-512 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/WALKER_skein-intel-hwd.pdf Walker et al.] [[#Ref036|[36]]] / N/A] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 8 Threefish rounds unrolled || Intel 32 nm || align="right"| 57.93 kGates || align="right"| 32320 Mbit/s || align="right"| 631.31 MHz<br />
|}<br />
<br />
(*) Estimated peak throughput for the minimal delay of compression function: 1000 * (Input Size in bits) / [(Compression Function Delay in ns) * (Number of Cycles)] = Throughput in Mbit/s.<br />
<br /><br />
(**) Implementation of round-one variant.<br />
<br /><br />
(***) Estimated peak throughput: Throughput for CubeHash8/1-h implementation * 16.<br />
<br />
<br><br><br />
<br />
=== Low-Area Implementations (ASIC) ===<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="120"| Hash Function Name !! width="150"| Reference / HDL !! width="100"| Impl. Scope !! width="200"| Implementation Details !! width="100"| Technology !! width="80"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| BLAKE-32 || [http://eprint.iacr.org/2009/349.pdf Tillich et al.] [[#Ref018|[18]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || One G function in 11 cycles || AMS 0.35 µm || align="right"| 25.57 kGates || align="right"| 15.4 Mbit/s || align="right"| 31.25 MHz<br />
|-<br />
| BLAKE-32 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with a single G function unit || UMC 0.18 µm || align="right"| 10.54 kGates || align="right"| 253 Mbit/s || align="right"| 40 MHz<br />
|-<br />
| BLAKE-32 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with a half G function unit || UMC 0.18 µm || align="right"| 9.89 kGates || align="right"| 127 Mbit/s || align="right"| 40 MHz<br />
|-<br />
| BLAKE-32 || [http://131002.net/data/papers/HAMP10.pdf Henzen et al.] [[#Ref040|[40]]] / [http://131002.net/blake/ Submission webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 1 adder and 4-word latch array || UMC 0.18 µm || align="right"| 13.56 kGates || align="right"| 135 Mbit/s || align="right"| 215 MHz<br />
|-<br />
| BLAKE-32 || [http://131002.net/data/papers/HAMP10.pdf Henzen et al.] [[#Ref040|[40]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_with_External_Memory|Using external memory]] || 1 adder and 4-word latch array || UMC 0.18 µm || align="right"| 8.60 kGates || align="right"| 62 Mbit/s || align="right"| 100 MHz<br />
|-<br />
| BLAKE-64 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with a single G function unit || UMC 0.18 µm || align="right"| 20.61 kGates || align="right"| 181 Mbit/s || align="right"| 20 MHz<br />
|-<br />
| BLAKE-64 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with a half G function unit || UMC 0.18 µm || align="right"| 19.46 kGates || align="right"| 91 Mbit/s || align="right"| 20 MHz<br />
|-<br />
| CubeHash16/32-h || [http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=5236043 Bernet et al.] [[#Ref020|[20]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Process two 32-bit words per cycle, 64 cycles per round || 0.13 µm || align="right"| 7.63 kGates || align="right"| 32 Mbit/s(****) || align="right"| 100 MHz<br />
|-<br />
| ECHO-224/256 || [http://www.ucc.ie/en/crypto/CodingandCryptographyWorkshop/TheClaudeShannonWorkshoponCodingCryptography2009/DocumentFile,75649,en.pdf Lu et al.] [[#Ref005|[5]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || 0.13 µm || align="right"| 82.8 kGates || align="right"| 373 Mbit/s || align="right"| 66.6 MHz<br />
|-<br />
| Fugue-256 || [http://domino.research.ibm.com/comm/research_projects.nsf/pages/fugue.index.html/$FILE/NIST-submission-Oct08-fugue.pdf Submission doc.] [[#Ref015|[15]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || One SMIX transformation (SUPER1_L) || IBM 90 nm || align="right"| 59.22 kGates || align="right"| 2000 Mbit/s || align="right"| 500 MHz<br />
|-<br />
| Grøstl-224/256 || [http://eprint.iacr.org/2009/349.pdf Tillich et al.] [[#Ref018|[18]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 64-bit datapath, P & Q permutation shared || AMS 0.35 µm || align="right"| 14.62 kGates || align="right"| 145.9 Mbit/s || align="right"| 55.87 MHz<br />
|-<br />
| Grøstl-224/256 || [http://www.groestl.info Grøstl website] [[#Ref019|[19]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 64-bit datapath, P & Q permutation shared || UMC 0.18 µm || align="right"| 17 kGates || align="right"| 645 Mbit/s || align="right"| 246.9 MHz<br />
<br />
|-<br />
| Grøstl-256 || [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/others.html RCIS webpage] [[#Ref039|[39]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/others.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || STM 90 nm || align="right"| 34.8 kGates || align="right"| 2478 Mbit/s || align="right"| 101.6 MHz<br />
<br />
|-<br />
| Keccak || [http://keccak.noekeon.org/Keccak-main-1.2.pdf Updated spec. (v1.2)] [[#Ref008|[8]]] / [http://keccak.noekeon.org/ Submission webpage] || [[#Implementation_with_External_Memory|Using external memory]] || Small core using system memory || ST 0.13 µm || align="right"| 6.5 kGates || align="right"| 176.4 Mbit/s(*) || align="right"| 666.7 MHz<br />
|-<br />
| Keccak || [http://keccak.noekeon.org/Keccak-main-1.2.pdf Updated spec. (v1.2)] [[#Ref008|[8]]] / [http://keccak.noekeon.org/ Submission webpage] || [[#Implementation_with_External_Memory|Using external memory]] || Small core using system memory, clock freq. limited to 200 MHz || ST 0.13 µm || align="right"| 5 kGates || align="right"| 52.9 Mbit/s(**) || align="right"| 200 MHz<br />
|-<br />
| Luffa-224/256 || [http://www.cosic.esat.kuleuven.be/publications/article-1282.pdf Knežević and Verbauwhede] [[#Ref017|[17]]] / [http://homes.esat.kuleuven.be/~mknezevi/luffa/luffa_hw_code.tar.gz Author's webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || One permutation block (64 S-boxes, 4 MixWord blocks) || UMC 0.13 µm || align="right"| 18.26 kGates || align="right"| 2461 Mbit/s || align="right"| 250 MHz<br />
|-<br />
| Luffa-256 || [http://www.sdl.hitachi.co.jp/crypto/luffa/ACompactHardwareImplementationOfSHA-3CandidateLuffa_20101105.pdf Mikami et al.] [[#Ref027|[27]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || One permutation block (64 S-boxes, 4 MixWord blocks) || UMC 0.13 µm || align="right"| 10.34 kGates || align="right"| 538 Mbit/s || align="right"| 806 MHz<br />
<br />
|-<br />
| Luffa-256 || [http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=5513102&tag=1 Satoh et al.] [[#Ref038|[38]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/others.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || One permutation block (64 S-boxes, 4 MixWord blocks) || STM 90 nm || align="right"| 14.7 kGates || align="right"| 3641.1 Mbit/s || align="right"| 355.9 MHz<br />
<br />
|-<br />
| Luffa-384 || [http://www.cosic.esat.kuleuven.be/publications/article-1282.pdf Knežević and Verbauwhede] [[#Ref017|[17]]] / [http://homes.esat.kuleuven.be/~mknezevi/luffa/luffa_hw_code.tar.gz Author's webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 6 S-boxes, 1 MixWord || TSMC 90 nm || align="right"| 27.13 kGates || align="right"| 1882 Mbit/s || align="right"| 250 MHz<br />
|-<br />
| Luffa-512 || [http://www.cosic.esat.kuleuven.be/publications/article-1282.pdf Knežević and Verbauwhede] [[#Ref017|[17]]] / [http://homes.esat.kuleuven.be/~mknezevi/luffa/luffa_hw_code.tar.gz Author's webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || One permutation block (64 S-boxes, 4 MixWord blocks) || UMC 0.13 µm || align="right"| 37.35 kGates || align="right"| 1524 Mbit/s || align="right"| 250 MHz<br />
|-<br />
| Shabal || [http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=5236043 Bernet et al.] [[#Ref020|[20]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || One adder, one subtractor, one incrementer. 165 cycles per block || 0.13 µm || align="right"| 23.32 kGates || align="right"| 310 Mbit/s || align="right"| 100 MHz<br />
|-<br />
| Skein-256-256 || [http://eprint.iacr.org/2009/349.pdf Tillich et al.] [[#Ref018|[18]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 64-bit datapath || AMS 0.35 µm || align="right"| 12.89 kGates || align="right"| 19.8 Mbit/s || align="right"| 80 MHz<br />
|-<br />
| Skein-256-256 || [http://www.vlsi.uwaterloo.ca/~ahasan/hasan_report.html Namin and Hasan] [[#Ref002|[2]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || One round of Threefish iterated || STM 90 nm || align="right"| 21 kGates || align="right"| 1018.8 Mbit/s(***) || align="right"| 286.53 MHz<br />
|}<br />
<br />
(*) Estimation for 64-bit memory interface: (1024 bits/permutation) * (666.7 * 10^6 cycles/s) / (3870 cycles/permutation) = 176.41 * 10^6 bits/s<br />
<br /><br />
(**) Estimation for 64-bit memory interface: (1024 bits/permutation) * (200 * 10^6 cycles/s) / (3870 cycles/permutation) = 52.92 * 10^6 bits/s<br />
<br /><br />
(***) Estimated peak throughput for the minimal delay of compression function: 1000 * (Input Size in bits) / [(Compression Function Delay in ns) * (Number of Cycles)] = Throughput in Mbit/s<br />
<br /><br />
(****) Estimated peak throughput: Throughput for CubeHash8/1-h implementation * 16.<br />
<br />
<br /><br />
<br /><br />
<br />
== Comparative Studies ==<br />
<br />
This section summarizes the reported results of publications which examined more than one round-two candidate in a similar setup.<br />
<br />
=== Blake, BMW, Luffa, Shabal, Skein ===<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="200"| Reference !! width="120"| HDL !! width="120"| Category !! width="100"| Impl. Scope !! width="120"| Technology<br />
|- <br />
| [http://www.vlsi.uwaterloo.ca/~ahasan/hasan_report.html Namin and Hasan] [[#Ref002|[2]]] || N/A || [[#High-Speed_Implementations_(FPGA)|High-speed FPGA]] || [[#Implementation_of_Core_Functionality|Core functionality]] || Altera Stratix III<br />
|}<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="140"| Hash Function Name !! width="270"| Impl. Details !! width="90"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| BLAKE-32 || Compression function with 8 G function units and I/O registers || align="right"| 5435 ALUTs || align="right"| 2186.2 Mbit/s || align="right"| 46.97 MHz<br />
|-<br />
| Blue Midnight Wish-256 || Compression function with f0, f1, and f2 unrolled in sequence and I/O registers || align="right"| 12917 ALUTs || align="right"| 4889.6 Mbit/s || align="right"| 9.55 MHz<br />
|-<br />
| Luffa-256 || Compression function (1 cycle latency) and I/O registers || align="right"| 16552 ALUTs || align="right"| 12042.2 Mbit/s || align="right"| 47.04 MHz<br />
|-<br />
| Shabal-256 || Compression function with I/O registers (latency of 16 clock cycles) || align="right"| 1440 ALUTs || align="right"| 3125.6 Mbit/s || align="right"| 195.35 MHz<br />
|-<br />
| Skein-256-256 || All 72 Threefish rounds unrolled (device too small) || align="right"| N/A || align="right"| N/A || align="right"| N/A<br />
|}<br />
<br />
<br />
----<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="200"| Reference !! width="120"| HDL !! width="120"| Category !! width="100"| Impl. Scope !! width="120"| Technology<br />
|- <br />
| [http://www.vlsi.uwaterloo.ca/~ahasan/hasan_report.html Namin and Hasan] [[#Ref002|[2]]] || N/A || [[#High-Speed_Implementations_(ASIC)|High-speed ASIC]] || [[#Implementation_of_Core_Functionality|Core functionality]] || STM 90 nm<br />
|}<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="140"| Hash Function Name !! width="270"| Impl. Details !! width="90"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| BLAKE-32 || Compression function with 8 G function units and I/O registers || align="right"| 53 kGates || align="right"| 4475 Mbit/s(*) || align="right"| 96.15 MHz<br />
|-<br />
| Blue Midnight Wish-256 || Compression function with f0, f1, and f2 unrolled in sequence and I/O registers || align="right"| 164 kGates || align="right"| 26665 Mbit/s(*) || align="right"| 52.08 MHz<br />
|-<br />
| Luffa-256 || Compression function (1 cycle latency) and I/O registers || align="right"| 122 kGates || align="right"| 25702 Mbit/s(*) || align="right"| 100.4 MHz<br />
|-<br />
| Shabal-256 || Compression function with I/O registers (latency of 16 clock cycles) || align="right"| 20 kGates || align="right"| 4408 Mbit/s(*) || align="right"| 413.22 MHz<br />
|-<br />
| Skein-256-256 || All 72 Threefish rounds unrolled || align="right"| 369 kGates || align="right"| 3126 Mbit/s(*) || align="right"| 12.21 MHz<br />
|}<br />
<br />
(*) Estimated peak throughput for the minimal delay of compression function: 1000 * (Input Size in bits) / [(Compression Function Delay in ns) * (Number of Cycles)] = Throughput in Mbit/s.<br />
<br />
<br /><br />
<br /><br />
<br />
=== Blake, CubeHash, ECHO, Grøstl, Hamsi, Luffa, Shabal, Skein ===<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="200"| Reference !! width="120"| HDL !! width="120"| Category !! width="100"| Impl. Scope !! width="120"| Technology<br />
|- <br />
| [http://eprint.iacr.org/2010/010.pdf Kobayashi et al.] [[#Ref003|[3]]] || [http://www.rcis.aist.go.jp/special/SASEBO/SHA3-en.html RCIS webpage] || [[#High-Speed_Implementations_(FPGA)|High-speed FPGA]] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Xilinx Virtex 5<br />
|}<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="140"| Hash Function Name !! width="270"| Impl. Details !! width="90"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| BLAKE-32 || || align="right"| 1660 slices || align="right"| 2676 Mbit/s || align="right"| 115 MHz<br />
|-<br />
| CubeHash16/32-256 || || align="right"| 590 slices || align="right"| 2960 Mbit/s || align="right"| 185 MHz<br />
|-<br />
| ECHO-256 || || align="right"| 3556 slices || align="right"| 1614 Mbit/s || align="right"| 104 MHz<br />
|-<br />
| Grøstl-256 || || align="right"| 4057 slices || align="right"| 5171 Mbit/s || align="right"| 101 MHz<br />
|-<br />
| Hamsi-256 || || align="right"| 718 slices || align="right"| 1680 Mbit/s || align="right"| 210 MHz<br />
|-<br />
| Luffa-256 || || align="right"| 1048 slices || align="right"| 6343 Mbit/s || align="right"| 223 MHz<br />
|-<br />
| Shabal-256 || || align="right"| 1251 slices || align="right"| 1739 Mbit/s || align="right"| 214 MHz<br />
|-<br />
| Skein-256 || || align="right"| 854 slices || align="right"| 1482 Mbit/s || align="right"| 115 MHz<br />
|}<br />
<br />
<br /><br />
<br /><br />
<br />
=== CubeHash, Grøstl, Shabal ===<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="200"| Reference !! width="120"| HDL !! width="120"| Category !! width="100"| Impl. Scope !! width="120"| Technology<br />
|- <br />
| [http://eprint.iacr.org/2009/342.pdf Baldwin et al.] [[#Ref004|[4]]] || N/A || [[#High-Speed_Implementations_(FPGA)|High-speed FPGA]] || [[#Implementation_of_Core_Functionality|Core functionality]] || Xilinx Spartan 3<br />
|}<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="140"| Hash Function Name !! width="270"| Impl. Details !! width="90"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| CubeHash8/1-256(*) || 2 compression functions unrolled || align="right"| 3268 slices || align="right"| 70 Mbit/s || align="right"| 37.9 MHz<br />
|-<br />
| Grøstl-224/256 || P & Q permutation in parallel, S-box in BRAM || align="right"| 4827 slices || align="right"| 3660 Mbit/s || align="right"| 71.53 MHz<br />
|-<br />
| Grøstl-384/512 || P & Q permutation parallel, S-box in LUTs || align="right"| 17452 slices || align="right"| 3180 Mbit/s || align="right"| 79.61 MHz<br />
|-<br />
| Shabal || 36 adders in permutation || align="right"| 2223 slices || align="right"| 740 Mbit/s || align="right"| 71.48 MHz<br />
|}<br />
<br />
(*) CubeHash16/32-h implemented in a similar fashion can be expected to have throughput increased by a factor of about 16.<br />
<br />
<br />
----<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="200"| Reference !! width="120"| HDL !! width="120"| Category !! width="100"| Impl. Scope !! width="120"| Technology<br />
|- <br />
| [http://eprint.iacr.org/2009/342.pdf Baldwin et al.] [[#Ref004|[4]]] || N/A || [[#High-Speed_Implementations_(FPGA)|High-speed FPGA]] || [[#Implementation_of_Core_Functionality|Core functionality]] || Xilinx Virtex 5<br />
|}<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="140"| Hash Function Name !! width="270"| Impl. Details !! width="90"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| CubeHash8/1-256(*) || 1 iterated compression function || align="right"| 1178 slices || align="right"| 160 Mbit/s || align="right"| 166.8 MHz<br />
|-<br />
| Grøstl-224/256 || P & Q permutation in parallel, S-box in BRAM || align="right"| 4516 slices || align="right"| 7310 Mbit/s || align="right"| 142.87 MHz<br />
|-<br />
| Grøstl-384/512 || P & Q permutation parallel, S-box in LUTs || align="right"| 19161 slices || align="right"| 6090 Mbit/s || align="right"| 83.33 MHz<br />
|-<br />
| Shabal || 36 adders in permutation || align="right"| 2768 slices || align="right"| 1450 Mbit/s || align="right"| 138.87 MHz<br />
|}<br />
<br />
(*) CubeHash16/32-h implemented in a similar fashion can be expected to have throughput increased by a factor of about 16.<br />
<br />
<br /><br />
<br /><br />
<br />
=== All 14 Round-Two Candidates ===<br />
<br />
Reported results are post-synthesis. An interactive graphical comparison of various area-performance tradeoffs of this study can be found [http://www.iaik.tugraz.at/content/research/vlsi/sha3hw/ here].<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="200"| Reference !! width="120"| HDL !! width="120"| Category !! width="100"| Impl. Scope !! width="120"| Technology<br />
|- <br />
| [http://eprint.iacr.org/2009/510.pdf Tillich et al.] [[#Ref014|[14]]] || [mailto:mfeldhof@iaik.tugraz.at On request] || [[#High-Speed_Implementations_(ASIC)|High-speed ASIC]] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || UMC 0.18 µm<br />
|}<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="140"| Hash Function Name !! width="270"| Impl. Details !! width="90"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| BLAKE-32 || Compression function with 4 G function units with CSAs || align="right"| 45.64 kGates || align="right"| 3971 Mbit/s || align="right"| 170.64 MHz<br />
|-<br />
| Blue Midnight Wish-256 || Compression function with f0, f1, and f2 unrolled || align="right"| 169.74 kGates || align="right"| 5358 Mbit/s || align="right"| 10.46 MHz<br />
|-<br />
| CubeHash16/32-h || Dynamically reconfigurable r and b parameters, two rounds unrolled || align="right"| 58.87 kGates || align="right"| 4665 Mbit/s || align="right"| 145.77 MHz<br />
|-<br />
| ECHO-256 || Four parallel AES rounds, 16 AES MixColumns 32-bit column multipliers || align="right"| 141.49 kGates || align="right"| 2246 Mbit/s || align="right"| 141.84 MHz<br />
|-<br />
| Fugue-256 || Four columns of SMIX transformation in parallel || align="right"| 46.26 kGates || align="right"| 4092 Mbit/s || align="right"| 255.75 MHz<br />
|-<br />
| Grøstl-256 || One shared permutation for P & Q, one pipeline stage || align="right"| 58.40 kGates || align="right"| 6290 Mbit/s || align="right"| 270.27 MHz<br />
|-<br />
| Hamsi-256 || Three instances of P/Pf function unrolled || align="right"| 58.66 kGates || align="right"| 5565 Mbit/s || align="right"| 173.91 MHz<br />
|-<br />
| JH-256 || 320 S-boxes, one round of R<sub>8</sub> per cycle || align="right"| 58.83 kGates || align="right"| 4991 Mbit/s || align="right"| 380.22 MHz<br />
|-<br />
| Keccak(-256) || One instance of Keccak-f round || align="right"| 56.32 kGates || align="right"| 21229 Mbit/s || align="right"| 487.80 MHz<br />
|-<br />
| Luffa-224/256 || Three permutation blocks in parallel (64 S-boxes, 4 MixWord blocks each) || align="right"| 44.97 kGates || align="right"| 13741 Mbit/s || align="right"| 483.09 MHz<br />
|-<br />
| Shabal-256 || One word rotation per cycle, 50 cycles per block || align="right"| 54.19 kGates || align="right"| 3282 Mbit/s || align="right"| 320.51 MHz<br />
|-<br />
| SHAvite-3<sub>256</sub> || Four AES rounds (two for compression, two for message expansion) || align="right"| 57.39 kGates || align="right"| 3152 Mbit/s || align="right"| 227.79 MHz<br />
|-<br />
| SIMD-256(*) || Two FFT-64 with two FFT-8 and 16 multipliers (8x8 bit) each || align="right"| 104.17 kGates || align="right"| 924 Mbit/s || align="right"| 64.93 MHz<br />
|-<br />
| Skein-256-256 || 8 Threefish rounds unrolled || align="right"| 58.61 kGates || align="right"| 1882 Mbit/s || align="right"| 73.52 MHz<br />
|-<br />
| Skein-512-512 || 8 Threefish rounds unrolled || align="right"| 102.04 kGates || align="right"| 2502 Mbit/s || align="right"| 48.87 MHz<br />
|}<br />
<br />
(*) Implementation of round-one variant.<br />
<br />
<br /><br />
<br /><br />
<br />
=== BLAKE, Grøstl, Skein ===<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="200"| Reference !! width="120"| HDL !! width="120"| Category !! width="100"| Impl. Scope !! width="120"| Technology<br />
|- <br />
| [http://eprint.iacr.org/2009/349.pdf Tillich et al.] [[#Ref018|[18]]] || N/A || [[#Low-Area_Implementations_(ASIC)|Low-area ASIC]] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || AMS 0.35 µm<br />
|}<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="140"| Hash Function Name !! width="270"| Impl. Details !! width="90"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| BLAKE-32 || One G function in 11 cycles || align="right"| 25.57 kGates || align="right"| 15.4 Mbit/s || align="right"| 31.25 MHz<br />
|-<br />
| Grøstl-224/256 || 64-bit datapath, P & Q permutation shared || align="right"| 14.62 kGates || align="right"| 145.9 Mbit/s || align="right"| 55.87 MHz<br />
|-<br />
| Skein-256-256 || 64-bit datapath || align="right"| 12.89 kGates || align="right"| 19.8 Mbit/s || align="right"| 80 MHz<br />
|}<br />
<br />
<br />
=== ECHO, Hamsi, Luffa ===<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="200"| Reference !! width="120"| HDL !! width="120"| Category !! width="100"| Impl. Scope !! width="120"| Technology<br />
|- <br />
| [http://ehash.iaik.tugraz.at/uploads/1/12/Ramakers_Narinx2010ECHO-Hamsi-Luffa_ExtendedAbstract_ENGLISH.pdf Ramakers and Narinx] [[#Ref025|[25]]] || [http://ehash.iaik.tugraz.at/uploads/2/27/Ramakers_Narinx2010ECHO-Hamsi-Luffa_VHDL_sources.zip Hosted by SHA-3 zoo] || [[#High-Speed_Implementations_(FPGA)|High-speed FPGA]] || [[#Implementation_of_Core_Functionality|Core functionality]] || Xilinx Virtex 5<br />
|}<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="140"| Hash Function Name !! width="270"| Impl. Details !! width="90"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| ECHO-256 || Straight-forward instantiation of complete compression function || align="right"| 15006 slices || align="right"| 23860 Mbit/s || align="right"| 139 MHz<br />
|-<br />
| ECHO-256 || Optimized: 4 x 2 AES round instances with pipeline register in BigSubWords || align="right"| 12061 slices || align="right"| 3560 Mbit/s || align="right"| 187 MHz<br />
|-<br />
| Hamsi-256 || Straight-forward instantiation of complete compression function || align="right"| 4664 slices || align="right"| 6620 Mbit/s || align="right"| 207 MHz<br />
|-<br />
| Hamsi-256 || Non-linear permutation block reused || align="right"| 2113 slices || align="right"| 1970 Mbit/s || align="right"| 308 MHz<br />
|-<br />
| Luffa-256 || Straight-forward instantiation of complete compression function || align="right"| 9611 slices || align="right"| 12290 Mbit/s || align="right"| 48.2 MHz<br />
|-<br />
| Luffa-256 || One step block reused for 8 rounds || align="right"| 2303 slices || align="right"| 5090 Mbit/s || align="right"| 179 MHz<br />
|}<br />
<br />
<br />
=== All 14 Round-Two Candidates ===<br />
<br />
Reported results of this study are post-P&amp;R performances of designs targeting high throughput.<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="200"| Reference !! width="120"| HDL !! width="120"| Category !! width="100"| Impl. Scope !! width="120"| Technology<br />
|- <br />
| [http://www.springerlink.com/content/g0115v3272156r06/ Henzen et al.] [[#Ref029|[29]]] || [http://www.iis.ee.ethz.ch/~sha3/ ETH webpage] || [[#High-Speed_Implementations_(ASIC)|High-speed ASIC]] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || UMC 90 nm<br />
|}<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="140"| Hash Function Name !! width="270"| Impl. Details !! width="90"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| BLAKE-32 || Four parallel G functions modules || align="right"| 47.5 kGates || align="right"| 9752 Mbit/s || align="right"| 400 MHz<br />
|-<br />
| Blue Midnight Wish-256 || single-cycle f0 and f2, f1 iteratively || align="right"| 150 kGates || align="right"| 8486 Mbit/s || align="right"| 298 MHz<br />
|-<br />
| CubeHash16/32-256 || One round per cycle, IV fixed || align="right"| 42.5 kGates || align="right"| 10667 Mbit/s || align="right"| 667 MHz<br />
|-<br />
| ECHO-256 || 8 AES rounds per cycle || align="right"| 260 kGates || align="right"| 13966 Mbit/s || align="right"| 291 MHz<br />
|-<br />
| Fugue-256 || S-box as LUT || align="right"| 55 kGates || align="right"| 8815 Mbit/s || align="right"| 551 MHz<br />
|-<br />
| Grøstl-256 || P and Q permutation interleaved with one pipeline stage, S-box as LUT || align="right"| 135 kGates || align="right"| 16254 Mbit/s || align="right"| 667 MHz<br />
|-<br />
| Hamsi-256 || Message expansions in LUTs, one round per cycle || align="right"| 45 kGates || align="right"| 8686 Mbit/s || align="right"| 814 MHz<br />
|-<br />
| JH-256 || S-boxes as LUTs, stored constants || align="right"| 80 kGates || align="right"| 10807 Mbit/s || align="right"| 760 MHz<br />
|-<br />
| Keccak(-256) || One round per cycle || align="right"| 50 kGates || align="right"| 43011 Mbit/s || align="right"| 949 MHz<br />
|-<br />
| Luffa-256 || Three parallel step modules, SubCrumb as logic || align="right"| 55 kGates || align="right"| 23256 Mbit/s || align="right"| 727 MHz<br />
|-<br />
| Shabal-256 || 30 adders, 16 subtractors || align="right"| 45 kGates || align="right"| 6819 Mbit/s || align="right"| 693 MHz<br />
|-<br />
| SHAvite-3<sub>256</sub> || One AES round each for message expansion and F<sup>3</sup> round || align="right"| 75 kGates || align="right"| 7999 Mbit/s || align="right"| 562 MHz<br />
|-<br />
| SIMD-256 || Four parallel Feistel modules, message expansion based on NNT<sub>8</sub> and eight multipliers || align="right"| 135 kGates || align="right"| 5177 Mbit/s || align="right"| 364 MHz<br />
|-<br />
| Skein-256-256 || Four unrolled Threefish rounds || align="right"| 50 kGates || align="right"| 3558 Mbit/s || align="right"| 264 MHz<br />
|}<br />
<br />
<br /><br />
<br /><br />
<br />
<br />
=== All 14 Round-Two Candidates ===<br />
<br />
Designs optimized towards throughput to area ratio. The cited results are those for the Xilinx Virtex 5 and Altera Stratix III platforms (both for the 256-bit and the 512-bit version of the candidates). For a full listing of all ATHENa results refer to the [http://cryptography.gmu.edu/athena/ ATHENa webpage].<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="200"| Reference !! width="120"| HDL !! width="120"| Category !! width="100"| Impl. Scope !! width="120"| Technology<br />
|- <br />
| [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] || N/A || [[#High-Speed_Implementations_(FPGA)|High-speed FPGA]] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Xilinx Virtex 5<br />
|}<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="140"| Hash Function Name !! width="270"| Impl. Details !! width="90"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
<br />
|-<br />
| BLAKE-32 || 4 G function units per iteration || align="right"| 1871 slices || align="right"| 2854 Mbit/s || align="right"| 117.1 MHz<br />
|-<br />
| BLAKE-64 || 4 G function units per iteration || align="right"| 3276 slices || align="right"| 3743 Mbit/s || align="right"| 106.0 MHz<br />
|-<br />
| Blue Midnight Wish-256 || Fully unrolled || align="right"| 4400 slices || align="right"| 5577 Mbit/s || align="right"| 10.9 MHz<br />
|-<br />
| Blue Midnight Wish-512 || Fully unrolled || align="right"| 10401 slices || align="right"| 8656 Mbit/s || align="right"| 8.5 MHz<br />
|-<br />
| CubeHash16/32-256 || || align="right"| 707 slices || align="right"| 3445 Mbit/s || align="right"| 215.3 MHz<br />
|-<br />
| CubeHash16/32-512 || || align="right"| 764 slices || align="right"| 3509 Mbit/s || align="right"| 219.3 MHz<br />
|-<br />
| ECHO-256 || 3 clk cycles per round || align="right"| 5445 slices || align="right"| 13874 Mbit/s || align="right"| 234.9 MHz<br />
|-<br />
| ECHO-512 || 3 clk cycles per round || align="right"| 5958 slices || align="right"| 6431 Mbit/s || align="right"| 201.0 MHz<br />
|-<br />
| Fugue-256 || 2 clk cycles per round || align="right"| 729 slices || align="right"| 3512 Mbit/s || align="right"| 219.5 MHz<br />
|-<br />
| Fugue-512 || 4 clk cycles per round || align="right"| 955 slices || align="right"| 1862 Mbit/s || align="right"| 232.7 MHz<br />
|-<br />
| Grøstl-256 || P & Q permutations interleaved || align="right"| 1716 slices || align="right"| 8546 Mbit/s || align="right"| 350.5 MHz<br />
|-<br />
| Grøstl-512 || P & Q permutations interleaved || align="right"| 3155 slices || align="right"| 11498 Mbit/s || align="right"| 325.6 MHz<br />
|-<br />
| Hamsi-256 || || align="right"| 946 slices || align="right"| 2646 Mbit/s || align="right"| 248.1 MHz<br />
|-<br />
| Hamsi-512 || || align="right"| 2201 slices || align="right"| 1828 Mbit/s || align="right"| 171.4 MHz<br />
|-<br />
| JH-256 || || align="right"| 1108 slices || align="right"| 3955 Mbit/s || align="right"| 278.1 MHz<br />
|-<br />
| JH-512 || || align="right"| 1165 slices || align="right"| 3918 Mbit/s || align="right"| 275.5 MHz<br />
|-<br />
| Keccak(-256) || || align="right"| 1229 slices || align="right"| 10807 Mbit/s || align="right"| 238.4 MHz<br />
|-<br />
| Keccak(-512) || || align="right"| 1236 slices || align="right"| 6645 Mbit/s || align="right"| 276.9 MHz<br />
|-<br />
| Luffa-256 || || align="right"| 1154 slices || align="right"| 8008 Mbit/s || align="right"| 281.5 MHz<br />
|-<br />
| Luffa-512 || || align="right"| 2164 slices || align="right"| 7044 Mbit/s || align="right"| 220.1 MHz<br />
|-<br />
| Shabal-256 || 2 rounds unrolled || align="right"| 1266 slices || align="right"| 2624 Mbit/s || align="right"| 128.1 MHz<br />
|-<br />
| Shabal-512 || 2 rounds unrolled || align="right"| 1372 slices || align="right"| 2771 Mbit/s || align="right"| 135.3 MHz<br />
|-<br />
| SHAvite-3<sub>256</sub> || 3 clk cycles per round || align="right"| 1130 slices || align="right"| 2886 Mbit/s || align="right"| 208.6 MHz<br />
|-<br />
| SHAvite-3<sub>512</sub> || 4 clk cycles per round || align="right"| 1954 slices || align="right"| 3835 Mbit/s || align="right"| 213.4 MHz<br />
|-<br />
| SIMD-256 || 4 SIMD steps unrolled || align="right"| 9288 slices || align="right"| 2326 Mbit/s || align="right"| 40.9 MHz<br />
|-<br />
| SIMD-512 || 4 SIMD steps unrolled || align="right"| 17016 slices || align="right"| 4139 Mbit/s || align="right"| 36.4 MHz<br />
|-<br />
| Skein-512-256 || 4 Threefish rounds unrolled || align="right"| 1463 slices || align="right"| 2812 Mbit/s || align="right"| 104.3 MHz<br />
|-<br />
| Skein-512-512 || 4 Threefish rounds unrolled || align="right"| 1520 slices || align="right"| 2812 Mbit/s || align="right"| 104.3 MHz<br />
<br />
|}<br />
<br />
<br />
----<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="200"| Reference !! width="120"| HDL !! width="120"| Category !! width="100"| Impl. Scope !! width="120"| Technology<br />
|- <br />
| [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] || N/A || [[#High-Speed_Implementations_(FPGA)|High-speed FPGA]] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Altera Stratix III<br />
|}<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="140"| Hash Function Name !! width="270"| Impl. Details !! width="90"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
<br />
|-<br />
| BLAKE-32 || 4 G function units per iteration || align="right"| 1779 ALUTs || align="right"| 3037 Mbit/s || align="right"| 124.6 MHz<br />
|-<br />
| BLAKE-64 || 4 G function units per iteration || align="right"| 3414 ALUTs || align="right"| 3298 Mbit/s || align="right"| 93.4 MHz<br />
|-<br />
| Blue Midnight Wish-256 || Fully unrolled || align="right"| 12632 ALUTs || align="right"| 8422 Mbit/s || align="right"| 16.5 MHz<br />
|-<br />
| Blue Midnight Wish-512 || Fully unrolled || align="right"| 25225 ALUTs || align="right"| 7619 Mbit/s || align="right"| 7.4 MHz<br />
|-<br />
| CubeHash16/32-256 || || align="right"| 1928 ALUTs || align="right"| 3777 Mbit/s || align="right"| 236.1 MHz<br />
|-<br />
| CubeHash16/32-512 || || align="right"| 1924 ALUTs || align="right"| 3489 Mbit/s || align="right"| 218.1 MHz<br />
|-<br />
| ECHO-256 || 3 clk cycles per round || align="right"| 21689 ALUTs || align="right"| 9700 Mbit/s || align="right"| 164.2 MHz<br />
|-<br />
| ECHO-512 || 3 clk cycles per round || align="right"| 20085 ALUTs || align="right"| 7872 Mbit/s || align="right"| 246.0 MHz<br />
|-<br />
| Fugue-256 || 2 clk cycles per round || align="right"| 2352 ALUTs || align="right"| 3765 Mbit/s || align="right"| 235.3 MHz<br />
|-<br />
| Fugue-512 || 4 clk cycles per round || align="right"| 2680 ALUTs || align="right"| 1878 Mbit/s || align="right"| 234.8 MHz<br />
|-<br />
| Grøstl-256 || P & Q permutations interleaved || align="right"| 3103 ALUTs || align="right"| 6589 Mbit/s || align="right"| 270.3 MHz<br />
|-<br />
| Grøstl-512 || P & Q permutations interleaved || align="right"| 6288 ALUTs || align="right"| 8841 Mbit/s || align="right"| 250.4 MHz<br />
|-<br />
| Hamsi-256 || || align="right"| 2320 ALUTs || align="right"| 3145 Mbit/s || align="right"| 294.8 MHz<br />
|-<br />
| Hamsi-512 || || align="right"| 5668 ALUTs || align="right"| 1932 Mbit/s || align="right"| 181.2 MHz<br />
|-<br />
| JH-256 || || align="right"| 3107 ALUTs || align="right"| 5191 Mbit/s || align="right"| 365.0 MHz<br />
|-<br />
| JH-512 || || align="right"| 3222 ALUTs || align="right"| 5105 Mbit/s || align="right"| 358.9 MHz<br />
|-<br />
| Keccak(-256) || || align="right"| 4458 ALUTs || align="right"| 13432 Mbit/s || align="right"| 296.3 MHz<br />
|-<br />
| Keccak(-512) || || align="right"| 3575 ALUTs || align="right"| 6471 Mbit/s || align="right"| 269.6 MHz<br />
|-<br />
| Luffa-256 || || align="right"| 3304 ALUTs || align="right"| 8741 Mbit/s || align="right"| 307.3 MHz<br />
|-<br />
| Luffa-512 || || align="right"| 6888 ALUTs || align="right"| 8577 Mbit/s || align="right"| 268.0 MHz<br />
|-<br />
| Shabal-256 || 2 rounds unrolled || align="right"| 3600 ALUTs || align="right"| 2598 Mbit/s || align="right"| 126.9 MHz<br />
|-<br />
| Shabal-512 || 2 rounds unrolled || align="right"| 3753 ALUTs || align="right"| 2589 Mbit/s || align="right"| 126.4 MHz<br />
|-<br />
| SHAvite-3<sub>256</sub> || 3 clk cycles per round || align="right"| 2497 ALUTs || align="right"| 3529 Mbit/s || align="right"| 255.0 MHz<br />
|-<br />
| SHAvite-3<sub>512</sub> || 4 clk cycles per round || align="right"| 5610 ALUTs || align="right"| 3869 Mbit/s || align="right"| 215.4 MHz<br />
|-<br />
| SIMD-256 || 4 SIMD steps unrolled || align="right"| 22376 ALUTs || align="right"| 2697 Mbit/s || align="right"| 47.4 MHz<br />
|-<br />
| SIMD-512 || 4 SIMD steps unrolled || align="right"| 47671 ALUTs || align="right"| 4936 Mbit/s || align="right"| 43.4 MHz<br />
|-<br />
| Skein-512-256 || 4 Threefish rounds unrolled || align="right"| 4499 ALUTs || align="right"| 2482 Mbit/s || align="right"| 92.1 MHz<br />
|-<br />
| Skein-512-512 || 4 Threefish rounds unrolled || align="right"| 4563 ALUTs || align="right"| 2482 Mbit/s || align="right"| 92.1 MHz<br />
<br />
|}<br />
<br />
<br /><br />
<br /><br />
<br />
=== All 14 Round-Two Candidates ===<br />
<br />
Results are without wrapper for long messages.<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="200"| Reference !! width="120"| HDL !! width="120"| Category !! width="100"| Impl. Scope !! width="120"| Technology<br />
|- <br />
| [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] || [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#High-Speed_Implementations_(FPGA)|High-speed FPGA]] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Xilinx Virtex 5<br />
|}<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="140"| Hash Function Name !! width="270"| Impl. Details !! width="90"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| BLAKE-32 || || align="right"| 1118 slices || align="right"| 1169 Mbit/s || align="right"| 118.06 MHz<br />
|-<br />
| BLAKE-64 || || align="right"| 1718 slices || align="right"| 1299 Mbit/s || align="right"| 90.91 MHz<br />
|-<br />
| Blue Midnight Wish-256 || || align="right"| 4997 slices || align="right"| 457 Mbit/s || align="right"| 14.02 MHz<br />
|-<br />
| Blue Midnight Wish-512 || || align="right"| 9810 slices || align="right"| 287 Mbit/s || align="right"| 10 MHz<br />
|-<br />
| CubeHash8/32 || || align="right"| 695 slices || align="right"| 2509 Mbit/s || align="right"| 166.83 MHz<br />
|-<br />
| ECHO-256 || || align="right"| 7372 slices || align="right"| 5373 Mbit/s || align="right"| 198.93 MHz<br />
|-<br />
| ECHO-512 || || align="right"| 8633 slices || align="right"| 18133 Mbit/s || align="right"| 166.69 MHz<br />
|-<br />
| Fugue-256 || || align="right"| 1689 slices || align="right"| 914 Mbit/s || align="right"| 200.04 MHz<br />
|-<br />
| Fugue-384 || || align="right"| 2380 slices || align="right"| 640 Mbit/s || align="right"| 200.08 MHz<br />
|-<br />
| Fugue-512 || || align="right"| 2596 slices || align="right"| 481 Mbit/s || align="right"| 200.16 MHz<br />
|-<br />
| Grøstl-256 || || align="right"| 2391 slices || align="right"| 3242 Mbit/s || align="right"| 101.32 MHz<br />
|-<br />
| Grøstl-512 || || align="right"| 4845 slices || align="right"| 3619 Mbit/s || align="right"| 123.4 MHz<br />
|-<br />
| Hamsi-256 || || align="right"| 1518 slices || align="right"| 358 Mbit/s || align="right"| 72.41 MHz<br />
|-<br />
| Hamsi-512 || || align="right"| 6229 slices || align="right"| 79 Mbit/s || align="right"| 16.51 MHz<br />
|-<br />
| JH || || align="right"| 1291 slices || align="right"| 1941 Mbit/s || align="right"| 250.13 MHz<br />
|-<br />
| Keccak(-224) || || align="right"| 1117 slices || align="right"| 5915 Mbit/s || align="right"| 189 MHz<br />
|-<br />
| Keccak(-256) || || align="right"| 1117 slices || align="right"| 6263 Mbit/s || align="right"| 189 MHz<br />
|-<br />
| Keccak(-384) || || align="right"| 1117 slices || align="right"| 8190 Mbit/s || align="right"| 189 MHz<br />
|-<br />
| Keccak(-512) || || align="right"| 1117 slices || align="right"| 8518 Mbit/s || align="right"| 189 MHz<br />
|-<br />
| Luffa-256 || || align="right"| 2221 slices || align="right"| 5333 Mbit/s || align="right"| 166.67 MHz<br />
|-<br />
| Luffa-384 || || align="right"| 3740 slices || align="right"| 5336 Mbit/s || align="right"| 166.75 MHz<br />
|-<br />
| Luffa-512 || || align="right"| 3700 slices || align="right"| 5336 Mbit/s || align="right"| 166.75 MHz<br />
|-<br />
| Shabal || || align="right"| 1583 slices || align="right"| 1469 Mbit/s || align="right"| 148.04 MHz<br />
|-<br />
| SHAvite-3<sub>256</sub> || || align="right"| 3125 slices || align="right"| 1170 Mbit/s || align="right"| 109.17 MHz<br />
|-<br />
| SHAvite-3<sub>512</sub> || || align="right"| 9775 slices || align="right"| 931 Mbit/s || align="right"| 59.4 MHz<br />
|-<br />
| SIMD-256 || || align="right"| 22704 slices || align="right"| 1338 Mbit/s || align="right"| 107.2 MHz<br />
|-<br />
| SIMD-512 || || align="right"| 43729 slices || align="right"| 2677 Mbit/s || align="right"| 107.2 MHz<br />
|-<br />
| Skein-512 || || align="right"| 1786 slices || align="right"| 1945 Mbit/s || align="right"| 83.65 MHz<br />
|}<br />
<br />
<br /><br />
<br /><br />
<br />
<br />
=== All 14 Round-Two Candidates ===<br />
<br />
Results include throughputs without interface overhead.<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="200"| Reference !! width="120"| HDL !! width="120"| Category !! width="100"| Impl. Scope !! width="120"| Technology<br />
|- <br />
| [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/MATSUO_SHA-3_Criteria_Hardware_revised.pdf Matsuo et al.] [[#Ref033|[33]]] || [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] || [[#High-Speed_Implementations_(FPGA)|High-speed FPGA]] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Xilinx Virtex 5<br />
|}<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="140"| Hash Function Name !! width="270"| Impl. Details !! width="90"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| BLAKE-32 || || align="right"| 1660 slices || align="right"| 2676 Mbit/s || align="right"| 115 MHz<br />
|-<br />
| Blue Midnight Wish-256 || || align="right"| 4350 slices || align="right"| 8704 Mbit/s || align="right"| 34 MHz<br />
|-<br />
| CubeHash16/32-256 || || align="right"| 590 slices || align="right"| 2960 Mbit/s || align="right"| 185 MHz<br />
|-<br />
| ECHO-256 || || align="right"| 2827 slices || align="right"| 2312 Mbit/s || align="right"| 149 MHz<br />
|-<br />
| Fugue-256 || || align="right"| 4013 slices || align="right"| 1248 Mbit/s || align="right"| 78 MHz<br />
|-<br />
| Grøstl-256 || || align="right"| 2616 slices || align="right"| 7885 Mbit/s || align="right"| 154 MHz<br />
|-<br />
| Hamsi-256 || || align="right"| 718 slices || align="right"| 1680 Mbit/s || align="right"| 210 MHz<br />
|-<br />
| JH-256 || || align="right"| 2661 slices || align="right"| 2639 Mbit/s || align="right"| 201 MHz<br />
|-<br />
| Keccak(-256) || || align="right"| 1433 slices || align="right"| 8397 Mbit/s || align="right"| 205 MHz<br />
|-<br />
| Luffa-256 || || align="right"| 1048 slices || align="right"| 7424 Mbit/s || align="right"| 261 MHz<br />
|-<br />
| Shabal-256 || || align="right"| 1251 slices || align="right"| 2335 Mbit/s || align="right"| 228 MHz<br />
|-<br />
| SHAvite-3<sub>256</sub> || || align="right"| 1063 slices || align="right"| 3382 Mbit/s || align="right"| 251 MHz<br />
|-<br />
| SIMD-256 || || align="right"| 3987 slices || align="right"| 835 Mbit/s || align="right"| 75 MHz<br />
|-<br />
| Skein-256-256 || || align="right"| 854 slices || align="right"| 1402 Mbit/s || align="right"| 115 MHz<br />
|}<br />
<br />
<br />
----<br />
<br />
<br />
Same implementations as in [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/MATSUO_SHA-3_Criteria_Hardware_revised.pdf Matsuo et al.] [[#Ref033|[33]]] implemented on STM 90 nm technology.<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="200"| Reference !! width="120"| HDL !! width="120"| Category !! width="100"| Impl. Scope !! width="120"| Technology<br />
|- <br />
| [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] [[#Ref037|[37]]] || [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] || [[#High-Speed_Implementations_(ASIC)|High-speed ASIC]] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || STM 90 nm<br />
|}<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="140"| Hash Function Name !! width="270"| Impl. Details !! width="90"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| BLAKE-32 || || align="right"| 37 kGates || align="right"| 6668 Mbit/s || align="right"| 286.5 MHz<br />
|-<br />
| Blue Midnight Wish-256 || || align="right"| 128.7 kGates || align="right"| 25937 Mbit/s || align="right"| 101.3 MHz<br />
|-<br />
| CubeHash16/32-256 || || align="right"| 35.5 kGates || align="right"| 8247 Mbit/s || align="right"| 515.5 MHz<br />
|-<br />
| ECHO-256 || || align="right"| 101.1 kGates || align="right"| 5621 Mbit/s || align="right"| 362.3 MHz<br />
|-<br />
| Fugue-256 || || align="right"| 56.7 kGates || align="right"| 2721 Mbit/s || align="right"| 170.1 MHz<br />
|-<br />
| Grøstl-256 || || align="right"| 139.1 kGates || align="right"| 17297 Mbit/s || align="right"| 337.8 MHz<br />
|-<br />
| Hamsi-256 || || align="right"| 67.6 kGates || align="right"| 7767 Mbit/s || align="right"| 970.9 MHz<br />
|-<br />
| JH-256 || || align="right"| 54.6 kGates || align="right"| 10022 Mbit/s || align="right"| 763.4 MHz<br />
|-<br />
| Keccak(-256) || || align="right"| 50.7 kGates || align="right"| 33333 Mbit/s || align="right"| 781.3 MHz<br />
|-<br />
| Luffa-256 || || align="right"| 39.6 kGates || align="right"| 28732 Mbit/s || align="right"| 1010.1 MHz<br />
|-<br />
| Shabal-256 || || align="right"| 34.6 kGates || align="right"| 6059 Mbit/s || align="right"| 591.7 MHz<br />
|-<br />
| SHAvite-3<sub>256</sub> || || align="right"| 59.4 kGates || align="right"| 8421 Mbit/s || align="right"| 625 MHz<br />
|-<br />
| SIMD-256 || || align="right"| 139 kGates || align="right"| 3171 Mbit/s || align="right"| 284.9 MHz<br />
|-<br />
| Skein-256-256 || || align="right"| 43.1 kGates || align="right"| 3295 Mbit/s || align="right"| 270.3 MHz<br />
|}<br />
<br />
<br /><br />
<br /><br />
<br />
=== Blue Midnight Wish, Keccak, Luffa ===<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="200"| Reference !! width="120"| HDL !! width="120"| Category !! width="100"| Impl. Scope !! width="120"| Technology<br />
|- <br />
| [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SAVAS_SHA3_NIST_final.pdf Akin et al.] [[#Ref034|[34]]] || N/A || [[#High-Speed_Implementations_(FPGA)|High-speed FPGA]] || [[#Implementation_of_Core_Functionality|Core functionality]] || Xilinx Spartan 3<br />
|}<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="140"| Hash Function Name !! width="270"| Impl. Details !! width="90"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| Blue Midnight Wish || Compression function with f0, f1, and f2 unrolled in sequence || align="right"| 10531 slices || align="right"| 2110 Mbit/s || align="right"| 4.22 MHz<br />
|-<br />
| Keccak || One Keccak-f round per cycle || align="right"| 2024 slices || align="right"| 3460 Mbit/s || align="right"| 81.4 MHz<br />
|-<br />
| Luffa || Three step modules || align="right"| 2956 slices || align="right"| 1480 Mbit/s || align="right"| 157.3 MHz<br />
|}<br />
<br />
<br />
----<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="200"| Reference !! width="120"| HDL !! width="120"| Category !! width="100"| Impl. Scope !! width="120"| Technology<br />
|- <br />
| [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SAVAS_SHA3_NIST_final.pdf Akin et al.] [[#Ref034|[34]]] || N/A || [[#High-Speed_Implementations_(FPGA)|High-speed FPGA]] || [[#Implementation_of_Core_Functionality|Core functionality]] || Xilinx Virtex-II<br />
|}<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="140"| Hash Function Name !! width="270"| Impl. Details !! width="90"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| Blue Midnight Wish || Compression function with f0, f1, and f2 unrolled in sequence || align="right"| 10432 slices || align="right"| 3360 Mbit/s || align="right"| 6.71 MHz<br />
|-<br />
| Keccak || One Keccak-f round per cycle || align="right"| 2024 slices || align="right"| 5810 Mbit/s || align="right"| 136.6 MHz<br />
|-<br />
| Luffa || Three step modules || align="right"|2952 slices || align="right"| 8370 Mbit/s || align="right"| 301.4 MHz<br />
|}<br />
<br />
<br />
----<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="200"| Reference !! width="120"| HDL !! width="120"| Category !! width="100"| Impl. Scope !! width="120"| Technology<br />
|- <br />
| [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SAVAS_SHA3_NIST_final.pdf Akin et al.] [[#Ref034|[34]]] || N/A || [[#High-Speed_Implementations_(FPGA)|High-speed FPGA]] || [[#Implementation_of_Core_Functionality|Core functionality]] || Xilinx Virtex 4<br />
|}<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="140"| Hash Function Name !! width="270"| Impl. Details !! width="90"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| Blue Midnight Wish || Compression function with f0, f1, and f2 unrolled in sequence || align="right"| 10486 slices || align="right"| 4510 Mbit/s || align="right"| 9.01 MHz<br />
|-<br />
| Keccak || One Keccak-f round per cycle || align="right"| 2024 slices || align="right"| 6070 Mbit/s || align="right"| 142.9 MHz<br />
|-<br />
| Luffa || Three step modules || align="right"| 2989 slices || align="right"| 8560 Mbit/s || align="right"| 308.2 MHz<br />
|}<br />
<br />
<br />
----<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="200"| Reference !! width="120"| HDL !! width="120"| Category !! width="100"| Impl. Scope !! width="120"| Technology<br />
|- <br />
| [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SAVAS_SHA3_NIST_final.pdf Akin et al.] [[#Ref034|[34]]] || N/A || [[#High-Speed_Implementations_(ASIC)|High-speed ASIC]] || [[#Implementation_of_Core_Functionality|Core functionality]] || Synopsys 90 nm<br />
|}<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="140"| Hash Function Name !! width="270"| Impl. Details !! width="90"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| Blue Midnight Wish || Compression function with f0, f1, and f2 unrolled in sequence || align="right"| 55.9 kGates || align="right"| 26320 Mbit/s || align="right"| 52.63 MHz<br />
|-<br />
| Keccak || One Keccak-f round per cycle || align="right"| 10.5 kGates || align="right"| 19320 Mbit/s || align="right"| 454.5 MHz<br />
|-<br />
| Luffa || Three step modules || align="right"| 11.5 kGates || align="right"| 21370 Mbit/s || align="right"| 769.2 MHz<br />
|}<br />
<br />
=== All 14 Round-Two Candidates ===<br />
<br />
Results are post-P&amp;R and include throughputs without interface overhead.<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="200"| Reference !! width="120"| HDL !! width="120"| Category !! width="100"| Impl. Scope !! width="120"| Technology<br />
|- <br />
| [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SCHAUMONT_SHA3.pdf Guo et al.] [[#Ref035|[35]]] || [http://rijndael.ece.vt.edu/sha3/ VT webpage] || [[#High-Speed_Implementations_(ASIC)|High-speed ASIC]] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || UMC 0.13 µm<br />
|}<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="140"| Hash Function Name !! width="270"| Impl. Details !! width="90"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| BLAKE-32 || || align="right"| 43.52 kGates || align="right"| 4645 Mbit/s || align="right"| 200 MHz<br />
|-<br />
| Blue Midnight Wish-256 || || align="right"| 198.17 kGates || align="right"| 12220 Mbit/s || align="right"| 48 MHz<br />
|-<br />
| CubeHash16/32-256 || || align="right"| 38.18 kGates || align="right"| 4624 Mbit/s || align="right"| 289 MHz<br />
|-<br />
| ECHO-256 || || align="right"| 92.73 kGates || align="right"| 3366 Mbit/s || align="right"| 217 MHz<br />
|-<br />
| Fugue-256 || || align="right"| 91.09 kGates || align="right"| 2385 Mbit/s || align="right"| 149 MHz<br />
|-<br />
| Grøstl-256 || || align="right"| 110.11 kGates || align="right"| 9606 Mbit/s || align="right"| 188 MHz<br />
|-<br />
| Hamsi-256 || || align="right"| 29.94 kGates || align="right"| 3571 Mbit/s || align="right"| 446 MHz<br />
|-<br />
| JH-256 || || align="right"| 62.42 kGates || align="right"| 5128 Mbit/s || align="right"| 391 MHz<br />
|-<br />
| Keccak(-256) || || align="right"| 47.43 kGates || align="right"| 15457 Mbit/s || align="right"| 377 MHz<br />
|-<br />
| Luffa-256 || || align="right"| 37.94 kGates || align="right"| 13943 Mbit/s || align="right"| 490 MHz<br />
|-<br />
| Shabal-256 || || align="right"| 49.44 kGates || align="right"| 2945 Mbit/s || align="right"| 362 MHz<br />
|-<br />
| SHAvite-3<sub>256</sub> || || align="right"| 55.25 kGates || align="right"| 4599 Mbit/s || align="right"| 341 MHz<br />
|-<br />
| SIMD-256 || || align="right"| 139.55 kGates || align="right"| 2157 Mbit/s || align="right"| 194 MHz<br />
|-<br />
| Skein-256-256 || || align="right"| 40.9 kGates || align="right"| 1941 Mbit/s || align="right"| 159 MHz<br />
|}<br />
<br />
<br /><br />
<br /><br />
<br />
== References ==<br />
<br />
<div id="Ref001"><br />
[1] Jean-Philippe Aumasson, Luca Henzen, Willi Meier, and Raphael C.-W. Phan. SHA-3 proposal BLAKE (version 1.3). Available online at http://131002.net/blake/blake.pdf.<br />
</div><br />
<br />
<div id="Ref002"><br />
[2] A. H. Namin and M. A. Hasan. Hardware Implementation of the Compression Function for Selected SHA-3 Candidates. Available online at http://www.vlsi.uwaterloo.ca/~ahasan/hasan_report.html.<br />
</div><br />
<br />
<div id="Ref003"><br />
[3] Kazuyuki Kobayashi, Jun Ikegami, Shin'ichiro Matsuo, Kazuo Sakiyama, and Kazuo Ohta. Evaluation of Hardware Performance for the SHA-3 Candidates Using SASEBO-GII. IACR Eprint report 2010/010. Available online at http://eprint.iacr.org/2010/010.pdf.<br />
</div><br />
<br />
<div id="Ref004"><br />
[4] Brian Baldwin, Andrew Byrne, Mark Hamilton, Neil Hanley, Robert P. McEvoy, Weibo Pan, and William P. Marnane. FPGA Implementations of SHA-3 Candidates: CubeHash, Grøstl, LANE, Shabal and Spectral Hash. IACR Eprint report 2009/342. Available online at http://eprint.iacr.org/2009/342.pdf.<br />
</div><br />
<br />
<div id="Ref005"><br />
[5] Liang Lu, Maire O'Neil, and Earl Swartzlander. Hardware Evaluation of SHA-3 Hash Function Candidate ECHO. Presentation at the Clauce Shannon Institute Workshop on Coding and Cryptography 2009. Slides available online at http://www.ucc.ie/en/crypto/CodingandCryptographyWorkshop/TheClaudeShannonWorkshoponCodingCryptography2009/DocumentFile,75649,en.pdf.<br />
</div><br />
<br />
<div id="Ref006"><br />
[6] Bernhard Jungk, Steffen Reith, and Jürgen Apfelbeck. On Optimized FPGA Implementations of the SHA-3 Candidate Grøstl. IACR Eprint report 2009/206. Available online at http://eprint.iacr.org/2009/206.pdf.<br />
</div><br />
<br />
<div id="Ref007"><br />
[7] Praveen Gauravaram, Lars R. Knudsen, Krystian Matusievicz, Florian Mendel, Christian Rechberger, Martin Schläffer, and Søren S. Thomsen. Grøstl - a SHA-3 candidate (October 31, 2008). Available online at http://www.groestl.info/Groestl.pdf.<br />
</div><br />
<br />
<div id="Ref008"><br />
[8] Guido Bertoni, Joan Daemen, Michaël Peeters, and Gilles van Assche. KECCAK sponge function family main document (Version 1.2, April 23, 2009). Available online at http://keccak.noekeon.org/Keccak-main-1.2.pdf.<br />
</div><br />
<br />
<div id="Ref009"><br />
[9] Joachim Strömbergson. Implementation of the Keccak Hash Function in FPGA Devices. Available online at http://www.strombergson.com/files/Keccak_in_FPGAs.pdf.<br />
</div><br />
<br />
<div id="Ref010"><br />
[10] Romain Feron and Julien Francq. FPGA Implementation of Shabal: Our First Results (Version 2.0, February 19, 2010). Available online at http://www.shabal.com/wp-content/uploads/2010/03/FPGA-Implementation-of-Shabal-First-ResultsV2.0.pdf.<br />
</div><br />
<br />
<div id="Ref011"><br />
[11] Men Long. Implementing Skein Hash Function on Xilinx Virtex-5 FPGA Platform (Version 0.7, February 2, 2009). Available online at http://www.skein-hash.info/sites/default/files/skein_fpga.pdf.<br />
</div><br />
<br />
<div id="Ref012"><br />
[12] Stefan Tillich. Hardware Implementation of the SHA-3 Candidate Skein. IACR Eprint report 2009/159. Available online at http://eprint.iacr.org/2009/159.pdf.<br />
</div><br />
<br />
<div id="Ref013"><br />
[13] Jean-Luc Beuchat, Eiji Okamoto, and Teppei Yamazaki. Compact Implementations of BLAKE-32 and BLAKE-64 on FPGA. IACR Eprint report 2010/173. Available online at http://eprint.iacr.org/2010/173.pdf.<br />
</div><br />
<br />
<div id="Ref014"><br />
[14] Stefan Tillich, Martin Feldhofer, Mario Kirschbaum, Thomas Plos, Jörn-Marc Schmidt, and Alexander Szekely. High-Speed Hardware Implementations of BLAKE, Blue Midnight Wish, CubeHash, ECHO, Fugue, Grøstl, Hamsi, JH, Keccak, Luffa, Shabal, SHAvite-3, SIMD, and Skein. IACR Eprint report 2009/510. Available online at http://eprint.iacr.org/2009/510.pdf.<br />
</div><br />
<br />
<div id="Ref015"><br />
[15] Shai Halevi, William E. Hall, and Charanjit S. Jutla. The Hash Function Fugue (October 30, 2008). Available online at http://domino.research.ibm.com/comm/research_projects.nsf/pages/fugue.index.html/$FILE/NIST-submission-Oct08-fugue.pdf.<br />
</div><br />
<br />
<div id="Ref016"><br />
[16] Junfeng Fan. Hardware Evaluation of The Hash Function Hamsi. Available online at http://homes.esat.kuleuven.be/~okucuk/hamsi/implementations.html.<br />
</div><br />
<br />
<div id="Ref017"><br />
[17] Miroslav Knezevic and Ingrid Verbeiwhede. Hardware Evaluation of the Luffa Hash Family. 4th Workshop on Embedded Systems Security 2009. Available online at http://www.cosic.esat.kuleuven.be/publications/article-1282.pdf.<br />
</div><br />
<br />
<div id="Ref018"><br />
[18] Stefan Tillich, Martin Feldhofer, Wolfgang Issovits, Thomas Kern, Hermann Kureck, Michael Mühlberghuber, Georg Neubauer, Andreas Reiter, Armin Köfler, and Mathias Mayrhofer. Compact Hardware Implementations of the SHA-3 Candidates ARIRANG, BLAKE, Grøstl, and Skein. IACR Eprint report 2009/349. Available online at http://eprint.iacr.org/2009/349.pdf.<br />
</div><br />
<br />
<div id="Ref019"><br />
[19] Grøstl website. http://www.groestl.info/.<br />
</div><br />
<br />
<div id="Ref020"><br />
[20] Markus Bernet, Luca Henzen, Hubert Kaeslin, Norbert Felber, and Wolfgang Fichtner. Hardware Implementations of the SHA-3 Candidates Shabal and CubeHash. 52nd IEEE International Midwest Symposium on Circuits and Systems, 2009. Available online at http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=5236043.<br />
</div><br />
<br />
<div id="Ref021"><br />
[21] Michel Kinsy and Richard Uhler. SHA-3: FPGA Implementation of ESSENCE and ECHO Hash Algorithm Candidates Using Bluespec. Available online at http://csg.csail.mit.edu/6.375/6_375_2009_www/projects/group1_report.pdf.<br />
</div><br />
<br />
<div id="Ref022"><br />
[22] Bernhard Jungk and Steffen Reith. On FPGA-based implementations of Grøstl. IACR Eprint report 2010/260. Available online at http://eprint.iacr.org/2010/260.pdf.<br />
</div><br />
<br />
<div id="Ref023"><br />
[23] Jérémie Detrey, Pierre Gaudry, and Karim Khalfallah. A Low-Area yet Performant FPGA Implementation of Shabal. IACR Eprint report 2010/292. Available online at http://eprint.iacr.org/2010/292.pdf.<br />
</div><br />
<br />
<div id="Ref024"><br />
[24] Jean-Luc Beuchat, Eiji Okamoto, and Teppei Yamazaki. A Compact FPGA Implementation of the SHA-3 Candidate ECHO. IACR Eprint report 2010/364. Available online at http://eprint.iacr.org/2010/364.pdf.<br />
</div><br />
<br />
<div id="Ref025"><br />
[25] Wim Ramakers and Hans Narinx. Implementation and evaluation of SHA-3 candidates on FPGA. Extended abstract of Master Thesis &quot;Implementatie en Evaluatie van SHA-3-Kandidaten op FPGA&quot; (Dutch). Extended abstract available online at http://ehash.iaik.tugraz.at/uploads/1/12/Ramakers_Narinx2010ECHO-Hamsi-Luffa_ExtendedAbstract_ENGLISH.pdf. Full thesis available online at http://ehash.iaik.tugraz.at/uploads/6/62/Ramakers_Narinx2010ECHO-Hamsi-Luffa_Thesis_DUTCH.pdf.<br />
</div><br />
<br />
<div id="Ref026"><br />
[26] Julien Francq and Céline Thuillet. Unfolding Method for Shabal on Virtex-5 FPGAs: Concrete Results. IACR Eprint report 2010/406. Available online at http://eprint.iacr.org/2010/406.pdf.<br />
</div><br />
<br />
<div id="Ref027"><br />
[27] Shugo Mikami, Nagamasa Mizushima, Setsuko Nakamura, and Dai Watanabe. A Compact Hardware Implementation of SHA-3 Candidate Luffa (version 20101105). Available online at http://www.sdl.hitachi.co.jp/crypto/luffa/ACompactHardwareImplementationOfSHA-3CandidateLuffa_20101105.pdf.<br />
</div><br />
<br />
<div id="Ref028"><br />
[28] Imed Mabrouk and Ryad Benadjila. ECHO webpage (hardware subpage). http://crypto.rd.francetelecom.com/ECHO/hard/.<br />
</div><br />
<br />
<div id="Ref029"><br />
[29] Luca Henzen, Pietro Gendotti, Patrice Guillet, Enrico Pargaetzi, Martin Zoller, and Frank K. Gürkaynak. Developing a Hardware Evaluation Method for SHA-3 Candidates. 12th International Workshop on Cryptographic Hardware and Embedded Systems (CHES), 2010. Available online at http://www.springerlink.com/content/g0115v3272156r06/.<br />
</div><br />
<br />
<div id="Ref030"><br />
[30] Ekawat Homsirikamol, Marcin Rogawski, and Kris Gaj. Comparing Hardware Performance of Fourteen Round Two SHA-3 Candidates Using FPGAs. IACR Eprint report 2010/445. Available online at http://eprint.iacr.org/2010/445.pdf.<br />
</div><br />
<br />
<div id="Ref031"><br />
[31] Brian Baldwin, Neil Hanley, Mark Hamilton, Liang Lu, Andrew Byrne, Maire O'Neill, and William P. Marnane. FPGA Implementations of the Round Two SHA-3 Candidates. Second SHA-3 Candidate Conference, 2010. Available online at http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf.<br />
</div><br />
<br />
<div id="Ref032"><br />
[32] Mohamed El Hadedy, Martin Margala, Danilo Gligoroski, and Svein J. Knapskog. Resource-Efficient Implementation of Blue Midnight Wish-256 Hash Function on Xilinx FPGA Platform. Second SHA-3 Candidate Conference, 2010. Available online at http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/El-Hadedy_SmallSizeFPGA-BMW256.pdf.<br />
</div><br />
<br />
<div id="Ref033"><br />
[33] Shin'ichiro Matsuo, Miroslav Knezevic, Patrick Schaumont, Ingrid Verbauwhede, Akashi Satoh, Kazuo Sakiyama, and Kazuo Ota. How Can We Conduct "Fair and Consistent" Hardware Evaluation for SHA-3 Candidate? Second SHA-3 Candidate Conference, 2010. Available online at http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/MATSUO_SHA-3_Criteria_Hardware_revised.pdf.<br />
</div><br />
<br />
<div id="Ref034"><br />
[34] Abdulkadir Akin, Aydin Aysu, Onur Can Ulusel, and Erkay Savas. Efficient Hardware Implementations of High Throughput SHA-3 Candidates Keccak, Luffa and Blue Midnight Wish for Single- and Multi-Message Hashing. Second SHA-3 Candidate Conference, 2010. Available online at http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SAVAS_SHA3_NIST_final.pdf.<br />
</div><br />
<br />
<div id="Ref035"><br />
[35] Xu Guo, Sinan Huang, Leyla Nazhandali, and Patrick Schaumont. Fair and Comprehensive Performance Evaluation of 14 Second Round SHA-3 ASIC Implementations. Second SHA-3 Candidate Conference, 2010. Available online at http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SCHAUMONT_SHA3.pdf.<br />
</div><br />
<br />
<div id="Ref036"><br />
[36] Jesse Walker, Farhana Sheikh, Sanu K. Mathew, and Ram Krishnamurthy. A Skein-512 Hardware Implementation. Available online at http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/WALKER_skein-intel-hwd.pdf.<br />
</div><br />
<br />
<div id="Ref037"><br />
[37] RCIS webpage. http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html.<br />
</div><br />
<br />
<div id="Ref038"><br />
[38] Akashi Satoh, Toshihiro Katashita, Takeshi Sugawara, Naofumi Homma, and Takafumi Aoki. Hardware Implementations of Hash Function Luffa. IEEE International Symposium on Hardware-Oriented Security and Trust (HOST), 2010. Available online at http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=5513102&tag=1.<br />
</div><br />
<br />
<div id="Ref039"><br />
[39] RCIS webpage (Other ASIC Implementations). http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/others.html.<br />
</div><br />
<br />
<div id="Ref040"><br />
[40] Luca Henzen, Jean-Philippe Aumasson, Willi Meier, and Raphael C.-W. Phan. VLSI Characterization of the Cryptographic Hash Function BLAKE. IEEE T VLSI, 2010. Available online at http://131002.net/data/papers/HAMP10.pdf.<br />
</div><br />
<br />
<div id="Ref041"><br />
[41] Mohamed El Hadedy, Danilo Gligoroski, and Svein J. Knapskog. Single Core Implementation of Blue Midnight Wish Hash Function on VIRTEX 5 Platform. Available online at http://people.item.ntnu.no/~danilog/Hash/BMW-SecondRound/SmallSizeFPGA-BMWOct2010.pdf.<br />
</div></div>
JAumasson
https://ehash.iaik.tugraz.at/index.php?title=SHA-3_Hardware_Implementations&diff=3650
SHA-3 Hardware Implementations
2010-12-07T10:12:44Z
<p>JAumasson: /* Important Information */ typo "comparisions"</p>
<hr />
<div>== Call for Contributions ==<br />
<br />
Implementers (both submitters and non-submitters): You have results that complement this site? <br />
Let us know at sha3zoo-hardware@iaik.tugraz.at If you are making your HDL code available, please also provide us with according information.<br />
<br />
== Important Information ==<br />
<br />
This page summarizes key properties of reported hardware implementations of those SHA-3 candidates, which are currently under consideration by NIST. This is work in progress. If you know of any implementations which should be mentioned on this page, refer to our [[#Call_for_Contributions|call for contributions]].<br />
<br />
A list of hardware implementations of the round 1 candidates can be found [[SHA-3_Hardware_Implementations_Round_One|here]]. Please note that the page for round 1 candidates is provided for reference and will not be updated.<br />
<br />
The implementations are categorized into FPGA and standard-cell ASIC implementations. Note that the diversity of implementation scope, target technologies, and synthesis tools makes direct comparisons between different hardware implementation difficult. The more of these parameters agree, the more reasonable the comparison becomes. <br />
<br />
The target technology should be as similar as possible. For FPGA implementation, it is desirable to compare implementations on the same target device (or at least on devices of the same FPGA family). For standard-cell ASIC implementation, at least the minimal gate length of the process (e.g., 0.13 µm) should agree. More ideally, the implementations use the same standard-cell library (which implies the use of the same process technology).<br />
<br />
In order to facilitate the comparision of hardware modules with different implementation scopes, we classify them into three categories:<br />
<br />
* [[#Fully_Autonomous_Implementation|Fully autonomous]]<br />
* [[#Implementation_with_External_Memory|Using external memory]]<br />
* [[#Implementation_of_Core_Functionality|Core functionality]]<br />
<br />
For suggestions regarding the structure of this site, let us know at sha3zoo-hardware@iaik.tugraz.at<br />
<br />
=== Fully Autonomous Implementation ===<br />
<br />
[[Image:HW_type_self-cont.jpg]]<br />
<br />
Such hardware implementations include the complete functionality of a SHA-3 candidate (or a specific version thereof). That means the input message can be loaded piecewise into the hardware module and it delivers the message digest as output. All hash calculations happen exclusively within the hardware module. If integrated in a system, the achievable throughput of a fully autonomous implementation depends on the speed of the hardware module itself and the speed of the (system dependent) data interface delivering the input message.<br />
<br />
<br />
=== Implementation with External Memory ===<br />
<br />
[[Image:HW_type_ext-mem.jpg]]<br />
<br />
These implementations use external memory to hold intermediate values during the hashing of a message. The implemented hardware itself normally consists of the core logic functionality of the hash function, some registers for short-lived temporary values, and possible a memory controller for access to the external memory. Such implementations can load the input message either over a dedicated interface (similar to a fully autonomous implementation) or from the external memory. In order to reach the maximal throughput of the hardware module, the external memory must be sufficiently fast.<br />
<br />
<br />
=== Implementation of Core Functionality ===<br />
<br />
[[Image:HW_type_core-funct.jpg]]<br />
<br />
Such implementations comprise only important parts of the hash function (e.g., the compression function), which normally allows to get a first-order estimate of the performance figures of full implementations.<br />
<br />
== Ongoing Hardware Benchmarking Efforts ==<br />
<br />
To describe it in the words of the initiators and maintainers: "ATHENa: Automated Tool for Hardware EvaluatioN is a project started at George Mason University, aimed at fair, comprehensive, and automated evaluation of cryptographic cores developed using hardware description languages, such as VHDL and Verilog." More information about the project and the current results can be found on the [http://cryptography.gmu.edu/athena/ ATHENa webpage]. Note: As each hash module submitted to ATHENAa is implemented on several FPGA platforms, the SHA-3 zoo pages will not replicate all results produced by the ATHENa project on this webpage. Instead please refer directly to the [http://cryptography.gmu.edu/athena/ ATHENa webpage].<br />
<br />
== Summary of All Results ==<br />
<br />
This section includes four categories of implementations (high-speed, low-area, both for FPGA and ASIC) which include known published results. If the HDL sourcecode is available, a link is provided as well.<br />
<br />
=== High-Speed Implementations (FPGA) ===<br />
<br />
Important note: The size and functionality of slices varies between FPGA families. A direct comparision of the slice count of implementations on different FPGA families is therefore problematic.<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="120"| Hash Function Name !! width="150"| Reference / HDL !! width="100"| Impl. Scope !! width="200"| Impl. Details !! width="100"| Technology !! width="80"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| BLAKE-32 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with 8 G function units || Xilinx Virtex-II Pro || align="right"| 3091 slices || align="right"| 1724 Mbit/s || align="right"| 37.0 MHz<br />
|-<br />
| BLAKE-32 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with 8 G function units || Xilinx Virtex 4 || align="right"| 3087 slices || align="right"| 2235 Mbit/s || align="right"| 48.0 MHz<br />
|-<br />
| BLAKE-32 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with 8 G function units || Xilinx Virtex 5 || align="right"| 1694 slices || align="right"| 3103 Mbit/s || align="right"| 67.0 MHz<br />
|-<br />
| BLAKE-32 || [http://www.vlsi.uwaterloo.ca/~ahasan/hasan_report.html Namin and Hasan] [[#Ref002|[2]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with 8 G function units and I/O registers || Altera Stratix III || align="right"| 5435 ALUTs || align="right"| 2186.2 Mbit/s || align="right"| 46.97 MHz<br />
|-<br />
| BLAKE-32 || [http://eprint.iacr.org/2010/010.pdf Kobayashi et al.] [[#Ref003|[3]]] / [http://www.rcis.aist.go.jp/special/SASEBO/SHA3-en.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1660 slices || align="right"| 2676 Mbit/s || align="right"| 115 MHz<br />
<br />
|-<br />
| BLAKE-32 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] <br />
|| 4 G function units per iteration || Xilinx Virtex 5 || align="right"| 1871 slices || align="right"| 2854 Mbit/s || align="right"| 117.1 MHz<br />
|-<br />
| BLAKE-32 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 4 G function units per iteration || Altera Stratix III || align="right"| 1779 ALUTs || align="right"| 3037 Mbit/s || align="right"| 124.6 MHz<br />
<br />
|-<br />
| BLAKE-32 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1118 slices || align="right"| 1169 Mbit/s || align="right"| 118.06 MHz<br />
|-<br />
| BLAKE-32 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/MATSUO_SHA-3_Criteria_Hardware_revised.pdf Matsuo et al.] [[#Ref033|[33]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS website] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1660 slices || align="right"| 2676 Mbit/s || align="right"| 115 MHz<br />
|-<br />
| BLAKE-64 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with 8 G function units || Xilinx Virtex-II Pro || align="right"| 11122 slices || align="right"| 1177 Mbit/s || align="right"| 17.0 MHz<br />
|-<br />
| BLAKE-64 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with 8 G function units || Xilinx Virtex 4 || align="right"| 11483 slices || align="right"| 1707 Mbit/s || align="right"| 25.0 MHz<br />
|-<br />
| BLAKE-64 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with 8 G function units || Xilinx Virtex 5 || align="right"| 4329 slices || align="right"| 2389 Mbit/s || align="right"| 35.0 MHz<br />
|-<br />
| BLAKE-64 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1718 slices || align="right"| 1299 Mbit/s || align="right"| 90.91 MHz<br />
<br />
|-<br />
| BLAKE-64 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 4 G function units per iteration || Xilinx Virtex 5 || align="right"| 3276 slices || align="right"| 3743 Mbit/s || align="right"| 106.0 MHz<br />
|-<br />
| BLAKE-64 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 4 G function units per iteration || Altera Stratix III || align="right"| 3414 ALUTs || align="right"| 3298 Mbit/s || align="right"| 93.4 MHz<br />
<br />
|-<br />
| Blue Midnight Wish-256 || [http://www.vlsi.uwaterloo.ca/~ahasan/hasan_report.html Namin and Hasan] [[#Ref002|[2]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with f0, f1, and f2 unrolled in sequence and I/O registers || Altera Stratix III || align="right"| 12917 ALUTs || align="right"| 4889.6 Mbit/s || align="right"| 9.55 MHz<br />
<br />
|-<br />
| Blue Midnight Wish-256 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Fully unrolled || Xilinx Virtex 5 || align="right"| 4400 slices || align="right"| 5577 Mbit/s || align="right"| 10.9 MHz<br />
|-<br />
| Blue Midnight Wish-256 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Fully unrolled || Altera Stratix III || align="right"| 12632 ALUTs || align="right"| 8422 Mbit/s || align="right"| 16.5 MHz<br />
<br />
|-<br />
| Blue Midnight Wish-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 4997 slices || align="right"| 457 Mbit/s || align="right"| 14.02 MHz<br />
|-<br />
| Blue Midnight Wish-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/MATSUO_SHA-3_Criteria_Hardware_revised.pdf Matsuo et al.] [[#Ref033|[33]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS website] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 4350 slices || align="right"| 8704 Mbit/s || align="right"| 34 MHz<br />
|-<br />
| Blue Midnight Wish-512 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 9810 slices || align="right"| 287 Mbit/s || align="right"| 10 MHz<br />
<br />
|-<br />
| Blue Midnight Wish-512 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Fully unrolled || Xilinx Virtex 5 || align="right"| 10401 slices || align="right"| 8656 Mbit/s || align="right"| 8.5 MHz<br />
|-<br />
| Blue Midnight Wish-512 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Fully unrolled || Altera Stratix III || align="right"| 25225 ALUTs || align="right"| 7619 Mbit/s || align="right"| 7.4 MHz<br />
<br />
|-<br />
| Blue Midnight Wish || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SAVAS_SHA3_NIST_final.pdf Akin et al.] [[#Ref034|[34]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with f0, f1, and f2 unrolled in sequence || Xilinx Spartan 3 || align="right"| 10531 slices || align="right"| 2110 Mbit/s || align="right"| 4.22 MHz<br />
|-<br />
| Blue Midnight Wish || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SAVAS_SHA3_NIST_final.pdf Akin et al.] [[#Ref034|[34]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with f0, f1, and f2 unrolled in sequence || Xilinx Virtex-II || align="right"| 10432 slices || align="right"| 3360 Mbit/s || align="right"| 6.71 MHz<br />
|-<br />
| Blue Midnight Wish || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SAVAS_SHA3_NIST_final.pdf Akin et al.] [[#Ref034|[34]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with f0, f1, and f2 unrolled in sequence || Xilinx Virtex 4 || align="right"| 10486 slices || align="right"| 4510 Mbit/s || align="right"| 9.01 MHz<br />
|-<br />
| CubeHash8/1-256(***) || [http://eprint.iacr.org/2009/342.pdf Baldwin et al.] [[#Ref004|[4]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || 2 compression functions unrolled || Xilinx Spartan 3 || align="right"| 3268 slices || align="right"| 70 Mbit/s || align="right"| 37.9 MHz<br />
|-<br />
| CubeHash8/1-256(***) || [http://eprint.iacr.org/2009/342.pdf Baldwin et al.] [[#Ref004|[4]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || 1 iterated compression function || Xilinx Virtex 5 || align="right"| 1178 slices || align="right"| 160 Mbit/s || align="right"| 166.8 MHz<br />
|-<br />
| CubeHash16/32-256 || [http://eprint.iacr.org/2010/010.pdf Kobayashi et al.] [[#Ref003|[3]]] / [http://www.rcis.aist.go.jp/special/SASEBO/SHA3-en.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 590 slices || align="right"| 2960 Mbit/s || align="right"| 185 MHz<br />
<br />
|-<br />
| CubeHash16/32-256 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 707 slices || align="right"| 3445 Mbit/s || align="right"| 215.3 MHz<br />
|-<br />
| CubeHash16/32-256 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Altera Stratix III || align="right"| 1928 ALUTs || align="right"| 3777 Mbit/s || align="right"| 236.1 MHz<br />
<br />
|-<br />
| CubeHash16/32-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/MATSUO_SHA-3_Criteria_Hardware_revised.pdf Matsuo et al.] [[#Ref033|[33]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS website] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 590 slices || align="right"| 2960 Mbit/s || align="right"| 185 MHz<br />
|-<br />
| CubeHash8/32 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 695 slices || align="right"| 2509 Mbit/s || align="right"| 166.83 MHz<br />
<br />
|-<br />
| CubeHash16/32-512 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 764 slices || align="right"| 3509 Mbit/s || align="right"| 219.3 MHz<br />
|-<br />
| CubeHash16/32-512 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Altera Stratix III || align="right"| 1924 ALUTs || align="right"| 3489 Mbit/s || align="right"| 218.1 MHz<br />
<br />
|-<br />
| ECHO-224/256 || [http://www.ucc.ie/en/crypto/CodingandCryptographyWorkshop/TheClaudeShannonWorkshoponCodingCryptography2009/DocumentFile,75649,en.pdf Lu et al.] [[#Ref005|[5]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 9333 slices || align="right"| 14860 Mbit/s || align="right"| 87.1 MHz<br />
|-<br />
| ECHO-224/256 || [http://csg.csail.mit.edu/6.375/6_375_2009_www/projects/group1_report.pdf Kinsy and Uhler] [[#Ref021|[21]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 273 cycles per block || Altera Cyclone II || align="right"| 39091 LEs || align="right"| 397 Mbit/s(*) || align="right"| 70.6 MHz<br />
|-<br />
| ECHO-256 || [http://ehash.iaik.tugraz.at/uploads/1/12/Ramakers_Narinx2010ECHO-Hamsi-Luffa_ExtendedAbstract_ENGLISH.pdf Ramakers and Narinx] [[#Ref025|[25]]] / [http://ehash.iaik.tugraz.at/uploads/2/27/Ramakers_Narinx2010ECHO-Hamsi-Luffa_VHDL_sources.zip Hosted by SHA-3 zoo] || [[#Implementation_of_Core_Functionality|Core functionality]] || Straight-forward instantiation of complete compression function || Xilinx Virtex 5 || align="right"| 15006 slices || align="right"| 23860 Mbit/s || align="right"| 139 MHz<br />
|-<br />
| ECHO-256 || [http://ehash.iaik.tugraz.at/uploads/1/12/Ramakers_Narinx2010ECHO-Hamsi-Luffa_ExtendedAbstract_ENGLISH.pdf Ramakers and Narinx] [[#Ref025|[25]]] / [http://ehash.iaik.tugraz.at/uploads/2/27/Ramakers_Narinx2010ECHO-Hamsi-Luffa_VHDL_sources.zip Hosted by SHA-3 zoo] || [[#Implementation_of_Core_Functionality|Core functionality]] || Optimized: 4 x 2 AES round instances with pipeline register in BigSubWords || Xilinx Virtex 5 || align="right"| 12061 slices || align="right"| 3560 Mbit/s || align="right"| 187 MHz<br />
|-<br />
| ECHO-256 || [http://eprint.iacr.org/2010/010.pdf Kobayashi et al.] [[#Ref003|[3]]] / [http://www.rcis.aist.go.jp/special/SASEBO/SHA3-en.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 3556 slices || align="right"| 1614 Mbit/s || align="right"| 104 MHz<br />
|-<br />
| ECHO-256 || [http://crypto.rd.francetelecom.com/ECHO/hard/ Mabrouk and Benadjila] [[#Ref028|[28]]] / [http://crypto.rd.francetelecom.com/ECHO/hard/echo_highspeed_virtex5.zip Implementer's webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Fully parallel iterations of Compress512 || Xilinx Virtex 5 || align="right"| 10407 slices || align="right"| 26390 Mbit/s || align="right"| 154.6 MHz<br />
|-<br />
| ECHO-256 || [http://crypto.rd.francetelecom.com/ECHO/hard/ Mabrouk and Benadjila] [[#Ref028|[28]]] / [http://crypto.rd.francetelecom.com/ECHO/hard/echo_highspeed_virtex6.zip Implementer's webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Fully parallel iterations of Compress512 || Xilinx Virtex 6 || align="right"| 8071 slices || align="right"| 29457 Mbit/s || align="right"| 172.6 MHz<br />
<br />
|-<br />
| ECHO-256 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 3 clk cycles per round || Xilinx Virtex 5 || align="right"| 5445 slices || align="right"| 13874 Mbit/s || align="right"| 234.9 MHz<br />
|-<br />
| ECHO-256 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 3 clk cycles per round || Altera Stratix III || align="right"| 21689 ALUTs || align="right"| 9700 Mbit/s || align="right"| 164.2 MHz<br />
<br />
|-<br />
| ECHO-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 7372 slices || align="right"| 5373 Mbit/s || align="right"| 198.93 MHz<br />
|-<br />
| ECHO-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/MATSUO_SHA-3_Criteria_Hardware_revised.pdf Matsuo et al.] [[#Ref033|[33]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS website] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 2827 slices || align="right"| 2312 Mbit/s || align="right"| 149 MHz<br />
|-<br />
| ECHO-384/512 || [http://www.ucc.ie/en/crypto/CodingandCryptographyWorkshop/TheClaudeShannonWorkshoponCodingCryptography2009/DocumentFile,75649,en.pdf Lu et al.] [[#Ref005|[5]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 9097 slices || align="right"| 7810 Mbit/s || align="right"| 83.9 MHz<br />
|-<br />
| ECHO-384/512 || [http://csg.csail.mit.edu/6.375/6_375_2009_www/projects/group1_report.pdf Kinsy and Uhler] [[#Ref021|[21]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 341 cycles per block || Altera Cyclone II || align="right"| 39091 LEs || align="right"| 212 Mbit/s(**) || align="right"| 70.6 MHz<br />
|-<br />
| ECHO-512 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 8633 slices || align="right"| 18133 Mbit/s || align="right"| 166.69 MHz<br />
<br />
|-<br />
| ECHO-512 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 3 clk cycles per round || Xilinx Virtex 5 || align="right"| 5958 slices || align="right"| 6431 Mbit/s || align="right"| 201.0 MHz<br />
|-<br />
| ECHO-512 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 3 clk cycles per round || Altera Stratix III || align="right"| 20085 ALUTs || align="right"| 7872 Mbit/s || align="right"| 246.0 MHz<br />
<br />
|-<br />
| Fugue-256 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 2 clk cycles per round || Xilinx Virtex 5 || align="right"| 729 slices || align="right"| 3512 Mbit/s || align="right"| 219.5 MHz<br />
|-<br />
| Fugue-256 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 2 clk cycles per round || Altera Stratix III || align="right"| 2352 ALUTs || align="right"| 3765 Mbit/s || align="right"| 235.3 MHz<br />
<br />
|-<br />
| Fugue-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1689 slices || align="right"| 914 Mbit/s || align="right"| 200.04 MHz<br />
|-<br />
| Fugue-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/MATSUO_SHA-3_Criteria_Hardware_revised.pdf Matsuo et al.] [[#Ref033|[33]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS website] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 4013 slices || align="right"| 1248 Mbit/s || align="right"| 78 MHz<br />
|-<br />
| Fugue-384 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 2380 slices || align="right"| 640 Mbit/s || align="right"| 200.08 MHz<br />
|-<br />
| Fugue-512 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 2596 slices || align="right"| 481 Mbit/s || align="right"| 200.16 MHz<br />
<br />
|-<br />
| Fugue-512 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 4 clk cycles per round || Xilinx Virtex 5 || align="right"| 955 slices || align="right"| 1862 Mbit/s || align="right"| 232.7 MHz<br />
|-<br />
| Fugue-512 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 4 clk cycles per round || Altera Stratix III || align="right"| 2680 ALUTs || align="right"| 1878 Mbit/s || align="right"| 234.8 MHz<br />
<br />
|-<br />
| Grøstl-224/256 || [http://eprint.iacr.org/2009/206.pdf Jungk et al.] [[#Ref006|[6]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || P & Q permutation in parallel || Xilinx Spartan 3 || align="right"| 6136 slices || align="right"| 4520 Mbit/s || align="right"| 88.3 MHz<br />
|-<br />
| Grøstl-224/256 || [http://www.groestl.info/Groestl.pdf Submission doc.] [[#Ref007|[7]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || P & Q permutation in parallel || Xilinx Virtex 5 || align="right"| 1722 slices || align="right"| 10276 Mbit/s || align="right"| 200.7 MHz<br />
|-<br />
| Grøstl-224/256 || [http://eprint.iacr.org/2009/342.pdf Baldwin et al.] [[#Ref004|[4]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || P & Q permutation in parallel, S-box in BRAM || Xilinx Spartan 3 || align="right"| 4827 slices || align="right"| 3660 Mbit/s || align="right"| 71.53 MHz<br />
|-<br />
| Grøstl-224/256 || [http://eprint.iacr.org/2009/342.pdf Baldwin et al.] [[#Ref004|[4]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || P & Q permutation in parallel, S-box in BRAM || Xilinx Virtex 5 || align="right"| 4516 slices || align="right"| 7310 Mbit/s || align="right"| 142.87 MHz<br />
|-<br />
| Grøstl-256 || [http://eprint.iacr.org/2010/010.pdf Kobayashi et al.] [[#Ref003|[3]]] / [http://www.rcis.aist.go.jp/special/SASEBO/SHA3-en.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 4057 slices || align="right"| 5171 Mbit/s || align="right"| 101 MHz<br />
<br />
|-<br />
| Grøstl-256 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || P & Q permutations interleaved || Xilinx Virtex 5 || align="right"| 1716 slices || align="right"| 8546 Mbit/s || align="right"| 350.5 MHz<br />
|-<br />
| Grøstl-256 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || P & Q permutations interleaved || Altera Stratix III || align="right"| 3103 ALUTs || align="right"| 6589 Mbit/s || align="right"| 270.3 MHz<br />
<br />
|-<br />
| Grøstl-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 2391 slices || align="right"| 3242 Mbit/s || align="right"| 101.32 MHz<br />
|-<br />
| Grøstl-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/MATSUO_SHA-3_Criteria_Hardware_revised.pdf Matsuo et al.] [[#Ref033|[33]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS website] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 2616 slices || align="right"| 7885 Mbit/s || align="right"| 154 MHz<br />
|-<br />
| Grøstl-384/512 || [http://www.groestl.info/Groestl.pdf Submission doc.] [[#Ref007|[7]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || P & Q permutation in parallel || Xilinx Spartan 3 || align="right"| 20233 slices || align="right"| 5901 Mbit/s || align="right"| 80.7 MHz<br />
|-<br />
| Grøstl-384/512 || [http://eprint.iacr.org/2009/342.pdf Baldwin et al.] [[#Ref004|[4]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || P & Q permutation parallel, S-box in LUTs || Xilinx Spartan 3 || align="right"| 17452 slices || align="right"| 3180 Mbit/s || align="right"| 79.61 MHz<br />
|-<br />
| Grøstl-384/512 || [http://eprint.iacr.org/2009/342.pdf Baldwin et al.] [[#Ref004|[4]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || P & Q permutation parallel, S-box in LUTs || Xilinx Virtex 5 || align="right"| 19161 slices || align="right"| 6090 Mbit/s || align="right"| 83.33 MHz<br />
|-<br />
| Grøstl-384/512 || [http://www.groestl.info/Groestl.pdf Submission doc.] [[#Ref007|[7]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || P & Q permutation in parallel || Xilinx Virtex 5 || align="right"| 5419 slices || align="right"| 15395 Mbit/s || align="right"| 210.5 MHz<br />
|-<br />
| Grøstl-384/512 || [http://eprint.iacr.org/2010/260.pdf Jungk and Reith] [[#Ref022|[22]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Shared P & Q permutation || Xilinx Spartan 3 || align="right"| 8308 slices || align="right"| 3474 Mbit/s || align="right"| 95 MHz<br />
|-<br />
| Grøstl-512 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 4845 slices || align="right"| 3619 Mbit/s || align="right"| 123.4 MHz<br />
<br />
|-<br />
| Grøstl-512 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || P & Q permutations interleaved || Xilinx Virtex 5 || align="right"| 3155 slices || align="right"| 11498 Mbit/s || align="right"| 325.6 MHz<br />
|-<br />
| Grøstl-512 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || P & Q permutations interleaved || Altera Stratix III || align="right"| 6288 ALUTs || align="right"| 8841 Mbit/s || align="right"| 250.4 MHz<br />
<br />
|-<br />
| Hamsi-256 || [http://eprint.iacr.org/2010/010.pdf Kobayashi et al.] [[#Ref003|[3]]] / [http://www.rcis.aist.go.jp/special/SASEBO/SHA3-en.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 718 slices || align="right"| 1680 Mbit/s || align="right"| 210 MHz<br />
|-<br />
| Hamsi-256 || [http://ehash.iaik.tugraz.at/uploads/1/12/Ramakers_Narinx2010ECHO-Hamsi-Luffa_ExtendedAbstract_ENGLISH.pdf Ramakers and Narinx] [[#Ref025|[25]]] / [http://ehash.iaik.tugraz.at/uploads/2/27/Ramakers_Narinx2010ECHO-Hamsi-Luffa_VHDL_sources.zip Hosted by SHA-3 zoo] || [[#Implementation_of_Core_Functionality|Core functionality]] || Straight-forward instantiation of complete compression function || Xilinx Virtex 5 || align="right"| 4664 slices || align="right"| 6620 Mbit/s || align="right"| 207 MHz<br />
|-<br />
| Hamsi-256 || [http://ehash.iaik.tugraz.at/uploads/1/12/Ramakers_Narinx2010ECHO-Hamsi-Luffa_ExtendedAbstract_ENGLISH.pdf Ramakers and Narinx] [[#Ref025|[25]]] / [http://ehash.iaik.tugraz.at/uploads/2/27/Ramakers_Narinx2010ECHO-Hamsi-Luffa_VHDL_sources.zip Hosted by SHA-3 zoo] || [[#Implementation_of_Core_Functionality|Core functionality]] || Non-linear permutation block reused || Xilinx Virtex 5 || align="right"| 2113 slices || align="right"| 1970 Mbit/s || align="right"| 308 MHz<br />
<br />
|-<br />
| Hamsi-256 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 946 slices || align="right"| 2646 Mbit/s || align="right"| 248.1 MHz<br />
|-<br />
| Hamsi-256 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Altera Stratix III || align="right"| 2320 ALUTs || align="right"| 3145 Mbit/s || align="right"| 294.8 MHz<br />
<br />
|-<br />
| Hamsi-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1518 slices || align="right"| 358 Mbit/s || align="right"| 72.41 MHz<br />
|-<br />
| Hamsi-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/MATSUO_SHA-3_Criteria_Hardware_revised.pdf Matsuo et al.] [[#Ref033|[33]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS website] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 718 slices || align="right"| 1680 Mbit/s || align="right"| 210 MHz<br />
|-<br />
| Hamsi-512 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 6229 slices || align="right"| 79 Mbit/s || align="right"| 16.51 MHz<br />
<br />
|-<br />
| Hamsi-512 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 2201 slices || align="right"| 1828 Mbit/s || align="right"| 171.4 MHz<br />
|-<br />
| Hamsi-512 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Altera Stratix III || align="right"| 5668 ALUTs || align="right"| 1932 Mbit/s || align="right"| 181.2 MHz<br />
<br />
|-<br />
| JH-256 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1108 slices || align="right"| 3955 Mbit/s || align="right"| 278.1 MHz<br />
|-<br />
| JH-256 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Altera Stratix III || align="right"| 3107 ALUTs || align="right"| 5191 Mbit/s || align="right"| 365.0 MHz<br />
<br />
|-<br />
| JH-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/MATSUO_SHA-3_Criteria_Hardware_revised.pdf Matsuo et al.] [[#Ref033|[33]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS website] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 2661 slices || align="right"| 2639 Mbit/s || align="right"| 201 MHz<br />
|-<br />
| JH || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1291 slices || align="right"| 1941 Mbit/s || align="right"| 250.13 MHz<br />
<br />
|-<br />
| JH-512 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1165 slices || align="right"| 3918 Mbit/s || align="right"| 275.5 MHz<br />
|-<br />
| JH-512 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Altera Stratix III || align="right"| 3222 ALUTs || align="right"| 5105 Mbit/s || align="right"| 358.9 MHz<br />
<br />
|-<br />
| Keccak || [http://keccak.noekeon.org/Keccak-main-1.2.pdf Updated spec. (v1.2)] [[#Ref008|[8]]] / [http://keccak.noekeon.org/ Submission webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Core (round function, state register) & IO buffer || Altera Cyclone III || align="right"| 5776 LEs || align="right"| 7500 Mbit/s || align="right"| 133 MHz<br />
|-<br />
| Keccak || [http://keccak.noekeon.org/Keccak-main-1.2.pdf Updated spec. (v1.2)] [[#Ref008|[8]]] / [http://keccak.noekeon.org/ Submission webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Core (round function, state register) & IO buffer || Altera Stratix III || align="right"| 4713 ALUTs || align="right"| 12400 Mbit/s || align="right"| 218 MHz<br />
|-<br />
| Keccak || [http://www.strombergson.com/files/Keccak_in_FPGAs.pdf J. Str&ouml;mbergson] [[#Ref009|[9]]] / [http://keccak.noekeon.org/ Submission webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Core (round function, state register) only || Xilinx Spartan 3A || align="right"| 3393 slices || align="right"| 4800 Mbit/s || align="right"| 85 MHz<br />
|-<br />
| Keccak || [http://keccak.noekeon.org/Keccak-main-1.2.pdf Updated spec. (v1.2)] [[#Ref008|[8]]] / [http://keccak.noekeon.org/ Submission webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Core (round function, state register) & IO buffer || Xilinx Virtex 5 || align="right"| 1412 slices || align="right"| 6900 Mbit/s || align="right"| 122 MHz<br />
|-<br />
| Keccak(-224) || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1117 slices || align="right"| 5915 Mbit/s || align="right"| 189 MHz<br />
<br />
|-<br />
| Keccak(-256) || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1229 slices || align="right"| 10807 Mbit/s || align="right"| 238.4 MHz<br />
|-<br />
| Keccak(-256) || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Altera Stratix III || align="right"| 4458 ALUTs || align="right"| 13432 Mbit/s || align="right"| 296.3 MHz<br />
<br />
|-<br />
| Keccak(-256) || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1117 slices || align="right"| 6263 Mbit/s || align="right"| 189 MHz<br />
|-<br />
| Keccak(-256) || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/MATSUO_SHA-3_Criteria_Hardware_revised.pdf Matsuo et al.] [[#Ref033|[33]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS website] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1433 slices || align="right"| 8397 Mbit/s || align="right"| 205 MHz<br />
|-<br />
| Keccak(-384) || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1117 slices || align="right"| 8190 Mbit/s || align="right"| 189 MHz<br />
|-<br />
| Keccak(-512) || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1117 slices || align="right"| 8518 Mbit/s || align="right"| 189 MHz<br />
<br />
|-<br />
| Keccak(-512) || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1236 slices || align="right"| 6645 Mbit/s || align="right"| 276.9 MHz<br />
|-<br />
| Keccak(-512) || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Altera Stratix III || align="right"| 3575 ALUTs || align="right"| 6471 Mbit/s || align="right"| 269.6 MHz<br />
<br />
|-<br />
| Keccak || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SAVAS_SHA3_NIST_final.pdf Akin et al.] [[#Ref034|[34]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || One Keccak-f round per cycle || Xilinx Spartan 3 || align="right"| 2024 slices || align="right"| 3460 Mbit/s || align="right"| 81.4 MHz<br />
|-<br />
| Keccak || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SAVAS_SHA3_NIST_final.pdf Akin et al.] [[#Ref034|[34]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || One Keccak-f round per cycle || Xilinx Virtex-II || align="right"| 2024 slices || align="right"| 5810 Mbit/s || align="right"| 136.6 MHz<br />
|-<br />
| Keccak || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SAVAS_SHA3_NIST_final.pdf Akin et al.] [[#Ref034|[34]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || One Keccak-f round per cycle || Xilinx Virtex 4 || align="right"| 2024 slices || align="right"| 6070 Mbit/s || align="right"| 142.9 MHz<br />
|-<br />
| Luffa-256 || [http://www.vlsi.uwaterloo.ca/~ahasan/hasan_report.html Namin and Hasan] [[#Ref002|[2]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function (1 cycle latency) and I/O registers || Altera Stratix III || align="right"| 16552 ALUTs || align="right"| 12042.2 Mbit/s || align="right"| 47.04 MHz<br />
|-<br />
| Luffa-256 || [http://eprint.iacr.org/2010/010.pdf Kobayashi et al.] [[#Ref003|[3]]] / [http://www.rcis.aist.go.jp/special/SASEBO/SHA3-en.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1048 slices || align="right"| 6343 Mbit/s || align="right"| 223 MHz<br />
|-<br />
| Luffa-256 || [http://ehash.iaik.tugraz.at/uploads/1/12/Ramakers_Narinx2010ECHO-Hamsi-Luffa_ExtendedAbstract_ENGLISH.pdf Ramakers and Narinx] [[#Ref025|[25]]] / [http://ehash.iaik.tugraz.at/uploads/2/27/Ramakers_Narinx2010ECHO-Hamsi-Luffa_VHDL_sources.zip Hosted by SHA-3 zoo] || [[#Implementation_of_Core_Functionality|Core functionality]] || One step block reused for 8 rounds || Xilinx Virtex 5 || align="right"| 9611 slices || align="right"| 2303 Mbit/s || align="right"| 179 MHz<br />
|-<br />
| Luffa-256 || [http://ehash.iaik.tugraz.at/uploads/1/12/Ramakers_Narinx2010ECHO-Hamsi-Luffa_ExtendedAbstract_ENGLISH.pdf Ramakers and Narinx] [[#Ref025|[25]]] / [http://ehash.iaik.tugraz.at/uploads/2/27/Ramakers_Narinx2010ECHO-Hamsi-Luffa_VHDL_sources.zip Hosted by SHA-3 zoo] || [[#Implementation_of_Core_Functionality|Core functionality]] || Straight-forward instantiation of complete compression function || Xilinx Virtex 5 || align="right"| 9611 slices || align="right"| 12290 Mbit/s || align="right"| 48.2 MHz<br />
<br />
|-<br />
| Luffa-256 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1154 slices || align="right"| 8008 Mbit/s || align="right"| 281.5 MHz<br />
|-<br />
| Luffa-256 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Altera Stratix III || align="right"| 3304 ALUTs || align="right"| 8741 Mbit/s || align="right"| 307.3 MHz<br />
<br />
|-<br />
| Luffa-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 2221 slices || align="right"| 5333 Mbit/s || align="right"| 166.67 MHz<br />
|-<br />
| Luffa-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/MATSUO_SHA-3_Criteria_Hardware_revised.pdf Matsuo et al.] [[#Ref033|[33]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS website] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1048 slices || align="right"| 7424 Mbit/s || align="right"| 261 MHz<br />
|-<br />
| Luffa-384 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 3740 slices || align="right"| 5336 Mbit/s || align="right"| 166.75 MHz<br />
|-<br />
| Luffa-512 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 3700 slices || align="right"| 5336 Mbit/s || align="right"| 166.75 MHz<br />
<br />
|-<br />
| Luffa-512 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 2164 slices || align="right"| 7044 Mbit/s || align="right"| 220.1 MHz<br />
|-<br />
| Luffa-512 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Altera Stratix III || align="right"| 6888 ALUTs || align="right"| 8577 Mbit/s || align="right"| 268.0 MHz<br />
<br />
|-<br />
| Luffa || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SAVAS_SHA3_NIST_final.pdf Akin et al.] [[#Ref034|[34]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || Three step modules || Xilinx Spartan 3 || align="right"| 2956 slices || align="right"| 1480 Mbit/s || align="right"| 157.3 MHz<br />
|-<br />
| Luffa || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SAVAS_SHA3_NIST_final.pdf Akin et al.] [[#Ref034|[34]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || Three step modules || Xilinx Virtex-II || align="right"|2952 slices || align="right"| 8370 Mbit/s || align="right"| 301.4 MHz<br />
|-<br />
| Luffa || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SAVAS_SHA3_NIST_final.pdf Akin et al.] [[#Ref034|[34]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || Three step modules || Xilinx Virtex 4 || align="right"| 2989 slices || align="right"| 8560 Mbit/s || align="right"| 308.2 MHz<br />
|-<br />
| Shabal || [http://www.shabal.com/wp-content/plugins/download-monitor/download.php?id=FPGA-Implementation-of-Shabal-First-ResultsV2.0.pdf Feron and Francq] [[#Ref010|[10]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 36 adders in permutation || Xilinx Virtex 5 || align="right"| 1171 slices || align="right"| 2588 Mbit/s || align="right"| 126 MHz<br />
|-<br />
| Shabal || [http://eprint.iacr.org/2010/406.pdf Francq and Thuillet] [[#Ref026|[26]]] / [http://www.shabal.com/?p=170 Shabal webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 4 iterations of the permutation unrolled || Xilinx Virtex 5 || align="right"| 1715 slices || align="right"| 3242 Mbit/s || align="right"| 76 MHz<br />
|-<br />
| Shabal || [http://eprint.iacr.org/2009/342.pdf Baldwin et al.] [[#Ref004|[4]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || 36 adders in permutation || Xilinx Spartan 3 || align="right"| 2223 slices || align="right"| 740 Mbit/s || align="right"| 71.48 MHz<br />
|-<br />
| Shabal || [http://eprint.iacr.org/2009/342.pdf Baldwin et al.] [[#Ref004|[4]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || 36 adders in permutation || Xilinx Virtex 5 || align="right"| 2768 slices || align="right"| 1450 Mbit/s || align="right"| 138.87 MHz<br />
|-<br />
| Shabal || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1583 slices || align="right"| 1469 Mbit/s || align="right"| 148.04 MHz<br />
|-<br />
| Shabal-256 || [http://www.vlsi.uwaterloo.ca/~ahasan/hasan_report.html Namin and Hasan] [[#Ref002|[2]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with I/O registers (latency of 16 clock cycles) || Altera Stratix III || align="right"| 1440 ALUTs || align="right"| 3125.6 Mbit/s || align="right"| 195.35 MHz<br />
|-<br />
| Shabal-256 || [http://eprint.iacr.org/2010/010.pdf Kobayashi et al.] [[#Ref003|[3]]] / [http://www.rcis.aist.go.jp/special/SASEBO/SHA3-en.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1251 slices || align="right"| 1739 Mbit/s || align="right"| 214 MHz<br />
<br />
|-<br />
| Shabal-256 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 2 rounds unrolled || Xilinx Virtex 5 || align="right"| 1266 slices || align="right"| 2624 Mbit/s || align="right"| 128.1 MHz<br />
|-<br />
| Shabal-256 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 2 rounds unrolled || Altera Stratix III || align="right"| 3600 ALUTs || align="right"| 2598 Mbit/s || align="right"| 126.9 MHz<br />
<br />
|-<br />
| Shabal-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/MATSUO_SHA-3_Criteria_Hardware_revised.pdf Matsuo et al.] [[#Ref033|[33]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS website] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1251 slices || align="right"| 2335 Mbit/s || align="right"| 228 MHz<br />
|-<br />
| Shabal-512 || [http://eprint.iacr.org/2010/292.pdf Detrey et al.] [[#Ref023|[23]]] / [http://hwshabal.gforge.inria.fr/ INRIA webpage (see SCM tree)] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Exploiting SRL16 primitive || Xilinx Virtex 5 || align="right"| 153 slices || align="right"| 2051 Mbit/s || align="right"| 256 MHz<br />
|-<br />
| Shabal-512 || [http://eprint.iacr.org/2010/292.pdf Detrey et al.] [[#Ref023|[23]]] / [http://hwshabal.gforge.inria.fr/ INRIA webpage (see SCM tree)] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Exploiting SRL16 primitive || Xilinx Spartan 3 || align="right"| 499 slices || align="right"| 800 Mbit/s || align="right"| 100 MHz<br />
<br />
|-<br />
| Shabal-512 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 2 rounds unrolled || Xilinx Virtex 5 || align="right"| 1372 slices || align="right"| 2771 Mbit/s || align="right"| 135.3 MHz<br />
|-<br />
| Shabal-512 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 2 rounds unrolled || Altera Stratix III || align="right"| 3753 ALUTs || align="right"| 2589 Mbit/s || align="right"| 126.4 MHz<br />
<br />
|-<br />
| SHAvite-3<sub>256</sub> || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 3 clk cycles per round || Xilinx Virtex 5 || align="right"| 1130 slices || align="right"| 2886 Mbit/s || align="right"| 208.6 MHz<br />
|-<br />
| SHAvite-3<sub>256</sub> || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 3 clk cycles per round || Altera Stratix III || align="right"| 2497 ALUTs || align="right"| 3529 Mbit/s || align="right"| 255.0 MHz<br />
<br />
|-<br />
| SHAvite-3<sub>256</sub> || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 3125 slices || align="right"| 1170 Mbit/s || align="right"| 109.17 MHz<br />
|-<br />
| SHAvite-3<sub>256</sub> || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/MATSUO_SHA-3_Criteria_Hardware_revised.pdf Matsuo et al.] [[#Ref033|[33]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS website] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1063 slices || align="right"| 3382 Mbit/s || align="right"| 251 MHz<br />
|-<br />
| SHAvite-3<sub>512</sub> || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 9775 slices || align="right"| 931 Mbit/s || align="right"| 59.4 MHz<br />
<br />
|-<br />
| SHAvite-3<sub>512</sub> || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 4 clk cycles per round || Xilinx Virtex 5 || align="right"| 1954 slices || align="right"| 3835 Mbit/s || align="right"| 213.4 MHz<br />
|-<br />
| SHAvite-3<sub>512</sub> || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 4 clk cycles per round || Altera Stratix III || align="right"| 5610 ALUTs || align="right"| 3869 Mbit/s || align="right"| 215.4 MHz<br />
<br />
|-<br />
| SIMD-256 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 4 SIMD steps unrolled || Xilinx Virtex 5 || align="right"| 9288 slices || align="right"| 2326 Mbit/s || align="right"| 40.9 MHz<br />
|-<br />
| SIMD-256 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 4 SIMD steps unrolled || Altera Stratix III || align="right"| 22376 ALUTs || align="right"| 2697 Mbit/s || align="right"| 47.4 MHz<br />
<br />
|-<br />
| SIMD-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 22704 slices || align="right"| 1338 Mbit/s || align="right"| 107.2 MHz<br />
|-<br />
| SIMD-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/MATSUO_SHA-3_Criteria_Hardware_revised.pdf Matsuo et al.] [[#Ref033|[33]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS website] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 3987 slices || align="right"| 835 Mbit/s || align="right"| 75 MHz<br />
|-<br />
| SIMD-512 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 43729 slices || align="right"| 2677 Mbit/s || align="right"| 107.2 MHz<br />
<br />
|-<br />
| SIMD-512 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 4 SIMD steps unrolled || Xilinx Virtex 5 || align="right"| 17016 slices || align="right"| 4139 Mbit/s || align="right"| 36.4 MHz<br />
|-<br />
| SIMD-512 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 4 SIMD steps unrolled || Altera Stratix III || align="right"| 47671 ALUTs || align="right"| 4936 Mbit/s || align="right"| 43.4 MHz<br />
<br />
|-<br />
| Skein-256-h || [http://www.skein-hash.info/sites/default/files/skein_fpga.pdf Men Long] [[#Ref011|[11]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || UBI component || Xilinx Virtex 5 || align="right"| 1001 slices || align="right"| 408.7 Mbit/s || align="right"| 114.9 MHz<br />
|-<br />
| Skein-256-256 || [http://eprint.iacr.org/2009/159.pdf Stefan Tillich] [[#Ref012|[12]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 8 Threefish rounds unrolled || Xilinx Virtex 5 || align="right"| 937 slices || align="right"| 1751 Mbit/s || align="right"| 68.4 MHz<br />
|-<br />
| Skein-256-256 || [http://eprint.iacr.org/2009/159.pdf Stefan Tillich] [[#Ref012|[12]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 8 Threefish rounds unrolled || Xilinx Spartan 3 || align="right"| 2421 slices || align="right"| 669 Mbit/s || align="right"| 26.14 MHz<br />
|-<br />
| Skein-256-256 || [http://eprint.iacr.org/2010/010.pdf Kobayashi et al.] [[#Ref003|[3]]] / [http://www.rcis.aist.go.jp/special/SASEBO/SHA3-en.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 854 slices || align="right"| 1482 Mbit/s || align="right"| 115 MHz<br />
<br />
|-<br />
| Skein-512-256 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 4 Threefish rounds unrolled || Xilinx Virtex 5 || align="right"| 1463 slices || align="right"| 2812 Mbit/s || align="right"| 104.3 MHz<br />
|-<br />
| Skein-512-256 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 4 Threefish rounds unrolled || Altera Stratix III || align="right"| 4499 ALUTs || align="right"| 2482 Mbit/s || align="right"| 92.1 MHz<br />
<br />
|-<br />
| Skein-256-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/MATSUO_SHA-3_Criteria_Hardware_revised.pdf Matsuo et al.] [[#Ref033|[33]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS website] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 854 slices || align="right"| 1402 Mbit/s || align="right"| 115 MHz<br />
|-<br />
| Skein-512-h || [http://www.skein-hash.info/sites/default/files/skein_fpga.pdf Men Long] [[#Ref011|[11]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || UBI component || Xilinx Virtex 5 || align="right"| 1877 slices || align="right"| 817.4 Mbit/s || align="right"| 114.9 MHz<br />
|-<br />
| Skein-512-512 || [http://eprint.iacr.org/2009/159.pdf Stefan Tillich] [[#Ref012|[12]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 8 Threefish rounds unrolled || Xilinx Virtex 5 || align="right"| 1632 slices || align="right"| 3535 Mbit/s || align="right"| 69.04 MHz<br />
|-<br />
| Skein-512-512 || [http://eprint.iacr.org/2009/159.pdf Stefan Tillich] [[#Ref012|[12]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 8 Threefish rounds unrolled || Xilinx Spartan 3 || align="right"| 4273 slices || align="right"| 1365 Mbit/s || align="right"| 26.66 MHz<br />
|-<br />
| Skein-512 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1786 slices || align="right"| 1945 Mbit/s || align="right"| 83.65 MHz<br />
<br />
|-<br />
| Skein-512-512 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 4 Threefish rounds unrolled || Xilinx Virtex 5 || align="right"| 1520 slices || align="right"| 2812 Mbit/s || align="right"| 104.3 MHz<br />
|-<br />
| Skein-512-512 || [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 4 Threefish rounds unrolled || Altera Stratix III || align="right"| 4563 ALUTs || align="right"| 2482 Mbit/s || align="right"| 92.1 MHz<br />
<br />
|}<br />
<br />
(*) Estimated peak throughput ignoring I/O bottleneck resulting from specific interface: (1536 bits/block) * (70.6 * 10^6 cycles/s) / (273 cycles/block) = 397.22 * 10^6 bits/s.<br />
<br /><br />
(**) Estimated peak throughput ignoring I/O bottleneck resulting from specific interface: (1024 bits/block) * (70.6 * 10^6 cycles/s) / (341 cycles/block) = 212.01 * 10^6 bits/s.<br />
<br /><br />
(***) CubeHash16/32-h implemented in a similar fashion can be expected to have throughput increased by a factor of about 16.<br />
<br />
<br /><br />
<br /><br />
<br />
=== Low-Area Implementations (FPGA) ===<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="120"| Hash Function Name !! width="150"| Reference / HDL !! width="100"| Impl. Scope !! width="200"| Implementation Details !! width="100"| Technology !! width="80"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| BLAKE-32 || [http://eprint.iacr.org/2010/173.pdf Beuchat et al.] [[#Ref013|[13]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Rescheduled G function || Xilinx Spartan-3 || align="right"| 124 slices || align="right"| 115 Mbit/s || align="right"| 190.0 MHz<br />
|-<br />
| BLAKE-32 || [http://eprint.iacr.org/2010/173.pdf Beuchat et al.] [[#Ref013|[13]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Rescheduled G function || Xilinx Virtex-4 || align="right"| 124 slices || align="right"| 216 Mbit/s || align="right"| 357.0 MHz<br />
|-<br />
| BLAKE-32 || [http://eprint.iacr.org/2010/173.pdf Beuchat et al.] [[#Ref013|[13]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Rescheduled G function || Xilinx Virtex-5 || align="right"| 56 slices || align="right"| 225 Mbit/s || align="right"| 372.0 MHz<br />
|-<br />
| BLAKE-32 || [http://eprint.iacr.org/2010/173.pdf Beuchat et al.] [[#Ref013|[13]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Rescheduled G function || Altera Cyclone III || align="right"| 285 LEs || align="right"| 116 Mbit/s || align="right"| 192.0 MHz<br />
|-<br />
| BLAKE-32 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with 1 G function unit || Xilinx Virtex-II Pro || align="right"| 958 slices || align="right"| 371 Mbit/s || align="right"| 59.0 MHz<br />
|-<br />
| BLAKE-32 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with 1 G function unit || Xilinx Virtex 4 || align="right"| 960 slices || align="right"| 430 Mbit/s || align="right"| 68.0 MHz<br />
|-<br />
| BLAKE-32 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with 1 G function unit || Xilinx Virtex 5 || align="right"| 390 slices || align="right"| 575 Mbit/s || align="right"| 91.0 MHz<br />
|-<br />
| BLAKE-64 || [http://eprint.iacr.org/2010/173.pdf Beuchat et al.] [[#Ref013|[13]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Rescheduled G function || Xilinx Spartan-3 || align="right"| 229 slices || align="right"| 138 Mbit/s || align="right"| 158.0 MHz<br />
|-<br />
| BLAKE-64 || [http://eprint.iacr.org/2010/173.pdf Beuchat et al.] [[#Ref013|[13]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Rescheduled G function || Xilinx Virtex-4 || align="right"| 230 slices || align="right"| 219 Mbit/s || align="right"| 250.0 MHz<br />
|-<br />
| BLAKE-64 || [http://eprint.iacr.org/2010/173.pdf Beuchat et al.] [[#Ref013|[13]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Rescheduled G function || Xilinx Virtex-5 || align="right"| 108 slices || align="right"| 314 Mbit/s || align="right"| 358.0 MHz<br />
|-<br />
| BLAKE-64 || [http://eprint.iacr.org/2010/173.pdf Beuchat et al.] [[#Ref013|[13]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Rescheduled G function || Altera Cyclone III || align="right"| 542 LEs || align="right"| 123 Mbit/s || align="right"| 140.0 MHz<br />
|-<br />
| BLAKE-64 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with 1 G function unit || Xilinx Virtex-II Pro || align="right"| 1802 slices || align="right"| 326 Mbit/s || align="right"| 36.0 MHz<br />
|-<br />
| BLAKE-64 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with 1 G function unit || Xilinx Virtex 4 || align="right"| 1856 slices || align="right"| 381 Mbit/s || align="right"| 42.0 MHz<br />
|-<br />
| BLAKE-64 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with 1 G function unit || Xilinx Virtex 5 || align="right"| 939 slices || align="right"| 533 Mbit/s || align="right"| 59.0 MHz<br />
|-<br />
| Blue Midnight Wish-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/El-Hadedy_SmallSizeFPGA-BMW256.pdf El Hadedy et al.] [[#Ref032|[32]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 32-bit datapath, 1 memory block || Xilinx Virtex || align="right"| 895 slices || align="right"| 9 Mbit/s || align="right"| 38 MHz<br />
|-<br />
| Blue Midnight Wish-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/El-Hadedy_SmallSizeFPGA-BMW256.pdf El Hadedy et al.] [[#Ref032|[32]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 32-bit datapath, 2 memory blocks || Xilinx Virtex 5 || align="right"| 84 slices || align="right"| 28 Mbit/s || align="right"| 116 MHz<br />
<br />
|-<br />
| Blue Midnight Wish-256 || [http://people.item.ntnu.no/~danilog/Hash/BMW-SecondRound/SmallSizeFPGA-BMWOct2010.pdf El Hadedy et al.] [[#Ref041|[41]]] / [http://www.q2s.ntnu.no/sha3_nist_competition/start Submission webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 32-bit datapath, 3 memory blocks || Xilinx Virtex 5 || align="right"| 51 slices || align="right"| 68.71 Mbit/s || align="right"| 141 MHz<br />
|-<br />
| Blue Midnight Wish-512 || [http://people.item.ntnu.no/~danilog/Hash/BMW-SecondRound/SmallSizeFPGA-BMWOct2010.pdf El Hadedy et al.] [[#Ref041|[41]]] / [http://www.q2s.ntnu.no/sha3_nist_competition/start Submission webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 64-bit datapath, 3 memory blocks || Xilinx Virtex 5 || align="right"| 105 slices || align="right"| 112.18 Mbit/s || align="right"| 115 MHz<br />
<br />
|-<br />
| ECHO || [http://eprint.iacr.org/2010/364.pdf Beuchat et al.] [[#Ref024|[24]]] / On request from author || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Adapted towards FPGA implementation (127 slices and 1 memory block) || Xilinx Virtex 5 || align="right"| 127 slices || align="right"| 72 Mbit/s || align="right"| 352.0 MHz<br />
|-<br />
| ECHO || Announced 19-08-2010 on hash-forum@nist.gov / On request from author || [[#Fully_Autonomous_Implementation|Fully autonomous]] || All ECHO + all AES variants || Xilinx Virtex 5 || align="right"| 231 slices || align="right"| 81.7 Mbit/s (ECHO-224/256), 41.9 Mbit/s (ECHO-384/512) || align="right"| 351.0 MHz<br />
|-<br />
| Grøstl-224/256 || [http://eprint.iacr.org/2009/206.pdf Jungk et al.] [[#Ref006|[6]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 64-bit datapath, P & Q permutation in parallel || Xilinx Spartan 3 || align="right"| 2486 slices || align="right"| 404 Mbit/s || align="right"| 63.2 MHz<br />
|-<br />
| Grøstl-224/256 || [http://eprint.iacr.org/2009/206.pdf Jungk et al.] [[#Ref006|[6]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 64-bit datapath, P & Q permutation in parallel || Xilinx Virtex 2 Pro || align="right"| 2754 slices || align="right"| 512 Mbit/s || align="right"| 81.5 MHz<br />
|-<br />
| Grøstl-224/256 || [http://eprint.iacr.org/2010/260.pdf Jungk and Reith] [[#Ref022|[22]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Shared P & Q permutation, S-Box based on composite field arithmetic || Xilinx Spartan 3 || align="right"| 1276 slices || align="right"| 192 Mbit/s || align="right"| 60 MHz<br />
|-<br />
| Grøstl-384/512 || [http://eprint.iacr.org/2010/260.pdf Jungk and Reith] [[#Ref022|[22]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Shared P & Q permutation, S-Box based on composite field arithmetic || Xilinx Spartan 3 || align="right"| 2110 slices || align="right"| 144 Mbit/s || align="right"| 63 MHz<br />
|-<br />
| Keccak || [http://keccak.noekeon.org/Keccak-main-1.2.pdf Updated spec. (v1.2)] [[#Ref008|[8]]] / [http://keccak.noekeon.org/ Submission webpage] || [[#Implementation_with_External_Memory|Using external memory]] || Small core using system memory || Altera Stratix III || align="right"| 855 ALUTs || align="right"| 96.8 Mbit/s || align="right"| 366 MHz<br />
|-<br />
| Keccak || [http://keccak.noekeon.org/Keccak-main-1.2.pdf Updated spec. (v1.2)] [[#Ref008|[8]]] / [http://keccak.noekeon.org/ Submission webpage] || [[#Implementation_with_External_Memory|Using external memory]] || Small core using system memory || Altera Cyclone III || align="right"| 1559 LEs || align="right"| 47.8 Mbit/s || align="right"| 181 MHz<br />
|-<br />
| Keccak || [http://keccak.noekeon.org/Keccak-main-1.2.pdf Updated spec. (v1.2)] [[#Ref008|[8]]] / [http://keccak.noekeon.org/ Submission webpage] || [[#Implementation_with_External_Memory|Using external memory]] || Small core using system memory || Xilinx Virtex 5 || align="right"| 444 slices || align="right"| 70.1 Mbit/s || align="right"| 265 MHz<br />
<br />
|-<br />
| Luffa-256 || [http://www.sdl.hitachi.co.jp/crypto/luffa/ACompactHardwareImplementationOfSHA-3CandidateLuffa_20101105.pdf Mikami et al.] [[#Ref027|[27]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || One permutation block (64 S-boxes, 4 MixWord blocks) || Xilinx Virtex 5 || align="right"| 355 slices || align="right"| 33 Mbit/s || align="right"| 50 MHz<br />
<br />
|-<br />
| Shabal || [http://ehash.iaik.tugraz.at/uploads/d/d4/FPGA_Implementation_of_Shabal_-_First_Results.pdf Feron and Francq] [[#Ref010|[10]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 36 adders in permutation || Xilinx Virtex 5 || align="right"| 596 slices (+ 40 DSP blocks) || align="right"| 1142 Mbit/s || align="right"| 109 MHz<br />
|-<br />
| Shabal || [http://eprint.iacr.org/2009/342.pdf Baldwin et al.] [[#Ref004|[4]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || 1 adder in permutation || Xilinx Spartan 3 || align="right"| 1933 slices || align="right"| 540 Mbit/s || align="right"| 89.71 MHz<br />
|-<br />
| Shabal || [http://eprint.iacr.org/2009/342.pdf Baldwin et al.] [[#Ref004|[4]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || 1 adder in permutation || Xilinx Virtex 5 || align="right"| 2307 slices || align="right"| 1330 Mbit/s || align="right"| 222.22 MHz<br />
|-<br />
| Shabal-512 || [http://eprint.iacr.org/2010/292.pdf Detrey et al.] [[#Ref023|[23]]] / [http://hwshabal.gforge.inria.fr/ INRIA webpage (see SCM tree)] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Exploiting SRL16 primitive || Xilinx Virtex 5 || align="right"| 153 slices || align="right"| 2051 Mbit/s || align="right"| 256 MHz<br />
|-<br />
| Shabal-512 || [http://eprint.iacr.org/2010/292.pdf Detrey et al.] [[#Ref023|[23]]] / [http://hwshabal.gforge.inria.fr/ INRIA webpage (see SCM tree)] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Exploiting SRL16 primitive || Xilinx Spartan 3 || align="right"| 499 slices || align="right"| 800 Mbit/s || align="right"| 100 MHz<br />
|-<br />
| Skein-256-256 || [http://www.vlsi.uwaterloo.ca/~ahasan/hasan_report.html Namin and Hasan] [[#Ref002|[2]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || One round of Threefish iterated || Altera Stratix III || align="right"| 1385 ALUTs || align="right"| 573.9 Mbit/s || align="right"| 161.42 MHz<br />
|}<br />
<br />
<br><br><br />
<br />
=== High-Speed Implementations (ASIC) ===<br />
<br />
A comparison of implementations of all 14 round 2 candidates has been presented informally at [http://www.iaik.tugraz.at/ IAIK] (Graz University of Technology) on Sept. 16, 2009. The updated presentation slides can be found [http://ehash.iaik.tugraz.at/uploads/f/fc/20091112_SHA-3_HW_stillich.pdf here].<br />
<br />
<br /><br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="120"| Hash Function Name !! width="150"| Reference / HDL !! width="100"| Impl. Scope !! width="200"| Implementation Details !! width="100"| Technology !! width="80"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| BLAKE-32 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with 8 G function units || UMC 0.18 µm || align="right"| 58.30 kGates || align="right"| 5295 Mbit/s || align="right"| 114 MHz<br />
|-<br />
| BLAKE-32 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with 4 G function units || UMC 0.18 µm || align="right"| 41.31 kGates || align="right"| 4153 Mbit/s || align="right"| 170 MHz<br />
|-<br />
| BLAKE-32 || [http://www.vlsi.uwaterloo.ca/~ahasan/hasan_report.html Namin and Hasan] [[#Ref002|[2]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with 8 G function units and I/O registers || STM 90 nm || align="right"| 53 kGates || align="right"| 4475 Mbit/s(*) || align="right"| 96.15 MHz<br />
|-<br />
| BLAKE-32 || [http://eprint.iacr.org/2009/510.pdf Tillich et al.] [[#Ref014|[14]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Compression function with 4 G function units with CSAs || UMC 0.18 µm || align="right"| 45.64 kGates || align="right"| 3971 Mbit/s || align="right"| 170.64 MHz<br />
|-<br />
| BLAKE-32 || [http://www.springerlink.com/content/g0115v3272156r06/ Henzen et al.] [[#Ref029|[29]]] / [http://www.iis.ee.ethz.ch/~sha3/ ETH webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Four parallel G functions modules || UMC 90 nm || align="right"| 47.5 kGates || align="right"| 9752 Mbit/s || align="right"| 400 MHz<br />
|-<br />
| BLAKE-32 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SCHAUMONT_SHA3.pdf Guo et al.] [[#Ref035|[35]]] / [http://rijndael.ece.vt.edu/sha3/ VT webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || UMC 0.13 µm || align="right"| 43.52 kGates || align="right"| 4645 Mbit/s || align="right"| 200 MHz<br />
|-<br />
| BLAKE-32 || [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] [[#Ref037|[37]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || STM 90 nm || align="right"| 37 kGates || align="right"| 6668 Mbit/s || align="right"| 286.5 MHz<br />
|-<br />
| BLAKE-32 || [http://131002.net/data/papers/HAMP10.pdf Henzen et al.] [[#Ref040|[40]]] / [http://131002.net/blake/ Submission webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Compression function with 8 G function units || UMC 0.18 µm || align="right"| 79 kGates || align="right"| 6376 Mbit/s || align="right"| 137 MHz<br />
|-<br />
| BLAKE-32 || [http://131002.net/data/papers/HAMP10.pdf Henzen et al.] [[#Ref040|[40]]] / [http://131002.net/blake/ Submission webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Compression function with 4 G function units || UMC 0.18 µm || align="right"| 48 kGates || align="right"| 5847 Mbit/s || align="right"| 240 MHz<br />
|-<br />
| BLAKE-32 || [http://131002.net/data/papers/HAMP10.pdf Henzen et al.] [[#Ref040|[40]]] / [http://131002.net/blake/ Submission webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Compression function with 8 G function units || UMC 0.13 µm || align="right"| 67 kGates || align="right"| 9365 Mbit/s || align="right"| 201 MHz<br />
|-<br />
| BLAKE-32 || [http://131002.net/data/papers/HAMP10.pdf Henzen et al.] [[#Ref040|[40]]] / [http://131002.net/blake/ Submission webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Compression function with 4 G function units || UMC 0.13 µm || align="right"| 43 kGates || align="right"| 8047 Mbit/s || align="right"| 330 MHz<br />
|-<br />
| BLAKE-32 || [http://131002.net/data/papers/HAMP10.pdf Henzen et al.] [[#Ref040|[40]]] / [http://131002.net/blake/ Submission webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Compression function with 8 G function units || UMC 90 nm || align="right"| 65 kGates || align="right"| 17498 Mbit/s || align="right"| 376 MHz<br />
|-<br />
| BLAKE-32 || [http://131002.net/data/papers/HAMP10.pdf Henzen et al.] [[#Ref040|[40]]] / [http://131002.net/blake/ Submission webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Compression function with 4 G function units || UMC 90 nm || align="right"| 38 kGates || align="right"| 15143 Mbit/s || align="right"| 621 MHz<br />
|-<br />
| BLAKE-64 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with 8 G function units || UMC 0.18 µm || align="right"| 132.47 kGates || align="right"| 5910 Mbit/s || align="right"| 87 MHz<br />
|-<br />
| BLAKE-64 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with 4 G function units || UMC 0.18 µm || align="right"| 82.73 kGates || align="right"| 4810 Mbit/s || align="right"| 136 MHz<br />
|-<br />
| BLAKE-64 || [http://131002.net/data/papers/HAMP10.pdf Henzen et al.] [[#Ref040|[40]]] / [http://131002.net/blake/ Submission webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Compression function with 8 G function units || UMC 0.18 µm || align="right"| 147 kGates || align="right"| 7216 Mbit/s || align="right"| 106 MHz<br />
|-<br />
| BLAKE-64 || [http://131002.net/data/papers/HAMP10.pdf Henzen et al.] [[#Ref040|[40]]] / [http://131002.net/blake/ Submission webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Compression function with 4 G function units || UMC 0.18 µm || align="right"| 98 kGates || align="right"| 7192 Mbit/s || align="right"| 204 MHz<br />
|-<br />
| BLAKE-64 || [http://131002.net/data/papers/HAMP10.pdf Henzen et al.] [[#Ref040|[40]]] / [http://131002.net/blake/ Submission webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Compression function with 8 G function units || UMC 0.13 µm || align="right"| 139 kGates || align="right"| 10802 Mbit/s || align="right"| 158 MHz<br />
|-<br />
| BLAKE-64 || [http://131002.net/data/papers/HAMP10.pdf Henzen et al.] [[#Ref040|[40]]] / [http://131002.net/blake/ Submission webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Compression function with 4 G function units || UMC 0.13 µm || align="right"| 92 kGates || align="right"| 10265 Mbit/s || align="right"| 291 MHz<br />
|-<br />
| BLAKE-64 || [http://131002.net/data/papers/HAMP10.pdf Henzen et al.] [[#Ref040|[40]]] / [http://131002.net/blake/ Submission webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Compression function with 8 G function units || UMC 90 nm || align="right"| 128 kGates || align="right"| 20317 Mbit/s || align="right"| 298 MHz<br />
|-<br />
| BLAKE-64 || [http://131002.net/data/papers/HAMP10.pdf Henzen et al.] [[#Ref040|[40]]] / [http://131002.net/blake/ Submission webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Compression function with 4 G function units || UMC 90 nm || align="right"| 79 kGates || align="right"| 18782 Mbit/s || align="right"| 532 MHz<br />
|-<br />
| Blue Midnight Wish-256 || [http://www.vlsi.uwaterloo.ca/~ahasan/hasan_report.html Namin and Hasan] [[#Ref002|[2]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with f0, f1, and f2 unrolled in sequence and I/O registers || STM 90 nm || align="right"| 164 kGates || align="right"| 26665 Mbit/s(*) || align="right"| 52.08 MHz<br />
|-<br />
| Blue Midnight Wish-256 || [http://eprint.iacr.org/2009/510.pdf Tillich et al.] [[#Ref014|[14]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Compression function with f0, f1, and f2 unrolled || UMC 0.18 µm || align="right"| 169.74 kGates || align="right"| 5358 Mbit/s || align="right"| 10.46 MHz<br />
|-<br />
| Blue Midnight Wish-256 || [http://www.springerlink.com/content/g0115v3272156r06/ Henzen et al.] [[#Ref029|[29]]] / [http://www.iis.ee.ethz.ch/~sha3/ ETH webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || single-cycle f0 and f2, f1 iteratively || UMC 90 nm || align="right"| 150 kGates || align="right"| 8486 Mbit/s || align="right"| 298 MHz<br />
|-<br />
| Blue Midnight Wish-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SCHAUMONT_SHA3.pdf Guo et al.] [[#Ref035|[35]]] / [http://rijndael.ece.vt.edu/sha3/ VT webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || UMC 0.13 µm || align="right"| 198.17 kGates || align="right"| 12220 Mbit/s || align="right"| 48 MHz<br />
|-<br />
| Blue Midnight Wish || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SAVAS_SHA3_NIST_final.pdf Akin et al.] [[#Ref034|[34]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with f0, f1, and f2 unrolled in sequence || Synopsys 90 nm || align="right"| 55.9 kGates || align="right"| 26320 Mbit/s || align="right"| 52.63 MHz<br />
|-<br />
| Blue Midnight Wish-256 || [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] [[#Ref037|[37]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || STM 90 nm || align="right"| 128.7 kGates || align="right"| 25937 Mbit/s || align="right"| 101.3 MHz<br />
|-<br />
| CubeHash16/32-h || [http://eprint.iacr.org/2009/510.pdf Tillich et al.] [[#Ref014|[14]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Dynamically reconfigurable r and b parameters, two rounds unrolled || UMC 0.18 µm || align="right"| 58.87 kGates || align="right"| 4665 Mbit/s || align="right"| 145.77 MHz<br />
|-<br />
| CubeHash16/32-h || [http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=5236043 Bernet et al.] [[#Ref020|[20]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || One round per cycle || 0.13 µm || align="right"| 34.33 kGates || align="right"| 9248 Mbit/s(***) || align="right"| 578 MHz<br />
|-<br />
| CubeHash16/32-h || [http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=5236043 Bernet et al.] [[#Ref020|[20]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Half a round per cycle || 0.13 µm || align="right"| 21.54 kGates || align="right"| 8000 Mbit/s(***) || align="right"| 1000 MHz<br />
|-<br />
| CubeHash16/32-256 || [http://www.springerlink.com/content/g0115v3272156r06/ Henzen et al.] [[#Ref029|[29]]] / [http://www.iis.ee.ethz.ch/~sha3/ ETH webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || One round per cycle, IV fixed || UMC 90 nm || align="right"| 42.5 kGates || align="right"| 10667 Mbit/s || align="right"| 667 MHz<br />
|-<br />
| CubeHash16/32-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SCHAUMONT_SHA3.pdf Guo et al.] [[#Ref035|[35]]] / [http://rijndael.ece.vt.edu/sha3/ VT webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || UMC 0.13 µm || align="right"| 38.18 kGates || align="right"| 4624 Mbit/s || align="right"| 289 MHz<br />
|-<br />
| CubeHash16/32-256 || [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] [[#Ref037|[37]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || STM 90 nm || align="right"| 35.5 kGates || align="right"| 8247 Mbit/s || align="right"| 515.5 MHz<br />
|-<br />
| ECHO-224/256 || [http://www.ucc.ie/en/crypto/CodingandCryptographyWorkshop/TheClaudeShannonWorkshoponCodingCryptography2009/DocumentFile,75649,en.pdf Lu et al.] [[#Ref005|[5]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || 0.13 µm || align="right"| 521.1 kGates || align="right"| 14850 Mbit/s || align="right"| 87.1 MHz<br />
|-<br />
| ECHO-256 || [http://eprint.iacr.org/2009/510.pdf Tillich et al.] [[#Ref014|[14]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Four parallel AES rounds, 16 AES MixColumns 32-bit column multipliers || UMC 0.18 µm || align="right"| 141.49 kGates || align="right"| 2246 Mbit/s || align="right"| 141.84 MHz<br />
|-<br />
| ECHO-256 || [http://www.springerlink.com/content/g0115v3272156r06/ Henzen et al.] [[#Ref029|[29]]] / [http://www.iis.ee.ethz.ch/~sha3/ ETH webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 8 AES rounds per cycle || UMC 90 nm || align="right"| 260 kGates || align="right"| 13966 Mbit/s || align="right"| 291 MHz<br />
|-<br />
| ECHO-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SCHAUMONT_SHA3.pdf Guo et al.] [[#Ref035|[35]]] / [http://rijndael.ece.vt.edu/sha3/ VT webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || UMC 0.13 µm || align="right"| 92.73 kGates || align="right"| 3366 Mbit/s || align="right"| 217 MHz<br />
|-<br />
| ECHO-256 || [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] [[#Ref037|[37]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || STM 90 nm || align="right"| 101.1 kGates || align="right"| 5621 Mbit/s || align="right"| 362.3 MHz<br />
|-<br />
| ECHO-384/512 || [http://www.ucc.ie/en/crypto/CodingandCryptographyWorkshop/TheClaudeShannonWorkshoponCodingCryptography2009/DocumentFile,75649,en.pdf Lu et al.] [[#Ref005|[5]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || 0.13 µm|| align="right"| 516.8 kGates || align="right"| 7750 Mbit/s || align="right"| 83.3 MHz<br />
|-<br />
| Fugue-256 || [http://domino.research.ibm.com/comm/research_projects.nsf/pages/fugue.index.html/$FILE/NIST-submission-Oct08-fugue.pdf Submission doc.] [[#Ref015|[15]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Four columns of SMIX transformation in parallel (SUPER4_P) || IBM 90 nm || align="right"| 109.85 kGates || align="right"| 13913 Mbit/s || align="right"| 869.5 MHz<br />
|-<br />
| Fugue-256 || [http://eprint.iacr.org/2009/510.pdf Tillich et al.] [[#Ref014|[14]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Four columns of SMIX transformation in parallel || UMC 0.18 µm || align="right"| 46.26 kGates || align="right"| 4092 Mbit/s || align="right"| 255.75 MHz<br />
|-<br />
| Fugue-256 || [http://www.springerlink.com/content/g0115v3272156r06/ Henzen et al.] [[#Ref029|[29]]] / [http://www.iis.ee.ethz.ch/~sha3/ ETH webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || S-box as LUT || UMC 90 nm || align="right"| 55 kGates || align="right"| 8815 Mbit/s || align="right"| 551 MHz<br />
|-<br />
| Fugue-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SCHAUMONT_SHA3.pdf Guo et al.] [[#Ref035|[35]]] / [http://rijndael.ece.vt.edu/sha3/ VT webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || UMC 0.13 µm || align="right"| 91.09 kGates || align="right"| 2385 Mbit/s || align="right"| 149 MHz<br />
|-<br />
| Fugue-256 || [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] [[#Ref037|[37]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || STM 90 nm || align="right"| 56.7 kGates || align="right"| 2721 Mbit/s || align="right"| 170.1 MHz<br />
|-<br />
| Grøstl-256 || [http://eprint.iacr.org/2009/510.pdf Tillich et al.] [[#Ref014|[14]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || One shared permutation for P & Q, one pipeline stage || UMC 0.18 µm || align="right"| 58.40 kGates || align="right"| 6290 Mbit/s || align="right"| 270.27 MHz<br />
|-<br />
| Grøstl-256 || [http://www.springerlink.com/content/g0115v3272156r06/ Henzen et al.] [[#Ref029|[29]]] / [http://www.iis.ee.ethz.ch/~sha3/ ETH webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || P and Q permutation interleaved with one pipeline stage, S-box as LUT || UMC 90 nm || align="right"| 135 kGates || align="right"| 16254 Mbit/s || align="right"| 667 MHz<br />
|-<br />
| Grøstl-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SCHAUMONT_SHA3.pdf Guo et al.] [[#Ref035|[35]]] / [http://rijndael.ece.vt.edu/sha3/ VT webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || UMC 0.13 µm || align="right"| 110.11 kGates || align="right"| 9606 Mbit/s || align="right"| 188 MHz<br />
|-<br />
| Grøstl-256 || [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] [[#Ref037|[37]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || STM 90 nm || align="right"| 139.1 kGates || align="right"| 17297 Mbit/s || align="right"| 337.8 MHz<br />
<br />
|-<br />
| Grøstl-256 || [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/others.html RCIS webpage] [[#Ref039|[39]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/others.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || STM 90 nm || align="right"| 120.8 kGates || align="right"| 16275 Mbit/s || align="right"| 349.7 MHz<br />
<br />
|-<br />
| Grøstl-384/512 || [http://www.groestl.info/Groestl.pdf Submission doc.] [[#Ref007|[7]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || P & Q permutation in parallel || UMC 0.18 µm || align="right"| 341 kGates || align="right"| 6225 Mbit/s || align="right"| 85.1 MHz<br />
|-<br />
| Hamsi-256 || [http://homes.esat.kuleuven.be/~okucuk/hamsi/implementations.html Junfeng Fan (Hamsi website)] [[#Ref016|[16]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || 0.13 µm || align="right"| 22 kGates || align="right"| 4940 Mbit/s || align="right"| 1080 MHz<br />
|-<br />
| Hamsi-256 || [http://eprint.iacr.org/2009/510.pdf Tillich et al.] [[#Ref014|[14]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Three instances of P/Pf function unrolled || UMC 0.18 µm || align="right"| 58.66 kGates || align="right"| 5565 Mbit/s || align="right"| 173.91 MHz<br />
|-<br />
| Hamsi-256 || [http://www.springerlink.com/content/g0115v3272156r06/ Henzen et al.] [[#Ref029|[29]]] / [http://www.iis.ee.ethz.ch/~sha3/ ETH webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Message expansions in LUTs, one round per cycle || UMC 90 nm || align="right"| 45 kGates || align="right"| 8686 Mbit/s || align="right"| 814 MHz<br />
|-<br />
| Hamsi-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SCHAUMONT_SHA3.pdf Guo et al.] [[#Ref035|[35]]] / [http://rijndael.ece.vt.edu/sha3/ VT webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || UMC 0.13 µm || align="right"| 29.94 kGates || align="right"| 3571 Mbit/s || align="right"| 446 MHz<br />
|-<br />
| Hamsi-256 || [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] [[#Ref037|[37]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || STM 90 nm || align="right"| 67.6 kGates || align="right"| 7767 Mbit/s || align="right"| 970.9 MHz<br />
|-<br />
| Hamsi-512 || [http://homes.esat.kuleuven.be/~okucuk/hamsi/implementations.html Junfeng Fan (Hamsi website)] [[#Ref016|[16]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || 0.13 µm || align="right"| 50 kGates || align="right"| 3970 Mbit/s || align="right"| 820 MHz<br />
|-<br />
| JH-256 || [http://eprint.iacr.org/2009/510.pdf Tillich et al.] [[#Ref014|[14]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 320 S-boxes, one round of R<sub>8</sub> per cycle || UMC 0.18 µm || align="right"| 58.83 kGates || align="right"| 4991 Mbit/s || align="right"| 380.22 MHz<br />
|-<br />
| JH-256 || [http://www.springerlink.com/content/g0115v3272156r06/ Henzen et al.] [[#Ref029|[29]]] / [http://www.iis.ee.ethz.ch/~sha3/ ETH webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || S-boxes as LUTs, stored constants || UMC 90 nm || align="right"| 80 kGates || align="right"| 10807 Mbit/s || align="right"| 760 MHz<br />
|-<br />
| JH-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SCHAUMONT_SHA3.pdf Guo et al.] [[#Ref035|[35]]] / [http://rijndael.ece.vt.edu/sha3/ VT webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || UMC 0.13 µm || align="right"| 62.42 kGates || align="right"| 5128 Mbit/s || align="right"| 391 MHz<br />
|-<br />
| JH-256 || [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] [[#Ref037|[37]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || STM 90 nm || align="right"| 54.6 kGates || align="right"| 10022 Mbit/s || align="right"| 763.4 MHz<br />
|-<br />
| Keccak || [http://keccak.noekeon.org/Keccak-main-1.2.pdf Updated spec. (v1.2)] [[#Ref008|[8]]] / [http://keccak.noekeon.org/ Submission webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Core (round function, state register) & IO buffer || ST 0.13 µm || align="right"| 48 kGates || align="right"| 29900 Mbit/s || align="right"| 526 MHz<br />
|-<br />
| Keccak || [http://keccak.noekeon.org/Keccak-specifications.pdf Submission doc.] [[#Ref008|[8]]] / [http://keccak.noekeon.org/ Submission webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Core (round function, state register) only || ST 0.13 µm || align="right"| 40 kGates || align="right"| 15000 Mbit/s || align="right"| 500 MHz<br />
|-<br />
| Keccak(-256) || [http://eprint.iacr.org/2009/510.pdf Tillich et al.] [[#Ref014|[14]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || One instance of Keccak-f round || UMC 0.18 µm || align="right"| 56.32 kGates || align="right"| 21229 Mbit/s || align="right"| 487.80 MHz<br />
|-<br />
| Keccak(-256) || [http://www.springerlink.com/content/g0115v3272156r06/ Henzen et al.] [[#Ref029|[29]]] / [http://www.iis.ee.ethz.ch/~sha3/ ETH webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || One round per cycle || UMC 90 nm || align="right"| 50 kGates || align="right"| 43011 Mbit/s || align="right"| 949 MHz<br />
|-<br />
| Keccak(-256) || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SCHAUMONT_SHA3.pdf Guo et al.] [[#Ref035|[35]]] / [http://rijndael.ece.vt.edu/sha3/ VT webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || UMC 0.13 µm || align="right"| 47.43 kGates || align="right"| 15457 Mbit/s || align="right"| 377 MHz<br />
|-<br />
| Keccak || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SAVAS_SHA3_NIST_final.pdf Akin et al.] [[#Ref034|[34]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || One Keccak-f round per cycle || Synopsys 90 nm || align="right"| 10.5 kGates || align="right"| 19320 Mbit/s || align="right"| 454.5 MHz<br />
|-<br />
| Keccak(-256) || [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] [[#Ref037|[37]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || STM 90 nm || align="right"| 50.7 kGates || align="right"| 33333 Mbit/s || align="right"| 781.3 MHz<br />
<br />
|-<br />
| Keccak(-256) || [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/others.html RCIS webpage] [[#Ref039|[39]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/others.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || STM 90 nm || align="right"| 55.9 kGates || align="right"| 43986 Mbit/s || align="right"| 1030.9 MHz<br />
<br />
|-<br />
| Luffa-224/256 || [http://www.cosic.esat.kuleuven.be/publications/article-1282.pdf Knežević and Verbauwhede] [[#Ref017|[17]]] / [http://homes.esat.kuleuven.be/~mknezevi/luffa/luffa_hw_code.tar.gz Author's webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Three permutation blocks in parallel (64 S-boxes, 4 MixWord blocks each) || UMC 0.13 µm || align="right"| 30.83 kGates || align="right"| 31960 Mbit/s || align="right"| 1124 MHz<br />
|-<br />
| Luffa-256 || [http://www.vlsi.uwaterloo.ca/~ahasan/hasan_report.html Namin and Hasan] [[#Ref002|[2]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function (1 cycle latency) and I/O registers || STM 90 nm || align="right"| 122 kGates || align="right"| 25702 Mbit/s(*) || align="right"| 100.4 MHz<br />
|-<br />
| Luffa-224/256 || [http://eprint.iacr.org/2009/510.pdf Tillich et al.] [[#Ref014|[14]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Three permutation blocks in parallel (64 S-boxes, 4 MixWord blocks each) || UMC 0.18 µm || align="right"| 44.97 kGates || align="right"| 13741 Mbit/s || align="right"| 483.09 MHz<br />
|-<br />
| Luffa-256 || [http://www.springerlink.com/content/g0115v3272156r06/ Henzen et al.] [[#Ref029|[29]]] / [http://www.iis.ee.ethz.ch/~sha3/ ETH webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Three parallel step modules, SubCrumb as logic || UMC 90 nm || align="right"| 55 kGates || align="right"| 23256 Mbit/s || align="right"| 727 MHz<br />
|-<br />
| Luffa-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SCHAUMONT_SHA3.pdf Guo et al.] [[#Ref035|[35]]] / [http://rijndael.ece.vt.edu/sha3/ VT webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || UMC 0.13 µm || align="right"| 37.94 kGates || align="right"| 13943 Mbit/s || align="right"| 490 MHz<br />
|-<br />
| Luffa-256 || [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] [[#Ref037|[37]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || STM 90 nm || align="right"| 39.6 kGates || align="right"| 28732 Mbit/s || align="right"| 1010.1 MHz<br />
<br />
|-<br />
| Luffa-256 || [http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=5513102&tag=1 Satoh et al.] [[#Ref038|[38]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/others.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Three permutation blocks in parallel (64 S-boxes, 4 MixWord blocks each), two rounds unrolled || STM 90 nm || align="right"| 62.8 kGates || align="right"| 35068.5 Mbit/s || align="right"| 684.9 MHz<br />
<br />
|-<br />
| Luffa-384 || [http://www.cosic.esat.kuleuven.be/publications/article-1282.pdf Knežević and Verbauwhede] [[#Ref017|[17]]] / [http://homes.esat.kuleuven.be/~mknezevi/luffa/luffa_hw_code.tar.gz Author's webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Four permutation blocks in parallel (64 S-boxes, 4 MixWord blocks each) || UMC 0.13 µm || align="right"| 50.07 kGates || align="right"| 23126 Mbit/s || align="right"| 813 MHz<br />
|-<br />
| Luffa-512 || [http://www.cosic.esat.kuleuven.be/publications/article-1282.pdf Knežević and Verbauwhede] [[#Ref017|[17]]] / [http://homes.esat.kuleuven.be/~mknezevi/luffa/luffa_hw_code.tar.gz Author's webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Five permutation blocks in parallel (64 S-boxes, 4 MixWord blocks each) || UMC 0.13 µm || align="right"| 65.1 kGates || align="right"| 19617 Mbit/s || align="right"| 690 MHz<br />
|-<br />
| Luffa || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SAVAS_SHA3_NIST_final.pdf Akin et al.] [[#Ref034|[34]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || Three step modules || Synopsys 90 nm || align="right"| 11.5 kGates || align="right"| 21370 Mbit/s || align="right"| 769.2 MHz<br />
|-<br />
| Shabal-256 || [http://www.vlsi.uwaterloo.ca/~ahasan/hasan_report.html Namin and Hasan] [[#Ref002|[2]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with I/O registers (latency of 16 clock cycles) || STM 90 nm || align="right"| 20 kGates || align="right"| 4408 Mbit/s(*) || align="right"| 413.22 MHz<br />
|-<br />
| Shabal-256 || [http://eprint.iacr.org/2009/510.pdf Tillich et al.] [[#Ref014|[14]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || One word rotation per cycle, 50 cycles per block || UMC 0.18 µm || align="right"| 54.19 kGates || align="right"| 3282 Mbit/s || align="right"| 320.51 MHz<br />
|-<br />
| Shabal || [http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=5236043 Bernet et al.] [[#Ref020|[20]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || One word rotation per cycle, 52 cycles per block || 0.13 µm || align="right"| 41.32 kGates || align="right"| 6351 Mbit/s(***) || align="right"| 645 MHz<br />
|-<br />
| Shabal-256 || [http://www.springerlink.com/content/g0115v3272156r06/ Henzen et al.] [[#Ref029|[29]]] / [http://www.iis.ee.ethz.ch/~sha3/ ETH webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 30 adders, 16 subtractors || UMC 90 nm || align="right"| 45 kGates || align="right"| 6819 Mbit/s || align="right"| 693 MHz<br />
|-<br />
| Shabal-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SCHAUMONT_SHA3.pdf Guo et al.] [[#Ref035|[35]]] / [http://rijndael.ece.vt.edu/sha3/ VT webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || UMC 0.13 µm || align="right"| 49.44 kGates || align="right"| 2945 Mbit/s || align="right"| 362 MHz<br />
|-<br />
| Shabal-256 || [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] [[#Ref037|[37]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || STM 90 nm || align="right"| 34.6 kGates || align="right"| 6059 Mbit/s || align="right"| 591.7 MHz<br />
|-<br />
| SHAvite-3<sub>256</sub> || [http://eprint.iacr.org/2009/510.pdf Tillich et al.] [[#Ref014|[14]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Four AES rounds (two for compression, two for message expansion) || UMC 0.18 µm || align="right"| 57.39 kGates || align="right"| 3152 Mbit/s || align="right"| 227.79 MHz<br />
|-<br />
| SHAvite-3<sub>256</sub> || [http://www.springerlink.com/content/g0115v3272156r06/ Henzen et al.] [[#Ref029|[29]]] / [http://www.iis.ee.ethz.ch/~sha3/ ETH webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || One AES round each for message expansion and F<sup>3</sup> round || UMC 90 nm || align="right"| 75 kGates || align="right"| 7999 Mbit/s || align="right"| 562 MHz<br />
|-<br />
| SHAvite-3<sub>256</sub> || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SCHAUMONT_SHA3.pdf Guo et al.] [[#Ref035|[35]]] / [http://rijndael.ece.vt.edu/sha3/ VT webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || UMC 0.13 µm || align="right"| 55.25 kGates || align="right"| 4599 Mbit/s || align="right"| 341 MHz<br />
|-<br />
| SHAvite-3<sub>256</sub> || [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] [[#Ref037|[37]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || STM 90 nm || align="right"| 59.4 kGates || align="right"| 8421 Mbit/s || align="right"| 625 MHz<br />
|-<br />
| SIMD-256(**) || [http://eprint.iacr.org/2009/510.pdf Tillich et al.] [[#Ref014|[14]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Two FFT-64 with two FFT-8 and 16 multipliers (8x8 bit) each || UMC 0.18 µm || align="right"| 104.17 kGates || align="right"| 924 Mbit/s || align="right"| 64.93 MHz<br />
|-<br />
| SIMD-256 || [http://www.springerlink.com/content/g0115v3272156r06/ Henzen et al.] [[#Ref029|[29]]] / [http://www.iis.ee.ethz.ch/~sha3/ ETH webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Four parallel Feistel modules, message expansion based on NNT<sub>8</sub> and eight multipliers || UMC 90 nm || align="right"| 135 kGates || align="right"| 5177 Mbit/s || align="right"| 364 MHz<br />
|-<br />
| SIMD-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SCHAUMONT_SHA3.pdf Guo et al.] [[#Ref035|[35]]] / [http://rijndael.ece.vt.edu/sha3/ VT webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || UMC 0.13 µm || align="right"| 139.55 kGates || align="right"| 2157 Mbit/s || align="right"| 194 MHz<br />
|-<br />
| SIMD-256 || [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] [[#Ref037|[37]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || STM 90 nm || align="right"| 139 kGates || align="right"| 3171 Mbit/s || align="right"| 284.9 MHz<br />
|-<br />
| Skein-256-256 || [http://eprint.iacr.org/2009/159.pdf Stefan Tillich] [[#Ref012|[12]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 8 Threefish rounds unrolled || UMC 0.18 µm || align="right"| 53.87 kGates || align="right"| 1762 Mbit/s || align="right"| 68.8 MHz<br />
|-<br />
| Skein-256-256 || [http://www.vlsi.uwaterloo.ca/~ahasan/hasan_report.html Namin and Hasan] [[#Ref002|[2]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || All 72 Threefish rounds unrolled || STM 90 nm || align="right"| 369 kGates || align="right"| 3126 Mbit/s(*) || align="right"| 12.21 MHz<br />
|-<br />
| Skein-256-256 || [http://eprint.iacr.org/2009/510.pdf Tillich et al.] [[#Ref014|[14]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 8 Threefish rounds unrolled || UMC 0.18 µm || align="right"| 58.61 kGates || align="right"| 1882 Mbit/s || align="right"| 73.52 MHz<br />
|-<br />
| Skein-256-256 || [http://www.springerlink.com/content/g0115v3272156r06/ Henzen et al.] [[#Ref029|[29]]] / [http://www.iis.ee.ethz.ch/~sha3/ ETH webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Four unrolled Threefish rounds || UMC 90 nm || align="right"| 50 kGates || align="right"| 3558 Mbit/s || align="right"| 264 MHz<br />
|-<br />
| Skein-256-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SCHAUMONT_SHA3.pdf Guo et al.] [[#Ref035|[35]]] / [http://rijndael.ece.vt.edu/sha3/ VT webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || UMC 0.13 µm || align="right"| 40.9 kGates || align="right"| 1941 Mbit/s || align="right"| 159 MHz<br />
|-<br />
| Skein-256-256 || [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] [[#Ref037|[37]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || STM 90 nm || align="right"| 43.1 kGates || align="right"| 3295 Mbit/s || align="right"| 270.3 MHz<br />
|-<br />
| Skein-512-512 || [http://eprint.iacr.org/2009/510.pdf Tillich et al.] [[#Ref014|[14]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 8 Threefish rounds unrolled || UMC 0.18 µm || align="right"| 102.04 kGates || align="right"| 2502 Mbit/s || align="right"| 48.87 MHz<br />
|-<br />
| Skein-512 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/WALKER_skein-intel-hwd.pdf Walker et al.] [[#Ref036|[36]]] / N/A] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 8 Threefish rounds unrolled || Intel 32 nm || align="right"| 57.93 kGates || align="right"| 32320 Mbit/s || align="right"| 631.31 MHz<br />
|}<br />
<br />
(*) Estimated peak throughput for the minimal delay of compression function: 1000 * (Input Size in bits) / [(Compression Function Delay in ns) * (Number of Cycles)] = Throughput in Mbit/s.<br />
<br /><br />
(**) Implementation of round-one variant.<br />
<br /><br />
(***) Estimated peak throughput: Throughput for CubeHash8/1-h implementation * 16.<br />
<br />
<br><br><br />
<br />
=== Low-Area Implementations (ASIC) ===<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="120"| Hash Function Name !! width="150"| Reference / HDL !! width="100"| Impl. Scope !! width="200"| Implementation Details !! width="100"| Technology !! width="80"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| BLAKE-32 || [http://eprint.iacr.org/2009/349.pdf Tillich et al.] [[#Ref018|[18]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || One G function in 11 cycles || AMS 0.35 µm || align="right"| 25.57 kGates || align="right"| 15.4 Mbit/s || align="right"| 31.25 MHz<br />
|-<br />
| BLAKE-32 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with a single G function unit || UMC 0.18 µm || align="right"| 10.54 kGates || align="right"| 253 Mbit/s || align="right"| 40 MHz<br />
|-<br />
| BLAKE-32 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with a half G function unit || UMC 0.18 µm || align="right"| 9.89 kGates || align="right"| 127 Mbit/s || align="right"| 40 MHz<br />
|-<br />
| BLAKE-32 || [http://131002.net/data/papers/HAMP10.pdf Henzen et al.] [[#Ref040|[40]]] / [http://131002.net/blake/ Submission webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 1 adder and 4-word latch array || UMC 0.18 µm || align="right"| 13.56 kGates || align="right"| 135 Mbit/s || align="right"| 215 MHz<br />
|-<br />
| BLAKE-32 || [http://131002.net/data/papers/HAMP10.pdf Henzen et al.] [[#Ref040|[40]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_with_External_Memory|Using external memory]] || 1 adder and 4-word latch array || UMC 0.18 µm || align="right"| 8.60 kGates || align="right"| 62 Mbit/s || align="right"| 100 MHz<br />
|-<br />
| BLAKE-64 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with a single G function unit || UMC 0.18 µm || align="right"| 20.61 kGates || align="right"| 181 Mbit/s || align="right"| 20 MHz<br />
|-<br />
| BLAKE-64 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with a half G function unit || UMC 0.18 µm || align="right"| 19.46 kGates || align="right"| 91 Mbit/s || align="right"| 20 MHz<br />
|-<br />
| CubeHash16/32-h || [http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=5236043 Bernet et al.] [[#Ref020|[20]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Process two 32-bit words per cycle, 64 cycles per round || 0.13 µm || align="right"| 7.63 kGates || align="right"| 32 Mbit/s(****) || align="right"| 100 MHz<br />
|-<br />
| ECHO-224/256 || [http://www.ucc.ie/en/crypto/CodingandCryptographyWorkshop/TheClaudeShannonWorkshoponCodingCryptography2009/DocumentFile,75649,en.pdf Lu et al.] [[#Ref005|[5]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || 0.13 µm || align="right"| 82.8 kGates || align="right"| 373 Mbit/s || align="right"| 66.6 MHz<br />
|-<br />
| Fugue-256 || [http://domino.research.ibm.com/comm/research_projects.nsf/pages/fugue.index.html/$FILE/NIST-submission-Oct08-fugue.pdf Submission doc.] [[#Ref015|[15]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || One SMIX transformation (SUPER1_L) || IBM 90 nm || align="right"| 59.22 kGates || align="right"| 2000 Mbit/s || align="right"| 500 MHz<br />
|-<br />
| Grøstl-224/256 || [http://eprint.iacr.org/2009/349.pdf Tillich et al.] [[#Ref018|[18]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 64-bit datapath, P & Q permutation shared || AMS 0.35 µm || align="right"| 14.62 kGates || align="right"| 145.9 Mbit/s || align="right"| 55.87 MHz<br />
|-<br />
| Grøstl-224/256 || [http://www.groestl.info Grøstl website] [[#Ref019|[19]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 64-bit datapath, P & Q permutation shared || UMC 0.18 µm || align="right"| 17 kGates || align="right"| 645 Mbit/s || align="right"| 246.9 MHz<br />
<br />
|-<br />
| Grøstl-256 || [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/others.html RCIS webpage] [[#Ref039|[39]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/others.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || STM 90 nm || align="right"| 34.8 kGates || align="right"| 2478 Mbit/s || align="right"| 101.6 MHz<br />
<br />
|-<br />
| Keccak || [http://keccak.noekeon.org/Keccak-main-1.2.pdf Updated spec. (v1.2)] [[#Ref008|[8]]] / [http://keccak.noekeon.org/ Submission webpage] || [[#Implementation_with_External_Memory|Using external memory]] || Small core using system memory || ST 0.13 µm || align="right"| 6.5 kGates || align="right"| 176.4 Mbit/s(*) || align="right"| 666.7 MHz<br />
|-<br />
| Keccak || [http://keccak.noekeon.org/Keccak-main-1.2.pdf Updated spec. (v1.2)] [[#Ref008|[8]]] / [http://keccak.noekeon.org/ Submission webpage] || [[#Implementation_with_External_Memory|Using external memory]] || Small core using system memory, clock freq. limited to 200 MHz || ST 0.13 µm || align="right"| 5 kGates || align="right"| 52.9 Mbit/s(**) || align="right"| 200 MHz<br />
|-<br />
| Luffa-224/256 || [http://www.cosic.esat.kuleuven.be/publications/article-1282.pdf Knežević and Verbauwhede] [[#Ref017|[17]]] / [http://homes.esat.kuleuven.be/~mknezevi/luffa/luffa_hw_code.tar.gz Author's webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || One permutation block (64 S-boxes, 4 MixWord blocks) || UMC 0.13 µm || align="right"| 18.26 kGates || align="right"| 2461 Mbit/s || align="right"| 250 MHz<br />
|-<br />
| Luffa-256 || [http://www.sdl.hitachi.co.jp/crypto/luffa/ACompactHardwareImplementationOfSHA-3CandidateLuffa_20101105.pdf Mikami et al.] [[#Ref027|[27]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || One permutation block (64 S-boxes, 4 MixWord blocks) || UMC 0.13 µm || align="right"| 10.34 kGates || align="right"| 538 Mbit/s || align="right"| 806 MHz<br />
<br />
|-<br />
| Luffa-256 || [http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=5513102&tag=1 Satoh et al.] [[#Ref038|[38]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/others.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || One permutation block (64 S-boxes, 4 MixWord blocks) || STM 90 nm || align="right"| 14.7 kGates || align="right"| 3641.1 Mbit/s || align="right"| 355.9 MHz<br />
<br />
|-<br />
| Luffa-384 || [http://www.cosic.esat.kuleuven.be/publications/article-1282.pdf Knežević and Verbauwhede] [[#Ref017|[17]]] / [http://homes.esat.kuleuven.be/~mknezevi/luffa/luffa_hw_code.tar.gz Author's webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 6 S-boxes, 1 MixWord || TSMC 90 nm || align="right"| 27.13 kGates || align="right"| 1882 Mbit/s || align="right"| 250 MHz<br />
|-<br />
| Luffa-512 || [http://www.cosic.esat.kuleuven.be/publications/article-1282.pdf Knežević and Verbauwhede] [[#Ref017|[17]]] / [http://homes.esat.kuleuven.be/~mknezevi/luffa/luffa_hw_code.tar.gz Author's webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || One permutation block (64 S-boxes, 4 MixWord blocks) || UMC 0.13 µm || align="right"| 37.35 kGates || align="right"| 1524 Mbit/s || align="right"| 250 MHz<br />
|-<br />
| Shabal || [http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=5236043 Bernet et al.] [[#Ref020|[20]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || One adder, one subtractor, one incrementer. 165 cycles per block || 0.13 µm || align="right"| 23.32 kGates || align="right"| 310 Mbit/s || align="right"| 100 MHz<br />
|-<br />
| Skein-256-256 || [http://eprint.iacr.org/2009/349.pdf Tillich et al.] [[#Ref018|[18]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 64-bit datapath || AMS 0.35 µm || align="right"| 12.89 kGates || align="right"| 19.8 Mbit/s || align="right"| 80 MHz<br />
|-<br />
| Skein-256-256 || [http://www.vlsi.uwaterloo.ca/~ahasan/hasan_report.html Namin and Hasan] [[#Ref002|[2]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || One round of Threefish iterated || STM 90 nm || align="right"| 21 kGates || align="right"| 1018.8 Mbit/s(***) || align="right"| 286.53 MHz<br />
|}<br />
<br />
(*) Estimation for 64-bit memory interface: (1024 bits/permutation) * (666.7 * 10^6 cycles/s) / (3870 cycles/permutation) = 176.41 * 10^6 bits/s<br />
<br /><br />
(**) Estimation for 64-bit memory interface: (1024 bits/permutation) * (200 * 10^6 cycles/s) / (3870 cycles/permutation) = 52.92 * 10^6 bits/s<br />
<br /><br />
(***) Estimated peak throughput for the minimal delay of compression function: 1000 * (Input Size in bits) / [(Compression Function Delay in ns) * (Number of Cycles)] = Throughput in Mbit/s<br />
<br /><br />
(****) Estimated peak throughput: Throughput for CubeHash8/1-h implementation * 16.<br />
<br />
<br /><br />
<br /><br />
<br />
== Comparative Studies ==<br />
<br />
This section summarizes the reported results of publications which examined more than one round-two candidate in a similar setup.<br />
<br />
=== Blake, BMW, Luffa, Shabal, Skein ===<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="200"| Reference !! width="120"| HDL !! width="120"| Category !! width="100"| Impl. Scope !! width="120"| Technology<br />
|- <br />
| [http://www.vlsi.uwaterloo.ca/~ahasan/hasan_report.html Namin and Hasan] [[#Ref002|[2]]] || N/A || [[#High-Speed_Implementations_(FPGA)|High-speed FPGA]] || [[#Implementation_of_Core_Functionality|Core functionality]] || Altera Stratix III<br />
|}<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="140"| Hash Function Name !! width="270"| Impl. Details !! width="90"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| BLAKE-32 || Compression function with 8 G function units and I/O registers || align="right"| 5435 ALUTs || align="right"| 2186.2 Mbit/s || align="right"| 46.97 MHz<br />
|-<br />
| Blue Midnight Wish-256 || Compression function with f0, f1, and f2 unrolled in sequence and I/O registers || align="right"| 12917 ALUTs || align="right"| 4889.6 Mbit/s || align="right"| 9.55 MHz<br />
|-<br />
| Luffa-256 || Compression function (1 cycle latency) and I/O registers || align="right"| 16552 ALUTs || align="right"| 12042.2 Mbit/s || align="right"| 47.04 MHz<br />
|-<br />
| Shabal-256 || Compression function with I/O registers (latency of 16 clock cycles) || align="right"| 1440 ALUTs || align="right"| 3125.6 Mbit/s || align="right"| 195.35 MHz<br />
|-<br />
| Skein-256-256 || All 72 Threefish rounds unrolled (device too small) || align="right"| N/A || align="right"| N/A || align="right"| N/A<br />
|}<br />
<br />
<br />
----<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="200"| Reference !! width="120"| HDL !! width="120"| Category !! width="100"| Impl. Scope !! width="120"| Technology<br />
|- <br />
| [http://www.vlsi.uwaterloo.ca/~ahasan/hasan_report.html Namin and Hasan] [[#Ref002|[2]]] || N/A || [[#High-Speed_Implementations_(ASIC)|High-speed ASIC]] || [[#Implementation_of_Core_Functionality|Core functionality]] || STM 90 nm<br />
|}<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="140"| Hash Function Name !! width="270"| Impl. Details !! width="90"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| BLAKE-32 || Compression function with 8 G function units and I/O registers || align="right"| 53 kGates || align="right"| 4475 Mbit/s(*) || align="right"| 96.15 MHz<br />
|-<br />
| Blue Midnight Wish-256 || Compression function with f0, f1, and f2 unrolled in sequence and I/O registers || align="right"| 164 kGates || align="right"| 26665 Mbit/s(*) || align="right"| 52.08 MHz<br />
|-<br />
| Luffa-256 || Compression function (1 cycle latency) and I/O registers || align="right"| 122 kGates || align="right"| 25702 Mbit/s(*) || align="right"| 100.4 MHz<br />
|-<br />
| Shabal-256 || Compression function with I/O registers (latency of 16 clock cycles) || align="right"| 20 kGates || align="right"| 4408 Mbit/s(*) || align="right"| 413.22 MHz<br />
|-<br />
| Skein-256-256 || All 72 Threefish rounds unrolled || align="right"| 369 kGates || align="right"| 3126 Mbit/s(*) || align="right"| 12.21 MHz<br />
|}<br />
<br />
(*) Estimated peak throughput for the minimal delay of compression function: 1000 * (Input Size in bits) / [(Compression Function Delay in ns) * (Number of Cycles)] = Throughput in Mbit/s.<br />
<br />
<br /><br />
<br /><br />
<br />
=== Blake, CubeHash, ECHO, Grøstl, Hamsi, Luffa, Shabal, Skein ===<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="200"| Reference !! width="120"| HDL !! width="120"| Category !! width="100"| Impl. Scope !! width="120"| Technology<br />
|- <br />
| [http://eprint.iacr.org/2010/010.pdf Kobayashi et al.] [[#Ref003|[3]]] || [http://www.rcis.aist.go.jp/special/SASEBO/SHA3-en.html RCIS webpage] || [[#High-Speed_Implementations_(FPGA)|High-speed FPGA]] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Xilinx Virtex 5<br />
|}<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="140"| Hash Function Name !! width="270"| Impl. Details !! width="90"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| BLAKE-32 || || align="right"| 1660 slices || align="right"| 2676 Mbit/s || align="right"| 115 MHz<br />
|-<br />
| CubeHash16/32-256 || || align="right"| 590 slices || align="right"| 2960 Mbit/s || align="right"| 185 MHz<br />
|-<br />
| ECHO-256 || || align="right"| 3556 slices || align="right"| 1614 Mbit/s || align="right"| 104 MHz<br />
|-<br />
| Grøstl-256 || || align="right"| 4057 slices || align="right"| 5171 Mbit/s || align="right"| 101 MHz<br />
|-<br />
| Hamsi-256 || || align="right"| 718 slices || align="right"| 1680 Mbit/s || align="right"| 210 MHz<br />
|-<br />
| Luffa-256 || || align="right"| 1048 slices || align="right"| 6343 Mbit/s || align="right"| 223 MHz<br />
|-<br />
| Shabal-256 || || align="right"| 1251 slices || align="right"| 1739 Mbit/s || align="right"| 214 MHz<br />
|-<br />
| Skein-256 || || align="right"| 854 slices || align="right"| 1482 Mbit/s || align="right"| 115 MHz<br />
|}<br />
<br />
<br /><br />
<br /><br />
<br />
=== CubeHash, Grøstl, Shabal ===<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="200"| Reference !! width="120"| HDL !! width="120"| Category !! width="100"| Impl. Scope !! width="120"| Technology<br />
|- <br />
| [http://eprint.iacr.org/2009/342.pdf Baldwin et al.] [[#Ref004|[4]]] || N/A || [[#High-Speed_Implementations_(FPGA)|High-speed FPGA]] || [[#Implementation_of_Core_Functionality|Core functionality]] || Xilinx Spartan 3<br />
|}<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="140"| Hash Function Name !! width="270"| Impl. Details !! width="90"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| CubeHash8/1-256(*) || 2 compression functions unrolled || align="right"| 3268 slices || align="right"| 70 Mbit/s || align="right"| 37.9 MHz<br />
|-<br />
| Grøstl-224/256 || P & Q permutation in parallel, S-box in BRAM || align="right"| 4827 slices || align="right"| 3660 Mbit/s || align="right"| 71.53 MHz<br />
|-<br />
| Grøstl-384/512 || P & Q permutation parallel, S-box in LUTs || align="right"| 17452 slices || align="right"| 3180 Mbit/s || align="right"| 79.61 MHz<br />
|-<br />
| Shabal || 36 adders in permutation || align="right"| 2223 slices || align="right"| 740 Mbit/s || align="right"| 71.48 MHz<br />
|}<br />
<br />
(*) CubeHash16/32-h implemented in a similar fashion can be expected to have throughput increased by a factor of about 16.<br />
<br />
<br />
----<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="200"| Reference !! width="120"| HDL !! width="120"| Category !! width="100"| Impl. Scope !! width="120"| Technology<br />
|- <br />
| [http://eprint.iacr.org/2009/342.pdf Baldwin et al.] [[#Ref004|[4]]] || N/A || [[#High-Speed_Implementations_(FPGA)|High-speed FPGA]] || [[#Implementation_of_Core_Functionality|Core functionality]] || Xilinx Virtex 5<br />
|}<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="140"| Hash Function Name !! width="270"| Impl. Details !! width="90"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| CubeHash8/1-256(*) || 1 iterated compression function || align="right"| 1178 slices || align="right"| 160 Mbit/s || align="right"| 166.8 MHz<br />
|-<br />
| Grøstl-224/256 || P & Q permutation in parallel, S-box in BRAM || align="right"| 4516 slices || align="right"| 7310 Mbit/s || align="right"| 142.87 MHz<br />
|-<br />
| Grøstl-384/512 || P & Q permutation parallel, S-box in LUTs || align="right"| 19161 slices || align="right"| 6090 Mbit/s || align="right"| 83.33 MHz<br />
|-<br />
| Shabal || 36 adders in permutation || align="right"| 2768 slices || align="right"| 1450 Mbit/s || align="right"| 138.87 MHz<br />
|}<br />
<br />
(*) CubeHash16/32-h implemented in a similar fashion can be expected to have throughput increased by a factor of about 16.<br />
<br />
<br /><br />
<br /><br />
<br />
=== All 14 Round-Two Candidates ===<br />
<br />
Reported results are post-synthesis. An interactive graphical comparison of various area-performance tradeoffs of this study can be found [http://www.iaik.tugraz.at/content/research/vlsi/sha3hw/ here].<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="200"| Reference !! width="120"| HDL !! width="120"| Category !! width="100"| Impl. Scope !! width="120"| Technology<br />
|- <br />
| [http://eprint.iacr.org/2009/510.pdf Tillich et al.] [[#Ref014|[14]]] || [mailto:mfeldhof@iaik.tugraz.at On request] || [[#High-Speed_Implementations_(ASIC)|High-speed ASIC]] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || UMC 0.18 µm<br />
|}<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="140"| Hash Function Name !! width="270"| Impl. Details !! width="90"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| BLAKE-32 || Compression function with 4 G function units with CSAs || align="right"| 45.64 kGates || align="right"| 3971 Mbit/s || align="right"| 170.64 MHz<br />
|-<br />
| Blue Midnight Wish-256 || Compression function with f0, f1, and f2 unrolled || align="right"| 169.74 kGates || align="right"| 5358 Mbit/s || align="right"| 10.46 MHz<br />
|-<br />
| CubeHash16/32-h || Dynamically reconfigurable r and b parameters, two rounds unrolled || align="right"| 58.87 kGates || align="right"| 4665 Mbit/s || align="right"| 145.77 MHz<br />
|-<br />
| ECHO-256 || Four parallel AES rounds, 16 AES MixColumns 32-bit column multipliers || align="right"| 141.49 kGates || align="right"| 2246 Mbit/s || align="right"| 141.84 MHz<br />
|-<br />
| Fugue-256 || Four columns of SMIX transformation in parallel || align="right"| 46.26 kGates || align="right"| 4092 Mbit/s || align="right"| 255.75 MHz<br />
|-<br />
| Grøstl-256 || One shared permutation for P & Q, one pipeline stage || align="right"| 58.40 kGates || align="right"| 6290 Mbit/s || align="right"| 270.27 MHz<br />
|-<br />
| Hamsi-256 || Three instances of P/Pf function unrolled || align="right"| 58.66 kGates || align="right"| 5565 Mbit/s || align="right"| 173.91 MHz<br />
|-<br />
| JH-256 || 320 S-boxes, one round of R<sub>8</sub> per cycle || align="right"| 58.83 kGates || align="right"| 4991 Mbit/s || align="right"| 380.22 MHz<br />
|-<br />
| Keccak(-256) || One instance of Keccak-f round || align="right"| 56.32 kGates || align="right"| 21229 Mbit/s || align="right"| 487.80 MHz<br />
|-<br />
| Luffa-224/256 || Three permutation blocks in parallel (64 S-boxes, 4 MixWord blocks each) || align="right"| 44.97 kGates || align="right"| 13741 Mbit/s || align="right"| 483.09 MHz<br />
|-<br />
| Shabal-256 || One word rotation per cycle, 50 cycles per block || align="right"| 54.19 kGates || align="right"| 3282 Mbit/s || align="right"| 320.51 MHz<br />
|-<br />
| SHAvite-3<sub>256</sub> || Four AES rounds (two for compression, two for message expansion) || align="right"| 57.39 kGates || align="right"| 3152 Mbit/s || align="right"| 227.79 MHz<br />
|-<br />
| SIMD-256(*) || Two FFT-64 with two FFT-8 and 16 multipliers (8x8 bit) each || align="right"| 104.17 kGates || align="right"| 924 Mbit/s || align="right"| 64.93 MHz<br />
|-<br />
| Skein-256-256 || 8 Threefish rounds unrolled || align="right"| 58.61 kGates || align="right"| 1882 Mbit/s || align="right"| 73.52 MHz<br />
|-<br />
| Skein-512-512 || 8 Threefish rounds unrolled || align="right"| 102.04 kGates || align="right"| 2502 Mbit/s || align="right"| 48.87 MHz<br />
|}<br />
<br />
(*) Implementation of round-one variant.<br />
<br />
<br /><br />
<br /><br />
<br />
=== BLAKE, Grøstl, Skein ===<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="200"| Reference !! width="120"| HDL !! width="120"| Category !! width="100"| Impl. Scope !! width="120"| Technology<br />
|- <br />
| [http://eprint.iacr.org/2009/349.pdf Tillich et al.] [[#Ref018|[18]]] || N/A || [[#Low-Area_Implementations_(ASIC)|Low-area ASIC]] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || AMS 0.35 µm<br />
|}<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="140"| Hash Function Name !! width="270"| Impl. Details !! width="90"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| BLAKE-32 || One G function in 11 cycles || align="right"| 25.57 kGates || align="right"| 15.4 Mbit/s || align="right"| 31.25 MHz<br />
|-<br />
| Grøstl-224/256 || 64-bit datapath, P & Q permutation shared || align="right"| 14.62 kGates || align="right"| 145.9 Mbit/s || align="right"| 55.87 MHz<br />
|-<br />
| Skein-256-256 || 64-bit datapath || align="right"| 12.89 kGates || align="right"| 19.8 Mbit/s || align="right"| 80 MHz<br />
|}<br />
<br />
<br />
=== ECHO, Hamsi, Luffa ===<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="200"| Reference !! width="120"| HDL !! width="120"| Category !! width="100"| Impl. Scope !! width="120"| Technology<br />
|- <br />
| [http://ehash.iaik.tugraz.at/uploads/1/12/Ramakers_Narinx2010ECHO-Hamsi-Luffa_ExtendedAbstract_ENGLISH.pdf Ramakers and Narinx] [[#Ref025|[25]]] || [http://ehash.iaik.tugraz.at/uploads/2/27/Ramakers_Narinx2010ECHO-Hamsi-Luffa_VHDL_sources.zip Hosted by SHA-3 zoo] || [[#High-Speed_Implementations_(FPGA)|High-speed FPGA]] || [[#Implementation_of_Core_Functionality|Core functionality]] || Xilinx Virtex 5<br />
|}<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="140"| Hash Function Name !! width="270"| Impl. Details !! width="90"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| ECHO-256 || Straight-forward instantiation of complete compression function || align="right"| 15006 slices || align="right"| 23860 Mbit/s || align="right"| 139 MHz<br />
|-<br />
| ECHO-256 || Optimized: 4 x 2 AES round instances with pipeline register in BigSubWords || align="right"| 12061 slices || align="right"| 3560 Mbit/s || align="right"| 187 MHz<br />
|-<br />
| Hamsi-256 || Straight-forward instantiation of complete compression function || align="right"| 4664 slices || align="right"| 6620 Mbit/s || align="right"| 207 MHz<br />
|-<br />
| Hamsi-256 || Non-linear permutation block reused || align="right"| 2113 slices || align="right"| 1970 Mbit/s || align="right"| 308 MHz<br />
|-<br />
| Luffa-256 || Straight-forward instantiation of complete compression function || align="right"| 9611 slices || align="right"| 12290 Mbit/s || align="right"| 48.2 MHz<br />
|-<br />
| Luffa-256 || One step block reused for 8 rounds || align="right"| 2303 slices || align="right"| 5090 Mbit/s || align="right"| 179 MHz<br />
|}<br />
<br />
<br />
=== All 14 Round-Two Candidates ===<br />
<br />
Reported results of this study are post-P&amp;R performances of designs targeting high throughput.<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="200"| Reference !! width="120"| HDL !! width="120"| Category !! width="100"| Impl. Scope !! width="120"| Technology<br />
|- <br />
| [http://www.springerlink.com/content/g0115v3272156r06/ Henzen et al.] [[#Ref029|[29]]] || [http://www.iis.ee.ethz.ch/~sha3/ ETH webpage] || [[#High-Speed_Implementations_(ASIC)|High-speed ASIC]] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || UMC 90 nm<br />
|}<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="140"| Hash Function Name !! width="270"| Impl. Details !! width="90"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| BLAKE-32 || Four parallel G functions modules || align="right"| 47.5 kGates || align="right"| 9752 Mbit/s || align="right"| 400 MHz<br />
|-<br />
| Blue Midnight Wish-256 || single-cycle f0 and f2, f1 iteratively || align="right"| 150 kGates || align="right"| 8486 Mbit/s || align="right"| 298 MHz<br />
|-<br />
| CubeHash16/32-256 || One round per cycle, IV fixed || align="right"| 42.5 kGates || align="right"| 10667 Mbit/s || align="right"| 667 MHz<br />
|-<br />
| ECHO-256 || 8 AES rounds per cycle || align="right"| 260 kGates || align="right"| 13966 Mbit/s || align="right"| 291 MHz<br />
|-<br />
| Fugue-256 || S-box as LUT || align="right"| 55 kGates || align="right"| 8815 Mbit/s || align="right"| 551 MHz<br />
|-<br />
| Grøstl-256 || P and Q permutation interleaved with one pipeline stage, S-box as LUT || align="right"| 135 kGates || align="right"| 16254 Mbit/s || align="right"| 667 MHz<br />
|-<br />
| Hamsi-256 || Message expansions in LUTs, one round per cycle || align="right"| 45 kGates || align="right"| 8686 Mbit/s || align="right"| 814 MHz<br />
|-<br />
| JH-256 || S-boxes as LUTs, stored constants || align="right"| 80 kGates || align="right"| 10807 Mbit/s || align="right"| 760 MHz<br />
|-<br />
| Keccak(-256) || One round per cycle || align="right"| 50 kGates || align="right"| 43011 Mbit/s || align="right"| 949 MHz<br />
|-<br />
| Luffa-256 || Three parallel step modules, SubCrumb as logic || align="right"| 55 kGates || align="right"| 23256 Mbit/s || align="right"| 727 MHz<br />
|-<br />
| Shabal-256 || 30 adders, 16 subtractors || align="right"| 45 kGates || align="right"| 6819 Mbit/s || align="right"| 693 MHz<br />
|-<br />
| SHAvite-3<sub>256</sub> || One AES round each for message expansion and F<sup>3</sup> round || align="right"| 75 kGates || align="right"| 7999 Mbit/s || align="right"| 562 MHz<br />
|-<br />
| SIMD-256 || Four parallel Feistel modules, message expansion based on NNT<sub>8</sub> and eight multipliers || align="right"| 135 kGates || align="right"| 5177 Mbit/s || align="right"| 364 MHz<br />
|-<br />
| Skein-256-256 || Four unrolled Threefish rounds || align="right"| 50 kGates || align="right"| 3558 Mbit/s || align="right"| 264 MHz<br />
|}<br />
<br />
<br /><br />
<br /><br />
<br />
<br />
=== All 14 Round-Two Candidates ===<br />
<br />
Designs optimized towards throughput to area ratio. The cited results are those for the Xilinx Virtex 5 and Altera Stratix III platforms (both for the 256-bit and the 512-bit version of the candidates). For a full listing of all ATHENa results refer to the [http://cryptography.gmu.edu/athena/ ATHENa webpage].<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="200"| Reference !! width="120"| HDL !! width="120"| Category !! width="100"| Impl. Scope !! width="120"| Technology<br />
|- <br />
| [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] || N/A || [[#High-Speed_Implementations_(FPGA)|High-speed FPGA]] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Xilinx Virtex 5<br />
|}<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="140"| Hash Function Name !! width="270"| Impl. Details !! width="90"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
<br />
|-<br />
| BLAKE-32 || 4 G function units per iteration || align="right"| 1871 slices || align="right"| 2854 Mbit/s || align="right"| 117.1 MHz<br />
|-<br />
| BLAKE-64 || 4 G function units per iteration || align="right"| 3276 slices || align="right"| 3743 Mbit/s || align="right"| 106.0 MHz<br />
|-<br />
| Blue Midnight Wish-256 || Fully unrolled || align="right"| 4400 slices || align="right"| 5577 Mbit/s || align="right"| 10.9 MHz<br />
|-<br />
| Blue Midnight Wish-512 || Fully unrolled || align="right"| 10401 slices || align="right"| 8656 Mbit/s || align="right"| 8.5 MHz<br />
|-<br />
| CubeHash16/32-256 || || align="right"| 707 slices || align="right"| 3445 Mbit/s || align="right"| 215.3 MHz<br />
|-<br />
| CubeHash16/32-512 || || align="right"| 764 slices || align="right"| 3509 Mbit/s || align="right"| 219.3 MHz<br />
|-<br />
| ECHO-256 || 3 clk cycles per round || align="right"| 5445 slices || align="right"| 13874 Mbit/s || align="right"| 234.9 MHz<br />
|-<br />
| ECHO-512 || 3 clk cycles per round || align="right"| 5958 slices || align="right"| 6431 Mbit/s || align="right"| 201.0 MHz<br />
|-<br />
| Fugue-256 || 2 clk cycles per round || align="right"| 729 slices || align="right"| 3512 Mbit/s || align="right"| 219.5 MHz<br />
|-<br />
| Fugue-512 || 4 clk cycles per round || align="right"| 955 slices || align="right"| 1862 Mbit/s || align="right"| 232.7 MHz<br />
|-<br />
| Grøstl-256 || P & Q permutations interleaved || align="right"| 1716 slices || align="right"| 8546 Mbit/s || align="right"| 350.5 MHz<br />
|-<br />
| Grøstl-512 || P & Q permutations interleaved || align="right"| 3155 slices || align="right"| 11498 Mbit/s || align="right"| 325.6 MHz<br />
|-<br />
| Hamsi-256 || || align="right"| 946 slices || align="right"| 2646 Mbit/s || align="right"| 248.1 MHz<br />
|-<br />
| Hamsi-512 || || align="right"| 2201 slices || align="right"| 1828 Mbit/s || align="right"| 171.4 MHz<br />
|-<br />
| JH-256 || || align="right"| 1108 slices || align="right"| 3955 Mbit/s || align="right"| 278.1 MHz<br />
|-<br />
| JH-512 || || align="right"| 1165 slices || align="right"| 3918 Mbit/s || align="right"| 275.5 MHz<br />
|-<br />
| Keccak(-256) || || align="right"| 1229 slices || align="right"| 10807 Mbit/s || align="right"| 238.4 MHz<br />
|-<br />
| Keccak(-512) || || align="right"| 1236 slices || align="right"| 6645 Mbit/s || align="right"| 276.9 MHz<br />
|-<br />
| Luffa-256 || || align="right"| 1154 slices || align="right"| 8008 Mbit/s || align="right"| 281.5 MHz<br />
|-<br />
| Luffa-512 || || align="right"| 2164 slices || align="right"| 7044 Mbit/s || align="right"| 220.1 MHz<br />
|-<br />
| Shabal-256 || 2 rounds unrolled || align="right"| 1266 slices || align="right"| 2624 Mbit/s || align="right"| 128.1 MHz<br />
|-<br />
| Shabal-512 || 2 rounds unrolled || align="right"| 1372 slices || align="right"| 2771 Mbit/s || align="right"| 135.3 MHz<br />
|-<br />
| SHAvite-3<sub>256</sub> || 3 clk cycles per round || align="right"| 1130 slices || align="right"| 2886 Mbit/s || align="right"| 208.6 MHz<br />
|-<br />
| SHAvite-3<sub>512</sub> || 4 clk cycles per round || align="right"| 1954 slices || align="right"| 3835 Mbit/s || align="right"| 213.4 MHz<br />
|-<br />
| SIMD-256 || 4 SIMD steps unrolled || align="right"| 9288 slices || align="right"| 2326 Mbit/s || align="right"| 40.9 MHz<br />
|-<br />
| SIMD-512 || 4 SIMD steps unrolled || align="right"| 17016 slices || align="right"| 4139 Mbit/s || align="right"| 36.4 MHz<br />
|-<br />
| Skein-512-256 || 4 Threefish rounds unrolled || align="right"| 1463 slices || align="right"| 2812 Mbit/s || align="right"| 104.3 MHz<br />
|-<br />
| Skein-512-512 || 4 Threefish rounds unrolled || align="right"| 1520 slices || align="right"| 2812 Mbit/s || align="right"| 104.3 MHz<br />
<br />
|}<br />
<br />
<br />
----<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="200"| Reference !! width="120"| HDL !! width="120"| Category !! width="100"| Impl. Scope !! width="120"| Technology<br />
|- <br />
| [http://eprint.iacr.org/2010/445.pdf Homsirikamol et al.] [[#Ref030|[30]]] || N/A || [[#High-Speed_Implementations_(FPGA)|High-speed FPGA]] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Altera Stratix III<br />
|}<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="140"| Hash Function Name !! width="270"| Impl. Details !! width="90"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
<br />
|-<br />
| BLAKE-32 || 4 G function units per iteration || align="right"| 1779 ALUTs || align="right"| 3037 Mbit/s || align="right"| 124.6 MHz<br />
|-<br />
| BLAKE-64 || 4 G function units per iteration || align="right"| 3414 ALUTs || align="right"| 3298 Mbit/s || align="right"| 93.4 MHz<br />
|-<br />
| Blue Midnight Wish-256 || Fully unrolled || align="right"| 12632 ALUTs || align="right"| 8422 Mbit/s || align="right"| 16.5 MHz<br />
|-<br />
| Blue Midnight Wish-512 || Fully unrolled || align="right"| 25225 ALUTs || align="right"| 7619 Mbit/s || align="right"| 7.4 MHz<br />
|-<br />
| CubeHash16/32-256 || || align="right"| 1928 ALUTs || align="right"| 3777 Mbit/s || align="right"| 236.1 MHz<br />
|-<br />
| CubeHash16/32-512 || || align="right"| 1924 ALUTs || align="right"| 3489 Mbit/s || align="right"| 218.1 MHz<br />
|-<br />
| ECHO-256 || 3 clk cycles per round || align="right"| 21689 ALUTs || align="right"| 9700 Mbit/s || align="right"| 164.2 MHz<br />
|-<br />
| ECHO-512 || 3 clk cycles per round || align="right"| 20085 ALUTs || align="right"| 7872 Mbit/s || align="right"| 246.0 MHz<br />
|-<br />
| Fugue-256 || 2 clk cycles per round || align="right"| 2352 ALUTs || align="right"| 3765 Mbit/s || align="right"| 235.3 MHz<br />
|-<br />
| Fugue-512 || 4 clk cycles per round || align="right"| 2680 ALUTs || align="right"| 1878 Mbit/s || align="right"| 234.8 MHz<br />
|-<br />
| Grøstl-256 || P & Q permutations interleaved || align="right"| 3103 ALUTs || align="right"| 6589 Mbit/s || align="right"| 270.3 MHz<br />
|-<br />
| Grøstl-512 || P & Q permutations interleaved || align="right"| 6288 ALUTs || align="right"| 8841 Mbit/s || align="right"| 250.4 MHz<br />
|-<br />
| Hamsi-256 || || align="right"| 2320 ALUTs || align="right"| 3145 Mbit/s || align="right"| 294.8 MHz<br />
|-<br />
| Hamsi-512 || || align="right"| 5668 ALUTs || align="right"| 1932 Mbit/s || align="right"| 181.2 MHz<br />
|-<br />
| JH-256 || || align="right"| 3107 ALUTs || align="right"| 5191 Mbit/s || align="right"| 365.0 MHz<br />
|-<br />
| JH-512 || || align="right"| 3222 ALUTs || align="right"| 5105 Mbit/s || align="right"| 358.9 MHz<br />
|-<br />
| Keccak(-256) || || align="right"| 4458 ALUTs || align="right"| 13432 Mbit/s || align="right"| 296.3 MHz<br />
|-<br />
| Keccak(-512) || || align="right"| 3575 ALUTs || align="right"| 6471 Mbit/s || align="right"| 269.6 MHz<br />
|-<br />
| Luffa-256 || || align="right"| 3304 ALUTs || align="right"| 8741 Mbit/s || align="right"| 307.3 MHz<br />
|-<br />
| Luffa-512 || || align="right"| 6888 ALUTs || align="right"| 8577 Mbit/s || align="right"| 268.0 MHz<br />
|-<br />
| Shabal-256 || 2 rounds unrolled || align="right"| 3600 ALUTs || align="right"| 2598 Mbit/s || align="right"| 126.9 MHz<br />
|-<br />
| Shabal-512 || 2 rounds unrolled || align="right"| 3753 ALUTs || align="right"| 2589 Mbit/s || align="right"| 126.4 MHz<br />
|-<br />
| SHAvite-3<sub>256</sub> || 3 clk cycles per round || align="right"| 2497 ALUTs || align="right"| 3529 Mbit/s || align="right"| 255.0 MHz<br />
|-<br />
| SHAvite-3<sub>512</sub> || 4 clk cycles per round || align="right"| 5610 ALUTs || align="right"| 3869 Mbit/s || align="right"| 215.4 MHz<br />
|-<br />
| SIMD-256 || 4 SIMD steps unrolled || align="right"| 22376 ALUTs || align="right"| 2697 Mbit/s || align="right"| 47.4 MHz<br />
|-<br />
| SIMD-512 || 4 SIMD steps unrolled || align="right"| 47671 ALUTs || align="right"| 4936 Mbit/s || align="right"| 43.4 MHz<br />
|-<br />
| Skein-512-256 || 4 Threefish rounds unrolled || align="right"| 4499 ALUTs || align="right"| 2482 Mbit/s || align="right"| 92.1 MHz<br />
|-<br />
| Skein-512-512 || 4 Threefish rounds unrolled || align="right"| 4563 ALUTs || align="right"| 2482 Mbit/s || align="right"| 92.1 MHz<br />
<br />
|}<br />
<br />
<br /><br />
<br /><br />
<br />
=== All 14 Round-Two Candidates ===<br />
<br />
Results are without wrapper for long messages.<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="200"| Reference !! width="120"| HDL !! width="120"| Category !! width="100"| Impl. Scope !! width="120"| Technology<br />
|- <br />
| [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] || [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#High-Speed_Implementations_(FPGA)|High-speed FPGA]] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Xilinx Virtex 5<br />
|}<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="140"| Hash Function Name !! width="270"| Impl. Details !! width="90"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| BLAKE-32 || || align="right"| 1118 slices || align="right"| 1169 Mbit/s || align="right"| 118.06 MHz<br />
|-<br />
| BLAKE-64 || || align="right"| 1718 slices || align="right"| 1299 Mbit/s || align="right"| 90.91 MHz<br />
|-<br />
| Blue Midnight Wish-256 || || align="right"| 4997 slices || align="right"| 457 Mbit/s || align="right"| 14.02 MHz<br />
|-<br />
| Blue Midnight Wish-512 || || align="right"| 9810 slices || align="right"| 287 Mbit/s || align="right"| 10 MHz<br />
|-<br />
| CubeHash8/32 || || align="right"| 695 slices || align="right"| 2509 Mbit/s || align="right"| 166.83 MHz<br />
|-<br />
| ECHO-256 || || align="right"| 7372 slices || align="right"| 5373 Mbit/s || align="right"| 198.93 MHz<br />
|-<br />
| ECHO-512 || || align="right"| 8633 slices || align="right"| 18133 Mbit/s || align="right"| 166.69 MHz<br />
|-<br />
| Fugue-256 || || align="right"| 1689 slices || align="right"| 914 Mbit/s || align="right"| 200.04 MHz<br />
|-<br />
| Fugue-384 || || align="right"| 2380 slices || align="right"| 640 Mbit/s || align="right"| 200.08 MHz<br />
|-<br />
| Fugue-512 || || align="right"| 2596 slices || align="right"| 481 Mbit/s || align="right"| 200.16 MHz<br />
|-<br />
| Grøstl-256 || || align="right"| 2391 slices || align="right"| 3242 Mbit/s || align="right"| 101.32 MHz<br />
|-<br />
| Grøstl-512 || || align="right"| 4845 slices || align="right"| 3619 Mbit/s || align="right"| 123.4 MHz<br />
|-<br />
| Hamsi-256 || || align="right"| 1518 slices || align="right"| 358 Mbit/s || align="right"| 72.41 MHz<br />
|-<br />
| Hamsi-512 || || align="right"| 6229 slices || align="right"| 79 Mbit/s || align="right"| 16.51 MHz<br />
|-<br />
| JH || || align="right"| 1291 slices || align="right"| 1941 Mbit/s || align="right"| 250.13 MHz<br />
|-<br />
| Keccak(-224) || || align="right"| 1117 slices || align="right"| 5915 Mbit/s || align="right"| 189 MHz<br />
|-<br />
| Keccak(-256) || || align="right"| 1117 slices || align="right"| 6263 Mbit/s || align="right"| 189 MHz<br />
|-<br />
| Keccak(-384) || || align="right"| 1117 slices || align="right"| 8190 Mbit/s || align="right"| 189 MHz<br />
|-<br />
| Keccak(-512) || || align="right"| 1117 slices || align="right"| 8518 Mbit/s || align="right"| 189 MHz<br />
|-<br />
| Luffa-256 || || align="right"| 2221 slices || align="right"| 5333 Mbit/s || align="right"| 166.67 MHz<br />
|-<br />
| Luffa-384 || || align="right"| 3740 slices || align="right"| 5336 Mbit/s || align="right"| 166.75 MHz<br />
|-<br />
| Luffa-512 || || align="right"| 3700 slices || align="right"| 5336 Mbit/s || align="right"| 166.75 MHz<br />
|-<br />
| Shabal || || align="right"| 1583 slices || align="right"| 1469 Mbit/s || align="right"| 148.04 MHz<br />
|-<br />
| SHAvite-3<sub>256</sub> || || align="right"| 3125 slices || align="right"| 1170 Mbit/s || align="right"| 109.17 MHz<br />
|-<br />
| SHAvite-3<sub>512</sub> || || align="right"| 9775 slices || align="right"| 931 Mbit/s || align="right"| 59.4 MHz<br />
|-<br />
| SIMD-256 || || align="right"| 22704 slices || align="right"| 1338 Mbit/s || align="right"| 107.2 MHz<br />
|-<br />
| SIMD-512 || || align="right"| 43729 slices || align="right"| 2677 Mbit/s || align="right"| 107.2 MHz<br />
|-<br />
| Skein-512 || || align="right"| 1786 slices || align="right"| 1945 Mbit/s || align="right"| 83.65 MHz<br />
|}<br />
<br />
<br /><br />
<br /><br />
<br />
<br />
=== All 14 Round-Two Candidates ===<br />
<br />
Results include throughputs without interface overhead.<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="200"| Reference !! width="120"| HDL !! width="120"| Category !! width="100"| Impl. Scope !! width="120"| Technology<br />
|- <br />
| [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/MATSUO_SHA-3_Criteria_Hardware_revised.pdf Matsuo et al.] [[#Ref033|[33]]] || [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] || [[#High-Speed_Implementations_(FPGA)|High-speed FPGA]] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Xilinx Virtex 5<br />
|}<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="140"| Hash Function Name !! width="270"| Impl. Details !! width="90"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| BLAKE-32 || || align="right"| 1660 slices || align="right"| 2676 Mbit/s || align="right"| 115 MHz<br />
|-<br />
| Blue Midnight Wish-256 || || align="right"| 4350 slices || align="right"| 8704 Mbit/s || align="right"| 34 MHz<br />
|-<br />
| CubeHash16/32-256 || || align="right"| 590 slices || align="right"| 2960 Mbit/s || align="right"| 185 MHz<br />
|-<br />
| ECHO-256 || || align="right"| 2827 slices || align="right"| 2312 Mbit/s || align="right"| 149 MHz<br />
|-<br />
| Fugue-256 || || align="right"| 4013 slices || align="right"| 1248 Mbit/s || align="right"| 78 MHz<br />
|-<br />
| Grøstl-256 || || align="right"| 2616 slices || align="right"| 7885 Mbit/s || align="right"| 154 MHz<br />
|-<br />
| Hamsi-256 || || align="right"| 718 slices || align="right"| 1680 Mbit/s || align="right"| 210 MHz<br />
|-<br />
| JH-256 || || align="right"| 2661 slices || align="right"| 2639 Mbit/s || align="right"| 201 MHz<br />
|-<br />
| Keccak(-256) || || align="right"| 1433 slices || align="right"| 8397 Mbit/s || align="right"| 205 MHz<br />
|-<br />
| Luffa-256 || || align="right"| 1048 slices || align="right"| 7424 Mbit/s || align="right"| 261 MHz<br />
|-<br />
| Shabal-256 || || align="right"| 1251 slices || align="right"| 2335 Mbit/s || align="right"| 228 MHz<br />
|-<br />
| SHAvite-3<sub>256</sub> || || align="right"| 1063 slices || align="right"| 3382 Mbit/s || align="right"| 251 MHz<br />
|-<br />
| SIMD-256 || || align="right"| 3987 slices || align="right"| 835 Mbit/s || align="right"| 75 MHz<br />
|-<br />
| Skein-256-256 || || align="right"| 854 slices || align="right"| 1402 Mbit/s || align="right"| 115 MHz<br />
|}<br />
<br />
<br />
----<br />
<br />
<br />
Same implementations as in [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/MATSUO_SHA-3_Criteria_Hardware_revised.pdf Matsuo et al.] [[#Ref033|[33]]] implemented on STM 90 nm technology.<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="200"| Reference !! width="120"| HDL !! width="120"| Category !! width="100"| Impl. Scope !! width="120"| Technology<br />
|- <br />
| [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] [[#Ref037|[37]]] || [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] || [[#High-Speed_Implementations_(ASIC)|High-speed ASIC]] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || STM 90 nm<br />
|}<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="140"| Hash Function Name !! width="270"| Impl. Details !! width="90"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| BLAKE-32 || || align="right"| 37 kGates || align="right"| 6668 Mbit/s || align="right"| 286.5 MHz<br />
|-<br />
| Blue Midnight Wish-256 || || align="right"| 128.7 kGates || align="right"| 25937 Mbit/s || align="right"| 101.3 MHz<br />
|-<br />
| CubeHash16/32-256 || || align="right"| 35.5 kGates || align="right"| 8247 Mbit/s || align="right"| 515.5 MHz<br />
|-<br />
| ECHO-256 || || align="right"| 101.1 kGates || align="right"| 5621 Mbit/s || align="right"| 362.3 MHz<br />
|-<br />
| Fugue-256 || || align="right"| 56.7 kGates || align="right"| 2721 Mbit/s || align="right"| 170.1 MHz<br />
|-<br />
| Grøstl-256 || || align="right"| 139.1 kGates || align="right"| 17297 Mbit/s || align="right"| 337.8 MHz<br />
|-<br />
| Hamsi-256 || || align="right"| 67.6 kGates || align="right"| 7767 Mbit/s || align="right"| 970.9 MHz<br />
|-<br />
| JH-256 || || align="right"| 54.6 kGates || align="right"| 10022 Mbit/s || align="right"| 763.4 MHz<br />
|-<br />
| Keccak(-256) || || align="right"| 50.7 kGates || align="right"| 33333 Mbit/s || align="right"| 781.3 MHz<br />
|-<br />
| Luffa-256 || || align="right"| 39.6 kGates || align="right"| 28732 Mbit/s || align="right"| 1010.1 MHz<br />
|-<br />
| Shabal-256 || || align="right"| 34.6 kGates || align="right"| 6059 Mbit/s || align="right"| 591.7 MHz<br />
|-<br />
| SHAvite-3<sub>256</sub> || || align="right"| 59.4 kGates || align="right"| 8421 Mbit/s || align="right"| 625 MHz<br />
|-<br />
| SIMD-256 || || align="right"| 139 kGates || align="right"| 3171 Mbit/s || align="right"| 284.9 MHz<br />
|-<br />
| Skein-256-256 || || align="right"| 43.1 kGates || align="right"| 3295 Mbit/s || align="right"| 270.3 MHz<br />
|}<br />
<br />
<br /><br />
<br /><br />
<br />
=== Blue Midnight Wish, Keccak, Luffa ===<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="200"| Reference !! width="120"| HDL !! width="120"| Category !! width="100"| Impl. Scope !! width="120"| Technology<br />
|- <br />
| [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SAVAS_SHA3_NIST_final.pdf Akin et al.] [[#Ref034|[34]]] || N/A || [[#High-Speed_Implementations_(FPGA)|High-speed FPGA]] || [[#Implementation_of_Core_Functionality|Core functionality]] || Xilinx Spartan 3<br />
|}<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="140"| Hash Function Name !! width="270"| Impl. Details !! width="90"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| Blue Midnight Wish || Compression function with f0, f1, and f2 unrolled in sequence || align="right"| 10531 slices || align="right"| 2110 Mbit/s || align="right"| 4.22 MHz<br />
|-<br />
| Keccak || One Keccak-f round per cycle || align="right"| 2024 slices || align="right"| 3460 Mbit/s || align="right"| 81.4 MHz<br />
|-<br />
| Luffa || Three step modules || align="right"| 2956 slices || align="right"| 1480 Mbit/s || align="right"| 157.3 MHz<br />
|}<br />
<br />
<br />
----<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="200"| Reference !! width="120"| HDL !! width="120"| Category !! width="100"| Impl. Scope !! width="120"| Technology<br />
|- <br />
| [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SAVAS_SHA3_NIST_final.pdf Akin et al.] [[#Ref034|[34]]] || N/A || [[#High-Speed_Implementations_(FPGA)|High-speed FPGA]] || [[#Implementation_of_Core_Functionality|Core functionality]] || Xilinx Virtex-II<br />
|}<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="140"| Hash Function Name !! width="270"| Impl. Details !! width="90"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| Blue Midnight Wish || Compression function with f0, f1, and f2 unrolled in sequence || align="right"| 10432 slices || align="right"| 3360 Mbit/s || align="right"| 6.71 MHz<br />
|-<br />
| Keccak || One Keccak-f round per cycle || align="right"| 2024 slices || align="right"| 5810 Mbit/s || align="right"| 136.6 MHz<br />
|-<br />
| Luffa || Three step modules || align="right"|2952 slices || align="right"| 8370 Mbit/s || align="right"| 301.4 MHz<br />
|}<br />
<br />
<br />
----<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="200"| Reference !! width="120"| HDL !! width="120"| Category !! width="100"| Impl. Scope !! width="120"| Technology<br />
|- <br />
| [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SAVAS_SHA3_NIST_final.pdf Akin et al.] [[#Ref034|[34]]] || N/A || [[#High-Speed_Implementations_(FPGA)|High-speed FPGA]] || [[#Implementation_of_Core_Functionality|Core functionality]] || Xilinx Virtex 4<br />
|}<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="140"| Hash Function Name !! width="270"| Impl. Details !! width="90"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| Blue Midnight Wish || Compression function with f0, f1, and f2 unrolled in sequence || align="right"| 10486 slices || align="right"| 4510 Mbit/s || align="right"| 9.01 MHz<br />
|-<br />
| Keccak || One Keccak-f round per cycle || align="right"| 2024 slices || align="right"| 6070 Mbit/s || align="right"| 142.9 MHz<br />
|-<br />
| Luffa || Three step modules || align="right"| 2989 slices || align="right"| 8560 Mbit/s || align="right"| 308.2 MHz<br />
|}<br />
<br />
<br />
----<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="200"| Reference !! width="120"| HDL !! width="120"| Category !! width="100"| Impl. Scope !! width="120"| Technology<br />
|- <br />
| [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SAVAS_SHA3_NIST_final.pdf Akin et al.] [[#Ref034|[34]]] || N/A || [[#High-Speed_Implementations_(ASIC)|High-speed ASIC]] || [[#Implementation_of_Core_Functionality|Core functionality]] || Synopsys 90 nm<br />
|}<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="140"| Hash Function Name !! width="270"| Impl. Details !! width="90"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| Blue Midnight Wish || Compression function with f0, f1, and f2 unrolled in sequence || align="right"| 55.9 kGates || align="right"| 26320 Mbit/s || align="right"| 52.63 MHz<br />
|-<br />
| Keccak || One Keccak-f round per cycle || align="right"| 10.5 kGates || align="right"| 19320 Mbit/s || align="right"| 454.5 MHz<br />
|-<br />
| Luffa || Three step modules || align="right"| 11.5 kGates || align="right"| 21370 Mbit/s || align="right"| 769.2 MHz<br />
|}<br />
<br />
=== All 14 Round-Two Candidates ===<br />
<br />
Results are post-P&amp;R and include throughputs without interface overhead.<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="200"| Reference !! width="120"| HDL !! width="120"| Category !! width="100"| Impl. Scope !! width="120"| Technology<br />
|- <br />
| [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SCHAUMONT_SHA3.pdf Guo et al.] [[#Ref035|[35]]] || [http://rijndael.ece.vt.edu/sha3/ VT webpage] || [[#High-Speed_Implementations_(ASIC)|High-speed ASIC]] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || UMC 0.13 µm<br />
|}<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="140"| Hash Function Name !! width="270"| Impl. Details !! width="90"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| BLAKE-32 || || align="right"| 43.52 kGates || align="right"| 4645 Mbit/s || align="right"| 200 MHz<br />
|-<br />
| Blue Midnight Wish-256 || || align="right"| 198.17 kGates || align="right"| 12220 Mbit/s || align="right"| 48 MHz<br />
|-<br />
| CubeHash16/32-256 || || align="right"| 38.18 kGates || align="right"| 4624 Mbit/s || align="right"| 289 MHz<br />
|-<br />
| ECHO-256 || || align="right"| 92.73 kGates || align="right"| 3366 Mbit/s || align="right"| 217 MHz<br />
|-<br />
| Fugue-256 || || align="right"| 91.09 kGates || align="right"| 2385 Mbit/s || align="right"| 149 MHz<br />
|-<br />
| Grøstl-256 || || align="right"| 110.11 kGates || align="right"| 9606 Mbit/s || align="right"| 188 MHz<br />
|-<br />
| Hamsi-256 || || align="right"| 29.94 kGates || align="right"| 3571 Mbit/s || align="right"| 446 MHz<br />
|-<br />
| JH-256 || || align="right"| 62.42 kGates || align="right"| 5128 Mbit/s || align="right"| 391 MHz<br />
|-<br />
| Keccak(-256) || || align="right"| 47.43 kGates || align="right"| 15457 Mbit/s || align="right"| 377 MHz<br />
|-<br />
| Luffa-256 || || align="right"| 37.94 kGates || align="right"| 13943 Mbit/s || align="right"| 490 MHz<br />
|-<br />
| Shabal-256 || || align="right"| 49.44 kGates || align="right"| 2945 Mbit/s || align="right"| 362 MHz<br />
|-<br />
| SHAvite-3<sub>256</sub> || || align="right"| 55.25 kGates || align="right"| 4599 Mbit/s || align="right"| 341 MHz<br />
|-<br />
| SIMD-256 || || align="right"| 139.55 kGates || align="right"| 2157 Mbit/s || align="right"| 194 MHz<br />
|-<br />
| Skein-256-256 || || align="right"| 40.9 kGates || align="right"| 1941 Mbit/s || align="right"| 159 MHz<br />
|}<br />
<br />
<br /><br />
<br /><br />
<br />
== References ==<br />
<br />
<div id="Ref001"><br />
[1] Jean-Philippe Aumasson, Luca Henzen, Willi Meier, and Raphael C.-W. Phan. SHA-3 proposal BLAKE (version 1.3). Available online at http://131002.net/blake/blake.pdf.<br />
</div><br />
<br />
<div id="Ref002"><br />
[2] A. H. Namin and M. A. Hasan. Hardware Implementation of the Compression Function for Selected SHA-3 Candidates. Available online at http://www.vlsi.uwaterloo.ca/~ahasan/hasan_report.html.<br />
</div><br />
<br />
<div id="Ref003"><br />
[3] Kazuyuki Kobayashi, Jun Ikegami, Shin'ichiro Matsuo, Kazuo Sakiyama, and Kazuo Ohta. Evaluation of Hardware Performance for the SHA-3 Candidates Using SASEBO-GII. IACR Eprint report 2010/010. Available online at http://eprint.iacr.org/2010/010.pdf.<br />
</div><br />
<br />
<div id="Ref004"><br />
[4] Brian Baldwin, Andrew Byrne, Mark Hamilton, Neil Hanley, Robert P. McEvoy, Weibo Pan, and William P. Marnane. FPGA Implementations of SHA-3 Candidates: CubeHash, Grøstl, LANE, Shabal and Spectral Hash. IACR Eprint report 2009/342. Available online at http://eprint.iacr.org/2009/342.pdf.<br />
</div><br />
<br />
<div id="Ref005"><br />
[5] Liang Lu, Maire O'Neil, and Earl Swartzlander. Hardware Evaluation of SHA-3 Hash Function Candidate ECHO. Presentation at the Clauce Shannon Institute Workshop on Coding and Cryptography 2009. Slides available online at http://www.ucc.ie/en/crypto/CodingandCryptographyWorkshop/TheClaudeShannonWorkshoponCodingCryptography2009/DocumentFile,75649,en.pdf.<br />
</div><br />
<br />
<div id="Ref006"><br />
[6] Bernhard Jungk, Steffen Reith, and Jürgen Apfelbeck. On Optimized FPGA Implementations of the SHA-3 Candidate Grøstl. IACR Eprint report 2009/206. Available online at http://eprint.iacr.org/2009/206.pdf.<br />
</div><br />
<br />
<div id="Ref007"><br />
[7] Praveen Gauravaram, Lars R. Knudsen, Krystian Matusievicz, Florian Mendel, Christian Rechberger, Martin Schläffer, and Søren S. Thomsen. Grøstl - a SHA-3 candidate (October 31, 2008). Available online at http://www.groestl.info/Groestl.pdf.<br />
</div><br />
<br />
<div id="Ref008"><br />
[8] Guido Bertoni, Joan Daemen, Michaël Peeters, and Gilles van Assche. KECCAK sponge function family main document (Version 1.2, April 23, 2009). Available online at http://keccak.noekeon.org/Keccak-main-1.2.pdf.<br />
</div><br />
<br />
<div id="Ref009"><br />
[9] Joachim Strömbergson. Implementation of the Keccak Hash Function in FPGA Devices. Available online at http://www.strombergson.com/files/Keccak_in_FPGAs.pdf.<br />
</div><br />
<br />
<div id="Ref010"><br />
[10] Romain Feron and Julien Francq. FPGA Implementation of Shabal: Our First Results (Version 2.0, February 19, 2010). Available online at http://www.shabal.com/wp-content/uploads/2010/03/FPGA-Implementation-of-Shabal-First-ResultsV2.0.pdf.<br />
</div><br />
<br />
<div id="Ref011"><br />
[11] Men Long. Implementing Skein Hash Function on Xilinx Virtex-5 FPGA Platform (Version 0.7, February 2, 2009). Available online at http://www.skein-hash.info/sites/default/files/skein_fpga.pdf.<br />
</div><br />
<br />
<div id="Ref012"><br />
[12] Stefan Tillich. Hardware Implementation of the SHA-3 Candidate Skein. IACR Eprint report 2009/159. Available online at http://eprint.iacr.org/2009/159.pdf.<br />
</div><br />
<br />
<div id="Ref013"><br />
[13] Jean-Luc Beuchat, Eiji Okamoto, and Teppei Yamazaki. Compact Implementations of BLAKE-32 and BLAKE-64 on FPGA. IACR Eprint report 2010/173. Available online at http://eprint.iacr.org/2010/173.pdf.<br />
</div><br />
<br />
<div id="Ref014"><br />
[14] Stefan Tillich, Martin Feldhofer, Mario Kirschbaum, Thomas Plos, Jörn-Marc Schmidt, and Alexander Szekely. High-Speed Hardware Implementations of BLAKE, Blue Midnight Wish, CubeHash, ECHO, Fugue, Grøstl, Hamsi, JH, Keccak, Luffa, Shabal, SHAvite-3, SIMD, and Skein. IACR Eprint report 2009/510. Available online at http://eprint.iacr.org/2009/510.pdf.<br />
</div><br />
<br />
<div id="Ref015"><br />
[15] Shai Halevi, William E. Hall, and Charanjit S. Jutla. The Hash Function Fugue (October 30, 2008). Available online at http://domino.research.ibm.com/comm/research_projects.nsf/pages/fugue.index.html/$FILE/NIST-submission-Oct08-fugue.pdf.<br />
</div><br />
<br />
<div id="Ref016"><br />
[16] Junfeng Fan. Hardware Evaluation of The Hash Function Hamsi. Available online at http://homes.esat.kuleuven.be/~okucuk/hamsi/implementations.html.<br />
</div><br />
<br />
<div id="Ref017"><br />
[17] Miroslav Knezevic and Ingrid Verbeiwhede. Hardware Evaluation of the Luffa Hash Family. 4th Workshop on Embedded Systems Security 2009. Available online at http://www.cosic.esat.kuleuven.be/publications/article-1282.pdf.<br />
</div><br />
<br />
<div id="Ref018"><br />
[18] Stefan Tillich, Martin Feldhofer, Wolfgang Issovits, Thomas Kern, Hermann Kureck, Michael Mühlberghuber, Georg Neubauer, Andreas Reiter, Armin Köfler, and Mathias Mayrhofer. Compact Hardware Implementations of the SHA-3 Candidates ARIRANG, BLAKE, Grøstl, and Skein. IACR Eprint report 2009/349. Available online at http://eprint.iacr.org/2009/349.pdf.<br />
</div><br />
<br />
<div id="Ref019"><br />
[19] Grøstl website. http://www.groestl.info/.<br />
</div><br />
<br />
<div id="Ref020"><br />
[20] Markus Bernet, Luca Henzen, Hubert Kaeslin, Norbert Felber, and Wolfgang Fichtner. Hardware Implementations of the SHA-3 Candidates Shabal and CubeHash. 52nd IEEE International Midwest Symposium on Circuits and Systems, 2009. Available online at http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=5236043.<br />
</div><br />
<br />
<div id="Ref021"><br />
[21] Michel Kinsy and Richard Uhler. SHA-3: FPGA Implementation of ESSENCE and ECHO Hash Algorithm Candidates Using Bluespec. Available online at http://csg.csail.mit.edu/6.375/6_375_2009_www/projects/group1_report.pdf.<br />
</div><br />
<br />
<div id="Ref022"><br />
[22] Bernhard Jungk and Steffen Reith. On FPGA-based implementations of Grøstl. IACR Eprint report 2010/260. Available online at http://eprint.iacr.org/2010/260.pdf.<br />
</div><br />
<br />
<div id="Ref023"><br />
[23] Jérémie Detrey, Pierre Gaudry, and Karim Khalfallah. A Low-Area yet Performant FPGA Implementation of Shabal. IACR Eprint report 2010/292. Available online at http://eprint.iacr.org/2010/292.pdf.<br />
</div><br />
<br />
<div id="Ref024"><br />
[24] Jean-Luc Beuchat, Eiji Okamoto, and Teppei Yamazaki. A Compact FPGA Implementation of the SHA-3 Candidate ECHO. IACR Eprint report 2010/364. Available online at http://eprint.iacr.org/2010/364.pdf.<br />
</div><br />
<br />
<div id="Ref025"><br />
[25] Wim Ramakers and Hans Narinx. Implementation and evaluation of SHA-3 candidates on FPGA. Extended abstract of Master Thesis &quot;Implementatie en Evaluatie van SHA-3-Kandidaten op FPGA&quot; (Dutch). Extended abstract available online at http://ehash.iaik.tugraz.at/uploads/1/12/Ramakers_Narinx2010ECHO-Hamsi-Luffa_ExtendedAbstract_ENGLISH.pdf. Full thesis available online at http://ehash.iaik.tugraz.at/uploads/6/62/Ramakers_Narinx2010ECHO-Hamsi-Luffa_Thesis_DUTCH.pdf.<br />
</div><br />
<br />
<div id="Ref026"><br />
[26] Julien Francq and Céline Thuillet. Unfolding Method for Shabal on Virtex-5 FPGAs: Concrete Results. IACR Eprint report 2010/406. Available online at http://eprint.iacr.org/2010/406.pdf.<br />
</div><br />
<br />
<div id="Ref027"><br />
[27] Shugo Mikami, Nagamasa Mizushima, Setsuko Nakamura, and Dai Watanabe. A Compact Hardware Implementation of SHA-3 Candidate Luffa (version 20101105). Available online at http://www.sdl.hitachi.co.jp/crypto/luffa/ACompactHardwareImplementationOfSHA-3CandidateLuffa_20101105.pdf.<br />
</div><br />
<br />
<div id="Ref028"><br />
[28] Imed Mabrouk and Ryad Benadjila. ECHO webpage (hardware subpage). http://crypto.rd.francetelecom.com/ECHO/hard/.<br />
</div><br />
<br />
<div id="Ref029"><br />
[29] Luca Henzen, Pietro Gendotti, Patrice Guillet, Enrico Pargaetzi, Martin Zoller, and Frank K. Gürkaynak. Developing a Hardware Evaluation Method for SHA-3 Candidates. 12th International Workshop on Cryptographic Hardware and Embedded Systems (CHES), 2010. Available online at http://www.springerlink.com/content/g0115v3272156r06/.<br />
</div><br />
<br />
<div id="Ref030"><br />
[30] Ekawat Homsirikamol, Marcin Rogawski, and Kris Gaj. Comparing Hardware Performance of Fourteen Round Two SHA-3 Candidates Using FPGAs. IACR Eprint report 2010/445. Available online at http://eprint.iacr.org/2010/445.pdf.<br />
</div><br />
<br />
<div id="Ref031"><br />
[31] Brian Baldwin, Neil Hanley, Mark Hamilton, Liang Lu, Andrew Byrne, Maire O'Neill, and William P. Marnane. FPGA Implementations of the Round Two SHA-3 Candidates. Second SHA-3 Candidate Conference, 2010. Available online at http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf.<br />
</div><br />
<br />
<div id="Ref032"><br />
[32] Mohamed El Hadedy, Martin Margala, Danilo Gligoroski, and Svein J. Knapskog. Resource-Efficient Implementation of Blue Midnight Wish-256 Hash Function on Xilinx FPGA Platform. Second SHA-3 Candidate Conference, 2010. Available online at http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/El-Hadedy_SmallSizeFPGA-BMW256.pdf.<br />
</div><br />
<br />
<div id="Ref033"><br />
[33] Shin'ichiro Matsuo, Miroslav Knezevic, Patrick Schaumont, Ingrid Verbauwhede, Akashi Satoh, Kazuo Sakiyama, and Kazuo Ota. How Can We Conduct "Fair and Consistent" Hardware Evaluation for SHA-3 Candidate? Second SHA-3 Candidate Conference, 2010. Available online at http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/MATSUO_SHA-3_Criteria_Hardware_revised.pdf.<br />
</div><br />
<br />
<div id="Ref034"><br />
[34] Abdulkadir Akin, Aydin Aysu, Onur Can Ulusel, and Erkay Savas. Efficient Hardware Implementations of High Throughput SHA-3 Candidates Keccak, Luffa and Blue Midnight Wish for Single- and Multi-Message Hashing. Second SHA-3 Candidate Conference, 2010. Available online at http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SAVAS_SHA3_NIST_final.pdf.<br />
</div><br />
<br />
<div id="Ref035"><br />
[35] Xu Guo, Sinan Huang, Leyla Nazhandali, and Patrick Schaumont. Fair and Comprehensive Performance Evaluation of 14 Second Round SHA-3 ASIC Implementations. Second SHA-3 Candidate Conference, 2010. Available online at http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SCHAUMONT_SHA3.pdf.<br />
</div><br />
<br />
<div id="Ref036"><br />
[36] Jesse Walker, Farhana Sheikh, Sanu K. Mathew, and Ram Krishnamurthy. A Skein-512 Hardware Implementation. Available online at http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/WALKER_skein-intel-hwd.pdf.<br />
</div><br />
<br />
<div id="Ref037"><br />
[37] RCIS webpage. http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html.<br />
</div><br />
<br />
<div id="Ref038"><br />
[38] Akashi Satoh, Toshihiro Katashita, Takeshi Sugawara, Naofumi Homma, and Takafumi Aoki. Hardware Implementations of Hash Function Luffa. IEEE International Symposium on Hardware-Oriented Security and Trust (HOST), 2010. Available online at http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=5513102&tag=1.<br />
</div><br />
<br />
<div id="Ref039"><br />
[39] RCIS webpage (Other ASIC Implementations). http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/others.html.<br />
</div><br />
<br />
<div id="Ref040"><br />
[40] Luca Henzen, Jean-Philippe Aumasson, Willi Meier, and Raphael C.-W. Phan. VLSI Characterization of the Cryptographic Hash Function BLAKE. IEEE T VLSI, 2010. Available online at http://131002.net/data/papers/HAMP10.pdf.<br />
</div><br />
<br />
<div id="Ref041"><br />
[41] Mohamed El Hadedy, Danilo Gligoroski, and Svein J. Knapskog. Single Core Implementation of Blue Midnight Wish Hash Function on VIRTEX 5 Platform. Available online at http://people.item.ntnu.no/~danilog/Hash/BMW-SecondRound/SmallSizeFPGA-BMWOct2010.pdf.<br />
</div></div>
JAumasson
https://ehash.iaik.tugraz.at/index.php?title=CubeHash&diff=3625
CubeHash
2010-11-09T07:46:24Z
<p>JAumasson: /* Building blocks */ dashes added</p>
<hr />
<div>== The algorithm ==<br />
<br />
* Author(s): Dan Bernstein <br />
* Website: [http://cubehash.cr.yp.to/ http://cubehash.cr.yp.to/] <br />
* NIST submission package: <br />
** round 1: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/CubeHash.zip CubeHash.zip]<br />
** round 2: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/documents/CubeHash_Round2.zip CubeHash_Round2.zip]<br />
<br />
<br />
<bibtex><br />
@misc{sha3Bernstein09a,<br />
author = {Daniel J. Bernstein},<br />
title = {CubeHash specification (2.B.1)},<br />
url = {http://cubehash.cr.yp.to/submission2/spec.pdf},<br />
howpublished = {Submission to NIST (Round 2)},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{sha3Bernstein09,<br />
author = {Daniel J. Bernstein},<br />
title = {CubeHash parameter tweak: 16 times faster},<br />
url = {http://cubehash.cr.yp.to/submission/tweak.pdf},<br />
howpublished = {Available online},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{sha3Bernstein08,<br />
author = {Daniel J. Bernstein},<br />
title = {CubeHash Specification (2.B.1)},<br />
url = {http://cubehash.cr.yp.to/submission/spec.pdf},<br />
howpublished = {Submission to NIST (Round 1)},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
<br />
== Cryptanalysis ==<br />
<br />
We distinguish between two cases: results on the complete hash function, and results on underlying building blocks.<br />
<br />
A description of the tables is given [http://ehash.iaik.tugraz.at/wiki/Cryptanalysis_Categories#Individual_Hash_Function_Tables here].<br />
<br />
Recommended security parameters: r/b = '''16/32''' (n=224,256); '''16/32''' (n=384,512)<br />
<br />
=== Hash function ===<br />
<br />
Here we list results on the hash function according to the NIST requirements. The only allowed modification is to change the security parameter.<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| style="background:greenyellow" | preimage || 384,512 || r/32 || 2<sup>383.7</sup> || - || [http://eprint.iacr.org/2010/273.pdf Ferguson,Lucks,McKay]<br />
|- <br />
| preimage || 384,512 || r/33 || 2<sup>257.6</sup> || - || [http://eprint.iacr.org/2010/273.pdf Ferguson,Lucks,McKay]<br />
|- <br />
| collision || 512 || 7/64 || 2<sup>203</sup> || - || [http://eprint.iacr.org/2009/382.pdf Brier,Khazaei,Meier,Peyrin]<br />
|- <br />
| collision || all || 4/48 || example (2<sup>37</sup>) || - || [http://ehash.iaik.tugraz.at/uploads/5/50/Bkmp_ch448.txt Brier,Khazaei,Meier,Peyrin]<br />
|- <br />
| collision || all || 4/64 || example (2<sup>34</sup>) || - || [http://ehash.iaik.tugraz.at/uploads/9/93/Bkmp_ch464.txt Brier,Khazaei,Meier,Peyrin]<br />
|- <br />
| collision || all || 3/64 || example (2<sup>24</sup>) || - || [http://ehash.iaik.tugraz.at/uploads/3/3a/Peyrin_ch22_ch364.txt Brier,Khazaei,Meier,Peyrin]<br />
|- <br />
| collision || 512 || 2/2 || 2<sup>196</sup> || - || [http://ehash.iaik.tugraz.at/uploads/3/3a/Peyrin_ch22_ch364.txt Brier,Khazaei,Meier,Peyrin]<br />
|- <br />
| collision || 512 || 5/64 || 2<sup>231</sup> || - || [http://thomas.peyrin.googlepages.com/BrierPeyrinCubehash.pdf Brier,Peyrin]<br />
|- <br />
| collision || all || 3/64 || 2<sup>89</sup> || - || [http://thomas.peyrin.googlepages.com/BrierPeyrinCubehash.pdf Brier,Peyrin]<br />
|-<br />
| collision || 512 || 4/3 || 2<sup>207</sup> || - || [http://thomas.peyrin.googlepages.com/BrierPeyrinCubehash.pdf Brier,Peyrin]<br />
|-<br />
| collision || 384,512 || 4/4 || 2<sup>189</sup> || - || [http://thomas.peyrin.googlepages.com/BrierPeyrinCubehash.pdf Brier,Peyrin]<br />
|-<br />
| collision || all || 2/3 || 2<sup>46</sup> || - || [http://thomas.peyrin.googlepages.com/BrierPeyrinCubehash.pdf Brier,Peyrin]<br />
|- <br />
| collision || 512 || 2/4 || example || - || [http://thomas.peyrin.googlepages.com/BrierPeyrinCubehash.pdf Brier,Peyrin]<br />
|- <br />
| collision || 512 || 1/45, 2/89 || example || - || [http://www.cryptopp.com/sha3/cubehash.pdf Dai]<br />
|- <br />
| collision || 512 || 2/120 || example || - || [http://ehash.iaik.tugraz.at/uploads/a/a9/Cubehash.txt Aumasson]<br />
|- <br />
| preimage || 512 || r/8 || 2<sup>480</sup> || - || [http://ehash.iaik.tugraz.at/uploads/6/6c/Cubehash.pdf Khovratovich,Nikolic',Weinmann]<br />
|- <br />
| preimage || 512 || r/4 || 2<sup>496</sup> || - || [http://ehash.iaik.tugraz.at/uploads/6/6c/Cubehash.pdf Khovratovich,Nikolic',Weinmann]<br />
|- <br />
| style="background:greenyellow" | preimage || 512 || r/1 (round 1) || 2<sup>511</sup> || 2<sup>508</sup> || [http://ehash.iaik.tugraz.at/uploads/6/6c/Cubehash.pdf Khovratovich,Nikolic',Weinmann]<br />
|- <br />
| style="background:greenyellow" | preimage || all || r/b || 2<sup>513-4b</sup> || - || [http://eprint.iacr.org/2008/486.pdf Aumasson,Meier,Naya-Plasencia,Peyrin]<br />
|-<br />
| collision || all || r/b || 2<sup>521-4b-log b</sup> || - || [http://cubehash.cr.yp.to/submission/generic.pdf submission document]<br />
|-<br />
| style="background:greenyellow" | preimage || all || r/b || 2<sup>522-4b-log b</sup> || - || [http://cubehash.cr.yp.to/submission/generic.pdf submission document]<br />
|-<br />
|} <br />
<br />
<br />
=== Building blocks ===<br />
<br />
Here we list results on underlying building blocks, and the hash function modified by other means than the security parameter.<br />
<br />
Note that these results assume more direct control or access over some internal variables (aka. free-start, pseudo, compression function, block cipher, or permutation attacks). <br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| quantum preimage || hash || 512 || || 2<sup>192</sup> || - || [http://eprint.iacr.org/2008/506.pdf Leurent]<br />
|- <br />
| distinguisher || permutation|| all || 14 rounds || 2<sup>812</sup> || - || [http://eprint.iacr.org/2010/535.pdf Ashur,Dunkelman]<br />
|- <br />
| distinguisher || permutation|| all || 11 rounds || 2<sup>470</sup> || - || [http://eprint.iacr.org/2010/535.pdf Ashur,Dunkelman]<br />
|- <br />
| observations || hash || all || || - || - || [http://eprint.iacr.org/2010/262.pdf Kaminsky]<br />
|-<br />
| observations || hash || all || || - || - || [http://eprint.iacr.org/2009/407.pdf Bloom,Kaminsky]<br />
|- <br />
| multi-collision || hash || all || || 2<sup>513-4b</sup> || - || [http://eprint.iacr.org/2008/486.pdf Aumasson,Meier,Naya-Plasencia,Peyrin]<br />
|- <br />
| observations || permutation|| all || || - || - || [http://eprint.iacr.org/2008/486.pdf Aumasson,Meier,Naya-Plasencia,Peyrin]<br />
|- <br />
|} <br />
<br />
<br />
<bibtex><br />
@misc{cubehashLeu10,<br />
author = {Gaëtan Leurent},<br />
title = {Quantum Preimage and Collision Attacks on CubeHash},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/506},<br />
year = {2010},<br />
url = {http://eprint.iacr.org/2010/506.pdf},<br />
note = {\url{http://eprint.iacr.org/}},<br />
abtract = {In this short note we show a quantum preimage attack on CubeHash-normal-512 with complexity 2^192. This kind of attack is expected to cost 2^256 for a good 512-bit hash function, and we argue that this violates the expected security of CubeHash. The preimage attack can also be used as a collision attack, given that a generic quantum collision attack on a 512-bit hash function require 2^256 operations, as explained in the CubeHash submission document.<br />
This attack only use very simple techniques: we use the symmetry properties of CubeHash which were already described in the submission document and have been analyzed in detail later, together with Gover's algorithm which is also discussed in the submission document.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{cubehashAD10,<br />
author = {Tomer Ashur and Orr Dunkelman},<br />
title = {Linear Analysis of Reduced-Round CubeHash},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/535},<br />
year = {2010},<br />
url = {http://eprint.iacr.org/2010/535.pdf},<br />
note = {\url{http://eprint.iacr.org/}},<br />
abtract = {Recent developments in the field of cryptanalysis of hash functions has inspired NIST to announce a competition for selecting a new cryptographic hash function to join the SHA family of standards. One of the 14 second-round candidates is CubeHash designed by Daniel J. Bernstein. CubeHash is a unique hash function in the sense that it does not iterate a common compression function, and offers a structure which resembles a sponge function, even though it is not exactly a sponge function. In this paper we analyze reduced-round variants of CubeHash where the adversary controls the full 1024-bit input to reduced-round CubeHash and can observe its full output. We show that linear approximations with high biases exist in reduced-round variants. For example, we present an 11-round linear approximation with bias of 2^{&#8722;235}, which allows distinguishing 11-round CubeHash using about 2^{470} queries. We also discuss the extension of this distinguisher to 12 rounds using message modification techniques. Finally, we present a linear distinguisher for 14-round CubeHash which uses about 2^{812} queries.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{cubehashFLM10,<br />
author = {Niels Ferguson and Stefan Lucks and Kerry A. McKay},<br />
title = {Symmetric States and their Structure: Improved Analysis of CubeHash},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/273},<br />
year = {2010},<br />
url = {http://eprint.iacr.org/2010/273.pdf},<br />
note = {\url{http://eprint.iacr.org/}},<br />
abtract = {This paper provides three improvements over previous work on analyzing CubeHash, based on its classes of symmetric states: (1) We present a detailed analysis of the hierarchy of symmetry classes. (2) We point out some flaws in previously claimed attacks which tried to exploit the symmetry classes. (3) We present and analyze new multicollision and preimage attacks. For the default parameter setting of CubeHash, namely for a message block size of b = 32, the new attacks are slightly faster than 2^384 operations. If one increases the size of a message block by a single byte to b = 33, our multicollision and preimage attacks become much faster – they only require about 2^256 operations. This demonstrates how sensitive the security of CubeHash is, depending on minor changes of the tunable security parameter b. }<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{cubehashKam10,<br />
author = {Alan Kaminsky},<br />
title = {Cube Test Analysis of the Statistical Behavior of CubeHash and Skein},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/262},<br />
year = {2010},<br />
url = {http://eprint.iacr.org/2010/262.pdf},<br />
note = {\url{http://eprint.iacr.org/}},<br />
abstract = {This work analyzes the statistical properties of the SHA-3 candidate cryptographic hash algorithms CubeHash and Skein to try to find nonrandom behavior. Cube tests were used to probe each algorithm's internal polynomial structure for a large number of choices of the polynomial input variables. The cube test data were calculated on a 40-core hybrid SMP cluster parallel computer. The cube test data were subjected to three statistical tests: balance, independence, and off-by-one. Although isolated statistical test failures were observed, the balance and off-by-one tests did not find nonrandom behavior overall in either CubeHash or Skein. However, the independence test did find nonrandom behavior overall in both CubeHash and Skein. }<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{cubehashBK09,<br />
author = {Benjamin Bloom and Alan Kaminsky},<br />
title = {Single Block Attacks and Statistical Tests on CubeHash},<br />
howpublished = {Cryptology ePrint Archive, Report 2009/407},<br />
year = {2009},<br />
url = {http://eprint.iacr.org/2009/407.pdf},<br />
note = {\url{http://eprint.iacr.org/}},<br />
abstract = {This paper describes a second preimage attack on the CubeHash cryptographic one-way hash function. The attack finds a second preimage in less time than brute force search for these CubeHash variants: CubeHash $r$/$b$-224 for $b > 100$; CubeHash$r$/$b$-256 for $b > 96$; CubeHash$r$/$b$-384 for $b > 80$; and CubeHash$r$/$b$-512 for $b > 64$. However, the attack does not break the CubeHash variants recommended for SHA-3. The attack requires minimal memory and can be performed in a massively parallel fashion. This paper also describes several statistical randomness tests on CubeHash. The tests were unable to disprove the hypothesis that CubeHash behaves as a random mapping. These results support CubeHash's viability as a secure cryptographic hash function.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{cubehashBKMP09b,<br />
author = {Eric Brier and Shahram Khazaei and Willi Meier and Thomas Peyrin},<br />
title = {Linearization Framework for Collision Attacks: Application to CubeHash and MD6},<br />
howpublished = {Cryptology ePrint Archive, Report 2009/382},<br />
year = {2009},<br />
url = {http://eprint.iacr.org/2009/382.pdf},<br />
note = {\url{http://eprint.iacr.org/}},<br />
abstract = {In this paper, an improved differential cryptanalysis framework for finding collisions in hash functions is provided. Its principle is based on linearization of compression functions in order to find low weight differential characteristics as initiated by Chabaud and Joux. This is formalized and refined however in several ways: for the problem of finding a conforming message pair whose differential trail follows a linear trail, a condition function is introduced so that finding a collision is equivalent to finding a preimage of the zero vector for the condition function. Then, the dependency table concept shows how much influence every input bit of the condition function has on its output bits. Careful analysis of the dependency table reveals degrees of freedom that can be exploited in accelerated preimage reconstruction of the condition function. These concepts are applied to an in-depth collision analysis of reduced-round versions of the two SHA-3 candidates CubeHash and MD6, and are demonstrated to give by far the best currently known collision attacks on these SHA-3 candidates.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{cubehashBKMP09a,<br />
author = {Eric Brier and Shahram Khazaei and Willi Meier and Thomas Peyrin},<br />
title = {Real Collisions for CubeHash-4/48},<br />
url = {http://ehash.iaik.tugraz.at/uploads/5/50/Bkmp_ch448.txt}, <br />
howpublished = {NIST mailing list (local link)},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{cubehashBKMP09a,<br />
author = {Eric Brier and Shahram Khazaei and Willi Meier and Thomas Peyrin},<br />
title = {Real Collisions for CubeHash-4/64},<br />
url = {http://ehash.iaik.tugraz.at/uploads/9/93/Bkmp_ch464.txt}, <br />
howpublished = {NIST mailing list (local link)},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{cubehashBKMP09,<br />
author = {Eric Brier and Shahram Khazaei and Willi Meier and Thomas Peyrin},<br />
title = {Attack for CubeHash-2/2 and collision for CubeHash-3/64},<br />
url = {http://ehash.iaik.tugraz.at/uploads/3/3a/Peyrin_ch22_ch364.txt}, <br />
howpublished = {NIST mailing list (local link)},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
<!--<br />
<bibtex><br />
@misc{cubehashP09,<br />
author = {Thomas Peyrin},<br />
title = {Collision for CubeHash2/4},<br />
url = {http://ehash.iaik.tugraz.at/uploads/d/d5/Peyrin_cubehashcollision.txt}, <br />
howpublished = {NIST mailing list (local link)},<br />
year = {2009},<br />
}<br />
</bibtex><br />
--><br />
<bibtex><br />
@misc{cubehashBP09,<br />
author = {Eric Brier and Thomas Peyrin},<br />
title = {Cryptanalysis of CubeHash},<br />
url = {http://thomas.peyrin.googlepages.com/BrierPeyrinCubehash.pdf}, <br />
howpublished = {Available online},<br />
year = {2009},<br />
abstract = {CubeHash is a family of hash functions submitted by Bern stein as a SHA-3 candidate. In this paper, we provide two different cryptanalysis approaches concerning its collision resistance. Thanks to the first approach, related to truncated differentials, we computed a collision for the CubeHash-1/36 hash function, i.e. when for each iteration 36 bytes of message are incorporated and one call to the permutation is applied. Then, the second approach, already used by Dai, much more efficient and simply based on a linearization of the scheme, allowed us to compute a collision for the CubeHash-2/4 hash function. Finally, a theoretical collision attack against CubeHash-2/3, CubeHash-4/4 and CubeHash-4/3 is described. This is currently the best known cryptanalysis result on this SHA-3 candidate.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{cubehashD08,<br />
author = {Wei Dai},<br />
title = {Collisions for CubeHash1/45 and CubeHash2/89},<br />
url = {http://www.cryptopp.com/sha3/cubehash.pdf}, <br />
howpublished = {Available online},<br />
year = {2008},<br />
abstract = {Collisions were found for the hash functions CubeHash1/45-512 and CubeHash2/89-512. Attack code is included.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{cubehashA08,<br />
author = {Jean-Philippe Aumasson},<br />
title = {Collision for CubeHash2/120-512},<br />
url = {http://ehash.iaik.tugraz.at/uploads/a/a9/Cubehash.txt}, <br />
howpublished = {NIST mailing list (local link)},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{cubehashKNW08,<br />
author = {Dmitry Khovratovich and Ivica Nikolic' and Ralf-Philipp Weinmann},<br />
title = {Preimage attack on CubeHash512-r/4 and CubeHash512-r/8},<br />
url = {http://ehash.iaik.tugraz.at/uploads/6/6c/Cubehash.pdf},<br />
howpublished = {Available online},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{cubehashAMPP09,<br />
author = {Jean-Philippe Aumasson and Eric Brier and Willi Meier and María Naya-Plasencia and Thomas Peyrin},<br />
title = {Inside the Hypercube},<br />
booktitle = {ACISP},<br />
publisher = {Springer},<br />
editor = {Colin Boyd and Juan Manuel Gonz{\'a}lez Nieto},<br />
series = {LNCS},<br />
pages = {202-213},<br />
volume = {5594},<br />
url = {http://www.131002.net/data/papers/ABMNP08.pdf},<br />
year = {2009},<br />
abstract = {Bernstein’s CubeHash is a hash function family that includes four functions submitted to the NIST Hash Competition. A CubeHash function is parametrized by a number of rounds r, a block byte size b, and a digest bit length h. The 1024-bit internal state of CubeHash is represented as a five-dimension hypercube. Submissions to NIST have r = 8, b = 1, and $h \in {224, 256, 384, 512}$. <br />
This paper gives the first external analysis of CubeHash, with<br />
- improved standard generic attacks for collisions and preimages<br />
- a multicollision attack that exploits fixed points<br />
- a study of the round function symmetries<br />
- a preimage attack that exploits these symmetries<br />
- a practical collision attack on a weakened version of CubeHash<br />
- high-probability truncated differentials over the 8-round transform<br />
Our results do not contradict the security claims about CubeHash.},<br />
}<br />
</bibtex></div>
JAumasson
https://ehash.iaik.tugraz.at/index.php?title=Shabal&diff=3624
Shabal
2010-11-08T15:46:53Z
<p>JAumasson: added eprint 2010/434</p>
<hr />
<div>== The algorithm ==<br />
<br />
* Author(s): Emmanuel Bresson, Anne Canteaut, Benoît Chevallier-Mames, Christophe Clavier, Thomas Fuhr, Aline Gouget, Thomas Icart, Jean-François Misarsky, Marìa Naya-Plasencia, Pascal Paillier, Thomas Pornin, Jean-René Reinhard, Céline Thuillet, Marion Videau<br />
* Website: http://www.shabal.com/<br />
* NIST submission package: <br />
** round 1/2: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/documents/Shabal_Round2.zip Shabal_Round2.zip] (old version: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/Shabal.zip Shabal.zip])<br />
<br />
<br />
<bibtex><br />
@misc{sha3CanteautCGPP08,<br />
author = {Emmanuel Bresson and Anne Canteaut and Benoît Chevallier-Mames and Christophe Clavier and Thomas Fuhr and Aline Gouget and Thomas Icart and Jean-François Misarsky and Marìa Naya-Plasencia and Pascal Paillier and Thomas Pornin and Jean-René Reinhard and Céline Thuillet and Marion Videau},<br />
title = {Shabal, a Submission to NIST’s Cryptographic Hash Algorithm Competition},<br />
url = {http://ehash.iaik.tugraz.at/uploads/6/6c/Shabal.pdf},<br />
howpublished = {Submission to NIST},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{cryptoeprint:2009:199,<br />
author = {Emmanuel Bresson and Anne Canteaut and Benoît Chevallier-Mames and Christophe Clavier and Thomas Fuhr and Aline Gouget and Thomas Icart and Jean-François Misarsky and Marìa Naya-Plasencia and Pascal Paillier and Thomas Pornin and Jean-René Reinhard and Céline Thuillet and Marion Videau},<br />
title = {Indifferentiability with Distinguishers: Why Shabal Does Not Require Ideal Ciphers},<br />
howpublished = {Cryptology ePrint Archive, Report 2009/199},<br />
year = {2009},<br />
url = {http://eprint.iacr.org/2009/199.pdf},<br />
abstract = {Shabal is based on a new provably secure mode of operation. Some related-key distinguishers for the underlying keyed permutation have been exhibited recently by Aumasson et al. and Knudsen et al., but with no visible impact on the security of Shabal. This paper then aims at extensively studying such distinguishers for the keyed permutation used in Shabal, and at clarifying the impact that they exert on the security of the full hash function. Most interestingly, a new security proof for Shabal's mode of operation is provided where the keyed permutation is not assumed to be an ideal cipher anymore, but observes a distinguishing property i.e., an explicit relation verified by all its inputs and outputs. As a consequence of this extended proof, all known distinguishers for the keyed permutation are proven not to weaken the security of Shabal. In our study, we provide the foundation of a generalization of the indifferentiability framework to biased random primitives, this part being of independent interest.},<br />
}<br />
</bibtex><br />
<br />
<br />
== Cryptanalysis ==<br />
<br />
We distinguish between two cases: results on the complete hash function, and results on underlying building blocks.<br />
<br />
A description of the tables is given [http://ehash.iaik.tugraz.at/wiki/Cryptanalysis_Categories#Individual_Hash_Function_Tables here].<br />
<br />
Recommended security parameters: (p,r)='''(3,12)'''<br />
<br />
=== Hash function ===<br />
<br />
Here we list results on the hash function according to the NIST requirements. The only allowed modification is to change the security parameter.<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Size (n) || Parameters || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| || || || || ||<br />
|- <br />
|}<br />
<br />
=== Building blocks ===<br />
<br />
Here we list results on underlying building blocks, and the hash function modified by other means than the security parameter.<br />
<br />
Note that these results assume more direct control or access over some internal variables (aka. free-start, pseudo, compression function, block cipher, or permutation attacks). <br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| | pseudo collision || compression function || all || 45-bit difference || 2<sup>84</sup> || || [http://eprint.iacr.org/2010/434.pdf Isobe,Shirai]<br />
|- <br />
| | preimage || hash || all || (2,12),no final loop || 2<sup>497</sup> || 2<sup>400</sup> || [http://eprint.iacr.org/2010/434.pdf Isobe,Shirai]<br />
|- <br />
| | preimage || hash || all || (1.5,8) || 2<sup>497</sup> || 2<sup>272</sup> || [http://eprint.iacr.org/2010/434.pdf Isobe,Shirai]<br />
|- <br />
| | non-randomness || compression function || all || || 1 || || [http://ehash.iaik.tugraz.at/uploads/4/4b/Aumasson_shabal.txt Aumasson]<br />
|- <br />
| | non-randomness || permutation || all || || 2<sup>21</sup> || || [http://eprint.iacr.org/2010/398.pdf Novotney]<br />
|- <br />
| | non-randomness || permutation || all || || 2<sup>159</sup> || || [http://gva.noekeon.org/papers/ShabalRotation.pdf Van Assche]<br />
|- <br />
| | non-randomness<sup>(1)</sup> || permutation || all || || 2 || || [http://131002.net/data/papers/AMM09.pdf Aumasson,Mashatan,Meier]<br />
|- <br />
| | non-randomness<sup>(1)</sup> || permutation || all || || 1 || || [http://www.mat.dtu.dk/people/S.Thomsen/shabal/shabal.pdf Knudsen,Matusiewicz,Thomsen]<br />
|- <br />
| | non-randomness<sup>(1)</sup> || permutation || all || || 2<sup>12</sup> || || [http://131002.net/data/papers/Aum09.pdf Aumasson]<br />
|- <br />
|} <br />
<sup>(1)</sup>The Shabal team commented on these analyses and provide an update of their security proofs in [http://eprint.iacr.org/2009/199.pdf this note].<br />
<br />
<br />
<bibtex><br />
@misc{shabalIS10,<br />
author = {Takanori Isobe and Taizo Shirai},<br />
title = {Low-weight Pseudo Collision Attack on Shabal and Preimage Attack on Reduced Shabal-512},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/434},<br />
year = {2010},<br />
url = {http://eprint.iacr.org/2010/434.pdf},<br />
note = {\url{http://eprint.iacr.org/}},<br />
abstract = {This paper studies two types of attacks on the hash function Shabal. The first attack is a low-weight pseudo collision attack on Shabal. Since a pseudo collision attack is trivial for Shabal, we focus on a low-weight pseudo collision attack. It means that only low-weight difference in a chaining value is considered. By analyzing the difference propagation in the underlying permutation, we can construct a low-weight (45-bits) pseudo collision attack on the full compression function with complexity of 2^84. The second attack is a preimage attack on variants of Shabal-512. We utilize a guess-and-determine technique, which is originally developed for a cryptanalysis of stream ciphers, and customize the technique for a preimage attack on Shabal-512. As a result, for the weakened variant of Shabal-512 using security parameters (p; r) = (2; 12), a preimage can be found with complexity of 2^497 and memory of 2^400. Moreover, for the Shabal-512 using security parameters (p; r) = (1:5; 8), a preimage can be found with complexity of 2^497 and memory of 2^272. To the best of our knowledge, these are best preimage attacks on Shabal variants and the second result is a first preimage attack on Shabal-512 with reduced security parameters.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{shabalAum10,<br />
author = {Jean-Philippe Aumasson},<br />
title = {Observation on Shabal},<br />
url = {http://ehash.iaik.tugraz.at/uploads/4/4b/Aumasson_shabal.txt}, <br />
howpublished = {NIST mailing list (local link)},<br />
year = {2010},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{shabalNov10,<br />
author = {Peter Novotney},<br />
title = {Distinguisher for Shabal's Permutation Function},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/398},<br />
year = {2010},<br />
url = {http://eprint.iacr.org/2010/398.pdf},<br />
note = {\url{http://eprint.iacr.org/}},<br />
abstract = {In this note we consider the Shabal permutation function $\mathcal{P}$ as a block cipher with input $A_p$,$B_p$ and key $C$,$M$ and describe a distinguisher with a data complexity of $2^{23}$ random inputs with a given difference. If the attacker can control one chosen bit of $B_p$, only $2^{21}$ inputs with a given difference are required on average. This distinguisher does not appear to lead directly to an attack on the full Shabal construction.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{shabalVA10,<br />
author = {Gilles Van Assche},<br />
title = {A rotational distinguisher on Shabal's keyed permutation and its impact on the security proofs},<br />
url = {http://gva.noekeon.org/papers/ShabalRotation.pdf},<br />
howpublished = {Available online},<br />
year = {2010},<br />
abstract = {In this short note, we apply a rotational distinguisher to the keyed permutation of the SHA-3 candidate Shabal. We then discuss its applicability in the scope of Shabal's mode of operation and its impact on the security proofs.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{shabalAum09a,<br />
author = {Jean-Philippe Aumasson and Atefeh Mashatan and Willi Meier},<br />
title = {More on Shabal's permutation},<br />
url = {http://131002.net/data/papers/AMM09.pdf},<br />
howpublished = {OFFICIAL COMMENT},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{shabalKMT09,<br />
author = {Lars R. Knudsen and Krystian Matusiewicz and Søren S. Thomsen},<br />
title = {Observations on the Shabal keyed permutation},<br />
url = {http://www.mat.dtu.dk/people/S.Thomsen/shabal/shabal.pdf },<br />
howpublished = {OFFICIAL COMMENT},<br />
year = {2009},<br />
abstract = {<br />
In this note we show that the permutation P used in the Shabal hash function, which is<br />
a candidate in the SHA-3 competition, has some non-random properties. As an example,<br />
it is easy to find a number of fixed points in the permutation. Moreover, large key-multicollisions<br />
can be easily found; these are multi-collisions where only the key input contains<br />
a difference. All observations are easily verified, and most of them are independent of the<br />
choice of security parameters. Our observations, on the other hand, do not seem extensible<br />
to the full hash function.<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{shabalAum09,<br />
author = {Jean-Philippe Aumasson},<br />
title = {On the pseudorandomness of Shabal's keyed permutation},<br />
url = {http://131002.net/data/papers/Aum09.pdf},<br />
howpublished = {Available online},<br />
year = {2009},<br />
abstract = {<br />
We report observations suggesting that the permutation used in<br />
Shabal does not behave pseudorandomly. This does not affect the<br />
security of Shabal as submitted to the NIST Hash Competition.},<br />
}<br />
</bibtex></div>
JAumasson
https://ehash.iaik.tugraz.at/index.php?title=CubeHash&diff=3623
CubeHash
2010-11-08T15:27:21Z
<p>JAumasson: added eprint 2010/506</p>
<hr />
<div>== The algorithm ==<br />
<br />
* Author(s): Dan Bernstein <br />
* Website: [http://cubehash.cr.yp.to/ http://cubehash.cr.yp.to/] <br />
* NIST submission package: <br />
** round 1: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/CubeHash.zip CubeHash.zip]<br />
** round 2: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/documents/CubeHash_Round2.zip CubeHash_Round2.zip]<br />
<br />
<br />
<bibtex><br />
@misc{sha3Bernstein09a,<br />
author = {Daniel J. Bernstein},<br />
title = {CubeHash specification (2.B.1)},<br />
url = {http://cubehash.cr.yp.to/submission2/spec.pdf},<br />
howpublished = {Submission to NIST (Round 2)},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{sha3Bernstein09,<br />
author = {Daniel J. Bernstein},<br />
title = {CubeHash parameter tweak: 16 times faster},<br />
url = {http://cubehash.cr.yp.to/submission/tweak.pdf},<br />
howpublished = {Available online},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{sha3Bernstein08,<br />
author = {Daniel J. Bernstein},<br />
title = {CubeHash Specification (2.B.1)},<br />
url = {http://cubehash.cr.yp.to/submission/spec.pdf},<br />
howpublished = {Submission to NIST (Round 1)},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
<br />
== Cryptanalysis ==<br />
<br />
We distinguish between two cases: results on the complete hash function, and results on underlying building blocks.<br />
<br />
A description of the tables is given [http://ehash.iaik.tugraz.at/wiki/Cryptanalysis_Categories#Individual_Hash_Function_Tables here].<br />
<br />
Recommended security parameters: r/b = '''16/32''' (n=224,256); '''16/32''' (n=384,512)<br />
<br />
=== Hash function ===<br />
<br />
Here we list results on the hash function according to the NIST requirements. The only allowed modification is to change the security parameter.<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| style="background:greenyellow" | preimage || 384,512 || r/32 || 2<sup>383.7</sup> || - || [http://eprint.iacr.org/2010/273.pdf Ferguson,Lucks,McKay]<br />
|- <br />
| preimage || 384,512 || r/33 || 2<sup>257.6</sup> || - || [http://eprint.iacr.org/2010/273.pdf Ferguson,Lucks,McKay]<br />
|- <br />
| collision || 512 || 7/64 || 2<sup>203</sup> || - || [http://eprint.iacr.org/2009/382.pdf Brier,Khazaei,Meier,Peyrin]<br />
|- <br />
| collision || all || 4/48 || example (2<sup>37</sup>) || - || [http://ehash.iaik.tugraz.at/uploads/5/50/Bkmp_ch448.txt Brier,Khazaei,Meier,Peyrin]<br />
|- <br />
| collision || all || 4/64 || example (2<sup>34</sup>) || - || [http://ehash.iaik.tugraz.at/uploads/9/93/Bkmp_ch464.txt Brier,Khazaei,Meier,Peyrin]<br />
|- <br />
| collision || all || 3/64 || example (2<sup>24</sup>) || - || [http://ehash.iaik.tugraz.at/uploads/3/3a/Peyrin_ch22_ch364.txt Brier,Khazaei,Meier,Peyrin]<br />
|- <br />
| collision || 512 || 2/2 || 2<sup>196</sup> || - || [http://ehash.iaik.tugraz.at/uploads/3/3a/Peyrin_ch22_ch364.txt Brier,Khazaei,Meier,Peyrin]<br />
|- <br />
| collision || 512 || 5/64 || 2<sup>231</sup> || - || [http://thomas.peyrin.googlepages.com/BrierPeyrinCubehash.pdf Brier,Peyrin]<br />
|- <br />
| collision || all || 3/64 || 2<sup>89</sup> || - || [http://thomas.peyrin.googlepages.com/BrierPeyrinCubehash.pdf Brier,Peyrin]<br />
|-<br />
| collision || 512 || 4/3 || 2<sup>207</sup> || - || [http://thomas.peyrin.googlepages.com/BrierPeyrinCubehash.pdf Brier,Peyrin]<br />
|-<br />
| collision || 384,512 || 4/4 || 2<sup>189</sup> || - || [http://thomas.peyrin.googlepages.com/BrierPeyrinCubehash.pdf Brier,Peyrin]<br />
|-<br />
| collision || all || 2/3 || 2<sup>46</sup> || - || [http://thomas.peyrin.googlepages.com/BrierPeyrinCubehash.pdf Brier,Peyrin]<br />
|- <br />
| collision || 512 || 2/4 || example || - || [http://thomas.peyrin.googlepages.com/BrierPeyrinCubehash.pdf Brier,Peyrin]<br />
|- <br />
| collision || 512 || 1/45, 2/89 || example || - || [http://www.cryptopp.com/sha3/cubehash.pdf Dai]<br />
|- <br />
| collision || 512 || 2/120 || example || - || [http://ehash.iaik.tugraz.at/uploads/a/a9/Cubehash.txt Aumasson]<br />
|- <br />
| preimage || 512 || r/8 || 2<sup>480</sup> || - || [http://ehash.iaik.tugraz.at/uploads/6/6c/Cubehash.pdf Khovratovich,Nikolic',Weinmann]<br />
|- <br />
| preimage || 512 || r/4 || 2<sup>496</sup> || - || [http://ehash.iaik.tugraz.at/uploads/6/6c/Cubehash.pdf Khovratovich,Nikolic',Weinmann]<br />
|- <br />
| style="background:greenyellow" | preimage || 512 || r/1 (round 1) || 2<sup>511</sup> || 2<sup>508</sup> || [http://ehash.iaik.tugraz.at/uploads/6/6c/Cubehash.pdf Khovratovich,Nikolic',Weinmann]<br />
|- <br />
| style="background:greenyellow" | preimage || all || r/b || 2<sup>513-4b</sup> || - || [http://eprint.iacr.org/2008/486.pdf Aumasson,Meier,Naya-Plasencia,Peyrin]<br />
|-<br />
| collision || all || r/b || 2<sup>521-4b-log b</sup> || - || [http://cubehash.cr.yp.to/submission/generic.pdf submission document]<br />
|-<br />
| style="background:greenyellow" | preimage || all || r/b || 2<sup>522-4b-log b</sup> || - || [http://cubehash.cr.yp.to/submission/generic.pdf submission document]<br />
|-<br />
|} <br />
<br />
<br />
=== Building blocks ===<br />
<br />
Here we list results on underlying building blocks, and the hash function modified by other means than the security parameter.<br />
<br />
Note that these results assume more direct control or access over some internal variables (aka. free-start, pseudo, compression function, block cipher, or permutation attacks). <br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| quantum preimage || hash || 512 || || 2<sup>192</sup> || || [http://eprint.iacr.org/2008/506.pdf Leurent]<br />
|- <br />
| distinguisher || permutation|| all || 14 rounds || 2<sup>812</sup> || || [http://eprint.iacr.org/2010/535.pdf Ashur,Dunkelman]<br />
|- <br />
| distinguisher || permutation|| all || 11 rounds || 2<sup>470</sup> || || [http://eprint.iacr.org/2010/535.pdf Ashur,Dunkelman]<br />
|- <br />
| observations || hash || all || || || || [http://eprint.iacr.org/2010/262.pdf Kaminsky]<br />
|-<br />
| observations || hash || all || || || || [http://eprint.iacr.org/2009/407.pdf Bloom,Kaminsky]<br />
|- <br />
| multi-collision || hash || all || || 2<sup>513-4b</sup> || - || [http://eprint.iacr.org/2008/486.pdf Aumasson,Meier,Naya-Plasencia,Peyrin]<br />
|- <br />
| observations || permutation|| all || || || || [http://eprint.iacr.org/2008/486.pdf Aumasson,Meier,Naya-Plasencia,Peyrin]<br />
|- <br />
|} <br />
<br />
<br />
<bibtex><br />
@misc{cubehashLeu10,<br />
author = {Gaëtan Leurent},<br />
title = {Quantum Preimage and Collision Attacks on CubeHash},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/506},<br />
year = {2010},<br />
url = {http://eprint.iacr.org/2010/506.pdf},<br />
note = {\url{http://eprint.iacr.org/}},<br />
abtract = {In this short note we show a quantum preimage attack on CubeHash-normal-512 with complexity 2^192. This kind of attack is expected to cost 2^256 for a good 512-bit hash function, and we argue that this violates the expected security of CubeHash. The preimage attack can also be used as a collision attack, given that a generic quantum collision attack on a 512-bit hash function require 2^256 operations, as explained in the CubeHash submission document.<br />
This attack only use very simple techniques: we use the symmetry properties of CubeHash which were already described in the submission document and have been analyzed in detail later, together with Gover's algorithm which is also discussed in the submission document.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{cubehashAD10,<br />
author = {Tomer Ashur and Orr Dunkelman},<br />
title = {Linear Analysis of Reduced-Round CubeHash},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/535},<br />
year = {2010},<br />
url = {http://eprint.iacr.org/2010/535.pdf},<br />
note = {\url{http://eprint.iacr.org/}},<br />
abtract = {Recent developments in the field of cryptanalysis of hash functions has inspired NIST to announce a competition for selecting a new cryptographic hash function to join the SHA family of standards. One of the 14 second-round candidates is CubeHash designed by Daniel J. Bernstein. CubeHash is a unique hash function in the sense that it does not iterate a common compression function, and offers a structure which resembles a sponge function, even though it is not exactly a sponge function. In this paper we analyze reduced-round variants of CubeHash where the adversary controls the full 1024-bit input to reduced-round CubeHash and can observe its full output. We show that linear approximations with high biases exist in reduced-round variants. For example, we present an 11-round linear approximation with bias of 2^{&#8722;235}, which allows distinguishing 11-round CubeHash using about 2^{470} queries. We also discuss the extension of this distinguisher to 12 rounds using message modification techniques. Finally, we present a linear distinguisher for 14-round CubeHash which uses about 2^{812} queries.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{cubehashFLM10,<br />
author = {Niels Ferguson and Stefan Lucks and Kerry A. McKay},<br />
title = {Symmetric States and their Structure: Improved Analysis of CubeHash},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/273},<br />
year = {2010},<br />
url = {http://eprint.iacr.org/2010/273.pdf},<br />
note = {\url{http://eprint.iacr.org/}},<br />
abtract = {This paper provides three improvements over previous work on analyzing CubeHash, based on its classes of symmetric states: (1) We present a detailed analysis of the hierarchy of symmetry classes. (2) We point out some flaws in previously claimed attacks which tried to exploit the symmetry classes. (3) We present and analyze new multicollision and preimage attacks. For the default parameter setting of CubeHash, namely for a message block size of b = 32, the new attacks are slightly faster than 2^384 operations. If one increases the size of a message block by a single byte to b = 33, our multicollision and preimage attacks become much faster – they only require about 2^256 operations. This demonstrates how sensitive the security of CubeHash is, depending on minor changes of the tunable security parameter b. }<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{cubehashKam10,<br />
author = {Alan Kaminsky},<br />
title = {Cube Test Analysis of the Statistical Behavior of CubeHash and Skein},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/262},<br />
year = {2010},<br />
url = {http://eprint.iacr.org/2010/262.pdf},<br />
note = {\url{http://eprint.iacr.org/}},<br />
abstract = {This work analyzes the statistical properties of the SHA-3 candidate cryptographic hash algorithms CubeHash and Skein to try to find nonrandom behavior. Cube tests were used to probe each algorithm's internal polynomial structure for a large number of choices of the polynomial input variables. The cube test data were calculated on a 40-core hybrid SMP cluster parallel computer. The cube test data were subjected to three statistical tests: balance, independence, and off-by-one. Although isolated statistical test failures were observed, the balance and off-by-one tests did not find nonrandom behavior overall in either CubeHash or Skein. However, the independence test did find nonrandom behavior overall in both CubeHash and Skein. }<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{cubehashBK09,<br />
author = {Benjamin Bloom and Alan Kaminsky},<br />
title = {Single Block Attacks and Statistical Tests on CubeHash},<br />
howpublished = {Cryptology ePrint Archive, Report 2009/407},<br />
year = {2009},<br />
url = {http://eprint.iacr.org/2009/407.pdf},<br />
note = {\url{http://eprint.iacr.org/}},<br />
abstract = {This paper describes a second preimage attack on the CubeHash cryptographic one-way hash function. The attack finds a second preimage in less time than brute force search for these CubeHash variants: CubeHash $r$/$b$-224 for $b > 100$; CubeHash$r$/$b$-256 for $b > 96$; CubeHash$r$/$b$-384 for $b > 80$; and CubeHash$r$/$b$-512 for $b > 64$. However, the attack does not break the CubeHash variants recommended for SHA-3. The attack requires minimal memory and can be performed in a massively parallel fashion. This paper also describes several statistical randomness tests on CubeHash. The tests were unable to disprove the hypothesis that CubeHash behaves as a random mapping. These results support CubeHash's viability as a secure cryptographic hash function.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{cubehashBKMP09b,<br />
author = {Eric Brier and Shahram Khazaei and Willi Meier and Thomas Peyrin},<br />
title = {Linearization Framework for Collision Attacks: Application to CubeHash and MD6},<br />
howpublished = {Cryptology ePrint Archive, Report 2009/382},<br />
year = {2009},<br />
url = {http://eprint.iacr.org/2009/382.pdf},<br />
note = {\url{http://eprint.iacr.org/}},<br />
abstract = {In this paper, an improved differential cryptanalysis framework for finding collisions in hash functions is provided. Its principle is based on linearization of compression functions in order to find low weight differential characteristics as initiated by Chabaud and Joux. This is formalized and refined however in several ways: for the problem of finding a conforming message pair whose differential trail follows a linear trail, a condition function is introduced so that finding a collision is equivalent to finding a preimage of the zero vector for the condition function. Then, the dependency table concept shows how much influence every input bit of the condition function has on its output bits. Careful analysis of the dependency table reveals degrees of freedom that can be exploited in accelerated preimage reconstruction of the condition function. These concepts are applied to an in-depth collision analysis of reduced-round versions of the two SHA-3 candidates CubeHash and MD6, and are demonstrated to give by far the best currently known collision attacks on these SHA-3 candidates.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{cubehashBKMP09a,<br />
author = {Eric Brier and Shahram Khazaei and Willi Meier and Thomas Peyrin},<br />
title = {Real Collisions for CubeHash-4/48},<br />
url = {http://ehash.iaik.tugraz.at/uploads/5/50/Bkmp_ch448.txt}, <br />
howpublished = {NIST mailing list (local link)},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{cubehashBKMP09a,<br />
author = {Eric Brier and Shahram Khazaei and Willi Meier and Thomas Peyrin},<br />
title = {Real Collisions for CubeHash-4/64},<br />
url = {http://ehash.iaik.tugraz.at/uploads/9/93/Bkmp_ch464.txt}, <br />
howpublished = {NIST mailing list (local link)},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{cubehashBKMP09,<br />
author = {Eric Brier and Shahram Khazaei and Willi Meier and Thomas Peyrin},<br />
title = {Attack for CubeHash-2/2 and collision for CubeHash-3/64},<br />
url = {http://ehash.iaik.tugraz.at/uploads/3/3a/Peyrin_ch22_ch364.txt}, <br />
howpublished = {NIST mailing list (local link)},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
<!--<br />
<bibtex><br />
@misc{cubehashP09,<br />
author = {Thomas Peyrin},<br />
title = {Collision for CubeHash2/4},<br />
url = {http://ehash.iaik.tugraz.at/uploads/d/d5/Peyrin_cubehashcollision.txt}, <br />
howpublished = {NIST mailing list (local link)},<br />
year = {2009},<br />
}<br />
</bibtex><br />
--><br />
<bibtex><br />
@misc{cubehashBP09,<br />
author = {Eric Brier and Thomas Peyrin},<br />
title = {Cryptanalysis of CubeHash},<br />
url = {http://thomas.peyrin.googlepages.com/BrierPeyrinCubehash.pdf}, <br />
howpublished = {Available online},<br />
year = {2009},<br />
abstract = {CubeHash is a family of hash functions submitted by Bern stein as a SHA-3 candidate. In this paper, we provide two different cryptanalysis approaches concerning its collision resistance. Thanks to the first approach, related to truncated differentials, we computed a collision for the CubeHash-1/36 hash function, i.e. when for each iteration 36 bytes of message are incorporated and one call to the permutation is applied. Then, the second approach, already used by Dai, much more efficient and simply based on a linearization of the scheme, allowed us to compute a collision for the CubeHash-2/4 hash function. Finally, a theoretical collision attack against CubeHash-2/3, CubeHash-4/4 and CubeHash-4/3 is described. This is currently the best known cryptanalysis result on this SHA-3 candidate.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{cubehashD08,<br />
author = {Wei Dai},<br />
title = {Collisions for CubeHash1/45 and CubeHash2/89},<br />
url = {http://www.cryptopp.com/sha3/cubehash.pdf}, <br />
howpublished = {Available online},<br />
year = {2008},<br />
abstract = {Collisions were found for the hash functions CubeHash1/45-512 and CubeHash2/89-512. Attack code is included.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{cubehashA08,<br />
author = {Jean-Philippe Aumasson},<br />
title = {Collision for CubeHash2/120-512},<br />
url = {http://ehash.iaik.tugraz.at/uploads/a/a9/Cubehash.txt}, <br />
howpublished = {NIST mailing list (local link)},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{cubehashKNW08,<br />
author = {Dmitry Khovratovich and Ivica Nikolic' and Ralf-Philipp Weinmann},<br />
title = {Preimage attack on CubeHash512-r/4 and CubeHash512-r/8},<br />
url = {http://ehash.iaik.tugraz.at/uploads/6/6c/Cubehash.pdf},<br />
howpublished = {Available online},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{cubehashAMPP09,<br />
author = {Jean-Philippe Aumasson and Eric Brier and Willi Meier and María Naya-Plasencia and Thomas Peyrin},<br />
title = {Inside the Hypercube},<br />
booktitle = {ACISP},<br />
publisher = {Springer},<br />
editor = {Colin Boyd and Juan Manuel Gonz{\'a}lez Nieto},<br />
series = {LNCS},<br />
pages = {202-213},<br />
volume = {5594},<br />
url = {http://www.131002.net/data/papers/ABMNP08.pdf},<br />
year = {2009},<br />
abstract = {Bernstein’s CubeHash is a hash function family that includes four functions submitted to the NIST Hash Competition. A CubeHash function is parametrized by a number of rounds r, a block byte size b, and a digest bit length h. The 1024-bit internal state of CubeHash is represented as a five-dimension hypercube. Submissions to NIST have r = 8, b = 1, and $h \in {224, 256, 384, 512}$. <br />
This paper gives the first external analysis of CubeHash, with<br />
- improved standard generic attacks for collisions and preimages<br />
- a multicollision attack that exploits fixed points<br />
- a study of the round function symmetries<br />
- a preimage attack that exploits these symmetries<br />
- a practical collision attack on a weakened version of CubeHash<br />
- high-probability truncated differentials over the 8-round transform<br />
Our results do not contradict the security claims about CubeHash.},<br />
}<br />
</bibtex></div>
JAumasson
https://ehash.iaik.tugraz.at/index.php?title=ECHO&diff=3622
ECHO
2010-11-08T14:26:17Z
<p>JAumasson: added eprint 2010/569</p>
<hr />
<div>== The algorithm ==<br />
<br />
* Author(s): Ryad Benadjila, Olivier Billet, Henri Gilbert, Gilles Macario-Rat, Thomas Peyrin, Matt Robshaw, Yannick Seurin <br />
* Website: http://crypto.rd.francetelecom.com/echo/<br />
* NIST submission package: <br />
** round 1/2: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/documents/ECHO_Round2.zip ECHO_Round2.zip] (old version [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/ECHO.zip ECHO.zip])<br />
<br />
<br />
<bibtex><br />
@misc{sha3BBG+09,<br />
author = {Ryad Benadjila and Olivier Billet and Henri Gilbert and Gilles Macario-Rat and Thomas Peyrin and Matt Robshaw and Yannick Seurin},<br />
title = {SHA-3 Proposal: ECHO},<br />
url = {http://crypto.rd.francetelecom.com/echo/doc/echo_description_1-5.pdf},<br />
howpublished = {Submission to NIST (updated)},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{sha3BBG+08,<br />
author = {Ryad Benadjila and Olivier Billet and Henri Gilbert and Gilles Macario-Rat and Thomas Peyrin and Matt Robshaw and Yannick Seurin},<br />
title = {SHA-3 Proposal: ECHO},<br />
url = {http://crypto.rd.francetelecom.com/echo/doc/echo_description.pdf},<br />
howpublished = {Submission to NIST},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
<br />
== Cryptanalysis ==<br />
<br />
We distinguish between two cases: results on the complete hash function, and results on underlying building blocks.<br />
<br />
A description of the tables is given [http://ehash.iaik.tugraz.at/wiki/Cryptanalysis_Categories#Individual_Hash_Function_Tables here].<br />
<br />
Recommended security parameter: '''8''' rounds (n=224,256); '''10''' rounds (n=384,512)<br />
<br />
=== Hash function ===<br />
<br />
Here we list results on the hash function according to the NIST requirements. The only allowed modification is to change the security parameter.<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Size (n) || Parameters || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| distinguisher || 256 || 5 rounds || 2<sup>96</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/321.pdf Schläffer]<br />
|- <br />
| near-collision|| 256 || 4.5 rounds || 2<sup>96</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/321.pdf Schläffer]<br />
|- <br />
| collision|| 256 || 4 rounds || 2<sup>64</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/321.pdf Schläffer]<br />
|-<br />
|} <br />
<br />
<br />
=== Building blocks ===<br />
<br />
Here we list results on underlying building blocks, and the hash function modified by other means than the security parameter.<br />
<br />
Note that these results assume more direct control or access over some internal variables (aka. free-start, pseudo, compression function, block cipher, or permutation attacks). <br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| semi-free-start collision || compression function || 256 || 4 rounds || 2<sup>52</sup> || 2<sup>16</sup> || [http://eprint.iacr.org/2010/569.pdf Jean,Fouque]<br />
|- <br />
| distinguisher (chosen salt) || compression function || 256 || 7 rounds || 2<sup>107</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/321.pdf Schläffer]<br />
|- <br />
| free-start near-collision (chosen salt) || compression function || 256 || 6.5 rounds || 2<sup>96</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/321.pdf Schläffer]<br />
|-<br />
| distinguisher (chosen salt) || compression function || 512 || 7 rounds || 2<sup>106</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/321.pdf Schläffer]<br />
|- <br />
| free-start near-collision (chosen salt) || compression function || 512|| 6.5 rounds || 2<sup>96</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/321.pdf Schläffer]<br />
|- <br />
| semi-free-start collision || compression function || 256 || 3 rounds || 2<sup>64</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/223.pdf Peyrin]<br />
|- <br />
| distinguisher || compression function || 256 || 4 rounds || 2<sup>64</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/223.pdf Peyrin]<br />
|- <br />
| semi-free-start collision || compression function || 512 || 3 rounds || 2<sup>96</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/223.pdf Peyrin]<br />
|- <br />
| distinguisher || compression function || 512 || 6 rounds || 2<sup>96</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/223.pdf Peyrin]<br />
|- <br />
| distinguisher || permutation || all || 8 rounds || 2<sup>768</sup> || 2<sup>512</sup> || [http://eprint.iacr.org/2009/531.pdf Gilbert,Peyrin]<br />
|- <br />
| distinguisher || permutation || all || 7 rounds || 2<sup>384</sup> || 2<sup>64</sup> || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=110408 Mendel,Peyrin,Rechberger,Schläffer]<br />
|- <br />
| distinguisher || permutation || all || 7 rounds || 2<sup>896</sup> || - || [http://crypto.rd.francetelecom.com/echo/doc/echo_description_1-5.pdf submission document]<br />
|- <br />
|} <br />
<br />
<br />
<bibtex><br />
@misc{cryptoeprint:2010:569,<br />
author = {Jérémy Jean and Pierre-Alain Fouque},<br />
title = {Practical Near-Collisions and Collisions on Round-Reduced ECHO-256 Compression Function},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/569},<br />
year = {2010},<br />
note = {\url{http://eprint.iacr.org/}},<br />
url = {http://eprint.iacr.org/2010/569.pdf},<br />
abstract = {In this paper, we present new results on the second-round SHA-3 candidate ECHO. We describe a method to construct a collision in the compression function of ECHO-256 reduced to four rounds in 2^52 operations on AES-columns without significant memory requirements. Our attack uses the most recent analyses on ECHO, in particular the SuperSBox and SuperMixColumns layers to utilize efficiently the available freedom degrees. We also show why some of these results are flawed and we propose a solution to fix them. Our work improve the time and memory complexity of previous known techniques by using available freedom degrees more precisely. Finally, we validate our work by an implementation leading to near-collisions in 2^36 operations.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{cryptoeprint:2010:321,<br />
author = {Martin Schläffer},<br />
title = {Subspace Distinguisher for 5/8 Rounds of the ECHO-256 Hash Function},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/321},<br />
year = {2010},<br />
note = {\url{http://eprint.iacr.org/}},<br />
url = {http://eprint.iacr.org/2010/321.pdf},<br />
abstract = {In this work we present the first results for the ECHO hash function. We provide a subspace distinguisher for 5/8 rounds, near-collisions on 4.5/8 rounds and collisions for 4/8 rounds of the ECHO-256 hash function. The complexities are $2^{96}$ compression function calls for the distinguisher and near-collision attack, and $2^{64}$ for the collision attack. The memory requirements are $2^{64}$ for all attacks. Furthermore, we provide improved compression function attacks on ECHO-256 to get a distinguisher on 7/8 rounds and near-collisions for 6.5/8 rounds with chosen salt. The compression function attacks also apply to ECHO-512. To get these results, we consider new and sparse truncated differential paths through ECHO. We are able to construct these paths by analyzing the combined MixColumns and BigMixColumns transformation. Since in these sparse truncated differential paths at most 1/4 of all bytes of each ECHO state are active, missing degrees of freedom are not a problem. Therefore, we are able to mount a rebound attack with multiple inbound phases to efficiently find according message pairs for ECHO.},<br />
}<br />
</bibtex><br />
<br />
<bibtex> <br />
@misc{Pey10,<br />
author = {Thomas Peyrin},<br />
title = {Improved Differential Attacks for ECHO and Grostl},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/223},<br />
year = {2010},<br />
note = {\url{http://eprint.iacr.org/}},<br />
abstract = {We present improved cryptanalysis of two second-round SHA-3 candidates: the AES-based hash functions ECHO and Grostl. We explain methods for building better differential trails for ECHO by increasing the granularity of the truncated differential paths previously considered. In the case of Grostl, we describe a new technique, the internal differential attack, which shows that when using parallel computations designers should also consider the differential security between the parallel branches. Then, we exploit the recently introduced start-from-the-middle or Super-Sbox attacks, that proved to be very efficient when attacking AES-like permutations, to achieve a very efficient utilization of the available freedom degrees. Finally, we obtain the best known attacks so far for both ECHO and Grostl. In particular, we are able to mount a distinguishing attack for the full Grostl-256 compression function.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{fseGP10,<br />
author = {Henri Gilbert and Thomas Peyrin},<br />
title = {Super-Sbox Cryptanalysis: Improved Attacks for AES-like permutations},<br />
url = {http://eprint.iacr.org/2009/531.pdf},<br />
booktitle = {FSE},<br />
year = {2010},<br />
series = {LNCS},<br />
note = {To appear}<br />
abstract = {In this paper, we improve the recent rebound and start-from-the-middle attacks on AES-like permutations. Our new cryptanalysis technique uses the fact that one can view two rounds of such permutations as a layer of big Sboxes preceded and followed by simple affine transformations. The big Sboxes encountered in this alternative representation are named Super-Sboxes. We apply this method to two second-round SHA-3 candidates Grostl and ECHO, and obtain improvements over the previous cryptanalysis results for these two schemes. Moreover, we improve the best distinguisher for the AES block cipher in the known-key setting, reaching 8 rounds for the 128-bit version.}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{sacMPRS09,<br />
author = {Florian Mendel and Thomas Peyrin and Christian<br />
Rechberger and Martin Schläffer},<br />
title = {Improved Cryptanalysis of the Reduced Grøstl<br />
Compression Function, ECHO Permutation and AES Block Cipher},<br />
url = {http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=124407&pCurrPk=44420},<br />
booktitle = {SAC},<br />
year = {2009},<br />
volume = {5867},<br />
pages = {16-35},<br />
abstract = {In this paper, we propose two new ways to mount attacks<br />
on the SHA-3 candidates Gr{\o}stl, and ECHO, and apply these attacks<br />
also to the AES. Our results improve upon and extend the rebound<br />
attack. Using the new techniques, we are able to extend the number of<br />
rounds in which available degrees of freedom can be used. As a result,<br />
we present the first attack on 7 rounds for the Gr{\o}stl-256 output<br />
transformation and improve the semi-free-start collision attack on 6<br />
rounds. Further, we present an improved known-key distinguisher for 7<br />
rounds of the AES block cipher and the internal permutation used in<br />
ECHO.}<br />
</bibtex></div>
JAumasson
https://ehash.iaik.tugraz.at/index.php?title=CubeHash&diff=3621
CubeHash
2010-11-08T10:07:59Z
<p>JAumasson: added eprint 2010/535 results</p>
<hr />
<div>== The algorithm ==<br />
<br />
* Author(s): Dan Bernstein <br />
* Website: [http://cubehash.cr.yp.to/ http://cubehash.cr.yp.to/] <br />
* NIST submission package: <br />
** round 1: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/CubeHash.zip CubeHash.zip]<br />
** round 2: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/documents/CubeHash_Round2.zip CubeHash_Round2.zip]<br />
<br />
<br />
<bibtex><br />
@misc{sha3Bernstein09a,<br />
author = {Daniel J. Bernstein},<br />
title = {CubeHash specification (2.B.1)},<br />
url = {http://cubehash.cr.yp.to/submission2/spec.pdf},<br />
howpublished = {Submission to NIST (Round 2)},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{sha3Bernstein09,<br />
author = {Daniel J. Bernstein},<br />
title = {CubeHash parameter tweak: 16 times faster},<br />
url = {http://cubehash.cr.yp.to/submission/tweak.pdf},<br />
howpublished = {Available online},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{sha3Bernstein08,<br />
author = {Daniel J. Bernstein},<br />
title = {CubeHash Specification (2.B.1)},<br />
url = {http://cubehash.cr.yp.to/submission/spec.pdf},<br />
howpublished = {Submission to NIST (Round 1)},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
<br />
== Cryptanalysis ==<br />
<br />
We distinguish between two cases: results on the complete hash function, and results on underlying building blocks.<br />
<br />
A description of the tables is given [http://ehash.iaik.tugraz.at/wiki/Cryptanalysis_Categories#Individual_Hash_Function_Tables here].<br />
<br />
Recommended security parameters: r/b = '''16/32''' (n=224,256); '''16/32''' (n=384,512)<br />
<br />
=== Hash function ===<br />
<br />
Here we list results on the hash function according to the NIST requirements. The only allowed modification is to change the security parameter.<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| style="background:greenyellow" | preimage || 384,512 || r/32 || 2<sup>383.7</sup> || - || [http://eprint.iacr.org/2010/273.pdf Ferguson,Lucks,McKay]<br />
|- <br />
| preimage || 384,512 || r/33 || 2<sup>257.6</sup> || - || [http://eprint.iacr.org/2010/273.pdf Ferguson,Lucks,McKay]<br />
|- <br />
| collision || 512 || 7/64 || 2<sup>203</sup> || - || [http://eprint.iacr.org/2009/382.pdf Brier,Khazaei,Meier,Peyrin]<br />
|- <br />
| collision || all || 4/48 || example (2<sup>37</sup>) || - || [http://ehash.iaik.tugraz.at/uploads/5/50/Bkmp_ch448.txt Brier,Khazaei,Meier,Peyrin]<br />
|- <br />
| collision || all || 4/64 || example (2<sup>34</sup>) || - || [http://ehash.iaik.tugraz.at/uploads/9/93/Bkmp_ch464.txt Brier,Khazaei,Meier,Peyrin]<br />
|- <br />
| collision || all || 3/64 || example (2<sup>24</sup>) || - || [http://ehash.iaik.tugraz.at/uploads/3/3a/Peyrin_ch22_ch364.txt Brier,Khazaei,Meier,Peyrin]<br />
|- <br />
| collision || 512 || 2/2 || 2<sup>196</sup> || - || [http://ehash.iaik.tugraz.at/uploads/3/3a/Peyrin_ch22_ch364.txt Brier,Khazaei,Meier,Peyrin]<br />
|- <br />
| collision || 512 || 5/64 || 2<sup>231</sup> || - || [http://thomas.peyrin.googlepages.com/BrierPeyrinCubehash.pdf Brier,Peyrin]<br />
|- <br />
| collision || all || 3/64 || 2<sup>89</sup> || - || [http://thomas.peyrin.googlepages.com/BrierPeyrinCubehash.pdf Brier,Peyrin]<br />
|-<br />
| collision || 512 || 4/3 || 2<sup>207</sup> || - || [http://thomas.peyrin.googlepages.com/BrierPeyrinCubehash.pdf Brier,Peyrin]<br />
|-<br />
| collision || 384,512 || 4/4 || 2<sup>189</sup> || - || [http://thomas.peyrin.googlepages.com/BrierPeyrinCubehash.pdf Brier,Peyrin]<br />
|-<br />
| collision || all || 2/3 || 2<sup>46</sup> || - || [http://thomas.peyrin.googlepages.com/BrierPeyrinCubehash.pdf Brier,Peyrin]<br />
|- <br />
| collision || 512 || 2/4 || example || - || [http://thomas.peyrin.googlepages.com/BrierPeyrinCubehash.pdf Brier,Peyrin]<br />
|- <br />
| collision || 512 || 1/45, 2/89 || example || - || [http://www.cryptopp.com/sha3/cubehash.pdf Dai]<br />
|- <br />
| collision || 512 || 2/120 || example || - || [http://ehash.iaik.tugraz.at/uploads/a/a9/Cubehash.txt Aumasson]<br />
|- <br />
| preimage || 512 || r/8 || 2<sup>480</sup> || - || [http://ehash.iaik.tugraz.at/uploads/6/6c/Cubehash.pdf Khovratovich,Nikolic',Weinmann]<br />
|- <br />
| preimage || 512 || r/4 || 2<sup>496</sup> || - || [http://ehash.iaik.tugraz.at/uploads/6/6c/Cubehash.pdf Khovratovich,Nikolic',Weinmann]<br />
|- <br />
| style="background:greenyellow" | preimage || 512 || r/1 (round 1) || 2<sup>511</sup> || 2<sup>508</sup> || [http://ehash.iaik.tugraz.at/uploads/6/6c/Cubehash.pdf Khovratovich,Nikolic',Weinmann]<br />
|- <br />
| style="background:greenyellow" | preimage || all || r/b || 2<sup>513-4b</sup> || - || [http://eprint.iacr.org/2008/486.pdf Aumasson,Meier,Naya-Plasencia,Peyrin]<br />
|-<br />
| collision || all || r/b || 2<sup>521-4b-log b</sup> || - || [http://cubehash.cr.yp.to/submission/generic.pdf submission document]<br />
|-<br />
| style="background:greenyellow" | preimage || all || r/b || 2<sup>522-4b-log b</sup> || - || [http://cubehash.cr.yp.to/submission/generic.pdf submission document]<br />
|-<br />
|} <br />
<br />
<br />
=== Building blocks ===<br />
<br />
Here we list results on underlying building blocks, and the hash function modified by other means than the security parameter.<br />
<br />
Note that these results assume more direct control or access over some internal variables (aka. free-start, pseudo, compression function, block cipher, or permutation attacks). <br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| distinguisher || permutation|| all || 14 rounds || 2<sup>812</sup> || || [http://eprint.iacr.org/2010/535.pdf Ashur,Dunkelman]<br />
|- <br />
| distinguisher || permutation|| all || 11 rounds || 2<sup>470</sup> || || [http://eprint.iacr.org/2010/535.pdf Ashur,Dunkelman]<br />
|- <br />
| observations || hash || all || || || || [http://eprint.iacr.org/2010/262.pdf Kaminsky]<br />
|-<br />
| observations || hash || all || || || || [http://eprint.iacr.org/2009/407.pdf Bloom,Kaminsky]<br />
|- <br />
| multi-collision || hash || all || || 2<sup>513-4b</sup> || - || [http://eprint.iacr.org/2008/486.pdf Aumasson,Meier,Naya-Plasencia,Peyrin]<br />
|- <br />
| observations || permutation|| all || || || || [http://eprint.iacr.org/2008/486.pdf Aumasson,Meier,Naya-Plasencia,Peyrin]<br />
|- <br />
|} <br />
<br />
<br />
<bibtex><br />
@misc{cubehashAD10,<br />
author = {Tomer Ashur and Orr Dunkelman},<br />
title = {Linear Analysis of Reduced-Round CubeHash},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/535},<br />
year = {2010},<br />
url = {http://eprint.iacr.org/2010/535.pdf},<br />
note = {\url{http://eprint.iacr.org/}},<br />
abtract = {Recent developments in the field of cryptanalysis of hash functions has inspired NIST to announce a competition for selecting a new cryptographic hash function to join the SHA family of standards. One of the 14 second-round candidates is CubeHash designed by Daniel J. Bernstein. CubeHash is a unique hash function in the sense that it does not iterate a common compression function, and offers a structure which resembles a sponge function, even though it is not exactly a sponge function. In this paper we analyze reduced-round variants of CubeHash where the adversary controls the full 1024-bit input to reduced-round CubeHash and can observe its full output. We show that linear approximations with high biases exist in reduced-round variants. For example, we present an 11-round linear approximation with bias of 2^{&#8722;235}, which allows distinguishing 11-round CubeHash using about 2^{470} queries. We also discuss the extension of this distinguisher to 12 rounds using message modification techniques. Finally, we present a linear distinguisher for 14-round CubeHash which uses about 2^{812} queries.. }<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{cubehashFLM10,<br />
author = {Niels Ferguson and Stefan Lucks and Kerry A. McKay},<br />
title = {Symmetric States and their Structure: Improved Analysis of CubeHash},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/273},<br />
year = {2010},<br />
url = {http://eprint.iacr.org/2010/273.pdf},<br />
note = {\url{http://eprint.iacr.org/}},<br />
abtract = {This paper provides three improvements over previous work on analyzing CubeHash, based on its classes of symmetric states: (1) We present a detailed analysis of the hierarchy of symmetry classes. (2) We point out some flaws in previously claimed attacks which tried to exploit the symmetry classes. (3) We present and analyze new multicollision and preimage attacks. For the default parameter setting of CubeHash, namely for a message block size of b = 32, the new attacks are slightly faster than 2^384 operations. If one increases the size of a message block by a single byte to b = 33, our multicollision and preimage attacks become much faster – they only require about 2^256 operations. This demonstrates how sensitive the security of CubeHash is, depending on minor changes of the tunable security parameter b. }<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{cubehashKam10,<br />
author = {Alan Kaminsky},<br />
title = {Cube Test Analysis of the Statistical Behavior of CubeHash and Skein},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/262},<br />
year = {2010},<br />
url = {http://eprint.iacr.org/2010/262.pdf},<br />
note = {\url{http://eprint.iacr.org/}},<br />
abstract = {This work analyzes the statistical properties of the SHA-3 candidate cryptographic hash algorithms CubeHash and Skein to try to find nonrandom behavior. Cube tests were used to probe each algorithm's internal polynomial structure for a large number of choices of the polynomial input variables. The cube test data were calculated on a 40-core hybrid SMP cluster parallel computer. The cube test data were subjected to three statistical tests: balance, independence, and off-by-one. Although isolated statistical test failures were observed, the balance and off-by-one tests did not find nonrandom behavior overall in either CubeHash or Skein. However, the independence test did find nonrandom behavior overall in both CubeHash and Skein. }<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{cubehashBK09,<br />
author = {Benjamin Bloom and Alan Kaminsky},<br />
title = {Single Block Attacks and Statistical Tests on CubeHash},<br />
howpublished = {Cryptology ePrint Archive, Report 2009/407},<br />
year = {2009},<br />
url = {http://eprint.iacr.org/2009/407.pdf},<br />
note = {\url{http://eprint.iacr.org/}},<br />
abstract = {This paper describes a second preimage attack on the CubeHash cryptographic one-way hash function. The attack finds a second preimage in less time than brute force search for these CubeHash variants: CubeHash $r$/$b$-224 for $b > 100$; CubeHash$r$/$b$-256 for $b > 96$; CubeHash$r$/$b$-384 for $b > 80$; and CubeHash$r$/$b$-512 for $b > 64$. However, the attack does not break the CubeHash variants recommended for SHA-3. The attack requires minimal memory and can be performed in a massively parallel fashion. This paper also describes several statistical randomness tests on CubeHash. The tests were unable to disprove the hypothesis that CubeHash behaves as a random mapping. These results support CubeHash's viability as a secure cryptographic hash function.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{cubehashBKMP09b,<br />
author = {Eric Brier and Shahram Khazaei and Willi Meier and Thomas Peyrin},<br />
title = {Linearization Framework for Collision Attacks: Application to CubeHash and MD6},<br />
howpublished = {Cryptology ePrint Archive, Report 2009/382},<br />
year = {2009},<br />
url = {http://eprint.iacr.org/2009/382.pdf},<br />
note = {\url{http://eprint.iacr.org/}},<br />
abstract = {In this paper, an improved differential cryptanalysis framework for finding collisions in hash functions is provided. Its principle is based on linearization of compression functions in order to find low weight differential characteristics as initiated by Chabaud and Joux. This is formalized and refined however in several ways: for the problem of finding a conforming message pair whose differential trail follows a linear trail, a condition function is introduced so that finding a collision is equivalent to finding a preimage of the zero vector for the condition function. Then, the dependency table concept shows how much influence every input bit of the condition function has on its output bits. Careful analysis of the dependency table reveals degrees of freedom that can be exploited in accelerated preimage reconstruction of the condition function. These concepts are applied to an in-depth collision analysis of reduced-round versions of the two SHA-3 candidates CubeHash and MD6, and are demonstrated to give by far the best currently known collision attacks on these SHA-3 candidates.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{cubehashBKMP09a,<br />
author = {Eric Brier and Shahram Khazaei and Willi Meier and Thomas Peyrin},<br />
title = {Real Collisions for CubeHash-4/48},<br />
url = {http://ehash.iaik.tugraz.at/uploads/5/50/Bkmp_ch448.txt}, <br />
howpublished = {NIST mailing list (local link)},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{cubehashBKMP09a,<br />
author = {Eric Brier and Shahram Khazaei and Willi Meier and Thomas Peyrin},<br />
title = {Real Collisions for CubeHash-4/64},<br />
url = {http://ehash.iaik.tugraz.at/uploads/9/93/Bkmp_ch464.txt}, <br />
howpublished = {NIST mailing list (local link)},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{cubehashBKMP09,<br />
author = {Eric Brier and Shahram Khazaei and Willi Meier and Thomas Peyrin},<br />
title = {Attack for CubeHash-2/2 and collision for CubeHash-3/64},<br />
url = {http://ehash.iaik.tugraz.at/uploads/3/3a/Peyrin_ch22_ch364.txt}, <br />
howpublished = {NIST mailing list (local link)},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
<!--<br />
<bibtex><br />
@misc{cubehashP09,<br />
author = {Thomas Peyrin},<br />
title = {Collision for CubeHash2/4},<br />
url = {http://ehash.iaik.tugraz.at/uploads/d/d5/Peyrin_cubehashcollision.txt}, <br />
howpublished = {NIST mailing list (local link)},<br />
year = {2009},<br />
}<br />
</bibtex><br />
--><br />
<bibtex><br />
@misc{cubehashBP09,<br />
author = {Eric Brier and Thomas Peyrin},<br />
title = {Cryptanalysis of CubeHash},<br />
url = {http://thomas.peyrin.googlepages.com/BrierPeyrinCubehash.pdf}, <br />
howpublished = {Available online},<br />
year = {2009},<br />
abstract = {CubeHash is a family of hash functions submitted by Bern stein as a SHA-3 candidate. In this paper, we provide two different cryptanalysis approaches concerning its collision resistance. Thanks to the first approach, related to truncated differentials, we computed a collision for the CubeHash-1/36 hash function, i.e. when for each iteration 36 bytes of message are incorporated and one call to the permutation is applied. Then, the second approach, already used by Dai, much more efficient and simply based on a linearization of the scheme, allowed us to compute a collision for the CubeHash-2/4 hash function. Finally, a theoretical collision attack against CubeHash-2/3, CubeHash-4/4 and CubeHash-4/3 is described. This is currently the best known cryptanalysis result on this SHA-3 candidate.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{cubehashD08,<br />
author = {Wei Dai},<br />
title = {Collisions for CubeHash1/45 and CubeHash2/89},<br />
url = {http://www.cryptopp.com/sha3/cubehash.pdf}, <br />
howpublished = {Available online},<br />
year = {2008},<br />
abstract = {Collisions were found for the hash functions CubeHash1/45-512 and CubeHash2/89-512. Attack code is included.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{cubehashA08,<br />
author = {Jean-Philippe Aumasson},<br />
title = {Collision for CubeHash2/120-512},<br />
url = {http://ehash.iaik.tugraz.at/uploads/a/a9/Cubehash.txt}, <br />
howpublished = {NIST mailing list (local link)},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{cubehashKNW08,<br />
author = {Dmitry Khovratovich and Ivica Nikolic' and Ralf-Philipp Weinmann},<br />
title = {Preimage attack on CubeHash512-r/4 and CubeHash512-r/8},<br />
url = {http://ehash.iaik.tugraz.at/uploads/6/6c/Cubehash.pdf},<br />
howpublished = {Available online},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{cubehashAMPP09,<br />
author = {Jean-Philippe Aumasson and Eric Brier and Willi Meier and María Naya-Plasencia and Thomas Peyrin},<br />
title = {Inside the Hypercube},<br />
booktitle = {ACISP},<br />
publisher = {Springer},<br />
editor = {Colin Boyd and Juan Manuel Gonz{\'a}lez Nieto},<br />
series = {LNCS},<br />
pages = {202-213},<br />
volume = {5594},<br />
url = {http://www.131002.net/data/papers/ABMNP08.pdf},<br />
year = {2009},<br />
abstract = {Bernstein’s CubeHash is a hash function family that includes four functions submitted to the NIST Hash Competition. A CubeHash function is parametrized by a number of rounds r, a block byte size b, and a digest bit length h. The 1024-bit internal state of CubeHash is represented as a five-dimension hypercube. Submissions to NIST have r = 8, b = 1, and $h \in {224, 256, 384, 512}$. <br />
This paper gives the first external analysis of CubeHash, with<br />
- improved standard generic attacks for collisions and preimages<br />
- a multicollision attack that exploits fixed points<br />
- a study of the round function symmetries<br />
- a preimage attack that exploits these symmetries<br />
- a practical collision attack on a weakened version of CubeHash<br />
- high-probability truncated differentials over the 8-round transform<br />
Our results do not contradict the security claims about CubeHash.},<br />
}<br />
</bibtex></div>
JAumasson
https://ehash.iaik.tugraz.at/index.php?title=Skein&diff=3620
Skein
2010-11-08T10:02:07Z
<p>JAumasson: added eprint 2010/538 result</p>
<hr />
<div>== The algorithm ==<br />
<br />
* Author(s): Niels Ferguson, Stefan Lucks, Bruce Schneier, Doug Whiting, Mihir Bellare, Tadayoshi Kohno, Jon Callas, Jesse Walker<br />
* Website: [http://www.schneier.com/skein.html http://www.schneier.com/skein.html]; [http://skein-hash.info/ http://skein-hash.info/]<br />
* NIST submission package: <br />
** round 1: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/SkeinUpdate.zip SkeinUpdate.zip] (old version: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/Skein.zip Skein.zip])<br />
** round 2: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/documents/Skein_Round2.zip Skein_Round2.zip]<br />
<br />
<br />
<bibtex><br />
@misc{sha3F+09,<br />
author = {Niels Ferguson and Stefan Lucks and Bruce Schneier and Doug Whiting and Mihir Bellare and Tadayoshi Kohno and Jon Callas and Jesse Walker},<br />
title = {The Skein Hash Function Family},<br />
url = {http://www.skein-hash.info/sites/default/files/skein1.2.pdf},<br />
howpublished = {Submission to NIST (Round 2)},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{sha3F+08,<br />
author = {Niels Ferguson and Stefan Lucks and Bruce Schneier and Doug Whiting and Mihir Bellare and Tadayoshi Kohno and Jon Callas and Jesse Walker},<br />
title = {The Skein Hash Function Family},<br />
url = {http://www.skein-hash.info/sites/default/files/skein.pdf},<br />
howpublished = {Submission to NIST (Round 1)},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
<br />
== Cryptanalysis ==<br />
<br />
We distinguish between two cases: results on the complete hash function, and results on underlying building blocks.<br />
<br />
A description of the tables is given [http://ehash.iaik.tugraz.at/wiki/Cryptanalysis_Categories#Individual_Hash_Function_Tables here].<br />
<br />
Recommended security parameter: '''72''' rounds (Skein-512)<br />
<br />
=== Hash function ===<br />
<br />
Here we list results on the hash function according to the NIST requirements. The only allowed modification is to change the security parameter.<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Size (n) || Parameters || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| || || || || ||<br />
|- <br />
|}<br />
<br />
=== Building blocks ===<br />
<br />
Here we list results on underlying building blocks, and the hash function modified by other means than the security parameter.<br />
<br />
Note that these results assume more direct control or access over some internal variables (aka. free-start, pseudo, compression function, block cipher, or permutation attacks). <br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements || Reference <br />
|-<br />
| distinguisher || compression function || all || 57 rounds || 2<sup>503</sup> || - || [http://eprint.iacr.org/2010/538.pdf Khovratovich,Nikolić,Rechberger]<br />
|-<br />
| distinguisher || compression function || 256 || 53 rounds || 2<sup>251</sup>, Skein-256 || - || [http://eprint.iacr.org/2010/538.pdf Khovratovich,Nikolić,Rechberger]<br />
|-<br />
| near-collision || compression function || all || 24 rounds (No. 20-43) || 2<sup>230</sup> || - || [http://eprint.iacr.org/2010/355.pdf Su,Wu,Wu,Dong]<br />
|-<br />
| near-collision || compression function || 256 || 24 rounds (No. 12-35), Skein-256 || 2<sup>60</sup> || - || [http://eprint.iacr.org/2010/355.pdf Su,Wu,Wu,Dong]<br />
|-<br />
| near-collision || compression function || all || 24 rounds, Skein-1024 || 2<sup>395</sup> || - || [http://eprint.iacr.org/2010/355.pdf Su,Wu,Wu,Dong]<br />
|-<br />
| observations || hash || all || || || || [http://people.item.ntnu.no/~danilog/Hash/Non-random-behaviour-narrow-pipe-designs-03.pdf Gligoroski]<br />
|-<br />
| observations || block cipher || all || - || - || - || [http://eprint.iacr.org/2010/282.pdf McKay,Vora]<br />
|-<br />
| observations || compression function || all || - || - || - || [http://eprint.iacr.org/2010/262.pdf Kaminsky]<br />
|-<br />
| key recovery || block cipher || 256 || 39 rounds || 2<sup>254.1</sup> || - || [http://cryptolux.org/mediawiki/uploads/5/5b/Rotational_Cryptanalysis_of_Skein.pdf Khovratovich,Nikolic]<br />
|-<br />
| key recovery || block cipher || 512 || 42 rounds|| 2<sup>507</sup> || - || [http://cryptolux.org/mediawiki/uploads/5/5b/Rotational_Cryptanalysis_of_Skein.pdf Khovratovich,Nikolic]<br />
|- <br />
| key recovery || block cipher || 512 || 32 rounds (Round 1) || 2<sup>226</sup> (2<sup>222</sup>) || 2<sup>12</sup> || [http://eprint.iacr.org/2009/526.pdf Chen,Jia]<br />
|- <br />
| key recovery || block cipher || 512 || 33 rounds (Round 1) || 2<sup>352.17</sup> (2<sup>355.5</sup>) || - || [http://eprint.iacr.org/2009/526.pdf Chen,Jia]<br />
|-<br />
| near collision || compression function || 512 || 17 rounds (Round 1) || 2<sup>24</sup> || - || [http://eprint.iacr.org/2009/438.pdf Aumasson,Calik,Meier,Ozen,Phan,Varici]<br />
|- <br />
| distinguisher || block cipher || 512 || 35 rounds (Round 1) || 2<sup>478</sup> || - || [http://eprint.iacr.org/2009/438.pdf Aumasson,Calik,Meier,Ozen,Phan,Varici]<br />
|- <br />
| impossible differential || block cipher || 512 || 21 rounds (Round 1) || - || - || [http://eprint.iacr.org/2009/438.pdf Aumasson,Calik,Meier,Ozen,Phan,Varici]<br />
|- <br />
| key recovery || block cipher || 512 || 32 rounds (Round 1) || 2<sup>312</sup> || - || [http://eprint.iacr.org/2009/438.pdf Aumasson,Calik,Meier,Ozen,Phan,Varici]<br />
|- <br />
|} <br />
<br />
<br />
<bibtex><br />
@misc{skeinKNR10,<br />
author = {Dmitry Khovratovich and Ivica Nikolić and Christian Rechberger},<br />
title = {Rotational Rebound Attacks on Reduced Skein},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/538},<br />
year = {2010},<br />
url = {http://eprint.iacr.org/2010/538.pdf},<br />
abstract = {In this paper we combine the recent rotational cryptanalysis with the rebound attack, which results in the best cryptanalysis of Skein, a candidate for the SHA-3 competition. The rebound attack approach was so far only applied to AES-like constructions. For the first time, we show that this approach can also be applied to very different constructions. In more detail, we develop a number of techniques that extend the reach of both the inbound and the outbound phase, leading to rotational collisions for about 53/57 out of the 72 rounds of the Skein-256/512 compression function and the Threefish cipher. At this point, the results do not threaten the security of the full-round Skein hash function.<br />
<br />
The new techniques include an analytical search for optimal input values in the rotational cryptanalysis, which allows to extend the outbound phase of the attack with a precomputation phase, an approach never used in any rebound-style attack before. Further we show how to combine multiple inside-out computations and neutral bits in the inbound phase of the rebound attack, and give well-defined rotational distinguishers as certificates of weaknesses for the compression functions and block ciphers.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{skeinSuWWD10,<br />
author = {Bozhan Su and Wenling Wu and Shuang Wu and Le Dong},<br />
title = {Near-Collisions on the Reduced-Round Compression Functions of Skein and BLAKE},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/355},<br />
year = {2010},<br />
url = {http://eprint.iacr.org/2010/355.pdf},<br />
abstract = {The SHA-3 competition organized by NIST aims to find a new hash standard as a replacement of SHA-2. Till now, 14 submissions have been selected as the second round candidates, including Skein and BLAKE, both of which have components based on modular addition, rotation and bitwise XOR (ARX). In this paper, we propose improved near-collision attacks on the reduced-round compression functions of Skein and a variant of BLAKE. The attacks are based on linear differentials of the modular additions. The computational complexity of near-collision attacks on a 4-round compression function of BLAKE-32, 4-round and 5-round compression functions of BLAKE-64 are 2^{21}, 2^{16} and 2^{216} respectively, and the attacks on a 24-round compression functions of Skein-256, Skein-512 and Skein-1024 have a complexity of 2^{60}, 2^{230} and 2^{395} respectively.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{skeinGli10,<br />
author = {Danilo Gligoroski},<br />
title = {Narrow-pipe SHA-3 candidates differ significantly from ideal random functions defined over big domains},<br />
url = {http://people.item.ntnu.no/~danilog/Hash/Non-random-behaviour-narrow-pipe-designs-03.pdf},<br />
howpublished = {NIST mailing list},<br />
year = {2010},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{skeinMV10,<br />
author = {Kerry A. McKay and Poorvi L. Vora},<br />
title = {Pseudo-Linear Approximations for ARX Ciphers: With Application to Threefish},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/282},<br />
year = {2010},<br />
url = {http://eprint.iacr.org/2010/282.pdf},<br />
note = {\url{http://eprint.iacr.org/}},<br />
abstract = {The operations addition modulo 2^n and exclusive-or have recently been combined to obtain an efficient mechanism for nonlinearity in block cipher design. In this paper, we show that ciphers using this approach may be approximated by pseudo-linear expressions relating groups of contiguous bits of the round key, round input, and round output. The bias of an approximation can be large enough for known plaintext attacks. We demonstrate an application of this concept to a reduced-round version of the Threefish block cipher, a component of the Skein entry in the secure hash function competition.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{skeinKam10,<br />
author = {Alan Kaminsky},<br />
title = {Cube Test Analysis of the Statistical Behavior of CubeHash and Skein},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/262},<br />
year = {2010},<br />
url = {http://eprint.iacr.org/2010/262.pdf},<br />
note = {\url{http://eprint.iacr.org/}},<br />
abstract = {This work analyzes the statistical properties of the SHA-3 candidate cryptographic hash algorithms CubeHash and Skein to try to find nonrandom behavior. Cube tests were used to probe each algorithm's internal polynomial structure for a large number of choices of the polynomial input variables. The cube test data were calculated on a 40-core hybrid SMP cluster parallel computer. The cube test data were subjected to three statistical tests: balance, independence, and off-by-one. Although isolated statistical test failures were observed, the balance and off-by-one tests did not find nonrandom behavior overall in either CubeHash or Skein. However, the independence test did find nonrandom behavior overall in both CubeHash and Skein. }<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{cryptoeprint:2009:526,<br />
author = {Dmitry Khovratovich and Ivica Nikolic},<br />
title = {Rotational Cryptanalysis of ARX},<br />
howpublished = {Preproceedings of FSE 2010},<br />
year = {2010},<br />
url = {http://cryptolux.org/mediawiki/uploads/5/5b/Rotational_Cryptanalysis_of_Skein.pdf},<br />
abstract = {In this paper we analyze the security of systems based on<br />
modular additions, rotations, and XORs (ARX systems). We provide<br />
both theoretical support for their security and practical cryptanalysis of<br />
real ARX primitives. We use a technique called rotational cryptanalysis,<br />
that is universal for the ARX systems and is quite efficient. We illustrate<br />
the method with the best known attack on reduced versions of the block<br />
cipher Threefish (the core of Skein). Additionally, we prove that ARX<br />
with constants are functionally complete, i.e. any function can be realized<br />
with these operations.<br />
},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{cryptoeprint:2009:526,<br />
author = {Jiazhe Chen and Keting Jia},<br />
title = {Improved Related-key Boomerang Attacks on Round-Reduced Threefish-512},<br />
howpublished = {Cryptology ePrint Archive, Report 2009/526},<br />
year = {2009},<br />
url = {http://eprint.iacr.org/2009/526.pdf},<br />
note = {\url{http://eprint.iacr.org/}},<br />
abstract = {Hash function Skein is one of the 14 NIST SHA-3 second round candidates. Threefish is a tweakable block cipher as the core of Skein, defined with a 256-, 512-, and 1024-bit block size. The 512-bit block size is the primary proposal of the authors. In this paper we construct two related-key boomerang distinguishers on round-reduced Threefish-512 using the method of \emph{modular differential}. With a distinguisher on 32 rounds of Threefish-512, we improve the key recovery attack on 32 rounds of Threefish-512 proposed by Aumasson et al. Their attack requires $2^{312}$ encryptions and $2^{71}$ bytes of memory. However, our attack has a time complexity of $2^{226}$ encryptions with memory of $2^{12}$ bytes. Furthermore, we give a key recovery attack on Threefish-512 reduced to 33 rounds using a 33-round related-key boomerang distinguisher, with $2^{352.17}$ encryptions and negligible memory. Skein had been updated after it entered the second round and the results above are based on the original version. However, as the only differences between the original and the new version are the rotation constants, both of the methods can be applied to the new version with modified differential trails. For the new rotation constants, our attack on 32-round Threefish-512 has a time complexity $2^{222}$ and $2^{12}$ bytes' memory. Our attack on 33-round Threefish-512 has a time complexity $2^{355.5}$ and negligible memory.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{skeinA+09,<br />
author = {Jean-Philippe Aumasson and Cagdas Calik and Willi Meier and Onur Ozen and Raphael C.-W. Phan and Kerem Varici},<br />
title = {Improved Cryptanalysis of Skein},<br />
howpublished = {Cryptology ePrint Archive, Report 2009/438},<br />
year = {2009},<br />
url = {http://eprint.iacr.org/2009/438.pdf},<br />
note = {\url{http://eprint.iacr.org/}},<br />
abstract={The hash function Skein is the submission of Ferguson et al. to the NIST Hash Competition, and is arguably a serious candidate for selection as SHA-3. This paper presents the first third-party analysis of Skein, with an extensive study of its main component: the block cipher Threefish. We notably investigate near collisions, distinguishers, impossible differentials, key recovery using related-key differential and boomerang attacks. In particular, we present near collisions on up to 17 rounds, an impossible differential on 21 rounds, a related-key boomerang distinguisher on 34 rounds, a known-related-key boomerang distinguisher on 35 rounds, and key recovery attacks on up to 32 rounds, out of 72 in total for Threefish-512. None of our attacks directly extends to the full Skein hash. However, the pseudorandomness of Threefish is required to validate the security proofs on Skein, and our results conclude that at least 36 rounds of Threefish seem required for optimal security guarantees.},<br />
}<br />
</bibtex><br />
<br />
=== Archive ===<br />
<br />
<bibtex><br />
@misc{SkeinAum09,<br />
author = {Jean-Philippe Aumasson and Willi Meier and Raphael Phan},<br />
title = {Improved analyis of Threefish},<br />
url = {http://131002.net/data/talks/threefish_rump.pdf},<br />
howpublished = {FSE 2009 rump session, slides available online},<br />
year = {2009},<br />
}<br />
</bibtex></div>
JAumasson
https://ehash.iaik.tugraz.at/index.php?title=Skein&diff=3619
Skein
2010-11-08T09:52:43Z
<p>JAumasson: fixed bibtex ordering</p>
<hr />
<div>== The algorithm ==<br />
<br />
* Author(s): Niels Ferguson, Stefan Lucks, Bruce Schneier, Doug Whiting, Mihir Bellare, Tadayoshi Kohno, Jon Callas, Jesse Walker<br />
* Website: [http://www.schneier.com/skein.html http://www.schneier.com/skein.html]; [http://skein-hash.info/ http://skein-hash.info/]<br />
* NIST submission package: <br />
** round 1: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/SkeinUpdate.zip SkeinUpdate.zip] (old version: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/Skein.zip Skein.zip])<br />
** round 2: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/documents/Skein_Round2.zip Skein_Round2.zip]<br />
<br />
<br />
<bibtex><br />
@misc{sha3F+09,<br />
author = {Niels Ferguson and Stefan Lucks and Bruce Schneier and Doug Whiting and Mihir Bellare and Tadayoshi Kohno and Jon Callas and Jesse Walker},<br />
title = {The Skein Hash Function Family},<br />
url = {http://www.skein-hash.info/sites/default/files/skein1.2.pdf},<br />
howpublished = {Submission to NIST (Round 2)},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{sha3F+08,<br />
author = {Niels Ferguson and Stefan Lucks and Bruce Schneier and Doug Whiting and Mihir Bellare and Tadayoshi Kohno and Jon Callas and Jesse Walker},<br />
title = {The Skein Hash Function Family},<br />
url = {http://www.skein-hash.info/sites/default/files/skein.pdf},<br />
howpublished = {Submission to NIST (Round 1)},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
<br />
== Cryptanalysis ==<br />
<br />
We distinguish between two cases: results on the complete hash function, and results on underlying building blocks.<br />
<br />
A description of the tables is given [http://ehash.iaik.tugraz.at/wiki/Cryptanalysis_Categories#Individual_Hash_Function_Tables here].<br />
<br />
Recommended security parameter: '''72''' rounds (Skein-512)<br />
<br />
=== Hash function ===<br />
<br />
Here we list results on the hash function according to the NIST requirements. The only allowed modification is to change the security parameter.<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Size (n) || Parameters || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| || || || || ||<br />
|- <br />
|}<br />
<br />
=== Building blocks ===<br />
<br />
Here we list results on underlying building blocks, and the hash function modified by other means than the security parameter.<br />
<br />
Note that these results assume more direct control or access over some internal variables (aka. free-start, pseudo, compression function, block cipher, or permutation attacks). <br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements || Reference <br />
|-<br />
| near-collision || compression function || all || 24 rounds (No. 20-43) || 2<sup>230</sup> || - || [http://eprint.iacr.org/2010/355.pdf Su,Wu,Wu,Dong]<br />
|-<br />
| near-collision || compression function || 256 || 24 rounds (No. 12-35), Skein-256 || 2<sup>60</sup> || - || [http://eprint.iacr.org/2010/355.pdf Su,Wu,Wu,Dong]<br />
|-<br />
| near-collision || compression function || all || 24 rounds, Skein-1024 || 2<sup>395</sup> || - || [http://eprint.iacr.org/2010/355.pdf Su,Wu,Wu,Dong]<br />
|-<br />
| observations || hash || all || || || || [http://people.item.ntnu.no/~danilog/Hash/Non-random-behaviour-narrow-pipe-designs-03.pdf Gligoroski]<br />
|-<br />
| observations || block cipher || all || - || - || - || [http://eprint.iacr.org/2010/282.pdf McKay,Vora]<br />
|-<br />
| observations || compression function || all || - || - || - || [http://eprint.iacr.org/2010/262.pdf Kaminsky]<br />
|-<br />
| key recovery || block cipher || 256 || 39 rounds || 2<sup>254.1</sup> || - || [http://cryptolux.org/mediawiki/uploads/5/5b/Rotational_Cryptanalysis_of_Skein.pdf Khovratovich,Nikolic]<br />
|-<br />
| key recovery || block cipher || 512 || 42 rounds|| 2<sup>507</sup> || - || [http://cryptolux.org/mediawiki/uploads/5/5b/Rotational_Cryptanalysis_of_Skein.pdf Khovratovich,Nikolic]<br />
|- <br />
| key recovery || block cipher || 512 || 32 rounds (Round 1) || 2<sup>226</sup> (2<sup>222</sup>) || 2<sup>12</sup> || [http://eprint.iacr.org/2009/526.pdf Chen,Jia]<br />
|- <br />
| key recovery || block cipher || 512 || 33 rounds (Round 1) || 2<sup>352.17</sup> (2<sup>355.5</sup>) || - || [http://eprint.iacr.org/2009/526.pdf Chen,Jia]<br />
|-<br />
| near collision || compression function || 512 || 17 rounds (Round 1) || 2<sup>24</sup> || - || [http://eprint.iacr.org/2009/438.pdf Aumasson,Calik,Meier,Ozen,Phan,Varici]<br />
|- <br />
| distinguisher || block cipher || 512 || 35 rounds (Round 1) || 2<sup>478</sup> || - || [http://eprint.iacr.org/2009/438.pdf Aumasson,Calik,Meier,Ozen,Phan,Varici]<br />
|- <br />
| impossible differential || block cipher || 512 || 21 rounds (Round 1) || - || - || [http://eprint.iacr.org/2009/438.pdf Aumasson,Calik,Meier,Ozen,Phan,Varici]<br />
|- <br />
| key recovery || block cipher || 512 || 32 rounds (Round 1) || 2<sup>312</sup> || - || [http://eprint.iacr.org/2009/438.pdf Aumasson,Calik,Meier,Ozen,Phan,Varici]<br />
|- <br />
|} <br />
<br />
<br />
<bibtex><br />
@misc{blakeSuWWD10,<br />
author = {Bozhan Su and Wenling Wu and Shuang Wu and Le Dong},<br />
title = {Near-Collisions on the Reduced-Round Compression Functions of Skein and BLAKE},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/355},<br />
year = {2010},<br />
url = {http://eprint.iacr.org/2010/355.pdf},<br />
abstract = {The SHA-3 competition organized by NIST aims to find a new hash standard as a replacement of SHA-2. Till now, 14 submissions have been selected as the second round candidates, including Skein and BLAKE, both of which have components based on modular addition, rotation and bitwise XOR (ARX). In this paper, we propose improved near-collision attacks on the reduced-round compression functions of Skein and a variant of BLAKE. The attacks are based on linear differentials of the modular additions. The computational complexity of near-collision attacks on a 4-round compression function of BLAKE-32, 4-round and 5-round compression functions of BLAKE-64 are 2^{21}, 2^{16} and 2^{216} respectively, and the attacks on a 24-round compression functions of Skein-256, Skein-512 and Skein-1024 have a complexity of 2^{60}, 2^{230} and 2^{395} respectively.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{skinGli10,<br />
author = {Danilo Gligoroski},<br />
title = {Narrow-pipe SHA-3 candidates differ significantly from ideal random functions defined over big domains},<br />
url = {http://people.item.ntnu.no/~danilog/Hash/Non-random-behaviour-narrow-pipe-designs-03.pdf},<br />
howpublished = {NIST mailing list},<br />
year = {2010},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{skeinMV10,<br />
author = {Kerry A. McKay and Poorvi L. Vora},<br />
title = {Pseudo-Linear Approximations for ARX Ciphers: With Application to Threefish},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/282},<br />
year = {2010},<br />
url = {http://eprint.iacr.org/2010/282.pdf},<br />
note = {\url{http://eprint.iacr.org/}},<br />
abstract = {The operations addition modulo 2^n and exclusive-or have recently been combined to obtain an efficient mechanism for nonlinearity in block cipher design. In this paper, we show that ciphers using this approach may be approximated by pseudo-linear expressions relating groups of contiguous bits of the round key, round input, and round output. The bias of an approximation can be large enough for known plaintext attacks. We demonstrate an application of this concept to a reduced-round version of the Threefish block cipher, a component of the Skein entry in the secure hash function competition.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{skeinKam10,<br />
author = {Alan Kaminsky},<br />
title = {Cube Test Analysis of the Statistical Behavior of CubeHash and Skein},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/262},<br />
year = {2010},<br />
url = {http://eprint.iacr.org/2010/262.pdf},<br />
note = {\url{http://eprint.iacr.org/}},<br />
abstract = {This work analyzes the statistical properties of the SHA-3 candidate cryptographic hash algorithms CubeHash and Skein to try to find nonrandom behavior. Cube tests were used to probe each algorithm's internal polynomial structure for a large number of choices of the polynomial input variables. The cube test data were calculated on a 40-core hybrid SMP cluster parallel computer. The cube test data were subjected to three statistical tests: balance, independence, and off-by-one. Although isolated statistical test failures were observed, the balance and off-by-one tests did not find nonrandom behavior overall in either CubeHash or Skein. However, the independence test did find nonrandom behavior overall in both CubeHash and Skein. }<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{cryptoeprint:2009:526,<br />
author = {Dmitry Khovratovich and Ivica Nikolic},<br />
title = {Rotational Cryptanalysis of ARX},<br />
howpublished = {Preproceedings of FSE 2010},<br />
year = {2010},<br />
url = {http://cryptolux.org/mediawiki/uploads/5/5b/Rotational_Cryptanalysis_of_Skein.pdf},<br />
abstract = {In this paper we analyze the security of systems based on<br />
modular additions, rotations, and XORs (ARX systems). We provide<br />
both theoretical support for their security and practical cryptanalysis of<br />
real ARX primitives. We use a technique called rotational cryptanalysis,<br />
that is universal for the ARX systems and is quite efficient. We illustrate<br />
the method with the best known attack on reduced versions of the block<br />
cipher Threefish (the core of Skein). Additionally, we prove that ARX<br />
with constants are functionally complete, i.e. any function can be realized<br />
with these operations.<br />
},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{cryptoeprint:2009:526,<br />
author = {Jiazhe Chen and Keting Jia},<br />
title = {Improved Related-key Boomerang Attacks on Round-Reduced Threefish-512},<br />
howpublished = {Cryptology ePrint Archive, Report 2009/526},<br />
year = {2009},<br />
url = {http://eprint.iacr.org/2009/526.pdf},<br />
note = {\url{http://eprint.iacr.org/}},<br />
abstract = {Hash function Skein is one of the 14 NIST SHA-3 second round candidates. Threefish is a tweakable block cipher as the core of Skein, defined with a 256-, 512-, and 1024-bit block size. The 512-bit block size is the primary proposal of the authors. In this paper we construct two related-key boomerang distinguishers on round-reduced Threefish-512 using the method of \emph{modular differential}. With a distinguisher on 32 rounds of Threefish-512, we improve the key recovery attack on 32 rounds of Threefish-512 proposed by Aumasson et al. Their attack requires $2^{312}$ encryptions and $2^{71}$ bytes of memory. However, our attack has a time complexity of $2^{226}$ encryptions with memory of $2^{12}$ bytes. Furthermore, we give a key recovery attack on Threefish-512 reduced to 33 rounds using a 33-round related-key boomerang distinguisher, with $2^{352.17}$ encryptions and negligible memory. Skein had been updated after it entered the second round and the results above are based on the original version. However, as the only differences between the original and the new version are the rotation constants, both of the methods can be applied to the new version with modified differential trails. For the new rotation constants, our attack on 32-round Threefish-512 has a time complexity $2^{222}$ and $2^{12}$ bytes' memory. Our attack on 33-round Threefish-512 has a time complexity $2^{355.5}$ and negligible memory.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{skeinA+09,<br />
author = {Jean-Philippe Aumasson and Cagdas Calik and Willi Meier and Onur Ozen and Raphael C.-W. Phan and Kerem Varici},<br />
title = {Improved Cryptanalysis of Skein},<br />
howpublished = {Cryptology ePrint Archive, Report 2009/438},<br />
year = {2009},<br />
url = {http://eprint.iacr.org/2009/438.pdf},<br />
note = {\url{http://eprint.iacr.org/}},<br />
abstract={The hash function Skein is the submission of Ferguson et al. to the NIST Hash Competition, and is arguably a serious candidate for selection as SHA-3. This paper presents the first third-party analysis of Skein, with an extensive study of its main component: the block cipher Threefish. We notably investigate near collisions, distinguishers, impossible differentials, key recovery using related-key differential and boomerang attacks. In particular, we present near collisions on up to 17 rounds, an impossible differential on 21 rounds, a related-key boomerang distinguisher on 34 rounds, a known-related-key boomerang distinguisher on 35 rounds, and key recovery attacks on up to 32 rounds, out of 72 in total for Threefish-512. None of our attacks directly extends to the full Skein hash. However, the pseudorandomness of Threefish is required to validate the security proofs on Skein, and our results conclude that at least 36 rounds of Threefish seem required for optimal security guarantees.},<br />
}<br />
</bibtex><br />
<br />
=== Archive ===<br />
<br />
<bibtex><br />
@misc{SkeinAum09,<br />
author = {Jean-Philippe Aumasson and Willi Meier and Raphael Phan},<br />
title = {Improved analyis of Threefish},<br />
url = {http://131002.net/data/talks/threefish_rump.pdf},<br />
howpublished = {FSE 2009 rump session, slides available online},<br />
year = {2009},<br />
}<br />
</bibtex></div>
JAumasson
https://ehash.iaik.tugraz.at/index.php?title=Blue_Midnight_Wish&diff=3618
Blue Midnight Wish
2010-11-08T09:49:50Z
<p>JAumasson: fixed bibtex ordering</p>
<hr />
<div>== The algorithm ==<br />
<br />
* Author(s): Danilo Gligoroski, Vlastimil Klima, Svein Johan Knapskog, Mohamed El-Hadedy, Jørn Amundsen, Stig Frode Mjølsnes<br />
* Website: [http://www.q2s.ntnu.no/sha3_nist_competition/start http://www.q2s.ntnu.no/sha3_nist_competition/start]<br />
* NIST submission package: <br />
** round 1: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/Blue_Midnight_Wish.zip Blue_Midnight_Wish.zip]<br />
** round 2: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/documents/Blue_Midnight_Wish_Round2.zip Blue_Midnight_Wish_Round2.zip]<br />
<br />
<br />
<bibtex><br />
@misc{sha3GligoroskiKKH+09,<br />
author = {Danilo Gligoroski and Vlastimil Klima and Svein Johan Knapskog and Mohamed El-Hadedy and J\o{}rn Amundsen and Stig Frode Mj\o{}lsnes},<br />
title = {Cryptographic Hash Function BLUE MIDNIGHT WISH},<br />
url = {http://people.item.ntnu.no/~danilog/Hash/BMW-SecondRound/Supporting_Documentation/BlueMidnightWishDocumentation.pdf},<br />
howpublished = {Submission to NIST (Round 2)},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{sha3GligoroskiK09,<br />
author = {Danilo Gligoroski and Vlastimil Klima },<br />
title = {A Document describing all modifications made on the Blue Midnight Wish cryptographic hash function before entering the Second Round of SHA-3 hash competition},<br />
url = {http://people.item.ntnu.no/~danilog/Hash/BMW-SecondRound/Supporting_Documentation/Round2Mods.pdf},<br />
howpublished = {Available online},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{sha3GligoroskiKKH+08,<br />
author = {Danilo Gligoroski and Vlastimil Klima and Svein Johan Knapskog and Mohamed El-Hadedy and J\o{}rn Amundsen and Stig Frode Mj\o{}lsnes},<br />
title = {Cryptographic Hash Function BLUE MIDNIGHT WISH},<br />
url = {http://people.item.ntnu.no/~danilog/Hash/BMW/Supporting_Documentation/BlueMidnightWishDocumentation.pdf},<br />
howpublished = {Submission to NIST (Round 1)},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
<br />
== Cryptanalysis ==<br />
<br />
We distinguish between two cases: results on the complete hash function, and results on underlying building blocks.<br />
<br />
A description of the tables is given [http://ehash.iaik.tugraz.at/wiki/Cryptanalysis_Categories#Individual_Hash_Function_Tables here].<br />
<br />
Recommended security parameter: Expandrounds<sub>1</sub> = '''2'''<br />
<br />
=== Hash function ===<br />
<br />
Here we list results on the hash function according to the NIST requirements. The only allowed modification is to change the security parameter.<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Size (n) || Parameters || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| || || || || ||<br />
|- <br />
|}<br />
<br />
=== Building blocks ===<br />
<br />
Here we list results on underlying building blocks, and the hash function modified by other means than the security parameter.<br />
<br />
Note that these results assume more direct control or access over some internal variables (aka. free-start, pseudo, compression function, block cipher, or permutation attacks). <br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| observation|| compression function || all || || || - || [http://cryptography.hyperlink.cz/2009/BMWDecomposition04.pdf Gligoroski,Klima]<br />
|-<br />
| observation|| compression function || all || || || - || [http://cryptography.hyperlink.cz/BMW/BijectionsInBMW03-plain.pdf Gligoroski,Klima]<br />
|-<br />
| distinguisher || compression function || 256,512 || || 1 || - || [http://www2.mat.dtu.dk/people/S.Thomsen/bmw/bmw-distinguishers.pdf Guo,Thomsen]<br />
|-<br />
| distinguisher || compression function|| 512 || changed constant || 2<sup>278.2</sup> || - || [https://cryptolux.org/mediawiki/uploads/0/07/Rotational_distinguishers_%28Nikolic%2C_Pieprzyk%2C_Sokolowski%2C_Steinfeld%29.pdf Nikolić,Pieprzyk,Sokołowski,Steinfeld]<br />
|- <br />
| distinguisher || compression function|| 512 || (Round 1) || 2<sup>223.5</sup> || - || [https://cryptolux.org/mediawiki/uploads/0/07/Rotational_distinguishers_%28Nikolic%2C_Pieprzyk%2C_Sokolowski%2C_Steinfeld%29.pdf Nikolić,Pieprzyk,Sokołowski,Steinfeld]<br />
|- <br />
| distinguisher || compression function || 256,512 || || 2<sup>19</sup> || - || [http://131002.net/data/papers/Aum10.pdf Aumasson]<br />
|- <br />
| observation || hash || 256,512 || || - || - || [http://eprint.iacr.org/2009/453.pdf Klima,Susil]<br />
|- <br />
| pseudo-collision || hash || all || (Round 1) || 2<sup>3n/8+1</sup>|| - || [http://eprint.iacr.org/2009/478.pdf Thomsen]<br />
|- <br />
| pseudo-preimage || hash || all || (Round 1) || 2<sup>3n/4+1</sup> || - || [http://eprint.iacr.org/2009/478.pdf Thomsen]<br />
|- <br />
| near-collision || compression || all || (Round 1) || example || - || [http://eprint.iacr.org/2009/478.pdf Thomsen]<br />
|- <br />
|} <br />
<br />
<br />
<bibtex><br />
@inproceedings{bmwGligoroskiK10,<br />
author = {Danilo Gligoroski and Vlastimil Klima},<br />
title = {On Blue Midnight Wish Decomposition},<br />
booktitle = {SantaCrypt 2009},<br />
pages = {41-51},<br />
year = {2010},<br />
url = {http://cryptography.hyperlink.cz/2009/BMWDecomposition04.pdf},<br />
abstract ={Blue Midnight Wish is one of the 14 candidates in the second round of the NIST SHA-3 competition. In this paper we present a decomposition of the Blue Midnight Wish core functions, what gives<br />
deeper look at the Blue Midnight Wish family of hash functions and a tool for their cryptanalysis. We<br />
used this decomposition for better understanding the insights of Blue Midnight Wish functions and<br />
to propose the tweak for the second round. We would like to encourage further cryptanalysis of Blue<br />
Midnight Wish, as the quickest candidate in the second round.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{bmwGligoroskiK102,<br />
author = {Danilo Gligoroski and Vlastimil Klima},<br />
title = {On the Computational Asymmetry of the S-Boxes Present in Blue Midnight Wish Cryptographic Hash},<br />
booktitle = {ICT Innovations 2009},<br />
editor = {Danco Davcev and Jorge Marx Gómez},<br />
publisher = {Springer},<br />
pages = {391-400},<br />
year = {2010},<br />
url = {http://cryptography.hyperlink.cz/BMW/BijectionsInBMW03-plain.pdf},<br />
abstract ={Blue Midnight Wish hash function is one of 14 candidate functions that are continuing in the Second Round of the SHA-3 competition. In its design it has several S-boxes (bijective components) that transform 32-bit or 64-bit values. Although they look similar to the S-boxes in SHA-2, they are also different.<br />
It is well known fact that the design principles of SHA-2 family of hash functions are still kept as a classified NSA information. However, in the open literature there have been several attempts to analyze those design principles. In this paper first we give an observation on the properties of SHA-2 S-boxes and then we investigate the same properties in Blue Midnight Wish.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{bmwGT10,<br />
author = {Jian Guo and Søren S. Thomsen},<br />
title = {Distinguishers for the Compression Function of Blue Midnight Wish with Probability 1},<br />
url = {http://www2.mat.dtu.dk/people/S.Thomsen/bmw/bmw-distinguishers.pdf},<br />
howpublished = {Available online},<br />
year = {2010},<br />
abstract ={In this paper, we give distinguishers for the compression function of SHA-3 candidate Blue Midnight Wish (tweaked version for round 2) with probability 1. The computational complexity is about 20 compression function calls. This applies to security parameters 0/16, 1/15, and 2/14. However, it does not threaten the security of the BMW hash functions.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{bmwNikolicPST,<br />
author = {Ivica Nikolić and Josef Pieprzyk and Przemysław Sokołowski and Ron Steinfeld},<br />
title = {Rotational Cryptanalysis of (Modified) Versions of BMW and SIMD},<br />
url = {https://cryptolux.org/mediawiki/uploads/0/07/Rotational_distinguishers_%28Nikolic%2C_Pieprzyk%2C_Sokolowski%2C_Steinfeld%29.pdf},<br />
howpublished = {Available online},<br />
year = {2010},<br />
abstract ={We extend the application of rotational distinguishers to<br />
classes of primitives that besides ARX, may have substractions, shifts,<br />
and boolean functions. This allows us to launch rotational attacks on<br />
the compression functions of two SHA-3 candidates: BMW and SIMD.<br />
Specifically, we find rotational distinguishers for the compression functions<br />
of:<br />
1. round 1 BMW-512,<br />
2. round 2 BMW-512, with the constant modified in one byte<br />
3. round 1,2 modified SIMD-512 reduced to 24 rounds, with linearized<br />
key schedule<br />
4. round 1,2, SIMD-512 reduced to 12 rounds<br />
Our attacks do not contradict any security claims of the candidates.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{bmwAum10,<br />
author = {Jean-Philippe Aumasson},<br />
title = {Practical distinguisher for the compression function of Blue Midnight Wish},<br />
url = {http://131002.net/data/papers/Aum10.pdf},<br />
howpublished = {Available online},<br />
year = {2010},<br />
abstract ={This note presents distinguishers for the compression functions of Blue Midnight Wish-256 and -512, with data complexity of 2^19 pairs of images of uniformly random unknown inputs with a given difference.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{cryptoeprint:2009:453,<br />
author = {Vlastimil Klima and Petr Susil},<br />
title = {A Note on Linear Approximations of BLUE MIDNIGHT WISH Cryptographic Hash Function},<br />
howpublished = {Cryptology ePrint Archive, Report 2009/453},<br />
year = {2009},<br />
url = {http://eprint.iacr.org/2009/453.pdf},<br />
abstract = {Abstract. BLUE MIDNIGHT WISH hash function is the fastest among 14 algorithms in the second round of SHA-3 competition [1]. At the beginning of this round authors were invited to add some tweaks before September 15th 2009. In this paper we discuss the tweaked version (BMW). The BMW algorithm [3] is of the type AXR, since it uses only operations ADD (sub), XOR and ROT (shift). If we substitute the operation ADD with operation XOR, we get a BMWlin, which is an affine transformation. In this paper we consider only a BMWlin function and its building blocks. These affine transformations can be represented as a linear matrix and a constant vector. We found that all matrices of main blocks of BMWlin have a full rank, or they have a rank very close to full rank. The structure of matrices was examined. Matrices of elementary blocks have an expected non-random structure, while main blocks have a random structure. We will also show matrices for different values of security parameter ExpandRounds1 (values between 0 and 16). We observed that increasing the number of rounds ExpandRounds1 tends to increase randomness as was intended by designers. These observations hold for both BMW256lin and BMW512lin. In this analysis we did not find any useful property, which would help in cryptanalysis, nor did we find any weaknesses of BMW. The study of all building blocks will follow.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{fseThomsen10,<br />
author = {Søren S. Thomsen},<br />
title = {Pseudo-cryptanalysis of the Original Blue Midnight Wish},<br />
url = {http://eprint.iacr.org/2009/478.pdf},<br />
booktitle = {FSE},<br />
year = {2010},<br />
series = {LNCS},<br />
note = {To appear}<br />
abstract = {The hash function Blue Midnight Wish (BMW) is a candidate in the SHA-3 competition organised by the U.S. National Institute of Standards and Technology (NIST). BMW was selected for the second round of the competition, but the algorithm was tweaked in a number of ways. In this paper we describe cryptanalysis on the original version of BMW, as submitted to the SHA-3 competition in October 2008. When we refer to BMW, we therefore mean the original version of the algorithm.<br />
<br />
The attacks described are (near-)collision, preimage and second preimage attacks on the BMW compression function. These attacks can also be described as pseudo-attacks on the full hash function, i.e., as attacks in which the adversary is allowed to choose the initial value of the hash function. The complexities of the attacks are about 2^{14} for the near-collision attack, about 2^{3n/8+1} for the pseudo-collision attack, and about 2^{3n/4+1} for the pseudo-(second) preimage attack, where n is the output length of the hash function. Memory requirements are negligible. Moreover, the attacks are not (or only moderately) affected by the choice of security parameter for BMW. }<br />
</bibtex><br />
<br />
<br />
=== Archive ===<br />
<br />
<bibtex><br />
@misc{Thomsen-bmw-compress,<br />
author = {Søren S. Thomsen},<br />
title = {Pseudo-cryptanalysis of Blue Midnight Wish},<br />
url = {http://www.mat.dtu.dk/people/S.Thomsen/bmw/bmw-pseudo.pdf},<br />
howpublished = {Available online},<br />
year = {2009},<br />
abstract ={We describe pseudo-collision and pseudo-(second) preimage attacks on the SHA-3 candidate Blue Midnight Wish. The complexity of the pseudo-collision attack is around 2^{3n/8+1}, and the complexity of the pseudo-(second) preimage attack is around 2^{3n/4+1}.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{Thomsen-bmw-nc-compress,<br />
author = {Søren S. Thomsen},<br />
title = {A near-collision attack on the Blue Midnight Wish compression function},<br />
url = {http://www2.mat.dtu.dk/people/S.Thomsen/bmw/nc-compress.pdf},<br />
howpublished = {Version 2.0, available online},<br />
year = {2008},<br />
}<br />
</bibtex></div>
JAumasson
https://ehash.iaik.tugraz.at/index.php?title=Keccak&diff=3617
Keccak
2010-10-21T07:06:55Z
<p>JAumasson: </p>
<hr />
<div>== The algorithm ==<br />
<br />
* Author(s): Guido Bertoni, Joan Daemen, Michaël Peeters and Gilles Van Assche<br />
* Website: [http://keccak.noekeon.org/ http://keccak.noekeon.org/] <br />
* NIST submission package: <br />
** round 1: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/Keccak.zip Keccak.zip]<br />
** round 2: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/documents/Keccak_Round2.zip Keccak_Round2.zip]<br />
<br />
<br />
<bibtex><br />
@misc{KeccakSpecs2,<br />
author = {G. Bertoni and J. Daemen and M. Peeters and G. Van Assche},<br />
title = {Keccak specifications},<br />
url = {http://keccak.noekeon.org/Keccak-specifications-2.pdf},<br />
howpublished = {Submission to NIST (Round 2)},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{KeccakMain2,<br />
author = {G. Bertoni and J. Daemen and M. Peeters and G. Van Assche},<br />
title = {Keccak sponge function family main document},<br />
url = {http://keccak.noekeon.org/Keccak-main-2.0.pdf},<br />
howpublished = {Submission to NIST (Round 2)},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{KeccakSpecs,<br />
author = {G. Bertoni and J. Daemen and M. Peeters and G. Van Assche},<br />
title = {Keccak specifications},<br />
url = {http://keccak.noekeon.org/Keccak-specifications.pdf},<br />
howpublished = {Submission to NIST (Round 1)},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{KeccakMain,<br />
author = {G. Bertoni and J. Daemen and M. Peeters and G. Van Assche},<br />
title = {Keccak sponge function family main document},<br />
url = {http://keccak.noekeon.org/Keccak-main-1.0.pdf},<br />
howpublished = {Submission to NIST (Round 1)},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
<br />
== Cryptanalysis ==<br />
<br />
We distinguish between two cases: results on the complete hash function, and results on underlying building blocks.<br />
<br />
A description of the tables is given [http://ehash.iaik.tugraz.at/wiki/Cryptanalysis_Categories#Individual_Hash_Function_Tables here].<br />
<br />
Recommended security parameter: '''24''' rounds (Keccak-''f'' [1600])<br />
<br />
=== Hash function ===<br />
<br />
Here we list results on the hash function according to the NIST requirements. The only allowed modification is to change the security parameter.<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Size (n) || Parameters || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| || || || || ||<br />
|- <br />
|}<br />
<br />
=== Building blocks ===<br />
<br />
Here we list results on underlying building blocks, and the hash function modified by other means than the security parameter.<br />
<br />
Note that these results assume more direct control or access over some internal variables (aka. free-start, pseudo, compression function, block cipher, or permutation attacks). <br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| preimage<sup>(2)</sup> || hash || 1024 || 3 rounds, 40 bit message || 1852 seconds (2<sup>34.11</sup>) || ? || [http://eprint.iacr.org/2010/285.pdf Morawiecki,Srebrny]<br />
|- <br />
| distinguisher<sup>(1)</sup> || permutation || all || 18 rounds || 2<sup>1370</sup> || || [http://www-roc.inria.fr/secret/Anne.Canteaut/Publications/zero_sum.pdf Boura,Canteaut]<br />
|- <br />
| distinguisher<sup>(1)</sup> || permutation || all || 16 rounds || 2<sup>1023.88</sup> || || [http://www.131002.net/data/papers/AM09.pdf Aumasson,Meier]<br />
|- <br />
| key recovery || secret-prefix MAC || 224 || 4 rounds || 2<sup>19</sup> || ? || [http://www.cs.rit.edu/~jal6806/thesis/thesis.pdf Lathrop]<br />
|- <br />
| observations || permutation || all || || || || [http://131002.net/data/papers/AK09.pdf Aumasson,Khovratovich]<br />
|- <br />
|}<br />
<br />
<sup>(1)</sup>The Keccak team commented on these distinguishers and provide generic constructions in [http://keccak.noekeon.org/NoteZeroSum.pdf this note].<br />
<br />
<sup>(2)</sup>The Keccak team estimated the complexity of this attack with 2<sup>34.11</sup> evaluations of 3-rounds of Keccak-f[1600] in [http://ehash.iaik.tugraz.at/uploads/5/5b/Note_SAT-basedPreimageAnalysis.txt this note] (exhaustive search: 2<sup>40</sup>).<br />
<br />
<br />
<bibtex><br />
@misc{keccakMS10,<br />
author = {Pawel Morawiecki and Marian Srebrny},<br />
title = {A SAT-based preimage analysis of reduced KECCAK hash functions},<br />
url = {http://eprint.iacr.org/2010/285.pdf},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/285},<br />
year = {2010},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{KeccakNoteZeroSum,<br />
author = {G. Bertoni and J. Daemen and M. Peeters and G. Van Assche},<br />
title = {Note on zero-sum distinguishers of Keccak-f},<br />
url = {http://keccak.noekeon.org/NoteZeroSum.pdf},<br />
howpublished = {NIST mailing list},<br />
year = {2010},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{keccakBC10,<br />
author = {Christina Boura and Anne Canteaut},<br />
title = {A Zero-Sum property for the Keccak-f Permutation with 18 Rounds},<br />
url = {http://www-roc.inria.fr/secret/Anne.Canteaut/Publications/zero_sum.pdf},<br />
howpublished = {NIST mailing list}<br />
year = {2010},<br />
abstract = {A new type of distinguishing property, named the zero-sum property<br />
has been recently presented by Aumasson and Meier [1]. It has<br />
been applied to the inner permutation of the hash function Keccak<br />
and it has led to a distinguishing property for the Keccak-f permutation<br />
up to 16 rounds, out of 24 in total. Here, we additionally exploit<br />
some spectral properties of the Keccak-f permutation and we improve<br />
the previously known upper bounds on the degree of the inverse<br />
permutation after a certain number of rounds. This result enables us<br />
to extend the zero-sum property to 18 rounds of the Keccak-f permutation,<br />
which was the number of rounds in the previous version of<br />
Keccak submitted to the SHA-3 competition..},<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{keccakAM09,<br />
author = {Jean-Philippe Aumasson and Willi Meier},<br />
title = {Zero-sum distinguishers for reduced Keccak-f and for the core functions of Luffa and Hamsi},<br />
url = {http://www.131002.net/data/papers/AM09.pdf},<br />
howpublished = {NIST mailing list}<br />
year = {2009},<br />
abstract = {We present a new type of distinguisher, called zero-sum distinguisher, and apply it to reduced versions of the Keccak-f permutation. We obtain practical and deterministic distinguishers on up to 9 rounds, and shortcut distinguishers on up to 16 rounds, out of 18 in total. These observations do not seem to affect the security of Keccak. We also briefly describe application of zero-sum distinguishers to the core permutations of Luffa and Hamsi.},<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{keccakAK09,<br />
author = {Joel Lathrop},<br />
title = {Cube Attacks on Cryptographic Hash Functions},<br />
url = {http://www.cs.rit.edu/~jal6806/thesis/thesis.pdf},<br />
howpublished = {Available online},<br />
year = {2009},<br />
abstract = {The thesis includes a successful cube attack against 4-round Keccak complete with a table of maxterms, analysis of the attack, and the estimated limits of its extension to higher numbers of rounds.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{keccakAK09,<br />
author = {Jean-Philippe Aumasson and Dmitry Khovratovich},<br />
title = {First Analysis of Keccak},<br />
url = {http://131002.net/data/papers/AK09.pdf},<br />
howpublished = {Available online},<br />
year = {2009},<br />
abstract = {We apply known automated cryptanalytic tools to the Keccak-f[1600] permutation, using<br />
a triangulation tool to solve the CICO problem, and cube testers to detect some structure in the<br />
algebraic description of the reduced Keccak-f[1600]. The applicability of our tools was notably limited<br />
by the strength of the inverse permutation.},<br />
}<br />
</bibtex></div>
JAumasson
https://ehash.iaik.tugraz.at/index.php?title=SHA-3_Hardware_Implementations&diff=3609
SHA-3 Hardware Implementations
2010-09-22T07:55:58Z
<p>JAumasson: added compact implementations from [40]</p>
<hr />
<div>== Call for Contributions ==<br />
<br />
Implementers (both submitters and non-submitters): You have results that complement this site? <br />
Let us know at sha3zoo-hardware@iaik.tugraz.at If you are making your HDL code available, please also provide us with according information.<br />
<br />
== Important Information ==<br />
<br />
This page summarizes key properties of reported hardware implementations of those SHA-3 candidates, which are currently under consideration by NIST. This is work in progress. If you know of any implementations which should be mentioned on this page, refer to our [[#Call_for_Contributions|call for contributions]].<br />
<br />
A list of hardware implementations of the round 1 candidates can be found [[SHA-3_Hardware_Implementations_Round_One|here]]. Please note that the page for round 1 candidates is provided for reference and will not be updated.<br />
<br />
The implementations are categorized into FPGA and standard-cell ASIC implementations. Note that the diversity of implementation scope, target technologies, and synthesis tools makes direct comparisions between different hardware implementation difficult. The more of these parameters agree, the more reasonable the comparison becomes. <br />
<br />
The target technology should be as similar as possible. For FPGA implementation, it is desirable to compare implementations on the same target device (or at least on devices of the same FPGA family). For standard-cell ASIC implementation, at least the minimal gate length of the process (e.g., 0.13 µm) should agree. More ideally, the implementations use the same standard-cell library (which implies the use of the same process technology).<br />
<br />
In order to facilitate the comparision of hardware modules with different implementation scopes, we classify them into three categories:<br />
<br />
* [[#Fully_Autonomous_Implementation|Fully autonomous]]<br />
* [[#Implementation_with_External_Memory|Using external memory]]<br />
* [[#Implementation_of_Core_Functionality|Core functionality]]<br />
<br />
For suggestions regarding the structure of this site, let us know at sha3zoo-hardware@iaik.tugraz.at<br />
<br />
=== Fully Autonomous Implementation ===<br />
<br />
[[Image:HW_type_self-cont.jpg]]<br />
<br />
Such hardware implementations include the complete functionality of a SHA-3 candidate (or a specific version thereof). That means the input message can be loaded piecewise into the hardware module and it delivers the message digest as output. All hash calculations happen exclusively within the hardware module. If integrated in a system, the achievable throughput of a fully autonomous implementation depends on the speed of the hardware module itself and the speed of the (system dependent) data interface delivering the input message.<br />
<br />
<br />
=== Implementation with External Memory ===<br />
<br />
[[Image:HW_type_ext-mem.jpg]]<br />
<br />
These implementations use external memory to hold intermediate values during the hashing of a message. The implemented hardware itself normally consists of the core logic functionality of the hash function, some registers for short-lived temporary values, and possible a memory controller for access to the external memory. Such implementations can load the input message either over a dedicated interface (similar to a fully autonomous implementation) or from the external memory. In order to reach the maximal throughput of the hardware module, the external memory must be sufficiently fast.<br />
<br />
<br />
=== Implementation of Core Functionality ===<br />
<br />
[[Image:HW_type_core-funct.jpg]]<br />
<br />
Such implementations comprise only important parts of the hash function (e.g., the compression function), which normally allows to get a first-order estimate of the performance figures of full implementations.<br />
<br />
== Ongoing Hardware Benchmarking Efforts ==<br />
<br />
To describe it in the words of the initiators and maintainers: "ATHENa: Automated Tool for Hardware EvaluatioN is a project started at George Mason University, aimed at fair, comprehensive, and automated evaluation of cryptographic cores developed using hardware description languages, such as VHDL and Verilog." More information about the project and the current results can be found on the [http://cryptography.gmu.edu/athena/ ATHENa webpage]. Note: As each hash module submitted to ATHENAa is implemented on several FPGA platforms, the SHA-3 zoo pages will not replicate all results produced by the ATHENa project on this webpage. Instead please refer directly to the [http://cryptography.gmu.edu/athena/ ATHENa webpage].<br />
<br />
== Summary of All Results ==<br />
<br />
This section includes four categories of implementations (high-speed, low-area, both for FPGA and ASIC) which include known published results. If the HDL sourcecode is available, a link is provided as well.<br />
<br />
=== High-Speed Implementations (FPGA) ===<br />
<br />
Important note: The size and functionality of slices varies between FPGA families. A direct comparision of the slice count of implementations on different FPGA families is therefore problematic.<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="120"| Hash Function Name !! width="150"| Reference / HDL !! width="100"| Impl. Scope !! width="200"| Impl. Details !! width="100"| Technology !! width="80"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| BLAKE-32 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with 8 G function units || Xilinx Virtex-II Pro || align="right"| 3091 slices || align="right"| 1724 Mbit/s || align="right"| 37.0 MHz<br />
|-<br />
| BLAKE-32 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with 8 G function units || Xilinx Virtex 4 || align="right"| 3087 slices || align="right"| 2235 Mbit/s || align="right"| 48.0 MHz<br />
|-<br />
| BLAKE-32 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with 8 G function units || Xilinx Virtex 5 || align="right"| 1694 slices || align="right"| 3103 Mbit/s || align="right"| 67.0 MHz<br />
|-<br />
| BLAKE-32 || [http://www.vlsi.uwaterloo.ca/~ahasan/hasan_report.html Namin and Hasan] [[#Ref002|[2]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with 8 G function units and I/O registers || Altera Stratix III || align="right"| 5435 ALUTs || align="right"| 2186.2 Mbit/s || align="right"| 46.97 MHz<br />
|-<br />
| BLAKE-32 || [http://eprint.iacr.org/2010/010.pdf Kobayashi et al.] [[#Ref003|[3]]] / [http://www.rcis.aist.go.jp/special/SASEBO/SHA3-en.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1660 slices || align="right"| 2676 Mbit/s || align="right"| 115 MHz<br />
|-<br />
| BLAKE-32 || [http://www.springerlink.com/content/q41257x376615p22/ Gaj et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1851 slices || align="right"| 2610.6 Mbit/s || align="right"| 102 MHz<br />
|-<br />
| BLAKE-32 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1118 slices || align="right"| 1169 Mbit/s || align="right"| 118.06 MHz<br />
|-<br />
| BLAKE-32 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/MATSUO_SHA-3_Criteria_Hardware_revised.pdf Matsuo et al.] [[#Ref033|[33]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS website] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1660 slices || align="right"| 2676 Mbit/s || align="right"| 115 MHz<br />
|-<br />
| BLAKE-64 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with 8 G function units || Xilinx Virtex-II Pro || align="right"| 11122 slices || align="right"| 1177 Mbit/s || align="right"| 17.0 MHz<br />
|-<br />
| BLAKE-64 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with 8 G function units || Xilinx Virtex 4 || align="right"| 11483 slices || align="right"| 1707 Mbit/s || align="right"| 25.0 MHz<br />
|-<br />
| BLAKE-64 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with 8 G function units || Xilinx Virtex 5 || align="right"| 4329 slices || align="right"| 2389 Mbit/s || align="right"| 35.0 MHz<br />
|-<br />
| BLAKE-64 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1718 slices || align="right"| 1299 Mbit/s || align="right"| 90.91 MHz<br />
|-<br />
| Blue Midnight Wish-256 || [http://www.vlsi.uwaterloo.ca/~ahasan/hasan_report.html Namin and Hasan] [[#Ref002|[2]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with f0, f1, and f2 unrolled in sequence and I/O registers || Altera Stratix III || align="right"| 12917 ALUTs || align="right"| 4889.6 Mbit/s || align="right"| 9.55 MHz<br />
|-<br />
| Blue Midnight Wish-256 || [http://www.springerlink.com/content/q41257x376615p22/ Gaj et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 4400 slices || align="right"| 5576.7 Mbit/s || align="right"| 10.9 MHz<br />
|-<br />
| Blue Midnight Wish-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 4997 slices || align="right"| 457 Mbit/s || align="right"| 14.02 MHz<br />
|-<br />
| Blue Midnight Wish-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/MATSUO_SHA-3_Criteria_Hardware_revised.pdf Matsuo et al.] [[#Ref033|[33]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS website] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 4350 slices || align="right"| 8704 Mbit/s || align="right"| 34 MHz<br />
|-<br />
| Blue Midnight Wish-512 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 9810 slices || align="right"| 287 Mbit/s || align="right"| 10 MHz<br />
|-<br />
| Blue Midnight Wish || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SAVAS_SHA3_NIST_final.pdf Akin et al.] [[#Ref034|[34]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with f0, f1, and f2 unrolled in sequence || Xilinx Spartan 3 || align="right"| 10531 slices || align="right"| 2110 Mbit/s || align="right"| 4.22 MHz<br />
|-<br />
| Blue Midnight Wish || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SAVAS_SHA3_NIST_final.pdf Akin et al.] [[#Ref034|[34]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with f0, f1, and f2 unrolled in sequence || Xilinx Virtex-II || align="right"| 10432 slices || align="right"| 3360 Mbit/s || align="right"| 6.71 MHz<br />
|-<br />
| Blue Midnight Wish || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SAVAS_SHA3_NIST_final.pdf Akin et al.] [[#Ref034|[34]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with f0, f1, and f2 unrolled in sequence || Xilinx Virtex 4 || align="right"| 10486 slices || align="right"| 4510 Mbit/s || align="right"| 9.01 MHz<br />
|-<br />
| CubeHash8/1-256(***) || [http://eprint.iacr.org/2009/342.pdf Baldwin et al.] [[#Ref004|[4]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || 2 compression functions unrolled || Xilinx Spartan 3 || align="right"| 3268 slices || align="right"| 70 Mbit/s || align="right"| 37.9 MHz<br />
|-<br />
| CubeHash8/1-256(***) || [http://eprint.iacr.org/2009/342.pdf Baldwin et al.] [[#Ref004|[4]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || 1 iterated compression function || Xilinx Virtex 5 || align="right"| 1178 slices || align="right"| 160 Mbit/s || align="right"| 166.8 MHz<br />
|-<br />
| CubeHash16/32-256 || [http://eprint.iacr.org/2010/010.pdf Kobayashi et al.] [[#Ref003|[3]]] / [http://www.rcis.aist.go.jp/special/SASEBO/SHA3-en.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 590 slices || align="right"| 2960 Mbit/s || align="right"| 185 MHz<br />
|-<br />
| CubeHash16/32-256 || [http://www.springerlink.com/content/q41257x376615p22/ Gaj et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 730 slices || align="right"| 3189.8 Mbit/s || align="right"| 199.4 MHz<br />
|-<br />
| CubeHash16/32-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/MATSUO_SHA-3_Criteria_Hardware_revised.pdf Matsuo et al.] [[#Ref033|[33]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS website] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 590 slices || align="right"| 2960 Mbit/s || align="right"| 185 MHz<br />
|-<br />
| CubeHash8/32 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 695 slices || align="right"| 2509 Mbit/s || align="right"| 166.83 MHz<br />
|-<br />
| ECHO-224/256 || [http://www.ucc.ie/en/crypto/CodingandCryptographyWorkshop/TheClaudeShannonWorkshoponCodingCryptography2009/DocumentFile,75649,en.pdf Lu et al.] [[#Ref005|[5]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 9333 slices || align="right"| 14860 Mbit/s || align="right"| 87.1 MHz<br />
|-<br />
| ECHO-224/256 || [http://csg.csail.mit.edu/6.375/6_375_2009_www/projects/group1_report.pdf Kinsy and Uhler] [[#Ref021|[21]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 273 cycles per block || Altera Cyclone II || align="right"| 39091 LEs || align="right"| 397 Mbit/s(*) || align="right"| 70.6 MHz<br />
|-<br />
| ECHO-256 || [http://ehash.iaik.tugraz.at/uploads/1/12/Ramakers_Narinx2010ECHO-Hamsi-Luffa_ExtendedAbstract_ENGLISH.pdf Ramakers and Narinx] [[#Ref025|[25]]] / [http://ehash.iaik.tugraz.at/uploads/2/27/Ramakers_Narinx2010ECHO-Hamsi-Luffa_VHDL_sources.zip Hosted by SHA-3 zoo] || [[#Implementation_of_Core_Functionality|Core functionality]] || Straight-forward instantiation of complete compression function || Xilinx Virtex 5 || align="right"| 15006 slices || align="right"| 23860 Mbit/s || align="right"| 139 MHz<br />
|-<br />
| ECHO-256 || [http://ehash.iaik.tugraz.at/uploads/1/12/Ramakers_Narinx2010ECHO-Hamsi-Luffa_ExtendedAbstract_ENGLISH.pdf Ramakers and Narinx] [[#Ref025|[25]]] / [http://ehash.iaik.tugraz.at/uploads/2/27/Ramakers_Narinx2010ECHO-Hamsi-Luffa_VHDL_sources.zip Hosted by SHA-3 zoo] || [[#Implementation_of_Core_Functionality|Core functionality]] || Optimized: 4 x 2 AES round instances with pipeline register in BigSubWords || Xilinx Virtex 5 || align="right"| 12061 slices || align="right"| 3560 Mbit/s || align="right"| 187 MHz<br />
|-<br />
| ECHO-256 || [http://eprint.iacr.org/2010/010.pdf Kobayashi et al.] [[#Ref003|[3]]] / [http://www.rcis.aist.go.jp/special/SASEBO/SHA3-en.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 3556 slices || align="right"| 1614 Mbit/s || align="right"| 104 MHz<br />
|-<br />
| ECHO-256 || [http://crypto.rd.francetelecom.com/ECHO/hard/ Mabrouk and Benadjila] [[#Ref028|[28]]] / [http://crypto.rd.francetelecom.com/ECHO/hard/echo_highspeed_virtex5.zip Implementer's webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Fully parallel iterations of Compress512 || Xilinx Virtex 5 || align="right"| 10407 slices || align="right"| 26390 Mbit/s || align="right"| 154.6 MHz<br />
|-<br />
| ECHO-256 || [http://crypto.rd.francetelecom.com/ECHO/hard/ Mabrouk and Benadjila] [[#Ref028|[28]]] / [http://crypto.rd.francetelecom.com/ECHO/hard/echo_highspeed_virtex6.zip Implementer's webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Fully parallel iterations of Compress512 || Xilinx Virtex 6 || align="right"| 8071 slices || align="right"| 29457 Mbit/s || align="right"| 172.6 MHz<br />
|-<br />
| ECHO-256 || [http://www.springerlink.com/content/q41257x376615p22/ Gaj et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 6453 slices || align="right"| 10133.4 Mbit/s || align="right"| 178.1 MHz<br />
|-<br />
| ECHO-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 7372 slices || align="right"| 5373 Mbit/s || align="right"| 198.93 MHz<br />
|-<br />
| ECHO-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/MATSUO_SHA-3_Criteria_Hardware_revised.pdf Matsuo et al.] [[#Ref033|[33]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS website] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 2827 slices || align="right"| 2312 Mbit/s || align="right"| 149 MHz<br />
|-<br />
| ECHO-384/512 || [http://www.ucc.ie/en/crypto/CodingandCryptographyWorkshop/TheClaudeShannonWorkshoponCodingCryptography2009/DocumentFile,75649,en.pdf Lu et al.] [[#Ref005|[5]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 9097 slices || align="right"| 7810 Mbit/s || align="right"| 83.9 MHz<br />
|-<br />
| ECHO-384/512 || [http://csg.csail.mit.edu/6.375/6_375_2009_www/projects/group1_report.pdf Kinsy and Uhler] [[#Ref021|[21]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 341 cycles per block || Altera Cyclone II || align="right"| 39091 LEs || align="right"| 212 Mbit/s(**) || align="right"| 70.6 MHz<br />
|-<br />
| ECHO-512 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 8633 slices || align="right"| 18133 Mbit/s || align="right"| 166.69 MHz<br />
|-<br />
| Fugue-256 || [http://www.springerlink.com/content/q41257x376615p22/ Gaj et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 956 slices || align="right"| 3151.2 Mbit/s || align="right"| 98.5 MHz<br />
|-<br />
| Fugue-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1689 slices || align="right"| 914 Mbit/s || align="right"| 200.04 MHz<br />
|-<br />
| Fugue-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/MATSUO_SHA-3_Criteria_Hardware_revised.pdf Matsuo et al.] [[#Ref033|[33]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS website] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 4013 slices || align="right"| 1248 Mbit/s || align="right"| 78 MHz<br />
|-<br />
| Fugue-384 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 2380 slices || align="right"| 640 Mbit/s || align="right"| 200.08 MHz<br />
|-<br />
| Fugue-512 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 2596 slices || align="right"| 481 Mbit/s || align="right"| 200.16 MHz<br />
|-<br />
| Grøstl-224/256 || [http://eprint.iacr.org/2009/206.pdf Jungk et al.] [[#Ref006|[6]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || P & Q permutation in parallel || Xilinx Spartan 3 || align="right"| 6136 slices || align="right"| 4520 Mbit/s || align="right"| 88.3 MHz<br />
|-<br />
| Grøstl-224/256 || [http://www.groestl.info/Groestl.pdf Submission doc.] [[#Ref007|[7]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || P & Q permutation in parallel || Xilinx Virtex 5 || align="right"| 1722 slices || align="right"| 10276 Mbit/s || align="right"| 200.7 MHz<br />
|-<br />
| Grøstl-224/256 || [http://eprint.iacr.org/2009/342.pdf Baldwin et al.] [[#Ref004|[4]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || P & Q permutation in parallel, S-box in BRAM || Xilinx Spartan 3 || align="right"| 4827 slices || align="right"| 3660 Mbit/s || align="right"| 71.53 MHz<br />
|-<br />
| Grøstl-224/256 || [http://eprint.iacr.org/2009/342.pdf Baldwin et al.] [[#Ref004|[4]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || P & Q permutation in parallel, S-box in BRAM || Xilinx Virtex 5 || align="right"| 4516 slices || align="right"| 7310 Mbit/s || align="right"| 142.87 MHz<br />
|-<br />
| Grøstl-256 || [http://eprint.iacr.org/2010/010.pdf Kobayashi et al.] [[#Ref003|[3]]] / [http://www.rcis.aist.go.jp/special/SASEBO/SHA3-en.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 4057 slices || align="right"| 5171 Mbit/s || align="right"| 101 MHz<br />
|-<br />
| Grøstl-256 || [http://www.springerlink.com/content/q41257x376615p22/ Gaj et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1884 slices || align="right"| 8676.5 Mbit/s || align="right"| 355.9 MHz<br />
|-<br />
| Grøstl-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 2391 slices || align="right"| 3242 Mbit/s || align="right"| 101.32 MHz<br />
|-<br />
| Grøstl-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/MATSUO_SHA-3_Criteria_Hardware_revised.pdf Matsuo et al.] [[#Ref033|[33]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS website] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 2616 slices || align="right"| 7885 Mbit/s || align="right"| 154 MHz<br />
|-<br />
| Grøstl-384/512 || [http://www.groestl.info/Groestl.pdf Submission doc.] [[#Ref007|[7]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || P & Q permutation in parallel || Xilinx Spartan 3 || align="right"| 20233 slices || align="right"| 5901 Mbit/s || align="right"| 80.7 MHz<br />
|-<br />
| Grøstl-384/512 || [http://eprint.iacr.org/2009/342.pdf Baldwin et al.] [[#Ref004|[4]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || P & Q permutation parallel, S-box in LUTs || Xilinx Spartan 3 || align="right"| 17452 slices || align="right"| 3180 Mbit/s || align="right"| 79.61 MHz<br />
|-<br />
| Grøstl-384/512 || [http://eprint.iacr.org/2009/342.pdf Baldwin et al.] [[#Ref004|[4]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || P & Q permutation parallel, S-box in LUTs || Xilinx Virtex 5 || align="right"| 19161 slices || align="right"| 6090 Mbit/s || align="right"| 83.33 MHz<br />
|-<br />
| Grøstl-384/512 || [http://www.groestl.info/Groestl.pdf Submission doc.] [[#Ref007|[7]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || P & Q permutation in parallel || Xilinx Virtex 5 || align="right"| 5419 slices || align="right"| 15395 Mbit/s || align="right"| 210.5 MHz<br />
|-<br />
| Grøstl-384/512 || [http://eprint.iacr.org/2010/260.pdf Jungk and Reith] [[#Ref022|[22]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Shared P & Q permutation || Xilinx Spartan 3 || align="right"| 8308 slices || align="right"| 3474 Mbit/s || align="right"| 95 MHz<br />
|-<br />
| Grøstl-512 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 4845 slices || align="right"| 3619 Mbit/s || align="right"| 123.4 MHz<br />
|-<br />
| Hamsi-256 || [http://eprint.iacr.org/2010/010.pdf Kobayashi et al.] [[#Ref003|[3]]] / [http://www.rcis.aist.go.jp/special/SASEBO/SHA3-en.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 718 slices || align="right"| 1680 Mbit/s || align="right"| 210 MHz<br />
|-<br />
| Hamsi-256 || [http://ehash.iaik.tugraz.at/uploads/1/12/Ramakers_Narinx2010ECHO-Hamsi-Luffa_ExtendedAbstract_ENGLISH.pdf Ramakers and Narinx] [[#Ref025|[25]]] / [http://ehash.iaik.tugraz.at/uploads/2/27/Ramakers_Narinx2010ECHO-Hamsi-Luffa_VHDL_sources.zip Hosted by SHA-3 zoo] || [[#Implementation_of_Core_Functionality|Core functionality]] || Straight-forward instantiation of complete compression function || Xilinx Virtex 5 || align="right"| 4664 slices || align="right"| 6620 Mbit/s || align="right"| 207 MHz<br />
|-<br />
| Hamsi-256 || [http://ehash.iaik.tugraz.at/uploads/1/12/Ramakers_Narinx2010ECHO-Hamsi-Luffa_ExtendedAbstract_ENGLISH.pdf Ramakers and Narinx] [[#Ref025|[25]]] / [http://ehash.iaik.tugraz.at/uploads/2/27/Ramakers_Narinx2010ECHO-Hamsi-Luffa_VHDL_sources.zip Hosted by SHA-3 zoo] || [[#Implementation_of_Core_Functionality|Core functionality]] || Non-linear permutation block reused || Xilinx Virtex 5 || align="right"| 2113 slices || align="right"| 1970 Mbit/s || align="right"| 308 MHz<br />
|-<br />
| Hamsi-256 || [http://www.springerlink.com/content/q41257x376615p22/ Gaj et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 946 slices || align="right"| 2646.2 Mbit/s || align="right"| 248.1 MHz<br />
|-<br />
| Hamsi-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1518 slices || align="right"| 358 Mbit/s || align="right"| 72.41 MHz<br />
|-<br />
| Hamsi-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/MATSUO_SHA-3_Criteria_Hardware_revised.pdf Matsuo et al.] [[#Ref033|[33]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS website] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 718 slices || align="right"| 1680 Mbit/s || align="right"| 210 MHz<br />
|-<br />
| Hamsi-512 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 6229 slices || align="right"| 79 Mbit/s || align="right"| 16.51 MHz<br />
|-<br />
| JH-256 || [http://www.springerlink.com/content/q41257x376615p22/ Gaj et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1275 slices || align="right"| 4013.5 Mbit/s || align="right"| 282.2 MHz<br />
|-<br />
| JH-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/MATSUO_SHA-3_Criteria_Hardware_revised.pdf Matsuo et al.] [[#Ref033|[33]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS website] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 2661 slices || align="right"| 2639 Mbit/s || align="right"| 201 MHz<br />
|-<br />
| JH || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1291 slices || align="right"| 1941 Mbit/s || align="right"| 250.13 MHz<br />
|-<br />
| Keccak || [http://keccak.noekeon.org/Keccak-main-1.2.pdf Updated spec. (v1.2)] [[#Ref008|[8]]] / [http://keccak.noekeon.org/ Submission webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Core (round function, state register) & IO buffer || Altera Cyclone III || align="right"| 5776 LEs || align="right"| 7500 Mbit/s || align="right"| 133 MHz<br />
|-<br />
| Keccak || [http://keccak.noekeon.org/Keccak-main-1.2.pdf Updated spec. (v1.2)] [[#Ref008|[8]]] / [http://keccak.noekeon.org/ Submission webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Core (round function, state register) & IO buffer || Altera Stratix III || align="right"| 4713 ALUTs || align="right"| 12400 Mbit/s || align="right"| 218 MHz<br />
|-<br />
| Keccak || [http://www.strombergson.com/files/Keccak_in_FPGAs.pdf J. Str&ouml;mbergson] [[#Ref009|[9]]] / [http://keccak.noekeon.org/ Submission webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Core (round function, state register) only || Xilinx Spartan 3A || align="right"| 3393 slices || align="right"| 4800 Mbit/s || align="right"| 85 MHz<br />
|-<br />
| Keccak || [http://keccak.noekeon.org/Keccak-main-1.2.pdf Updated spec. (v1.2)] [[#Ref008|[8]]] / [http://keccak.noekeon.org/ Submission webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Core (round function, state register) & IO buffer || Xilinx Virtex 5 || align="right"| 1412 slices || align="right"| 6900 Mbit/s || align="right"| 122 MHz<br />
|-<br />
| Keccak(-224) || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1117 slices || align="right"| 5915 Mbit/s || align="right"| 189 MHz<br />
|-<br />
| Keccak(-256) || [http://www.springerlink.com/content/q41257x376615p22/ Gaj et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1229 slices || align="right"| 10806.5 Mbit/s || align="right"| 238.4 MHz<br />
|-<br />
| Keccak(-256) || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1117 slices || align="right"| 6263 Mbit/s || align="right"| 189 MHz<br />
|-<br />
| Keccak(-256) || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/MATSUO_SHA-3_Criteria_Hardware_revised.pdf Matsuo et al.] [[#Ref033|[33]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS website] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1433 slices || align="right"| 8397 Mbit/s || align="right"| 205 MHz<br />
|-<br />
| Keccak(-384) || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1117 slices || align="right"| 8190 Mbit/s || align="right"| 189 MHz<br />
|-<br />
| Keccak(-512) || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1117 slices || align="right"| 8518 Mbit/s || align="right"| 189 MHz<br />
|-<br />
| Keccak || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SAVAS_SHA3_NIST_final.pdf Akin et al.] [[#Ref034|[34]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || One Keccak-f round per cycle || Xilinx Spartan 3 || align="right"| 2024 slices || align="right"| 3460 Mbit/s || align="right"| 81.4 MHz<br />
|-<br />
| Keccak || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SAVAS_SHA3_NIST_final.pdf Akin et al.] [[#Ref034|[34]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || One Keccak-f round per cycle || Xilinx Virtex-II || align="right"| 2024 slices || align="right"| 5810 Mbit/s || align="right"| 136.6 MHz<br />
|-<br />
| Keccak || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SAVAS_SHA3_NIST_final.pdf Akin et al.] [[#Ref034|[34]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || One Keccak-f round per cycle || Xilinx Virtex 4 || align="right"| 2024 slices || align="right"| 6070 Mbit/s || align="right"| 142.9 MHz<br />
|-<br />
| Luffa-256 || [http://www.vlsi.uwaterloo.ca/~ahasan/hasan_report.html Namin and Hasan] [[#Ref002|[2]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function (1 cycle latency) and I/O registers || Altera Stratix III || align="right"| 16552 ALUTs || align="right"| 12042.2 Mbit/s || align="right"| 47.04 MHz<br />
|-<br />
| Luffa-256 || [http://eprint.iacr.org/2010/010.pdf Kobayashi et al.] [[#Ref003|[3]]] / [http://www.rcis.aist.go.jp/special/SASEBO/SHA3-en.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1048 slices || align="right"| 6343 Mbit/s || align="right"| 223 MHz<br />
|-<br />
| Luffa-256 || [http://ehash.iaik.tugraz.at/uploads/1/12/Ramakers_Narinx2010ECHO-Hamsi-Luffa_ExtendedAbstract_ENGLISH.pdf Ramakers and Narinx] [[#Ref025|[25]]] / [http://ehash.iaik.tugraz.at/uploads/2/27/Ramakers_Narinx2010ECHO-Hamsi-Luffa_VHDL_sources.zip Hosted by SHA-3 zoo] || [[#Implementation_of_Core_Functionality|Core functionality]] || One step block reused for 8 rounds || Xilinx Virtex 5 || align="right"| 9611 slices || align="right"| 2303 Mbit/s || align="right"| 179 MHz<br />
|-<br />
| Luffa-256 || [http://ehash.iaik.tugraz.at/uploads/1/12/Ramakers_Narinx2010ECHO-Hamsi-Luffa_ExtendedAbstract_ENGLISH.pdf Ramakers and Narinx] [[#Ref025|[25]]] / [http://ehash.iaik.tugraz.at/uploads/2/27/Ramakers_Narinx2010ECHO-Hamsi-Luffa_VHDL_sources.zip Hosted by SHA-3 zoo] || [[#Implementation_of_Core_Functionality|Core functionality]] || Straight-forward instantiation of complete compression function || Xilinx Virtex 5 || align="right"| 9611 slices || align="right"| 12290 Mbit/s || align="right"| 48.2 MHz<br />
|-<br />
| Luffa-256 || [http://www.springerlink.com/content/q41257x376615p22/ Gaj et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1154 slices || align="right"| 8008 Mbit/s || align="right"| 281.5 MHz<br />
|-<br />
| Luffa-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 2221 slices || align="right"| 5333 Mbit/s || align="right"| 166.67 MHz<br />
|-<br />
| Luffa-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/MATSUO_SHA-3_Criteria_Hardware_revised.pdf Matsuo et al.] [[#Ref033|[33]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS website] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1048 slices || align="right"| 7424 Mbit/s || align="right"| 261 MHz<br />
|-<br />
| Luffa-384 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 3740 slices || align="right"| 5336 Mbit/s || align="right"| 166.75 MHz<br />
|-<br />
| Luffa-512 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 3700 slices || align="right"| 5336 Mbit/s || align="right"| 166.75 MHz<br />
|-<br />
| Luffa || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SAVAS_SHA3_NIST_final.pdf Akin et al.] [[#Ref034|[34]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || Three step modules || Xilinx Spartan 3 || align="right"| 2956 slices || align="right"| 1480 Mbit/s || align="right"| 157.3 MHz<br />
|-<br />
| Luffa || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SAVAS_SHA3_NIST_final.pdf Akin et al.] [[#Ref034|[34]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || Three step modules || Xilinx Virtex-II || align="right"|2952 slices || align="right"| 8370 Mbit/s || align="right"| 301.4 MHz<br />
|-<br />
| Luffa || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SAVAS_SHA3_NIST_final.pdf Akin et al.] [[#Ref034|[34]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || Three step modules || Xilinx Virtex 4 || align="right"| 2989 slices || align="right"| 8560 Mbit/s || align="right"| 308.2 MHz<br />
|-<br />
| Shabal || [http://www.shabal.com/wp-content/plugins/download-monitor/download.php?id=FPGA-Implementation-of-Shabal-First-ResultsV2.0.pdf Feron and Francq] [[#Ref010|[10]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 36 adders in permutation || Xilinx Virtex 5 || align="right"| 1171 slices || align="right"| 2588 Mbit/s || align="right"| 126 MHz<br />
|-<br />
| Shabal || [http://eprint.iacr.org/2010/406.pdf Francq and Thuillet] [[#Ref026|[26]]] / [http://www.shabal.com/?p=170 Shabal webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 4 iterations of the permutation unrolled || Xilinx Virtex 5 || align="right"| 1715 slices || align="right"| 3242 Mbit/s || align="right"| 76 MHz<br />
|-<br />
| Shabal || [http://eprint.iacr.org/2009/342.pdf Baldwin et al.] [[#Ref004|[4]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || 36 adders in permutation || Xilinx Spartan 3 || align="right"| 2223 slices || align="right"| 740 Mbit/s || align="right"| 71.48 MHz<br />
|-<br />
| Shabal || [http://eprint.iacr.org/2009/342.pdf Baldwin et al.] [[#Ref004|[4]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || 36 adders in permutation || Xilinx Virtex 5 || align="right"| 2768 slices || align="right"| 1450 Mbit/s || align="right"| 138.87 MHz<br />
|-<br />
| Shabal || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1583 slices || align="right"| 1469 Mbit/s || align="right"| 148.04 MHz<br />
|-<br />
| Shabal-256 || [http://www.vlsi.uwaterloo.ca/~ahasan/hasan_report.html Namin and Hasan] [[#Ref002|[2]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with I/O registers (latency of 16 clock cycles) || Altera Stratix III || align="right"| 1440 ALUTs || align="right"| 3125.6 Mbit/s || align="right"| 195.35 MHz<br />
|-<br />
| Shabal-256 || [http://eprint.iacr.org/2010/010.pdf Kobayashi et al.] [[#Ref003|[3]]] / [http://www.rcis.aist.go.jp/special/SASEBO/SHA3-en.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1251 slices || align="right"| 1739 Mbit/s || align="right"| 214 MHz<br />
|-<br />
| Shabal-256 || [http://www.springerlink.com/content/q41257x376615p22/ Gaj et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1266 slices || align="right"| 2624 Mbit/s || align="right"| 128.1 MHz<br />
|-<br />
| Shabal-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/MATSUO_SHA-3_Criteria_Hardware_revised.pdf Matsuo et al.] [[#Ref033|[33]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS website] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1251 slices || align="right"| 2335 Mbit/s || align="right"| 228 MHz<br />
|-<br />
| Shabal-512 || [http://eprint.iacr.org/2010/292.pdf Detrey et al.] [[#Ref023|[23]]] / [http://hwshabal.gforge.inria.fr/ INRIA webpage (see SCM tree)] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Exploiting SRL16 primitive || Xilinx Virtex 5 || align="right"| 153 slices || align="right"| 2051 Mbit/s || align="right"| 256 MHz<br />
|-<br />
| Shabal-512 || [http://eprint.iacr.org/2010/292.pdf Detrey et al.] [[#Ref023|[23]]] / [http://hwshabal.gforge.inria.fr/ INRIA webpage (see SCM tree)] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Exploiting SRL16 primitive || Xilinx Spartan 3 || align="right"| 499 slices || align="right"| 800 Mbit/s || align="right"| 100 MHz<br />
|-<br />
| SHAvite-3<sub>256</sub> || [http://www.springerlink.com/content/q41257x376615p22/ Gaj et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1130 slices || align="right"| 2885.9 Mbit/s || align="right"| 208.6 MHz<br />
|-<br />
| SHAvite-3<sub>256</sub> || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 3125 slices || align="right"| 1170 Mbit/s || align="right"| 109.17 MHz<br />
|-<br />
| SHAvite-3<sub>256</sub> || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/MATSUO_SHA-3_Criteria_Hardware_revised.pdf Matsuo et al.] [[#Ref033|[33]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS website] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1063 slices || align="right"| 3382 Mbit/s || align="right"| 251 MHz<br />
|-<br />
| SHAvite-3<sub>512</sub> || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 9775 slices || align="right"| 931 Mbit/s || align="right"| 59.4 MHz<br />
|-<br />
| SIMD-256 || [http://www.springerlink.com/content/q41257x376615p22/ Gaj et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 9288 slices || align="right"| 2325.9 Mbit/s || align="right"| 40.9 MHz<br />
|-<br />
| SIMD-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 22704 slices || align="right"| 1338 Mbit/s || align="right"| 107.2 MHz<br />
|-<br />
| SIMD-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/MATSUO_SHA-3_Criteria_Hardware_revised.pdf Matsuo et al.] [[#Ref033|[33]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS website] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 3987 slices || align="right"| 835 Mbit/s || align="right"| 75 MHz<br />
|-<br />
| SIMD-512 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 43729 slices || align="right"| 2677 Mbit/s || align="right"| 107.2 MHz<br />
|-<br />
| Skein-256-h || [http://www.skein-hash.info/sites/default/files/skein_fpga.pdf Men Long] [[#Ref011|[11]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || UBI component || Xilinx Virtex 5 || align="right"| 1001 slices || align="right"| 408.7 Mbit/s || align="right"| 114.9 MHz<br />
|-<br />
| Skein-256-256 || [http://eprint.iacr.org/2009/159.pdf Stefan Tillich] [[#Ref012|[12]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 8 Threefish rounds unrolled || Xilinx Virtex 5 || align="right"| 937 slices || align="right"| 1751 Mbit/s || align="right"| 68.4 MHz<br />
|-<br />
| Skein-256-256 || [http://eprint.iacr.org/2009/159.pdf Stefan Tillich] [[#Ref012|[12]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 8 Threefish rounds unrolled || Xilinx Spartan 3 || align="right"| 2421 slices || align="right"| 669 Mbit/s || align="right"| 26.14 MHz<br />
|-<br />
| Skein-256-256 || [http://eprint.iacr.org/2010/010.pdf Kobayashi et al.] [[#Ref003|[3]]] / [http://www.rcis.aist.go.jp/special/SASEBO/SHA3-en.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 854 slices || align="right"| 1482 Mbit/s || align="right"| 115 MHz<br />
|-<br />
| Skein-256-256 || [http://www.springerlink.com/content/q41257x376615p22/ Gaj et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1312 slices || align="right"| 1416.1 Mbit/s || align="right"| 49.8 MHz<br />
|-<br />
| Skein-256-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/MATSUO_SHA-3_Criteria_Hardware_revised.pdf Matsuo et al.] [[#Ref033|[33]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS website] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 854 slices || align="right"| 1402 Mbit/s || align="right"| 115 MHz<br />
|-<br />
| Skein-512-h || [http://www.skein-hash.info/sites/default/files/skein_fpga.pdf Men Long] [[#Ref011|[11]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || UBI component || Xilinx Virtex 5 || align="right"| 1877 slices || align="right"| 817.4 Mbit/s || align="right"| 114.9 MHz<br />
|-<br />
| Skein-512-512 || [http://eprint.iacr.org/2009/159.pdf Stefan Tillich] [[#Ref012|[12]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 8 Threefish rounds unrolled || Xilinx Virtex 5 || align="right"| 1632 slices || align="right"| 3535 Mbit/s || align="right"| 69.04 MHz<br />
|-<br />
| Skein-512-512 || [http://eprint.iacr.org/2009/159.pdf Stefan Tillich] [[#Ref012|[12]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 8 Threefish rounds unrolled || Xilinx Spartan 3 || align="right"| 4273 slices || align="right"| 1365 Mbit/s || align="right"| 26.66 MHz<br />
|-<br />
| Skein-512 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1786 slices || align="right"| 1945 Mbit/s || align="right"| 83.65 MHz<br />
<br />
|}<br />
<br />
(*) Estimated peak throughput ignoring I/O bottleneck resulting from specific interface: (1536 bits/block) * (70.6 * 10^6 cycles/s) / (273 cycles/block) = 397.22 * 10^6 bits/s.<br />
<br /><br />
(**) Estimated peak throughput ignoring I/O bottleneck resulting from specific interface: (1024 bits/block) * (70.6 * 10^6 cycles/s) / (341 cycles/block) = 212.01 * 10^6 bits/s.<br />
<br /><br />
(***) CubeHash16/32-h implemented in a similar fashion can be expected to have throughput increased by a factor of about 16.<br />
<br />
<br /><br />
<br /><br />
<br />
=== Low-Area Implementations (FPGA) ===<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="120"| Hash Function Name !! width="150"| Reference / HDL !! width="100"| Impl. Scope !! width="200"| Implementation Details !! width="100"| Technology !! width="80"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| BLAKE-32 || [http://eprint.iacr.org/2010/173.pdf Beuchat et al.] [[#Ref013|[13]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Rescheduled G function || Xilinx Spartan-3 || align="right"| 124 slices || align="right"| 115 Mbit/s || align="right"| 190.0 MHz<br />
|-<br />
| BLAKE-32 || [http://eprint.iacr.org/2010/173.pdf Beuchat et al.] [[#Ref013|[13]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Rescheduled G function || Xilinx Virtex-4 || align="right"| 124 slices || align="right"| 216 Mbit/s || align="right"| 357.0 MHz<br />
|-<br />
| BLAKE-32 || [http://eprint.iacr.org/2010/173.pdf Beuchat et al.] [[#Ref013|[13]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Rescheduled G function || Xilinx Virtex-5 || align="right"| 56 slices || align="right"| 225 Mbit/s || align="right"| 372.0 MHz<br />
|-<br />
| BLAKE-32 || [http://eprint.iacr.org/2010/173.pdf Beuchat et al.] [[#Ref013|[13]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Rescheduled G function || Altera Cyclone III || align="right"| 285 LEs || align="right"| 116 Mbit/s || align="right"| 192.0 MHz<br />
|-<br />
| BLAKE-32 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with 1 G function unit || Xilinx Virtex-II Pro || align="right"| 958 slices || align="right"| 371 Mbit/s || align="right"| 59.0 MHz<br />
|-<br />
| BLAKE-32 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with 1 G function unit || Xilinx Virtex 4 || align="right"| 960 slices || align="right"| 430 Mbit/s || align="right"| 68.0 MHz<br />
|-<br />
| BLAKE-32 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with 1 G function unit || Xilinx Virtex 5 || align="right"| 390 slices || align="right"| 575 Mbit/s || align="right"| 91.0 MHz<br />
|-<br />
| BLAKE-64 || [http://eprint.iacr.org/2010/173.pdf Beuchat et al.] [[#Ref013|[13]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Rescheduled G function || Xilinx Spartan-3 || align="right"| 229 slices || align="right"| 138 Mbit/s || align="right"| 158.0 MHz<br />
|-<br />
| BLAKE-64 || [http://eprint.iacr.org/2010/173.pdf Beuchat et al.] [[#Ref013|[13]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Rescheduled G function || Xilinx Virtex-4 || align="right"| 230 slices || align="right"| 219 Mbit/s || align="right"| 250.0 MHz<br />
|-<br />
| BLAKE-64 || [http://eprint.iacr.org/2010/173.pdf Beuchat et al.] [[#Ref013|[13]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Rescheduled G function || Xilinx Virtex-5 || align="right"| 108 slices || align="right"| 314 Mbit/s || align="right"| 358.0 MHz<br />
|-<br />
| BLAKE-64 || [http://eprint.iacr.org/2010/173.pdf Beuchat et al.] [[#Ref013|[13]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Rescheduled G function || Altera Cyclone III || align="right"| 542 LEs || align="right"| 123 Mbit/s || align="right"| 140.0 MHz<br />
|-<br />
| BLAKE-64 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with 1 G function unit || Xilinx Virtex-II Pro || align="right"| 1802 slices || align="right"| 326 Mbit/s || align="right"| 36.0 MHz<br />
|-<br />
| BLAKE-64 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with 1 G function unit || Xilinx Virtex 4 || align="right"| 1856 slices || align="right"| 381 Mbit/s || align="right"| 42.0 MHz<br />
|-<br />
| BLAKE-64 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with 1 G function unit || Xilinx Virtex 5 || align="right"| 939 slices || align="right"| 533 Mbit/s || align="right"| 59.0 MHz<br />
|-<br />
| Blue Midnight Wish-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/El-Hadedy_SmallSizeFPGA-BMW256.pdf El Hadedy et al.] [[#Ref032|[32]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 32-bit datapath, 1 memory block || Xilinx Virtex || align="right"| 895 slices || align="right"| 9 Mbit/s || align="right"| 38 MHz<br />
|-<br />
| Blue Midnight Wish-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/El-Hadedy_SmallSizeFPGA-BMW256.pdf El Hadedy et al.] [[#Ref032|[32]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 32-bit datapath, 2 memory blocks || Xilinx Virtex 5 || align="right"| 84 slices || align="right"| 28 Mbit/s || align="right"| 116 MHz<br />
|-<br />
| ECHO || [http://eprint.iacr.org/2010/364.pdf Beuchat et al.] [[#Ref024|[24]]] / On request from author || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Adapted towards FPGA implementation (127 slices and 1 memory block) || Xilinx Virtex 5 || align="right"| 127 slices || align="right"| 72 Mbit/s || align="right"| 352.0 MHz<br />
|-<br />
| ECHO || Announced 19-08-2010 on hash-forum@nist.gov / On request from author || [[#Fully_Autonomous_Implementation|Fully autonomous]] || All ECHO + all AES variants || Xilinx Virtex 5 || align="right"| 231 slices || align="right"| 81.7 Mbit/s (ECHO-224/256), 41.9 Mbit/s (ECHO-384/512) || align="right"| 351.0 MHz<br />
|-<br />
| Grøstl-224/256 || [http://eprint.iacr.org/2009/206.pdf Jungk et al.] [[#Ref006|[6]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 64-bit datapath, P & Q permutation in parallel || Xilinx Spartan 3 || align="right"| 2486 slices || align="right"| 404 Mbit/s || align="right"| 63.2 MHz<br />
|-<br />
| Grøstl-224/256 || [http://eprint.iacr.org/2009/206.pdf Jungk et al.] [[#Ref006|[6]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 64-bit datapath, P & Q permutation in parallel || Xilinx Virtex 2 Pro || align="right"| 2754 slices || align="right"| 512 Mbit/s || align="right"| 81.5 MHz<br />
|-<br />
| Grøstl-224/256 || [http://eprint.iacr.org/2010/260.pdf Jungk and Reith] [[#Ref022|[22]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Shared P & Q permutation, S-Box based on composite field arithmetic || Xilinx Spartan 3 || align="right"| 1276 slices || align="right"| 192 Mbit/s || align="right"| 60 MHz<br />
|-<br />
| Grøstl-384/512 || [http://eprint.iacr.org/2010/260.pdf Jungk and Reith] [[#Ref022|[22]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Shared P & Q permutation, S-Box based on composite field arithmetic || Xilinx Spartan 3 || align="right"| 2110 slices || align="right"| 144 Mbit/s || align="right"| 63 MHz<br />
|-<br />
| Keccak || [http://keccak.noekeon.org/Keccak-main-1.2.pdf Updated spec. (v1.2)] [[#Ref008|[8]]] / [http://keccak.noekeon.org/ Submission webpage] || [[#Implementation_with_External_Memory|Using external memory]] || Small core using system memory || Altera Stratix III || align="right"| 855 ALUTs || align="right"| 96.8 Mbit/s || align="right"| 366 MHz<br />
|-<br />
| Keccak || [http://keccak.noekeon.org/Keccak-main-1.2.pdf Updated spec. (v1.2)] [[#Ref008|[8]]] / [http://keccak.noekeon.org/ Submission webpage] || [[#Implementation_with_External_Memory|Using external memory]] || Small core using system memory || Altera Cyclone III || align="right"| 1559 LEs || align="right"| 47.8 Mbit/s || align="right"| 181 MHz<br />
|-<br />
| Keccak || [http://keccak.noekeon.org/Keccak-main-1.2.pdf Updated spec. (v1.2)] [[#Ref008|[8]]] / [http://keccak.noekeon.org/ Submission webpage] || [[#Implementation_with_External_Memory|Using external memory]] || Small core using system memory || Xilinx Virtex 5 || align="right"| 444 slices || align="right"| 70.1 Mbit/s || align="right"| 265 MHz<br />
|-<br />
| Shabal || [http://ehash.iaik.tugraz.at/uploads/d/d4/FPGA_Implementation_of_Shabal_-_First_Results.pdf Feron and Francq] [[#Ref010|[10]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 36 adders in permutation || Xilinx Virtex 5 || align="right"| 596 slices (+ 40 DSP blocks) || align="right"| 1142 Mbit/s || align="right"| 109 MHz<br />
|-<br />
| Shabal || [http://eprint.iacr.org/2009/342.pdf Baldwin et al.] [[#Ref004|[4]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || 1 adder in permutation || Xilinx Spartan 3 || align="right"| 1933 slices || align="right"| 540 Mbit/s || align="right"| 89.71 MHz<br />
|-<br />
| Shabal || [http://eprint.iacr.org/2009/342.pdf Baldwin et al.] [[#Ref004|[4]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || 1 adder in permutation || Xilinx Virtex 5 || align="right"| 2307 slices || align="right"| 1330 Mbit/s || align="right"| 222.22 MHz<br />
|-<br />
| Shabal-512 || [http://eprint.iacr.org/2010/292.pdf Detrey et al.] [[#Ref023|[23]]] / [http://hwshabal.gforge.inria.fr/ INRIA webpage (see SCM tree)] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Exploiting SRL16 primitive || Xilinx Virtex 5 || align="right"| 153 slices || align="right"| 2051 Mbit/s || align="right"| 256 MHz<br />
|-<br />
| Shabal-512 || [http://eprint.iacr.org/2010/292.pdf Detrey et al.] [[#Ref023|[23]]] / [http://hwshabal.gforge.inria.fr/ INRIA webpage (see SCM tree)] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Exploiting SRL16 primitive || Xilinx Spartan 3 || align="right"| 499 slices || align="right"| 800 Mbit/s || align="right"| 100 MHz<br />
|-<br />
| Skein-256-256 || [http://www.vlsi.uwaterloo.ca/~ahasan/hasan_report.html Namin and Hasan] [[#Ref002|[2]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || One round of Threefish iterated || Altera Stratix III || align="right"| 1385 ALUTs || align="right"| 573.9 Mbit/s || align="right"| 161.42 MHz<br />
|}<br />
<br />
<br><br><br />
<br />
=== High-Speed Implementations (ASIC) ===<br />
<br />
A comparison of implementations of all 14 round 2 candidates has been presented informally at [http://www.iaik.tugraz.at/ IAIK] (Graz University of Technology) on Sept. 16, 2009. The updated presentation slides can be found [http://ehash.iaik.tugraz.at/uploads/f/fc/20091112_SHA-3_HW_stillich.pdf here].<br />
<br />
<br /><br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="120"| Hash Function Name !! width="150"| Reference / HDL !! width="100"| Impl. Scope !! width="200"| Implementation Details !! width="100"| Technology !! width="80"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| BLAKE-32 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with 8 G function units || UMC 0.18 µm || align="right"| 58.30 kGates || align="right"| 5295 Mbit/s || align="right"| 114 MHz<br />
|-<br />
| BLAKE-32 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with 4 G function units || UMC 0.18 µm || align="right"| 41.31 kGates || align="right"| 4153 Mbit/s || align="right"| 170 MHz<br />
|-<br />
| BLAKE-32 || [http://www.vlsi.uwaterloo.ca/~ahasan/hasan_report.html Namin and Hasan] [[#Ref002|[2]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with 8 G function units and I/O registers || STM 90 nm || align="right"| 53 kGates || align="right"| 4475 Mbit/s(*) || align="right"| 96.15 MHz<br />
|-<br />
| BLAKE-32 || [http://eprint.iacr.org/2009/510.pdf Tillich et al.] [[#Ref014|[14]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Compression function with 4 G function units with CSAs || UMC 0.18 µm || align="right"| 45.64 kGates || align="right"| 3971 Mbit/s || align="right"| 170.64 MHz<br />
|-<br />
| BLAKE-32 || [http://www.springerlink.com/content/g0115v3272156r06/ Henzen et al.] [[#Ref029|[29]]] / [http://www.iis.ee.ethz.ch/~sha3/ ETH webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Four parallel G functions modules || UMC 90 nm || align="right"| 47.5 kGates || align="right"| 9752 Mbit/s || align="right"| 400 MHz<br />
|-<br />
| BLAKE-32 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SCHAUMONT_SHA3.pdf Guo et al.] [[#Ref035|[35]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || UMC 0.13 µm || align="right"| 43.52 kGates || align="right"| 4645 Mbit/s || align="right"| 200 MHz<br />
|-<br />
| BLAKE-32 || [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] [[#Ref037|[37]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || STM 90 nm || align="right"| 37 kGates || align="right"| 6668 Mbit/s || align="right"| 286.5 MHz<br />
|-<br />
| BLAKE-32 || [http://131002.net/data/papers/HAMP10.pdf Henzen et al.] [[#Ref040|[40]]] / [http://131002.net/blake/ Submission webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Compression function with 8 G function units || UMC 0.18 µm || align="right"| 79 kGates || align="right"| 6376 Mbit/s || align="right"| 137 MHz<br />
|-<br />
| BLAKE-32 || [http://131002.net/data/papers/HAMP10.pdf Henzen et al.] [[#Ref040|[40]]] / [http://131002.net/blake/ Submission webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Compression function with 4 G function units || UMC 0.18 µm || align="right"| 48 kGates || align="right"| 5847 Mbit/s || align="right"| 240 MHz<br />
|-<br />
| BLAKE-32 || [http://131002.net/data/papers/HAMP10.pdf Henzen et al.] [[#Ref040|[40]]] / [http://131002.net/blake/ Submission webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Compression function with 8 G function units || UMC 0.13 µm || align="right"| 67 kGates || align="right"| 9365 Mbit/s || align="right"| 201 MHz<br />
|-<br />
| BLAKE-32 || [http://131002.net/data/papers/HAMP10.pdf Henzen et al.] [[#Ref040|[40]]] / [http://131002.net/blake/ Submission webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Compression function with 4 G function units || UMC 0.13 µm || align="right"| 43 kGates || align="right"| 8047 Mbit/s || align="right"| 330 MHz<br />
|-<br />
| BLAKE-32 || [http://131002.net/data/papers/HAMP10.pdf Henzen et al.] [[#Ref040|[40]]] / [http://131002.net/blake/ Submission webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Compression function with 8 G function units || UMC 90 nm || align="right"| 65 kGates || align="right"| 17498 Mbit/s || align="right"| 376 MHz<br />
|-<br />
| BLAKE-32 || [http://131002.net/data/papers/HAMP10.pdf Henzen et al.] [[#Ref040|[40]]] / [http://131002.net/blake/ Submission webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Compression function with 4 G function units || UMC 90 nm || align="right"| 38 kGates || align="right"| 15143 Mbit/s || align="right"| 621 MHz<br />
|-<br />
| BLAKE-64 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with 8 G function units || UMC 0.18 µm || align="right"| 132.47 kGates || align="right"| 5910 Mbit/s || align="right"| 87 MHz<br />
|-<br />
| BLAKE-64 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with 4 G function units || UMC 0.18 µm || align="right"| 82.73 kGates || align="right"| 4810 Mbit/s || align="right"| 136 MHz<br />
|-<br />
| BLAKE-64 || [http://131002.net/data/papers/HAMP10.pdf Henzen et al.] [[#Ref040|[40]]] / [http://131002.net/blake/ Submission webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Compression function with 8 G function units || UMC 0.18 µm || align="right"| 147 kGates || align="right"| 7216 Mbit/s || align="right"| 106 MHz<br />
|-<br />
| BLAKE-64 || [http://131002.net/data/papers/HAMP10.pdf Henzen et al.] [[#Ref040|[40]]] / [http://131002.net/blake/ Submission webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Compression function with 4 G function units || UMC 0.18 µm || align="right"| 98 kGates || align="right"| 7192 Mbit/s || align="right"| 204 MHz<br />
|-<br />
| BLAKE-64 || [http://131002.net/data/papers/HAMP10.pdf Henzen et al.] [[#Ref040|[40]]] / [http://131002.net/blake/ Submission webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Compression function with 8 G function units || UMC 0.13 µm || align="right"| 139 kGates || align="right"| 10802 Mbit/s || align="right"| 158 MHz<br />
|-<br />
| BLAKE-64 || [http://131002.net/data/papers/HAMP10.pdf Henzen et al.] [[#Ref040|[40]]] / [http://131002.net/blake/ Submission webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Compression function with 4 G function units || UMC 0.13 µm || align="right"| 92 kGates || align="right"| 10265 Mbit/s || align="right"| 291 MHz<br />
|-<br />
| BLAKE-64 || [http://131002.net/data/papers/HAMP10.pdf Henzen et al.] [[#Ref040|[40]]] / [http://131002.net/blake/ Submission webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Compression function with 8 G function units || UMC 90 nm || align="right"| 128 kGates || align="right"| 20317 Mbit/s || align="right"| 298 MHz<br />
|-<br />
| BLAKE-64 || [http://131002.net/data/papers/HAMP10.pdf Henzen et al.] [[#Ref040|[40]]] / [http://131002.net/blake/ Submission webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Compression function with 4 G function units || UMC 90 nm || align="right"| 79 kGates || align="right"| 18782 Mbit/s || align="right"| 532 MHz<br />
|-<br />
| Blue Midnight Wish-256 || [http://www.vlsi.uwaterloo.ca/~ahasan/hasan_report.html Namin and Hasan] [[#Ref002|[2]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with f0, f1, and f2 unrolled in sequence and I/O registers || STM 90 nm || align="right"| 164 kGates || align="right"| 26665 Mbit/s(*) || align="right"| 52.08 MHz<br />
|-<br />
| Blue Midnight Wish-256 || [http://eprint.iacr.org/2009/510.pdf Tillich et al.] [[#Ref014|[14]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Compression function with f0, f1, and f2 unrolled || UMC 0.18 µm || align="right"| 169.74 kGates || align="right"| 5358 Mbit/s || align="right"| 10.46 MHz<br />
|-<br />
| Blue Midnight Wish-256 || [http://www.springerlink.com/content/g0115v3272156r06/ Henzen et al.] [[#Ref029|[29]]] / [http://www.iis.ee.ethz.ch/~sha3/ ETH webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || single-cycle f0 and f2, f1 iteratively || UMC 90 nm || align="right"| 150 kGates || align="right"| 8486 Mbit/s || align="right"| 298 MHz<br />
|-<br />
| Blue Midnight Wish-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SCHAUMONT_SHA3.pdf Guo et al.] [[#Ref035|[35]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || UMC 0.13 µm || align="right"| 198.17 kGates || align="right"| 12220 Mbit/s || align="right"| 48 MHz<br />
|-<br />
| Blue Midnight Wish || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SAVAS_SHA3_NIST_final.pdf Akin et al.] [[#Ref034|[34]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with f0, f1, and f2 unrolled in sequence || Synopsys 90 nm || align="right"| 55.9 kGates || align="right"| 26320 Mbit/s || align="right"| 52.63 MHz<br />
|-<br />
| Blue Midnight Wish-256 || [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] [[#Ref037|[37]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || STM 90 nm || align="right"| 128.7 kGates || align="right"| 25937 Mbit/s || align="right"| 101.3 MHz<br />
|-<br />
| CubeHash16/32-h || [http://eprint.iacr.org/2009/510.pdf Tillich et al.] [[#Ref014|[14]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Dynamically reconfigurable r and b parameters, two rounds unrolled || UMC 0.18 µm || align="right"| 58.87 kGates || align="right"| 4665 Mbit/s || align="right"| 145.77 MHz<br />
|-<br />
| CubeHash16/32-h || [http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=5236043 Bernet et al.] [[#Ref020|[20]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || One round per cycle || 0.13 µm || align="right"| 34.33 kGates || align="right"| 9248 Mbit/s(***) || align="right"| 578 MHz<br />
|-<br />
| CubeHash16/32-h || [http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=5236043 Bernet et al.] [[#Ref020|[20]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Half a round per cycle || 0.13 µm || align="right"| 21.54 kGates || align="right"| 8000 Mbit/s(***) || align="right"| 1000 MHz<br />
|-<br />
| CubeHash16/32-256 || [http://www.springerlink.com/content/g0115v3272156r06/ Henzen et al.] [[#Ref029|[29]]] / [http://www.iis.ee.ethz.ch/~sha3/ ETH webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || One round per cycle, IV fixed || UMC 90 nm || align="right"| 42.5 kGates || align="right"| 10667 Mbit/s || align="right"| 667 MHz<br />
|-<br />
| CubeHash16/32-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SCHAUMONT_SHA3.pdf Guo et al.] [[#Ref035|[35]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || UMC 0.13 µm || align="right"| 38.18 kGates || align="right"| 4624 Mbit/s || align="right"| 289 MHz<br />
|-<br />
| CubeHash16/32-256 || [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] [[#Ref037|[37]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || STM 90 nm || align="right"| 35.5 kGates || align="right"| 8247 Mbit/s || align="right"| 515.5 MHz<br />
|-<br />
| ECHO-224/256 || [http://www.ucc.ie/en/crypto/CodingandCryptographyWorkshop/TheClaudeShannonWorkshoponCodingCryptography2009/DocumentFile,75649,en.pdf Lu et al.] [[#Ref005|[5]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || 0.13 µm || align="right"| 521.1 kGates || align="right"| 14850 Mbit/s || align="right"| 87.1 MHz<br />
|-<br />
| ECHO-256 || [http://eprint.iacr.org/2009/510.pdf Tillich et al.] [[#Ref014|[14]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Four parallel AES rounds, 16 AES MixColumns 32-bit column multipliers || UMC 0.18 µm || align="right"| 141.49 kGates || align="right"| 2246 Mbit/s || align="right"| 141.84 MHz<br />
|-<br />
| ECHO-256 || [http://www.springerlink.com/content/g0115v3272156r06/ Henzen et al.] [[#Ref029|[29]]] / [http://www.iis.ee.ethz.ch/~sha3/ ETH webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 8 AES rounds per cycle || UMC 90 nm || align="right"| 260 kGates || align="right"| 13966 Mbit/s || align="right"| 291 MHz<br />
|-<br />
| ECHO-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SCHAUMONT_SHA3.pdf Guo et al.] [[#Ref035|[35]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || UMC 0.13 µm || align="right"| 92.73 kGates || align="right"| 3366 Mbit/s || align="right"| 217 MHz<br />
|-<br />
| ECHO-256 || [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] [[#Ref037|[37]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || STM 90 nm || align="right"| 101.1 kGates || align="right"| 5621 Mbit/s || align="right"| 362.3 MHz<br />
|-<br />
| ECHO-384/512 || [http://www.ucc.ie/en/crypto/CodingandCryptographyWorkshop/TheClaudeShannonWorkshoponCodingCryptography2009/DocumentFile,75649,en.pdf Lu et al.] [[#Ref005|[5]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || 0.13 µm|| align="right"| 516.8 kGates || align="right"| 7750 Mbit/s || align="right"| 83.3 MHz<br />
|-<br />
| Fugue-256 || [http://domino.research.ibm.com/comm/research_projects.nsf/pages/fugue.index.html/$FILE/NIST-submission-Oct08-fugue.pdf Submission doc.] [[#Ref015|[15]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Four columns of SMIX transformation in parallel (SUPER4_P) || IBM 90 nm || align="right"| 109.85 kGates || align="right"| 13913 Mbit/s || align="right"| 869.5 MHz<br />
|-<br />
| Fugue-256 || [http://eprint.iacr.org/2009/510.pdf Tillich et al.] [[#Ref014|[14]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Four columns of SMIX transformation in parallel || UMC 0.18 µm || align="right"| 46.26 kGates || align="right"| 4092 Mbit/s || align="right"| 255.75 MHz<br />
|-<br />
| Fugue-256 || [http://www.springerlink.com/content/g0115v3272156r06/ Henzen et al.] [[#Ref029|[29]]] / [http://www.iis.ee.ethz.ch/~sha3/ ETH webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || S-box as LUT || UMC 90 nm || align="right"| 55 kGates || align="right"| 8815 Mbit/s || align="right"| 551 MHz<br />
|-<br />
| Fugue-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SCHAUMONT_SHA3.pdf Guo et al.] [[#Ref035|[35]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || UMC 0.13 µm || align="right"| 91.09 kGates || align="right"| 2385 Mbit/s || align="right"| 149 MHz<br />
|-<br />
| Fugue-256 || [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] [[#Ref037|[37]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || STM 90 nm || align="right"| 56.7 kGates || align="right"| 2721 Mbit/s || align="right"| 170.1 MHz<br />
|-<br />
| Grøstl-256 || [http://eprint.iacr.org/2009/510.pdf Tillich et al.] [[#Ref014|[14]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || One shared permutation for P & Q, one pipeline stage || UMC 0.18 µm || align="right"| 58.40 kGates || align="right"| 6290 Mbit/s || align="right"| 270.27 MHz<br />
|-<br />
| Grøstl-256 || [http://www.springerlink.com/content/g0115v3272156r06/ Henzen et al.] [[#Ref029|[29]]] / [http://www.iis.ee.ethz.ch/~sha3/ ETH webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || P and Q permutation interleaved with one pipeline stage, S-box as LUT || UMC 90 nm || align="right"| 135 kGates || align="right"| 16254 Mbit/s || align="right"| 667 MHz<br />
|-<br />
| Grøstl-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SCHAUMONT_SHA3.pdf Guo et al.] [[#Ref035|[35]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || UMC 0.13 µm || align="right"| 110.11 kGates || align="right"| 9606 Mbit/s || align="right"| 188 MHz<br />
|-<br />
| Grøstl-256 || [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] [[#Ref037|[37]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || STM 90 nm || align="right"| 139.1 kGates || align="right"| 17297 Mbit/s || align="right"| 337.8 MHz<br />
<br />
|-<br />
| Grøstl-256 || [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/others.html RCIS webpage] [[#Ref039|[39]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/others.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || STM 90 nm || align="right"| 120.8 kGates || align="right"| 16275 Mbit/s || align="right"| 349.7 MHz<br />
<br />
|-<br />
| Grøstl-384/512 || [http://www.groestl.info/Groestl.pdf Submission doc.] [[#Ref007|[7]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || P & Q permutation in parallel || UMC 0.18 µm || align="right"| 341 kGates || align="right"| 6225 Mbit/s || align="right"| 85.1 MHz<br />
|-<br />
| Hamsi-256 || [http://homes.esat.kuleuven.be/~okucuk/hamsi/implementations.html Junfeng Fan (Hamsi website)] [[#Ref016|[16]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || 0.13 µm || align="right"| 22 kGates || align="right"| 4940 Mbit/s || align="right"| 1080 MHz<br />
|-<br />
| Hamsi-256 || [http://eprint.iacr.org/2009/510.pdf Tillich et al.] [[#Ref014|[14]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Three instances of P/Pf function unrolled || UMC 0.18 µm || align="right"| 58.66 kGates || align="right"| 5565 Mbit/s || align="right"| 173.91 MHz<br />
|-<br />
| Hamsi-256 || [http://www.springerlink.com/content/g0115v3272156r06/ Henzen et al.] [[#Ref029|[29]]] / [http://www.iis.ee.ethz.ch/~sha3/ ETH webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Message expansions in LUTs, one round per cycle || UMC 90 nm || align="right"| 45 kGates || align="right"| 8686 Mbit/s || align="right"| 814 MHz<br />
|-<br />
| Hamsi-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SCHAUMONT_SHA3.pdf Guo et al.] [[#Ref035|[35]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || UMC 0.13 µm || align="right"| 29.94 kGates || align="right"| 3571 Mbit/s || align="right"| 446 MHz<br />
|-<br />
| Hamsi-256 || [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] [[#Ref037|[37]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || STM 90 nm || align="right"| 67.6 kGates || align="right"| 7767 Mbit/s || align="right"| 970.9 MHz<br />
|-<br />
| Hamsi-512 || [http://homes.esat.kuleuven.be/~okucuk/hamsi/implementations.html Junfeng Fan (Hamsi website)] [[#Ref016|[16]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || 0.13 µm || align="right"| 50 kGates || align="right"| 3970 Mbit/s || align="right"| 820 MHz<br />
|-<br />
| JH-256 || [http://eprint.iacr.org/2009/510.pdf Tillich et al.] [[#Ref014|[14]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 320 S-boxes, one round of R<sub>8</sub> per cycle || UMC 0.18 µm || align="right"| 58.83 kGates || align="right"| 4991 Mbit/s || align="right"| 380.22 MHz<br />
|-<br />
| JH-256 || [http://www.springerlink.com/content/g0115v3272156r06/ Henzen et al.] [[#Ref029|[29]]] / [http://www.iis.ee.ethz.ch/~sha3/ ETH webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || S-boxes as LUTs, stored constants || UMC 90 nm || align="right"| 80 kGates || align="right"| 10807 Mbit/s || align="right"| 760 MHz<br />
|-<br />
| JH-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SCHAUMONT_SHA3.pdf Guo et al.] [[#Ref035|[35]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || UMC 0.13 µm || align="right"| 62.42 kGates || align="right"| 5128 Mbit/s || align="right"| 391 MHz<br />
|-<br />
| JH-256 || [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] [[#Ref037|[37]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || STM 90 nm || align="right"| 54.6 kGates || align="right"| 10022 Mbit/s || align="right"| 763.4 MHz<br />
|-<br />
| Keccak || [http://keccak.noekeon.org/Keccak-main-1.2.pdf Updated spec. (v1.2)] [[#Ref008|[8]]] / [http://keccak.noekeon.org/ Submission webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Core (round function, state register) & IO buffer || ST 0.13 µm || align="right"| 48 kGates || align="right"| 29900 Mbit/s || align="right"| 526 MHz<br />
|-<br />
| Keccak || [http://keccak.noekeon.org/Keccak-specifications.pdf Submission doc.] [[#Ref008|[8]]] / [http://keccak.noekeon.org/ Submission webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Core (round function, state register) only || ST 0.13 µm || align="right"| 40 kGates || align="right"| 15000 Mbit/s || align="right"| 500 MHz<br />
|-<br />
| Keccak(-256) || [http://eprint.iacr.org/2009/510.pdf Tillich et al.] [[#Ref014|[14]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || One instance of Keccak-f round || UMC 0.18 µm || align="right"| 56.32 kGates || align="right"| 21229 Mbit/s || align="right"| 487.80 MHz<br />
|-<br />
| Keccak(-256) || [http://www.springerlink.com/content/g0115v3272156r06/ Henzen et al.] [[#Ref029|[29]]] / [http://www.iis.ee.ethz.ch/~sha3/ ETH webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || One round per cycle || UMC 90 nm || align="right"| 50 kGates || align="right"| 43011 Mbit/s || align="right"| 949 MHz<br />
|-<br />
| Keccak(-256) || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SCHAUMONT_SHA3.pdf Guo et al.] [[#Ref035|[35]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || UMC 0.13 µm || align="right"| 47.43 kGates || align="right"| 15457 Mbit/s || align="right"| 377 MHz<br />
|-<br />
| Keccak || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SAVAS_SHA3_NIST_final.pdf Akin et al.] [[#Ref034|[34]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || One Keccak-f round per cycle || Synopsys 90 nm || align="right"| 10.5 kGates || align="right"| 19320 Mbit/s || align="right"| 454.5 MHz<br />
|-<br />
| Keccak(-256) || [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] [[#Ref037|[37]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || STM 90 nm || align="right"| 50.7 kGates || align="right"| 33333 Mbit/s || align="right"| 781.3 MHz<br />
<br />
|-<br />
| Keccak(-256) || [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/others.html RCIS webpage] [[#Ref039|[39]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/others.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || STM 90 nm || align="right"| 55.9 kGates || align="right"| 43986 Mbit/s || align="right"| 1030.9 MHz<br />
<br />
|-<br />
| Luffa-224/256 || [http://www.cosic.esat.kuleuven.be/publications/article-1282.pdf Knežević and Verbauwhede] [[#Ref017|[17]]] / [http://homes.esat.kuleuven.be/~mknezevi/luffa/luffa_hw_code.tar.gz Author's webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Three permutation blocks in parallel (64 S-boxes, 4 MixWord blocks each) || UMC 0.13 µm || align="right"| 30.83 kGates || align="right"| 31960 Mbit/s || align="right"| 1124 MHz<br />
|-<br />
| Luffa-256 || [http://www.vlsi.uwaterloo.ca/~ahasan/hasan_report.html Namin and Hasan] [[#Ref002|[2]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function (1 cycle latency) and I/O registers || STM 90 nm || align="right"| 122 kGates || align="right"| 25702 Mbit/s(*) || align="right"| 100.4 MHz<br />
|-<br />
| Luffa-224/256 || [http://eprint.iacr.org/2009/510.pdf Tillich et al.] [[#Ref014|[14]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Three permutation blocks in parallel (64 S-boxes, 4 MixWord blocks each) || UMC 0.18 µm || align="right"| 44.97 kGates || align="right"| 13741 Mbit/s || align="right"| 483.09 MHz<br />
|-<br />
| Luffa-256 || [http://www.springerlink.com/content/g0115v3272156r06/ Henzen et al.] [[#Ref029|[29]]] / [http://www.iis.ee.ethz.ch/~sha3/ ETH webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Three parallel step modules, SubCrumb as logic || UMC 90 nm || align="right"| 55 kGates || align="right"| 23256 Mbit/s || align="right"| 727 MHz<br />
|-<br />
| Luffa-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SCHAUMONT_SHA3.pdf Guo et al.] [[#Ref035|[35]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || UMC 0.13 µm || align="right"| 37.94 kGates || align="right"| 13943 Mbit/s || align="right"| 490 MHz<br />
|-<br />
| Luffa-256 || [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] [[#Ref037|[37]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || STM 90 nm || align="right"| 39.6 kGates || align="right"| 28732 Mbit/s || align="right"| 1010.1 MHz<br />
<br />
|-<br />
| Luffa-256 || [http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=5513102&tag=1 Satoh et al.] [[#Ref038|[38]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/others.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Three permutation blocks in parallel (64 S-boxes, 4 MixWord blocks each), two rounds unrolled || STM 90 nm || align="right"| 62.8 kGates || align="right"| 35068.5 Mbit/s || align="right"| 684.9 MHz<br />
<br />
|-<br />
| Luffa-384 || [http://www.cosic.esat.kuleuven.be/publications/article-1282.pdf Knežević and Verbauwhede] [[#Ref017|[17]]] / [http://homes.esat.kuleuven.be/~mknezevi/luffa/luffa_hw_code.tar.gz Author's webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Four permutation blocks in parallel (64 S-boxes, 4 MixWord blocks each) || UMC 0.13 µm || align="right"| 50.07 kGates || align="right"| 23126 Mbit/s || align="right"| 813 MHz<br />
|-<br />
| Luffa-512 || [http://www.cosic.esat.kuleuven.be/publications/article-1282.pdf Knežević and Verbauwhede] [[#Ref017|[17]]] / [http://homes.esat.kuleuven.be/~mknezevi/luffa/luffa_hw_code.tar.gz Author's webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Five permutation blocks in parallel (64 S-boxes, 4 MixWord blocks each) || UMC 0.13 µm || align="right"| 65.1 kGates || align="right"| 19617 Mbit/s || align="right"| 690 MHz<br />
|-<br />
| Luffa || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SAVAS_SHA3_NIST_final.pdf Akin et al.] [[#Ref034|[34]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || Three step modules || Synopsys 90 nm || align="right"| 11.5 kGates || align="right"| 21370 Mbit/s || align="right"| 769.2 MHz<br />
|-<br />
| Shabal-256 || [http://www.vlsi.uwaterloo.ca/~ahasan/hasan_report.html Namin and Hasan] [[#Ref002|[2]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with I/O registers (latency of 16 clock cycles) || STM 90 nm || align="right"| 20 kGates || align="right"| 4408 Mbit/s(*) || align="right"| 413.22 MHz<br />
|-<br />
| Shabal-256 || [http://eprint.iacr.org/2009/510.pdf Tillich et al.] [[#Ref014|[14]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || One word rotation per cycle, 50 cycles per block || UMC 0.18 µm || align="right"| 54.19 kGates || align="right"| 3282 Mbit/s || align="right"| 320.51 MHz<br />
|-<br />
| Shabal || [http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=5236043 Bernet et al.] [[#Ref020|[20]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || One word rotation per cycle, 52 cycles per block || 0.13 µm || align="right"| 41.32 kGates || align="right"| 6351 Mbit/s(***) || align="right"| 645 MHz<br />
|-<br />
| Shabal-256 || [http://www.springerlink.com/content/g0115v3272156r06/ Henzen et al.] [[#Ref029|[29]]] / [http://www.iis.ee.ethz.ch/~sha3/ ETH webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 30 adders, 16 subtractors || UMC 90 nm || align="right"| 45 kGates || align="right"| 6819 Mbit/s || align="right"| 693 MHz<br />
|-<br />
| Shabal-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SCHAUMONT_SHA3.pdf Guo et al.] [[#Ref035|[35]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || UMC 0.13 µm || align="right"| 49.44 kGates || align="right"| 2945 Mbit/s || align="right"| 362 MHz<br />
|-<br />
| Shabal-256 || [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] [[#Ref037|[37]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || STM 90 nm || align="right"| 34.6 kGates || align="right"| 6059 Mbit/s || align="right"| 591.7 MHz<br />
|-<br />
| SHAvite-3<sub>256</sub> || [http://eprint.iacr.org/2009/510.pdf Tillich et al.] [[#Ref014|[14]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Four AES rounds (two for compression, two for message expansion) || UMC 0.18 µm || align="right"| 57.39 kGates || align="right"| 3152 Mbit/s || align="right"| 227.79 MHz<br />
|-<br />
| SHAvite-3<sub>256</sub> || [http://www.springerlink.com/content/g0115v3272156r06/ Henzen et al.] [[#Ref029|[29]]] / [http://www.iis.ee.ethz.ch/~sha3/ ETH webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || One AES round each for message expansion and F<sup>3</sup> round || UMC 90 nm || align="right"| 75 kGates || align="right"| 7999 Mbit/s || align="right"| 562 MHz<br />
|-<br />
| SHAvite-3<sub>256</sub> || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SCHAUMONT_SHA3.pdf Guo et al.] [[#Ref035|[35]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || UMC 0.13 µm || align="right"| 55.25 kGates || align="right"| 4599 Mbit/s || align="right"| 341 MHz<br />
|-<br />
| SHAvite-3<sub>256</sub> || [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] [[#Ref037|[37]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || STM 90 nm || align="right"| 59.4 kGates || align="right"| 8421 Mbit/s || align="right"| 625 MHz<br />
|-<br />
| SIMD-256(**) || [http://eprint.iacr.org/2009/510.pdf Tillich et al.] [[#Ref014|[14]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Two FFT-64 with two FFT-8 and 16 multipliers (8x8 bit) each || UMC 0.18 µm || align="right"| 104.17 kGates || align="right"| 924 Mbit/s || align="right"| 64.93 MHz<br />
|-<br />
| SIMD-256 || [http://www.springerlink.com/content/g0115v3272156r06/ Henzen et al.] [[#Ref029|[29]]] / [http://www.iis.ee.ethz.ch/~sha3/ ETH webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Four parallel Feistel modules, message expansion based on NNT<sub>8</sub> and eight multipliers || UMC 90 nm || align="right"| 135 kGates || align="right"| 5177 Mbit/s || align="right"| 364 MHz<br />
|-<br />
| SIMD-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SCHAUMONT_SHA3.pdf Guo et al.] [[#Ref035|[35]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || UMC 0.13 µm || align="right"| 139.55 kGates || align="right"| 2157 Mbit/s || align="right"| 194 MHz<br />
|-<br />
| SIMD-256 || [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] [[#Ref037|[37]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || STM 90 nm || align="right"| 139 kGates || align="right"| 3171 Mbit/s || align="right"| 284.9 MHz<br />
|-<br />
| Skein-256-256 || [http://eprint.iacr.org/2009/159.pdf Stefan Tillich] [[#Ref012|[12]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 8 Threefish rounds unrolled || UMC 0.18 µm || align="right"| 53.87 kGates || align="right"| 1762 Mbit/s || align="right"| 68.8 MHz<br />
|-<br />
| Skein-256-256 || [http://www.vlsi.uwaterloo.ca/~ahasan/hasan_report.html Namin and Hasan] [[#Ref002|[2]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || All 72 Threefish rounds unrolled || STM 90 nm || align="right"| 369 kGates || align="right"| 3126 Mbit/s(*) || align="right"| 12.21 MHz<br />
|-<br />
| Skein-256-256 || [http://eprint.iacr.org/2009/510.pdf Tillich et al.] [[#Ref014|[14]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 8 Threefish rounds unrolled || UMC 0.18 µm || align="right"| 58.61 kGates || align="right"| 1882 Mbit/s || align="right"| 73.52 MHz<br />
|-<br />
| Skein-256-256 || [http://www.springerlink.com/content/g0115v3272156r06/ Henzen et al.] [[#Ref029|[29]]] / [http://www.iis.ee.ethz.ch/~sha3/ ETH webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Four unrolled Threefish rounds || UMC 90 nm || align="right"| 50 kGates || align="right"| 3558 Mbit/s || align="right"| 264 MHz<br />
|-<br />
| Skein-256-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SCHAUMONT_SHA3.pdf Guo et al.] [[#Ref035|[35]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || UMC 0.13 µm || align="right"| 40.9 kGates || align="right"| 1941 Mbit/s || align="right"| 159 MHz<br />
|-<br />
| Skein-256-256 || [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] [[#Ref037|[37]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || STM 90 nm || align="right"| 43.1 kGates || align="right"| 3295 Mbit/s || align="right"| 270.3 MHz<br />
|-<br />
| Skein-512-512 || [http://eprint.iacr.org/2009/510.pdf Tillich et al.] [[#Ref014|[14]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 8 Threefish rounds unrolled || UMC 0.18 µm || align="right"| 102.04 kGates || align="right"| 2502 Mbit/s || align="right"| 48.87 MHz<br />
|-<br />
| Skein-512 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/WALKER_skein-intel-hwd.pdf Walker et al.] [[#Ref036|[36]]] / N/A] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 8 Threefish rounds unrolled || Intel 32 nm || align="right"| 57.93 kGates || align="right"| 32320 Mbit/s || align="right"| 631.31 MHz<br />
|}<br />
<br />
(*) Estimated peak throughput for the minimal delay of compression function: 1000 * (Input Size in bits) / [(Compression Function Delay in ns) * (Number of Cycles)] = Throughput in Mbit/s.<br />
<br /><br />
(**) Implementation of round-one variant.<br />
<br /><br />
(***) Estimated peak throughput: Throughput for CubeHash8/1-h implementation * 16.<br />
<br />
<br><br><br />
<br />
=== Low-Area Implementations (ASIC) ===<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="120"| Hash Function Name !! width="150"| Reference / HDL !! width="100"| Impl. Scope !! width="200"| Implementation Details !! width="100"| Technology !! width="80"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| BLAKE-32 || [http://eprint.iacr.org/2009/349.pdf Tillich et al.] [[#Ref018|[18]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || One G function in 11 cycles || AMS 0.35 µm || align="right"| 25.57 kGates || align="right"| 15.4 Mbit/s || align="right"| 31.25 MHz<br />
|-<br />
| BLAKE-32 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with a single G function unit || UMC 0.18 µm || align="right"| 10.54 kGates || align="right"| 253 Mbit/s || align="right"| 40 MHz<br />
|-<br />
| BLAKE-32 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with a half G function unit || UMC 0.18 µm || align="right"| 9.89 kGates || align="right"| 127 Mbit/s || align="right"| 40 MHz<br />
|-<br />
| BLAKE-32 || [http://131002.net/data/papers/HAMP10.pdf Henzen et al.] [[#Ref040|[40]]] / [http://131002.net/blake/ Submission webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 1 adder and 4-word latch array || UMC 0.18 µm || align="right"| 13.56 kGates || align="right"| 135 Mbit/s || align="right"| 215 MHz<br />
|-<br />
| BLAKE-32 || [http://131002.net/data/papers/HAMP10.pdf Henzen et al.] [[#Ref040|[40]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_with_External_Memory|Using external memory]] || 1 adder and 4-word latch array || UMC 0.18 µm || align="right"| 8.60 kGates || align="right"| 62 Mbit/s || align="right"| 100 MHz<br />
|-<br />
| BLAKE-64 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with a single G function unit || UMC 0.18 µm || align="right"| 20.61 kGates || align="right"| 181 Mbit/s || align="right"| 20 MHz<br />
|-<br />
| BLAKE-64 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with a half G function unit || UMC 0.18 µm || align="right"| 19.46 kGates || align="right"| 91 Mbit/s || align="right"| 20 MHz<br />
|-<br />
| CubeHash16/32-h || [http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=5236043 Bernet et al.] [[#Ref020|[20]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Process two 32-bit words per cycle, 64 cycles per round || 0.13 µm || align="right"| 7.63 kGates || align="right"| 32 Mbit/s(****) || align="right"| 100 MHz<br />
|-<br />
| ECHO-224/256 || [http://www.ucc.ie/en/crypto/CodingandCryptographyWorkshop/TheClaudeShannonWorkshoponCodingCryptography2009/DocumentFile,75649,en.pdf Lu et al.] [[#Ref005|[5]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || 0.13 µm || align="right"| 82.8 kGates || align="right"| 373 Mbit/s || align="right"| 66.6 MHz<br />
|-<br />
| Fugue-256 || [http://domino.research.ibm.com/comm/research_projects.nsf/pages/fugue.index.html/$FILE/NIST-submission-Oct08-fugue.pdf Submission doc.] [[#Ref015|[15]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || One SMIX transformation (SUPER1_L) || IBM 90 nm || align="right"| 59.22 kGates || align="right"| 2000 Mbit/s || align="right"| 500 MHz<br />
|-<br />
| Grøstl-224/256 || [http://eprint.iacr.org/2009/349.pdf Tillich et al.] [[#Ref018|[18]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 64-bit datapath, P & Q permutation shared || AMS 0.35 µm || align="right"| 14.62 kGates || align="right"| 145.9 Mbit/s || align="right"| 55.87 MHz<br />
|-<br />
| Grøstl-224/256 || [http://www.groestl.info Grøstl website] [[#Ref019|[19]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 64-bit datapath, P & Q permutation shared || UMC 0.18 µm || align="right"| 17 kGates || align="right"| 645 Mbit/s || align="right"| 246.9 MHz<br />
<br />
|-<br />
| Grøstl-256 || [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/others.html RCIS webpage] [[#Ref039|[39]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/others.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || STM 90 nm || align="right"| 34.8 kGates || align="right"| 2478 Mbit/s || align="right"| 101.6 MHz<br />
<br />
|-<br />
| Keccak || [http://keccak.noekeon.org/Keccak-main-1.2.pdf Updated spec. (v1.2)] [[#Ref008|[8]]] / [http://keccak.noekeon.org/ Submission webpage] || [[#Implementation_with_External_Memory|Using external memory]] || Small core using system memory || ST 0.13 µm || align="right"| 6.5 kGates || align="right"| 176.4 Mbit/s(*) || align="right"| 666.7 MHz<br />
|-<br />
| Keccak || [http://keccak.noekeon.org/Keccak-main-1.2.pdf Updated spec. (v1.2)] [[#Ref008|[8]]] / [http://keccak.noekeon.org/ Submission webpage] || [[#Implementation_with_External_Memory|Using external memory]] || Small core using system memory, clock freq. limited to 200 MHz || ST 0.13 µm || align="right"| 5 kGates || align="right"| 52.9 Mbit/s(**) || align="right"| 200 MHz<br />
|-<br />
| Luffa-224/256 || [http://www.cosic.esat.kuleuven.be/publications/article-1282.pdf Knežević and Verbauwhede] [[#Ref017|[17]]] / [http://homes.esat.kuleuven.be/~mknezevi/luffa/luffa_hw_code.tar.gz Author's webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || One permutation block (64 S-boxes, 4 MixWord blocks) || UMC 0.13 µm || align="right"| 18.26 kGates || align="right"| 2461 Mbit/s || align="right"| 250 MHz<br />
|-<br />
| Luffa-256 || [http://www.sdl.hitachi.co.jp/crypto/luffa/ACompactHardwareImplementationOfSHA-3CandidateLuffa_20100810.pdf Mikami et al.] [[#Ref027|[27]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || One permutation block (64 S-boxes, 4 MixWord blocks) || UMC 0.13 µm || align="right"| 10.34 kGates || align="right"| 538 Mbit/s || align="right"| 806 MHz<br />
<br />
|-<br />
| Luffa-256 || [http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=5513102&tag=1 Satoh et al.] [[#Ref038|[38]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/others.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || One permutation block (64 S-boxes, 4 MixWord blocks) || STM 90 nm || align="right"| 14.7 kGates || align="right"| 3641.1 Mbit/s || align="right"| 355.9 MHz<br />
<br />
|-<br />
| Luffa-384 || [http://www.cosic.esat.kuleuven.be/publications/article-1282.pdf Knežević and Verbauwhede] [[#Ref017|[17]]] / [http://homes.esat.kuleuven.be/~mknezevi/luffa/luffa_hw_code.tar.gz Author's webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 6 S-boxes, 1 MixWord || TSMC 90 nm || align="right"| 27.13 kGates || align="right"| 1882 Mbit/s || align="right"| 250 MHz<br />
|-<br />
| Luffa-512 || [http://www.cosic.esat.kuleuven.be/publications/article-1282.pdf Knežević and Verbauwhede] [[#Ref017|[17]]] / [http://homes.esat.kuleuven.be/~mknezevi/luffa/luffa_hw_code.tar.gz Author's webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || One permutation block (64 S-boxes, 4 MixWord blocks) || UMC 0.13 µm || align="right"| 37.35 kGates || align="right"| 1524 Mbit/s || align="right"| 250 MHz<br />
|-<br />
| Shabal || [http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=5236043 Bernet et al.] [[#Ref020|[20]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || One adder, one subtractor, one incrementer. 165 cycles per block || 0.13 µm || align="right"| 23.32 kGates || align="right"| 310 Mbit/s || align="right"| 100 MHz<br />
|-<br />
| Skein-256-256 || [http://eprint.iacr.org/2009/349.pdf Tillich et al.] [[#Ref018|[18]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 64-bit datapath || AMS 0.35 µm || align="right"| 12.89 kGates || align="right"| 19.8 Mbit/s || align="right"| 80 MHz<br />
|-<br />
| Skein-256-256 || [http://www.vlsi.uwaterloo.ca/~ahasan/hasan_report.html Namin and Hasan] [[#Ref002|[2]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || One round of Threefish iterated || STM 90 nm || align="right"| 21 kGates || align="right"| 1018.8 Mbit/s(***) || align="right"| 286.53 MHz<br />
|}<br />
<br />
(*) Estimation for 64-bit memory interface: (1024 bits/permutation) * (666.7 * 10^6 cycles/s) / (3870 cycles/permutation) = 176.41 * 10^6 bits/s<br />
<br /><br />
(**) Estimation for 64-bit memory interface: (1024 bits/permutation) * (200 * 10^6 cycles/s) / (3870 cycles/permutation) = 52.92 * 10^6 bits/s<br />
<br /><br />
(***) Estimated peak throughput for the minimal delay of compression function: 1000 * (Input Size in bits) / [(Compression Function Delay in ns) * (Number of Cycles)] = Throughput in Mbit/s<br />
<br /><br />
(****) Estimated peak throughput: Throughput for CubeHash8/1-h implementation * 16.<br />
<br />
<br /><br />
<br /><br />
<br />
== Comparative Studies ==<br />
<br />
This section summarizes the reported results of publications which examined more than one round-two candidate in a similar setup.<br />
<br />
=== Blake, BMW, Luffa, Shabal, Skein ===<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="200"| Reference !! width="120"| HDL !! width="120"| Category !! width="100"| Impl. Scope !! width="120"| Technology<br />
|- <br />
| [http://www.vlsi.uwaterloo.ca/~ahasan/hasan_report.html Namin and Hasan] [[#Ref002|[2]]] || N/A || [[#High-Speed_Implementations_(FPGA)|High-speed FPGA]] || [[#Implementation_of_Core_Functionality|Core functionality]] || Altera Stratix III<br />
|}<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="140"| Hash Function Name !! width="270"| Impl. Details !! width="90"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| BLAKE-32 || Compression function with 8 G function units and I/O registers || align="right"| 5435 ALUTs || align="right"| 2186.2 Mbit/s || align="right"| 46.97 MHz<br />
|-<br />
| Blue Midnight Wish-256 || Compression function with f0, f1, and f2 unrolled in sequence and I/O registers || align="right"| 12917 ALUTs || align="right"| 4889.6 Mbit/s || align="right"| 9.55 MHz<br />
|-<br />
| Luffa-256 || Compression function (1 cycle latency) and I/O registers || align="right"| 16552 ALUTs || align="right"| 12042.2 Mbit/s || align="right"| 47.04 MHz<br />
|-<br />
| Shabal-256 || Compression function with I/O registers (latency of 16 clock cycles) || align="right"| 1440 ALUTs || align="right"| 3125.6 Mbit/s || align="right"| 195.35 MHz<br />
|-<br />
| Skein-256-256 || All 72 Threefish rounds unrolled (device too small) || align="right"| N/A || align="right"| N/A || align="right"| N/A<br />
|}<br />
<br />
<br />
----<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="200"| Reference !! width="120"| HDL !! width="120"| Category !! width="100"| Impl. Scope !! width="120"| Technology<br />
|- <br />
| [http://www.vlsi.uwaterloo.ca/~ahasan/hasan_report.html Namin and Hasan] [[#Ref002|[2]]] || N/A || [[#High-Speed_Implementations_(ASIC)|High-speed ASIC]] || [[#Implementation_of_Core_Functionality|Core functionality]] || STM 90 nm<br />
|}<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="140"| Hash Function Name !! width="270"| Impl. Details !! width="90"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| BLAKE-32 || Compression function with 8 G function units and I/O registers || align="right"| 53 kGates || align="right"| 4475 Mbit/s(*) || align="right"| 96.15 MHz<br />
|-<br />
| Blue Midnight Wish-256 || Compression function with f0, f1, and f2 unrolled in sequence and I/O registers || align="right"| 164 kGates || align="right"| 26665 Mbit/s(*) || align="right"| 52.08 MHz<br />
|-<br />
| Luffa-256 || Compression function (1 cycle latency) and I/O registers || align="right"| 122 kGates || align="right"| 25702 Mbit/s(*) || align="right"| 100.4 MHz<br />
|-<br />
| Shabal-256 || Compression function with I/O registers (latency of 16 clock cycles) || align="right"| 20 kGates || align="right"| 4408 Mbit/s(*) || align="right"| 413.22 MHz<br />
|-<br />
| Skein-256-256 || All 72 Threefish rounds unrolled || align="right"| 369 kGates || align="right"| 3126 Mbit/s(*) || align="right"| 12.21 MHz<br />
|}<br />
<br />
(*) Estimated peak throughput for the minimal delay of compression function: 1000 * (Input Size in bits) / [(Compression Function Delay in ns) * (Number of Cycles)] = Throughput in Mbit/s.<br />
<br />
<br /><br />
<br /><br />
<br />
=== Blake, CubeHash, ECHO, Grøstl, Hamsi, Luffa, Shabal, Skein ===<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="200"| Reference !! width="120"| HDL !! width="120"| Category !! width="100"| Impl. Scope !! width="120"| Technology<br />
|- <br />
| [http://eprint.iacr.org/2010/010.pdf Kobayashi et al.] [[#Ref003|[3]]] || [http://www.rcis.aist.go.jp/special/SASEBO/SHA3-en.html RCIS webpage] || [[#High-Speed_Implementations_(FPGA)|High-speed FPGA]] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Xilinx Virtex 5<br />
|}<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="140"| Hash Function Name !! width="270"| Impl. Details !! width="90"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| BLAKE-32 || || align="right"| 1660 slices || align="right"| 2676 Mbit/s || align="right"| 115 MHz<br />
|-<br />
| CubeHash16/32-256 || || align="right"| 590 slices || align="right"| 2960 Mbit/s || align="right"| 185 MHz<br />
|-<br />
| ECHO-256 || || align="right"| 3556 slices || align="right"| 1614 Mbit/s || align="right"| 104 MHz<br />
|-<br />
| Grøstl-256 || || align="right"| 4057 slices || align="right"| 5171 Mbit/s || align="right"| 101 MHz<br />
|-<br />
| Hamsi-256 || || align="right"| 718 slices || align="right"| 1680 Mbit/s || align="right"| 210 MHz<br />
|-<br />
| Luffa-256 || || align="right"| 1048 slices || align="right"| 6343 Mbit/s || align="right"| 223 MHz<br />
|-<br />
| Shabal-256 || || align="right"| 1251 slices || align="right"| 1739 Mbit/s || align="right"| 214 MHz<br />
|-<br />
| Skein-256 || || align="right"| 854 slices || align="right"| 1482 Mbit/s || align="right"| 115 MHz<br />
|}<br />
<br />
<br /><br />
<br /><br />
<br />
=== CubeHash, Grøstl, Shabal ===<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="200"| Reference !! width="120"| HDL !! width="120"| Category !! width="100"| Impl. Scope !! width="120"| Technology<br />
|- <br />
| [http://eprint.iacr.org/2009/342.pdf Baldwin et al.] [[#Ref004|[4]]] || N/A || [[#High-Speed_Implementations_(FPGA)|High-speed FPGA]] || [[#Implementation_of_Core_Functionality|Core functionality]] || Xilinx Spartan 3<br />
|}<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="140"| Hash Function Name !! width="270"| Impl. Details !! width="90"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| CubeHash8/1-256(*) || 2 compression functions unrolled || align="right"| 3268 slices || align="right"| 70 Mbit/s || align="right"| 37.9 MHz<br />
|-<br />
| Grøstl-224/256 || P & Q permutation in parallel, S-box in BRAM || align="right"| 4827 slices || align="right"| 3660 Mbit/s || align="right"| 71.53 MHz<br />
|-<br />
| Grøstl-384/512 || P & Q permutation parallel, S-box in LUTs || align="right"| 17452 slices || align="right"| 3180 Mbit/s || align="right"| 79.61 MHz<br />
|-<br />
| Shabal || 36 adders in permutation || align="right"| 2223 slices || align="right"| 740 Mbit/s || align="right"| 71.48 MHz<br />
|}<br />
<br />
(*) CubeHash16/32-h implemented in a similar fashion can be expected to have throughput increased by a factor of about 16.<br />
<br />
<br />
----<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="200"| Reference !! width="120"| HDL !! width="120"| Category !! width="100"| Impl. Scope !! width="120"| Technology<br />
|- <br />
| [http://eprint.iacr.org/2009/342.pdf Baldwin et al.] [[#Ref004|[4]]] || N/A || [[#High-Speed_Implementations_(FPGA)|High-speed FPGA]] || [[#Implementation_of_Core_Functionality|Core functionality]] || Xilinx Virtex 5<br />
|}<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="140"| Hash Function Name !! width="270"| Impl. Details !! width="90"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| CubeHash8/1-256(*) || 1 iterated compression function || align="right"| 1178 slices || align="right"| 160 Mbit/s || align="right"| 166.8 MHz<br />
|-<br />
| Grøstl-224/256 || P & Q permutation in parallel, S-box in BRAM || align="right"| 4516 slices || align="right"| 7310 Mbit/s || align="right"| 142.87 MHz<br />
|-<br />
| Grøstl-384/512 || P & Q permutation parallel, S-box in LUTs || align="right"| 19161 slices || align="right"| 6090 Mbit/s || align="right"| 83.33 MHz<br />
|-<br />
| Shabal || 36 adders in permutation || align="right"| 2768 slices || align="right"| 1450 Mbit/s || align="right"| 138.87 MHz<br />
|}<br />
<br />
(*) CubeHash16/32-h implemented in a similar fashion can be expected to have throughput increased by a factor of about 16.<br />
<br />
<br /><br />
<br /><br />
<br />
=== All 14 Round-Two Candidates ===<br />
<br />
Reported results are post-synthesis. An interactive graphical comparison of various area-performance tradeoffs of this study can be found [http://www.iaik.tugraz.at/content/research/vlsi/sha3hw/ here].<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="200"| Reference !! width="120"| HDL !! width="120"| Category !! width="100"| Impl. Scope !! width="120"| Technology<br />
|- <br />
| [http://eprint.iacr.org/2009/510.pdf Tillich et al.] [[#Ref014|[14]]] || [mailto:mfeldhof@iaik.tugraz.at On request] || [[#High-Speed_Implementations_(ASIC)|High-speed ASIC]] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || UMC 0.18 µm<br />
|}<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="140"| Hash Function Name !! width="270"| Impl. Details !! width="90"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| BLAKE-32 || Compression function with 4 G function units with CSAs || align="right"| 45.64 kGates || align="right"| 3971 Mbit/s || align="right"| 170.64 MHz<br />
|-<br />
| Blue Midnight Wish-256 || Compression function with f0, f1, and f2 unrolled || align="right"| 169.74 kGates || align="right"| 5358 Mbit/s || align="right"| 10.46 MHz<br />
|-<br />
| CubeHash16/32-h || Dynamically reconfigurable r and b parameters, two rounds unrolled || align="right"| 58.87 kGates || align="right"| 4665 Mbit/s || align="right"| 145.77 MHz<br />
|-<br />
| ECHO-256 || Four parallel AES rounds, 16 AES MixColumns 32-bit column multipliers || align="right"| 141.49 kGates || align="right"| 2246 Mbit/s || align="right"| 141.84 MHz<br />
|-<br />
| Fugue-256 || Four columns of SMIX transformation in parallel || align="right"| 46.26 kGates || align="right"| 4092 Mbit/s || align="right"| 255.75 MHz<br />
|-<br />
| Grøstl-256 || One shared permutation for P & Q, one pipeline stage || align="right"| 58.40 kGates || align="right"| 6290 Mbit/s || align="right"| 270.27 MHz<br />
|-<br />
| Hamsi-256 || Three instances of P/Pf function unrolled || align="right"| 58.66 kGates || align="right"| 5565 Mbit/s || align="right"| 173.91 MHz<br />
|-<br />
| JH-256 || 320 S-boxes, one round of R<sub>8</sub> per cycle || align="right"| 58.83 kGates || align="right"| 4991 Mbit/s || align="right"| 380.22 MHz<br />
|-<br />
| Keccak(-256) || One instance of Keccak-f round || align="right"| 56.32 kGates || align="right"| 21229 Mbit/s || align="right"| 487.80 MHz<br />
|-<br />
| Luffa-224/256 || Three permutation blocks in parallel (64 S-boxes, 4 MixWord blocks each) || align="right"| 44.97 kGates || align="right"| 13741 Mbit/s || align="right"| 483.09 MHz<br />
|-<br />
| Shabal-256 || One word rotation per cycle, 50 cycles per block || align="right"| 54.19 kGates || align="right"| 3282 Mbit/s || align="right"| 320.51 MHz<br />
|-<br />
| SHAvite-3<sub>256</sub> || Four AES rounds (two for compression, two for message expansion) || align="right"| 57.39 kGates || align="right"| 3152 Mbit/s || align="right"| 227.79 MHz<br />
|-<br />
| SIMD-256(*) || Two FFT-64 with two FFT-8 and 16 multipliers (8x8 bit) each || align="right"| 104.17 kGates || align="right"| 924 Mbit/s || align="right"| 64.93 MHz<br />
|-<br />
| Skein-256-256 || 8 Threefish rounds unrolled || align="right"| 58.61 kGates || align="right"| 1882 Mbit/s || align="right"| 73.52 MHz<br />
|-<br />
| Skein-512-512 || 8 Threefish rounds unrolled || align="right"| 102.04 kGates || align="right"| 2502 Mbit/s || align="right"| 48.87 MHz<br />
|}<br />
<br />
(*) Implementation of round-one variant.<br />
<br />
<br /><br />
<br /><br />
<br />
=== BLAKE, Grøstl, Skein ===<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="200"| Reference !! width="120"| HDL !! width="120"| Category !! width="100"| Impl. Scope !! width="120"| Technology<br />
|- <br />
| [http://eprint.iacr.org/2009/349.pdf Tillich et al.] [[#Ref018|[18]]] || N/A || [[#Low-Area_Implementations_(ASIC)|Low-area ASIC]] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || AMS 0.35 µm<br />
|}<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="140"| Hash Function Name !! width="270"| Impl. Details !! width="90"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| BLAKE-32 || One G function in 11 cycles || align="right"| 25.57 kGates || align="right"| 15.4 Mbit/s || align="right"| 31.25 MHz<br />
|-<br />
| Grøstl-224/256 || 64-bit datapath, P & Q permutation shared || align="right"| 14.62 kGates || align="right"| 145.9 Mbit/s || align="right"| 55.87 MHz<br />
|-<br />
| Skein-256-256 || 64-bit datapath || align="right"| 12.89 kGates || align="right"| 19.8 Mbit/s || align="right"| 80 MHz<br />
|}<br />
<br />
<br />
=== ECHO, Hamsi, Luffa ===<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="200"| Reference !! width="120"| HDL !! width="120"| Category !! width="100"| Impl. Scope !! width="120"| Technology<br />
|- <br />
| [http://ehash.iaik.tugraz.at/uploads/1/12/Ramakers_Narinx2010ECHO-Hamsi-Luffa_ExtendedAbstract_ENGLISH.pdf Ramakers and Narinx] [[#Ref025|[25]]] || [http://ehash.iaik.tugraz.at/uploads/2/27/Ramakers_Narinx2010ECHO-Hamsi-Luffa_VHDL_sources.zip Hosted by SHA-3 zoo] || [[#High-Speed_Implementations_(FPGA)|High-speed FPGA]] || [[#Implementation_of_Core_Functionality|Core functionality]] || Xilinx Virtex 5<br />
|}<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="140"| Hash Function Name !! width="270"| Impl. Details !! width="90"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| ECHO-256 || Straight-forward instantiation of complete compression function || align="right"| 15006 slices || align="right"| 23860 Mbit/s || align="right"| 139 MHz<br />
|-<br />
| ECHO-256 || Optimized: 4 x 2 AES round instances with pipeline register in BigSubWords || align="right"| 12061 slices || align="right"| 3560 Mbit/s || align="right"| 187 MHz<br />
|-<br />
| Hamsi-256 || Straight-forward instantiation of complete compression function || align="right"| 4664 slices || align="right"| 6620 Mbit/s || align="right"| 207 MHz<br />
|-<br />
| Hamsi-256 || Non-linear permutation block reused || align="right"| 2113 slices || align="right"| 1970 Mbit/s || align="right"| 308 MHz<br />
|-<br />
| Luffa-256 || Straight-forward instantiation of complete compression function || align="right"| 9611 slices || align="right"| 12290 Mbit/s || align="right"| 48.2 MHz<br />
|-<br />
| Luffa-256 || One step block reused for 8 rounds || align="right"| 2303 slices || align="right"| 5090 Mbit/s || align="right"| 179 MHz<br />
|}<br />
<br />
<br />
=== All 14 Round-Two Candidates ===<br />
<br />
Reported results of this study are post-P&amp;R performances of designs targeting high throughput.<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="200"| Reference !! width="120"| HDL !! width="120"| Category !! width="100"| Impl. Scope !! width="120"| Technology<br />
|- <br />
| [http://www.springerlink.com/content/g0115v3272156r06/ Henzen et al.] [[#Ref029|[29]]] || [http://www.iis.ee.ethz.ch/~sha3/ ETH webpage] || [[#High-Speed_Implementations_(ASIC)|High-speed ASIC]] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || UMC 90 nm<br />
|}<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="140"| Hash Function Name !! width="270"| Impl. Details !! width="90"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| BLAKE-32 || Four parallel G functions modules || align="right"| 47.5 kGates || align="right"| 9752 Mbit/s || align="right"| 400 MHz<br />
|-<br />
| Blue Midnight Wish-256 || single-cycle f0 and f2, f1 iteratively || align="right"| 150 kGates || align="right"| 8486 Mbit/s || align="right"| 298 MHz<br />
|-<br />
| CubeHash16/32-256 || One round per cycle, IV fixed || align="right"| 42.5 kGates || align="right"| 10667 Mbit/s || align="right"| 667 MHz<br />
|-<br />
| ECHO-256 || 8 AES rounds per cycle || align="right"| 260 kGates || align="right"| 13966 Mbit/s || align="right"| 291 MHz<br />
|-<br />
| Fugue-256 || S-box as LUT || align="right"| 55 kGates || align="right"| 8815 Mbit/s || align="right"| 551 MHz<br />
|-<br />
| Grøstl-256 || P and Q permutation interleaved with one pipeline stage, S-box as LUT || align="right"| 135 kGates || align="right"| 16254 Mbit/s || align="right"| 667 MHz<br />
|-<br />
| Hamsi-256 || Message expansions in LUTs, one round per cycle || align="right"| 45 kGates || align="right"| 8686 Mbit/s || align="right"| 814 MHz<br />
|-<br />
| JH-256 || S-boxes as LUTs, stored constants || align="right"| 80 kGates || align="right"| 10807 Mbit/s || align="right"| 760 MHz<br />
|-<br />
| Keccak(-256) || One round per cycle || align="right"| 50 kGates || align="right"| 43011 Mbit/s || align="right"| 949 MHz<br />
|-<br />
| Luffa-256 || Three parallel step modules, SubCrumb as logic || align="right"| 55 kGates || align="right"| 23256 Mbit/s || align="right"| 727 MHz<br />
|-<br />
| Shabal-256 || 30 adders, 16 subtractors || align="right"| 45 kGates || align="right"| 6819 Mbit/s || align="right"| 693 MHz<br />
|-<br />
| SHAvite-3<sub>256</sub> || One AES round each for message expansion and F<sup>3</sup> round || align="right"| 75 kGates || align="right"| 7999 Mbit/s || align="right"| 562 MHz<br />
|-<br />
| SIMD-256 || Four parallel Feistel modules, message expansion based on NNT<sub>8</sub> and eight multipliers || align="right"| 135 kGates || align="right"| 5177 Mbit/s || align="right"| 364 MHz<br />
|-<br />
| Skein-256-256 || Four unrolled Threefish rounds || align="right"| 50 kGates || align="right"| 3558 Mbit/s || align="right"| 264 MHz<br />
|}<br />
<br />
<br /><br />
<br /><br />
<br />
<br />
=== All 14 Round-Two Candidates ===<br />
<br />
Designs optimized towards throughput to area ratio. The cited results are those for the Xilinx Virtex 5 platform only. For a full listing of all ATHENa results refer to the [http://cryptography.gmu.edu/athena/ ATHENa webpage].<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="200"| Reference !! width="120"| HDL !! width="120"| Category !! width="100"| Impl. Scope !! width="120"| Technology<br />
|- <br />
| [http://www.springerlink.com/content/q41257x376615p22/ Gaj et al.] [[#Ref030|[30]]] || N/A || [[#High-Speed_Implementations_(FPGA)|High-speed FPGA]] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Xilinx Virtex 5<br />
|}<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="140"| Hash Function Name !! width="270"| Impl. Details !! width="90"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| BLAKE-32 || || align="right"| 1851 slices || align="right"| 2610.6 Mbit/s || align="right"| 102 MHz<br />
|-<br />
| Blue Midnight Wish-256 || || align="right"| 4400 slices || align="right"| 5576.7 Mbit/s || align="right"| 10.9 MHz<br />
|-<br />
| CubeHash16/32-256 || || align="right"| 730 slices || align="right"| 3189.8 Mbit/s || align="right"| 199.4 MHz<br />
|-<br />
| ECHO-256 || || align="right"| 6453 slices || align="right"| 10133.4 Mbit/s || align="right"| 178.1 MHz<br />
|-<br />
| Fugue-256 || || align="right"| 956 slices || align="right"| 3151.2 Mbit/s || align="right"| 98.5 MHz<br />
|-<br />
| Grøstl-256 || || align="right"| 1884 slices || align="right"| 8676.5 Mbit/s || align="right"| 355.9 MHz<br />
|-<br />
| Hamsi-256 || || align="right"| 946 slices || align="right"| 2646.2 Mbit/s || align="right"| 248.1 MHz<br />
|-<br />
| JH-256 || || align="right"| 1275 slices || align="right"| 4013.5 Mbit/s || align="right"| 282.2 MHz<br />
|-<br />
| Keccak(-256) || || align="right"| 1229 slices || align="right"| 10806.5 Mbit/s || align="right"| 238.4 MHz<br />
|-<br />
| Luffa-256 || || align="right"| 1154 slices || align="right"| 8008 Mbit/s || align="right"| 281.5 MHz<br />
|-<br />
| Shabal-256 || || align="right"| 1266 slices || align="right"| 2624 Mbit/s || align="right"| 128.1 MHz<br />
|-<br />
| SHAvite-3<sub>256</sub> || || align="right"| 1130 slices || align="right"| 2885.9 Mbit/s || align="right"| 208.6 MHz<br />
|-<br />
| SIMD-256 || || align="right"| 9288 slices || align="right"| 2325.9 Mbit/s || align="right"| 40.9 MHz<br />
|-<br />
| Skein-256-256 || || align="right"| 1312 slices || align="right"| 1416.1 Mbit/s || align="right"| 49.8 MHz<br />
|}<br />
<br />
<br /><br />
<br /><br />
<br />
<br />
=== All 14 Round-Two Candidates ===<br />
<br />
Results are without wrapper for long messages.<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="200"| Reference !! width="120"| HDL !! width="120"| Category !! width="100"| Impl. Scope !! width="120"| Technology<br />
|- <br />
| [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] || [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#High-Speed_Implementations_(FPGA)|High-speed FPGA]] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Xilinx Virtex 5<br />
|}<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="140"| Hash Function Name !! width="270"| Impl. Details !! width="90"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| BLAKE-32 || || align="right"| 1118 slices || align="right"| 1169 Mbit/s || align="right"| 118.06 MHz<br />
|-<br />
| BLAKE-64 || || align="right"| 1718 slices || align="right"| 1299 Mbit/s || align="right"| 90.91 MHz<br />
|-<br />
| Blue Midnight Wish-256 || || align="right"| 4997 slices || align="right"| 457 Mbit/s || align="right"| 14.02 MHz<br />
|-<br />
| Blue Midnight Wish-512 || || align="right"| 9810 slices || align="right"| 287 Mbit/s || align="right"| 10 MHz<br />
|-<br />
| CubeHash8/32 || || align="right"| 695 slices || align="right"| 2509 Mbit/s || align="right"| 166.83 MHz<br />
|-<br />
| ECHO-256 || || align="right"| 7372 slices || align="right"| 5373 Mbit/s || align="right"| 198.93 MHz<br />
|-<br />
| ECHO-512 || || align="right"| 8633 slices || align="right"| 18133 Mbit/s || align="right"| 166.69 MHz<br />
|-<br />
| Fugue-256 || || align="right"| 1689 slices || align="right"| 914 Mbit/s || align="right"| 200.04 MHz<br />
|-<br />
| Fugue-384 || || align="right"| 2380 slices || align="right"| 640 Mbit/s || align="right"| 200.08 MHz<br />
|-<br />
| Fugue-512 || || align="right"| 2596 slices || align="right"| 481 Mbit/s || align="right"| 200.16 MHz<br />
|-<br />
| Grøstl-256 || || align="right"| 2391 slices || align="right"| 3242 Mbit/s || align="right"| 101.32 MHz<br />
|-<br />
| Grøstl-512 || || align="right"| 4845 slices || align="right"| 3619 Mbit/s || align="right"| 123.4 MHz<br />
|-<br />
| Hamsi-256 || || align="right"| 1518 slices || align="right"| 358 Mbit/s || align="right"| 72.41 MHz<br />
|-<br />
| Hamsi-512 || || align="right"| 6229 slices || align="right"| 79 Mbit/s || align="right"| 16.51 MHz<br />
|-<br />
| JH || || align="right"| 1291 slices || align="right"| 1941 Mbit/s || align="right"| 250.13 MHz<br />
|-<br />
| Keccak(-224) || || align="right"| 1117 slices || align="right"| 5915 Mbit/s || align="right"| 189 MHz<br />
|-<br />
| Keccak(-256) || || align="right"| 1117 slices || align="right"| 6263 Mbit/s || align="right"| 189 MHz<br />
|-<br />
| Keccak(-384) || || align="right"| 1117 slices || align="right"| 8190 Mbit/s || align="right"| 189 MHz<br />
|-<br />
| Keccak(-512) || || align="right"| 1117 slices || align="right"| 8518 Mbit/s || align="right"| 189 MHz<br />
|-<br />
| Luffa-256 || || align="right"| 2221 slices || align="right"| 5333 Mbit/s || align="right"| 166.67 MHz<br />
|-<br />
| Luffa-384 || || align="right"| 3740 slices || align="right"| 5336 Mbit/s || align="right"| 166.75 MHz<br />
|-<br />
| Luffa-512 || || align="right"| 3700 slices || align="right"| 5336 Mbit/s || align="right"| 166.75 MHz<br />
|-<br />
| Shabal || || align="right"| 1583 slices || align="right"| 1469 Mbit/s || align="right"| 148.04 MHz<br />
|-<br />
| SHAvite-3<sub>256</sub> || || align="right"| 3125 slices || align="right"| 1170 Mbit/s || align="right"| 109.17 MHz<br />
|-<br />
| SHAvite-3<sub>512</sub> || || align="right"| 9775 slices || align="right"| 931 Mbit/s || align="right"| 59.4 MHz<br />
|-<br />
| SIMD-256 || || align="right"| 22704 slices || align="right"| 1338 Mbit/s || align="right"| 107.2 MHz<br />
|-<br />
| SIMD-512 || || align="right"| 43729 slices || align="right"| 2677 Mbit/s || align="right"| 107.2 MHz<br />
|-<br />
| Skein-512 || || align="right"| 1786 slices || align="right"| 1945 Mbit/s || align="right"| 83.65 MHz<br />
|}<br />
<br />
<br /><br />
<br /><br />
<br />
<br />
=== All 14 Round-Two Candidates ===<br />
<br />
Results include throughputs without interface overhead.<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="200"| Reference !! width="120"| HDL !! width="120"| Category !! width="100"| Impl. Scope !! width="120"| Technology<br />
|- <br />
| [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/MATSUO_SHA-3_Criteria_Hardware_revised.pdf Matsuo et al.] [[#Ref033|[33]]] || [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] || [[#High-Speed_Implementations_(FPGA)|High-speed FPGA]] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Xilinx Virtex 5<br />
|}<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="140"| Hash Function Name !! width="270"| Impl. Details !! width="90"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| BLAKE-32 || || align="right"| 1660 slices || align="right"| 2676 Mbit/s || align="right"| 115 MHz<br />
|-<br />
| Blue Midnight Wish-256 || || align="right"| 4350 slices || align="right"| 8704 Mbit/s || align="right"| 34 MHz<br />
|-<br />
| CubeHash16/32-256 || || align="right"| 590 slices || align="right"| 2960 Mbit/s || align="right"| 185 MHz<br />
|-<br />
| ECHO-256 || || align="right"| 2827 slices || align="right"| 2312 Mbit/s || align="right"| 149 MHz<br />
|-<br />
| Fugue-256 || || align="right"| 4013 slices || align="right"| 1248 Mbit/s || align="right"| 78 MHz<br />
|-<br />
| Grøstl-256 || || align="right"| 2616 slices || align="right"| 7885 Mbit/s || align="right"| 154 MHz<br />
|-<br />
| Hamsi-256 || || align="right"| 718 slices || align="right"| 1680 Mbit/s || align="right"| 210 MHz<br />
|-<br />
| JH-256 || || align="right"| 2661 slices || align="right"| 2639 Mbit/s || align="right"| 201 MHz<br />
|-<br />
| Keccak(-256) || || align="right"| 1433 slices || align="right"| 8397 Mbit/s || align="right"| 205 MHz<br />
|-<br />
| Luffa-256 || || align="right"| 1048 slices || align="right"| 7424 Mbit/s || align="right"| 261 MHz<br />
|-<br />
| Shabal-256 || || align="right"| 1251 slices || align="right"| 2335 Mbit/s || align="right"| 228 MHz<br />
|-<br />
| SHAvite-3<sub>256</sub> || || align="right"| 1063 slices || align="right"| 3382 Mbit/s || align="right"| 251 MHz<br />
|-<br />
| SIMD-256 || || align="right"| 3987 slices || align="right"| 835 Mbit/s || align="right"| 75 MHz<br />
|-<br />
| Skein-256-256 || || align="right"| 854 slices || align="right"| 1402 Mbit/s || align="right"| 115 MHz<br />
|}<br />
<br />
<br />
----<br />
<br />
<br />
Same implementations as in [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/MATSUO_SHA-3_Criteria_Hardware_revised.pdf Matsuo et al.] [[#Ref033|[33]]] implemented on STM 90 nm technology.<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="200"| Reference !! width="120"| HDL !! width="120"| Category !! width="100"| Impl. Scope !! width="120"| Technology<br />
|- <br />
| [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] [[#Ref037|[37]]] || [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] || [[#High-Speed_Implementations_(ASIC)|High-speed ASIC]] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || STM 90 nm<br />
|}<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="140"| Hash Function Name !! width="270"| Impl. Details !! width="90"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| BLAKE-32 || || align="right"| 37 kGates || align="right"| 6668 Mbit/s || align="right"| 286.5 MHz<br />
|-<br />
| Blue Midnight Wish-256 || || align="right"| 128.7 kGates || align="right"| 25937 Mbit/s || align="right"| 101.3 MHz<br />
|-<br />
| CubeHash16/32-256 || || align="right"| 35.5 kGates || align="right"| 8247 Mbit/s || align="right"| 515.5 MHz<br />
|-<br />
| ECHO-256 || || align="right"| 101.1 kGates || align="right"| 5621 Mbit/s || align="right"| 362.3 MHz<br />
|-<br />
| Fugue-256 || || align="right"| 56.7 kGates || align="right"| 2721 Mbit/s || align="right"| 170.1 MHz<br />
|-<br />
| Grøstl-256 || || align="right"| 139.1 kGates || align="right"| 17297 Mbit/s || align="right"| 337.8 MHz<br />
|-<br />
| Hamsi-256 || || align="right"| 67.6 kGates || align="right"| 7767 Mbit/s || align="right"| 970.9 MHz<br />
|-<br />
| JH-256 || || align="right"| 54.6 kGates || align="right"| 10022 Mbit/s || align="right"| 763.4 MHz<br />
|-<br />
| Keccak(-256) || || align="right"| 50.7 kGates || align="right"| 33333 Mbit/s || align="right"| 781.3 MHz<br />
|-<br />
| Luffa-256 || || align="right"| 39.6 kGates || align="right"| 28732 Mbit/s || align="right"| 1010.1 MHz<br />
|-<br />
| Shabal-256 || || align="right"| 34.6 kGates || align="right"| 6059 Mbit/s || align="right"| 591.7 MHz<br />
|-<br />
| SHAvite-3<sub>256</sub> || || align="right"| 59.4 kGates || align="right"| 8421 Mbit/s || align="right"| 625 MHz<br />
|-<br />
| SIMD-256 || || align="right"| 139 kGates || align="right"| 3171 Mbit/s || align="right"| 284.9 MHz<br />
|-<br />
| Skein-256-256 || || align="right"| 43.1 kGates || align="right"| 3295 Mbit/s || align="right"| 270.3 MHz<br />
|}<br />
<br />
<br /><br />
<br /><br />
<br />
=== Blue Midnight Wish, Keccak, Luffa ===<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="200"| Reference !! width="120"| HDL !! width="120"| Category !! width="100"| Impl. Scope !! width="120"| Technology<br />
|- <br />
| [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SAVAS_SHA3_NIST_final.pdf Akin et al.] [[#Ref034|[34]]] || N/A || [[#High-Speed_Implementations_(FPGA)|High-speed FPGA]] || [[#Implementation_of_Core_Functionality|Core functionality]] || Xilinx Spartan 3<br />
|}<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="140"| Hash Function Name !! width="270"| Impl. Details !! width="90"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| Blue Midnight Wish || Compression function with f0, f1, and f2 unrolled in sequence || align="right"| 10531 slices || align="right"| 2110 Mbit/s || align="right"| 4.22 MHz<br />
|-<br />
| Keccak || One Keccak-f round per cycle || align="right"| 2024 slices || align="right"| 3460 Mbit/s || align="right"| 81.4 MHz<br />
|-<br />
| Luffa || Three step modules || align="right"| 2956 slices || align="right"| 1480 Mbit/s || align="right"| 157.3 MHz<br />
|}<br />
<br />
<br />
----<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="200"| Reference !! width="120"| HDL !! width="120"| Category !! width="100"| Impl. Scope !! width="120"| Technology<br />
|- <br />
| [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SAVAS_SHA3_NIST_final.pdf Akin et al.] [[#Ref034|[34]]] || N/A || [[#High-Speed_Implementations_(FPGA)|High-speed FPGA]] || [[#Implementation_of_Core_Functionality|Core functionality]] || Xilinx Virtex-II<br />
|}<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="140"| Hash Function Name !! width="270"| Impl. Details !! width="90"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| Blue Midnight Wish || Compression function with f0, f1, and f2 unrolled in sequence || align="right"| 10432 slices || align="right"| 3360 Mbit/s || align="right"| 6.71 MHz<br />
|-<br />
| Keccak || One Keccak-f round per cycle || align="right"| 2024 slices || align="right"| 5810 Mbit/s || align="right"| 136.6 MHz<br />
|-<br />
| Luffa || Three step modules || align="right"|2952 slices || align="right"| 8370 Mbit/s || align="right"| 301.4 MHz<br />
|}<br />
<br />
<br />
----<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="200"| Reference !! width="120"| HDL !! width="120"| Category !! width="100"| Impl. Scope !! width="120"| Technology<br />
|- <br />
| [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SAVAS_SHA3_NIST_final.pdf Akin et al.] [[#Ref034|[34]]] || N/A || [[#High-Speed_Implementations_(FPGA)|High-speed FPGA]] || [[#Implementation_of_Core_Functionality|Core functionality]] || Xilinx Virtex 4<br />
|}<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="140"| Hash Function Name !! width="270"| Impl. Details !! width="90"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| Blue Midnight Wish || Compression function with f0, f1, and f2 unrolled in sequence || align="right"| 10486 slices || align="right"| 4510 Mbit/s || align="right"| 9.01 MHz<br />
|-<br />
| Keccak || One Keccak-f round per cycle || align="right"| 2024 slices || align="right"| 6070 Mbit/s || align="right"| 142.9 MHz<br />
|-<br />
| Luffa || Three step modules || align="right"| 2989 slices || align="right"| 8560 Mbit/s || align="right"| 308.2 MHz<br />
|}<br />
<br />
<br />
----<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="200"| Reference !! width="120"| HDL !! width="120"| Category !! width="100"| Impl. Scope !! width="120"| Technology<br />
|- <br />
| [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SAVAS_SHA3_NIST_final.pdf Akin et al.] [[#Ref034|[34]]] || N/A || [[#High-Speed_Implementations_(ASIC)|High-speed ASIC]] || [[#Implementation_of_Core_Functionality|Core functionality]] || Synopsys 90 nm<br />
|}<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="140"| Hash Function Name !! width="270"| Impl. Details !! width="90"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| Blue Midnight Wish || Compression function with f0, f1, and f2 unrolled in sequence || align="right"| 55.9 kGates || align="right"| 26320 Mbit/s || align="right"| 52.63 MHz<br />
|-<br />
| Keccak || One Keccak-f round per cycle || align="right"| 10.5 kGates || align="right"| 19320 Mbit/s || align="right"| 454.5 MHz<br />
|-<br />
| Luffa || Three step modules || align="right"| 11.5 kGates || align="right"| 21370 Mbit/s || align="right"| 769.2 MHz<br />
|}<br />
<br />
=== All 14 Round-Two Candidates ===<br />
<br />
Results are post-P&amp;R and include throughputs without interface overhead.<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="200"| Reference !! width="120"| HDL !! width="120"| Category !! width="100"| Impl. Scope !! width="120"| Technology<br />
|- <br />
| [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SCHAUMONT_SHA3.pdf Guo et al.] [[#Ref035|[35]]] || N/A || [[#High-Speed_Implementations_(ASIC)|High-speed ASIC]] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || UMC 0.13 µm<br />
|}<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="140"| Hash Function Name !! width="270"| Impl. Details !! width="90"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| BLAKE-32 || || align="right"| 43.52 kGates || align="right"| 4645 Mbit/s || align="right"| 200 MHz<br />
|-<br />
| Blue Midnight Wish-256 || || align="right"| 198.17 kGates || align="right"| 12220 Mbit/s || align="right"| 48 MHz<br />
|-<br />
| CubeHash16/32-256 || || align="right"| 38.18 kGates || align="right"| 4624 Mbit/s || align="right"| 289 MHz<br />
|-<br />
| ECHO-256 || || align="right"| 92.73 kGates || align="right"| 3366 Mbit/s || align="right"| 217 MHz<br />
|-<br />
| Fugue-256 || || align="right"| 91.09 kGates || align="right"| 2385 Mbit/s || align="right"| 149 MHz<br />
|-<br />
| Grøstl-256 || || align="right"| 110.11 kGates || align="right"| 9606 Mbit/s || align="right"| 188 MHz<br />
|-<br />
| Hamsi-256 || || align="right"| 29.94 kGates || align="right"| 3571 Mbit/s || align="right"| 446 MHz<br />
|-<br />
| JH-256 || || align="right"| 62.42 kGates || align="right"| 5128 Mbit/s || align="right"| 391 MHz<br />
|-<br />
| Keccak(-256) || || align="right"| 47.43 kGates || align="right"| 15457 Mbit/s || align="right"| 377 MHz<br />
|-<br />
| Luffa-256 || || align="right"| 37.94 kGates || align="right"| 13943 Mbit/s || align="right"| 490 MHz<br />
|-<br />
| Shabal-256 || || align="right"| 49.44 kGates || align="right"| 2945 Mbit/s || align="right"| 362 MHz<br />
|-<br />
| SHAvite-3<sub>256</sub> || || align="right"| 55.25 kGates || align="right"| 4599 Mbit/s || align="right"| 341 MHz<br />
|-<br />
| SIMD-256 || || align="right"| 139.55 kGates || align="right"| 2157 Mbit/s || align="right"| 194 MHz<br />
|-<br />
| Skein-256-256 || || align="right"| 40.9 kGates || align="right"| 1941 Mbit/s || align="right"| 159 MHz<br />
|}<br />
<br />
<br /><br />
<br /><br />
<br />
== References ==<br />
<br />
<div id="Ref001"><br />
[1] Jean-Philippe Aumasson, Luca Henzen, Willi Meier, and Raphael C.-W. Phan. SHA-3 proposal BLAKE (version 1.3). Available online at http://131002.net/blake/blake.pdf.<br />
</div><br />
<br />
<div id="Ref002"><br />
[2] A. H. Namin and M. A. Hasan. Hardware Implementation of the Compression Function for Selected SHA-3 Candidates. Available online at http://www.vlsi.uwaterloo.ca/~ahasan/hasan_report.html.<br />
</div><br />
<br />
<div id="Ref003"><br />
[3] Kazuyuki Kobayashi, Jun Ikegami, Shin'ichiro Matsuo, Kazuo Sakiyama, and Kazuo Ohta. Evaluation of Hardware Performance for the SHA-3 Candidates Using SASEBO-GII. IACR Eprint report 2010/010. Available online at http://eprint.iacr.org/2010/010.pdf.<br />
</div><br />
<br />
<div id="Ref004"><br />
[4] Brian Baldwin, Andrew Byrne, Mark Hamilton, Neil Hanley, Robert P. McEvoy, Weibo Pan, and William P. Marnane. FPGA Implementations of SHA-3 Candidates: CubeHash, Grøstl, LANE, Shabal and Spectral Hash. IACR Eprint report 2009/342. Available online at http://eprint.iacr.org/2009/342.pdf.<br />
</div><br />
<br />
<div id="Ref005"><br />
[5] Liang Lu, Maire O'Neil, and Earl Swartzlander. Hardware Evaluation of SHA-3 Hash Function Candidate ECHO. Presentation at the Clauce Shannon Institute Workshop on Coding and Cryptography 2009. Slides available online at http://www.ucc.ie/en/crypto/CodingandCryptographyWorkshop/TheClaudeShannonWorkshoponCodingCryptography2009/DocumentFile,75649,en.pdf.<br />
</div><br />
<br />
<div id="Ref006"><br />
[6] Bernhard Jungk, Steffen Reith, and Jürgen Apfelbeck. On Optimized FPGA Implementations of the SHA-3 Candidate Grøstl. IACR Eprint report 2009/206. Available online at http://eprint.iacr.org/2009/206.pdf.<br />
</div><br />
<br />
<div id="Ref007"><br />
[7] Praveen Gauravaram, Lars R. Knudsen, Krystian Matusievicz, Florian Mendel, Christian Rechberger, Martin Schläffer, and Søren S. Thomsen. Grøstl - a SHA-3 candidate (October 31, 2008). Available online at http://www.groestl.info/Groestl.pdf.<br />
</div><br />
<br />
<div id="Ref008"><br />
[8] Guido Bertoni, Joan Daemen, Michaël Peeters, and Gilles van Assche. KECCAK sponge function family main document (Version 1.2, April 23, 2009). Available online at http://keccak.noekeon.org/Keccak-main-1.2.pdf.<br />
</div><br />
<br />
<div id="Ref009"><br />
[9] Joachim Strömbergson. Implementation of the Keccak Hash Function in FPGA Devices. Available online at http://www.strombergson.com/files/Keccak_in_FPGAs.pdf.<br />
</div><br />
<br />
<div id="Ref010"><br />
[10] Romain Feron and Julien Francq. FPGA Implementation of Shabal: Our First Results (Version 2.0, February 19, 2010). Available online at http://www.shabal.com/wp-content/uploads/2010/03/FPGA-Implementation-of-Shabal-First-ResultsV2.0.pdf.<br />
</div><br />
<br />
<div id="Ref011"><br />
[11] Men Long. Implementing Skein Hash Function on Xilinx Virtex-5 FPGA Platform (Version 0.7, February 2, 2009). Available online at http://www.skein-hash.info/sites/default/files/skein_fpga.pdf.<br />
</div><br />
<br />
<div id="Ref012"><br />
[12] Stefan Tillich. Hardware Implementation of the SHA-3 Candidate Skein. IACR Eprint report 2009/159. Available online at http://eprint.iacr.org/2009/159.pdf.<br />
</div><br />
<br />
<div id="Ref013"><br />
[13] Jean-Luc Beuchat, Eiji Okamoto, and Teppei Yamazaki. Compact Implementations of BLAKE-32 and BLAKE-64 on FPGA. IACR Eprint report 2010/173. Available online at http://eprint.iacr.org/2010/173.pdf.<br />
</div><br />
<br />
<div id="Ref014"><br />
[14] Stefan Tillich, Martin Feldhofer, Mario Kirschbaum, Thomas Plos, Jörn-Marc Schmidt, and Alexander Szekely. High-Speed Hardware Implementations of BLAKE, Blue Midnight Wish, CubeHash, ECHO, Fugue, Grøstl, Hamsi, JH, Keccak, Luffa, Shabal, SHAvite-3, SIMD, and Skein. IACR Eprint report 2009/510. Available online at http://eprint.iacr.org/2009/510.pdf.<br />
</div><br />
<br />
<div id="Ref015"><br />
[15] Shai Halevi, William E. Hall, and Charanjit S. Jutla. The Hash Function Fugue (October 30, 2008). Available online at http://domino.research.ibm.com/comm/research_projects.nsf/pages/fugue.index.html/$FILE/NIST-submission-Oct08-fugue.pdf.<br />
</div><br />
<br />
<div id="Ref016"><br />
[16] Junfeng Fan. Hardware Evaluation of The Hash Function Hamsi. Available online at http://homes.esat.kuleuven.be/~okucuk/hamsi/implementations.html.<br />
</div><br />
<br />
<div id="Ref017"><br />
[17] Miroslav Knezevic and Ingrid Verbeiwhede. Hardware Evaluation of the Luffa Hash Family. 4th Workshop on Embedded Systems Security 2009. Available online at http://www.cosic.esat.kuleuven.be/publications/article-1282.pdf.<br />
</div><br />
<br />
<div id="Ref018"><br />
[18] Stefan Tillich, Martin Feldhofer, Wolfgang Issovits, Thomas Kern, Hermann Kureck, Michael Mühlberghuber, Georg Neubauer, Andreas Reiter, Armin Köfler, and Mathias Mayrhofer. Compact Hardware Implementations of the SHA-3 Candidates ARIRANG, BLAKE, Grøstl, and Skein. IACR Eprint report 2009/349. Available online at http://eprint.iacr.org/2009/349.pdf.<br />
</div><br />
<br />
<div id="Ref019"><br />
[19] Grøstl website. http://www.groestl.info/.<br />
</div><br />
<br />
<div id="Ref020"><br />
[20] Markus Bernet, Luca Henzen, Hubert Kaeslin, Norbert Felber, and Wolfgang Fichtner. Hardware Implementations of the SHA-3 Candidates Shabal and CubeHash. 52nd IEEE International Midwest Symposium on Circuits and Systems, 2009. Available online at http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=5236043.<br />
</div><br />
<br />
<div id="Ref021"><br />
[21] Michel Kinsy and Richard Uhler. SHA-3: FPGA Implementation of ESSENCE and ECHO Hash Algorithm Candidates Using Bluespec. Available online at http://csg.csail.mit.edu/6.375/6_375_2009_www/projects/group1_report.pdf.<br />
</div><br />
<br />
<div id="Ref022"><br />
[22] Bernhard Jungk and Steffen Reith. On FPGA-based implementations of Grøstl. IACR Eprint report 2010/260. Available online at http://eprint.iacr.org/2010/260.pdf.<br />
</div><br />
<br />
<div id="Ref023"><br />
[23] Jérémie Detrey, Pierre Gaudry, and Karim Khalfallah. A Low-Area yet Performant FPGA Implementation of Shabal. IACR Eprint report 2010/292. Available online at http://eprint.iacr.org/2010/292.pdf.<br />
</div><br />
<br />
<div id="Ref024"><br />
[24] Jean-Luc Beuchat, Eiji Okamoto, and Teppei Yamazaki. A Compact FPGA Implementation of the SHA-3 Candidate ECHO. IACR Eprint report 2010/364. Available online at http://eprint.iacr.org/2010/364.pdf.<br />
</div><br />
<br />
<div id="Ref025"><br />
[25] Wim Ramakers and Hans Narinx. Implementation and evaluation of SHA-3 candidates on FPGA. Extended abstract of Master Thesis &quot;Implementatie en Evaluatie van SHA-3-Kandidaten op FPGA&quot; (Dutch). Extended abstract available online at http://ehash.iaik.tugraz.at/uploads/1/12/Ramakers_Narinx2010ECHO-Hamsi-Luffa_ExtendedAbstract_ENGLISH.pdf. Full thesis available online at http://ehash.iaik.tugraz.at/uploads/6/62/Ramakers_Narinx2010ECHO-Hamsi-Luffa_Thesis_DUTCH.pdf.<br />
</div><br />
<br />
<div id="Ref026"><br />
[26] Julien Francq and Céline Thuillet. Unfolding Method for Shabal on Virtex-5 FPGAs: Concrete Results. IACR Eprint report 2010/406. Available online at http://eprint.iacr.org/2010/406.pdf.<br />
</div><br />
<br />
<div id="Ref027"><br />
[27] Shugo Mikami, Nagamasa Mizushima, Setsuko Nakamura, and Dai Watanabe. A Compact Hardware Implementation of SHA-3 Candidate Luffa. Available online at http://www.sdl.hitachi.co.jp/crypto/luffa/ACompactHardwareImplementationOfSHA-3CandidateLuffa_20100810.pdf.<br />
</div><br />
<br />
<div id="Ref028"><br />
[28] Imed Mabrouk and Ryad Benadjila. ECHO webpage (hardware subpage). http://crypto.rd.francetelecom.com/ECHO/hard/.<br />
</div><br />
<br />
<div id="Ref029"><br />
[29] Luca Henzen, Pietro Gendotti, Patrice Guillet, Enrico Pargaetzi, Martin Zoller, and Frank K. Gürkaynak. Developing a Hardware Evaluation Method for SHA-3 Candidates. 12th International Workshop on Cryptographic Hardware and Embedded Systems (CHES), 2010. Available online at http://www.springerlink.com/content/g0115v3272156r06/.<br />
</div><br />
<br />
<div id="Ref030"><br />
[30] Kris Gaj, Ekawat Homsirikamol, and Marcin Rogawski. Fair and Comprehensive Methodology for Comparing Hardware Performance of Fourteen Round Two SHA-3 Candidates Using FPGAs. 12th International Workshop on Cryptographic Hardware and Embedded Systems (CHES), 2010. Available online at http://www.springerlink.com/content/q41257x376615p22/.<br />
</div><br />
<br />
<div id="Ref031"><br />
[31] Brian Baldwin, Neil Hanley, Mark Hamilton, Liang Lu, Andrew Byrne, Maire O'Neill, and William P. Marnane. FPGA Implementations of the Round Two SHA-3 Candidates. Second SHA-3 Candidate Conference, 2010. Available online at http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf.<br />
</div><br />
<br />
<div id="Ref032"><br />
[32] Mohamed El Hadedy, Martin Margala, Danilo Gligoroski, and Svein J. Knapskog. Resource-Efficient Implementation of Blue Midnight Wish-256 Hash Function on Xilinx FPGA Platform. Second SHA-3 Candidate Conference, 2010. Available online at http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/El-Hadedy_SmallSizeFPGA-BMW256.pdf.<br />
</div><br />
<br />
<div id="Ref033"><br />
[33] Shin'ichiro Matsuo, Miroslav Knezevic, Patrick Schaumont, Ingrid Verbauwhede, Akashi Satoh, Kazuo Sakiyama, and Kazuo Ota. How Can We Conduct "Fair and Consistent" Hardware Evaluation for SHA-3 Candidate? Second SHA-3 Candidate Conference, 2010. Available online at http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/MATSUO_SHA-3_Criteria_Hardware_revised.pdf.<br />
</div><br />
<br />
<div id="Ref034"><br />
[34] Abdulkadir Akin, Aydin Aysu, Onur Can Ulusel, and Erkay Savas. Efficient Hardware Implementations of High Throughput SHA-3 Candidates Keccak, Luffa and Blue Midnight Wish for Single- and Multi-Message Hashing. Second SHA-3 Candidate Conference, 2010. Available online at http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SAVAS_SHA3_NIST_final.pdf.<br />
</div><br />
<br />
<div id="Ref035"><br />
[35] Xu Guo, Sinan Huang, Leyla Nazhandali, and Patrick Schaumont. Fair and Comprehensive Performance Evaluation of 14 Second Round SHA-3 ASIC Implementations. Second SHA-3 Candidate Conference, 2010. Available online at http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SCHAUMONT_SHA3.pdf.<br />
</div><br />
<br />
<div id="Ref036"><br />
[36] Jesse Walker, Farhana Sheikh, Sanu K. Mathew, and Ram Krishnamurthy. A Skein-512 Hardware Implementation. Available online at http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/WALKER_skein-intel-hwd.pdf.<br />
</div><br />
<br />
<div id="Ref037"><br />
[37] RCIS webpage. http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html.<br />
</div><br />
<br />
<div id="Ref038"><br />
[38] Akashi Satoh, Toshihiro Katashita, Takeshi Sugawara, Naofumi Homma, and Takafumi Aoki. Hardware Implementations of Hash Function Luffa. IEEE International Symposium on Hardware-Oriented Security and Trust (HOST), 2010. Available online at http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=5513102&tag=1.<br />
</div><br />
<br />
<div id="Ref039"><br />
[39] RCIS webpage (Other ASIC Implementations). http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/others.html.<br />
</div><br />
<br />
<div id="Ref040"><br />
[40] Luca Henzen, Jean-Philippe Aumasson, Willi Meier, and Raphael C.-W. Phan. VLSI Characterization of the Cryptographic Hash Function BLAKE. IEEE T VLSI, 2010. Available online at http://131002.net/data/papers/HAMP10.pdf.<br />
</div></div>
JAumasson
https://ehash.iaik.tugraz.at/index.php?title=SHA-3_Hardware_Implementations&diff=3608
SHA-3 Hardware Implementations
2010-09-22T07:47:26Z
<p>JAumasson: minor fix</p>
<hr />
<div>== Call for Contributions ==<br />
<br />
Implementers (both submitters and non-submitters): You have results that complement this site? <br />
Let us know at sha3zoo-hardware@iaik.tugraz.at If you are making your HDL code available, please also provide us with according information.<br />
<br />
== Important Information ==<br />
<br />
This page summarizes key properties of reported hardware implementations of those SHA-3 candidates, which are currently under consideration by NIST. This is work in progress. If you know of any implementations which should be mentioned on this page, refer to our [[#Call_for_Contributions|call for contributions]].<br />
<br />
A list of hardware implementations of the round 1 candidates can be found [[SHA-3_Hardware_Implementations_Round_One|here]]. Please note that the page for round 1 candidates is provided for reference and will not be updated.<br />
<br />
The implementations are categorized into FPGA and standard-cell ASIC implementations. Note that the diversity of implementation scope, target technologies, and synthesis tools makes direct comparisions between different hardware implementation difficult. The more of these parameters agree, the more reasonable the comparison becomes. <br />
<br />
The target technology should be as similar as possible. For FPGA implementation, it is desirable to compare implementations on the same target device (or at least on devices of the same FPGA family). For standard-cell ASIC implementation, at least the minimal gate length of the process (e.g., 0.13 µm) should agree. More ideally, the implementations use the same standard-cell library (which implies the use of the same process technology).<br />
<br />
In order to facilitate the comparision of hardware modules with different implementation scopes, we classify them into three categories:<br />
<br />
* [[#Fully_Autonomous_Implementation|Fully autonomous]]<br />
* [[#Implementation_with_External_Memory|Using external memory]]<br />
* [[#Implementation_of_Core_Functionality|Core functionality]]<br />
<br />
For suggestions regarding the structure of this site, let us know at sha3zoo-hardware@iaik.tugraz.at<br />
<br />
=== Fully Autonomous Implementation ===<br />
<br />
[[Image:HW_type_self-cont.jpg]]<br />
<br />
Such hardware implementations include the complete functionality of a SHA-3 candidate (or a specific version thereof). That means the input message can be loaded piecewise into the hardware module and it delivers the message digest as output. All hash calculations happen exclusively within the hardware module. If integrated in a system, the achievable throughput of a fully autonomous implementation depends on the speed of the hardware module itself and the speed of the (system dependent) data interface delivering the input message.<br />
<br />
<br />
=== Implementation with External Memory ===<br />
<br />
[[Image:HW_type_ext-mem.jpg]]<br />
<br />
These implementations use external memory to hold intermediate values during the hashing of a message. The implemented hardware itself normally consists of the core logic functionality of the hash function, some registers for short-lived temporary values, and possible a memory controller for access to the external memory. Such implementations can load the input message either over a dedicated interface (similar to a fully autonomous implementation) or from the external memory. In order to reach the maximal throughput of the hardware module, the external memory must be sufficiently fast.<br />
<br />
<br />
=== Implementation of Core Functionality ===<br />
<br />
[[Image:HW_type_core-funct.jpg]]<br />
<br />
Such implementations comprise only important parts of the hash function (e.g., the compression function), which normally allows to get a first-order estimate of the performance figures of full implementations.<br />
<br />
== Ongoing Hardware Benchmarking Efforts ==<br />
<br />
To describe it in the words of the initiators and maintainers: "ATHENa: Automated Tool for Hardware EvaluatioN is a project started at George Mason University, aimed at fair, comprehensive, and automated evaluation of cryptographic cores developed using hardware description languages, such as VHDL and Verilog." More information about the project and the current results can be found on the [http://cryptography.gmu.edu/athena/ ATHENa webpage]. Note: As each hash module submitted to ATHENAa is implemented on several FPGA platforms, the SHA-3 zoo pages will not replicate all results produced by the ATHENa project on this webpage. Instead please refer directly to the [http://cryptography.gmu.edu/athena/ ATHENa webpage].<br />
<br />
== Summary of All Results ==<br />
<br />
This section includes four categories of implementations (high-speed, low-area, both for FPGA and ASIC) which include known published results. If the HDL sourcecode is available, a link is provided as well.<br />
<br />
=== High-Speed Implementations (FPGA) ===<br />
<br />
Important note: The size and functionality of slices varies between FPGA families. A direct comparision of the slice count of implementations on different FPGA families is therefore problematic.<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="120"| Hash Function Name !! width="150"| Reference / HDL !! width="100"| Impl. Scope !! width="200"| Impl. Details !! width="100"| Technology !! width="80"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| BLAKE-32 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with 8 G function units || Xilinx Virtex-II Pro || align="right"| 3091 slices || align="right"| 1724 Mbit/s || align="right"| 37.0 MHz<br />
|-<br />
| BLAKE-32 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with 8 G function units || Xilinx Virtex 4 || align="right"| 3087 slices || align="right"| 2235 Mbit/s || align="right"| 48.0 MHz<br />
|-<br />
| BLAKE-32 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with 8 G function units || Xilinx Virtex 5 || align="right"| 1694 slices || align="right"| 3103 Mbit/s || align="right"| 67.0 MHz<br />
|-<br />
| BLAKE-32 || [http://www.vlsi.uwaterloo.ca/~ahasan/hasan_report.html Namin and Hasan] [[#Ref002|[2]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with 8 G function units and I/O registers || Altera Stratix III || align="right"| 5435 ALUTs || align="right"| 2186.2 Mbit/s || align="right"| 46.97 MHz<br />
|-<br />
| BLAKE-32 || [http://eprint.iacr.org/2010/010.pdf Kobayashi et al.] [[#Ref003|[3]]] / [http://www.rcis.aist.go.jp/special/SASEBO/SHA3-en.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1660 slices || align="right"| 2676 Mbit/s || align="right"| 115 MHz<br />
|-<br />
| BLAKE-32 || [http://www.springerlink.com/content/q41257x376615p22/ Gaj et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1851 slices || align="right"| 2610.6 Mbit/s || align="right"| 102 MHz<br />
|-<br />
| BLAKE-32 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1118 slices || align="right"| 1169 Mbit/s || align="right"| 118.06 MHz<br />
|-<br />
| BLAKE-32 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/MATSUO_SHA-3_Criteria_Hardware_revised.pdf Matsuo et al.] [[#Ref033|[33]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS website] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1660 slices || align="right"| 2676 Mbit/s || align="right"| 115 MHz<br />
|-<br />
| BLAKE-64 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with 8 G function units || Xilinx Virtex-II Pro || align="right"| 11122 slices || align="right"| 1177 Mbit/s || align="right"| 17.0 MHz<br />
|-<br />
| BLAKE-64 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with 8 G function units || Xilinx Virtex 4 || align="right"| 11483 slices || align="right"| 1707 Mbit/s || align="right"| 25.0 MHz<br />
|-<br />
| BLAKE-64 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with 8 G function units || Xilinx Virtex 5 || align="right"| 4329 slices || align="right"| 2389 Mbit/s || align="right"| 35.0 MHz<br />
|-<br />
| BLAKE-64 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1718 slices || align="right"| 1299 Mbit/s || align="right"| 90.91 MHz<br />
|-<br />
| Blue Midnight Wish-256 || [http://www.vlsi.uwaterloo.ca/~ahasan/hasan_report.html Namin and Hasan] [[#Ref002|[2]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with f0, f1, and f2 unrolled in sequence and I/O registers || Altera Stratix III || align="right"| 12917 ALUTs || align="right"| 4889.6 Mbit/s || align="right"| 9.55 MHz<br />
|-<br />
| Blue Midnight Wish-256 || [http://www.springerlink.com/content/q41257x376615p22/ Gaj et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 4400 slices || align="right"| 5576.7 Mbit/s || align="right"| 10.9 MHz<br />
|-<br />
| Blue Midnight Wish-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 4997 slices || align="right"| 457 Mbit/s || align="right"| 14.02 MHz<br />
|-<br />
| Blue Midnight Wish-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/MATSUO_SHA-3_Criteria_Hardware_revised.pdf Matsuo et al.] [[#Ref033|[33]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS website] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 4350 slices || align="right"| 8704 Mbit/s || align="right"| 34 MHz<br />
|-<br />
| Blue Midnight Wish-512 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 9810 slices || align="right"| 287 Mbit/s || align="right"| 10 MHz<br />
|-<br />
| Blue Midnight Wish || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SAVAS_SHA3_NIST_final.pdf Akin et al.] [[#Ref034|[34]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with f0, f1, and f2 unrolled in sequence || Xilinx Spartan 3 || align="right"| 10531 slices || align="right"| 2110 Mbit/s || align="right"| 4.22 MHz<br />
|-<br />
| Blue Midnight Wish || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SAVAS_SHA3_NIST_final.pdf Akin et al.] [[#Ref034|[34]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with f0, f1, and f2 unrolled in sequence || Xilinx Virtex-II || align="right"| 10432 slices || align="right"| 3360 Mbit/s || align="right"| 6.71 MHz<br />
|-<br />
| Blue Midnight Wish || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SAVAS_SHA3_NIST_final.pdf Akin et al.] [[#Ref034|[34]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with f0, f1, and f2 unrolled in sequence || Xilinx Virtex 4 || align="right"| 10486 slices || align="right"| 4510 Mbit/s || align="right"| 9.01 MHz<br />
|-<br />
| CubeHash8/1-256(***) || [http://eprint.iacr.org/2009/342.pdf Baldwin et al.] [[#Ref004|[4]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || 2 compression functions unrolled || Xilinx Spartan 3 || align="right"| 3268 slices || align="right"| 70 Mbit/s || align="right"| 37.9 MHz<br />
|-<br />
| CubeHash8/1-256(***) || [http://eprint.iacr.org/2009/342.pdf Baldwin et al.] [[#Ref004|[4]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || 1 iterated compression function || Xilinx Virtex 5 || align="right"| 1178 slices || align="right"| 160 Mbit/s || align="right"| 166.8 MHz<br />
|-<br />
| CubeHash16/32-256 || [http://eprint.iacr.org/2010/010.pdf Kobayashi et al.] [[#Ref003|[3]]] / [http://www.rcis.aist.go.jp/special/SASEBO/SHA3-en.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 590 slices || align="right"| 2960 Mbit/s || align="right"| 185 MHz<br />
|-<br />
| CubeHash16/32-256 || [http://www.springerlink.com/content/q41257x376615p22/ Gaj et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 730 slices || align="right"| 3189.8 Mbit/s || align="right"| 199.4 MHz<br />
|-<br />
| CubeHash16/32-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/MATSUO_SHA-3_Criteria_Hardware_revised.pdf Matsuo et al.] [[#Ref033|[33]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS website] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 590 slices || align="right"| 2960 Mbit/s || align="right"| 185 MHz<br />
|-<br />
| CubeHash8/32 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 695 slices || align="right"| 2509 Mbit/s || align="right"| 166.83 MHz<br />
|-<br />
| ECHO-224/256 || [http://www.ucc.ie/en/crypto/CodingandCryptographyWorkshop/TheClaudeShannonWorkshoponCodingCryptography2009/DocumentFile,75649,en.pdf Lu et al.] [[#Ref005|[5]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 9333 slices || align="right"| 14860 Mbit/s || align="right"| 87.1 MHz<br />
|-<br />
| ECHO-224/256 || [http://csg.csail.mit.edu/6.375/6_375_2009_www/projects/group1_report.pdf Kinsy and Uhler] [[#Ref021|[21]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 273 cycles per block || Altera Cyclone II || align="right"| 39091 LEs || align="right"| 397 Mbit/s(*) || align="right"| 70.6 MHz<br />
|-<br />
| ECHO-256 || [http://ehash.iaik.tugraz.at/uploads/1/12/Ramakers_Narinx2010ECHO-Hamsi-Luffa_ExtendedAbstract_ENGLISH.pdf Ramakers and Narinx] [[#Ref025|[25]]] / [http://ehash.iaik.tugraz.at/uploads/2/27/Ramakers_Narinx2010ECHO-Hamsi-Luffa_VHDL_sources.zip Hosted by SHA-3 zoo] || [[#Implementation_of_Core_Functionality|Core functionality]] || Straight-forward instantiation of complete compression function || Xilinx Virtex 5 || align="right"| 15006 slices || align="right"| 23860 Mbit/s || align="right"| 139 MHz<br />
|-<br />
| ECHO-256 || [http://ehash.iaik.tugraz.at/uploads/1/12/Ramakers_Narinx2010ECHO-Hamsi-Luffa_ExtendedAbstract_ENGLISH.pdf Ramakers and Narinx] [[#Ref025|[25]]] / [http://ehash.iaik.tugraz.at/uploads/2/27/Ramakers_Narinx2010ECHO-Hamsi-Luffa_VHDL_sources.zip Hosted by SHA-3 zoo] || [[#Implementation_of_Core_Functionality|Core functionality]] || Optimized: 4 x 2 AES round instances with pipeline register in BigSubWords || Xilinx Virtex 5 || align="right"| 12061 slices || align="right"| 3560 Mbit/s || align="right"| 187 MHz<br />
|-<br />
| ECHO-256 || [http://eprint.iacr.org/2010/010.pdf Kobayashi et al.] [[#Ref003|[3]]] / [http://www.rcis.aist.go.jp/special/SASEBO/SHA3-en.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 3556 slices || align="right"| 1614 Mbit/s || align="right"| 104 MHz<br />
|-<br />
| ECHO-256 || [http://crypto.rd.francetelecom.com/ECHO/hard/ Mabrouk and Benadjila] [[#Ref028|[28]]] / [http://crypto.rd.francetelecom.com/ECHO/hard/echo_highspeed_virtex5.zip Implementer's webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Fully parallel iterations of Compress512 || Xilinx Virtex 5 || align="right"| 10407 slices || align="right"| 26390 Mbit/s || align="right"| 154.6 MHz<br />
|-<br />
| ECHO-256 || [http://crypto.rd.francetelecom.com/ECHO/hard/ Mabrouk and Benadjila] [[#Ref028|[28]]] / [http://crypto.rd.francetelecom.com/ECHO/hard/echo_highspeed_virtex6.zip Implementer's webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Fully parallel iterations of Compress512 || Xilinx Virtex 6 || align="right"| 8071 slices || align="right"| 29457 Mbit/s || align="right"| 172.6 MHz<br />
|-<br />
| ECHO-256 || [http://www.springerlink.com/content/q41257x376615p22/ Gaj et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 6453 slices || align="right"| 10133.4 Mbit/s || align="right"| 178.1 MHz<br />
|-<br />
| ECHO-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 7372 slices || align="right"| 5373 Mbit/s || align="right"| 198.93 MHz<br />
|-<br />
| ECHO-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/MATSUO_SHA-3_Criteria_Hardware_revised.pdf Matsuo et al.] [[#Ref033|[33]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS website] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 2827 slices || align="right"| 2312 Mbit/s || align="right"| 149 MHz<br />
|-<br />
| ECHO-384/512 || [http://www.ucc.ie/en/crypto/CodingandCryptographyWorkshop/TheClaudeShannonWorkshoponCodingCryptography2009/DocumentFile,75649,en.pdf Lu et al.] [[#Ref005|[5]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 9097 slices || align="right"| 7810 Mbit/s || align="right"| 83.9 MHz<br />
|-<br />
| ECHO-384/512 || [http://csg.csail.mit.edu/6.375/6_375_2009_www/projects/group1_report.pdf Kinsy and Uhler] [[#Ref021|[21]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 341 cycles per block || Altera Cyclone II || align="right"| 39091 LEs || align="right"| 212 Mbit/s(**) || align="right"| 70.6 MHz<br />
|-<br />
| ECHO-512 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 8633 slices || align="right"| 18133 Mbit/s || align="right"| 166.69 MHz<br />
|-<br />
| Fugue-256 || [http://www.springerlink.com/content/q41257x376615p22/ Gaj et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 956 slices || align="right"| 3151.2 Mbit/s || align="right"| 98.5 MHz<br />
|-<br />
| Fugue-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1689 slices || align="right"| 914 Mbit/s || align="right"| 200.04 MHz<br />
|-<br />
| Fugue-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/MATSUO_SHA-3_Criteria_Hardware_revised.pdf Matsuo et al.] [[#Ref033|[33]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS website] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 4013 slices || align="right"| 1248 Mbit/s || align="right"| 78 MHz<br />
|-<br />
| Fugue-384 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 2380 slices || align="right"| 640 Mbit/s || align="right"| 200.08 MHz<br />
|-<br />
| Fugue-512 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 2596 slices || align="right"| 481 Mbit/s || align="right"| 200.16 MHz<br />
|-<br />
| Grøstl-224/256 || [http://eprint.iacr.org/2009/206.pdf Jungk et al.] [[#Ref006|[6]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || P & Q permutation in parallel || Xilinx Spartan 3 || align="right"| 6136 slices || align="right"| 4520 Mbit/s || align="right"| 88.3 MHz<br />
|-<br />
| Grøstl-224/256 || [http://www.groestl.info/Groestl.pdf Submission doc.] [[#Ref007|[7]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || P & Q permutation in parallel || Xilinx Virtex 5 || align="right"| 1722 slices || align="right"| 10276 Mbit/s || align="right"| 200.7 MHz<br />
|-<br />
| Grøstl-224/256 || [http://eprint.iacr.org/2009/342.pdf Baldwin et al.] [[#Ref004|[4]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || P & Q permutation in parallel, S-box in BRAM || Xilinx Spartan 3 || align="right"| 4827 slices || align="right"| 3660 Mbit/s || align="right"| 71.53 MHz<br />
|-<br />
| Grøstl-224/256 || [http://eprint.iacr.org/2009/342.pdf Baldwin et al.] [[#Ref004|[4]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || P & Q permutation in parallel, S-box in BRAM || Xilinx Virtex 5 || align="right"| 4516 slices || align="right"| 7310 Mbit/s || align="right"| 142.87 MHz<br />
|-<br />
| Grøstl-256 || [http://eprint.iacr.org/2010/010.pdf Kobayashi et al.] [[#Ref003|[3]]] / [http://www.rcis.aist.go.jp/special/SASEBO/SHA3-en.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 4057 slices || align="right"| 5171 Mbit/s || align="right"| 101 MHz<br />
|-<br />
| Grøstl-256 || [http://www.springerlink.com/content/q41257x376615p22/ Gaj et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1884 slices || align="right"| 8676.5 Mbit/s || align="right"| 355.9 MHz<br />
|-<br />
| Grøstl-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 2391 slices || align="right"| 3242 Mbit/s || align="right"| 101.32 MHz<br />
|-<br />
| Grøstl-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/MATSUO_SHA-3_Criteria_Hardware_revised.pdf Matsuo et al.] [[#Ref033|[33]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS website] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 2616 slices || align="right"| 7885 Mbit/s || align="right"| 154 MHz<br />
|-<br />
| Grøstl-384/512 || [http://www.groestl.info/Groestl.pdf Submission doc.] [[#Ref007|[7]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || P & Q permutation in parallel || Xilinx Spartan 3 || align="right"| 20233 slices || align="right"| 5901 Mbit/s || align="right"| 80.7 MHz<br />
|-<br />
| Grøstl-384/512 || [http://eprint.iacr.org/2009/342.pdf Baldwin et al.] [[#Ref004|[4]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || P & Q permutation parallel, S-box in LUTs || Xilinx Spartan 3 || align="right"| 17452 slices || align="right"| 3180 Mbit/s || align="right"| 79.61 MHz<br />
|-<br />
| Grøstl-384/512 || [http://eprint.iacr.org/2009/342.pdf Baldwin et al.] [[#Ref004|[4]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || P & Q permutation parallel, S-box in LUTs || Xilinx Virtex 5 || align="right"| 19161 slices || align="right"| 6090 Mbit/s || align="right"| 83.33 MHz<br />
|-<br />
| Grøstl-384/512 || [http://www.groestl.info/Groestl.pdf Submission doc.] [[#Ref007|[7]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || P & Q permutation in parallel || Xilinx Virtex 5 || align="right"| 5419 slices || align="right"| 15395 Mbit/s || align="right"| 210.5 MHz<br />
|-<br />
| Grøstl-384/512 || [http://eprint.iacr.org/2010/260.pdf Jungk and Reith] [[#Ref022|[22]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Shared P & Q permutation || Xilinx Spartan 3 || align="right"| 8308 slices || align="right"| 3474 Mbit/s || align="right"| 95 MHz<br />
|-<br />
| Grøstl-512 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 4845 slices || align="right"| 3619 Mbit/s || align="right"| 123.4 MHz<br />
|-<br />
| Hamsi-256 || [http://eprint.iacr.org/2010/010.pdf Kobayashi et al.] [[#Ref003|[3]]] / [http://www.rcis.aist.go.jp/special/SASEBO/SHA3-en.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 718 slices || align="right"| 1680 Mbit/s || align="right"| 210 MHz<br />
|-<br />
| Hamsi-256 || [http://ehash.iaik.tugraz.at/uploads/1/12/Ramakers_Narinx2010ECHO-Hamsi-Luffa_ExtendedAbstract_ENGLISH.pdf Ramakers and Narinx] [[#Ref025|[25]]] / [http://ehash.iaik.tugraz.at/uploads/2/27/Ramakers_Narinx2010ECHO-Hamsi-Luffa_VHDL_sources.zip Hosted by SHA-3 zoo] || [[#Implementation_of_Core_Functionality|Core functionality]] || Straight-forward instantiation of complete compression function || Xilinx Virtex 5 || align="right"| 4664 slices || align="right"| 6620 Mbit/s || align="right"| 207 MHz<br />
|-<br />
| Hamsi-256 || [http://ehash.iaik.tugraz.at/uploads/1/12/Ramakers_Narinx2010ECHO-Hamsi-Luffa_ExtendedAbstract_ENGLISH.pdf Ramakers and Narinx] [[#Ref025|[25]]] / [http://ehash.iaik.tugraz.at/uploads/2/27/Ramakers_Narinx2010ECHO-Hamsi-Luffa_VHDL_sources.zip Hosted by SHA-3 zoo] || [[#Implementation_of_Core_Functionality|Core functionality]] || Non-linear permutation block reused || Xilinx Virtex 5 || align="right"| 2113 slices || align="right"| 1970 Mbit/s || align="right"| 308 MHz<br />
|-<br />
| Hamsi-256 || [http://www.springerlink.com/content/q41257x376615p22/ Gaj et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 946 slices || align="right"| 2646.2 Mbit/s || align="right"| 248.1 MHz<br />
|-<br />
| Hamsi-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1518 slices || align="right"| 358 Mbit/s || align="right"| 72.41 MHz<br />
|-<br />
| Hamsi-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/MATSUO_SHA-3_Criteria_Hardware_revised.pdf Matsuo et al.] [[#Ref033|[33]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS website] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 718 slices || align="right"| 1680 Mbit/s || align="right"| 210 MHz<br />
|-<br />
| Hamsi-512 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 6229 slices || align="right"| 79 Mbit/s || align="right"| 16.51 MHz<br />
|-<br />
| JH-256 || [http://www.springerlink.com/content/q41257x376615p22/ Gaj et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1275 slices || align="right"| 4013.5 Mbit/s || align="right"| 282.2 MHz<br />
|-<br />
| JH-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/MATSUO_SHA-3_Criteria_Hardware_revised.pdf Matsuo et al.] [[#Ref033|[33]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS website] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 2661 slices || align="right"| 2639 Mbit/s || align="right"| 201 MHz<br />
|-<br />
| JH || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1291 slices || align="right"| 1941 Mbit/s || align="right"| 250.13 MHz<br />
|-<br />
| Keccak || [http://keccak.noekeon.org/Keccak-main-1.2.pdf Updated spec. (v1.2)] [[#Ref008|[8]]] / [http://keccak.noekeon.org/ Submission webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Core (round function, state register) & IO buffer || Altera Cyclone III || align="right"| 5776 LEs || align="right"| 7500 Mbit/s || align="right"| 133 MHz<br />
|-<br />
| Keccak || [http://keccak.noekeon.org/Keccak-main-1.2.pdf Updated spec. (v1.2)] [[#Ref008|[8]]] / [http://keccak.noekeon.org/ Submission webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Core (round function, state register) & IO buffer || Altera Stratix III || align="right"| 4713 ALUTs || align="right"| 12400 Mbit/s || align="right"| 218 MHz<br />
|-<br />
| Keccak || [http://www.strombergson.com/files/Keccak_in_FPGAs.pdf J. Str&ouml;mbergson] [[#Ref009|[9]]] / [http://keccak.noekeon.org/ Submission webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Core (round function, state register) only || Xilinx Spartan 3A || align="right"| 3393 slices || align="right"| 4800 Mbit/s || align="right"| 85 MHz<br />
|-<br />
| Keccak || [http://keccak.noekeon.org/Keccak-main-1.2.pdf Updated spec. (v1.2)] [[#Ref008|[8]]] / [http://keccak.noekeon.org/ Submission webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Core (round function, state register) & IO buffer || Xilinx Virtex 5 || align="right"| 1412 slices || align="right"| 6900 Mbit/s || align="right"| 122 MHz<br />
|-<br />
| Keccak(-224) || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1117 slices || align="right"| 5915 Mbit/s || align="right"| 189 MHz<br />
|-<br />
| Keccak(-256) || [http://www.springerlink.com/content/q41257x376615p22/ Gaj et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1229 slices || align="right"| 10806.5 Mbit/s || align="right"| 238.4 MHz<br />
|-<br />
| Keccak(-256) || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1117 slices || align="right"| 6263 Mbit/s || align="right"| 189 MHz<br />
|-<br />
| Keccak(-256) || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/MATSUO_SHA-3_Criteria_Hardware_revised.pdf Matsuo et al.] [[#Ref033|[33]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS website] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1433 slices || align="right"| 8397 Mbit/s || align="right"| 205 MHz<br />
|-<br />
| Keccak(-384) || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1117 slices || align="right"| 8190 Mbit/s || align="right"| 189 MHz<br />
|-<br />
| Keccak(-512) || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1117 slices || align="right"| 8518 Mbit/s || align="right"| 189 MHz<br />
|-<br />
| Keccak || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SAVAS_SHA3_NIST_final.pdf Akin et al.] [[#Ref034|[34]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || One Keccak-f round per cycle || Xilinx Spartan 3 || align="right"| 2024 slices || align="right"| 3460 Mbit/s || align="right"| 81.4 MHz<br />
|-<br />
| Keccak || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SAVAS_SHA3_NIST_final.pdf Akin et al.] [[#Ref034|[34]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || One Keccak-f round per cycle || Xilinx Virtex-II || align="right"| 2024 slices || align="right"| 5810 Mbit/s || align="right"| 136.6 MHz<br />
|-<br />
| Keccak || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SAVAS_SHA3_NIST_final.pdf Akin et al.] [[#Ref034|[34]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || One Keccak-f round per cycle || Xilinx Virtex 4 || align="right"| 2024 slices || align="right"| 6070 Mbit/s || align="right"| 142.9 MHz<br />
|-<br />
| Luffa-256 || [http://www.vlsi.uwaterloo.ca/~ahasan/hasan_report.html Namin and Hasan] [[#Ref002|[2]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function (1 cycle latency) and I/O registers || Altera Stratix III || align="right"| 16552 ALUTs || align="right"| 12042.2 Mbit/s || align="right"| 47.04 MHz<br />
|-<br />
| Luffa-256 || [http://eprint.iacr.org/2010/010.pdf Kobayashi et al.] [[#Ref003|[3]]] / [http://www.rcis.aist.go.jp/special/SASEBO/SHA3-en.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1048 slices || align="right"| 6343 Mbit/s || align="right"| 223 MHz<br />
|-<br />
| Luffa-256 || [http://ehash.iaik.tugraz.at/uploads/1/12/Ramakers_Narinx2010ECHO-Hamsi-Luffa_ExtendedAbstract_ENGLISH.pdf Ramakers and Narinx] [[#Ref025|[25]]] / [http://ehash.iaik.tugraz.at/uploads/2/27/Ramakers_Narinx2010ECHO-Hamsi-Luffa_VHDL_sources.zip Hosted by SHA-3 zoo] || [[#Implementation_of_Core_Functionality|Core functionality]] || One step block reused for 8 rounds || Xilinx Virtex 5 || align="right"| 9611 slices || align="right"| 2303 Mbit/s || align="right"| 179 MHz<br />
|-<br />
| Luffa-256 || [http://ehash.iaik.tugraz.at/uploads/1/12/Ramakers_Narinx2010ECHO-Hamsi-Luffa_ExtendedAbstract_ENGLISH.pdf Ramakers and Narinx] [[#Ref025|[25]]] / [http://ehash.iaik.tugraz.at/uploads/2/27/Ramakers_Narinx2010ECHO-Hamsi-Luffa_VHDL_sources.zip Hosted by SHA-3 zoo] || [[#Implementation_of_Core_Functionality|Core functionality]] || Straight-forward instantiation of complete compression function || Xilinx Virtex 5 || align="right"| 9611 slices || align="right"| 12290 Mbit/s || align="right"| 48.2 MHz<br />
|-<br />
| Luffa-256 || [http://www.springerlink.com/content/q41257x376615p22/ Gaj et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1154 slices || align="right"| 8008 Mbit/s || align="right"| 281.5 MHz<br />
|-<br />
| Luffa-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 2221 slices || align="right"| 5333 Mbit/s || align="right"| 166.67 MHz<br />
|-<br />
| Luffa-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/MATSUO_SHA-3_Criteria_Hardware_revised.pdf Matsuo et al.] [[#Ref033|[33]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS website] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1048 slices || align="right"| 7424 Mbit/s || align="right"| 261 MHz<br />
|-<br />
| Luffa-384 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 3740 slices || align="right"| 5336 Mbit/s || align="right"| 166.75 MHz<br />
|-<br />
| Luffa-512 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 3700 slices || align="right"| 5336 Mbit/s || align="right"| 166.75 MHz<br />
|-<br />
| Luffa || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SAVAS_SHA3_NIST_final.pdf Akin et al.] [[#Ref034|[34]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || Three step modules || Xilinx Spartan 3 || align="right"| 2956 slices || align="right"| 1480 Mbit/s || align="right"| 157.3 MHz<br />
|-<br />
| Luffa || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SAVAS_SHA3_NIST_final.pdf Akin et al.] [[#Ref034|[34]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || Three step modules || Xilinx Virtex-II || align="right"|2952 slices || align="right"| 8370 Mbit/s || align="right"| 301.4 MHz<br />
|-<br />
| Luffa || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SAVAS_SHA3_NIST_final.pdf Akin et al.] [[#Ref034|[34]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || Three step modules || Xilinx Virtex 4 || align="right"| 2989 slices || align="right"| 8560 Mbit/s || align="right"| 308.2 MHz<br />
|-<br />
| Shabal || [http://www.shabal.com/wp-content/plugins/download-monitor/download.php?id=FPGA-Implementation-of-Shabal-First-ResultsV2.0.pdf Feron and Francq] [[#Ref010|[10]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 36 adders in permutation || Xilinx Virtex 5 || align="right"| 1171 slices || align="right"| 2588 Mbit/s || align="right"| 126 MHz<br />
|-<br />
| Shabal || [http://eprint.iacr.org/2010/406.pdf Francq and Thuillet] [[#Ref026|[26]]] / [http://www.shabal.com/?p=170 Shabal webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 4 iterations of the permutation unrolled || Xilinx Virtex 5 || align="right"| 1715 slices || align="right"| 3242 Mbit/s || align="right"| 76 MHz<br />
|-<br />
| Shabal || [http://eprint.iacr.org/2009/342.pdf Baldwin et al.] [[#Ref004|[4]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || 36 adders in permutation || Xilinx Spartan 3 || align="right"| 2223 slices || align="right"| 740 Mbit/s || align="right"| 71.48 MHz<br />
|-<br />
| Shabal || [http://eprint.iacr.org/2009/342.pdf Baldwin et al.] [[#Ref004|[4]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || 36 adders in permutation || Xilinx Virtex 5 || align="right"| 2768 slices || align="right"| 1450 Mbit/s || align="right"| 138.87 MHz<br />
|-<br />
| Shabal || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1583 slices || align="right"| 1469 Mbit/s || align="right"| 148.04 MHz<br />
|-<br />
| Shabal-256 || [http://www.vlsi.uwaterloo.ca/~ahasan/hasan_report.html Namin and Hasan] [[#Ref002|[2]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with I/O registers (latency of 16 clock cycles) || Altera Stratix III || align="right"| 1440 ALUTs || align="right"| 3125.6 Mbit/s || align="right"| 195.35 MHz<br />
|-<br />
| Shabal-256 || [http://eprint.iacr.org/2010/010.pdf Kobayashi et al.] [[#Ref003|[3]]] / [http://www.rcis.aist.go.jp/special/SASEBO/SHA3-en.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1251 slices || align="right"| 1739 Mbit/s || align="right"| 214 MHz<br />
|-<br />
| Shabal-256 || [http://www.springerlink.com/content/q41257x376615p22/ Gaj et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1266 slices || align="right"| 2624 Mbit/s || align="right"| 128.1 MHz<br />
|-<br />
| Shabal-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/MATSUO_SHA-3_Criteria_Hardware_revised.pdf Matsuo et al.] [[#Ref033|[33]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS website] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1251 slices || align="right"| 2335 Mbit/s || align="right"| 228 MHz<br />
|-<br />
| Shabal-512 || [http://eprint.iacr.org/2010/292.pdf Detrey et al.] [[#Ref023|[23]]] / [http://hwshabal.gforge.inria.fr/ INRIA webpage (see SCM tree)] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Exploiting SRL16 primitive || Xilinx Virtex 5 || align="right"| 153 slices || align="right"| 2051 Mbit/s || align="right"| 256 MHz<br />
|-<br />
| Shabal-512 || [http://eprint.iacr.org/2010/292.pdf Detrey et al.] [[#Ref023|[23]]] / [http://hwshabal.gforge.inria.fr/ INRIA webpage (see SCM tree)] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Exploiting SRL16 primitive || Xilinx Spartan 3 || align="right"| 499 slices || align="right"| 800 Mbit/s || align="right"| 100 MHz<br />
|-<br />
| SHAvite-3<sub>256</sub> || [http://www.springerlink.com/content/q41257x376615p22/ Gaj et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1130 slices || align="right"| 2885.9 Mbit/s || align="right"| 208.6 MHz<br />
|-<br />
| SHAvite-3<sub>256</sub> || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 3125 slices || align="right"| 1170 Mbit/s || align="right"| 109.17 MHz<br />
|-<br />
| SHAvite-3<sub>256</sub> || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/MATSUO_SHA-3_Criteria_Hardware_revised.pdf Matsuo et al.] [[#Ref033|[33]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS website] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1063 slices || align="right"| 3382 Mbit/s || align="right"| 251 MHz<br />
|-<br />
| SHAvite-3<sub>512</sub> || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 9775 slices || align="right"| 931 Mbit/s || align="right"| 59.4 MHz<br />
|-<br />
| SIMD-256 || [http://www.springerlink.com/content/q41257x376615p22/ Gaj et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 9288 slices || align="right"| 2325.9 Mbit/s || align="right"| 40.9 MHz<br />
|-<br />
| SIMD-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 22704 slices || align="right"| 1338 Mbit/s || align="right"| 107.2 MHz<br />
|-<br />
| SIMD-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/MATSUO_SHA-3_Criteria_Hardware_revised.pdf Matsuo et al.] [[#Ref033|[33]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS website] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 3987 slices || align="right"| 835 Mbit/s || align="right"| 75 MHz<br />
|-<br />
| SIMD-512 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 43729 slices || align="right"| 2677 Mbit/s || align="right"| 107.2 MHz<br />
|-<br />
| Skein-256-h || [http://www.skein-hash.info/sites/default/files/skein_fpga.pdf Men Long] [[#Ref011|[11]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || UBI component || Xilinx Virtex 5 || align="right"| 1001 slices || align="right"| 408.7 Mbit/s || align="right"| 114.9 MHz<br />
|-<br />
| Skein-256-256 || [http://eprint.iacr.org/2009/159.pdf Stefan Tillich] [[#Ref012|[12]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 8 Threefish rounds unrolled || Xilinx Virtex 5 || align="right"| 937 slices || align="right"| 1751 Mbit/s || align="right"| 68.4 MHz<br />
|-<br />
| Skein-256-256 || [http://eprint.iacr.org/2009/159.pdf Stefan Tillich] [[#Ref012|[12]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 8 Threefish rounds unrolled || Xilinx Spartan 3 || align="right"| 2421 slices || align="right"| 669 Mbit/s || align="right"| 26.14 MHz<br />
|-<br />
| Skein-256-256 || [http://eprint.iacr.org/2010/010.pdf Kobayashi et al.] [[#Ref003|[3]]] / [http://www.rcis.aist.go.jp/special/SASEBO/SHA3-en.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 854 slices || align="right"| 1482 Mbit/s || align="right"| 115 MHz<br />
|-<br />
| Skein-256-256 || [http://www.springerlink.com/content/q41257x376615p22/ Gaj et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1312 slices || align="right"| 1416.1 Mbit/s || align="right"| 49.8 MHz<br />
|-<br />
| Skein-256-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/MATSUO_SHA-3_Criteria_Hardware_revised.pdf Matsuo et al.] [[#Ref033|[33]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS website] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 854 slices || align="right"| 1402 Mbit/s || align="right"| 115 MHz<br />
|-<br />
| Skein-512-h || [http://www.skein-hash.info/sites/default/files/skein_fpga.pdf Men Long] [[#Ref011|[11]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || UBI component || Xilinx Virtex 5 || align="right"| 1877 slices || align="right"| 817.4 Mbit/s || align="right"| 114.9 MHz<br />
|-<br />
| Skein-512-512 || [http://eprint.iacr.org/2009/159.pdf Stefan Tillich] [[#Ref012|[12]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 8 Threefish rounds unrolled || Xilinx Virtex 5 || align="right"| 1632 slices || align="right"| 3535 Mbit/s || align="right"| 69.04 MHz<br />
|-<br />
| Skein-512-512 || [http://eprint.iacr.org/2009/159.pdf Stefan Tillich] [[#Ref012|[12]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 8 Threefish rounds unrolled || Xilinx Spartan 3 || align="right"| 4273 slices || align="right"| 1365 Mbit/s || align="right"| 26.66 MHz<br />
|-<br />
| Skein-512 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1786 slices || align="right"| 1945 Mbit/s || align="right"| 83.65 MHz<br />
<br />
|}<br />
<br />
(*) Estimated peak throughput ignoring I/O bottleneck resulting from specific interface: (1536 bits/block) * (70.6 * 10^6 cycles/s) / (273 cycles/block) = 397.22 * 10^6 bits/s.<br />
<br /><br />
(**) Estimated peak throughput ignoring I/O bottleneck resulting from specific interface: (1024 bits/block) * (70.6 * 10^6 cycles/s) / (341 cycles/block) = 212.01 * 10^6 bits/s.<br />
<br /><br />
(***) CubeHash16/32-h implemented in a similar fashion can be expected to have throughput increased by a factor of about 16.<br />
<br />
<br /><br />
<br /><br />
<br />
=== Low-Area Implementations (FPGA) ===<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="120"| Hash Function Name !! width="150"| Reference / HDL !! width="100"| Impl. Scope !! width="200"| Implementation Details !! width="100"| Technology !! width="80"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| BLAKE-32 || [http://eprint.iacr.org/2010/173.pdf Beuchat et al.] [[#Ref013|[13]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Rescheduled G function || Xilinx Spartan-3 || align="right"| 124 slices || align="right"| 115 Mbit/s || align="right"| 190.0 MHz<br />
|-<br />
| BLAKE-32 || [http://eprint.iacr.org/2010/173.pdf Beuchat et al.] [[#Ref013|[13]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Rescheduled G function || Xilinx Virtex-4 || align="right"| 124 slices || align="right"| 216 Mbit/s || align="right"| 357.0 MHz<br />
|-<br />
| BLAKE-32 || [http://eprint.iacr.org/2010/173.pdf Beuchat et al.] [[#Ref013|[13]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Rescheduled G function || Xilinx Virtex-5 || align="right"| 56 slices || align="right"| 225 Mbit/s || align="right"| 372.0 MHz<br />
|-<br />
| BLAKE-32 || [http://eprint.iacr.org/2010/173.pdf Beuchat et al.] [[#Ref013|[13]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Rescheduled G function || Altera Cyclone III || align="right"| 285 LEs || align="right"| 116 Mbit/s || align="right"| 192.0 MHz<br />
|-<br />
| BLAKE-32 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with 1 G function unit || Xilinx Virtex-II Pro || align="right"| 958 slices || align="right"| 371 Mbit/s || align="right"| 59.0 MHz<br />
|-<br />
| BLAKE-32 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with 1 G function unit || Xilinx Virtex 4 || align="right"| 960 slices || align="right"| 430 Mbit/s || align="right"| 68.0 MHz<br />
|-<br />
| BLAKE-32 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with 1 G function unit || Xilinx Virtex 5 || align="right"| 390 slices || align="right"| 575 Mbit/s || align="right"| 91.0 MHz<br />
|-<br />
| BLAKE-64 || [http://eprint.iacr.org/2010/173.pdf Beuchat et al.] [[#Ref013|[13]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Rescheduled G function || Xilinx Spartan-3 || align="right"| 229 slices || align="right"| 138 Mbit/s || align="right"| 158.0 MHz<br />
|-<br />
| BLAKE-64 || [http://eprint.iacr.org/2010/173.pdf Beuchat et al.] [[#Ref013|[13]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Rescheduled G function || Xilinx Virtex-4 || align="right"| 230 slices || align="right"| 219 Mbit/s || align="right"| 250.0 MHz<br />
|-<br />
| BLAKE-64 || [http://eprint.iacr.org/2010/173.pdf Beuchat et al.] [[#Ref013|[13]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Rescheduled G function || Xilinx Virtex-5 || align="right"| 108 slices || align="right"| 314 Mbit/s || align="right"| 358.0 MHz<br />
|-<br />
| BLAKE-64 || [http://eprint.iacr.org/2010/173.pdf Beuchat et al.] [[#Ref013|[13]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Rescheduled G function || Altera Cyclone III || align="right"| 542 LEs || align="right"| 123 Mbit/s || align="right"| 140.0 MHz<br />
|-<br />
| BLAKE-64 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with 1 G function unit || Xilinx Virtex-II Pro || align="right"| 1802 slices || align="right"| 326 Mbit/s || align="right"| 36.0 MHz<br />
|-<br />
| BLAKE-64 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with 1 G function unit || Xilinx Virtex 4 || align="right"| 1856 slices || align="right"| 381 Mbit/s || align="right"| 42.0 MHz<br />
|-<br />
| BLAKE-64 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with 1 G function unit || Xilinx Virtex 5 || align="right"| 939 slices || align="right"| 533 Mbit/s || align="right"| 59.0 MHz<br />
|-<br />
| Blue Midnight Wish-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/El-Hadedy_SmallSizeFPGA-BMW256.pdf El Hadedy et al.] [[#Ref032|[32]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 32-bit datapath, 1 memory block || Xilinx Virtex || align="right"| 895 slices || align="right"| 9 Mbit/s || align="right"| 38 MHz<br />
|-<br />
| Blue Midnight Wish-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/El-Hadedy_SmallSizeFPGA-BMW256.pdf El Hadedy et al.] [[#Ref032|[32]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 32-bit datapath, 2 memory blocks || Xilinx Virtex 5 || align="right"| 84 slices || align="right"| 28 Mbit/s || align="right"| 116 MHz<br />
|-<br />
| ECHO || [http://eprint.iacr.org/2010/364.pdf Beuchat et al.] [[#Ref024|[24]]] / On request from author || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Adapted towards FPGA implementation (127 slices and 1 memory block) || Xilinx Virtex 5 || align="right"| 127 slices || align="right"| 72 Mbit/s || align="right"| 352.0 MHz<br />
|-<br />
| ECHO || Announced 19-08-2010 on hash-forum@nist.gov / On request from author || [[#Fully_Autonomous_Implementation|Fully autonomous]] || All ECHO + all AES variants || Xilinx Virtex 5 || align="right"| 231 slices || align="right"| 81.7 Mbit/s (ECHO-224/256), 41.9 Mbit/s (ECHO-384/512) || align="right"| 351.0 MHz<br />
|-<br />
| Grøstl-224/256 || [http://eprint.iacr.org/2009/206.pdf Jungk et al.] [[#Ref006|[6]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 64-bit datapath, P & Q permutation in parallel || Xilinx Spartan 3 || align="right"| 2486 slices || align="right"| 404 Mbit/s || align="right"| 63.2 MHz<br />
|-<br />
| Grøstl-224/256 || [http://eprint.iacr.org/2009/206.pdf Jungk et al.] [[#Ref006|[6]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 64-bit datapath, P & Q permutation in parallel || Xilinx Virtex 2 Pro || align="right"| 2754 slices || align="right"| 512 Mbit/s || align="right"| 81.5 MHz<br />
|-<br />
| Grøstl-224/256 || [http://eprint.iacr.org/2010/260.pdf Jungk and Reith] [[#Ref022|[22]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Shared P & Q permutation, S-Box based on composite field arithmetic || Xilinx Spartan 3 || align="right"| 1276 slices || align="right"| 192 Mbit/s || align="right"| 60 MHz<br />
|-<br />
| Grøstl-384/512 || [http://eprint.iacr.org/2010/260.pdf Jungk and Reith] [[#Ref022|[22]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Shared P & Q permutation, S-Box based on composite field arithmetic || Xilinx Spartan 3 || align="right"| 2110 slices || align="right"| 144 Mbit/s || align="right"| 63 MHz<br />
|-<br />
| Keccak || [http://keccak.noekeon.org/Keccak-main-1.2.pdf Updated spec. (v1.2)] [[#Ref008|[8]]] / [http://keccak.noekeon.org/ Submission webpage] || [[#Implementation_with_External_Memory|Using external memory]] || Small core using system memory || Altera Stratix III || align="right"| 855 ALUTs || align="right"| 96.8 Mbit/s || align="right"| 366 MHz<br />
|-<br />
| Keccak || [http://keccak.noekeon.org/Keccak-main-1.2.pdf Updated spec. (v1.2)] [[#Ref008|[8]]] / [http://keccak.noekeon.org/ Submission webpage] || [[#Implementation_with_External_Memory|Using external memory]] || Small core using system memory || Altera Cyclone III || align="right"| 1559 LEs || align="right"| 47.8 Mbit/s || align="right"| 181 MHz<br />
|-<br />
| Keccak || [http://keccak.noekeon.org/Keccak-main-1.2.pdf Updated spec. (v1.2)] [[#Ref008|[8]]] / [http://keccak.noekeon.org/ Submission webpage] || [[#Implementation_with_External_Memory|Using external memory]] || Small core using system memory || Xilinx Virtex 5 || align="right"| 444 slices || align="right"| 70.1 Mbit/s || align="right"| 265 MHz<br />
|-<br />
| Shabal || [http://ehash.iaik.tugraz.at/uploads/d/d4/FPGA_Implementation_of_Shabal_-_First_Results.pdf Feron and Francq] [[#Ref010|[10]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 36 adders in permutation || Xilinx Virtex 5 || align="right"| 596 slices (+ 40 DSP blocks) || align="right"| 1142 Mbit/s || align="right"| 109 MHz<br />
|-<br />
| Shabal || [http://eprint.iacr.org/2009/342.pdf Baldwin et al.] [[#Ref004|[4]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || 1 adder in permutation || Xilinx Spartan 3 || align="right"| 1933 slices || align="right"| 540 Mbit/s || align="right"| 89.71 MHz<br />
|-<br />
| Shabal || [http://eprint.iacr.org/2009/342.pdf Baldwin et al.] [[#Ref004|[4]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || 1 adder in permutation || Xilinx Virtex 5 || align="right"| 2307 slices || align="right"| 1330 Mbit/s || align="right"| 222.22 MHz<br />
|-<br />
| Shabal-512 || [http://eprint.iacr.org/2010/292.pdf Detrey et al.] [[#Ref023|[23]]] / [http://hwshabal.gforge.inria.fr/ INRIA webpage (see SCM tree)] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Exploiting SRL16 primitive || Xilinx Virtex 5 || align="right"| 153 slices || align="right"| 2051 Mbit/s || align="right"| 256 MHz<br />
|-<br />
| Shabal-512 || [http://eprint.iacr.org/2010/292.pdf Detrey et al.] [[#Ref023|[23]]] / [http://hwshabal.gforge.inria.fr/ INRIA webpage (see SCM tree)] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Exploiting SRL16 primitive || Xilinx Spartan 3 || align="right"| 499 slices || align="right"| 800 Mbit/s || align="right"| 100 MHz<br />
|-<br />
| Skein-256-256 || [http://www.vlsi.uwaterloo.ca/~ahasan/hasan_report.html Namin and Hasan] [[#Ref002|[2]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || One round of Threefish iterated || Altera Stratix III || align="right"| 1385 ALUTs || align="right"| 573.9 Mbit/s || align="right"| 161.42 MHz<br />
|}<br />
<br />
<br><br><br />
<br />
=== High-Speed Implementations (ASIC) ===<br />
<br />
A comparison of implementations of all 14 round 2 candidates has been presented informally at [http://www.iaik.tugraz.at/ IAIK] (Graz University of Technology) on Sept. 16, 2009. The updated presentation slides can be found [http://ehash.iaik.tugraz.at/uploads/f/fc/20091112_SHA-3_HW_stillich.pdf here].<br />
<br />
<br /><br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="120"| Hash Function Name !! width="150"| Reference / HDL !! width="100"| Impl. Scope !! width="200"| Implementation Details !! width="100"| Technology !! width="80"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| BLAKE-32 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with 8 G function units || UMC 0.18 µm || align="right"| 58.30 kGates || align="right"| 5295 Mbit/s || align="right"| 114 MHz<br />
|-<br />
| BLAKE-32 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with 4 G function units || UMC 0.18 µm || align="right"| 41.31 kGates || align="right"| 4153 Mbit/s || align="right"| 170 MHz<br />
|-<br />
| BLAKE-32 || [http://www.vlsi.uwaterloo.ca/~ahasan/hasan_report.html Namin and Hasan] [[#Ref002|[2]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with 8 G function units and I/O registers || STM 90 nm || align="right"| 53 kGates || align="right"| 4475 Mbit/s(*) || align="right"| 96.15 MHz<br />
|-<br />
| BLAKE-32 || [http://eprint.iacr.org/2009/510.pdf Tillich et al.] [[#Ref014|[14]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Compression function with 4 G function units with CSAs || UMC 0.18 µm || align="right"| 45.64 kGates || align="right"| 3971 Mbit/s || align="right"| 170.64 MHz<br />
|-<br />
| BLAKE-32 || [http://www.springerlink.com/content/g0115v3272156r06/ Henzen et al.] [[#Ref029|[29]]] / [http://www.iis.ee.ethz.ch/~sha3/ ETH webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Four parallel G functions modules || UMC 90 nm || align="right"| 47.5 kGates || align="right"| 9752 Mbit/s || align="right"| 400 MHz<br />
|-<br />
| BLAKE-32 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SCHAUMONT_SHA3.pdf Guo et al.] [[#Ref035|[35]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || UMC 0.13 µm || align="right"| 43.52 kGates || align="right"| 4645 Mbit/s || align="right"| 200 MHz<br />
|-<br />
| BLAKE-32 || [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] [[#Ref037|[37]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || STM 90 nm || align="right"| 37 kGates || align="right"| 6668 Mbit/s || align="right"| 286.5 MHz<br />
|-<br />
| BLAKE-32 || [http://131002.net/data/papers/HAMP10.pdf Henzen et al.] [[#Ref040|[40]]] / [http://131002.net/blake/ Submission webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Compression function with 8 G function units || UMC 0.18 µm || align="right"| 79 kGates || align="right"| 6376 Mbit/s || align="right"| 137 MHz<br />
|-<br />
| BLAKE-32 || [http://131002.net/data/papers/HAMP10.pdf Henzen et al.] [[#Ref040|[40]]] / [http://131002.net/blake/ Submission webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Compression function with 4 G function units || UMC 0.18 µm || align="right"| 48 kGates || align="right"| 5847 Mbit/s || align="right"| 240 MHz<br />
|-<br />
| BLAKE-32 || [http://131002.net/data/papers/HAMP10.pdf Henzen et al.] [[#Ref040|[40]]] / [http://131002.net/blake/ Submission webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Compression function with 8 G function units || UMC 0.13 µm || align="right"| 67 kGates || align="right"| 9365 Mbit/s || align="right"| 201 MHz<br />
|-<br />
| BLAKE-32 || [http://131002.net/data/papers/HAMP10.pdf Henzen et al.] [[#Ref040|[40]]] / [http://131002.net/blake/ Submission webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Compression function with 4 G function units || UMC 0.13 µm || align="right"| 43 kGates || align="right"| 8047 Mbit/s || align="right"| 330 MHz<br />
|-<br />
| BLAKE-32 || [http://131002.net/data/papers/HAMP10.pdf Henzen et al.] [[#Ref040|[40]]] / [http://131002.net/blake/ Submission webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Compression function with 8 G function units || UMC 90 nm || align="right"| 65 kGates || align="right"| 17498 Mbit/s || align="right"| 376 MHz<br />
|-<br />
| BLAKE-32 || [http://131002.net/data/papers/HAMP10.pdf Henzen et al.] [[#Ref040|[40]]] / [http://131002.net/blake/ Submission webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Compression function with 4 G function units || UMC 90 nm || align="right"| 38 kGates || align="right"| 15143 Mbit/s || align="right"| 621 MHz<br />
|-<br />
| BLAKE-64 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with 8 G function units || UMC 0.18 µm || align="right"| 132.47 kGates || align="right"| 5910 Mbit/s || align="right"| 87 MHz<br />
|-<br />
| BLAKE-64 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with 4 G function units || UMC 0.18 µm || align="right"| 82.73 kGates || align="right"| 4810 Mbit/s || align="right"| 136 MHz<br />
|-<br />
| BLAKE-64 || [http://131002.net/data/papers/HAMP10.pdf Henzen et al.] [[#Ref040|[40]]] / [http://131002.net/blake/ Submission webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Compression function with 8 G function units || UMC 0.18 µm || align="right"| 147 kGates || align="right"| 7216 Mbit/s || align="right"| 106 MHz<br />
|-<br />
| BLAKE-64 || [http://131002.net/data/papers/HAMP10.pdf Henzen et al.] [[#Ref040|[40]]] / [http://131002.net/blake/ Submission webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Compression function with 4 G function units || UMC 0.18 µm || align="right"| 98 kGates || align="right"| 7192 Mbit/s || align="right"| 204 MHz<br />
|-<br />
| BLAKE-64 || [http://131002.net/data/papers/HAMP10.pdf Henzen et al.] [[#Ref040|[40]]] / [http://131002.net/blake/ Submission webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Compression function with 8 G function units || UMC 0.13 µm || align="right"| 139 kGates || align="right"| 10802 Mbit/s || align="right"| 158 MHz<br />
|-<br />
| BLAKE-64 || [http://131002.net/data/papers/HAMP10.pdf Henzen et al.] [[#Ref040|[40]]] / [http://131002.net/blake/ Submission webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Compression function with 4 G function units || UMC 0.13 µm || align="right"| 92 kGates || align="right"| 10265 Mbit/s || align="right"| 291 MHz<br />
|-<br />
| BLAKE-64 || [http://131002.net/data/papers/HAMP10.pdf Henzen et al.] [[#Ref040|[40]]] / [http://131002.net/blake/ Submission webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Compression function with 8 G function units || UMC 90 nm || align="right"| 128 kGates || align="right"| 20317 Mbit/s || align="right"| 298 MHz<br />
|-<br />
| BLAKE-64 || [http://131002.net/data/papers/HAMP10.pdf Henzen et al.] [[#Ref040|[40]]] / [http://131002.net/blake/ Submission webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Compression function with 4 G function units || UMC 90 nm || align="right"| 79 kGates || align="right"| 18782 Mbit/s || align="right"| 532 MHz<br />
|-<br />
| Blue Midnight Wish-256 || [http://www.vlsi.uwaterloo.ca/~ahasan/hasan_report.html Namin and Hasan] [[#Ref002|[2]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with f0, f1, and f2 unrolled in sequence and I/O registers || STM 90 nm || align="right"| 164 kGates || align="right"| 26665 Mbit/s(*) || align="right"| 52.08 MHz<br />
|-<br />
| Blue Midnight Wish-256 || [http://eprint.iacr.org/2009/510.pdf Tillich et al.] [[#Ref014|[14]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Compression function with f0, f1, and f2 unrolled || UMC 0.18 µm || align="right"| 169.74 kGates || align="right"| 5358 Mbit/s || align="right"| 10.46 MHz<br />
|-<br />
| Blue Midnight Wish-256 || [http://www.springerlink.com/content/g0115v3272156r06/ Henzen et al.] [[#Ref029|[29]]] / [http://www.iis.ee.ethz.ch/~sha3/ ETH webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || single-cycle f0 and f2, f1 iteratively || UMC 90 nm || align="right"| 150 kGates || align="right"| 8486 Mbit/s || align="right"| 298 MHz<br />
|-<br />
| Blue Midnight Wish-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SCHAUMONT_SHA3.pdf Guo et al.] [[#Ref035|[35]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || UMC 0.13 µm || align="right"| 198.17 kGates || align="right"| 12220 Mbit/s || align="right"| 48 MHz<br />
|-<br />
| Blue Midnight Wish || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SAVAS_SHA3_NIST_final.pdf Akin et al.] [[#Ref034|[34]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with f0, f1, and f2 unrolled in sequence || Synopsys 90 nm || align="right"| 55.9 kGates || align="right"| 26320 Mbit/s || align="right"| 52.63 MHz<br />
|-<br />
| Blue Midnight Wish-256 || [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] [[#Ref037|[37]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || STM 90 nm || align="right"| 128.7 kGates || align="right"| 25937 Mbit/s || align="right"| 101.3 MHz<br />
|-<br />
| CubeHash16/32-h || [http://eprint.iacr.org/2009/510.pdf Tillich et al.] [[#Ref014|[14]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Dynamically reconfigurable r and b parameters, two rounds unrolled || UMC 0.18 µm || align="right"| 58.87 kGates || align="right"| 4665 Mbit/s || align="right"| 145.77 MHz<br />
|-<br />
| CubeHash16/32-h || [http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=5236043 Bernet et al.] [[#Ref020|[20]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || One round per cycle || 0.13 µm || align="right"| 34.33 kGates || align="right"| 9248 Mbit/s(***) || align="right"| 578 MHz<br />
|-<br />
| CubeHash16/32-h || [http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=5236043 Bernet et al.] [[#Ref020|[20]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Half a round per cycle || 0.13 µm || align="right"| 21.54 kGates || align="right"| 8000 Mbit/s(***) || align="right"| 1000 MHz<br />
|-<br />
| CubeHash16/32-256 || [http://www.springerlink.com/content/g0115v3272156r06/ Henzen et al.] [[#Ref029|[29]]] / [http://www.iis.ee.ethz.ch/~sha3/ ETH webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || One round per cycle, IV fixed || UMC 90 nm || align="right"| 42.5 kGates || align="right"| 10667 Mbit/s || align="right"| 667 MHz<br />
|-<br />
| CubeHash16/32-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SCHAUMONT_SHA3.pdf Guo et al.] [[#Ref035|[35]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || UMC 0.13 µm || align="right"| 38.18 kGates || align="right"| 4624 Mbit/s || align="right"| 289 MHz<br />
|-<br />
| CubeHash16/32-256 || [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] [[#Ref037|[37]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || STM 90 nm || align="right"| 35.5 kGates || align="right"| 8247 Mbit/s || align="right"| 515.5 MHz<br />
|-<br />
| ECHO-224/256 || [http://www.ucc.ie/en/crypto/CodingandCryptographyWorkshop/TheClaudeShannonWorkshoponCodingCryptography2009/DocumentFile,75649,en.pdf Lu et al.] [[#Ref005|[5]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || 0.13 µm || align="right"| 521.1 kGates || align="right"| 14850 Mbit/s || align="right"| 87.1 MHz<br />
|-<br />
| ECHO-256 || [http://eprint.iacr.org/2009/510.pdf Tillich et al.] [[#Ref014|[14]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Four parallel AES rounds, 16 AES MixColumns 32-bit column multipliers || UMC 0.18 µm || align="right"| 141.49 kGates || align="right"| 2246 Mbit/s || align="right"| 141.84 MHz<br />
|-<br />
| ECHO-256 || [http://www.springerlink.com/content/g0115v3272156r06/ Henzen et al.] [[#Ref029|[29]]] / [http://www.iis.ee.ethz.ch/~sha3/ ETH webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 8 AES rounds per cycle || UMC 90 nm || align="right"| 260 kGates || align="right"| 13966 Mbit/s || align="right"| 291 MHz<br />
|-<br />
| ECHO-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SCHAUMONT_SHA3.pdf Guo et al.] [[#Ref035|[35]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || UMC 0.13 µm || align="right"| 92.73 kGates || align="right"| 3366 Mbit/s || align="right"| 217 MHz<br />
|-<br />
| ECHO-256 || [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] [[#Ref037|[37]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || STM 90 nm || align="right"| 101.1 kGates || align="right"| 5621 Mbit/s || align="right"| 362.3 MHz<br />
|-<br />
| ECHO-384/512 || [http://www.ucc.ie/en/crypto/CodingandCryptographyWorkshop/TheClaudeShannonWorkshoponCodingCryptography2009/DocumentFile,75649,en.pdf Lu et al.] [[#Ref005|[5]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || 0.13 µm|| align="right"| 516.8 kGates || align="right"| 7750 Mbit/s || align="right"| 83.3 MHz<br />
|-<br />
| Fugue-256 || [http://domino.research.ibm.com/comm/research_projects.nsf/pages/fugue.index.html/$FILE/NIST-submission-Oct08-fugue.pdf Submission doc.] [[#Ref015|[15]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Four columns of SMIX transformation in parallel (SUPER4_P) || IBM 90 nm || align="right"| 109.85 kGates || align="right"| 13913 Mbit/s || align="right"| 869.5 MHz<br />
|-<br />
| Fugue-256 || [http://eprint.iacr.org/2009/510.pdf Tillich et al.] [[#Ref014|[14]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Four columns of SMIX transformation in parallel || UMC 0.18 µm || align="right"| 46.26 kGates || align="right"| 4092 Mbit/s || align="right"| 255.75 MHz<br />
|-<br />
| Fugue-256 || [http://www.springerlink.com/content/g0115v3272156r06/ Henzen et al.] [[#Ref029|[29]]] / [http://www.iis.ee.ethz.ch/~sha3/ ETH webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || S-box as LUT || UMC 90 nm || align="right"| 55 kGates || align="right"| 8815 Mbit/s || align="right"| 551 MHz<br />
|-<br />
| Fugue-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SCHAUMONT_SHA3.pdf Guo et al.] [[#Ref035|[35]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || UMC 0.13 µm || align="right"| 91.09 kGates || align="right"| 2385 Mbit/s || align="right"| 149 MHz<br />
|-<br />
| Fugue-256 || [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] [[#Ref037|[37]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || STM 90 nm || align="right"| 56.7 kGates || align="right"| 2721 Mbit/s || align="right"| 170.1 MHz<br />
|-<br />
| Grøstl-256 || [http://eprint.iacr.org/2009/510.pdf Tillich et al.] [[#Ref014|[14]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || One shared permutation for P & Q, one pipeline stage || UMC 0.18 µm || align="right"| 58.40 kGates || align="right"| 6290 Mbit/s || align="right"| 270.27 MHz<br />
|-<br />
| Grøstl-256 || [http://www.springerlink.com/content/g0115v3272156r06/ Henzen et al.] [[#Ref029|[29]]] / [http://www.iis.ee.ethz.ch/~sha3/ ETH webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || P and Q permutation interleaved with one pipeline stage, S-box as LUT || UMC 90 nm || align="right"| 135 kGates || align="right"| 16254 Mbit/s || align="right"| 667 MHz<br />
|-<br />
| Grøstl-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SCHAUMONT_SHA3.pdf Guo et al.] [[#Ref035|[35]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || UMC 0.13 µm || align="right"| 110.11 kGates || align="right"| 9606 Mbit/s || align="right"| 188 MHz<br />
|-<br />
| Grøstl-256 || [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] [[#Ref037|[37]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || STM 90 nm || align="right"| 139.1 kGates || align="right"| 17297 Mbit/s || align="right"| 337.8 MHz<br />
<br />
|-<br />
| Grøstl-256 || [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/others.html RCIS webpage] [[#Ref039|[39]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/others.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || STM 90 nm || align="right"| 120.8 kGates || align="right"| 16275 Mbit/s || align="right"| 349.7 MHz<br />
<br />
|-<br />
| Grøstl-384/512 || [http://www.groestl.info/Groestl.pdf Submission doc.] [[#Ref007|[7]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || P & Q permutation in parallel || UMC 0.18 µm || align="right"| 341 kGates || align="right"| 6225 Mbit/s || align="right"| 85.1 MHz<br />
|-<br />
| Hamsi-256 || [http://homes.esat.kuleuven.be/~okucuk/hamsi/implementations.html Junfeng Fan (Hamsi website)] [[#Ref016|[16]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || 0.13 µm || align="right"| 22 kGates || align="right"| 4940 Mbit/s || align="right"| 1080 MHz<br />
|-<br />
| Hamsi-256 || [http://eprint.iacr.org/2009/510.pdf Tillich et al.] [[#Ref014|[14]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Three instances of P/Pf function unrolled || UMC 0.18 µm || align="right"| 58.66 kGates || align="right"| 5565 Mbit/s || align="right"| 173.91 MHz<br />
|-<br />
| Hamsi-256 || [http://www.springerlink.com/content/g0115v3272156r06/ Henzen et al.] [[#Ref029|[29]]] / [http://www.iis.ee.ethz.ch/~sha3/ ETH webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Message expansions in LUTs, one round per cycle || UMC 90 nm || align="right"| 45 kGates || align="right"| 8686 Mbit/s || align="right"| 814 MHz<br />
|-<br />
| Hamsi-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SCHAUMONT_SHA3.pdf Guo et al.] [[#Ref035|[35]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || UMC 0.13 µm || align="right"| 29.94 kGates || align="right"| 3571 Mbit/s || align="right"| 446 MHz<br />
|-<br />
| Hamsi-256 || [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] [[#Ref037|[37]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || STM 90 nm || align="right"| 67.6 kGates || align="right"| 7767 Mbit/s || align="right"| 970.9 MHz<br />
|-<br />
| Hamsi-512 || [http://homes.esat.kuleuven.be/~okucuk/hamsi/implementations.html Junfeng Fan (Hamsi website)] [[#Ref016|[16]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || 0.13 µm || align="right"| 50 kGates || align="right"| 3970 Mbit/s || align="right"| 820 MHz<br />
|-<br />
| JH-256 || [http://eprint.iacr.org/2009/510.pdf Tillich et al.] [[#Ref014|[14]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 320 S-boxes, one round of R<sub>8</sub> per cycle || UMC 0.18 µm || align="right"| 58.83 kGates || align="right"| 4991 Mbit/s || align="right"| 380.22 MHz<br />
|-<br />
| JH-256 || [http://www.springerlink.com/content/g0115v3272156r06/ Henzen et al.] [[#Ref029|[29]]] / [http://www.iis.ee.ethz.ch/~sha3/ ETH webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || S-boxes as LUTs, stored constants || UMC 90 nm || align="right"| 80 kGates || align="right"| 10807 Mbit/s || align="right"| 760 MHz<br />
|-<br />
| JH-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SCHAUMONT_SHA3.pdf Guo et al.] [[#Ref035|[35]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || UMC 0.13 µm || align="right"| 62.42 kGates || align="right"| 5128 Mbit/s || align="right"| 391 MHz<br />
|-<br />
| JH-256 || [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] [[#Ref037|[37]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || STM 90 nm || align="right"| 54.6 kGates || align="right"| 10022 Mbit/s || align="right"| 763.4 MHz<br />
|-<br />
| Keccak || [http://keccak.noekeon.org/Keccak-main-1.2.pdf Updated spec. (v1.2)] [[#Ref008|[8]]] / [http://keccak.noekeon.org/ Submission webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Core (round function, state register) & IO buffer || ST 0.13 µm || align="right"| 48 kGates || align="right"| 29900 Mbit/s || align="right"| 526 MHz<br />
|-<br />
| Keccak || [http://keccak.noekeon.org/Keccak-specifications.pdf Submission doc.] [[#Ref008|[8]]] / [http://keccak.noekeon.org/ Submission webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Core (round function, state register) only || ST 0.13 µm || align="right"| 40 kGates || align="right"| 15000 Mbit/s || align="right"| 500 MHz<br />
|-<br />
| Keccak(-256) || [http://eprint.iacr.org/2009/510.pdf Tillich et al.] [[#Ref014|[14]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || One instance of Keccak-f round || UMC 0.18 µm || align="right"| 56.32 kGates || align="right"| 21229 Mbit/s || align="right"| 487.80 MHz<br />
|-<br />
| Keccak(-256) || [http://www.springerlink.com/content/g0115v3272156r06/ Henzen et al.] [[#Ref029|[29]]] / [http://www.iis.ee.ethz.ch/~sha3/ ETH webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || One round per cycle || UMC 90 nm || align="right"| 50 kGates || align="right"| 43011 Mbit/s || align="right"| 949 MHz<br />
|-<br />
| Keccak(-256) || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SCHAUMONT_SHA3.pdf Guo et al.] [[#Ref035|[35]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || UMC 0.13 µm || align="right"| 47.43 kGates || align="right"| 15457 Mbit/s || align="right"| 377 MHz<br />
|-<br />
| Keccak || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SAVAS_SHA3_NIST_final.pdf Akin et al.] [[#Ref034|[34]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || One Keccak-f round per cycle || Synopsys 90 nm || align="right"| 10.5 kGates || align="right"| 19320 Mbit/s || align="right"| 454.5 MHz<br />
|-<br />
| Keccak(-256) || [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] [[#Ref037|[37]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || STM 90 nm || align="right"| 50.7 kGates || align="right"| 33333 Mbit/s || align="right"| 781.3 MHz<br />
<br />
|-<br />
| Keccak(-256) || [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/others.html RCIS webpage] [[#Ref039|[39]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/others.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || STM 90 nm || align="right"| 55.9 kGates || align="right"| 43986 Mbit/s || align="right"| 1030.9 MHz<br />
<br />
|-<br />
| Luffa-224/256 || [http://www.cosic.esat.kuleuven.be/publications/article-1282.pdf Knežević and Verbauwhede] [[#Ref017|[17]]] / [http://homes.esat.kuleuven.be/~mknezevi/luffa/luffa_hw_code.tar.gz Author's webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Three permutation blocks in parallel (64 S-boxes, 4 MixWord blocks each) || UMC 0.13 µm || align="right"| 30.83 kGates || align="right"| 31960 Mbit/s || align="right"| 1124 MHz<br />
|-<br />
| Luffa-256 || [http://www.vlsi.uwaterloo.ca/~ahasan/hasan_report.html Namin and Hasan] [[#Ref002|[2]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function (1 cycle latency) and I/O registers || STM 90 nm || align="right"| 122 kGates || align="right"| 25702 Mbit/s(*) || align="right"| 100.4 MHz<br />
|-<br />
| Luffa-224/256 || [http://eprint.iacr.org/2009/510.pdf Tillich et al.] [[#Ref014|[14]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Three permutation blocks in parallel (64 S-boxes, 4 MixWord blocks each) || UMC 0.18 µm || align="right"| 44.97 kGates || align="right"| 13741 Mbit/s || align="right"| 483.09 MHz<br />
|-<br />
| Luffa-256 || [http://www.springerlink.com/content/g0115v3272156r06/ Henzen et al.] [[#Ref029|[29]]] / [http://www.iis.ee.ethz.ch/~sha3/ ETH webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Three parallel step modules, SubCrumb as logic || UMC 90 nm || align="right"| 55 kGates || align="right"| 23256 Mbit/s || align="right"| 727 MHz<br />
|-<br />
| Luffa-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SCHAUMONT_SHA3.pdf Guo et al.] [[#Ref035|[35]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || UMC 0.13 µm || align="right"| 37.94 kGates || align="right"| 13943 Mbit/s || align="right"| 490 MHz<br />
|-<br />
| Luffa-256 || [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] [[#Ref037|[37]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || STM 90 nm || align="right"| 39.6 kGates || align="right"| 28732 Mbit/s || align="right"| 1010.1 MHz<br />
<br />
|-<br />
| Luffa-256 || [http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=5513102&tag=1 Satoh et al.] [[#Ref038|[38]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/others.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Three permutation blocks in parallel (64 S-boxes, 4 MixWord blocks each), two rounds unrolled || STM 90 nm || align="right"| 62.8 kGates || align="right"| 35068.5 Mbit/s || align="right"| 684.9 MHz<br />
<br />
|-<br />
| Luffa-384 || [http://www.cosic.esat.kuleuven.be/publications/article-1282.pdf Knežević and Verbauwhede] [[#Ref017|[17]]] / [http://homes.esat.kuleuven.be/~mknezevi/luffa/luffa_hw_code.tar.gz Author's webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Four permutation blocks in parallel (64 S-boxes, 4 MixWord blocks each) || UMC 0.13 µm || align="right"| 50.07 kGates || align="right"| 23126 Mbit/s || align="right"| 813 MHz<br />
|-<br />
| Luffa-512 || [http://www.cosic.esat.kuleuven.be/publications/article-1282.pdf Knežević and Verbauwhede] [[#Ref017|[17]]] / [http://homes.esat.kuleuven.be/~mknezevi/luffa/luffa_hw_code.tar.gz Author's webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Five permutation blocks in parallel (64 S-boxes, 4 MixWord blocks each) || UMC 0.13 µm || align="right"| 65.1 kGates || align="right"| 19617 Mbit/s || align="right"| 690 MHz<br />
|-<br />
| Luffa || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SAVAS_SHA3_NIST_final.pdf Akin et al.] [[#Ref034|[34]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || Three step modules || Synopsys 90 nm || align="right"| 11.5 kGates || align="right"| 21370 Mbit/s || align="right"| 769.2 MHz<br />
|-<br />
| Shabal-256 || [http://www.vlsi.uwaterloo.ca/~ahasan/hasan_report.html Namin and Hasan] [[#Ref002|[2]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with I/O registers (latency of 16 clock cycles) || STM 90 nm || align="right"| 20 kGates || align="right"| 4408 Mbit/s(*) || align="right"| 413.22 MHz<br />
|-<br />
| Shabal-256 || [http://eprint.iacr.org/2009/510.pdf Tillich et al.] [[#Ref014|[14]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || One word rotation per cycle, 50 cycles per block || UMC 0.18 µm || align="right"| 54.19 kGates || align="right"| 3282 Mbit/s || align="right"| 320.51 MHz<br />
|-<br />
| Shabal || [http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=5236043 Bernet et al.] [[#Ref020|[20]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || One word rotation per cycle, 52 cycles per block || 0.13 µm || align="right"| 41.32 kGates || align="right"| 6351 Mbit/s(***) || align="right"| 645 MHz<br />
|-<br />
| Shabal-256 || [http://www.springerlink.com/content/g0115v3272156r06/ Henzen et al.] [[#Ref029|[29]]] / [http://www.iis.ee.ethz.ch/~sha3/ ETH webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 30 adders, 16 subtractors || UMC 90 nm || align="right"| 45 kGates || align="right"| 6819 Mbit/s || align="right"| 693 MHz<br />
|-<br />
| Shabal-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SCHAUMONT_SHA3.pdf Guo et al.] [[#Ref035|[35]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || UMC 0.13 µm || align="right"| 49.44 kGates || align="right"| 2945 Mbit/s || align="right"| 362 MHz<br />
|-<br />
| Shabal-256 || [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] [[#Ref037|[37]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || STM 90 nm || align="right"| 34.6 kGates || align="right"| 6059 Mbit/s || align="right"| 591.7 MHz<br />
|-<br />
| SHAvite-3<sub>256</sub> || [http://eprint.iacr.org/2009/510.pdf Tillich et al.] [[#Ref014|[14]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Four AES rounds (two for compression, two for message expansion) || UMC 0.18 µm || align="right"| 57.39 kGates || align="right"| 3152 Mbit/s || align="right"| 227.79 MHz<br />
|-<br />
| SHAvite-3<sub>256</sub> || [http://www.springerlink.com/content/g0115v3272156r06/ Henzen et al.] [[#Ref029|[29]]] / [http://www.iis.ee.ethz.ch/~sha3/ ETH webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || One AES round each for message expansion and F<sup>3</sup> round || UMC 90 nm || align="right"| 75 kGates || align="right"| 7999 Mbit/s || align="right"| 562 MHz<br />
|-<br />
| SHAvite-3<sub>256</sub> || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SCHAUMONT_SHA3.pdf Guo et al.] [[#Ref035|[35]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || UMC 0.13 µm || align="right"| 55.25 kGates || align="right"| 4599 Mbit/s || align="right"| 341 MHz<br />
|-<br />
| SHAvite-3<sub>256</sub> || [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] [[#Ref037|[37]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || STM 90 nm || align="right"| 59.4 kGates || align="right"| 8421 Mbit/s || align="right"| 625 MHz<br />
|-<br />
| SIMD-256(**) || [http://eprint.iacr.org/2009/510.pdf Tillich et al.] [[#Ref014|[14]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Two FFT-64 with two FFT-8 and 16 multipliers (8x8 bit) each || UMC 0.18 µm || align="right"| 104.17 kGates || align="right"| 924 Mbit/s || align="right"| 64.93 MHz<br />
|-<br />
| SIMD-256 || [http://www.springerlink.com/content/g0115v3272156r06/ Henzen et al.] [[#Ref029|[29]]] / [http://www.iis.ee.ethz.ch/~sha3/ ETH webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Four parallel Feistel modules, message expansion based on NNT<sub>8</sub> and eight multipliers || UMC 90 nm || align="right"| 135 kGates || align="right"| 5177 Mbit/s || align="right"| 364 MHz<br />
|-<br />
| SIMD-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SCHAUMONT_SHA3.pdf Guo et al.] [[#Ref035|[35]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || UMC 0.13 µm || align="right"| 139.55 kGates || align="right"| 2157 Mbit/s || align="right"| 194 MHz<br />
|-<br />
| SIMD-256 || [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] [[#Ref037|[37]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || STM 90 nm || align="right"| 139 kGates || align="right"| 3171 Mbit/s || align="right"| 284.9 MHz<br />
|-<br />
| Skein-256-256 || [http://eprint.iacr.org/2009/159.pdf Stefan Tillich] [[#Ref012|[12]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 8 Threefish rounds unrolled || UMC 0.18 µm || align="right"| 53.87 kGates || align="right"| 1762 Mbit/s || align="right"| 68.8 MHz<br />
|-<br />
| Skein-256-256 || [http://www.vlsi.uwaterloo.ca/~ahasan/hasan_report.html Namin and Hasan] [[#Ref002|[2]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || All 72 Threefish rounds unrolled || STM 90 nm || align="right"| 369 kGates || align="right"| 3126 Mbit/s(*) || align="right"| 12.21 MHz<br />
|-<br />
| Skein-256-256 || [http://eprint.iacr.org/2009/510.pdf Tillich et al.] [[#Ref014|[14]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 8 Threefish rounds unrolled || UMC 0.18 µm || align="right"| 58.61 kGates || align="right"| 1882 Mbit/s || align="right"| 73.52 MHz<br />
|-<br />
| Skein-256-256 || [http://www.springerlink.com/content/g0115v3272156r06/ Henzen et al.] [[#Ref029|[29]]] / [http://www.iis.ee.ethz.ch/~sha3/ ETH webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Four unrolled Threefish rounds || UMC 90 nm || align="right"| 50 kGates || align="right"| 3558 Mbit/s || align="right"| 264 MHz<br />
|-<br />
| Skein-256-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SCHAUMONT_SHA3.pdf Guo et al.] [[#Ref035|[35]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || UMC 0.13 µm || align="right"| 40.9 kGates || align="right"| 1941 Mbit/s || align="right"| 159 MHz<br />
|-<br />
| Skein-256-256 || [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] [[#Ref037|[37]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || STM 90 nm || align="right"| 43.1 kGates || align="right"| 3295 Mbit/s || align="right"| 270.3 MHz<br />
|-<br />
| Skein-512-512 || [http://eprint.iacr.org/2009/510.pdf Tillich et al.] [[#Ref014|[14]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 8 Threefish rounds unrolled || UMC 0.18 µm || align="right"| 102.04 kGates || align="right"| 2502 Mbit/s || align="right"| 48.87 MHz<br />
|-<br />
| Skein-512 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/WALKER_skein-intel-hwd.pdf Walker et al.] [[#Ref036|[36]]] / N/A] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 8 Threefish rounds unrolled || Intel 32 nm || align="right"| 57.93 kGates || align="right"| 32320 Mbit/s || align="right"| 631.31 MHz<br />
|}<br />
<br />
(*) Estimated peak throughput for the minimal delay of compression function: 1000 * (Input Size in bits) / [(Compression Function Delay in ns) * (Number of Cycles)] = Throughput in Mbit/s.<br />
<br /><br />
(**) Implementation of round-one variant.<br />
<br /><br />
(***) Estimated peak throughput: Throughput for CubeHash8/1-h implementation * 16.<br />
<br />
<br><br><br />
<br />
=== Low-Area Implementations (ASIC) ===<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="120"| Hash Function Name !! width="150"| Reference / HDL !! width="100"| Impl. Scope !! width="200"| Implementation Details !! width="100"| Technology !! width="80"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| BLAKE-32 || [http://eprint.iacr.org/2009/349.pdf Tillich et al.] [[#Ref018|[18]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || One G function in 11 cycles || AMS 0.35 µm || align="right"| 25.57 kGates || align="right"| 15.4 Mbit/s || align="right"| 31.25 MHz<br />
|-<br />
| BLAKE-32 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with a single G function unit || UMC 0.18 µm || align="right"| 10.54 kGates || align="right"| 253 Mbit/s || align="right"| 40 MHz<br />
|-<br />
| BLAKE-32 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with a half G function unit || UMC 0.18 µm || align="right"| 9.89 kGates || align="right"| 127 Mbit/s || align="right"| 40 MHz<br />
|-<br />
| BLAKE-64 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with a single G function unit || UMC 0.18 µm || align="right"| 20.61 kGates || align="right"| 181 Mbit/s || align="right"| 20 MHz<br />
|-<br />
| BLAKE-64 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with a half G function unit || UMC 0.18 µm || align="right"| 19.46 kGates || align="right"| 91 Mbit/s || align="right"| 20 MHz<br />
|-<br />
| CubeHash16/32-h || [http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=5236043 Bernet et al.] [[#Ref020|[20]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Process two 32-bit words per cycle, 64 cycles per round || 0.13 µm || align="right"| 7.63 kGates || align="right"| 32 Mbit/s(****) || align="right"| 100 MHz<br />
|-<br />
| ECHO-224/256 || [http://www.ucc.ie/en/crypto/CodingandCryptographyWorkshop/TheClaudeShannonWorkshoponCodingCryptography2009/DocumentFile,75649,en.pdf Lu et al.] [[#Ref005|[5]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || 0.13 µm || align="right"| 82.8 kGates || align="right"| 373 Mbit/s || align="right"| 66.6 MHz<br />
|-<br />
| Fugue-256 || [http://domino.research.ibm.com/comm/research_projects.nsf/pages/fugue.index.html/$FILE/NIST-submission-Oct08-fugue.pdf Submission doc.] [[#Ref015|[15]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || One SMIX transformation (SUPER1_L) || IBM 90 nm || align="right"| 59.22 kGates || align="right"| 2000 Mbit/s || align="right"| 500 MHz<br />
|-<br />
| Grøstl-224/256 || [http://eprint.iacr.org/2009/349.pdf Tillich et al.] [[#Ref018|[18]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 64-bit datapath, P & Q permutation shared || AMS 0.35 µm || align="right"| 14.62 kGates || align="right"| 145.9 Mbit/s || align="right"| 55.87 MHz<br />
|-<br />
| Grøstl-224/256 || [http://www.groestl.info Grøstl website] [[#Ref019|[19]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 64-bit datapath, P & Q permutation shared || UMC 0.18 µm || align="right"| 17 kGates || align="right"| 645 Mbit/s || align="right"| 246.9 MHz<br />
<br />
|-<br />
| Grøstl-256 || [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/others.html RCIS webpage] [[#Ref039|[39]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/others.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || STM 90 nm || align="right"| 34.8 kGates || align="right"| 2478 Mbit/s || align="right"| 101.6 MHz<br />
<br />
|-<br />
| Keccak || [http://keccak.noekeon.org/Keccak-main-1.2.pdf Updated spec. (v1.2)] [[#Ref008|[8]]] / [http://keccak.noekeon.org/ Submission webpage] || [[#Implementation_with_External_Memory|Using external memory]] || Small core using system memory || ST 0.13 µm || align="right"| 6.5 kGates || align="right"| 176.4 Mbit/s(*) || align="right"| 666.7 MHz<br />
|-<br />
| Keccak || [http://keccak.noekeon.org/Keccak-main-1.2.pdf Updated spec. (v1.2)] [[#Ref008|[8]]] / [http://keccak.noekeon.org/ Submission webpage] || [[#Implementation_with_External_Memory|Using external memory]] || Small core using system memory, clock freq. limited to 200 MHz || ST 0.13 µm || align="right"| 5 kGates || align="right"| 52.9 Mbit/s(**) || align="right"| 200 MHz<br />
|-<br />
| Luffa-224/256 || [http://www.cosic.esat.kuleuven.be/publications/article-1282.pdf Knežević and Verbauwhede] [[#Ref017|[17]]] / [http://homes.esat.kuleuven.be/~mknezevi/luffa/luffa_hw_code.tar.gz Author's webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || One permutation block (64 S-boxes, 4 MixWord blocks) || UMC 0.13 µm || align="right"| 18.26 kGates || align="right"| 2461 Mbit/s || align="right"| 250 MHz<br />
|-<br />
| Luffa-256 || [http://www.sdl.hitachi.co.jp/crypto/luffa/ACompactHardwareImplementationOfSHA-3CandidateLuffa_20100810.pdf Mikami et al.] [[#Ref027|[27]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || One permutation block (64 S-boxes, 4 MixWord blocks) || UMC 0.13 µm || align="right"| 10.34 kGates || align="right"| 538 Mbit/s || align="right"| 806 MHz<br />
<br />
|-<br />
| Luffa-256 || [http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=5513102&tag=1 Satoh et al.] [[#Ref038|[38]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/others.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || One permutation block (64 S-boxes, 4 MixWord blocks) || STM 90 nm || align="right"| 14.7 kGates || align="right"| 3641.1 Mbit/s || align="right"| 355.9 MHz<br />
<br />
|-<br />
| Luffa-384 || [http://www.cosic.esat.kuleuven.be/publications/article-1282.pdf Knežević and Verbauwhede] [[#Ref017|[17]]] / [http://homes.esat.kuleuven.be/~mknezevi/luffa/luffa_hw_code.tar.gz Author's webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 6 S-boxes, 1 MixWord || TSMC 90 nm || align="right"| 27.13 kGates || align="right"| 1882 Mbit/s || align="right"| 250 MHz<br />
|-<br />
| Luffa-512 || [http://www.cosic.esat.kuleuven.be/publications/article-1282.pdf Knežević and Verbauwhede] [[#Ref017|[17]]] / [http://homes.esat.kuleuven.be/~mknezevi/luffa/luffa_hw_code.tar.gz Author's webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || One permutation block (64 S-boxes, 4 MixWord blocks) || UMC 0.13 µm || align="right"| 37.35 kGates || align="right"| 1524 Mbit/s || align="right"| 250 MHz<br />
|-<br />
| Shabal || [http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=5236043 Bernet et al.] [[#Ref020|[20]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || One adder, one subtractor, one incrementer. 165 cycles per block || 0.13 µm || align="right"| 23.32 kGates || align="right"| 310 Mbit/s || align="right"| 100 MHz<br />
|-<br />
| Skein-256-256 || [http://eprint.iacr.org/2009/349.pdf Tillich et al.] [[#Ref018|[18]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 64-bit datapath || AMS 0.35 µm || align="right"| 12.89 kGates || align="right"| 19.8 Mbit/s || align="right"| 80 MHz<br />
|-<br />
| Skein-256-256 || [http://www.vlsi.uwaterloo.ca/~ahasan/hasan_report.html Namin and Hasan] [[#Ref002|[2]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || One round of Threefish iterated || STM 90 nm || align="right"| 21 kGates || align="right"| 1018.8 Mbit/s(***) || align="right"| 286.53 MHz<br />
|}<br />
<br />
(*) Estimation for 64-bit memory interface: (1024 bits/permutation) * (666.7 * 10^6 cycles/s) / (3870 cycles/permutation) = 176.41 * 10^6 bits/s<br />
<br /><br />
(**) Estimation for 64-bit memory interface: (1024 bits/permutation) * (200 * 10^6 cycles/s) / (3870 cycles/permutation) = 52.92 * 10^6 bits/s<br />
<br /><br />
(***) Estimated peak throughput for the minimal delay of compression function: 1000 * (Input Size in bits) / [(Compression Function Delay in ns) * (Number of Cycles)] = Throughput in Mbit/s<br />
<br /><br />
(****) Estimated peak throughput: Throughput for CubeHash8/1-h implementation * 16.<br />
<br />
<br /><br />
<br /><br />
<br />
== Comparative Studies ==<br />
<br />
This section summarizes the reported results of publications which examined more than one round-two candidate in a similar setup.<br />
<br />
=== Blake, BMW, Luffa, Shabal, Skein ===<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="200"| Reference !! width="120"| HDL !! width="120"| Category !! width="100"| Impl. Scope !! width="120"| Technology<br />
|- <br />
| [http://www.vlsi.uwaterloo.ca/~ahasan/hasan_report.html Namin and Hasan] [[#Ref002|[2]]] || N/A || [[#High-Speed_Implementations_(FPGA)|High-speed FPGA]] || [[#Implementation_of_Core_Functionality|Core functionality]] || Altera Stratix III<br />
|}<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="140"| Hash Function Name !! width="270"| Impl. Details !! width="90"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| BLAKE-32 || Compression function with 8 G function units and I/O registers || align="right"| 5435 ALUTs || align="right"| 2186.2 Mbit/s || align="right"| 46.97 MHz<br />
|-<br />
| Blue Midnight Wish-256 || Compression function with f0, f1, and f2 unrolled in sequence and I/O registers || align="right"| 12917 ALUTs || align="right"| 4889.6 Mbit/s || align="right"| 9.55 MHz<br />
|-<br />
| Luffa-256 || Compression function (1 cycle latency) and I/O registers || align="right"| 16552 ALUTs || align="right"| 12042.2 Mbit/s || align="right"| 47.04 MHz<br />
|-<br />
| Shabal-256 || Compression function with I/O registers (latency of 16 clock cycles) || align="right"| 1440 ALUTs || align="right"| 3125.6 Mbit/s || align="right"| 195.35 MHz<br />
|-<br />
| Skein-256-256 || All 72 Threefish rounds unrolled (device too small) || align="right"| N/A || align="right"| N/A || align="right"| N/A<br />
|}<br />
<br />
<br />
----<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="200"| Reference !! width="120"| HDL !! width="120"| Category !! width="100"| Impl. Scope !! width="120"| Technology<br />
|- <br />
| [http://www.vlsi.uwaterloo.ca/~ahasan/hasan_report.html Namin and Hasan] [[#Ref002|[2]]] || N/A || [[#High-Speed_Implementations_(ASIC)|High-speed ASIC]] || [[#Implementation_of_Core_Functionality|Core functionality]] || STM 90 nm<br />
|}<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="140"| Hash Function Name !! width="270"| Impl. Details !! width="90"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| BLAKE-32 || Compression function with 8 G function units and I/O registers || align="right"| 53 kGates || align="right"| 4475 Mbit/s(*) || align="right"| 96.15 MHz<br />
|-<br />
| Blue Midnight Wish-256 || Compression function with f0, f1, and f2 unrolled in sequence and I/O registers || align="right"| 164 kGates || align="right"| 26665 Mbit/s(*) || align="right"| 52.08 MHz<br />
|-<br />
| Luffa-256 || Compression function (1 cycle latency) and I/O registers || align="right"| 122 kGates || align="right"| 25702 Mbit/s(*) || align="right"| 100.4 MHz<br />
|-<br />
| Shabal-256 || Compression function with I/O registers (latency of 16 clock cycles) || align="right"| 20 kGates || align="right"| 4408 Mbit/s(*) || align="right"| 413.22 MHz<br />
|-<br />
| Skein-256-256 || All 72 Threefish rounds unrolled || align="right"| 369 kGates || align="right"| 3126 Mbit/s(*) || align="right"| 12.21 MHz<br />
|}<br />
<br />
(*) Estimated peak throughput for the minimal delay of compression function: 1000 * (Input Size in bits) / [(Compression Function Delay in ns) * (Number of Cycles)] = Throughput in Mbit/s.<br />
<br />
<br /><br />
<br /><br />
<br />
=== Blake, CubeHash, ECHO, Grøstl, Hamsi, Luffa, Shabal, Skein ===<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="200"| Reference !! width="120"| HDL !! width="120"| Category !! width="100"| Impl. Scope !! width="120"| Technology<br />
|- <br />
| [http://eprint.iacr.org/2010/010.pdf Kobayashi et al.] [[#Ref003|[3]]] || [http://www.rcis.aist.go.jp/special/SASEBO/SHA3-en.html RCIS webpage] || [[#High-Speed_Implementations_(FPGA)|High-speed FPGA]] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Xilinx Virtex 5<br />
|}<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="140"| Hash Function Name !! width="270"| Impl. Details !! width="90"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| BLAKE-32 || || align="right"| 1660 slices || align="right"| 2676 Mbit/s || align="right"| 115 MHz<br />
|-<br />
| CubeHash16/32-256 || || align="right"| 590 slices || align="right"| 2960 Mbit/s || align="right"| 185 MHz<br />
|-<br />
| ECHO-256 || || align="right"| 3556 slices || align="right"| 1614 Mbit/s || align="right"| 104 MHz<br />
|-<br />
| Grøstl-256 || || align="right"| 4057 slices || align="right"| 5171 Mbit/s || align="right"| 101 MHz<br />
|-<br />
| Hamsi-256 || || align="right"| 718 slices || align="right"| 1680 Mbit/s || align="right"| 210 MHz<br />
|-<br />
| Luffa-256 || || align="right"| 1048 slices || align="right"| 6343 Mbit/s || align="right"| 223 MHz<br />
|-<br />
| Shabal-256 || || align="right"| 1251 slices || align="right"| 1739 Mbit/s || align="right"| 214 MHz<br />
|-<br />
| Skein-256 || || align="right"| 854 slices || align="right"| 1482 Mbit/s || align="right"| 115 MHz<br />
|}<br />
<br />
<br /><br />
<br /><br />
<br />
=== CubeHash, Grøstl, Shabal ===<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="200"| Reference !! width="120"| HDL !! width="120"| Category !! width="100"| Impl. Scope !! width="120"| Technology<br />
|- <br />
| [http://eprint.iacr.org/2009/342.pdf Baldwin et al.] [[#Ref004|[4]]] || N/A || [[#High-Speed_Implementations_(FPGA)|High-speed FPGA]] || [[#Implementation_of_Core_Functionality|Core functionality]] || Xilinx Spartan 3<br />
|}<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="140"| Hash Function Name !! width="270"| Impl. Details !! width="90"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| CubeHash8/1-256(*) || 2 compression functions unrolled || align="right"| 3268 slices || align="right"| 70 Mbit/s || align="right"| 37.9 MHz<br />
|-<br />
| Grøstl-224/256 || P & Q permutation in parallel, S-box in BRAM || align="right"| 4827 slices || align="right"| 3660 Mbit/s || align="right"| 71.53 MHz<br />
|-<br />
| Grøstl-384/512 || P & Q permutation parallel, S-box in LUTs || align="right"| 17452 slices || align="right"| 3180 Mbit/s || align="right"| 79.61 MHz<br />
|-<br />
| Shabal || 36 adders in permutation || align="right"| 2223 slices || align="right"| 740 Mbit/s || align="right"| 71.48 MHz<br />
|}<br />
<br />
(*) CubeHash16/32-h implemented in a similar fashion can be expected to have throughput increased by a factor of about 16.<br />
<br />
<br />
----<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="200"| Reference !! width="120"| HDL !! width="120"| Category !! width="100"| Impl. Scope !! width="120"| Technology<br />
|- <br />
| [http://eprint.iacr.org/2009/342.pdf Baldwin et al.] [[#Ref004|[4]]] || N/A || [[#High-Speed_Implementations_(FPGA)|High-speed FPGA]] || [[#Implementation_of_Core_Functionality|Core functionality]] || Xilinx Virtex 5<br />
|}<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="140"| Hash Function Name !! width="270"| Impl. Details !! width="90"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| CubeHash8/1-256(*) || 1 iterated compression function || align="right"| 1178 slices || align="right"| 160 Mbit/s || align="right"| 166.8 MHz<br />
|-<br />
| Grøstl-224/256 || P & Q permutation in parallel, S-box in BRAM || align="right"| 4516 slices || align="right"| 7310 Mbit/s || align="right"| 142.87 MHz<br />
|-<br />
| Grøstl-384/512 || P & Q permutation parallel, S-box in LUTs || align="right"| 19161 slices || align="right"| 6090 Mbit/s || align="right"| 83.33 MHz<br />
|-<br />
| Shabal || 36 adders in permutation || align="right"| 2768 slices || align="right"| 1450 Mbit/s || align="right"| 138.87 MHz<br />
|}<br />
<br />
(*) CubeHash16/32-h implemented in a similar fashion can be expected to have throughput increased by a factor of about 16.<br />
<br />
<br /><br />
<br /><br />
<br />
=== All 14 Round-Two Candidates ===<br />
<br />
Reported results are post-synthesis. An interactive graphical comparison of various area-performance tradeoffs of this study can be found [http://www.iaik.tugraz.at/content/research/vlsi/sha3hw/ here].<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="200"| Reference !! width="120"| HDL !! width="120"| Category !! width="100"| Impl. Scope !! width="120"| Technology<br />
|- <br />
| [http://eprint.iacr.org/2009/510.pdf Tillich et al.] [[#Ref014|[14]]] || [mailto:mfeldhof@iaik.tugraz.at On request] || [[#High-Speed_Implementations_(ASIC)|High-speed ASIC]] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || UMC 0.18 µm<br />
|}<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="140"| Hash Function Name !! width="270"| Impl. Details !! width="90"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| BLAKE-32 || Compression function with 4 G function units with CSAs || align="right"| 45.64 kGates || align="right"| 3971 Mbit/s || align="right"| 170.64 MHz<br />
|-<br />
| Blue Midnight Wish-256 || Compression function with f0, f1, and f2 unrolled || align="right"| 169.74 kGates || align="right"| 5358 Mbit/s || align="right"| 10.46 MHz<br />
|-<br />
| CubeHash16/32-h || Dynamically reconfigurable r and b parameters, two rounds unrolled || align="right"| 58.87 kGates || align="right"| 4665 Mbit/s || align="right"| 145.77 MHz<br />
|-<br />
| ECHO-256 || Four parallel AES rounds, 16 AES MixColumns 32-bit column multipliers || align="right"| 141.49 kGates || align="right"| 2246 Mbit/s || align="right"| 141.84 MHz<br />
|-<br />
| Fugue-256 || Four columns of SMIX transformation in parallel || align="right"| 46.26 kGates || align="right"| 4092 Mbit/s || align="right"| 255.75 MHz<br />
|-<br />
| Grøstl-256 || One shared permutation for P & Q, one pipeline stage || align="right"| 58.40 kGates || align="right"| 6290 Mbit/s || align="right"| 270.27 MHz<br />
|-<br />
| Hamsi-256 || Three instances of P/Pf function unrolled || align="right"| 58.66 kGates || align="right"| 5565 Mbit/s || align="right"| 173.91 MHz<br />
|-<br />
| JH-256 || 320 S-boxes, one round of R<sub>8</sub> per cycle || align="right"| 58.83 kGates || align="right"| 4991 Mbit/s || align="right"| 380.22 MHz<br />
|-<br />
| Keccak(-256) || One instance of Keccak-f round || align="right"| 56.32 kGates || align="right"| 21229 Mbit/s || align="right"| 487.80 MHz<br />
|-<br />
| Luffa-224/256 || Three permutation blocks in parallel (64 S-boxes, 4 MixWord blocks each) || align="right"| 44.97 kGates || align="right"| 13741 Mbit/s || align="right"| 483.09 MHz<br />
|-<br />
| Shabal-256 || One word rotation per cycle, 50 cycles per block || align="right"| 54.19 kGates || align="right"| 3282 Mbit/s || align="right"| 320.51 MHz<br />
|-<br />
| SHAvite-3<sub>256</sub> || Four AES rounds (two for compression, two for message expansion) || align="right"| 57.39 kGates || align="right"| 3152 Mbit/s || align="right"| 227.79 MHz<br />
|-<br />
| SIMD-256(*) || Two FFT-64 with two FFT-8 and 16 multipliers (8x8 bit) each || align="right"| 104.17 kGates || align="right"| 924 Mbit/s || align="right"| 64.93 MHz<br />
|-<br />
| Skein-256-256 || 8 Threefish rounds unrolled || align="right"| 58.61 kGates || align="right"| 1882 Mbit/s || align="right"| 73.52 MHz<br />
|-<br />
| Skein-512-512 || 8 Threefish rounds unrolled || align="right"| 102.04 kGates || align="right"| 2502 Mbit/s || align="right"| 48.87 MHz<br />
|}<br />
<br />
(*) Implementation of round-one variant.<br />
<br />
<br /><br />
<br /><br />
<br />
=== BLAKE, Grøstl, Skein ===<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="200"| Reference !! width="120"| HDL !! width="120"| Category !! width="100"| Impl. Scope !! width="120"| Technology<br />
|- <br />
| [http://eprint.iacr.org/2009/349.pdf Tillich et al.] [[#Ref018|[18]]] || N/A || [[#Low-Area_Implementations_(ASIC)|Low-area ASIC]] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || AMS 0.35 µm<br />
|}<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="140"| Hash Function Name !! width="270"| Impl. Details !! width="90"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| BLAKE-32 || One G function in 11 cycles || align="right"| 25.57 kGates || align="right"| 15.4 Mbit/s || align="right"| 31.25 MHz<br />
|-<br />
| Grøstl-224/256 || 64-bit datapath, P & Q permutation shared || align="right"| 14.62 kGates || align="right"| 145.9 Mbit/s || align="right"| 55.87 MHz<br />
|-<br />
| Skein-256-256 || 64-bit datapath || align="right"| 12.89 kGates || align="right"| 19.8 Mbit/s || align="right"| 80 MHz<br />
|}<br />
<br />
<br />
=== ECHO, Hamsi, Luffa ===<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="200"| Reference !! width="120"| HDL !! width="120"| Category !! width="100"| Impl. Scope !! width="120"| Technology<br />
|- <br />
| [http://ehash.iaik.tugraz.at/uploads/1/12/Ramakers_Narinx2010ECHO-Hamsi-Luffa_ExtendedAbstract_ENGLISH.pdf Ramakers and Narinx] [[#Ref025|[25]]] || [http://ehash.iaik.tugraz.at/uploads/2/27/Ramakers_Narinx2010ECHO-Hamsi-Luffa_VHDL_sources.zip Hosted by SHA-3 zoo] || [[#High-Speed_Implementations_(FPGA)|High-speed FPGA]] || [[#Implementation_of_Core_Functionality|Core functionality]] || Xilinx Virtex 5<br />
|}<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="140"| Hash Function Name !! width="270"| Impl. Details !! width="90"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| ECHO-256 || Straight-forward instantiation of complete compression function || align="right"| 15006 slices || align="right"| 23860 Mbit/s || align="right"| 139 MHz<br />
|-<br />
| ECHO-256 || Optimized: 4 x 2 AES round instances with pipeline register in BigSubWords || align="right"| 12061 slices || align="right"| 3560 Mbit/s || align="right"| 187 MHz<br />
|-<br />
| Hamsi-256 || Straight-forward instantiation of complete compression function || align="right"| 4664 slices || align="right"| 6620 Mbit/s || align="right"| 207 MHz<br />
|-<br />
| Hamsi-256 || Non-linear permutation block reused || align="right"| 2113 slices || align="right"| 1970 Mbit/s || align="right"| 308 MHz<br />
|-<br />
| Luffa-256 || Straight-forward instantiation of complete compression function || align="right"| 9611 slices || align="right"| 12290 Mbit/s || align="right"| 48.2 MHz<br />
|-<br />
| Luffa-256 || One step block reused for 8 rounds || align="right"| 2303 slices || align="right"| 5090 Mbit/s || align="right"| 179 MHz<br />
|}<br />
<br />
<br />
=== All 14 Round-Two Candidates ===<br />
<br />
Reported results of this study are post-P&amp;R performances of designs targeting high throughput.<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="200"| Reference !! width="120"| HDL !! width="120"| Category !! width="100"| Impl. Scope !! width="120"| Technology<br />
|- <br />
| [http://www.springerlink.com/content/g0115v3272156r06/ Henzen et al.] [[#Ref029|[29]]] || [http://www.iis.ee.ethz.ch/~sha3/ ETH webpage] || [[#High-Speed_Implementations_(ASIC)|High-speed ASIC]] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || UMC 90 nm<br />
|}<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="140"| Hash Function Name !! width="270"| Impl. Details !! width="90"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| BLAKE-32 || Four parallel G functions modules || align="right"| 47.5 kGates || align="right"| 9752 Mbit/s || align="right"| 400 MHz<br />
|-<br />
| Blue Midnight Wish-256 || single-cycle f0 and f2, f1 iteratively || align="right"| 150 kGates || align="right"| 8486 Mbit/s || align="right"| 298 MHz<br />
|-<br />
| CubeHash16/32-256 || One round per cycle, IV fixed || align="right"| 42.5 kGates || align="right"| 10667 Mbit/s || align="right"| 667 MHz<br />
|-<br />
| ECHO-256 || 8 AES rounds per cycle || align="right"| 260 kGates || align="right"| 13966 Mbit/s || align="right"| 291 MHz<br />
|-<br />
| Fugue-256 || S-box as LUT || align="right"| 55 kGates || align="right"| 8815 Mbit/s || align="right"| 551 MHz<br />
|-<br />
| Grøstl-256 || P and Q permutation interleaved with one pipeline stage, S-box as LUT || align="right"| 135 kGates || align="right"| 16254 Mbit/s || align="right"| 667 MHz<br />
|-<br />
| Hamsi-256 || Message expansions in LUTs, one round per cycle || align="right"| 45 kGates || align="right"| 8686 Mbit/s || align="right"| 814 MHz<br />
|-<br />
| JH-256 || S-boxes as LUTs, stored constants || align="right"| 80 kGates || align="right"| 10807 Mbit/s || align="right"| 760 MHz<br />
|-<br />
| Keccak(-256) || One round per cycle || align="right"| 50 kGates || align="right"| 43011 Mbit/s || align="right"| 949 MHz<br />
|-<br />
| Luffa-256 || Three parallel step modules, SubCrumb as logic || align="right"| 55 kGates || align="right"| 23256 Mbit/s || align="right"| 727 MHz<br />
|-<br />
| Shabal-256 || 30 adders, 16 subtractors || align="right"| 45 kGates || align="right"| 6819 Mbit/s || align="right"| 693 MHz<br />
|-<br />
| SHAvite-3<sub>256</sub> || One AES round each for message expansion and F<sup>3</sup> round || align="right"| 75 kGates || align="right"| 7999 Mbit/s || align="right"| 562 MHz<br />
|-<br />
| SIMD-256 || Four parallel Feistel modules, message expansion based on NNT<sub>8</sub> and eight multipliers || align="right"| 135 kGates || align="right"| 5177 Mbit/s || align="right"| 364 MHz<br />
|-<br />
| Skein-256-256 || Four unrolled Threefish rounds || align="right"| 50 kGates || align="right"| 3558 Mbit/s || align="right"| 264 MHz<br />
|}<br />
<br />
<br /><br />
<br /><br />
<br />
<br />
=== All 14 Round-Two Candidates ===<br />
<br />
Designs optimized towards throughput to area ratio. The cited results are those for the Xilinx Virtex 5 platform only. For a full listing of all ATHENa results refer to the [http://cryptography.gmu.edu/athena/ ATHENa webpage].<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="200"| Reference !! width="120"| HDL !! width="120"| Category !! width="100"| Impl. Scope !! width="120"| Technology<br />
|- <br />
| [http://www.springerlink.com/content/q41257x376615p22/ Gaj et al.] [[#Ref030|[30]]] || N/A || [[#High-Speed_Implementations_(FPGA)|High-speed FPGA]] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Xilinx Virtex 5<br />
|}<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="140"| Hash Function Name !! width="270"| Impl. Details !! width="90"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| BLAKE-32 || || align="right"| 1851 slices || align="right"| 2610.6 Mbit/s || align="right"| 102 MHz<br />
|-<br />
| Blue Midnight Wish-256 || || align="right"| 4400 slices || align="right"| 5576.7 Mbit/s || align="right"| 10.9 MHz<br />
|-<br />
| CubeHash16/32-256 || || align="right"| 730 slices || align="right"| 3189.8 Mbit/s || align="right"| 199.4 MHz<br />
|-<br />
| ECHO-256 || || align="right"| 6453 slices || align="right"| 10133.4 Mbit/s || align="right"| 178.1 MHz<br />
|-<br />
| Fugue-256 || || align="right"| 956 slices || align="right"| 3151.2 Mbit/s || align="right"| 98.5 MHz<br />
|-<br />
| Grøstl-256 || || align="right"| 1884 slices || align="right"| 8676.5 Mbit/s || align="right"| 355.9 MHz<br />
|-<br />
| Hamsi-256 || || align="right"| 946 slices || align="right"| 2646.2 Mbit/s || align="right"| 248.1 MHz<br />
|-<br />
| JH-256 || || align="right"| 1275 slices || align="right"| 4013.5 Mbit/s || align="right"| 282.2 MHz<br />
|-<br />
| Keccak(-256) || || align="right"| 1229 slices || align="right"| 10806.5 Mbit/s || align="right"| 238.4 MHz<br />
|-<br />
| Luffa-256 || || align="right"| 1154 slices || align="right"| 8008 Mbit/s || align="right"| 281.5 MHz<br />
|-<br />
| Shabal-256 || || align="right"| 1266 slices || align="right"| 2624 Mbit/s || align="right"| 128.1 MHz<br />
|-<br />
| SHAvite-3<sub>256</sub> || || align="right"| 1130 slices || align="right"| 2885.9 Mbit/s || align="right"| 208.6 MHz<br />
|-<br />
| SIMD-256 || || align="right"| 9288 slices || align="right"| 2325.9 Mbit/s || align="right"| 40.9 MHz<br />
|-<br />
| Skein-256-256 || || align="right"| 1312 slices || align="right"| 1416.1 Mbit/s || align="right"| 49.8 MHz<br />
|}<br />
<br />
<br /><br />
<br /><br />
<br />
<br />
=== All 14 Round-Two Candidates ===<br />
<br />
Results are without wrapper for long messages.<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="200"| Reference !! width="120"| HDL !! width="120"| Category !! width="100"| Impl. Scope !! width="120"| Technology<br />
|- <br />
| [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] || [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#High-Speed_Implementations_(FPGA)|High-speed FPGA]] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Xilinx Virtex 5<br />
|}<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="140"| Hash Function Name !! width="270"| Impl. Details !! width="90"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| BLAKE-32 || || align="right"| 1118 slices || align="right"| 1169 Mbit/s || align="right"| 118.06 MHz<br />
|-<br />
| BLAKE-64 || || align="right"| 1718 slices || align="right"| 1299 Mbit/s || align="right"| 90.91 MHz<br />
|-<br />
| Blue Midnight Wish-256 || || align="right"| 4997 slices || align="right"| 457 Mbit/s || align="right"| 14.02 MHz<br />
|-<br />
| Blue Midnight Wish-512 || || align="right"| 9810 slices || align="right"| 287 Mbit/s || align="right"| 10 MHz<br />
|-<br />
| CubeHash8/32 || || align="right"| 695 slices || align="right"| 2509 Mbit/s || align="right"| 166.83 MHz<br />
|-<br />
| ECHO-256 || || align="right"| 7372 slices || align="right"| 5373 Mbit/s || align="right"| 198.93 MHz<br />
|-<br />
| ECHO-512 || || align="right"| 8633 slices || align="right"| 18133 Mbit/s || align="right"| 166.69 MHz<br />
|-<br />
| Fugue-256 || || align="right"| 1689 slices || align="right"| 914 Mbit/s || align="right"| 200.04 MHz<br />
|-<br />
| Fugue-384 || || align="right"| 2380 slices || align="right"| 640 Mbit/s || align="right"| 200.08 MHz<br />
|-<br />
| Fugue-512 || || align="right"| 2596 slices || align="right"| 481 Mbit/s || align="right"| 200.16 MHz<br />
|-<br />
| Grøstl-256 || || align="right"| 2391 slices || align="right"| 3242 Mbit/s || align="right"| 101.32 MHz<br />
|-<br />
| Grøstl-512 || || align="right"| 4845 slices || align="right"| 3619 Mbit/s || align="right"| 123.4 MHz<br />
|-<br />
| Hamsi-256 || || align="right"| 1518 slices || align="right"| 358 Mbit/s || align="right"| 72.41 MHz<br />
|-<br />
| Hamsi-512 || || align="right"| 6229 slices || align="right"| 79 Mbit/s || align="right"| 16.51 MHz<br />
|-<br />
| JH || || align="right"| 1291 slices || align="right"| 1941 Mbit/s || align="right"| 250.13 MHz<br />
|-<br />
| Keccak(-224) || || align="right"| 1117 slices || align="right"| 5915 Mbit/s || align="right"| 189 MHz<br />
|-<br />
| Keccak(-256) || || align="right"| 1117 slices || align="right"| 6263 Mbit/s || align="right"| 189 MHz<br />
|-<br />
| Keccak(-384) || || align="right"| 1117 slices || align="right"| 8190 Mbit/s || align="right"| 189 MHz<br />
|-<br />
| Keccak(-512) || || align="right"| 1117 slices || align="right"| 8518 Mbit/s || align="right"| 189 MHz<br />
|-<br />
| Luffa-256 || || align="right"| 2221 slices || align="right"| 5333 Mbit/s || align="right"| 166.67 MHz<br />
|-<br />
| Luffa-384 || || align="right"| 3740 slices || align="right"| 5336 Mbit/s || align="right"| 166.75 MHz<br />
|-<br />
| Luffa-512 || || align="right"| 3700 slices || align="right"| 5336 Mbit/s || align="right"| 166.75 MHz<br />
|-<br />
| Shabal || || align="right"| 1583 slices || align="right"| 1469 Mbit/s || align="right"| 148.04 MHz<br />
|-<br />
| SHAvite-3<sub>256</sub> || || align="right"| 3125 slices || align="right"| 1170 Mbit/s || align="right"| 109.17 MHz<br />
|-<br />
| SHAvite-3<sub>512</sub> || || align="right"| 9775 slices || align="right"| 931 Mbit/s || align="right"| 59.4 MHz<br />
|-<br />
| SIMD-256 || || align="right"| 22704 slices || align="right"| 1338 Mbit/s || align="right"| 107.2 MHz<br />
|-<br />
| SIMD-512 || || align="right"| 43729 slices || align="right"| 2677 Mbit/s || align="right"| 107.2 MHz<br />
|-<br />
| Skein-512 || || align="right"| 1786 slices || align="right"| 1945 Mbit/s || align="right"| 83.65 MHz<br />
|}<br />
<br />
<br /><br />
<br /><br />
<br />
<br />
=== All 14 Round-Two Candidates ===<br />
<br />
Results include throughputs without interface overhead.<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="200"| Reference !! width="120"| HDL !! width="120"| Category !! width="100"| Impl. Scope !! width="120"| Technology<br />
|- <br />
| [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/MATSUO_SHA-3_Criteria_Hardware_revised.pdf Matsuo et al.] [[#Ref033|[33]]] || [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] || [[#High-Speed_Implementations_(FPGA)|High-speed FPGA]] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Xilinx Virtex 5<br />
|}<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="140"| Hash Function Name !! width="270"| Impl. Details !! width="90"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| BLAKE-32 || || align="right"| 1660 slices || align="right"| 2676 Mbit/s || align="right"| 115 MHz<br />
|-<br />
| Blue Midnight Wish-256 || || align="right"| 4350 slices || align="right"| 8704 Mbit/s || align="right"| 34 MHz<br />
|-<br />
| CubeHash16/32-256 || || align="right"| 590 slices || align="right"| 2960 Mbit/s || align="right"| 185 MHz<br />
|-<br />
| ECHO-256 || || align="right"| 2827 slices || align="right"| 2312 Mbit/s || align="right"| 149 MHz<br />
|-<br />
| Fugue-256 || || align="right"| 4013 slices || align="right"| 1248 Mbit/s || align="right"| 78 MHz<br />
|-<br />
| Grøstl-256 || || align="right"| 2616 slices || align="right"| 7885 Mbit/s || align="right"| 154 MHz<br />
|-<br />
| Hamsi-256 || || align="right"| 718 slices || align="right"| 1680 Mbit/s || align="right"| 210 MHz<br />
|-<br />
| JH-256 || || align="right"| 2661 slices || align="right"| 2639 Mbit/s || align="right"| 201 MHz<br />
|-<br />
| Keccak(-256) || || align="right"| 1433 slices || align="right"| 8397 Mbit/s || align="right"| 205 MHz<br />
|-<br />
| Luffa-256 || || align="right"| 1048 slices || align="right"| 7424 Mbit/s || align="right"| 261 MHz<br />
|-<br />
| Shabal-256 || || align="right"| 1251 slices || align="right"| 2335 Mbit/s || align="right"| 228 MHz<br />
|-<br />
| SHAvite-3<sub>256</sub> || || align="right"| 1063 slices || align="right"| 3382 Mbit/s || align="right"| 251 MHz<br />
|-<br />
| SIMD-256 || || align="right"| 3987 slices || align="right"| 835 Mbit/s || align="right"| 75 MHz<br />
|-<br />
| Skein-256-256 || || align="right"| 854 slices || align="right"| 1402 Mbit/s || align="right"| 115 MHz<br />
|}<br />
<br />
<br />
----<br />
<br />
<br />
Same implementations as in [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/MATSUO_SHA-3_Criteria_Hardware_revised.pdf Matsuo et al.] [[#Ref033|[33]]] implemented on STM 90 nm technology.<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="200"| Reference !! width="120"| HDL !! width="120"| Category !! width="100"| Impl. Scope !! width="120"| Technology<br />
|- <br />
| [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] [[#Ref037|[37]]] || [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] || [[#High-Speed_Implementations_(ASIC)|High-speed ASIC]] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || STM 90 nm<br />
|}<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="140"| Hash Function Name !! width="270"| Impl. Details !! width="90"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| BLAKE-32 || || align="right"| 37 kGates || align="right"| 6668 Mbit/s || align="right"| 286.5 MHz<br />
|-<br />
| Blue Midnight Wish-256 || || align="right"| 128.7 kGates || align="right"| 25937 Mbit/s || align="right"| 101.3 MHz<br />
|-<br />
| CubeHash16/32-256 || || align="right"| 35.5 kGates || align="right"| 8247 Mbit/s || align="right"| 515.5 MHz<br />
|-<br />
| ECHO-256 || || align="right"| 101.1 kGates || align="right"| 5621 Mbit/s || align="right"| 362.3 MHz<br />
|-<br />
| Fugue-256 || || align="right"| 56.7 kGates || align="right"| 2721 Mbit/s || align="right"| 170.1 MHz<br />
|-<br />
| Grøstl-256 || || align="right"| 139.1 kGates || align="right"| 17297 Mbit/s || align="right"| 337.8 MHz<br />
|-<br />
| Hamsi-256 || || align="right"| 67.6 kGates || align="right"| 7767 Mbit/s || align="right"| 970.9 MHz<br />
|-<br />
| JH-256 || || align="right"| 54.6 kGates || align="right"| 10022 Mbit/s || align="right"| 763.4 MHz<br />
|-<br />
| Keccak(-256) || || align="right"| 50.7 kGates || align="right"| 33333 Mbit/s || align="right"| 781.3 MHz<br />
|-<br />
| Luffa-256 || || align="right"| 39.6 kGates || align="right"| 28732 Mbit/s || align="right"| 1010.1 MHz<br />
|-<br />
| Shabal-256 || || align="right"| 34.6 kGates || align="right"| 6059 Mbit/s || align="right"| 591.7 MHz<br />
|-<br />
| SHAvite-3<sub>256</sub> || || align="right"| 59.4 kGates || align="right"| 8421 Mbit/s || align="right"| 625 MHz<br />
|-<br />
| SIMD-256 || || align="right"| 139 kGates || align="right"| 3171 Mbit/s || align="right"| 284.9 MHz<br />
|-<br />
| Skein-256-256 || || align="right"| 43.1 kGates || align="right"| 3295 Mbit/s || align="right"| 270.3 MHz<br />
|}<br />
<br />
<br /><br />
<br /><br />
<br />
=== Blue Midnight Wish, Keccak, Luffa ===<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="200"| Reference !! width="120"| HDL !! width="120"| Category !! width="100"| Impl. Scope !! width="120"| Technology<br />
|- <br />
| [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SAVAS_SHA3_NIST_final.pdf Akin et al.] [[#Ref034|[34]]] || N/A || [[#High-Speed_Implementations_(FPGA)|High-speed FPGA]] || [[#Implementation_of_Core_Functionality|Core functionality]] || Xilinx Spartan 3<br />
|}<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="140"| Hash Function Name !! width="270"| Impl. Details !! width="90"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| Blue Midnight Wish || Compression function with f0, f1, and f2 unrolled in sequence || align="right"| 10531 slices || align="right"| 2110 Mbit/s || align="right"| 4.22 MHz<br />
|-<br />
| Keccak || One Keccak-f round per cycle || align="right"| 2024 slices || align="right"| 3460 Mbit/s || align="right"| 81.4 MHz<br />
|-<br />
| Luffa || Three step modules || align="right"| 2956 slices || align="right"| 1480 Mbit/s || align="right"| 157.3 MHz<br />
|}<br />
<br />
<br />
----<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="200"| Reference !! width="120"| HDL !! width="120"| Category !! width="100"| Impl. Scope !! width="120"| Technology<br />
|- <br />
| [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SAVAS_SHA3_NIST_final.pdf Akin et al.] [[#Ref034|[34]]] || N/A || [[#High-Speed_Implementations_(FPGA)|High-speed FPGA]] || [[#Implementation_of_Core_Functionality|Core functionality]] || Xilinx Virtex-II<br />
|}<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="140"| Hash Function Name !! width="270"| Impl. Details !! width="90"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| Blue Midnight Wish || Compression function with f0, f1, and f2 unrolled in sequence || align="right"| 10432 slices || align="right"| 3360 Mbit/s || align="right"| 6.71 MHz<br />
|-<br />
| Keccak || One Keccak-f round per cycle || align="right"| 2024 slices || align="right"| 5810 Mbit/s || align="right"| 136.6 MHz<br />
|-<br />
| Luffa || Three step modules || align="right"|2952 slices || align="right"| 8370 Mbit/s || align="right"| 301.4 MHz<br />
|}<br />
<br />
<br />
----<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="200"| Reference !! width="120"| HDL !! width="120"| Category !! width="100"| Impl. Scope !! width="120"| Technology<br />
|- <br />
| [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SAVAS_SHA3_NIST_final.pdf Akin et al.] [[#Ref034|[34]]] || N/A || [[#High-Speed_Implementations_(FPGA)|High-speed FPGA]] || [[#Implementation_of_Core_Functionality|Core functionality]] || Xilinx Virtex 4<br />
|}<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="140"| Hash Function Name !! width="270"| Impl. Details !! width="90"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| Blue Midnight Wish || Compression function with f0, f1, and f2 unrolled in sequence || align="right"| 10486 slices || align="right"| 4510 Mbit/s || align="right"| 9.01 MHz<br />
|-<br />
| Keccak || One Keccak-f round per cycle || align="right"| 2024 slices || align="right"| 6070 Mbit/s || align="right"| 142.9 MHz<br />
|-<br />
| Luffa || Three step modules || align="right"| 2989 slices || align="right"| 8560 Mbit/s || align="right"| 308.2 MHz<br />
|}<br />
<br />
<br />
----<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="200"| Reference !! width="120"| HDL !! width="120"| Category !! width="100"| Impl. Scope !! width="120"| Technology<br />
|- <br />
| [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SAVAS_SHA3_NIST_final.pdf Akin et al.] [[#Ref034|[34]]] || N/A || [[#High-Speed_Implementations_(ASIC)|High-speed ASIC]] || [[#Implementation_of_Core_Functionality|Core functionality]] || Synopsys 90 nm<br />
|}<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="140"| Hash Function Name !! width="270"| Impl. Details !! width="90"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| Blue Midnight Wish || Compression function with f0, f1, and f2 unrolled in sequence || align="right"| 55.9 kGates || align="right"| 26320 Mbit/s || align="right"| 52.63 MHz<br />
|-<br />
| Keccak || One Keccak-f round per cycle || align="right"| 10.5 kGates || align="right"| 19320 Mbit/s || align="right"| 454.5 MHz<br />
|-<br />
| Luffa || Three step modules || align="right"| 11.5 kGates || align="right"| 21370 Mbit/s || align="right"| 769.2 MHz<br />
|}<br />
<br />
=== All 14 Round-Two Candidates ===<br />
<br />
Results are post-P&amp;R and include throughputs without interface overhead.<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="200"| Reference !! width="120"| HDL !! width="120"| Category !! width="100"| Impl. Scope !! width="120"| Technology<br />
|- <br />
| [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SCHAUMONT_SHA3.pdf Guo et al.] [[#Ref035|[35]]] || N/A || [[#High-Speed_Implementations_(ASIC)|High-speed ASIC]] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || UMC 0.13 µm<br />
|}<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="140"| Hash Function Name !! width="270"| Impl. Details !! width="90"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| BLAKE-32 || || align="right"| 43.52 kGates || align="right"| 4645 Mbit/s || align="right"| 200 MHz<br />
|-<br />
| Blue Midnight Wish-256 || || align="right"| 198.17 kGates || align="right"| 12220 Mbit/s || align="right"| 48 MHz<br />
|-<br />
| CubeHash16/32-256 || || align="right"| 38.18 kGates || align="right"| 4624 Mbit/s || align="right"| 289 MHz<br />
|-<br />
| ECHO-256 || || align="right"| 92.73 kGates || align="right"| 3366 Mbit/s || align="right"| 217 MHz<br />
|-<br />
| Fugue-256 || || align="right"| 91.09 kGates || align="right"| 2385 Mbit/s || align="right"| 149 MHz<br />
|-<br />
| Grøstl-256 || || align="right"| 110.11 kGates || align="right"| 9606 Mbit/s || align="right"| 188 MHz<br />
|-<br />
| Hamsi-256 || || align="right"| 29.94 kGates || align="right"| 3571 Mbit/s || align="right"| 446 MHz<br />
|-<br />
| JH-256 || || align="right"| 62.42 kGates || align="right"| 5128 Mbit/s || align="right"| 391 MHz<br />
|-<br />
| Keccak(-256) || || align="right"| 47.43 kGates || align="right"| 15457 Mbit/s || align="right"| 377 MHz<br />
|-<br />
| Luffa-256 || || align="right"| 37.94 kGates || align="right"| 13943 Mbit/s || align="right"| 490 MHz<br />
|-<br />
| Shabal-256 || || align="right"| 49.44 kGates || align="right"| 2945 Mbit/s || align="right"| 362 MHz<br />
|-<br />
| SHAvite-3<sub>256</sub> || || align="right"| 55.25 kGates || align="right"| 4599 Mbit/s || align="right"| 341 MHz<br />
|-<br />
| SIMD-256 || || align="right"| 139.55 kGates || align="right"| 2157 Mbit/s || align="right"| 194 MHz<br />
|-<br />
| Skein-256-256 || || align="right"| 40.9 kGates || align="right"| 1941 Mbit/s || align="right"| 159 MHz<br />
|}<br />
<br />
<br /><br />
<br /><br />
<br />
== References ==<br />
<br />
<div id="Ref001"><br />
[1] Jean-Philippe Aumasson, Luca Henzen, Willi Meier, and Raphael C.-W. Phan. SHA-3 proposal BLAKE (version 1.3). Available online at http://131002.net/blake/blake.pdf.<br />
</div><br />
<br />
<div id="Ref002"><br />
[2] A. H. Namin and M. A. Hasan. Hardware Implementation of the Compression Function for Selected SHA-3 Candidates. Available online at http://www.vlsi.uwaterloo.ca/~ahasan/hasan_report.html.<br />
</div><br />
<br />
<div id="Ref003"><br />
[3] Kazuyuki Kobayashi, Jun Ikegami, Shin'ichiro Matsuo, Kazuo Sakiyama, and Kazuo Ohta. Evaluation of Hardware Performance for the SHA-3 Candidates Using SASEBO-GII. IACR Eprint report 2010/010. Available online at http://eprint.iacr.org/2010/010.pdf.<br />
</div><br />
<br />
<div id="Ref004"><br />
[4] Brian Baldwin, Andrew Byrne, Mark Hamilton, Neil Hanley, Robert P. McEvoy, Weibo Pan, and William P. Marnane. FPGA Implementations of SHA-3 Candidates: CubeHash, Grøstl, LANE, Shabal and Spectral Hash. IACR Eprint report 2009/342. Available online at http://eprint.iacr.org/2009/342.pdf.<br />
</div><br />
<br />
<div id="Ref005"><br />
[5] Liang Lu, Maire O'Neil, and Earl Swartzlander. Hardware Evaluation of SHA-3 Hash Function Candidate ECHO. Presentation at the Clauce Shannon Institute Workshop on Coding and Cryptography 2009. Slides available online at http://www.ucc.ie/en/crypto/CodingandCryptographyWorkshop/TheClaudeShannonWorkshoponCodingCryptography2009/DocumentFile,75649,en.pdf.<br />
</div><br />
<br />
<div id="Ref006"><br />
[6] Bernhard Jungk, Steffen Reith, and Jürgen Apfelbeck. On Optimized FPGA Implementations of the SHA-3 Candidate Grøstl. IACR Eprint report 2009/206. Available online at http://eprint.iacr.org/2009/206.pdf.<br />
</div><br />
<br />
<div id="Ref007"><br />
[7] Praveen Gauravaram, Lars R. Knudsen, Krystian Matusievicz, Florian Mendel, Christian Rechberger, Martin Schläffer, and Søren S. Thomsen. Grøstl - a SHA-3 candidate (October 31, 2008). Available online at http://www.groestl.info/Groestl.pdf.<br />
</div><br />
<br />
<div id="Ref008"><br />
[8] Guido Bertoni, Joan Daemen, Michaël Peeters, and Gilles van Assche. KECCAK sponge function family main document (Version 1.2, April 23, 2009). Available online at http://keccak.noekeon.org/Keccak-main-1.2.pdf.<br />
</div><br />
<br />
<div id="Ref009"><br />
[9] Joachim Strömbergson. Implementation of the Keccak Hash Function in FPGA Devices. Available online at http://www.strombergson.com/files/Keccak_in_FPGAs.pdf.<br />
</div><br />
<br />
<div id="Ref010"><br />
[10] Romain Feron and Julien Francq. FPGA Implementation of Shabal: Our First Results (Version 2.0, February 19, 2010). Available online at http://www.shabal.com/wp-content/uploads/2010/03/FPGA-Implementation-of-Shabal-First-ResultsV2.0.pdf.<br />
</div><br />
<br />
<div id="Ref011"><br />
[11] Men Long. Implementing Skein Hash Function on Xilinx Virtex-5 FPGA Platform (Version 0.7, February 2, 2009). Available online at http://www.skein-hash.info/sites/default/files/skein_fpga.pdf.<br />
</div><br />
<br />
<div id="Ref012"><br />
[12] Stefan Tillich. Hardware Implementation of the SHA-3 Candidate Skein. IACR Eprint report 2009/159. Available online at http://eprint.iacr.org/2009/159.pdf.<br />
</div><br />
<br />
<div id="Ref013"><br />
[13] Jean-Luc Beuchat, Eiji Okamoto, and Teppei Yamazaki. Compact Implementations of BLAKE-32 and BLAKE-64 on FPGA. IACR Eprint report 2010/173. Available online at http://eprint.iacr.org/2010/173.pdf.<br />
</div><br />
<br />
<div id="Ref014"><br />
[14] Stefan Tillich, Martin Feldhofer, Mario Kirschbaum, Thomas Plos, Jörn-Marc Schmidt, and Alexander Szekely. High-Speed Hardware Implementations of BLAKE, Blue Midnight Wish, CubeHash, ECHO, Fugue, Grøstl, Hamsi, JH, Keccak, Luffa, Shabal, SHAvite-3, SIMD, and Skein. IACR Eprint report 2009/510. Available online at http://eprint.iacr.org/2009/510.pdf.<br />
</div><br />
<br />
<div id="Ref015"><br />
[15] Shai Halevi, William E. Hall, and Charanjit S. Jutla. The Hash Function Fugue (October 30, 2008). Available online at http://domino.research.ibm.com/comm/research_projects.nsf/pages/fugue.index.html/$FILE/NIST-submission-Oct08-fugue.pdf.<br />
</div><br />
<br />
<div id="Ref016"><br />
[16] Junfeng Fan. Hardware Evaluation of The Hash Function Hamsi. Available online at http://homes.esat.kuleuven.be/~okucuk/hamsi/implementations.html.<br />
</div><br />
<br />
<div id="Ref017"><br />
[17] Miroslav Knezevic and Ingrid Verbeiwhede. Hardware Evaluation of the Luffa Hash Family. 4th Workshop on Embedded Systems Security 2009. Available online at http://www.cosic.esat.kuleuven.be/publications/article-1282.pdf.<br />
</div><br />
<br />
<div id="Ref018"><br />
[18] Stefan Tillich, Martin Feldhofer, Wolfgang Issovits, Thomas Kern, Hermann Kureck, Michael Mühlberghuber, Georg Neubauer, Andreas Reiter, Armin Köfler, and Mathias Mayrhofer. Compact Hardware Implementations of the SHA-3 Candidates ARIRANG, BLAKE, Grøstl, and Skein. IACR Eprint report 2009/349. Available online at http://eprint.iacr.org/2009/349.pdf.<br />
</div><br />
<br />
<div id="Ref019"><br />
[19] Grøstl website. http://www.groestl.info/.<br />
</div><br />
<br />
<div id="Ref020"><br />
[20] Markus Bernet, Luca Henzen, Hubert Kaeslin, Norbert Felber, and Wolfgang Fichtner. Hardware Implementations of the SHA-3 Candidates Shabal and CubeHash. 52nd IEEE International Midwest Symposium on Circuits and Systems, 2009. Available online at http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=5236043.<br />
</div><br />
<br />
<div id="Ref021"><br />
[21] Michel Kinsy and Richard Uhler. SHA-3: FPGA Implementation of ESSENCE and ECHO Hash Algorithm Candidates Using Bluespec. Available online at http://csg.csail.mit.edu/6.375/6_375_2009_www/projects/group1_report.pdf.<br />
</div><br />
<br />
<div id="Ref022"><br />
[22] Bernhard Jungk and Steffen Reith. On FPGA-based implementations of Grøstl. IACR Eprint report 2010/260. Available online at http://eprint.iacr.org/2010/260.pdf.<br />
</div><br />
<br />
<div id="Ref023"><br />
[23] Jérémie Detrey, Pierre Gaudry, and Karim Khalfallah. A Low-Area yet Performant FPGA Implementation of Shabal. IACR Eprint report 2010/292. Available online at http://eprint.iacr.org/2010/292.pdf.<br />
</div><br />
<br />
<div id="Ref024"><br />
[24] Jean-Luc Beuchat, Eiji Okamoto, and Teppei Yamazaki. A Compact FPGA Implementation of the SHA-3 Candidate ECHO. IACR Eprint report 2010/364. Available online at http://eprint.iacr.org/2010/364.pdf.<br />
</div><br />
<br />
<div id="Ref025"><br />
[25] Wim Ramakers and Hans Narinx. Implementation and evaluation of SHA-3 candidates on FPGA. Extended abstract of Master Thesis &quot;Implementatie en Evaluatie van SHA-3-Kandidaten op FPGA&quot; (Dutch). Extended abstract available online at http://ehash.iaik.tugraz.at/uploads/1/12/Ramakers_Narinx2010ECHO-Hamsi-Luffa_ExtendedAbstract_ENGLISH.pdf. Full thesis available online at http://ehash.iaik.tugraz.at/uploads/6/62/Ramakers_Narinx2010ECHO-Hamsi-Luffa_Thesis_DUTCH.pdf.<br />
</div><br />
<br />
<div id="Ref026"><br />
[26] Julien Francq and Céline Thuillet. Unfolding Method for Shabal on Virtex-5 FPGAs: Concrete Results. IACR Eprint report 2010/406. Available online at http://eprint.iacr.org/2010/406.pdf.<br />
</div><br />
<br />
<div id="Ref027"><br />
[27] Shugo Mikami, Nagamasa Mizushima, Setsuko Nakamura, and Dai Watanabe. A Compact Hardware Implementation of SHA-3 Candidate Luffa. Available online at http://www.sdl.hitachi.co.jp/crypto/luffa/ACompactHardwareImplementationOfSHA-3CandidateLuffa_20100810.pdf.<br />
</div><br />
<br />
<div id="Ref028"><br />
[28] Imed Mabrouk and Ryad Benadjila. ECHO webpage (hardware subpage). http://crypto.rd.francetelecom.com/ECHO/hard/.<br />
</div><br />
<br />
<div id="Ref029"><br />
[29] Luca Henzen, Pietro Gendotti, Patrice Guillet, Enrico Pargaetzi, Martin Zoller, and Frank K. Gürkaynak. Developing a Hardware Evaluation Method for SHA-3 Candidates. 12th International Workshop on Cryptographic Hardware and Embedded Systems (CHES), 2010. Available online at http://www.springerlink.com/content/g0115v3272156r06/.<br />
</div><br />
<br />
<div id="Ref030"><br />
[30] Kris Gaj, Ekawat Homsirikamol, and Marcin Rogawski. Fair and Comprehensive Methodology for Comparing Hardware Performance of Fourteen Round Two SHA-3 Candidates Using FPGAs. 12th International Workshop on Cryptographic Hardware and Embedded Systems (CHES), 2010. Available online at http://www.springerlink.com/content/q41257x376615p22/.<br />
</div><br />
<br />
<div id="Ref031"><br />
[31] Brian Baldwin, Neil Hanley, Mark Hamilton, Liang Lu, Andrew Byrne, Maire O'Neill, and William P. Marnane. FPGA Implementations of the Round Two SHA-3 Candidates. Second SHA-3 Candidate Conference, 2010. Available online at http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf.<br />
</div><br />
<br />
<div id="Ref032"><br />
[32] Mohamed El Hadedy, Martin Margala, Danilo Gligoroski, and Svein J. Knapskog. Resource-Efficient Implementation of Blue Midnight Wish-256 Hash Function on Xilinx FPGA Platform. Second SHA-3 Candidate Conference, 2010. Available online at http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/El-Hadedy_SmallSizeFPGA-BMW256.pdf.<br />
</div><br />
<br />
<div id="Ref033"><br />
[33] Shin'ichiro Matsuo, Miroslav Knezevic, Patrick Schaumont, Ingrid Verbauwhede, Akashi Satoh, Kazuo Sakiyama, and Kazuo Ota. How Can We Conduct "Fair and Consistent" Hardware Evaluation for SHA-3 Candidate? Second SHA-3 Candidate Conference, 2010. Available online at http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/MATSUO_SHA-3_Criteria_Hardware_revised.pdf.<br />
</div><br />
<br />
<div id="Ref034"><br />
[34] Abdulkadir Akin, Aydin Aysu, Onur Can Ulusel, and Erkay Savas. Efficient Hardware Implementations of High Throughput SHA-3 Candidates Keccak, Luffa and Blue Midnight Wish for Single- and Multi-Message Hashing. Second SHA-3 Candidate Conference, 2010. Available online at http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SAVAS_SHA3_NIST_final.pdf.<br />
</div><br />
<br />
<div id="Ref035"><br />
[35] Xu Guo, Sinan Huang, Leyla Nazhandali, and Patrick Schaumont. Fair and Comprehensive Performance Evaluation of 14 Second Round SHA-3 ASIC Implementations. Second SHA-3 Candidate Conference, 2010. Available online at http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SCHAUMONT_SHA3.pdf.<br />
</div><br />
<br />
<div id="Ref036"><br />
[36] Jesse Walker, Farhana Sheikh, Sanu K. Mathew, and Ram Krishnamurthy. A Skein-512 Hardware Implementation. Available online at http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/WALKER_skein-intel-hwd.pdf.<br />
</div><br />
<br />
<div id="Ref037"><br />
[37] RCIS webpage. http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html.<br />
</div><br />
<br />
<div id="Ref038"><br />
[38] Akashi Satoh, Toshihiro Katashita, Takeshi Sugawara, Naofumi Homma, and Takafumi Aoki. Hardware Implementations of Hash Function Luffa. IEEE International Symposium on Hardware-Oriented Security and Trust (HOST), 2010. Available online at http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=5513102&tag=1.<br />
</div><br />
<br />
<div id="Ref039"><br />
[39] RCIS webpage (Other ASIC Implementations). http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/others.html.<br />
</div><br />
<br />
<div id="Ref040"><br />
[40] Luca Henzen, Jean-Philippe Aumasson, Willi Meier, and Raphael C.-W. Phan. VLSI Characterization of the Cryptographic Hash Function BLAKE. IEEE T VLSI, 2010. Available online at http://131002.net/data/papers/HAMP10.pdf.<br />
</div></div>
JAumasson
https://ehash.iaik.tugraz.at/index.php?title=SHA-3_Hardware_Implementations&diff=3607
SHA-3 Hardware Implementations
2010-09-22T07:45:41Z
<p>JAumasson: added high-speed implementations from [40]</p>
<hr />
<div>== Call for Contributions ==<br />
<br />
Implementers (both submitters and non-submitters): You have results that complement this site? <br />
Let us know at sha3zoo-hardware@iaik.tugraz.at If you are making your HDL code available, please also provide us with according information.<br />
<br />
== Important Information ==<br />
<br />
This page summarizes key properties of reported hardware implementations of those SHA-3 candidates, which are currently under consideration by NIST. This is work in progress. If you know of any implementations which should be mentioned on this page, refer to our [[#Call_for_Contributions|call for contributions]].<br />
<br />
A list of hardware implementations of the round 1 candidates can be found [[SHA-3_Hardware_Implementations_Round_One|here]]. Please note that the page for round 1 candidates is provided for reference and will not be updated.<br />
<br />
The implementations are categorized into FPGA and standard-cell ASIC implementations. Note that the diversity of implementation scope, target technologies, and synthesis tools makes direct comparisions between different hardware implementation difficult. The more of these parameters agree, the more reasonable the comparison becomes. <br />
<br />
The target technology should be as similar as possible. For FPGA implementation, it is desirable to compare implementations on the same target device (or at least on devices of the same FPGA family). For standard-cell ASIC implementation, at least the minimal gate length of the process (e.g., 0.13 µm) should agree. More ideally, the implementations use the same standard-cell library (which implies the use of the same process technology).<br />
<br />
In order to facilitate the comparision of hardware modules with different implementation scopes, we classify them into three categories:<br />
<br />
* [[#Fully_Autonomous_Implementation|Fully autonomous]]<br />
* [[#Implementation_with_External_Memory|Using external memory]]<br />
* [[#Implementation_of_Core_Functionality|Core functionality]]<br />
<br />
For suggestions regarding the structure of this site, let us know at sha3zoo-hardware@iaik.tugraz.at<br />
<br />
=== Fully Autonomous Implementation ===<br />
<br />
[[Image:HW_type_self-cont.jpg]]<br />
<br />
Such hardware implementations include the complete functionality of a SHA-3 candidate (or a specific version thereof). That means the input message can be loaded piecewise into the hardware module and it delivers the message digest as output. All hash calculations happen exclusively within the hardware module. If integrated in a system, the achievable throughput of a fully autonomous implementation depends on the speed of the hardware module itself and the speed of the (system dependent) data interface delivering the input message.<br />
<br />
<br />
=== Implementation with External Memory ===<br />
<br />
[[Image:HW_type_ext-mem.jpg]]<br />
<br />
These implementations use external memory to hold intermediate values during the hashing of a message. The implemented hardware itself normally consists of the core logic functionality of the hash function, some registers for short-lived temporary values, and possible a memory controller for access to the external memory. Such implementations can load the input message either over a dedicated interface (similar to a fully autonomous implementation) or from the external memory. In order to reach the maximal throughput of the hardware module, the external memory must be sufficiently fast.<br />
<br />
<br />
=== Implementation of Core Functionality ===<br />
<br />
[[Image:HW_type_core-funct.jpg]]<br />
<br />
Such implementations comprise only important parts of the hash function (e.g., the compression function), which normally allows to get a first-order estimate of the performance figures of full implementations.<br />
<br />
== Ongoing Hardware Benchmarking Efforts ==<br />
<br />
To describe it in the words of the initiators and maintainers: "ATHENa: Automated Tool for Hardware EvaluatioN is a project started at George Mason University, aimed at fair, comprehensive, and automated evaluation of cryptographic cores developed using hardware description languages, such as VHDL and Verilog." More information about the project and the current results can be found on the [http://cryptography.gmu.edu/athena/ ATHENa webpage]. Note: As each hash module submitted to ATHENAa is implemented on several FPGA platforms, the SHA-3 zoo pages will not replicate all results produced by the ATHENa project on this webpage. Instead please refer directly to the [http://cryptography.gmu.edu/athena/ ATHENa webpage].<br />
<br />
== Summary of All Results ==<br />
<br />
This section includes four categories of implementations (high-speed, low-area, both for FPGA and ASIC) which include known published results. If the HDL sourcecode is available, a link is provided as well.<br />
<br />
=== High-Speed Implementations (FPGA) ===<br />
<br />
Important note: The size and functionality of slices varies between FPGA families. A direct comparision of the slice count of implementations on different FPGA families is therefore problematic.<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="120"| Hash Function Name !! width="150"| Reference / HDL !! width="100"| Impl. Scope !! width="200"| Impl. Details !! width="100"| Technology !! width="80"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| BLAKE-32 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with 8 G function units || Xilinx Virtex-II Pro || align="right"| 3091 slices || align="right"| 1724 Mbit/s || align="right"| 37.0 MHz<br />
|-<br />
| BLAKE-32 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with 8 G function units || Xilinx Virtex 4 || align="right"| 3087 slices || align="right"| 2235 Mbit/s || align="right"| 48.0 MHz<br />
|-<br />
| BLAKE-32 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with 8 G function units || Xilinx Virtex 5 || align="right"| 1694 slices || align="right"| 3103 Mbit/s || align="right"| 67.0 MHz<br />
|-<br />
| BLAKE-32 || [http://www.vlsi.uwaterloo.ca/~ahasan/hasan_report.html Namin and Hasan] [[#Ref002|[2]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with 8 G function units and I/O registers || Altera Stratix III || align="right"| 5435 ALUTs || align="right"| 2186.2 Mbit/s || align="right"| 46.97 MHz<br />
|-<br />
| BLAKE-32 || [http://eprint.iacr.org/2010/010.pdf Kobayashi et al.] [[#Ref003|[3]]] / [http://www.rcis.aist.go.jp/special/SASEBO/SHA3-en.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1660 slices || align="right"| 2676 Mbit/s || align="right"| 115 MHz<br />
|-<br />
| BLAKE-32 || [http://www.springerlink.com/content/q41257x376615p22/ Gaj et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1851 slices || align="right"| 2610.6 Mbit/s || align="right"| 102 MHz<br />
|-<br />
| BLAKE-32 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1118 slices || align="right"| 1169 Mbit/s || align="right"| 118.06 MHz<br />
|-<br />
| BLAKE-32 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/MATSUO_SHA-3_Criteria_Hardware_revised.pdf Matsuo et al.] [[#Ref033|[33]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS website] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1660 slices || align="right"| 2676 Mbit/s || align="right"| 115 MHz<br />
|-<br />
| BLAKE-64 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with 8 G function units || Xilinx Virtex-II Pro || align="right"| 11122 slices || align="right"| 1177 Mbit/s || align="right"| 17.0 MHz<br />
|-<br />
| BLAKE-64 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with 8 G function units || Xilinx Virtex 4 || align="right"| 11483 slices || align="right"| 1707 Mbit/s || align="right"| 25.0 MHz<br />
|-<br />
| BLAKE-64 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with 8 G function units || Xilinx Virtex 5 || align="right"| 4329 slices || align="right"| 2389 Mbit/s || align="right"| 35.0 MHz<br />
|-<br />
| BLAKE-64 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1718 slices || align="right"| 1299 Mbit/s || align="right"| 90.91 MHz<br />
|-<br />
| Blue Midnight Wish-256 || [http://www.vlsi.uwaterloo.ca/~ahasan/hasan_report.html Namin and Hasan] [[#Ref002|[2]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with f0, f1, and f2 unrolled in sequence and I/O registers || Altera Stratix III || align="right"| 12917 ALUTs || align="right"| 4889.6 Mbit/s || align="right"| 9.55 MHz<br />
|-<br />
| Blue Midnight Wish-256 || [http://www.springerlink.com/content/q41257x376615p22/ Gaj et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 4400 slices || align="right"| 5576.7 Mbit/s || align="right"| 10.9 MHz<br />
|-<br />
| Blue Midnight Wish-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 4997 slices || align="right"| 457 Mbit/s || align="right"| 14.02 MHz<br />
|-<br />
| Blue Midnight Wish-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/MATSUO_SHA-3_Criteria_Hardware_revised.pdf Matsuo et al.] [[#Ref033|[33]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS website] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 4350 slices || align="right"| 8704 Mbit/s || align="right"| 34 MHz<br />
|-<br />
| Blue Midnight Wish-512 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 9810 slices || align="right"| 287 Mbit/s || align="right"| 10 MHz<br />
|-<br />
| Blue Midnight Wish || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SAVAS_SHA3_NIST_final.pdf Akin et al.] [[#Ref034|[34]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with f0, f1, and f2 unrolled in sequence || Xilinx Spartan 3 || align="right"| 10531 slices || align="right"| 2110 Mbit/s || align="right"| 4.22 MHz<br />
|-<br />
| Blue Midnight Wish || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SAVAS_SHA3_NIST_final.pdf Akin et al.] [[#Ref034|[34]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with f0, f1, and f2 unrolled in sequence || Xilinx Virtex-II || align="right"| 10432 slices || align="right"| 3360 Mbit/s || align="right"| 6.71 MHz<br />
|-<br />
| Blue Midnight Wish || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SAVAS_SHA3_NIST_final.pdf Akin et al.] [[#Ref034|[34]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with f0, f1, and f2 unrolled in sequence || Xilinx Virtex 4 || align="right"| 10486 slices || align="right"| 4510 Mbit/s || align="right"| 9.01 MHz<br />
|-<br />
| CubeHash8/1-256(***) || [http://eprint.iacr.org/2009/342.pdf Baldwin et al.] [[#Ref004|[4]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || 2 compression functions unrolled || Xilinx Spartan 3 || align="right"| 3268 slices || align="right"| 70 Mbit/s || align="right"| 37.9 MHz<br />
|-<br />
| CubeHash8/1-256(***) || [http://eprint.iacr.org/2009/342.pdf Baldwin et al.] [[#Ref004|[4]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || 1 iterated compression function || Xilinx Virtex 5 || align="right"| 1178 slices || align="right"| 160 Mbit/s || align="right"| 166.8 MHz<br />
|-<br />
| CubeHash16/32-256 || [http://eprint.iacr.org/2010/010.pdf Kobayashi et al.] [[#Ref003|[3]]] / [http://www.rcis.aist.go.jp/special/SASEBO/SHA3-en.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 590 slices || align="right"| 2960 Mbit/s || align="right"| 185 MHz<br />
|-<br />
| CubeHash16/32-256 || [http://www.springerlink.com/content/q41257x376615p22/ Gaj et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 730 slices || align="right"| 3189.8 Mbit/s || align="right"| 199.4 MHz<br />
|-<br />
| CubeHash16/32-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/MATSUO_SHA-3_Criteria_Hardware_revised.pdf Matsuo et al.] [[#Ref033|[33]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS website] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 590 slices || align="right"| 2960 Mbit/s || align="right"| 185 MHz<br />
|-<br />
| CubeHash8/32 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 695 slices || align="right"| 2509 Mbit/s || align="right"| 166.83 MHz<br />
|-<br />
| ECHO-224/256 || [http://www.ucc.ie/en/crypto/CodingandCryptographyWorkshop/TheClaudeShannonWorkshoponCodingCryptography2009/DocumentFile,75649,en.pdf Lu et al.] [[#Ref005|[5]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 9333 slices || align="right"| 14860 Mbit/s || align="right"| 87.1 MHz<br />
|-<br />
| ECHO-224/256 || [http://csg.csail.mit.edu/6.375/6_375_2009_www/projects/group1_report.pdf Kinsy and Uhler] [[#Ref021|[21]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 273 cycles per block || Altera Cyclone II || align="right"| 39091 LEs || align="right"| 397 Mbit/s(*) || align="right"| 70.6 MHz<br />
|-<br />
| ECHO-256 || [http://ehash.iaik.tugraz.at/uploads/1/12/Ramakers_Narinx2010ECHO-Hamsi-Luffa_ExtendedAbstract_ENGLISH.pdf Ramakers and Narinx] [[#Ref025|[25]]] / [http://ehash.iaik.tugraz.at/uploads/2/27/Ramakers_Narinx2010ECHO-Hamsi-Luffa_VHDL_sources.zip Hosted by SHA-3 zoo] || [[#Implementation_of_Core_Functionality|Core functionality]] || Straight-forward instantiation of complete compression function || Xilinx Virtex 5 || align="right"| 15006 slices || align="right"| 23860 Mbit/s || align="right"| 139 MHz<br />
|-<br />
| ECHO-256 || [http://ehash.iaik.tugraz.at/uploads/1/12/Ramakers_Narinx2010ECHO-Hamsi-Luffa_ExtendedAbstract_ENGLISH.pdf Ramakers and Narinx] [[#Ref025|[25]]] / [http://ehash.iaik.tugraz.at/uploads/2/27/Ramakers_Narinx2010ECHO-Hamsi-Luffa_VHDL_sources.zip Hosted by SHA-3 zoo] || [[#Implementation_of_Core_Functionality|Core functionality]] || Optimized: 4 x 2 AES round instances with pipeline register in BigSubWords || Xilinx Virtex 5 || align="right"| 12061 slices || align="right"| 3560 Mbit/s || align="right"| 187 MHz<br />
|-<br />
| ECHO-256 || [http://eprint.iacr.org/2010/010.pdf Kobayashi et al.] [[#Ref003|[3]]] / [http://www.rcis.aist.go.jp/special/SASEBO/SHA3-en.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 3556 slices || align="right"| 1614 Mbit/s || align="right"| 104 MHz<br />
|-<br />
| ECHO-256 || [http://crypto.rd.francetelecom.com/ECHO/hard/ Mabrouk and Benadjila] [[#Ref028|[28]]] / [http://crypto.rd.francetelecom.com/ECHO/hard/echo_highspeed_virtex5.zip Implementer's webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Fully parallel iterations of Compress512 || Xilinx Virtex 5 || align="right"| 10407 slices || align="right"| 26390 Mbit/s || align="right"| 154.6 MHz<br />
|-<br />
| ECHO-256 || [http://crypto.rd.francetelecom.com/ECHO/hard/ Mabrouk and Benadjila] [[#Ref028|[28]]] / [http://crypto.rd.francetelecom.com/ECHO/hard/echo_highspeed_virtex6.zip Implementer's webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Fully parallel iterations of Compress512 || Xilinx Virtex 6 || align="right"| 8071 slices || align="right"| 29457 Mbit/s || align="right"| 172.6 MHz<br />
|-<br />
| ECHO-256 || [http://www.springerlink.com/content/q41257x376615p22/ Gaj et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 6453 slices || align="right"| 10133.4 Mbit/s || align="right"| 178.1 MHz<br />
|-<br />
| ECHO-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 7372 slices || align="right"| 5373 Mbit/s || align="right"| 198.93 MHz<br />
|-<br />
| ECHO-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/MATSUO_SHA-3_Criteria_Hardware_revised.pdf Matsuo et al.] [[#Ref033|[33]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS website] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 2827 slices || align="right"| 2312 Mbit/s || align="right"| 149 MHz<br />
|-<br />
| ECHO-384/512 || [http://www.ucc.ie/en/crypto/CodingandCryptographyWorkshop/TheClaudeShannonWorkshoponCodingCryptography2009/DocumentFile,75649,en.pdf Lu et al.] [[#Ref005|[5]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 9097 slices || align="right"| 7810 Mbit/s || align="right"| 83.9 MHz<br />
|-<br />
| ECHO-384/512 || [http://csg.csail.mit.edu/6.375/6_375_2009_www/projects/group1_report.pdf Kinsy and Uhler] [[#Ref021|[21]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 341 cycles per block || Altera Cyclone II || align="right"| 39091 LEs || align="right"| 212 Mbit/s(**) || align="right"| 70.6 MHz<br />
|-<br />
| ECHO-512 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 8633 slices || align="right"| 18133 Mbit/s || align="right"| 166.69 MHz<br />
|-<br />
| Fugue-256 || [http://www.springerlink.com/content/q41257x376615p22/ Gaj et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 956 slices || align="right"| 3151.2 Mbit/s || align="right"| 98.5 MHz<br />
|-<br />
| Fugue-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1689 slices || align="right"| 914 Mbit/s || align="right"| 200.04 MHz<br />
|-<br />
| Fugue-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/MATSUO_SHA-3_Criteria_Hardware_revised.pdf Matsuo et al.] [[#Ref033|[33]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS website] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 4013 slices || align="right"| 1248 Mbit/s || align="right"| 78 MHz<br />
|-<br />
| Fugue-384 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 2380 slices || align="right"| 640 Mbit/s || align="right"| 200.08 MHz<br />
|-<br />
| Fugue-512 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 2596 slices || align="right"| 481 Mbit/s || align="right"| 200.16 MHz<br />
|-<br />
| Grøstl-224/256 || [http://eprint.iacr.org/2009/206.pdf Jungk et al.] [[#Ref006|[6]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || P & Q permutation in parallel || Xilinx Spartan 3 || align="right"| 6136 slices || align="right"| 4520 Mbit/s || align="right"| 88.3 MHz<br />
|-<br />
| Grøstl-224/256 || [http://www.groestl.info/Groestl.pdf Submission doc.] [[#Ref007|[7]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || P & Q permutation in parallel || Xilinx Virtex 5 || align="right"| 1722 slices || align="right"| 10276 Mbit/s || align="right"| 200.7 MHz<br />
|-<br />
| Grøstl-224/256 || [http://eprint.iacr.org/2009/342.pdf Baldwin et al.] [[#Ref004|[4]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || P & Q permutation in parallel, S-box in BRAM || Xilinx Spartan 3 || align="right"| 4827 slices || align="right"| 3660 Mbit/s || align="right"| 71.53 MHz<br />
|-<br />
| Grøstl-224/256 || [http://eprint.iacr.org/2009/342.pdf Baldwin et al.] [[#Ref004|[4]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || P & Q permutation in parallel, S-box in BRAM || Xilinx Virtex 5 || align="right"| 4516 slices || align="right"| 7310 Mbit/s || align="right"| 142.87 MHz<br />
|-<br />
| Grøstl-256 || [http://eprint.iacr.org/2010/010.pdf Kobayashi et al.] [[#Ref003|[3]]] / [http://www.rcis.aist.go.jp/special/SASEBO/SHA3-en.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 4057 slices || align="right"| 5171 Mbit/s || align="right"| 101 MHz<br />
|-<br />
| Grøstl-256 || [http://www.springerlink.com/content/q41257x376615p22/ Gaj et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1884 slices || align="right"| 8676.5 Mbit/s || align="right"| 355.9 MHz<br />
|-<br />
| Grøstl-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 2391 slices || align="right"| 3242 Mbit/s || align="right"| 101.32 MHz<br />
|-<br />
| Grøstl-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/MATSUO_SHA-3_Criteria_Hardware_revised.pdf Matsuo et al.] [[#Ref033|[33]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS website] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 2616 slices || align="right"| 7885 Mbit/s || align="right"| 154 MHz<br />
|-<br />
| Grøstl-384/512 || [http://www.groestl.info/Groestl.pdf Submission doc.] [[#Ref007|[7]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || P & Q permutation in parallel || Xilinx Spartan 3 || align="right"| 20233 slices || align="right"| 5901 Mbit/s || align="right"| 80.7 MHz<br />
|-<br />
| Grøstl-384/512 || [http://eprint.iacr.org/2009/342.pdf Baldwin et al.] [[#Ref004|[4]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || P & Q permutation parallel, S-box in LUTs || Xilinx Spartan 3 || align="right"| 17452 slices || align="right"| 3180 Mbit/s || align="right"| 79.61 MHz<br />
|-<br />
| Grøstl-384/512 || [http://eprint.iacr.org/2009/342.pdf Baldwin et al.] [[#Ref004|[4]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || P & Q permutation parallel, S-box in LUTs || Xilinx Virtex 5 || align="right"| 19161 slices || align="right"| 6090 Mbit/s || align="right"| 83.33 MHz<br />
|-<br />
| Grøstl-384/512 || [http://www.groestl.info/Groestl.pdf Submission doc.] [[#Ref007|[7]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || P & Q permutation in parallel || Xilinx Virtex 5 || align="right"| 5419 slices || align="right"| 15395 Mbit/s || align="right"| 210.5 MHz<br />
|-<br />
| Grøstl-384/512 || [http://eprint.iacr.org/2010/260.pdf Jungk and Reith] [[#Ref022|[22]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Shared P & Q permutation || Xilinx Spartan 3 || align="right"| 8308 slices || align="right"| 3474 Mbit/s || align="right"| 95 MHz<br />
|-<br />
| Grøstl-512 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 4845 slices || align="right"| 3619 Mbit/s || align="right"| 123.4 MHz<br />
|-<br />
| Hamsi-256 || [http://eprint.iacr.org/2010/010.pdf Kobayashi et al.] [[#Ref003|[3]]] / [http://www.rcis.aist.go.jp/special/SASEBO/SHA3-en.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 718 slices || align="right"| 1680 Mbit/s || align="right"| 210 MHz<br />
|-<br />
| Hamsi-256 || [http://ehash.iaik.tugraz.at/uploads/1/12/Ramakers_Narinx2010ECHO-Hamsi-Luffa_ExtendedAbstract_ENGLISH.pdf Ramakers and Narinx] [[#Ref025|[25]]] / [http://ehash.iaik.tugraz.at/uploads/2/27/Ramakers_Narinx2010ECHO-Hamsi-Luffa_VHDL_sources.zip Hosted by SHA-3 zoo] || [[#Implementation_of_Core_Functionality|Core functionality]] || Straight-forward instantiation of complete compression function || Xilinx Virtex 5 || align="right"| 4664 slices || align="right"| 6620 Mbit/s || align="right"| 207 MHz<br />
|-<br />
| Hamsi-256 || [http://ehash.iaik.tugraz.at/uploads/1/12/Ramakers_Narinx2010ECHO-Hamsi-Luffa_ExtendedAbstract_ENGLISH.pdf Ramakers and Narinx] [[#Ref025|[25]]] / [http://ehash.iaik.tugraz.at/uploads/2/27/Ramakers_Narinx2010ECHO-Hamsi-Luffa_VHDL_sources.zip Hosted by SHA-3 zoo] || [[#Implementation_of_Core_Functionality|Core functionality]] || Non-linear permutation block reused || Xilinx Virtex 5 || align="right"| 2113 slices || align="right"| 1970 Mbit/s || align="right"| 308 MHz<br />
|-<br />
| Hamsi-256 || [http://www.springerlink.com/content/q41257x376615p22/ Gaj et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 946 slices || align="right"| 2646.2 Mbit/s || align="right"| 248.1 MHz<br />
|-<br />
| Hamsi-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1518 slices || align="right"| 358 Mbit/s || align="right"| 72.41 MHz<br />
|-<br />
| Hamsi-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/MATSUO_SHA-3_Criteria_Hardware_revised.pdf Matsuo et al.] [[#Ref033|[33]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS website] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 718 slices || align="right"| 1680 Mbit/s || align="right"| 210 MHz<br />
|-<br />
| Hamsi-512 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 6229 slices || align="right"| 79 Mbit/s || align="right"| 16.51 MHz<br />
|-<br />
| JH-256 || [http://www.springerlink.com/content/q41257x376615p22/ Gaj et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1275 slices || align="right"| 4013.5 Mbit/s || align="right"| 282.2 MHz<br />
|-<br />
| JH-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/MATSUO_SHA-3_Criteria_Hardware_revised.pdf Matsuo et al.] [[#Ref033|[33]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS website] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 2661 slices || align="right"| 2639 Mbit/s || align="right"| 201 MHz<br />
|-<br />
| JH || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1291 slices || align="right"| 1941 Mbit/s || align="right"| 250.13 MHz<br />
|-<br />
| Keccak || [http://keccak.noekeon.org/Keccak-main-1.2.pdf Updated spec. (v1.2)] [[#Ref008|[8]]] / [http://keccak.noekeon.org/ Submission webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Core (round function, state register) & IO buffer || Altera Cyclone III || align="right"| 5776 LEs || align="right"| 7500 Mbit/s || align="right"| 133 MHz<br />
|-<br />
| Keccak || [http://keccak.noekeon.org/Keccak-main-1.2.pdf Updated spec. (v1.2)] [[#Ref008|[8]]] / [http://keccak.noekeon.org/ Submission webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Core (round function, state register) & IO buffer || Altera Stratix III || align="right"| 4713 ALUTs || align="right"| 12400 Mbit/s || align="right"| 218 MHz<br />
|-<br />
| Keccak || [http://www.strombergson.com/files/Keccak_in_FPGAs.pdf J. Str&ouml;mbergson] [[#Ref009|[9]]] / [http://keccak.noekeon.org/ Submission webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Core (round function, state register) only || Xilinx Spartan 3A || align="right"| 3393 slices || align="right"| 4800 Mbit/s || align="right"| 85 MHz<br />
|-<br />
| Keccak || [http://keccak.noekeon.org/Keccak-main-1.2.pdf Updated spec. (v1.2)] [[#Ref008|[8]]] / [http://keccak.noekeon.org/ Submission webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Core (round function, state register) & IO buffer || Xilinx Virtex 5 || align="right"| 1412 slices || align="right"| 6900 Mbit/s || align="right"| 122 MHz<br />
|-<br />
| Keccak(-224) || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1117 slices || align="right"| 5915 Mbit/s || align="right"| 189 MHz<br />
|-<br />
| Keccak(-256) || [http://www.springerlink.com/content/q41257x376615p22/ Gaj et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1229 slices || align="right"| 10806.5 Mbit/s || align="right"| 238.4 MHz<br />
|-<br />
| Keccak(-256) || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1117 slices || align="right"| 6263 Mbit/s || align="right"| 189 MHz<br />
|-<br />
| Keccak(-256) || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/MATSUO_SHA-3_Criteria_Hardware_revised.pdf Matsuo et al.] [[#Ref033|[33]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS website] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1433 slices || align="right"| 8397 Mbit/s || align="right"| 205 MHz<br />
|-<br />
| Keccak(-384) || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1117 slices || align="right"| 8190 Mbit/s || align="right"| 189 MHz<br />
|-<br />
| Keccak(-512) || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1117 slices || align="right"| 8518 Mbit/s || align="right"| 189 MHz<br />
|-<br />
| Keccak || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SAVAS_SHA3_NIST_final.pdf Akin et al.] [[#Ref034|[34]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || One Keccak-f round per cycle || Xilinx Spartan 3 || align="right"| 2024 slices || align="right"| 3460 Mbit/s || align="right"| 81.4 MHz<br />
|-<br />
| Keccak || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SAVAS_SHA3_NIST_final.pdf Akin et al.] [[#Ref034|[34]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || One Keccak-f round per cycle || Xilinx Virtex-II || align="right"| 2024 slices || align="right"| 5810 Mbit/s || align="right"| 136.6 MHz<br />
|-<br />
| Keccak || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SAVAS_SHA3_NIST_final.pdf Akin et al.] [[#Ref034|[34]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || One Keccak-f round per cycle || Xilinx Virtex 4 || align="right"| 2024 slices || align="right"| 6070 Mbit/s || align="right"| 142.9 MHz<br />
|-<br />
| Luffa-256 || [http://www.vlsi.uwaterloo.ca/~ahasan/hasan_report.html Namin and Hasan] [[#Ref002|[2]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function (1 cycle latency) and I/O registers || Altera Stratix III || align="right"| 16552 ALUTs || align="right"| 12042.2 Mbit/s || align="right"| 47.04 MHz<br />
|-<br />
| Luffa-256 || [http://eprint.iacr.org/2010/010.pdf Kobayashi et al.] [[#Ref003|[3]]] / [http://www.rcis.aist.go.jp/special/SASEBO/SHA3-en.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1048 slices || align="right"| 6343 Mbit/s || align="right"| 223 MHz<br />
|-<br />
| Luffa-256 || [http://ehash.iaik.tugraz.at/uploads/1/12/Ramakers_Narinx2010ECHO-Hamsi-Luffa_ExtendedAbstract_ENGLISH.pdf Ramakers and Narinx] [[#Ref025|[25]]] / [http://ehash.iaik.tugraz.at/uploads/2/27/Ramakers_Narinx2010ECHO-Hamsi-Luffa_VHDL_sources.zip Hosted by SHA-3 zoo] || [[#Implementation_of_Core_Functionality|Core functionality]] || One step block reused for 8 rounds || Xilinx Virtex 5 || align="right"| 9611 slices || align="right"| 2303 Mbit/s || align="right"| 179 MHz<br />
|-<br />
| Luffa-256 || [http://ehash.iaik.tugraz.at/uploads/1/12/Ramakers_Narinx2010ECHO-Hamsi-Luffa_ExtendedAbstract_ENGLISH.pdf Ramakers and Narinx] [[#Ref025|[25]]] / [http://ehash.iaik.tugraz.at/uploads/2/27/Ramakers_Narinx2010ECHO-Hamsi-Luffa_VHDL_sources.zip Hosted by SHA-3 zoo] || [[#Implementation_of_Core_Functionality|Core functionality]] || Straight-forward instantiation of complete compression function || Xilinx Virtex 5 || align="right"| 9611 slices || align="right"| 12290 Mbit/s || align="right"| 48.2 MHz<br />
|-<br />
| Luffa-256 || [http://www.springerlink.com/content/q41257x376615p22/ Gaj et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1154 slices || align="right"| 8008 Mbit/s || align="right"| 281.5 MHz<br />
|-<br />
| Luffa-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 2221 slices || align="right"| 5333 Mbit/s || align="right"| 166.67 MHz<br />
|-<br />
| Luffa-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/MATSUO_SHA-3_Criteria_Hardware_revised.pdf Matsuo et al.] [[#Ref033|[33]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS website] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1048 slices || align="right"| 7424 Mbit/s || align="right"| 261 MHz<br />
|-<br />
| Luffa-384 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 3740 slices || align="right"| 5336 Mbit/s || align="right"| 166.75 MHz<br />
|-<br />
| Luffa-512 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 3700 slices || align="right"| 5336 Mbit/s || align="right"| 166.75 MHz<br />
|-<br />
| Luffa || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SAVAS_SHA3_NIST_final.pdf Akin et al.] [[#Ref034|[34]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || Three step modules || Xilinx Spartan 3 || align="right"| 2956 slices || align="right"| 1480 Mbit/s || align="right"| 157.3 MHz<br />
|-<br />
| Luffa || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SAVAS_SHA3_NIST_final.pdf Akin et al.] [[#Ref034|[34]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || Three step modules || Xilinx Virtex-II || align="right"|2952 slices || align="right"| 8370 Mbit/s || align="right"| 301.4 MHz<br />
|-<br />
| Luffa || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SAVAS_SHA3_NIST_final.pdf Akin et al.] [[#Ref034|[34]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || Three step modules || Xilinx Virtex 4 || align="right"| 2989 slices || align="right"| 8560 Mbit/s || align="right"| 308.2 MHz<br />
|-<br />
| Shabal || [http://www.shabal.com/wp-content/plugins/download-monitor/download.php?id=FPGA-Implementation-of-Shabal-First-ResultsV2.0.pdf Feron and Francq] [[#Ref010|[10]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 36 adders in permutation || Xilinx Virtex 5 || align="right"| 1171 slices || align="right"| 2588 Mbit/s || align="right"| 126 MHz<br />
|-<br />
| Shabal || [http://eprint.iacr.org/2010/406.pdf Francq and Thuillet] [[#Ref026|[26]]] / [http://www.shabal.com/?p=170 Shabal webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 4 iterations of the permutation unrolled || Xilinx Virtex 5 || align="right"| 1715 slices || align="right"| 3242 Mbit/s || align="right"| 76 MHz<br />
|-<br />
| Shabal || [http://eprint.iacr.org/2009/342.pdf Baldwin et al.] [[#Ref004|[4]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || 36 adders in permutation || Xilinx Spartan 3 || align="right"| 2223 slices || align="right"| 740 Mbit/s || align="right"| 71.48 MHz<br />
|-<br />
| Shabal || [http://eprint.iacr.org/2009/342.pdf Baldwin et al.] [[#Ref004|[4]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || 36 adders in permutation || Xilinx Virtex 5 || align="right"| 2768 slices || align="right"| 1450 Mbit/s || align="right"| 138.87 MHz<br />
|-<br />
| Shabal || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1583 slices || align="right"| 1469 Mbit/s || align="right"| 148.04 MHz<br />
|-<br />
| Shabal-256 || [http://www.vlsi.uwaterloo.ca/~ahasan/hasan_report.html Namin and Hasan] [[#Ref002|[2]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with I/O registers (latency of 16 clock cycles) || Altera Stratix III || align="right"| 1440 ALUTs || align="right"| 3125.6 Mbit/s || align="right"| 195.35 MHz<br />
|-<br />
| Shabal-256 || [http://eprint.iacr.org/2010/010.pdf Kobayashi et al.] [[#Ref003|[3]]] / [http://www.rcis.aist.go.jp/special/SASEBO/SHA3-en.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1251 slices || align="right"| 1739 Mbit/s || align="right"| 214 MHz<br />
|-<br />
| Shabal-256 || [http://www.springerlink.com/content/q41257x376615p22/ Gaj et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1266 slices || align="right"| 2624 Mbit/s || align="right"| 128.1 MHz<br />
|-<br />
| Shabal-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/MATSUO_SHA-3_Criteria_Hardware_revised.pdf Matsuo et al.] [[#Ref033|[33]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS website] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1251 slices || align="right"| 2335 Mbit/s || align="right"| 228 MHz<br />
|-<br />
| Shabal-512 || [http://eprint.iacr.org/2010/292.pdf Detrey et al.] [[#Ref023|[23]]] / [http://hwshabal.gforge.inria.fr/ INRIA webpage (see SCM tree)] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Exploiting SRL16 primitive || Xilinx Virtex 5 || align="right"| 153 slices || align="right"| 2051 Mbit/s || align="right"| 256 MHz<br />
|-<br />
| Shabal-512 || [http://eprint.iacr.org/2010/292.pdf Detrey et al.] [[#Ref023|[23]]] / [http://hwshabal.gforge.inria.fr/ INRIA webpage (see SCM tree)] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Exploiting SRL16 primitive || Xilinx Spartan 3 || align="right"| 499 slices || align="right"| 800 Mbit/s || align="right"| 100 MHz<br />
|-<br />
| SHAvite-3<sub>256</sub> || [http://www.springerlink.com/content/q41257x376615p22/ Gaj et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1130 slices || align="right"| 2885.9 Mbit/s || align="right"| 208.6 MHz<br />
|-<br />
| SHAvite-3<sub>256</sub> || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 3125 slices || align="right"| 1170 Mbit/s || align="right"| 109.17 MHz<br />
|-<br />
| SHAvite-3<sub>256</sub> || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/MATSUO_SHA-3_Criteria_Hardware_revised.pdf Matsuo et al.] [[#Ref033|[33]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS website] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1063 slices || align="right"| 3382 Mbit/s || align="right"| 251 MHz<br />
|-<br />
| SHAvite-3<sub>512</sub> || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 9775 slices || align="right"| 931 Mbit/s || align="right"| 59.4 MHz<br />
|-<br />
| SIMD-256 || [http://www.springerlink.com/content/q41257x376615p22/ Gaj et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 9288 slices || align="right"| 2325.9 Mbit/s || align="right"| 40.9 MHz<br />
|-<br />
| SIMD-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 22704 slices || align="right"| 1338 Mbit/s || align="right"| 107.2 MHz<br />
|-<br />
| SIMD-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/MATSUO_SHA-3_Criteria_Hardware_revised.pdf Matsuo et al.] [[#Ref033|[33]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS website] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 3987 slices || align="right"| 835 Mbit/s || align="right"| 75 MHz<br />
|-<br />
| SIMD-512 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 43729 slices || align="right"| 2677 Mbit/s || align="right"| 107.2 MHz<br />
|-<br />
| Skein-256-h || [http://www.skein-hash.info/sites/default/files/skein_fpga.pdf Men Long] [[#Ref011|[11]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || UBI component || Xilinx Virtex 5 || align="right"| 1001 slices || align="right"| 408.7 Mbit/s || align="right"| 114.9 MHz<br />
|-<br />
| Skein-256-256 || [http://eprint.iacr.org/2009/159.pdf Stefan Tillich] [[#Ref012|[12]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 8 Threefish rounds unrolled || Xilinx Virtex 5 || align="right"| 937 slices || align="right"| 1751 Mbit/s || align="right"| 68.4 MHz<br />
|-<br />
| Skein-256-256 || [http://eprint.iacr.org/2009/159.pdf Stefan Tillich] [[#Ref012|[12]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 8 Threefish rounds unrolled || Xilinx Spartan 3 || align="right"| 2421 slices || align="right"| 669 Mbit/s || align="right"| 26.14 MHz<br />
|-<br />
| Skein-256-256 || [http://eprint.iacr.org/2010/010.pdf Kobayashi et al.] [[#Ref003|[3]]] / [http://www.rcis.aist.go.jp/special/SASEBO/SHA3-en.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 854 slices || align="right"| 1482 Mbit/s || align="right"| 115 MHz<br />
|-<br />
| Skein-256-256 || [http://www.springerlink.com/content/q41257x376615p22/ Gaj et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1312 slices || align="right"| 1416.1 Mbit/s || align="right"| 49.8 MHz<br />
|-<br />
| Skein-256-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/MATSUO_SHA-3_Criteria_Hardware_revised.pdf Matsuo et al.] [[#Ref033|[33]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS website] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 854 slices || align="right"| 1402 Mbit/s || align="right"| 115 MHz<br />
|-<br />
| Skein-512-h || [http://www.skein-hash.info/sites/default/files/skein_fpga.pdf Men Long] [[#Ref011|[11]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || UBI component || Xilinx Virtex 5 || align="right"| 1877 slices || align="right"| 817.4 Mbit/s || align="right"| 114.9 MHz<br />
|-<br />
| Skein-512-512 || [http://eprint.iacr.org/2009/159.pdf Stefan Tillich] [[#Ref012|[12]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 8 Threefish rounds unrolled || Xilinx Virtex 5 || align="right"| 1632 slices || align="right"| 3535 Mbit/s || align="right"| 69.04 MHz<br />
|-<br />
| Skein-512-512 || [http://eprint.iacr.org/2009/159.pdf Stefan Tillich] [[#Ref012|[12]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 8 Threefish rounds unrolled || Xilinx Spartan 3 || align="right"| 4273 slices || align="right"| 1365 Mbit/s || align="right"| 26.66 MHz<br />
|-<br />
| Skein-512 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1786 slices || align="right"| 1945 Mbit/s || align="right"| 83.65 MHz<br />
<br />
|}<br />
<br />
(*) Estimated peak throughput ignoring I/O bottleneck resulting from specific interface: (1536 bits/block) * (70.6 * 10^6 cycles/s) / (273 cycles/block) = 397.22 * 10^6 bits/s.<br />
<br /><br />
(**) Estimated peak throughput ignoring I/O bottleneck resulting from specific interface: (1024 bits/block) * (70.6 * 10^6 cycles/s) / (341 cycles/block) = 212.01 * 10^6 bits/s.<br />
<br /><br />
(***) CubeHash16/32-h implemented in a similar fashion can be expected to have throughput increased by a factor of about 16.<br />
<br />
<br /><br />
<br /><br />
<br />
=== Low-Area Implementations (FPGA) ===<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="120"| Hash Function Name !! width="150"| Reference / HDL !! width="100"| Impl. Scope !! width="200"| Implementation Details !! width="100"| Technology !! width="80"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| BLAKE-32 || [http://eprint.iacr.org/2010/173.pdf Beuchat et al.] [[#Ref013|[13]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Rescheduled G function || Xilinx Spartan-3 || align="right"| 124 slices || align="right"| 115 Mbit/s || align="right"| 190.0 MHz<br />
|-<br />
| BLAKE-32 || [http://eprint.iacr.org/2010/173.pdf Beuchat et al.] [[#Ref013|[13]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Rescheduled G function || Xilinx Virtex-4 || align="right"| 124 slices || align="right"| 216 Mbit/s || align="right"| 357.0 MHz<br />
|-<br />
| BLAKE-32 || [http://eprint.iacr.org/2010/173.pdf Beuchat et al.] [[#Ref013|[13]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Rescheduled G function || Xilinx Virtex-5 || align="right"| 56 slices || align="right"| 225 Mbit/s || align="right"| 372.0 MHz<br />
|-<br />
| BLAKE-32 || [http://eprint.iacr.org/2010/173.pdf Beuchat et al.] [[#Ref013|[13]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Rescheduled G function || Altera Cyclone III || align="right"| 285 LEs || align="right"| 116 Mbit/s || align="right"| 192.0 MHz<br />
|-<br />
| BLAKE-32 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with 1 G function unit || Xilinx Virtex-II Pro || align="right"| 958 slices || align="right"| 371 Mbit/s || align="right"| 59.0 MHz<br />
|-<br />
| BLAKE-32 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with 1 G function unit || Xilinx Virtex 4 || align="right"| 960 slices || align="right"| 430 Mbit/s || align="right"| 68.0 MHz<br />
|-<br />
| BLAKE-32 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with 1 G function unit || Xilinx Virtex 5 || align="right"| 390 slices || align="right"| 575 Mbit/s || align="right"| 91.0 MHz<br />
|-<br />
| BLAKE-64 || [http://eprint.iacr.org/2010/173.pdf Beuchat et al.] [[#Ref013|[13]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Rescheduled G function || Xilinx Spartan-3 || align="right"| 229 slices || align="right"| 138 Mbit/s || align="right"| 158.0 MHz<br />
|-<br />
| BLAKE-64 || [http://eprint.iacr.org/2010/173.pdf Beuchat et al.] [[#Ref013|[13]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Rescheduled G function || Xilinx Virtex-4 || align="right"| 230 slices || align="right"| 219 Mbit/s || align="right"| 250.0 MHz<br />
|-<br />
| BLAKE-64 || [http://eprint.iacr.org/2010/173.pdf Beuchat et al.] [[#Ref013|[13]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Rescheduled G function || Xilinx Virtex-5 || align="right"| 108 slices || align="right"| 314 Mbit/s || align="right"| 358.0 MHz<br />
|-<br />
| BLAKE-64 || [http://eprint.iacr.org/2010/173.pdf Beuchat et al.] [[#Ref013|[13]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Rescheduled G function || Altera Cyclone III || align="right"| 542 LEs || align="right"| 123 Mbit/s || align="right"| 140.0 MHz<br />
|-<br />
| BLAKE-64 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with 1 G function unit || Xilinx Virtex-II Pro || align="right"| 1802 slices || align="right"| 326 Mbit/s || align="right"| 36.0 MHz<br />
|-<br />
| BLAKE-64 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with 1 G function unit || Xilinx Virtex 4 || align="right"| 1856 slices || align="right"| 381 Mbit/s || align="right"| 42.0 MHz<br />
|-<br />
| BLAKE-64 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with 1 G function unit || Xilinx Virtex 5 || align="right"| 939 slices || align="right"| 533 Mbit/s || align="right"| 59.0 MHz<br />
|-<br />
| Blue Midnight Wish-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/El-Hadedy_SmallSizeFPGA-BMW256.pdf El Hadedy et al.] [[#Ref032|[32]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 32-bit datapath, 1 memory block || Xilinx Virtex || align="right"| 895 slices || align="right"| 9 Mbit/s || align="right"| 38 MHz<br />
|-<br />
| Blue Midnight Wish-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/El-Hadedy_SmallSizeFPGA-BMW256.pdf El Hadedy et al.] [[#Ref032|[32]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 32-bit datapath, 2 memory blocks || Xilinx Virtex 5 || align="right"| 84 slices || align="right"| 28 Mbit/s || align="right"| 116 MHz<br />
|-<br />
| ECHO || [http://eprint.iacr.org/2010/364.pdf Beuchat et al.] [[#Ref024|[24]]] / On request from author || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Adapted towards FPGA implementation (127 slices and 1 memory block) || Xilinx Virtex 5 || align="right"| 127 slices || align="right"| 72 Mbit/s || align="right"| 352.0 MHz<br />
|-<br />
| ECHO || Announced 19-08-2010 on hash-forum@nist.gov / On request from author || [[#Fully_Autonomous_Implementation|Fully autonomous]] || All ECHO + all AES variants || Xilinx Virtex 5 || align="right"| 231 slices || align="right"| 81.7 Mbit/s (ECHO-224/256), 41.9 Mbit/s (ECHO-384/512) || align="right"| 351.0 MHz<br />
|-<br />
| Grøstl-224/256 || [http://eprint.iacr.org/2009/206.pdf Jungk et al.] [[#Ref006|[6]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 64-bit datapath, P & Q permutation in parallel || Xilinx Spartan 3 || align="right"| 2486 slices || align="right"| 404 Mbit/s || align="right"| 63.2 MHz<br />
|-<br />
| Grøstl-224/256 || [http://eprint.iacr.org/2009/206.pdf Jungk et al.] [[#Ref006|[6]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 64-bit datapath, P & Q permutation in parallel || Xilinx Virtex 2 Pro || align="right"| 2754 slices || align="right"| 512 Mbit/s || align="right"| 81.5 MHz<br />
|-<br />
| Grøstl-224/256 || [http://eprint.iacr.org/2010/260.pdf Jungk and Reith] [[#Ref022|[22]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Shared P & Q permutation, S-Box based on composite field arithmetic || Xilinx Spartan 3 || align="right"| 1276 slices || align="right"| 192 Mbit/s || align="right"| 60 MHz<br />
|-<br />
| Grøstl-384/512 || [http://eprint.iacr.org/2010/260.pdf Jungk and Reith] [[#Ref022|[22]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Shared P & Q permutation, S-Box based on composite field arithmetic || Xilinx Spartan 3 || align="right"| 2110 slices || align="right"| 144 Mbit/s || align="right"| 63 MHz<br />
|-<br />
| Keccak || [http://keccak.noekeon.org/Keccak-main-1.2.pdf Updated spec. (v1.2)] [[#Ref008|[8]]] / [http://keccak.noekeon.org/ Submission webpage] || [[#Implementation_with_External_Memory|Using external memory]] || Small core using system memory || Altera Stratix III || align="right"| 855 ALUTs || align="right"| 96.8 Mbit/s || align="right"| 366 MHz<br />
|-<br />
| Keccak || [http://keccak.noekeon.org/Keccak-main-1.2.pdf Updated spec. (v1.2)] [[#Ref008|[8]]] / [http://keccak.noekeon.org/ Submission webpage] || [[#Implementation_with_External_Memory|Using external memory]] || Small core using system memory || Altera Cyclone III || align="right"| 1559 LEs || align="right"| 47.8 Mbit/s || align="right"| 181 MHz<br />
|-<br />
| Keccak || [http://keccak.noekeon.org/Keccak-main-1.2.pdf Updated spec. (v1.2)] [[#Ref008|[8]]] / [http://keccak.noekeon.org/ Submission webpage] || [[#Implementation_with_External_Memory|Using external memory]] || Small core using system memory || Xilinx Virtex 5 || align="right"| 444 slices || align="right"| 70.1 Mbit/s || align="right"| 265 MHz<br />
|-<br />
| Shabal || [http://ehash.iaik.tugraz.at/uploads/d/d4/FPGA_Implementation_of_Shabal_-_First_Results.pdf Feron and Francq] [[#Ref010|[10]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 36 adders in permutation || Xilinx Virtex 5 || align="right"| 596 slices (+ 40 DSP blocks) || align="right"| 1142 Mbit/s || align="right"| 109 MHz<br />
|-<br />
| Shabal || [http://eprint.iacr.org/2009/342.pdf Baldwin et al.] [[#Ref004|[4]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || 1 adder in permutation || Xilinx Spartan 3 || align="right"| 1933 slices || align="right"| 540 Mbit/s || align="right"| 89.71 MHz<br />
|-<br />
| Shabal || [http://eprint.iacr.org/2009/342.pdf Baldwin et al.] [[#Ref004|[4]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || 1 adder in permutation || Xilinx Virtex 5 || align="right"| 2307 slices || align="right"| 1330 Mbit/s || align="right"| 222.22 MHz<br />
|-<br />
| Shabal-512 || [http://eprint.iacr.org/2010/292.pdf Detrey et al.] [[#Ref023|[23]]] / [http://hwshabal.gforge.inria.fr/ INRIA webpage (see SCM tree)] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Exploiting SRL16 primitive || Xilinx Virtex 5 || align="right"| 153 slices || align="right"| 2051 Mbit/s || align="right"| 256 MHz<br />
|-<br />
| Shabal-512 || [http://eprint.iacr.org/2010/292.pdf Detrey et al.] [[#Ref023|[23]]] / [http://hwshabal.gforge.inria.fr/ INRIA webpage (see SCM tree)] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Exploiting SRL16 primitive || Xilinx Spartan 3 || align="right"| 499 slices || align="right"| 800 Mbit/s || align="right"| 100 MHz<br />
|-<br />
| Skein-256-256 || [http://www.vlsi.uwaterloo.ca/~ahasan/hasan_report.html Namin and Hasan] [[#Ref002|[2]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || One round of Threefish iterated || Altera Stratix III || align="right"| 1385 ALUTs || align="right"| 573.9 Mbit/s || align="right"| 161.42 MHz<br />
|}<br />
<br />
<br><br><br />
<br />
=== High-Speed Implementations (ASIC) ===<br />
<br />
A comparison of implementations of all 14 round 2 candidates has been presented informally at [http://www.iaik.tugraz.at/ IAIK] (Graz University of Technology) on Sept. 16, 2009. The updated presentation slides can be found [http://ehash.iaik.tugraz.at/uploads/f/fc/20091112_SHA-3_HW_stillich.pdf here].<br />
<br />
<br /><br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="120"| Hash Function Name !! width="150"| Reference / HDL !! width="100"| Impl. Scope !! width="200"| Implementation Details !! width="100"| Technology !! width="80"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| BLAKE-32 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with 8 G function units || UMC 0.18 µm || align="right"| 58.30 kGates || align="right"| 5295 Mbit/s || align="right"| 114 MHz<br />
|-<br />
| BLAKE-32 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with 4 G function units || UMC 0.18 µm || align="right"| 41.31 kGates || align="right"| 4153 Mbit/s || align="right"| 170 MHz<br />
|-<br />
| BLAKE-32 || [http://www.vlsi.uwaterloo.ca/~ahasan/hasan_report.html Namin and Hasan] [[#Ref002|[2]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with 8 G function units and I/O registers || STM 90 nm || align="right"| 53 kGates || align="right"| 4475 Mbit/s(*) || align="right"| 96.15 MHz<br />
|-<br />
| BLAKE-32 || [http://eprint.iacr.org/2009/510.pdf Tillich et al.] [[#Ref014|[14]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Compression function with 4 G function units with CSAs || UMC 0.18 µm || align="right"| 45.64 kGates || align="right"| 3971 Mbit/s || align="right"| 170.64 MHz<br />
|-<br />
| BLAKE-32 || [http://www.springerlink.com/content/g0115v3272156r06/ Henzen et al.] [[#Ref029|[29]]] / [http://www.iis.ee.ethz.ch/~sha3/ ETH webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Four parallel G functions modules || UMC 90 nm || align="right"| 47.5 kGates || align="right"| 9752 Mbit/s || align="right"| 400 MHz<br />
|-<br />
| BLAKE-32 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SCHAUMONT_SHA3.pdf Guo et al.] [[#Ref035|[35]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || UMC 0.13 µm || align="right"| 43.52 kGates || align="right"| 4645 Mbit/s || align="right"| 200 MHz<br />
|-<br />
| BLAKE-32 || [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] [[#Ref037|[37]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || STM 90 nm || align="right"| 37 kGates || align="right"| 6668 Mbit/s || align="right"| 286.5 MHz<br />
|-<br />
| BLAKE-32 || [http://131002.net/data/papers/HAMP10.pdf Henzen et al.] [[#Ref040|[40]]] / [http://131002.net/blake/ Submission webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Compression function with 8 G function units || UMC 0.18 µm || align="right"| 79 kGates || align="right"| 6376 Mbit/s || align="right"| 137.0 MHz<br />
|-<br />
| BLAKE-32 || [http://131002.net/data/papers/HAMP10.pdf Henzen et al.] [[#Ref040|[40]]] / [http://131002.net/blake/ Submission webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Compression function with 4 G function units || UMC 0.18 µm || align="right"| 48 kGates || align="right"| 5847 Mbit/s || align="right"| 240.0 MHz<br />
|-<br />
| BLAKE-32 || [http://131002.net/data/papers/HAMP10.pdf Henzen et al.] [[#Ref040|[40]]] / [http://131002.net/blake/ Submission webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Compression function with 8 G function units || UMC 0.13 µm || align="right"| 67 kGates || align="right"| 9365 Mbit/s || align="right"| 201.0 MHz<br />
|-<br />
| BLAKE-32 || [http://131002.net/data/papers/HAMP10.pdf Henzen et al.] [[#Ref040|[40]]] / [http://131002.net/blake/ Submission webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Compression function with 4 G function units || UMC 0.13 µm || align="right"| 43 kGates || align="right"| 8047 Mbit/s || align="right"| 330.0 MHz<br />
|-<br />
| BLAKE-32 || [http://131002.net/data/papers/HAMP10.pdf Henzen et al.] [[#Ref040|[40]]] / [http://131002.net/blake/ Submission webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Compression function with 8 G function units || UMC 90 nm || align="right"| 65 kGates || align="right"| 17498 Mbit/s || align="right"| 376.0 MHz<br />
|-<br />
| BLAKE-32 || [http://131002.net/data/papers/HAMP10.pdf Henzen et al.] [[#Ref040|[40]]] / [http://131002.net/blake/ Submission webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Compression function with 4 G function units || UMC 90 nm || align="right"| 38 kGates || align="right"| 15143 Mbit/s || align="right"| 621.0 MHz<br />
|-<br />
| BLAKE-64 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with 8 G function units || UMC 0.18 µm || align="right"| 132.47 kGates || align="right"| 5910 Mbit/s || align="right"| 87 MHz<br />
|-<br />
| BLAKE-64 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with 4 G function units || UMC 0.18 µm || align="right"| 82.73 kGates || align="right"| 4810 Mbit/s || align="right"| 136 MHz<br />
|-<br />
| BLAKE-64 || [http://131002.net/data/papers/HAMP10.pdf Henzen et al.] [[#Ref040|[40]]] / [http://131002.net/blake/ Submission webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Compression function with 8 G function units || UMC 0.18 µm || align="right"| 147 kGates || align="right"| 7216 Mbit/s || align="right"| 106.0 MHz<br />
|-<br />
| BLAKE-64 || [http://131002.net/data/papers/HAMP10.pdf Henzen et al.] [[#Ref040|[40]]] / [http://131002.net/blake/ Submission webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Compression function with 4 G function units || UMC 0.18 µm || align="right"| 98 kGates || align="right"| 7192 Mbit/s || align="right"| 204.0 MHz<br />
|-<br />
| BLAKE-64 || [http://131002.net/data/papers/HAMP10.pdf Henzen et al.] [[#Ref040|[40]]] / [http://131002.net/blake/ Submission webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Compression function with 8 G function units || UMC 0.13 µm || align="right"| 139 kGates || align="right"| 10802 Mbit/s || align="right"| 158.0 MHz<br />
|-<br />
| BLAKE-64 || [http://131002.net/data/papers/HAMP10.pdf Henzen et al.] [[#Ref040|[40]]] / [http://131002.net/blake/ Submission webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Compression function with 4 G function units || UMC 0.13 µm || align="right"| 92 kGates || align="right"| 10265 Mbit/s || align="right"| 291.0 MHz<br />
|-<br />
| BLAKE-64 || [http://131002.net/data/papers/HAMP10.pdf Henzen et al.] [[#Ref040|[40]]] / [http://131002.net/blake/ Submission webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Compression function with 8 G function units || UMC 90 nm || align="right"| 128 kGates || align="right"| 20317 Mbit/s || align="right"| 298.0 MHz<br />
|-<br />
| BLAKE-64 || [http://131002.net/data/papers/HAMP10.pdf Henzen et al.] [[#Ref040|[40]]] / [http://131002.net/blake/ Submission webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Compression function with 4 G function units || UMC 90 nm || align="right"| 79 kGates || align="right"| 18782 Mbit/s || align="right"| 532.0 MHz<br />
|-<br />
| Blue Midnight Wish-256 || [http://www.vlsi.uwaterloo.ca/~ahasan/hasan_report.html Namin and Hasan] [[#Ref002|[2]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with f0, f1, and f2 unrolled in sequence and I/O registers || STM 90 nm || align="right"| 164 kGates || align="right"| 26665 Mbit/s(*) || align="right"| 52.08 MHz<br />
|-<br />
| Blue Midnight Wish-256 || [http://eprint.iacr.org/2009/510.pdf Tillich et al.] [[#Ref014|[14]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Compression function with f0, f1, and f2 unrolled || UMC 0.18 µm || align="right"| 169.74 kGates || align="right"| 5358 Mbit/s || align="right"| 10.46 MHz<br />
|-<br />
| Blue Midnight Wish-256 || [http://www.springerlink.com/content/g0115v3272156r06/ Henzen et al.] [[#Ref029|[29]]] / [http://www.iis.ee.ethz.ch/~sha3/ ETH webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || single-cycle f0 and f2, f1 iteratively || UMC 90 nm || align="right"| 150 kGates || align="right"| 8486 Mbit/s || align="right"| 298 MHz<br />
|-<br />
| Blue Midnight Wish-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SCHAUMONT_SHA3.pdf Guo et al.] [[#Ref035|[35]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || UMC 0.13 µm || align="right"| 198.17 kGates || align="right"| 12220 Mbit/s || align="right"| 48 MHz<br />
|-<br />
| Blue Midnight Wish || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SAVAS_SHA3_NIST_final.pdf Akin et al.] [[#Ref034|[34]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with f0, f1, and f2 unrolled in sequence || Synopsys 90 nm || align="right"| 55.9 kGates || align="right"| 26320 Mbit/s || align="right"| 52.63 MHz<br />
|-<br />
| Blue Midnight Wish-256 || [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] [[#Ref037|[37]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || STM 90 nm || align="right"| 128.7 kGates || align="right"| 25937 Mbit/s || align="right"| 101.3 MHz<br />
|-<br />
| CubeHash16/32-h || [http://eprint.iacr.org/2009/510.pdf Tillich et al.] [[#Ref014|[14]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Dynamically reconfigurable r and b parameters, two rounds unrolled || UMC 0.18 µm || align="right"| 58.87 kGates || align="right"| 4665 Mbit/s || align="right"| 145.77 MHz<br />
|-<br />
| CubeHash16/32-h || [http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=5236043 Bernet et al.] [[#Ref020|[20]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || One round per cycle || 0.13 µm || align="right"| 34.33 kGates || align="right"| 9248 Mbit/s(***) || align="right"| 578 MHz<br />
|-<br />
| CubeHash16/32-h || [http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=5236043 Bernet et al.] [[#Ref020|[20]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Half a round per cycle || 0.13 µm || align="right"| 21.54 kGates || align="right"| 8000 Mbit/s(***) || align="right"| 1000 MHz<br />
|-<br />
| CubeHash16/32-256 || [http://www.springerlink.com/content/g0115v3272156r06/ Henzen et al.] [[#Ref029|[29]]] / [http://www.iis.ee.ethz.ch/~sha3/ ETH webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || One round per cycle, IV fixed || UMC 90 nm || align="right"| 42.5 kGates || align="right"| 10667 Mbit/s || align="right"| 667 MHz<br />
|-<br />
| CubeHash16/32-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SCHAUMONT_SHA3.pdf Guo et al.] [[#Ref035|[35]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || UMC 0.13 µm || align="right"| 38.18 kGates || align="right"| 4624 Mbit/s || align="right"| 289 MHz<br />
|-<br />
| CubeHash16/32-256 || [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] [[#Ref037|[37]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || STM 90 nm || align="right"| 35.5 kGates || align="right"| 8247 Mbit/s || align="right"| 515.5 MHz<br />
|-<br />
| ECHO-224/256 || [http://www.ucc.ie/en/crypto/CodingandCryptographyWorkshop/TheClaudeShannonWorkshoponCodingCryptography2009/DocumentFile,75649,en.pdf Lu et al.] [[#Ref005|[5]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || 0.13 µm || align="right"| 521.1 kGates || align="right"| 14850 Mbit/s || align="right"| 87.1 MHz<br />
|-<br />
| ECHO-256 || [http://eprint.iacr.org/2009/510.pdf Tillich et al.] [[#Ref014|[14]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Four parallel AES rounds, 16 AES MixColumns 32-bit column multipliers || UMC 0.18 µm || align="right"| 141.49 kGates || align="right"| 2246 Mbit/s || align="right"| 141.84 MHz<br />
|-<br />
| ECHO-256 || [http://www.springerlink.com/content/g0115v3272156r06/ Henzen et al.] [[#Ref029|[29]]] / [http://www.iis.ee.ethz.ch/~sha3/ ETH webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 8 AES rounds per cycle || UMC 90 nm || align="right"| 260 kGates || align="right"| 13966 Mbit/s || align="right"| 291 MHz<br />
|-<br />
| ECHO-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SCHAUMONT_SHA3.pdf Guo et al.] [[#Ref035|[35]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || UMC 0.13 µm || align="right"| 92.73 kGates || align="right"| 3366 Mbit/s || align="right"| 217 MHz<br />
|-<br />
| ECHO-256 || [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] [[#Ref037|[37]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || STM 90 nm || align="right"| 101.1 kGates || align="right"| 5621 Mbit/s || align="right"| 362.3 MHz<br />
|-<br />
| ECHO-384/512 || [http://www.ucc.ie/en/crypto/CodingandCryptographyWorkshop/TheClaudeShannonWorkshoponCodingCryptography2009/DocumentFile,75649,en.pdf Lu et al.] [[#Ref005|[5]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || 0.13 µm|| align="right"| 516.8 kGates || align="right"| 7750 Mbit/s || align="right"| 83.3 MHz<br />
|-<br />
| Fugue-256 || [http://domino.research.ibm.com/comm/research_projects.nsf/pages/fugue.index.html/$FILE/NIST-submission-Oct08-fugue.pdf Submission doc.] [[#Ref015|[15]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Four columns of SMIX transformation in parallel (SUPER4_P) || IBM 90 nm || align="right"| 109.85 kGates || align="right"| 13913 Mbit/s || align="right"| 869.5 MHz<br />
|-<br />
| Fugue-256 || [http://eprint.iacr.org/2009/510.pdf Tillich et al.] [[#Ref014|[14]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Four columns of SMIX transformation in parallel || UMC 0.18 µm || align="right"| 46.26 kGates || align="right"| 4092 Mbit/s || align="right"| 255.75 MHz<br />
|-<br />
| Fugue-256 || [http://www.springerlink.com/content/g0115v3272156r06/ Henzen et al.] [[#Ref029|[29]]] / [http://www.iis.ee.ethz.ch/~sha3/ ETH webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || S-box as LUT || UMC 90 nm || align="right"| 55 kGates || align="right"| 8815 Mbit/s || align="right"| 551 MHz<br />
|-<br />
| Fugue-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SCHAUMONT_SHA3.pdf Guo et al.] [[#Ref035|[35]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || UMC 0.13 µm || align="right"| 91.09 kGates || align="right"| 2385 Mbit/s || align="right"| 149 MHz<br />
|-<br />
| Fugue-256 || [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] [[#Ref037|[37]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || STM 90 nm || align="right"| 56.7 kGates || align="right"| 2721 Mbit/s || align="right"| 170.1 MHz<br />
|-<br />
| Grøstl-256 || [http://eprint.iacr.org/2009/510.pdf Tillich et al.] [[#Ref014|[14]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || One shared permutation for P & Q, one pipeline stage || UMC 0.18 µm || align="right"| 58.40 kGates || align="right"| 6290 Mbit/s || align="right"| 270.27 MHz<br />
|-<br />
| Grøstl-256 || [http://www.springerlink.com/content/g0115v3272156r06/ Henzen et al.] [[#Ref029|[29]]] / [http://www.iis.ee.ethz.ch/~sha3/ ETH webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || P and Q permutation interleaved with one pipeline stage, S-box as LUT || UMC 90 nm || align="right"| 135 kGates || align="right"| 16254 Mbit/s || align="right"| 667 MHz<br />
|-<br />
| Grøstl-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SCHAUMONT_SHA3.pdf Guo et al.] [[#Ref035|[35]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || UMC 0.13 µm || align="right"| 110.11 kGates || align="right"| 9606 Mbit/s || align="right"| 188 MHz<br />
|-<br />
| Grøstl-256 || [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] [[#Ref037|[37]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || STM 90 nm || align="right"| 139.1 kGates || align="right"| 17297 Mbit/s || align="right"| 337.8 MHz<br />
<br />
|-<br />
| Grøstl-256 || [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/others.html RCIS webpage] [[#Ref039|[39]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/others.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || STM 90 nm || align="right"| 120.8 kGates || align="right"| 16275 Mbit/s || align="right"| 349.7 MHz<br />
<br />
|-<br />
| Grøstl-384/512 || [http://www.groestl.info/Groestl.pdf Submission doc.] [[#Ref007|[7]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || P & Q permutation in parallel || UMC 0.18 µm || align="right"| 341 kGates || align="right"| 6225 Mbit/s || align="right"| 85.1 MHz<br />
|-<br />
| Hamsi-256 || [http://homes.esat.kuleuven.be/~okucuk/hamsi/implementations.html Junfeng Fan (Hamsi website)] [[#Ref016|[16]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || 0.13 µm || align="right"| 22 kGates || align="right"| 4940 Mbit/s || align="right"| 1080 MHz<br />
|-<br />
| Hamsi-256 || [http://eprint.iacr.org/2009/510.pdf Tillich et al.] [[#Ref014|[14]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Three instances of P/Pf function unrolled || UMC 0.18 µm || align="right"| 58.66 kGates || align="right"| 5565 Mbit/s || align="right"| 173.91 MHz<br />
|-<br />
| Hamsi-256 || [http://www.springerlink.com/content/g0115v3272156r06/ Henzen et al.] [[#Ref029|[29]]] / [http://www.iis.ee.ethz.ch/~sha3/ ETH webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Message expansions in LUTs, one round per cycle || UMC 90 nm || align="right"| 45 kGates || align="right"| 8686 Mbit/s || align="right"| 814 MHz<br />
|-<br />
| Hamsi-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SCHAUMONT_SHA3.pdf Guo et al.] [[#Ref035|[35]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || UMC 0.13 µm || align="right"| 29.94 kGates || align="right"| 3571 Mbit/s || align="right"| 446 MHz<br />
|-<br />
| Hamsi-256 || [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] [[#Ref037|[37]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || STM 90 nm || align="right"| 67.6 kGates || align="right"| 7767 Mbit/s || align="right"| 970.9 MHz<br />
|-<br />
| Hamsi-512 || [http://homes.esat.kuleuven.be/~okucuk/hamsi/implementations.html Junfeng Fan (Hamsi website)] [[#Ref016|[16]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || 0.13 µm || align="right"| 50 kGates || align="right"| 3970 Mbit/s || align="right"| 820 MHz<br />
|-<br />
| JH-256 || [http://eprint.iacr.org/2009/510.pdf Tillich et al.] [[#Ref014|[14]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 320 S-boxes, one round of R<sub>8</sub> per cycle || UMC 0.18 µm || align="right"| 58.83 kGates || align="right"| 4991 Mbit/s || align="right"| 380.22 MHz<br />
|-<br />
| JH-256 || [http://www.springerlink.com/content/g0115v3272156r06/ Henzen et al.] [[#Ref029|[29]]] / [http://www.iis.ee.ethz.ch/~sha3/ ETH webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || S-boxes as LUTs, stored constants || UMC 90 nm || align="right"| 80 kGates || align="right"| 10807 Mbit/s || align="right"| 760 MHz<br />
|-<br />
| JH-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SCHAUMONT_SHA3.pdf Guo et al.] [[#Ref035|[35]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || UMC 0.13 µm || align="right"| 62.42 kGates || align="right"| 5128 Mbit/s || align="right"| 391 MHz<br />
|-<br />
| JH-256 || [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] [[#Ref037|[37]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || STM 90 nm || align="right"| 54.6 kGates || align="right"| 10022 Mbit/s || align="right"| 763.4 MHz<br />
|-<br />
| Keccak || [http://keccak.noekeon.org/Keccak-main-1.2.pdf Updated spec. (v1.2)] [[#Ref008|[8]]] / [http://keccak.noekeon.org/ Submission webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Core (round function, state register) & IO buffer || ST 0.13 µm || align="right"| 48 kGates || align="right"| 29900 Mbit/s || align="right"| 526 MHz<br />
|-<br />
| Keccak || [http://keccak.noekeon.org/Keccak-specifications.pdf Submission doc.] [[#Ref008|[8]]] / [http://keccak.noekeon.org/ Submission webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Core (round function, state register) only || ST 0.13 µm || align="right"| 40 kGates || align="right"| 15000 Mbit/s || align="right"| 500 MHz<br />
|-<br />
| Keccak(-256) || [http://eprint.iacr.org/2009/510.pdf Tillich et al.] [[#Ref014|[14]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || One instance of Keccak-f round || UMC 0.18 µm || align="right"| 56.32 kGates || align="right"| 21229 Mbit/s || align="right"| 487.80 MHz<br />
|-<br />
| Keccak(-256) || [http://www.springerlink.com/content/g0115v3272156r06/ Henzen et al.] [[#Ref029|[29]]] / [http://www.iis.ee.ethz.ch/~sha3/ ETH webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || One round per cycle || UMC 90 nm || align="right"| 50 kGates || align="right"| 43011 Mbit/s || align="right"| 949 MHz<br />
|-<br />
| Keccak(-256) || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SCHAUMONT_SHA3.pdf Guo et al.] [[#Ref035|[35]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || UMC 0.13 µm || align="right"| 47.43 kGates || align="right"| 15457 Mbit/s || align="right"| 377 MHz<br />
|-<br />
| Keccak || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SAVAS_SHA3_NIST_final.pdf Akin et al.] [[#Ref034|[34]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || One Keccak-f round per cycle || Synopsys 90 nm || align="right"| 10.5 kGates || align="right"| 19320 Mbit/s || align="right"| 454.5 MHz<br />
|-<br />
| Keccak(-256) || [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] [[#Ref037|[37]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || STM 90 nm || align="right"| 50.7 kGates || align="right"| 33333 Mbit/s || align="right"| 781.3 MHz<br />
<br />
|-<br />
| Keccak(-256) || [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/others.html RCIS webpage] [[#Ref039|[39]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/others.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || STM 90 nm || align="right"| 55.9 kGates || align="right"| 43986 Mbit/s || align="right"| 1030.9 MHz<br />
<br />
|-<br />
| Luffa-224/256 || [http://www.cosic.esat.kuleuven.be/publications/article-1282.pdf Knežević and Verbauwhede] [[#Ref017|[17]]] / [http://homes.esat.kuleuven.be/~mknezevi/luffa/luffa_hw_code.tar.gz Author's webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Three permutation blocks in parallel (64 S-boxes, 4 MixWord blocks each) || UMC 0.13 µm || align="right"| 30.83 kGates || align="right"| 31960 Mbit/s || align="right"| 1124 MHz<br />
|-<br />
| Luffa-256 || [http://www.vlsi.uwaterloo.ca/~ahasan/hasan_report.html Namin and Hasan] [[#Ref002|[2]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function (1 cycle latency) and I/O registers || STM 90 nm || align="right"| 122 kGates || align="right"| 25702 Mbit/s(*) || align="right"| 100.4 MHz<br />
|-<br />
| Luffa-224/256 || [http://eprint.iacr.org/2009/510.pdf Tillich et al.] [[#Ref014|[14]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Three permutation blocks in parallel (64 S-boxes, 4 MixWord blocks each) || UMC 0.18 µm || align="right"| 44.97 kGates || align="right"| 13741 Mbit/s || align="right"| 483.09 MHz<br />
|-<br />
| Luffa-256 || [http://www.springerlink.com/content/g0115v3272156r06/ Henzen et al.] [[#Ref029|[29]]] / [http://www.iis.ee.ethz.ch/~sha3/ ETH webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Three parallel step modules, SubCrumb as logic || UMC 90 nm || align="right"| 55 kGates || align="right"| 23256 Mbit/s || align="right"| 727 MHz<br />
|-<br />
| Luffa-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SCHAUMONT_SHA3.pdf Guo et al.] [[#Ref035|[35]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || UMC 0.13 µm || align="right"| 37.94 kGates || align="right"| 13943 Mbit/s || align="right"| 490 MHz<br />
|-<br />
| Luffa-256 || [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] [[#Ref037|[37]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || STM 90 nm || align="right"| 39.6 kGates || align="right"| 28732 Mbit/s || align="right"| 1010.1 MHz<br />
<br />
|-<br />
| Luffa-256 || [http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=5513102&tag=1 Satoh et al.] [[#Ref038|[38]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/others.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Three permutation blocks in parallel (64 S-boxes, 4 MixWord blocks each), two rounds unrolled || STM 90 nm || align="right"| 62.8 kGates || align="right"| 35068.5 Mbit/s || align="right"| 684.9 MHz<br />
<br />
|-<br />
| Luffa-384 || [http://www.cosic.esat.kuleuven.be/publications/article-1282.pdf Knežević and Verbauwhede] [[#Ref017|[17]]] / [http://homes.esat.kuleuven.be/~mknezevi/luffa/luffa_hw_code.tar.gz Author's webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Four permutation blocks in parallel (64 S-boxes, 4 MixWord blocks each) || UMC 0.13 µm || align="right"| 50.07 kGates || align="right"| 23126 Mbit/s || align="right"| 813 MHz<br />
|-<br />
| Luffa-512 || [http://www.cosic.esat.kuleuven.be/publications/article-1282.pdf Knežević and Verbauwhede] [[#Ref017|[17]]] / [http://homes.esat.kuleuven.be/~mknezevi/luffa/luffa_hw_code.tar.gz Author's webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Five permutation blocks in parallel (64 S-boxes, 4 MixWord blocks each) || UMC 0.13 µm || align="right"| 65.1 kGates || align="right"| 19617 Mbit/s || align="right"| 690 MHz<br />
|-<br />
| Luffa || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SAVAS_SHA3_NIST_final.pdf Akin et al.] [[#Ref034|[34]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || Three step modules || Synopsys 90 nm || align="right"| 11.5 kGates || align="right"| 21370 Mbit/s || align="right"| 769.2 MHz<br />
|-<br />
| Shabal-256 || [http://www.vlsi.uwaterloo.ca/~ahasan/hasan_report.html Namin and Hasan] [[#Ref002|[2]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with I/O registers (latency of 16 clock cycles) || STM 90 nm || align="right"| 20 kGates || align="right"| 4408 Mbit/s(*) || align="right"| 413.22 MHz<br />
|-<br />
| Shabal-256 || [http://eprint.iacr.org/2009/510.pdf Tillich et al.] [[#Ref014|[14]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || One word rotation per cycle, 50 cycles per block || UMC 0.18 µm || align="right"| 54.19 kGates || align="right"| 3282 Mbit/s || align="right"| 320.51 MHz<br />
|-<br />
| Shabal || [http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=5236043 Bernet et al.] [[#Ref020|[20]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || One word rotation per cycle, 52 cycles per block || 0.13 µm || align="right"| 41.32 kGates || align="right"| 6351 Mbit/s(***) || align="right"| 645 MHz<br />
|-<br />
| Shabal-256 || [http://www.springerlink.com/content/g0115v3272156r06/ Henzen et al.] [[#Ref029|[29]]] / [http://www.iis.ee.ethz.ch/~sha3/ ETH webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 30 adders, 16 subtractors || UMC 90 nm || align="right"| 45 kGates || align="right"| 6819 Mbit/s || align="right"| 693 MHz<br />
|-<br />
| Shabal-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SCHAUMONT_SHA3.pdf Guo et al.] [[#Ref035|[35]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || UMC 0.13 µm || align="right"| 49.44 kGates || align="right"| 2945 Mbit/s || align="right"| 362 MHz<br />
|-<br />
| Shabal-256 || [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] [[#Ref037|[37]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || STM 90 nm || align="right"| 34.6 kGates || align="right"| 6059 Mbit/s || align="right"| 591.7 MHz<br />
|-<br />
| SHAvite-3<sub>256</sub> || [http://eprint.iacr.org/2009/510.pdf Tillich et al.] [[#Ref014|[14]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Four AES rounds (two for compression, two for message expansion) || UMC 0.18 µm || align="right"| 57.39 kGates || align="right"| 3152 Mbit/s || align="right"| 227.79 MHz<br />
|-<br />
| SHAvite-3<sub>256</sub> || [http://www.springerlink.com/content/g0115v3272156r06/ Henzen et al.] [[#Ref029|[29]]] / [http://www.iis.ee.ethz.ch/~sha3/ ETH webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || One AES round each for message expansion and F<sup>3</sup> round || UMC 90 nm || align="right"| 75 kGates || align="right"| 7999 Mbit/s || align="right"| 562 MHz<br />
|-<br />
| SHAvite-3<sub>256</sub> || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SCHAUMONT_SHA3.pdf Guo et al.] [[#Ref035|[35]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || UMC 0.13 µm || align="right"| 55.25 kGates || align="right"| 4599 Mbit/s || align="right"| 341 MHz<br />
|-<br />
| SHAvite-3<sub>256</sub> || [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] [[#Ref037|[37]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || STM 90 nm || align="right"| 59.4 kGates || align="right"| 8421 Mbit/s || align="right"| 625 MHz<br />
|-<br />
| SIMD-256(**) || [http://eprint.iacr.org/2009/510.pdf Tillich et al.] [[#Ref014|[14]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Two FFT-64 with two FFT-8 and 16 multipliers (8x8 bit) each || UMC 0.18 µm || align="right"| 104.17 kGates || align="right"| 924 Mbit/s || align="right"| 64.93 MHz<br />
|-<br />
| SIMD-256 || [http://www.springerlink.com/content/g0115v3272156r06/ Henzen et al.] [[#Ref029|[29]]] / [http://www.iis.ee.ethz.ch/~sha3/ ETH webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Four parallel Feistel modules, message expansion based on NNT<sub>8</sub> and eight multipliers || UMC 90 nm || align="right"| 135 kGates || align="right"| 5177 Mbit/s || align="right"| 364 MHz<br />
|-<br />
| SIMD-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SCHAUMONT_SHA3.pdf Guo et al.] [[#Ref035|[35]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || UMC 0.13 µm || align="right"| 139.55 kGates || align="right"| 2157 Mbit/s || align="right"| 194 MHz<br />
|-<br />
| SIMD-256 || [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] [[#Ref037|[37]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || STM 90 nm || align="right"| 139 kGates || align="right"| 3171 Mbit/s || align="right"| 284.9 MHz<br />
|-<br />
| Skein-256-256 || [http://eprint.iacr.org/2009/159.pdf Stefan Tillich] [[#Ref012|[12]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 8 Threefish rounds unrolled || UMC 0.18 µm || align="right"| 53.87 kGates || align="right"| 1762 Mbit/s || align="right"| 68.8 MHz<br />
|-<br />
| Skein-256-256 || [http://www.vlsi.uwaterloo.ca/~ahasan/hasan_report.html Namin and Hasan] [[#Ref002|[2]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || All 72 Threefish rounds unrolled || STM 90 nm || align="right"| 369 kGates || align="right"| 3126 Mbit/s(*) || align="right"| 12.21 MHz<br />
|-<br />
| Skein-256-256 || [http://eprint.iacr.org/2009/510.pdf Tillich et al.] [[#Ref014|[14]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 8 Threefish rounds unrolled || UMC 0.18 µm || align="right"| 58.61 kGates || align="right"| 1882 Mbit/s || align="right"| 73.52 MHz<br />
|-<br />
| Skein-256-256 || [http://www.springerlink.com/content/g0115v3272156r06/ Henzen et al.] [[#Ref029|[29]]] / [http://www.iis.ee.ethz.ch/~sha3/ ETH webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Four unrolled Threefish rounds || UMC 90 nm || align="right"| 50 kGates || align="right"| 3558 Mbit/s || align="right"| 264 MHz<br />
|-<br />
| Skein-256-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SCHAUMONT_SHA3.pdf Guo et al.] [[#Ref035|[35]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || UMC 0.13 µm || align="right"| 40.9 kGates || align="right"| 1941 Mbit/s || align="right"| 159 MHz<br />
|-<br />
| Skein-256-256 || [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] [[#Ref037|[37]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || STM 90 nm || align="right"| 43.1 kGates || align="right"| 3295 Mbit/s || align="right"| 270.3 MHz<br />
|-<br />
| Skein-512-512 || [http://eprint.iacr.org/2009/510.pdf Tillich et al.] [[#Ref014|[14]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 8 Threefish rounds unrolled || UMC 0.18 µm || align="right"| 102.04 kGates || align="right"| 2502 Mbit/s || align="right"| 48.87 MHz<br />
|-<br />
| Skein-512 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/WALKER_skein-intel-hwd.pdf Walker et al.] [[#Ref036|[36]]] / N/A] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 8 Threefish rounds unrolled || Intel 32 nm || align="right"| 57.93 kGates || align="right"| 32320 Mbit/s || align="right"| 631.31 MHz<br />
|}<br />
<br />
(*) Estimated peak throughput for the minimal delay of compression function: 1000 * (Input Size in bits) / [(Compression Function Delay in ns) * (Number of Cycles)] = Throughput in Mbit/s.<br />
<br /><br />
(**) Implementation of round-one variant.<br />
<br /><br />
(***) Estimated peak throughput: Throughput for CubeHash8/1-h implementation * 16.<br />
<br />
<br><br><br />
<br />
=== Low-Area Implementations (ASIC) ===<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="120"| Hash Function Name !! width="150"| Reference / HDL !! width="100"| Impl. Scope !! width="200"| Implementation Details !! width="100"| Technology !! width="80"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| BLAKE-32 || [http://eprint.iacr.org/2009/349.pdf Tillich et al.] [[#Ref018|[18]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || One G function in 11 cycles || AMS 0.35 µm || align="right"| 25.57 kGates || align="right"| 15.4 Mbit/s || align="right"| 31.25 MHz<br />
|-<br />
| BLAKE-32 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with a single G function unit || UMC 0.18 µm || align="right"| 10.54 kGates || align="right"| 253 Mbit/s || align="right"| 40 MHz<br />
|-<br />
| BLAKE-32 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with a half G function unit || UMC 0.18 µm || align="right"| 9.89 kGates || align="right"| 127 Mbit/s || align="right"| 40 MHz<br />
|-<br />
| BLAKE-64 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with a single G function unit || UMC 0.18 µm || align="right"| 20.61 kGates || align="right"| 181 Mbit/s || align="right"| 20 MHz<br />
|-<br />
| BLAKE-64 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with a half G function unit || UMC 0.18 µm || align="right"| 19.46 kGates || align="right"| 91 Mbit/s || align="right"| 20 MHz<br />
|-<br />
| CubeHash16/32-h || [http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=5236043 Bernet et al.] [[#Ref020|[20]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Process two 32-bit words per cycle, 64 cycles per round || 0.13 µm || align="right"| 7.63 kGates || align="right"| 32 Mbit/s(****) || align="right"| 100 MHz<br />
|-<br />
| ECHO-224/256 || [http://www.ucc.ie/en/crypto/CodingandCryptographyWorkshop/TheClaudeShannonWorkshoponCodingCryptography2009/DocumentFile,75649,en.pdf Lu et al.] [[#Ref005|[5]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || 0.13 µm || align="right"| 82.8 kGates || align="right"| 373 Mbit/s || align="right"| 66.6 MHz<br />
|-<br />
| Fugue-256 || [http://domino.research.ibm.com/comm/research_projects.nsf/pages/fugue.index.html/$FILE/NIST-submission-Oct08-fugue.pdf Submission doc.] [[#Ref015|[15]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || One SMIX transformation (SUPER1_L) || IBM 90 nm || align="right"| 59.22 kGates || align="right"| 2000 Mbit/s || align="right"| 500 MHz<br />
|-<br />
| Grøstl-224/256 || [http://eprint.iacr.org/2009/349.pdf Tillich et al.] [[#Ref018|[18]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 64-bit datapath, P & Q permutation shared || AMS 0.35 µm || align="right"| 14.62 kGates || align="right"| 145.9 Mbit/s || align="right"| 55.87 MHz<br />
|-<br />
| Grøstl-224/256 || [http://www.groestl.info Grøstl website] [[#Ref019|[19]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 64-bit datapath, P & Q permutation shared || UMC 0.18 µm || align="right"| 17 kGates || align="right"| 645 Mbit/s || align="right"| 246.9 MHz<br />
<br />
|-<br />
| Grøstl-256 || [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/others.html RCIS webpage] [[#Ref039|[39]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/others.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || STM 90 nm || align="right"| 34.8 kGates || align="right"| 2478 Mbit/s || align="right"| 101.6 MHz<br />
<br />
|-<br />
| Keccak || [http://keccak.noekeon.org/Keccak-main-1.2.pdf Updated spec. (v1.2)] [[#Ref008|[8]]] / [http://keccak.noekeon.org/ Submission webpage] || [[#Implementation_with_External_Memory|Using external memory]] || Small core using system memory || ST 0.13 µm || align="right"| 6.5 kGates || align="right"| 176.4 Mbit/s(*) || align="right"| 666.7 MHz<br />
|-<br />
| Keccak || [http://keccak.noekeon.org/Keccak-main-1.2.pdf Updated spec. (v1.2)] [[#Ref008|[8]]] / [http://keccak.noekeon.org/ Submission webpage] || [[#Implementation_with_External_Memory|Using external memory]] || Small core using system memory, clock freq. limited to 200 MHz || ST 0.13 µm || align="right"| 5 kGates || align="right"| 52.9 Mbit/s(**) || align="right"| 200 MHz<br />
|-<br />
| Luffa-224/256 || [http://www.cosic.esat.kuleuven.be/publications/article-1282.pdf Knežević and Verbauwhede] [[#Ref017|[17]]] / [http://homes.esat.kuleuven.be/~mknezevi/luffa/luffa_hw_code.tar.gz Author's webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || One permutation block (64 S-boxes, 4 MixWord blocks) || UMC 0.13 µm || align="right"| 18.26 kGates || align="right"| 2461 Mbit/s || align="right"| 250 MHz<br />
|-<br />
| Luffa-256 || [http://www.sdl.hitachi.co.jp/crypto/luffa/ACompactHardwareImplementationOfSHA-3CandidateLuffa_20100810.pdf Mikami et al.] [[#Ref027|[27]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || One permutation block (64 S-boxes, 4 MixWord blocks) || UMC 0.13 µm || align="right"| 10.34 kGates || align="right"| 538 Mbit/s || align="right"| 806 MHz<br />
<br />
|-<br />
| Luffa-256 || [http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=5513102&tag=1 Satoh et al.] [[#Ref038|[38]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/others.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || One permutation block (64 S-boxes, 4 MixWord blocks) || STM 90 nm || align="right"| 14.7 kGates || align="right"| 3641.1 Mbit/s || align="right"| 355.9 MHz<br />
<br />
|-<br />
| Luffa-384 || [http://www.cosic.esat.kuleuven.be/publications/article-1282.pdf Knežević and Verbauwhede] [[#Ref017|[17]]] / [http://homes.esat.kuleuven.be/~mknezevi/luffa/luffa_hw_code.tar.gz Author's webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 6 S-boxes, 1 MixWord || TSMC 90 nm || align="right"| 27.13 kGates || align="right"| 1882 Mbit/s || align="right"| 250 MHz<br />
|-<br />
| Luffa-512 || [http://www.cosic.esat.kuleuven.be/publications/article-1282.pdf Knežević and Verbauwhede] [[#Ref017|[17]]] / [http://homes.esat.kuleuven.be/~mknezevi/luffa/luffa_hw_code.tar.gz Author's webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || One permutation block (64 S-boxes, 4 MixWord blocks) || UMC 0.13 µm || align="right"| 37.35 kGates || align="right"| 1524 Mbit/s || align="right"| 250 MHz<br />
|-<br />
| Shabal || [http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=5236043 Bernet et al.] [[#Ref020|[20]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || One adder, one subtractor, one incrementer. 165 cycles per block || 0.13 µm || align="right"| 23.32 kGates || align="right"| 310 Mbit/s || align="right"| 100 MHz<br />
|-<br />
| Skein-256-256 || [http://eprint.iacr.org/2009/349.pdf Tillich et al.] [[#Ref018|[18]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 64-bit datapath || AMS 0.35 µm || align="right"| 12.89 kGates || align="right"| 19.8 Mbit/s || align="right"| 80 MHz<br />
|-<br />
| Skein-256-256 || [http://www.vlsi.uwaterloo.ca/~ahasan/hasan_report.html Namin and Hasan] [[#Ref002|[2]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || One round of Threefish iterated || STM 90 nm || align="right"| 21 kGates || align="right"| 1018.8 Mbit/s(***) || align="right"| 286.53 MHz<br />
|}<br />
<br />
(*) Estimation for 64-bit memory interface: (1024 bits/permutation) * (666.7 * 10^6 cycles/s) / (3870 cycles/permutation) = 176.41 * 10^6 bits/s<br />
<br /><br />
(**) Estimation for 64-bit memory interface: (1024 bits/permutation) * (200 * 10^6 cycles/s) / (3870 cycles/permutation) = 52.92 * 10^6 bits/s<br />
<br /><br />
(***) Estimated peak throughput for the minimal delay of compression function: 1000 * (Input Size in bits) / [(Compression Function Delay in ns) * (Number of Cycles)] = Throughput in Mbit/s<br />
<br /><br />
(****) Estimated peak throughput: Throughput for CubeHash8/1-h implementation * 16.<br />
<br />
<br /><br />
<br /><br />
<br />
== Comparative Studies ==<br />
<br />
This section summarizes the reported results of publications which examined more than one round-two candidate in a similar setup.<br />
<br />
=== Blake, BMW, Luffa, Shabal, Skein ===<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="200"| Reference !! width="120"| HDL !! width="120"| Category !! width="100"| Impl. Scope !! width="120"| Technology<br />
|- <br />
| [http://www.vlsi.uwaterloo.ca/~ahasan/hasan_report.html Namin and Hasan] [[#Ref002|[2]]] || N/A || [[#High-Speed_Implementations_(FPGA)|High-speed FPGA]] || [[#Implementation_of_Core_Functionality|Core functionality]] || Altera Stratix III<br />
|}<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="140"| Hash Function Name !! width="270"| Impl. Details !! width="90"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| BLAKE-32 || Compression function with 8 G function units and I/O registers || align="right"| 5435 ALUTs || align="right"| 2186.2 Mbit/s || align="right"| 46.97 MHz<br />
|-<br />
| Blue Midnight Wish-256 || Compression function with f0, f1, and f2 unrolled in sequence and I/O registers || align="right"| 12917 ALUTs || align="right"| 4889.6 Mbit/s || align="right"| 9.55 MHz<br />
|-<br />
| Luffa-256 || Compression function (1 cycle latency) and I/O registers || align="right"| 16552 ALUTs || align="right"| 12042.2 Mbit/s || align="right"| 47.04 MHz<br />
|-<br />
| Shabal-256 || Compression function with I/O registers (latency of 16 clock cycles) || align="right"| 1440 ALUTs || align="right"| 3125.6 Mbit/s || align="right"| 195.35 MHz<br />
|-<br />
| Skein-256-256 || All 72 Threefish rounds unrolled (device too small) || align="right"| N/A || align="right"| N/A || align="right"| N/A<br />
|}<br />
<br />
<br />
----<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="200"| Reference !! width="120"| HDL !! width="120"| Category !! width="100"| Impl. Scope !! width="120"| Technology<br />
|- <br />
| [http://www.vlsi.uwaterloo.ca/~ahasan/hasan_report.html Namin and Hasan] [[#Ref002|[2]]] || N/A || [[#High-Speed_Implementations_(ASIC)|High-speed ASIC]] || [[#Implementation_of_Core_Functionality|Core functionality]] || STM 90 nm<br />
|}<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="140"| Hash Function Name !! width="270"| Impl. Details !! width="90"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| BLAKE-32 || Compression function with 8 G function units and I/O registers || align="right"| 53 kGates || align="right"| 4475 Mbit/s(*) || align="right"| 96.15 MHz<br />
|-<br />
| Blue Midnight Wish-256 || Compression function with f0, f1, and f2 unrolled in sequence and I/O registers || align="right"| 164 kGates || align="right"| 26665 Mbit/s(*) || align="right"| 52.08 MHz<br />
|-<br />
| Luffa-256 || Compression function (1 cycle latency) and I/O registers || align="right"| 122 kGates || align="right"| 25702 Mbit/s(*) || align="right"| 100.4 MHz<br />
|-<br />
| Shabal-256 || Compression function with I/O registers (latency of 16 clock cycles) || align="right"| 20 kGates || align="right"| 4408 Mbit/s(*) || align="right"| 413.22 MHz<br />
|-<br />
| Skein-256-256 || All 72 Threefish rounds unrolled || align="right"| 369 kGates || align="right"| 3126 Mbit/s(*) || align="right"| 12.21 MHz<br />
|}<br />
<br />
(*) Estimated peak throughput for the minimal delay of compression function: 1000 * (Input Size in bits) / [(Compression Function Delay in ns) * (Number of Cycles)] = Throughput in Mbit/s.<br />
<br />
<br /><br />
<br /><br />
<br />
=== Blake, CubeHash, ECHO, Grøstl, Hamsi, Luffa, Shabal, Skein ===<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="200"| Reference !! width="120"| HDL !! width="120"| Category !! width="100"| Impl. Scope !! width="120"| Technology<br />
|- <br />
| [http://eprint.iacr.org/2010/010.pdf Kobayashi et al.] [[#Ref003|[3]]] || [http://www.rcis.aist.go.jp/special/SASEBO/SHA3-en.html RCIS webpage] || [[#High-Speed_Implementations_(FPGA)|High-speed FPGA]] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Xilinx Virtex 5<br />
|}<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="140"| Hash Function Name !! width="270"| Impl. Details !! width="90"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| BLAKE-32 || || align="right"| 1660 slices || align="right"| 2676 Mbit/s || align="right"| 115 MHz<br />
|-<br />
| CubeHash16/32-256 || || align="right"| 590 slices || align="right"| 2960 Mbit/s || align="right"| 185 MHz<br />
|-<br />
| ECHO-256 || || align="right"| 3556 slices || align="right"| 1614 Mbit/s || align="right"| 104 MHz<br />
|-<br />
| Grøstl-256 || || align="right"| 4057 slices || align="right"| 5171 Mbit/s || align="right"| 101 MHz<br />
|-<br />
| Hamsi-256 || || align="right"| 718 slices || align="right"| 1680 Mbit/s || align="right"| 210 MHz<br />
|-<br />
| Luffa-256 || || align="right"| 1048 slices || align="right"| 6343 Mbit/s || align="right"| 223 MHz<br />
|-<br />
| Shabal-256 || || align="right"| 1251 slices || align="right"| 1739 Mbit/s || align="right"| 214 MHz<br />
|-<br />
| Skein-256 || || align="right"| 854 slices || align="right"| 1482 Mbit/s || align="right"| 115 MHz<br />
|}<br />
<br />
<br /><br />
<br /><br />
<br />
=== CubeHash, Grøstl, Shabal ===<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="200"| Reference !! width="120"| HDL !! width="120"| Category !! width="100"| Impl. Scope !! width="120"| Technology<br />
|- <br />
| [http://eprint.iacr.org/2009/342.pdf Baldwin et al.] [[#Ref004|[4]]] || N/A || [[#High-Speed_Implementations_(FPGA)|High-speed FPGA]] || [[#Implementation_of_Core_Functionality|Core functionality]] || Xilinx Spartan 3<br />
|}<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="140"| Hash Function Name !! width="270"| Impl. Details !! width="90"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| CubeHash8/1-256(*) || 2 compression functions unrolled || align="right"| 3268 slices || align="right"| 70 Mbit/s || align="right"| 37.9 MHz<br />
|-<br />
| Grøstl-224/256 || P & Q permutation in parallel, S-box in BRAM || align="right"| 4827 slices || align="right"| 3660 Mbit/s || align="right"| 71.53 MHz<br />
|-<br />
| Grøstl-384/512 || P & Q permutation parallel, S-box in LUTs || align="right"| 17452 slices || align="right"| 3180 Mbit/s || align="right"| 79.61 MHz<br />
|-<br />
| Shabal || 36 adders in permutation || align="right"| 2223 slices || align="right"| 740 Mbit/s || align="right"| 71.48 MHz<br />
|}<br />
<br />
(*) CubeHash16/32-h implemented in a similar fashion can be expected to have throughput increased by a factor of about 16.<br />
<br />
<br />
----<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="200"| Reference !! width="120"| HDL !! width="120"| Category !! width="100"| Impl. Scope !! width="120"| Technology<br />
|- <br />
| [http://eprint.iacr.org/2009/342.pdf Baldwin et al.] [[#Ref004|[4]]] || N/A || [[#High-Speed_Implementations_(FPGA)|High-speed FPGA]] || [[#Implementation_of_Core_Functionality|Core functionality]] || Xilinx Virtex 5<br />
|}<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="140"| Hash Function Name !! width="270"| Impl. Details !! width="90"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| CubeHash8/1-256(*) || 1 iterated compression function || align="right"| 1178 slices || align="right"| 160 Mbit/s || align="right"| 166.8 MHz<br />
|-<br />
| Grøstl-224/256 || P & Q permutation in parallel, S-box in BRAM || align="right"| 4516 slices || align="right"| 7310 Mbit/s || align="right"| 142.87 MHz<br />
|-<br />
| Grøstl-384/512 || P & Q permutation parallel, S-box in LUTs || align="right"| 19161 slices || align="right"| 6090 Mbit/s || align="right"| 83.33 MHz<br />
|-<br />
| Shabal || 36 adders in permutation || align="right"| 2768 slices || align="right"| 1450 Mbit/s || align="right"| 138.87 MHz<br />
|}<br />
<br />
(*) CubeHash16/32-h implemented in a similar fashion can be expected to have throughput increased by a factor of about 16.<br />
<br />
<br /><br />
<br /><br />
<br />
=== All 14 Round-Two Candidates ===<br />
<br />
Reported results are post-synthesis. An interactive graphical comparison of various area-performance tradeoffs of this study can be found [http://www.iaik.tugraz.at/content/research/vlsi/sha3hw/ here].<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="200"| Reference !! width="120"| HDL !! width="120"| Category !! width="100"| Impl. Scope !! width="120"| Technology<br />
|- <br />
| [http://eprint.iacr.org/2009/510.pdf Tillich et al.] [[#Ref014|[14]]] || [mailto:mfeldhof@iaik.tugraz.at On request] || [[#High-Speed_Implementations_(ASIC)|High-speed ASIC]] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || UMC 0.18 µm<br />
|}<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="140"| Hash Function Name !! width="270"| Impl. Details !! width="90"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| BLAKE-32 || Compression function with 4 G function units with CSAs || align="right"| 45.64 kGates || align="right"| 3971 Mbit/s || align="right"| 170.64 MHz<br />
|-<br />
| Blue Midnight Wish-256 || Compression function with f0, f1, and f2 unrolled || align="right"| 169.74 kGates || align="right"| 5358 Mbit/s || align="right"| 10.46 MHz<br />
|-<br />
| CubeHash16/32-h || Dynamically reconfigurable r and b parameters, two rounds unrolled || align="right"| 58.87 kGates || align="right"| 4665 Mbit/s || align="right"| 145.77 MHz<br />
|-<br />
| ECHO-256 || Four parallel AES rounds, 16 AES MixColumns 32-bit column multipliers || align="right"| 141.49 kGates || align="right"| 2246 Mbit/s || align="right"| 141.84 MHz<br />
|-<br />
| Fugue-256 || Four columns of SMIX transformation in parallel || align="right"| 46.26 kGates || align="right"| 4092 Mbit/s || align="right"| 255.75 MHz<br />
|-<br />
| Grøstl-256 || One shared permutation for P & Q, one pipeline stage || align="right"| 58.40 kGates || align="right"| 6290 Mbit/s || align="right"| 270.27 MHz<br />
|-<br />
| Hamsi-256 || Three instances of P/Pf function unrolled || align="right"| 58.66 kGates || align="right"| 5565 Mbit/s || align="right"| 173.91 MHz<br />
|-<br />
| JH-256 || 320 S-boxes, one round of R<sub>8</sub> per cycle || align="right"| 58.83 kGates || align="right"| 4991 Mbit/s || align="right"| 380.22 MHz<br />
|-<br />
| Keccak(-256) || One instance of Keccak-f round || align="right"| 56.32 kGates || align="right"| 21229 Mbit/s || align="right"| 487.80 MHz<br />
|-<br />
| Luffa-224/256 || Three permutation blocks in parallel (64 S-boxes, 4 MixWord blocks each) || align="right"| 44.97 kGates || align="right"| 13741 Mbit/s || align="right"| 483.09 MHz<br />
|-<br />
| Shabal-256 || One word rotation per cycle, 50 cycles per block || align="right"| 54.19 kGates || align="right"| 3282 Mbit/s || align="right"| 320.51 MHz<br />
|-<br />
| SHAvite-3<sub>256</sub> || Four AES rounds (two for compression, two for message expansion) || align="right"| 57.39 kGates || align="right"| 3152 Mbit/s || align="right"| 227.79 MHz<br />
|-<br />
| SIMD-256(*) || Two FFT-64 with two FFT-8 and 16 multipliers (8x8 bit) each || align="right"| 104.17 kGates || align="right"| 924 Mbit/s || align="right"| 64.93 MHz<br />
|-<br />
| Skein-256-256 || 8 Threefish rounds unrolled || align="right"| 58.61 kGates || align="right"| 1882 Mbit/s || align="right"| 73.52 MHz<br />
|-<br />
| Skein-512-512 || 8 Threefish rounds unrolled || align="right"| 102.04 kGates || align="right"| 2502 Mbit/s || align="right"| 48.87 MHz<br />
|}<br />
<br />
(*) Implementation of round-one variant.<br />
<br />
<br /><br />
<br /><br />
<br />
=== BLAKE, Grøstl, Skein ===<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="200"| Reference !! width="120"| HDL !! width="120"| Category !! width="100"| Impl. Scope !! width="120"| Technology<br />
|- <br />
| [http://eprint.iacr.org/2009/349.pdf Tillich et al.] [[#Ref018|[18]]] || N/A || [[#Low-Area_Implementations_(ASIC)|Low-area ASIC]] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || AMS 0.35 µm<br />
|}<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="140"| Hash Function Name !! width="270"| Impl. Details !! width="90"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| BLAKE-32 || One G function in 11 cycles || align="right"| 25.57 kGates || align="right"| 15.4 Mbit/s || align="right"| 31.25 MHz<br />
|-<br />
| Grøstl-224/256 || 64-bit datapath, P & Q permutation shared || align="right"| 14.62 kGates || align="right"| 145.9 Mbit/s || align="right"| 55.87 MHz<br />
|-<br />
| Skein-256-256 || 64-bit datapath || align="right"| 12.89 kGates || align="right"| 19.8 Mbit/s || align="right"| 80 MHz<br />
|}<br />
<br />
<br />
=== ECHO, Hamsi, Luffa ===<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="200"| Reference !! width="120"| HDL !! width="120"| Category !! width="100"| Impl. Scope !! width="120"| Technology<br />
|- <br />
| [http://ehash.iaik.tugraz.at/uploads/1/12/Ramakers_Narinx2010ECHO-Hamsi-Luffa_ExtendedAbstract_ENGLISH.pdf Ramakers and Narinx] [[#Ref025|[25]]] || [http://ehash.iaik.tugraz.at/uploads/2/27/Ramakers_Narinx2010ECHO-Hamsi-Luffa_VHDL_sources.zip Hosted by SHA-3 zoo] || [[#High-Speed_Implementations_(FPGA)|High-speed FPGA]] || [[#Implementation_of_Core_Functionality|Core functionality]] || Xilinx Virtex 5<br />
|}<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="140"| Hash Function Name !! width="270"| Impl. Details !! width="90"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| ECHO-256 || Straight-forward instantiation of complete compression function || align="right"| 15006 slices || align="right"| 23860 Mbit/s || align="right"| 139 MHz<br />
|-<br />
| ECHO-256 || Optimized: 4 x 2 AES round instances with pipeline register in BigSubWords || align="right"| 12061 slices || align="right"| 3560 Mbit/s || align="right"| 187 MHz<br />
|-<br />
| Hamsi-256 || Straight-forward instantiation of complete compression function || align="right"| 4664 slices || align="right"| 6620 Mbit/s || align="right"| 207 MHz<br />
|-<br />
| Hamsi-256 || Non-linear permutation block reused || align="right"| 2113 slices || align="right"| 1970 Mbit/s || align="right"| 308 MHz<br />
|-<br />
| Luffa-256 || Straight-forward instantiation of complete compression function || align="right"| 9611 slices || align="right"| 12290 Mbit/s || align="right"| 48.2 MHz<br />
|-<br />
| Luffa-256 || One step block reused for 8 rounds || align="right"| 2303 slices || align="right"| 5090 Mbit/s || align="right"| 179 MHz<br />
|}<br />
<br />
<br />
=== All 14 Round-Two Candidates ===<br />
<br />
Reported results of this study are post-P&amp;R performances of designs targeting high throughput.<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="200"| Reference !! width="120"| HDL !! width="120"| Category !! width="100"| Impl. Scope !! width="120"| Technology<br />
|- <br />
| [http://www.springerlink.com/content/g0115v3272156r06/ Henzen et al.] [[#Ref029|[29]]] || [http://www.iis.ee.ethz.ch/~sha3/ ETH webpage] || [[#High-Speed_Implementations_(ASIC)|High-speed ASIC]] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || UMC 90 nm<br />
|}<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="140"| Hash Function Name !! width="270"| Impl. Details !! width="90"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| BLAKE-32 || Four parallel G functions modules || align="right"| 47.5 kGates || align="right"| 9752 Mbit/s || align="right"| 400 MHz<br />
|-<br />
| Blue Midnight Wish-256 || single-cycle f0 and f2, f1 iteratively || align="right"| 150 kGates || align="right"| 8486 Mbit/s || align="right"| 298 MHz<br />
|-<br />
| CubeHash16/32-256 || One round per cycle, IV fixed || align="right"| 42.5 kGates || align="right"| 10667 Mbit/s || align="right"| 667 MHz<br />
|-<br />
| ECHO-256 || 8 AES rounds per cycle || align="right"| 260 kGates || align="right"| 13966 Mbit/s || align="right"| 291 MHz<br />
|-<br />
| Fugue-256 || S-box as LUT || align="right"| 55 kGates || align="right"| 8815 Mbit/s || align="right"| 551 MHz<br />
|-<br />
| Grøstl-256 || P and Q permutation interleaved with one pipeline stage, S-box as LUT || align="right"| 135 kGates || align="right"| 16254 Mbit/s || align="right"| 667 MHz<br />
|-<br />
| Hamsi-256 || Message expansions in LUTs, one round per cycle || align="right"| 45 kGates || align="right"| 8686 Mbit/s || align="right"| 814 MHz<br />
|-<br />
| JH-256 || S-boxes as LUTs, stored constants || align="right"| 80 kGates || align="right"| 10807 Mbit/s || align="right"| 760 MHz<br />
|-<br />
| Keccak(-256) || One round per cycle || align="right"| 50 kGates || align="right"| 43011 Mbit/s || align="right"| 949 MHz<br />
|-<br />
| Luffa-256 || Three parallel step modules, SubCrumb as logic || align="right"| 55 kGates || align="right"| 23256 Mbit/s || align="right"| 727 MHz<br />
|-<br />
| Shabal-256 || 30 adders, 16 subtractors || align="right"| 45 kGates || align="right"| 6819 Mbit/s || align="right"| 693 MHz<br />
|-<br />
| SHAvite-3<sub>256</sub> || One AES round each for message expansion and F<sup>3</sup> round || align="right"| 75 kGates || align="right"| 7999 Mbit/s || align="right"| 562 MHz<br />
|-<br />
| SIMD-256 || Four parallel Feistel modules, message expansion based on NNT<sub>8</sub> and eight multipliers || align="right"| 135 kGates || align="right"| 5177 Mbit/s || align="right"| 364 MHz<br />
|-<br />
| Skein-256-256 || Four unrolled Threefish rounds || align="right"| 50 kGates || align="right"| 3558 Mbit/s || align="right"| 264 MHz<br />
|}<br />
<br />
<br /><br />
<br /><br />
<br />
<br />
=== All 14 Round-Two Candidates ===<br />
<br />
Designs optimized towards throughput to area ratio. The cited results are those for the Xilinx Virtex 5 platform only. For a full listing of all ATHENa results refer to the [http://cryptography.gmu.edu/athena/ ATHENa webpage].<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="200"| Reference !! width="120"| HDL !! width="120"| Category !! width="100"| Impl. Scope !! width="120"| Technology<br />
|- <br />
| [http://www.springerlink.com/content/q41257x376615p22/ Gaj et al.] [[#Ref030|[30]]] || N/A || [[#High-Speed_Implementations_(FPGA)|High-speed FPGA]] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Xilinx Virtex 5<br />
|}<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="140"| Hash Function Name !! width="270"| Impl. Details !! width="90"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| BLAKE-32 || || align="right"| 1851 slices || align="right"| 2610.6 Mbit/s || align="right"| 102 MHz<br />
|-<br />
| Blue Midnight Wish-256 || || align="right"| 4400 slices || align="right"| 5576.7 Mbit/s || align="right"| 10.9 MHz<br />
|-<br />
| CubeHash16/32-256 || || align="right"| 730 slices || align="right"| 3189.8 Mbit/s || align="right"| 199.4 MHz<br />
|-<br />
| ECHO-256 || || align="right"| 6453 slices || align="right"| 10133.4 Mbit/s || align="right"| 178.1 MHz<br />
|-<br />
| Fugue-256 || || align="right"| 956 slices || align="right"| 3151.2 Mbit/s || align="right"| 98.5 MHz<br />
|-<br />
| Grøstl-256 || || align="right"| 1884 slices || align="right"| 8676.5 Mbit/s || align="right"| 355.9 MHz<br />
|-<br />
| Hamsi-256 || || align="right"| 946 slices || align="right"| 2646.2 Mbit/s || align="right"| 248.1 MHz<br />
|-<br />
| JH-256 || || align="right"| 1275 slices || align="right"| 4013.5 Mbit/s || align="right"| 282.2 MHz<br />
|-<br />
| Keccak(-256) || || align="right"| 1229 slices || align="right"| 10806.5 Mbit/s || align="right"| 238.4 MHz<br />
|-<br />
| Luffa-256 || || align="right"| 1154 slices || align="right"| 8008 Mbit/s || align="right"| 281.5 MHz<br />
|-<br />
| Shabal-256 || || align="right"| 1266 slices || align="right"| 2624 Mbit/s || align="right"| 128.1 MHz<br />
|-<br />
| SHAvite-3<sub>256</sub> || || align="right"| 1130 slices || align="right"| 2885.9 Mbit/s || align="right"| 208.6 MHz<br />
|-<br />
| SIMD-256 || || align="right"| 9288 slices || align="right"| 2325.9 Mbit/s || align="right"| 40.9 MHz<br />
|-<br />
| Skein-256-256 || || align="right"| 1312 slices || align="right"| 1416.1 Mbit/s || align="right"| 49.8 MHz<br />
|}<br />
<br />
<br /><br />
<br /><br />
<br />
<br />
=== All 14 Round-Two Candidates ===<br />
<br />
Results are without wrapper for long messages.<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="200"| Reference !! width="120"| HDL !! width="120"| Category !! width="100"| Impl. Scope !! width="120"| Technology<br />
|- <br />
| [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] || [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#High-Speed_Implementations_(FPGA)|High-speed FPGA]] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Xilinx Virtex 5<br />
|}<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="140"| Hash Function Name !! width="270"| Impl. Details !! width="90"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| BLAKE-32 || || align="right"| 1118 slices || align="right"| 1169 Mbit/s || align="right"| 118.06 MHz<br />
|-<br />
| BLAKE-64 || || align="right"| 1718 slices || align="right"| 1299 Mbit/s || align="right"| 90.91 MHz<br />
|-<br />
| Blue Midnight Wish-256 || || align="right"| 4997 slices || align="right"| 457 Mbit/s || align="right"| 14.02 MHz<br />
|-<br />
| Blue Midnight Wish-512 || || align="right"| 9810 slices || align="right"| 287 Mbit/s || align="right"| 10 MHz<br />
|-<br />
| CubeHash8/32 || || align="right"| 695 slices || align="right"| 2509 Mbit/s || align="right"| 166.83 MHz<br />
|-<br />
| ECHO-256 || || align="right"| 7372 slices || align="right"| 5373 Mbit/s || align="right"| 198.93 MHz<br />
|-<br />
| ECHO-512 || || align="right"| 8633 slices || align="right"| 18133 Mbit/s || align="right"| 166.69 MHz<br />
|-<br />
| Fugue-256 || || align="right"| 1689 slices || align="right"| 914 Mbit/s || align="right"| 200.04 MHz<br />
|-<br />
| Fugue-384 || || align="right"| 2380 slices || align="right"| 640 Mbit/s || align="right"| 200.08 MHz<br />
|-<br />
| Fugue-512 || || align="right"| 2596 slices || align="right"| 481 Mbit/s || align="right"| 200.16 MHz<br />
|-<br />
| Grøstl-256 || || align="right"| 2391 slices || align="right"| 3242 Mbit/s || align="right"| 101.32 MHz<br />
|-<br />
| Grøstl-512 || || align="right"| 4845 slices || align="right"| 3619 Mbit/s || align="right"| 123.4 MHz<br />
|-<br />
| Hamsi-256 || || align="right"| 1518 slices || align="right"| 358 Mbit/s || align="right"| 72.41 MHz<br />
|-<br />
| Hamsi-512 || || align="right"| 6229 slices || align="right"| 79 Mbit/s || align="right"| 16.51 MHz<br />
|-<br />
| JH || || align="right"| 1291 slices || align="right"| 1941 Mbit/s || align="right"| 250.13 MHz<br />
|-<br />
| Keccak(-224) || || align="right"| 1117 slices || align="right"| 5915 Mbit/s || align="right"| 189 MHz<br />
|-<br />
| Keccak(-256) || || align="right"| 1117 slices || align="right"| 6263 Mbit/s || align="right"| 189 MHz<br />
|-<br />
| Keccak(-384) || || align="right"| 1117 slices || align="right"| 8190 Mbit/s || align="right"| 189 MHz<br />
|-<br />
| Keccak(-512) || || align="right"| 1117 slices || align="right"| 8518 Mbit/s || align="right"| 189 MHz<br />
|-<br />
| Luffa-256 || || align="right"| 2221 slices || align="right"| 5333 Mbit/s || align="right"| 166.67 MHz<br />
|-<br />
| Luffa-384 || || align="right"| 3740 slices || align="right"| 5336 Mbit/s || align="right"| 166.75 MHz<br />
|-<br />
| Luffa-512 || || align="right"| 3700 slices || align="right"| 5336 Mbit/s || align="right"| 166.75 MHz<br />
|-<br />
| Shabal || || align="right"| 1583 slices || align="right"| 1469 Mbit/s || align="right"| 148.04 MHz<br />
|-<br />
| SHAvite-3<sub>256</sub> || || align="right"| 3125 slices || align="right"| 1170 Mbit/s || align="right"| 109.17 MHz<br />
|-<br />
| SHAvite-3<sub>512</sub> || || align="right"| 9775 slices || align="right"| 931 Mbit/s || align="right"| 59.4 MHz<br />
|-<br />
| SIMD-256 || || align="right"| 22704 slices || align="right"| 1338 Mbit/s || align="right"| 107.2 MHz<br />
|-<br />
| SIMD-512 || || align="right"| 43729 slices || align="right"| 2677 Mbit/s || align="right"| 107.2 MHz<br />
|-<br />
| Skein-512 || || align="right"| 1786 slices || align="right"| 1945 Mbit/s || align="right"| 83.65 MHz<br />
|}<br />
<br />
<br /><br />
<br /><br />
<br />
<br />
=== All 14 Round-Two Candidates ===<br />
<br />
Results include throughputs without interface overhead.<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="200"| Reference !! width="120"| HDL !! width="120"| Category !! width="100"| Impl. Scope !! width="120"| Technology<br />
|- <br />
| [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/MATSUO_SHA-3_Criteria_Hardware_revised.pdf Matsuo et al.] [[#Ref033|[33]]] || [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] || [[#High-Speed_Implementations_(FPGA)|High-speed FPGA]] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Xilinx Virtex 5<br />
|}<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="140"| Hash Function Name !! width="270"| Impl. Details !! width="90"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| BLAKE-32 || || align="right"| 1660 slices || align="right"| 2676 Mbit/s || align="right"| 115 MHz<br />
|-<br />
| Blue Midnight Wish-256 || || align="right"| 4350 slices || align="right"| 8704 Mbit/s || align="right"| 34 MHz<br />
|-<br />
| CubeHash16/32-256 || || align="right"| 590 slices || align="right"| 2960 Mbit/s || align="right"| 185 MHz<br />
|-<br />
| ECHO-256 || || align="right"| 2827 slices || align="right"| 2312 Mbit/s || align="right"| 149 MHz<br />
|-<br />
| Fugue-256 || || align="right"| 4013 slices || align="right"| 1248 Mbit/s || align="right"| 78 MHz<br />
|-<br />
| Grøstl-256 || || align="right"| 2616 slices || align="right"| 7885 Mbit/s || align="right"| 154 MHz<br />
|-<br />
| Hamsi-256 || || align="right"| 718 slices || align="right"| 1680 Mbit/s || align="right"| 210 MHz<br />
|-<br />
| JH-256 || || align="right"| 2661 slices || align="right"| 2639 Mbit/s || align="right"| 201 MHz<br />
|-<br />
| Keccak(-256) || || align="right"| 1433 slices || align="right"| 8397 Mbit/s || align="right"| 205 MHz<br />
|-<br />
| Luffa-256 || || align="right"| 1048 slices || align="right"| 7424 Mbit/s || align="right"| 261 MHz<br />
|-<br />
| Shabal-256 || || align="right"| 1251 slices || align="right"| 2335 Mbit/s || align="right"| 228 MHz<br />
|-<br />
| SHAvite-3<sub>256</sub> || || align="right"| 1063 slices || align="right"| 3382 Mbit/s || align="right"| 251 MHz<br />
|-<br />
| SIMD-256 || || align="right"| 3987 slices || align="right"| 835 Mbit/s || align="right"| 75 MHz<br />
|-<br />
| Skein-256-256 || || align="right"| 854 slices || align="right"| 1402 Mbit/s || align="right"| 115 MHz<br />
|}<br />
<br />
<br />
----<br />
<br />
<br />
Same implementations as in [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/MATSUO_SHA-3_Criteria_Hardware_revised.pdf Matsuo et al.] [[#Ref033|[33]]] implemented on STM 90 nm technology.<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="200"| Reference !! width="120"| HDL !! width="120"| Category !! width="100"| Impl. Scope !! width="120"| Technology<br />
|- <br />
| [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] [[#Ref037|[37]]] || [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] || [[#High-Speed_Implementations_(ASIC)|High-speed ASIC]] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || STM 90 nm<br />
|}<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="140"| Hash Function Name !! width="270"| Impl. Details !! width="90"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| BLAKE-32 || || align="right"| 37 kGates || align="right"| 6668 Mbit/s || align="right"| 286.5 MHz<br />
|-<br />
| Blue Midnight Wish-256 || || align="right"| 128.7 kGates || align="right"| 25937 Mbit/s || align="right"| 101.3 MHz<br />
|-<br />
| CubeHash16/32-256 || || align="right"| 35.5 kGates || align="right"| 8247 Mbit/s || align="right"| 515.5 MHz<br />
|-<br />
| ECHO-256 || || align="right"| 101.1 kGates || align="right"| 5621 Mbit/s || align="right"| 362.3 MHz<br />
|-<br />
| Fugue-256 || || align="right"| 56.7 kGates || align="right"| 2721 Mbit/s || align="right"| 170.1 MHz<br />
|-<br />
| Grøstl-256 || || align="right"| 139.1 kGates || align="right"| 17297 Mbit/s || align="right"| 337.8 MHz<br />
|-<br />
| Hamsi-256 || || align="right"| 67.6 kGates || align="right"| 7767 Mbit/s || align="right"| 970.9 MHz<br />
|-<br />
| JH-256 || || align="right"| 54.6 kGates || align="right"| 10022 Mbit/s || align="right"| 763.4 MHz<br />
|-<br />
| Keccak(-256) || || align="right"| 50.7 kGates || align="right"| 33333 Mbit/s || align="right"| 781.3 MHz<br />
|-<br />
| Luffa-256 || || align="right"| 39.6 kGates || align="right"| 28732 Mbit/s || align="right"| 1010.1 MHz<br />
|-<br />
| Shabal-256 || || align="right"| 34.6 kGates || align="right"| 6059 Mbit/s || align="right"| 591.7 MHz<br />
|-<br />
| SHAvite-3<sub>256</sub> || || align="right"| 59.4 kGates || align="right"| 8421 Mbit/s || align="right"| 625 MHz<br />
|-<br />
| SIMD-256 || || align="right"| 139 kGates || align="right"| 3171 Mbit/s || align="right"| 284.9 MHz<br />
|-<br />
| Skein-256-256 || || align="right"| 43.1 kGates || align="right"| 3295 Mbit/s || align="right"| 270.3 MHz<br />
|}<br />
<br />
<br /><br />
<br /><br />
<br />
=== Blue Midnight Wish, Keccak, Luffa ===<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="200"| Reference !! width="120"| HDL !! width="120"| Category !! width="100"| Impl. Scope !! width="120"| Technology<br />
|- <br />
| [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SAVAS_SHA3_NIST_final.pdf Akin et al.] [[#Ref034|[34]]] || N/A || [[#High-Speed_Implementations_(FPGA)|High-speed FPGA]] || [[#Implementation_of_Core_Functionality|Core functionality]] || Xilinx Spartan 3<br />
|}<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="140"| Hash Function Name !! width="270"| Impl. Details !! width="90"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| Blue Midnight Wish || Compression function with f0, f1, and f2 unrolled in sequence || align="right"| 10531 slices || align="right"| 2110 Mbit/s || align="right"| 4.22 MHz<br />
|-<br />
| Keccak || One Keccak-f round per cycle || align="right"| 2024 slices || align="right"| 3460 Mbit/s || align="right"| 81.4 MHz<br />
|-<br />
| Luffa || Three step modules || align="right"| 2956 slices || align="right"| 1480 Mbit/s || align="right"| 157.3 MHz<br />
|}<br />
<br />
<br />
----<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="200"| Reference !! width="120"| HDL !! width="120"| Category !! width="100"| Impl. Scope !! width="120"| Technology<br />
|- <br />
| [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SAVAS_SHA3_NIST_final.pdf Akin et al.] [[#Ref034|[34]]] || N/A || [[#High-Speed_Implementations_(FPGA)|High-speed FPGA]] || [[#Implementation_of_Core_Functionality|Core functionality]] || Xilinx Virtex-II<br />
|}<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="140"| Hash Function Name !! width="270"| Impl. Details !! width="90"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| Blue Midnight Wish || Compression function with f0, f1, and f2 unrolled in sequence || align="right"| 10432 slices || align="right"| 3360 Mbit/s || align="right"| 6.71 MHz<br />
|-<br />
| Keccak || One Keccak-f round per cycle || align="right"| 2024 slices || align="right"| 5810 Mbit/s || align="right"| 136.6 MHz<br />
|-<br />
| Luffa || Three step modules || align="right"|2952 slices || align="right"| 8370 Mbit/s || align="right"| 301.4 MHz<br />
|}<br />
<br />
<br />
----<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="200"| Reference !! width="120"| HDL !! width="120"| Category !! width="100"| Impl. Scope !! width="120"| Technology<br />
|- <br />
| [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SAVAS_SHA3_NIST_final.pdf Akin et al.] [[#Ref034|[34]]] || N/A || [[#High-Speed_Implementations_(FPGA)|High-speed FPGA]] || [[#Implementation_of_Core_Functionality|Core functionality]] || Xilinx Virtex 4<br />
|}<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="140"| Hash Function Name !! width="270"| Impl. Details !! width="90"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| Blue Midnight Wish || Compression function with f0, f1, and f2 unrolled in sequence || align="right"| 10486 slices || align="right"| 4510 Mbit/s || align="right"| 9.01 MHz<br />
|-<br />
| Keccak || One Keccak-f round per cycle || align="right"| 2024 slices || align="right"| 6070 Mbit/s || align="right"| 142.9 MHz<br />
|-<br />
| Luffa || Three step modules || align="right"| 2989 slices || align="right"| 8560 Mbit/s || align="right"| 308.2 MHz<br />
|}<br />
<br />
<br />
----<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="200"| Reference !! width="120"| HDL !! width="120"| Category !! width="100"| Impl. Scope !! width="120"| Technology<br />
|- <br />
| [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SAVAS_SHA3_NIST_final.pdf Akin et al.] [[#Ref034|[34]]] || N/A || [[#High-Speed_Implementations_(ASIC)|High-speed ASIC]] || [[#Implementation_of_Core_Functionality|Core functionality]] || Synopsys 90 nm<br />
|}<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="140"| Hash Function Name !! width="270"| Impl. Details !! width="90"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| Blue Midnight Wish || Compression function with f0, f1, and f2 unrolled in sequence || align="right"| 55.9 kGates || align="right"| 26320 Mbit/s || align="right"| 52.63 MHz<br />
|-<br />
| Keccak || One Keccak-f round per cycle || align="right"| 10.5 kGates || align="right"| 19320 Mbit/s || align="right"| 454.5 MHz<br />
|-<br />
| Luffa || Three step modules || align="right"| 11.5 kGates || align="right"| 21370 Mbit/s || align="right"| 769.2 MHz<br />
|}<br />
<br />
=== All 14 Round-Two Candidates ===<br />
<br />
Results are post-P&amp;R and include throughputs without interface overhead.<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="200"| Reference !! width="120"| HDL !! width="120"| Category !! width="100"| Impl. Scope !! width="120"| Technology<br />
|- <br />
| [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SCHAUMONT_SHA3.pdf Guo et al.] [[#Ref035|[35]]] || N/A || [[#High-Speed_Implementations_(ASIC)|High-speed ASIC]] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || UMC 0.13 µm<br />
|}<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="140"| Hash Function Name !! width="270"| Impl. Details !! width="90"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| BLAKE-32 || || align="right"| 43.52 kGates || align="right"| 4645 Mbit/s || align="right"| 200 MHz<br />
|-<br />
| Blue Midnight Wish-256 || || align="right"| 198.17 kGates || align="right"| 12220 Mbit/s || align="right"| 48 MHz<br />
|-<br />
| CubeHash16/32-256 || || align="right"| 38.18 kGates || align="right"| 4624 Mbit/s || align="right"| 289 MHz<br />
|-<br />
| ECHO-256 || || align="right"| 92.73 kGates || align="right"| 3366 Mbit/s || align="right"| 217 MHz<br />
|-<br />
| Fugue-256 || || align="right"| 91.09 kGates || align="right"| 2385 Mbit/s || align="right"| 149 MHz<br />
|-<br />
| Grøstl-256 || || align="right"| 110.11 kGates || align="right"| 9606 Mbit/s || align="right"| 188 MHz<br />
|-<br />
| Hamsi-256 || || align="right"| 29.94 kGates || align="right"| 3571 Mbit/s || align="right"| 446 MHz<br />
|-<br />
| JH-256 || || align="right"| 62.42 kGates || align="right"| 5128 Mbit/s || align="right"| 391 MHz<br />
|-<br />
| Keccak(-256) || || align="right"| 47.43 kGates || align="right"| 15457 Mbit/s || align="right"| 377 MHz<br />
|-<br />
| Luffa-256 || || align="right"| 37.94 kGates || align="right"| 13943 Mbit/s || align="right"| 490 MHz<br />
|-<br />
| Shabal-256 || || align="right"| 49.44 kGates || align="right"| 2945 Mbit/s || align="right"| 362 MHz<br />
|-<br />
| SHAvite-3<sub>256</sub> || || align="right"| 55.25 kGates || align="right"| 4599 Mbit/s || align="right"| 341 MHz<br />
|-<br />
| SIMD-256 || || align="right"| 139.55 kGates || align="right"| 2157 Mbit/s || align="right"| 194 MHz<br />
|-<br />
| Skein-256-256 || || align="right"| 40.9 kGates || align="right"| 1941 Mbit/s || align="right"| 159 MHz<br />
|}<br />
<br />
<br /><br />
<br /><br />
<br />
== References ==<br />
<br />
<div id="Ref001"><br />
[1] Jean-Philippe Aumasson, Luca Henzen, Willi Meier, and Raphael C.-W. Phan. SHA-3 proposal BLAKE (version 1.3). Available online at http://131002.net/blake/blake.pdf.<br />
</div><br />
<br />
<div id="Ref002"><br />
[2] A. H. Namin and M. A. Hasan. Hardware Implementation of the Compression Function for Selected SHA-3 Candidates. Available online at http://www.vlsi.uwaterloo.ca/~ahasan/hasan_report.html.<br />
</div><br />
<br />
<div id="Ref003"><br />
[3] Kazuyuki Kobayashi, Jun Ikegami, Shin'ichiro Matsuo, Kazuo Sakiyama, and Kazuo Ohta. Evaluation of Hardware Performance for the SHA-3 Candidates Using SASEBO-GII. IACR Eprint report 2010/010. Available online at http://eprint.iacr.org/2010/010.pdf.<br />
</div><br />
<br />
<div id="Ref004"><br />
[4] Brian Baldwin, Andrew Byrne, Mark Hamilton, Neil Hanley, Robert P. McEvoy, Weibo Pan, and William P. Marnane. FPGA Implementations of SHA-3 Candidates: CubeHash, Grøstl, LANE, Shabal and Spectral Hash. IACR Eprint report 2009/342. Available online at http://eprint.iacr.org/2009/342.pdf.<br />
</div><br />
<br />
<div id="Ref005"><br />
[5] Liang Lu, Maire O'Neil, and Earl Swartzlander. Hardware Evaluation of SHA-3 Hash Function Candidate ECHO. Presentation at the Clauce Shannon Institute Workshop on Coding and Cryptography 2009. Slides available online at http://www.ucc.ie/en/crypto/CodingandCryptographyWorkshop/TheClaudeShannonWorkshoponCodingCryptography2009/DocumentFile,75649,en.pdf.<br />
</div><br />
<br />
<div id="Ref006"><br />
[6] Bernhard Jungk, Steffen Reith, and Jürgen Apfelbeck. On Optimized FPGA Implementations of the SHA-3 Candidate Grøstl. IACR Eprint report 2009/206. Available online at http://eprint.iacr.org/2009/206.pdf.<br />
</div><br />
<br />
<div id="Ref007"><br />
[7] Praveen Gauravaram, Lars R. Knudsen, Krystian Matusievicz, Florian Mendel, Christian Rechberger, Martin Schläffer, and Søren S. Thomsen. Grøstl - a SHA-3 candidate (October 31, 2008). Available online at http://www.groestl.info/Groestl.pdf.<br />
</div><br />
<br />
<div id="Ref008"><br />
[8] Guido Bertoni, Joan Daemen, Michaël Peeters, and Gilles van Assche. KECCAK sponge function family main document (Version 1.2, April 23, 2009). Available online at http://keccak.noekeon.org/Keccak-main-1.2.pdf.<br />
</div><br />
<br />
<div id="Ref009"><br />
[9] Joachim Strömbergson. Implementation of the Keccak Hash Function in FPGA Devices. Available online at http://www.strombergson.com/files/Keccak_in_FPGAs.pdf.<br />
</div><br />
<br />
<div id="Ref010"><br />
[10] Romain Feron and Julien Francq. FPGA Implementation of Shabal: Our First Results (Version 2.0, February 19, 2010). Available online at http://www.shabal.com/wp-content/uploads/2010/03/FPGA-Implementation-of-Shabal-First-ResultsV2.0.pdf.<br />
</div><br />
<br />
<div id="Ref011"><br />
[11] Men Long. Implementing Skein Hash Function on Xilinx Virtex-5 FPGA Platform (Version 0.7, February 2, 2009). Available online at http://www.skein-hash.info/sites/default/files/skein_fpga.pdf.<br />
</div><br />
<br />
<div id="Ref012"><br />
[12] Stefan Tillich. Hardware Implementation of the SHA-3 Candidate Skein. IACR Eprint report 2009/159. Available online at http://eprint.iacr.org/2009/159.pdf.<br />
</div><br />
<br />
<div id="Ref013"><br />
[13] Jean-Luc Beuchat, Eiji Okamoto, and Teppei Yamazaki. Compact Implementations of BLAKE-32 and BLAKE-64 on FPGA. IACR Eprint report 2010/173. Available online at http://eprint.iacr.org/2010/173.pdf.<br />
</div><br />
<br />
<div id="Ref014"><br />
[14] Stefan Tillich, Martin Feldhofer, Mario Kirschbaum, Thomas Plos, Jörn-Marc Schmidt, and Alexander Szekely. High-Speed Hardware Implementations of BLAKE, Blue Midnight Wish, CubeHash, ECHO, Fugue, Grøstl, Hamsi, JH, Keccak, Luffa, Shabal, SHAvite-3, SIMD, and Skein. IACR Eprint report 2009/510. Available online at http://eprint.iacr.org/2009/510.pdf.<br />
</div><br />
<br />
<div id="Ref015"><br />
[15] Shai Halevi, William E. Hall, and Charanjit S. Jutla. The Hash Function Fugue (October 30, 2008). Available online at http://domino.research.ibm.com/comm/research_projects.nsf/pages/fugue.index.html/$FILE/NIST-submission-Oct08-fugue.pdf.<br />
</div><br />
<br />
<div id="Ref016"><br />
[16] Junfeng Fan. Hardware Evaluation of The Hash Function Hamsi. Available online at http://homes.esat.kuleuven.be/~okucuk/hamsi/implementations.html.<br />
</div><br />
<br />
<div id="Ref017"><br />
[17] Miroslav Knezevic and Ingrid Verbeiwhede. Hardware Evaluation of the Luffa Hash Family. 4th Workshop on Embedded Systems Security 2009. Available online at http://www.cosic.esat.kuleuven.be/publications/article-1282.pdf.<br />
</div><br />
<br />
<div id="Ref018"><br />
[18] Stefan Tillich, Martin Feldhofer, Wolfgang Issovits, Thomas Kern, Hermann Kureck, Michael Mühlberghuber, Georg Neubauer, Andreas Reiter, Armin Köfler, and Mathias Mayrhofer. Compact Hardware Implementations of the SHA-3 Candidates ARIRANG, BLAKE, Grøstl, and Skein. IACR Eprint report 2009/349. Available online at http://eprint.iacr.org/2009/349.pdf.<br />
</div><br />
<br />
<div id="Ref019"><br />
[19] Grøstl website. http://www.groestl.info/.<br />
</div><br />
<br />
<div id="Ref020"><br />
[20] Markus Bernet, Luca Henzen, Hubert Kaeslin, Norbert Felber, and Wolfgang Fichtner. Hardware Implementations of the SHA-3 Candidates Shabal and CubeHash. 52nd IEEE International Midwest Symposium on Circuits and Systems, 2009. Available online at http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=5236043.<br />
</div><br />
<br />
<div id="Ref021"><br />
[21] Michel Kinsy and Richard Uhler. SHA-3: FPGA Implementation of ESSENCE and ECHO Hash Algorithm Candidates Using Bluespec. Available online at http://csg.csail.mit.edu/6.375/6_375_2009_www/projects/group1_report.pdf.<br />
</div><br />
<br />
<div id="Ref022"><br />
[22] Bernhard Jungk and Steffen Reith. On FPGA-based implementations of Grøstl. IACR Eprint report 2010/260. Available online at http://eprint.iacr.org/2010/260.pdf.<br />
</div><br />
<br />
<div id="Ref023"><br />
[23] Jérémie Detrey, Pierre Gaudry, and Karim Khalfallah. A Low-Area yet Performant FPGA Implementation of Shabal. IACR Eprint report 2010/292. Available online at http://eprint.iacr.org/2010/292.pdf.<br />
</div><br />
<br />
<div id="Ref024"><br />
[24] Jean-Luc Beuchat, Eiji Okamoto, and Teppei Yamazaki. A Compact FPGA Implementation of the SHA-3 Candidate ECHO. IACR Eprint report 2010/364. Available online at http://eprint.iacr.org/2010/364.pdf.<br />
</div><br />
<br />
<div id="Ref025"><br />
[25] Wim Ramakers and Hans Narinx. Implementation and evaluation of SHA-3 candidates on FPGA. Extended abstract of Master Thesis &quot;Implementatie en Evaluatie van SHA-3-Kandidaten op FPGA&quot; (Dutch). Extended abstract available online at http://ehash.iaik.tugraz.at/uploads/1/12/Ramakers_Narinx2010ECHO-Hamsi-Luffa_ExtendedAbstract_ENGLISH.pdf. Full thesis available online at http://ehash.iaik.tugraz.at/uploads/6/62/Ramakers_Narinx2010ECHO-Hamsi-Luffa_Thesis_DUTCH.pdf.<br />
</div><br />
<br />
<div id="Ref026"><br />
[26] Julien Francq and Céline Thuillet. Unfolding Method for Shabal on Virtex-5 FPGAs: Concrete Results. IACR Eprint report 2010/406. Available online at http://eprint.iacr.org/2010/406.pdf.<br />
</div><br />
<br />
<div id="Ref027"><br />
[27] Shugo Mikami, Nagamasa Mizushima, Setsuko Nakamura, and Dai Watanabe. A Compact Hardware Implementation of SHA-3 Candidate Luffa. Available online at http://www.sdl.hitachi.co.jp/crypto/luffa/ACompactHardwareImplementationOfSHA-3CandidateLuffa_20100810.pdf.<br />
</div><br />
<br />
<div id="Ref028"><br />
[28] Imed Mabrouk and Ryad Benadjila. ECHO webpage (hardware subpage). http://crypto.rd.francetelecom.com/ECHO/hard/.<br />
</div><br />
<br />
<div id="Ref029"><br />
[29] Luca Henzen, Pietro Gendotti, Patrice Guillet, Enrico Pargaetzi, Martin Zoller, and Frank K. Gürkaynak. Developing a Hardware Evaluation Method for SHA-3 Candidates. 12th International Workshop on Cryptographic Hardware and Embedded Systems (CHES), 2010. Available online at http://www.springerlink.com/content/g0115v3272156r06/.<br />
</div><br />
<br />
<div id="Ref030"><br />
[30] Kris Gaj, Ekawat Homsirikamol, and Marcin Rogawski. Fair and Comprehensive Methodology for Comparing Hardware Performance of Fourteen Round Two SHA-3 Candidates Using FPGAs. 12th International Workshop on Cryptographic Hardware and Embedded Systems (CHES), 2010. Available online at http://www.springerlink.com/content/q41257x376615p22/.<br />
</div><br />
<br />
<div id="Ref031"><br />
[31] Brian Baldwin, Neil Hanley, Mark Hamilton, Liang Lu, Andrew Byrne, Maire O'Neill, and William P. Marnane. FPGA Implementations of the Round Two SHA-3 Candidates. Second SHA-3 Candidate Conference, 2010. Available online at http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf.<br />
</div><br />
<br />
<div id="Ref032"><br />
[32] Mohamed El Hadedy, Martin Margala, Danilo Gligoroski, and Svein J. Knapskog. Resource-Efficient Implementation of Blue Midnight Wish-256 Hash Function on Xilinx FPGA Platform. Second SHA-3 Candidate Conference, 2010. Available online at http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/El-Hadedy_SmallSizeFPGA-BMW256.pdf.<br />
</div><br />
<br />
<div id="Ref033"><br />
[33] Shin'ichiro Matsuo, Miroslav Knezevic, Patrick Schaumont, Ingrid Verbauwhede, Akashi Satoh, Kazuo Sakiyama, and Kazuo Ota. How Can We Conduct "Fair and Consistent" Hardware Evaluation for SHA-3 Candidate? Second SHA-3 Candidate Conference, 2010. Available online at http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/MATSUO_SHA-3_Criteria_Hardware_revised.pdf.<br />
</div><br />
<br />
<div id="Ref034"><br />
[34] Abdulkadir Akin, Aydin Aysu, Onur Can Ulusel, and Erkay Savas. Efficient Hardware Implementations of High Throughput SHA-3 Candidates Keccak, Luffa and Blue Midnight Wish for Single- and Multi-Message Hashing. Second SHA-3 Candidate Conference, 2010. Available online at http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SAVAS_SHA3_NIST_final.pdf.<br />
</div><br />
<br />
<div id="Ref035"><br />
[35] Xu Guo, Sinan Huang, Leyla Nazhandali, and Patrick Schaumont. Fair and Comprehensive Performance Evaluation of 14 Second Round SHA-3 ASIC Implementations. Second SHA-3 Candidate Conference, 2010. Available online at http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SCHAUMONT_SHA3.pdf.<br />
</div><br />
<br />
<div id="Ref036"><br />
[36] Jesse Walker, Farhana Sheikh, Sanu K. Mathew, and Ram Krishnamurthy. A Skein-512 Hardware Implementation. Available online at http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/WALKER_skein-intel-hwd.pdf.<br />
</div><br />
<br />
<div id="Ref037"><br />
[37] RCIS webpage. http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html.<br />
</div><br />
<br />
<div id="Ref038"><br />
[38] Akashi Satoh, Toshihiro Katashita, Takeshi Sugawara, Naofumi Homma, and Takafumi Aoki. Hardware Implementations of Hash Function Luffa. IEEE International Symposium on Hardware-Oriented Security and Trust (HOST), 2010. Available online at http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=5513102&tag=1.<br />
</div><br />
<br />
<div id="Ref039"><br />
[39] RCIS webpage (Other ASIC Implementations). http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/others.html.<br />
</div><br />
<br />
<div id="Ref040"><br />
[40] Luca Henzen, Jean-Philippe Aumasson, Willi Meier, and Raphael C.-W. Phan. VLSI Characterization of the Cryptographic Hash Function BLAKE. IEEE T VLSI, 2010. Available online at http://131002.net/data/papers/HAMP10.pdf.<br />
</div></div>
JAumasson
https://ehash.iaik.tugraz.at/index.php?title=SHA-3_Hardware_Implementations&diff=3606
SHA-3 Hardware Implementations
2010-09-22T07:29:04Z
<p>JAumasson: added ref [40]</p>
<hr />
<div>== Call for Contributions ==<br />
<br />
Implementers (both submitters and non-submitters): You have results that complement this site? <br />
Let us know at sha3zoo-hardware@iaik.tugraz.at If you are making your HDL code available, please also provide us with according information.<br />
<br />
== Important Information ==<br />
<br />
This page summarizes key properties of reported hardware implementations of those SHA-3 candidates, which are currently under consideration by NIST. This is work in progress. If you know of any implementations which should be mentioned on this page, refer to our [[#Call_for_Contributions|call for contributions]].<br />
<br />
A list of hardware implementations of the round 1 candidates can be found [[SHA-3_Hardware_Implementations_Round_One|here]]. Please note that the page for round 1 candidates is provided for reference and will not be updated.<br />
<br />
The implementations are categorized into FPGA and standard-cell ASIC implementations. Note that the diversity of implementation scope, target technologies, and synthesis tools makes direct comparisions between different hardware implementation difficult. The more of these parameters agree, the more reasonable the comparison becomes. <br />
<br />
The target technology should be as similar as possible. For FPGA implementation, it is desirable to compare implementations on the same target device (or at least on devices of the same FPGA family). For standard-cell ASIC implementation, at least the minimal gate length of the process (e.g., 0.13 µm) should agree. More ideally, the implementations use the same standard-cell library (which implies the use of the same process technology).<br />
<br />
In order to facilitate the comparision of hardware modules with different implementation scopes, we classify them into three categories:<br />
<br />
* [[#Fully_Autonomous_Implementation|Fully autonomous]]<br />
* [[#Implementation_with_External_Memory|Using external memory]]<br />
* [[#Implementation_of_Core_Functionality|Core functionality]]<br />
<br />
For suggestions regarding the structure of this site, let us know at sha3zoo-hardware@iaik.tugraz.at<br />
<br />
=== Fully Autonomous Implementation ===<br />
<br />
[[Image:HW_type_self-cont.jpg]]<br />
<br />
Such hardware implementations include the complete functionality of a SHA-3 candidate (or a specific version thereof). That means the input message can be loaded piecewise into the hardware module and it delivers the message digest as output. All hash calculations happen exclusively within the hardware module. If integrated in a system, the achievable throughput of a fully autonomous implementation depends on the speed of the hardware module itself and the speed of the (system dependent) data interface delivering the input message.<br />
<br />
<br />
=== Implementation with External Memory ===<br />
<br />
[[Image:HW_type_ext-mem.jpg]]<br />
<br />
These implementations use external memory to hold intermediate values during the hashing of a message. The implemented hardware itself normally consists of the core logic functionality of the hash function, some registers for short-lived temporary values, and possible a memory controller for access to the external memory. Such implementations can load the input message either over a dedicated interface (similar to a fully autonomous implementation) or from the external memory. In order to reach the maximal throughput of the hardware module, the external memory must be sufficiently fast.<br />
<br />
<br />
=== Implementation of Core Functionality ===<br />
<br />
[[Image:HW_type_core-funct.jpg]]<br />
<br />
Such implementations comprise only important parts of the hash function (e.g., the compression function), which normally allows to get a first-order estimate of the performance figures of full implementations.<br />
<br />
== Ongoing Hardware Benchmarking Efforts ==<br />
<br />
To describe it in the words of the initiators and maintainers: "ATHENa: Automated Tool for Hardware EvaluatioN is a project started at George Mason University, aimed at fair, comprehensive, and automated evaluation of cryptographic cores developed using hardware description languages, such as VHDL and Verilog." More information about the project and the current results can be found on the [http://cryptography.gmu.edu/athena/ ATHENa webpage]. Note: As each hash module submitted to ATHENAa is implemented on several FPGA platforms, the SHA-3 zoo pages will not replicate all results produced by the ATHENa project on this webpage. Instead please refer directly to the [http://cryptography.gmu.edu/athena/ ATHENa webpage].<br />
<br />
== Summary of All Results ==<br />
<br />
This section includes four categories of implementations (high-speed, low-area, both for FPGA and ASIC) which include known published results. If the HDL sourcecode is available, a link is provided as well.<br />
<br />
=== High-Speed Implementations (FPGA) ===<br />
<br />
Important note: The size and functionality of slices varies between FPGA families. A direct comparision of the slice count of implementations on different FPGA families is therefore problematic.<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="120"| Hash Function Name !! width="150"| Reference / HDL !! width="100"| Impl. Scope !! width="200"| Impl. Details !! width="100"| Technology !! width="80"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| BLAKE-32 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with 8 G function units || Xilinx Virtex-II Pro || align="right"| 3091 slices || align="right"| 1724 Mbit/s || align="right"| 37.0 MHz<br />
|-<br />
| BLAKE-32 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with 8 G function units || Xilinx Virtex 4 || align="right"| 3087 slices || align="right"| 2235 Mbit/s || align="right"| 48.0 MHz<br />
|-<br />
| BLAKE-32 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with 8 G function units || Xilinx Virtex 5 || align="right"| 1694 slices || align="right"| 3103 Mbit/s || align="right"| 67.0 MHz<br />
|-<br />
| BLAKE-32 || [http://www.vlsi.uwaterloo.ca/~ahasan/hasan_report.html Namin and Hasan] [[#Ref002|[2]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with 8 G function units and I/O registers || Altera Stratix III || align="right"| 5435 ALUTs || align="right"| 2186.2 Mbit/s || align="right"| 46.97 MHz<br />
|-<br />
| BLAKE-32 || [http://eprint.iacr.org/2010/010.pdf Kobayashi et al.] [[#Ref003|[3]]] / [http://www.rcis.aist.go.jp/special/SASEBO/SHA3-en.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1660 slices || align="right"| 2676 Mbit/s || align="right"| 115 MHz<br />
|-<br />
| BLAKE-32 || [http://www.springerlink.com/content/q41257x376615p22/ Gaj et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1851 slices || align="right"| 2610.6 Mbit/s || align="right"| 102 MHz<br />
|-<br />
| BLAKE-32 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1118 slices || align="right"| 1169 Mbit/s || align="right"| 118.06 MHz<br />
|-<br />
| BLAKE-32 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/MATSUO_SHA-3_Criteria_Hardware_revised.pdf Matsuo et al.] [[#Ref033|[33]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS website] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1660 slices || align="right"| 2676 Mbit/s || align="right"| 115 MHz<br />
|-<br />
| BLAKE-64 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with 8 G function units || Xilinx Virtex-II Pro || align="right"| 11122 slices || align="right"| 1177 Mbit/s || align="right"| 17.0 MHz<br />
|-<br />
| BLAKE-64 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with 8 G function units || Xilinx Virtex 4 || align="right"| 11483 slices || align="right"| 1707 Mbit/s || align="right"| 25.0 MHz<br />
|-<br />
| BLAKE-64 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with 8 G function units || Xilinx Virtex 5 || align="right"| 4329 slices || align="right"| 2389 Mbit/s || align="right"| 35.0 MHz<br />
|-<br />
| BLAKE-64 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1718 slices || align="right"| 1299 Mbit/s || align="right"| 90.91 MHz<br />
|-<br />
| Blue Midnight Wish-256 || [http://www.vlsi.uwaterloo.ca/~ahasan/hasan_report.html Namin and Hasan] [[#Ref002|[2]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with f0, f1, and f2 unrolled in sequence and I/O registers || Altera Stratix III || align="right"| 12917 ALUTs || align="right"| 4889.6 Mbit/s || align="right"| 9.55 MHz<br />
|-<br />
| Blue Midnight Wish-256 || [http://www.springerlink.com/content/q41257x376615p22/ Gaj et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 4400 slices || align="right"| 5576.7 Mbit/s || align="right"| 10.9 MHz<br />
|-<br />
| Blue Midnight Wish-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 4997 slices || align="right"| 457 Mbit/s || align="right"| 14.02 MHz<br />
|-<br />
| Blue Midnight Wish-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/MATSUO_SHA-3_Criteria_Hardware_revised.pdf Matsuo et al.] [[#Ref033|[33]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS website] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 4350 slices || align="right"| 8704 Mbit/s || align="right"| 34 MHz<br />
|-<br />
| Blue Midnight Wish-512 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 9810 slices || align="right"| 287 Mbit/s || align="right"| 10 MHz<br />
|-<br />
| Blue Midnight Wish || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SAVAS_SHA3_NIST_final.pdf Akin et al.] [[#Ref034|[34]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with f0, f1, and f2 unrolled in sequence || Xilinx Spartan 3 || align="right"| 10531 slices || align="right"| 2110 Mbit/s || align="right"| 4.22 MHz<br />
|-<br />
| Blue Midnight Wish || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SAVAS_SHA3_NIST_final.pdf Akin et al.] [[#Ref034|[34]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with f0, f1, and f2 unrolled in sequence || Xilinx Virtex-II || align="right"| 10432 slices || align="right"| 3360 Mbit/s || align="right"| 6.71 MHz<br />
|-<br />
| Blue Midnight Wish || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SAVAS_SHA3_NIST_final.pdf Akin et al.] [[#Ref034|[34]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with f0, f1, and f2 unrolled in sequence || Xilinx Virtex 4 || align="right"| 10486 slices || align="right"| 4510 Mbit/s || align="right"| 9.01 MHz<br />
|-<br />
| CubeHash8/1-256(***) || [http://eprint.iacr.org/2009/342.pdf Baldwin et al.] [[#Ref004|[4]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || 2 compression functions unrolled || Xilinx Spartan 3 || align="right"| 3268 slices || align="right"| 70 Mbit/s || align="right"| 37.9 MHz<br />
|-<br />
| CubeHash8/1-256(***) || [http://eprint.iacr.org/2009/342.pdf Baldwin et al.] [[#Ref004|[4]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || 1 iterated compression function || Xilinx Virtex 5 || align="right"| 1178 slices || align="right"| 160 Mbit/s || align="right"| 166.8 MHz<br />
|-<br />
| CubeHash16/32-256 || [http://eprint.iacr.org/2010/010.pdf Kobayashi et al.] [[#Ref003|[3]]] / [http://www.rcis.aist.go.jp/special/SASEBO/SHA3-en.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 590 slices || align="right"| 2960 Mbit/s || align="right"| 185 MHz<br />
|-<br />
| CubeHash16/32-256 || [http://www.springerlink.com/content/q41257x376615p22/ Gaj et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 730 slices || align="right"| 3189.8 Mbit/s || align="right"| 199.4 MHz<br />
|-<br />
| CubeHash16/32-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/MATSUO_SHA-3_Criteria_Hardware_revised.pdf Matsuo et al.] [[#Ref033|[33]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS website] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 590 slices || align="right"| 2960 Mbit/s || align="right"| 185 MHz<br />
|-<br />
| CubeHash8/32 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 695 slices || align="right"| 2509 Mbit/s || align="right"| 166.83 MHz<br />
|-<br />
| ECHO-224/256 || [http://www.ucc.ie/en/crypto/CodingandCryptographyWorkshop/TheClaudeShannonWorkshoponCodingCryptography2009/DocumentFile,75649,en.pdf Lu et al.] [[#Ref005|[5]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 9333 slices || align="right"| 14860 Mbit/s || align="right"| 87.1 MHz<br />
|-<br />
| ECHO-224/256 || [http://csg.csail.mit.edu/6.375/6_375_2009_www/projects/group1_report.pdf Kinsy and Uhler] [[#Ref021|[21]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 273 cycles per block || Altera Cyclone II || align="right"| 39091 LEs || align="right"| 397 Mbit/s(*) || align="right"| 70.6 MHz<br />
|-<br />
| ECHO-256 || [http://ehash.iaik.tugraz.at/uploads/1/12/Ramakers_Narinx2010ECHO-Hamsi-Luffa_ExtendedAbstract_ENGLISH.pdf Ramakers and Narinx] [[#Ref025|[25]]] / [http://ehash.iaik.tugraz.at/uploads/2/27/Ramakers_Narinx2010ECHO-Hamsi-Luffa_VHDL_sources.zip Hosted by SHA-3 zoo] || [[#Implementation_of_Core_Functionality|Core functionality]] || Straight-forward instantiation of complete compression function || Xilinx Virtex 5 || align="right"| 15006 slices || align="right"| 23860 Mbit/s || align="right"| 139 MHz<br />
|-<br />
| ECHO-256 || [http://ehash.iaik.tugraz.at/uploads/1/12/Ramakers_Narinx2010ECHO-Hamsi-Luffa_ExtendedAbstract_ENGLISH.pdf Ramakers and Narinx] [[#Ref025|[25]]] / [http://ehash.iaik.tugraz.at/uploads/2/27/Ramakers_Narinx2010ECHO-Hamsi-Luffa_VHDL_sources.zip Hosted by SHA-3 zoo] || [[#Implementation_of_Core_Functionality|Core functionality]] || Optimized: 4 x 2 AES round instances with pipeline register in BigSubWords || Xilinx Virtex 5 || align="right"| 12061 slices || align="right"| 3560 Mbit/s || align="right"| 187 MHz<br />
|-<br />
| ECHO-256 || [http://eprint.iacr.org/2010/010.pdf Kobayashi et al.] [[#Ref003|[3]]] / [http://www.rcis.aist.go.jp/special/SASEBO/SHA3-en.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 3556 slices || align="right"| 1614 Mbit/s || align="right"| 104 MHz<br />
|-<br />
| ECHO-256 || [http://crypto.rd.francetelecom.com/ECHO/hard/ Mabrouk and Benadjila] [[#Ref028|[28]]] / [http://crypto.rd.francetelecom.com/ECHO/hard/echo_highspeed_virtex5.zip Implementer's webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Fully parallel iterations of Compress512 || Xilinx Virtex 5 || align="right"| 10407 slices || align="right"| 26390 Mbit/s || align="right"| 154.6 MHz<br />
|-<br />
| ECHO-256 || [http://crypto.rd.francetelecom.com/ECHO/hard/ Mabrouk and Benadjila] [[#Ref028|[28]]] / [http://crypto.rd.francetelecom.com/ECHO/hard/echo_highspeed_virtex6.zip Implementer's webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Fully parallel iterations of Compress512 || Xilinx Virtex 6 || align="right"| 8071 slices || align="right"| 29457 Mbit/s || align="right"| 172.6 MHz<br />
|-<br />
| ECHO-256 || [http://www.springerlink.com/content/q41257x376615p22/ Gaj et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 6453 slices || align="right"| 10133.4 Mbit/s || align="right"| 178.1 MHz<br />
|-<br />
| ECHO-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 7372 slices || align="right"| 5373 Mbit/s || align="right"| 198.93 MHz<br />
|-<br />
| ECHO-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/MATSUO_SHA-3_Criteria_Hardware_revised.pdf Matsuo et al.] [[#Ref033|[33]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS website] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 2827 slices || align="right"| 2312 Mbit/s || align="right"| 149 MHz<br />
|-<br />
| ECHO-384/512 || [http://www.ucc.ie/en/crypto/CodingandCryptographyWorkshop/TheClaudeShannonWorkshoponCodingCryptography2009/DocumentFile,75649,en.pdf Lu et al.] [[#Ref005|[5]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 9097 slices || align="right"| 7810 Mbit/s || align="right"| 83.9 MHz<br />
|-<br />
| ECHO-384/512 || [http://csg.csail.mit.edu/6.375/6_375_2009_www/projects/group1_report.pdf Kinsy and Uhler] [[#Ref021|[21]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 341 cycles per block || Altera Cyclone II || align="right"| 39091 LEs || align="right"| 212 Mbit/s(**) || align="right"| 70.6 MHz<br />
|-<br />
| ECHO-512 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 8633 slices || align="right"| 18133 Mbit/s || align="right"| 166.69 MHz<br />
|-<br />
| Fugue-256 || [http://www.springerlink.com/content/q41257x376615p22/ Gaj et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 956 slices || align="right"| 3151.2 Mbit/s || align="right"| 98.5 MHz<br />
|-<br />
| Fugue-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1689 slices || align="right"| 914 Mbit/s || align="right"| 200.04 MHz<br />
|-<br />
| Fugue-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/MATSUO_SHA-3_Criteria_Hardware_revised.pdf Matsuo et al.] [[#Ref033|[33]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS website] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 4013 slices || align="right"| 1248 Mbit/s || align="right"| 78 MHz<br />
|-<br />
| Fugue-384 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 2380 slices || align="right"| 640 Mbit/s || align="right"| 200.08 MHz<br />
|-<br />
| Fugue-512 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 2596 slices || align="right"| 481 Mbit/s || align="right"| 200.16 MHz<br />
|-<br />
| Grøstl-224/256 || [http://eprint.iacr.org/2009/206.pdf Jungk et al.] [[#Ref006|[6]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || P & Q permutation in parallel || Xilinx Spartan 3 || align="right"| 6136 slices || align="right"| 4520 Mbit/s || align="right"| 88.3 MHz<br />
|-<br />
| Grøstl-224/256 || [http://www.groestl.info/Groestl.pdf Submission doc.] [[#Ref007|[7]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || P & Q permutation in parallel || Xilinx Virtex 5 || align="right"| 1722 slices || align="right"| 10276 Mbit/s || align="right"| 200.7 MHz<br />
|-<br />
| Grøstl-224/256 || [http://eprint.iacr.org/2009/342.pdf Baldwin et al.] [[#Ref004|[4]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || P & Q permutation in parallel, S-box in BRAM || Xilinx Spartan 3 || align="right"| 4827 slices || align="right"| 3660 Mbit/s || align="right"| 71.53 MHz<br />
|-<br />
| Grøstl-224/256 || [http://eprint.iacr.org/2009/342.pdf Baldwin et al.] [[#Ref004|[4]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || P & Q permutation in parallel, S-box in BRAM || Xilinx Virtex 5 || align="right"| 4516 slices || align="right"| 7310 Mbit/s || align="right"| 142.87 MHz<br />
|-<br />
| Grøstl-256 || [http://eprint.iacr.org/2010/010.pdf Kobayashi et al.] [[#Ref003|[3]]] / [http://www.rcis.aist.go.jp/special/SASEBO/SHA3-en.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 4057 slices || align="right"| 5171 Mbit/s || align="right"| 101 MHz<br />
|-<br />
| Grøstl-256 || [http://www.springerlink.com/content/q41257x376615p22/ Gaj et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1884 slices || align="right"| 8676.5 Mbit/s || align="right"| 355.9 MHz<br />
|-<br />
| Grøstl-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 2391 slices || align="right"| 3242 Mbit/s || align="right"| 101.32 MHz<br />
|-<br />
| Grøstl-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/MATSUO_SHA-3_Criteria_Hardware_revised.pdf Matsuo et al.] [[#Ref033|[33]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS website] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 2616 slices || align="right"| 7885 Mbit/s || align="right"| 154 MHz<br />
|-<br />
| Grøstl-384/512 || [http://www.groestl.info/Groestl.pdf Submission doc.] [[#Ref007|[7]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || P & Q permutation in parallel || Xilinx Spartan 3 || align="right"| 20233 slices || align="right"| 5901 Mbit/s || align="right"| 80.7 MHz<br />
|-<br />
| Grøstl-384/512 || [http://eprint.iacr.org/2009/342.pdf Baldwin et al.] [[#Ref004|[4]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || P & Q permutation parallel, S-box in LUTs || Xilinx Spartan 3 || align="right"| 17452 slices || align="right"| 3180 Mbit/s || align="right"| 79.61 MHz<br />
|-<br />
| Grøstl-384/512 || [http://eprint.iacr.org/2009/342.pdf Baldwin et al.] [[#Ref004|[4]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || P & Q permutation parallel, S-box in LUTs || Xilinx Virtex 5 || align="right"| 19161 slices || align="right"| 6090 Mbit/s || align="right"| 83.33 MHz<br />
|-<br />
| Grøstl-384/512 || [http://www.groestl.info/Groestl.pdf Submission doc.] [[#Ref007|[7]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || P & Q permutation in parallel || Xilinx Virtex 5 || align="right"| 5419 slices || align="right"| 15395 Mbit/s || align="right"| 210.5 MHz<br />
|-<br />
| Grøstl-384/512 || [http://eprint.iacr.org/2010/260.pdf Jungk and Reith] [[#Ref022|[22]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Shared P & Q permutation || Xilinx Spartan 3 || align="right"| 8308 slices || align="right"| 3474 Mbit/s || align="right"| 95 MHz<br />
|-<br />
| Grøstl-512 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 4845 slices || align="right"| 3619 Mbit/s || align="right"| 123.4 MHz<br />
|-<br />
| Hamsi-256 || [http://eprint.iacr.org/2010/010.pdf Kobayashi et al.] [[#Ref003|[3]]] / [http://www.rcis.aist.go.jp/special/SASEBO/SHA3-en.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 718 slices || align="right"| 1680 Mbit/s || align="right"| 210 MHz<br />
|-<br />
| Hamsi-256 || [http://ehash.iaik.tugraz.at/uploads/1/12/Ramakers_Narinx2010ECHO-Hamsi-Luffa_ExtendedAbstract_ENGLISH.pdf Ramakers and Narinx] [[#Ref025|[25]]] / [http://ehash.iaik.tugraz.at/uploads/2/27/Ramakers_Narinx2010ECHO-Hamsi-Luffa_VHDL_sources.zip Hosted by SHA-3 zoo] || [[#Implementation_of_Core_Functionality|Core functionality]] || Straight-forward instantiation of complete compression function || Xilinx Virtex 5 || align="right"| 4664 slices || align="right"| 6620 Mbit/s || align="right"| 207 MHz<br />
|-<br />
| Hamsi-256 || [http://ehash.iaik.tugraz.at/uploads/1/12/Ramakers_Narinx2010ECHO-Hamsi-Luffa_ExtendedAbstract_ENGLISH.pdf Ramakers and Narinx] [[#Ref025|[25]]] / [http://ehash.iaik.tugraz.at/uploads/2/27/Ramakers_Narinx2010ECHO-Hamsi-Luffa_VHDL_sources.zip Hosted by SHA-3 zoo] || [[#Implementation_of_Core_Functionality|Core functionality]] || Non-linear permutation block reused || Xilinx Virtex 5 || align="right"| 2113 slices || align="right"| 1970 Mbit/s || align="right"| 308 MHz<br />
|-<br />
| Hamsi-256 || [http://www.springerlink.com/content/q41257x376615p22/ Gaj et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 946 slices || align="right"| 2646.2 Mbit/s || align="right"| 248.1 MHz<br />
|-<br />
| Hamsi-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1518 slices || align="right"| 358 Mbit/s || align="right"| 72.41 MHz<br />
|-<br />
| Hamsi-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/MATSUO_SHA-3_Criteria_Hardware_revised.pdf Matsuo et al.] [[#Ref033|[33]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS website] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 718 slices || align="right"| 1680 Mbit/s || align="right"| 210 MHz<br />
|-<br />
| Hamsi-512 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 6229 slices || align="right"| 79 Mbit/s || align="right"| 16.51 MHz<br />
|-<br />
| JH-256 || [http://www.springerlink.com/content/q41257x376615p22/ Gaj et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1275 slices || align="right"| 4013.5 Mbit/s || align="right"| 282.2 MHz<br />
|-<br />
| JH-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/MATSUO_SHA-3_Criteria_Hardware_revised.pdf Matsuo et al.] [[#Ref033|[33]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS website] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 2661 slices || align="right"| 2639 Mbit/s || align="right"| 201 MHz<br />
|-<br />
| JH || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1291 slices || align="right"| 1941 Mbit/s || align="right"| 250.13 MHz<br />
|-<br />
| Keccak || [http://keccak.noekeon.org/Keccak-main-1.2.pdf Updated spec. (v1.2)] [[#Ref008|[8]]] / [http://keccak.noekeon.org/ Submission webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Core (round function, state register) & IO buffer || Altera Cyclone III || align="right"| 5776 LEs || align="right"| 7500 Mbit/s || align="right"| 133 MHz<br />
|-<br />
| Keccak || [http://keccak.noekeon.org/Keccak-main-1.2.pdf Updated spec. (v1.2)] [[#Ref008|[8]]] / [http://keccak.noekeon.org/ Submission webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Core (round function, state register) & IO buffer || Altera Stratix III || align="right"| 4713 ALUTs || align="right"| 12400 Mbit/s || align="right"| 218 MHz<br />
|-<br />
| Keccak || [http://www.strombergson.com/files/Keccak_in_FPGAs.pdf J. Str&ouml;mbergson] [[#Ref009|[9]]] / [http://keccak.noekeon.org/ Submission webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Core (round function, state register) only || Xilinx Spartan 3A || align="right"| 3393 slices || align="right"| 4800 Mbit/s || align="right"| 85 MHz<br />
|-<br />
| Keccak || [http://keccak.noekeon.org/Keccak-main-1.2.pdf Updated spec. (v1.2)] [[#Ref008|[8]]] / [http://keccak.noekeon.org/ Submission webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Core (round function, state register) & IO buffer || Xilinx Virtex 5 || align="right"| 1412 slices || align="right"| 6900 Mbit/s || align="right"| 122 MHz<br />
|-<br />
| Keccak(-224) || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1117 slices || align="right"| 5915 Mbit/s || align="right"| 189 MHz<br />
|-<br />
| Keccak(-256) || [http://www.springerlink.com/content/q41257x376615p22/ Gaj et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1229 slices || align="right"| 10806.5 Mbit/s || align="right"| 238.4 MHz<br />
|-<br />
| Keccak(-256) || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1117 slices || align="right"| 6263 Mbit/s || align="right"| 189 MHz<br />
|-<br />
| Keccak(-256) || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/MATSUO_SHA-3_Criteria_Hardware_revised.pdf Matsuo et al.] [[#Ref033|[33]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS website] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1433 slices || align="right"| 8397 Mbit/s || align="right"| 205 MHz<br />
|-<br />
| Keccak(-384) || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1117 slices || align="right"| 8190 Mbit/s || align="right"| 189 MHz<br />
|-<br />
| Keccak(-512) || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1117 slices || align="right"| 8518 Mbit/s || align="right"| 189 MHz<br />
|-<br />
| Keccak || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SAVAS_SHA3_NIST_final.pdf Akin et al.] [[#Ref034|[34]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || One Keccak-f round per cycle || Xilinx Spartan 3 || align="right"| 2024 slices || align="right"| 3460 Mbit/s || align="right"| 81.4 MHz<br />
|-<br />
| Keccak || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SAVAS_SHA3_NIST_final.pdf Akin et al.] [[#Ref034|[34]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || One Keccak-f round per cycle || Xilinx Virtex-II || align="right"| 2024 slices || align="right"| 5810 Mbit/s || align="right"| 136.6 MHz<br />
|-<br />
| Keccak || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SAVAS_SHA3_NIST_final.pdf Akin et al.] [[#Ref034|[34]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || One Keccak-f round per cycle || Xilinx Virtex 4 || align="right"| 2024 slices || align="right"| 6070 Mbit/s || align="right"| 142.9 MHz<br />
|-<br />
| Luffa-256 || [http://www.vlsi.uwaterloo.ca/~ahasan/hasan_report.html Namin and Hasan] [[#Ref002|[2]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function (1 cycle latency) and I/O registers || Altera Stratix III || align="right"| 16552 ALUTs || align="right"| 12042.2 Mbit/s || align="right"| 47.04 MHz<br />
|-<br />
| Luffa-256 || [http://eprint.iacr.org/2010/010.pdf Kobayashi et al.] [[#Ref003|[3]]] / [http://www.rcis.aist.go.jp/special/SASEBO/SHA3-en.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1048 slices || align="right"| 6343 Mbit/s || align="right"| 223 MHz<br />
|-<br />
| Luffa-256 || [http://ehash.iaik.tugraz.at/uploads/1/12/Ramakers_Narinx2010ECHO-Hamsi-Luffa_ExtendedAbstract_ENGLISH.pdf Ramakers and Narinx] [[#Ref025|[25]]] / [http://ehash.iaik.tugraz.at/uploads/2/27/Ramakers_Narinx2010ECHO-Hamsi-Luffa_VHDL_sources.zip Hosted by SHA-3 zoo] || [[#Implementation_of_Core_Functionality|Core functionality]] || One step block reused for 8 rounds || Xilinx Virtex 5 || align="right"| 9611 slices || align="right"| 2303 Mbit/s || align="right"| 179 MHz<br />
|-<br />
| Luffa-256 || [http://ehash.iaik.tugraz.at/uploads/1/12/Ramakers_Narinx2010ECHO-Hamsi-Luffa_ExtendedAbstract_ENGLISH.pdf Ramakers and Narinx] [[#Ref025|[25]]] / [http://ehash.iaik.tugraz.at/uploads/2/27/Ramakers_Narinx2010ECHO-Hamsi-Luffa_VHDL_sources.zip Hosted by SHA-3 zoo] || [[#Implementation_of_Core_Functionality|Core functionality]] || Straight-forward instantiation of complete compression function || Xilinx Virtex 5 || align="right"| 9611 slices || align="right"| 12290 Mbit/s || align="right"| 48.2 MHz<br />
|-<br />
| Luffa-256 || [http://www.springerlink.com/content/q41257x376615p22/ Gaj et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1154 slices || align="right"| 8008 Mbit/s || align="right"| 281.5 MHz<br />
|-<br />
| Luffa-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 2221 slices || align="right"| 5333 Mbit/s || align="right"| 166.67 MHz<br />
|-<br />
| Luffa-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/MATSUO_SHA-3_Criteria_Hardware_revised.pdf Matsuo et al.] [[#Ref033|[33]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS website] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1048 slices || align="right"| 7424 Mbit/s || align="right"| 261 MHz<br />
|-<br />
| Luffa-384 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 3740 slices || align="right"| 5336 Mbit/s || align="right"| 166.75 MHz<br />
|-<br />
| Luffa-512 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 3700 slices || align="right"| 5336 Mbit/s || align="right"| 166.75 MHz<br />
|-<br />
| Luffa || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SAVAS_SHA3_NIST_final.pdf Akin et al.] [[#Ref034|[34]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || Three step modules || Xilinx Spartan 3 || align="right"| 2956 slices || align="right"| 1480 Mbit/s || align="right"| 157.3 MHz<br />
|-<br />
| Luffa || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SAVAS_SHA3_NIST_final.pdf Akin et al.] [[#Ref034|[34]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || Three step modules || Xilinx Virtex-II || align="right"|2952 slices || align="right"| 8370 Mbit/s || align="right"| 301.4 MHz<br />
|-<br />
| Luffa || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SAVAS_SHA3_NIST_final.pdf Akin et al.] [[#Ref034|[34]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || Three step modules || Xilinx Virtex 4 || align="right"| 2989 slices || align="right"| 8560 Mbit/s || align="right"| 308.2 MHz<br />
|-<br />
| Shabal || [http://www.shabal.com/wp-content/plugins/download-monitor/download.php?id=FPGA-Implementation-of-Shabal-First-ResultsV2.0.pdf Feron and Francq] [[#Ref010|[10]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 36 adders in permutation || Xilinx Virtex 5 || align="right"| 1171 slices || align="right"| 2588 Mbit/s || align="right"| 126 MHz<br />
|-<br />
| Shabal || [http://eprint.iacr.org/2010/406.pdf Francq and Thuillet] [[#Ref026|[26]]] / [http://www.shabal.com/?p=170 Shabal webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 4 iterations of the permutation unrolled || Xilinx Virtex 5 || align="right"| 1715 slices || align="right"| 3242 Mbit/s || align="right"| 76 MHz<br />
|-<br />
| Shabal || [http://eprint.iacr.org/2009/342.pdf Baldwin et al.] [[#Ref004|[4]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || 36 adders in permutation || Xilinx Spartan 3 || align="right"| 2223 slices || align="right"| 740 Mbit/s || align="right"| 71.48 MHz<br />
|-<br />
| Shabal || [http://eprint.iacr.org/2009/342.pdf Baldwin et al.] [[#Ref004|[4]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || 36 adders in permutation || Xilinx Virtex 5 || align="right"| 2768 slices || align="right"| 1450 Mbit/s || align="right"| 138.87 MHz<br />
|-<br />
| Shabal || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1583 slices || align="right"| 1469 Mbit/s || align="right"| 148.04 MHz<br />
|-<br />
| Shabal-256 || [http://www.vlsi.uwaterloo.ca/~ahasan/hasan_report.html Namin and Hasan] [[#Ref002|[2]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with I/O registers (latency of 16 clock cycles) || Altera Stratix III || align="right"| 1440 ALUTs || align="right"| 3125.6 Mbit/s || align="right"| 195.35 MHz<br />
|-<br />
| Shabal-256 || [http://eprint.iacr.org/2010/010.pdf Kobayashi et al.] [[#Ref003|[3]]] / [http://www.rcis.aist.go.jp/special/SASEBO/SHA3-en.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1251 slices || align="right"| 1739 Mbit/s || align="right"| 214 MHz<br />
|-<br />
| Shabal-256 || [http://www.springerlink.com/content/q41257x376615p22/ Gaj et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1266 slices || align="right"| 2624 Mbit/s || align="right"| 128.1 MHz<br />
|-<br />
| Shabal-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/MATSUO_SHA-3_Criteria_Hardware_revised.pdf Matsuo et al.] [[#Ref033|[33]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS website] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1251 slices || align="right"| 2335 Mbit/s || align="right"| 228 MHz<br />
|-<br />
| Shabal-512 || [http://eprint.iacr.org/2010/292.pdf Detrey et al.] [[#Ref023|[23]]] / [http://hwshabal.gforge.inria.fr/ INRIA webpage (see SCM tree)] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Exploiting SRL16 primitive || Xilinx Virtex 5 || align="right"| 153 slices || align="right"| 2051 Mbit/s || align="right"| 256 MHz<br />
|-<br />
| Shabal-512 || [http://eprint.iacr.org/2010/292.pdf Detrey et al.] [[#Ref023|[23]]] / [http://hwshabal.gforge.inria.fr/ INRIA webpage (see SCM tree)] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Exploiting SRL16 primitive || Xilinx Spartan 3 || align="right"| 499 slices || align="right"| 800 Mbit/s || align="right"| 100 MHz<br />
|-<br />
| SHAvite-3<sub>256</sub> || [http://www.springerlink.com/content/q41257x376615p22/ Gaj et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1130 slices || align="right"| 2885.9 Mbit/s || align="right"| 208.6 MHz<br />
|-<br />
| SHAvite-3<sub>256</sub> || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 3125 slices || align="right"| 1170 Mbit/s || align="right"| 109.17 MHz<br />
|-<br />
| SHAvite-3<sub>256</sub> || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/MATSUO_SHA-3_Criteria_Hardware_revised.pdf Matsuo et al.] [[#Ref033|[33]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS website] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1063 slices || align="right"| 3382 Mbit/s || align="right"| 251 MHz<br />
|-<br />
| SHAvite-3<sub>512</sub> || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 9775 slices || align="right"| 931 Mbit/s || align="right"| 59.4 MHz<br />
|-<br />
| SIMD-256 || [http://www.springerlink.com/content/q41257x376615p22/ Gaj et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 9288 slices || align="right"| 2325.9 Mbit/s || align="right"| 40.9 MHz<br />
|-<br />
| SIMD-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 22704 slices || align="right"| 1338 Mbit/s || align="right"| 107.2 MHz<br />
|-<br />
| SIMD-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/MATSUO_SHA-3_Criteria_Hardware_revised.pdf Matsuo et al.] [[#Ref033|[33]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS website] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 3987 slices || align="right"| 835 Mbit/s || align="right"| 75 MHz<br />
|-<br />
| SIMD-512 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 43729 slices || align="right"| 2677 Mbit/s || align="right"| 107.2 MHz<br />
|-<br />
| Skein-256-h || [http://www.skein-hash.info/sites/default/files/skein_fpga.pdf Men Long] [[#Ref011|[11]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || UBI component || Xilinx Virtex 5 || align="right"| 1001 slices || align="right"| 408.7 Mbit/s || align="right"| 114.9 MHz<br />
|-<br />
| Skein-256-256 || [http://eprint.iacr.org/2009/159.pdf Stefan Tillich] [[#Ref012|[12]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 8 Threefish rounds unrolled || Xilinx Virtex 5 || align="right"| 937 slices || align="right"| 1751 Mbit/s || align="right"| 68.4 MHz<br />
|-<br />
| Skein-256-256 || [http://eprint.iacr.org/2009/159.pdf Stefan Tillich] [[#Ref012|[12]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 8 Threefish rounds unrolled || Xilinx Spartan 3 || align="right"| 2421 slices || align="right"| 669 Mbit/s || align="right"| 26.14 MHz<br />
|-<br />
| Skein-256-256 || [http://eprint.iacr.org/2010/010.pdf Kobayashi et al.] [[#Ref003|[3]]] / [http://www.rcis.aist.go.jp/special/SASEBO/SHA3-en.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 854 slices || align="right"| 1482 Mbit/s || align="right"| 115 MHz<br />
|-<br />
| Skein-256-256 || [http://www.springerlink.com/content/q41257x376615p22/ Gaj et al.] [[#Ref030|[30]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1312 slices || align="right"| 1416.1 Mbit/s || align="right"| 49.8 MHz<br />
|-<br />
| Skein-256-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/MATSUO_SHA-3_Criteria_Hardware_revised.pdf Matsuo et al.] [[#Ref033|[33]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS website] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 854 slices || align="right"| 1402 Mbit/s || align="right"| 115 MHz<br />
|-<br />
| Skein-512-h || [http://www.skein-hash.info/sites/default/files/skein_fpga.pdf Men Long] [[#Ref011|[11]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || UBI component || Xilinx Virtex 5 || align="right"| 1877 slices || align="right"| 817.4 Mbit/s || align="right"| 114.9 MHz<br />
|-<br />
| Skein-512-512 || [http://eprint.iacr.org/2009/159.pdf Stefan Tillich] [[#Ref012|[12]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 8 Threefish rounds unrolled || Xilinx Virtex 5 || align="right"| 1632 slices || align="right"| 3535 Mbit/s || align="right"| 69.04 MHz<br />
|-<br />
| Skein-512-512 || [http://eprint.iacr.org/2009/159.pdf Stefan Tillich] [[#Ref012|[12]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 8 Threefish rounds unrolled || Xilinx Spartan 3 || align="right"| 4273 slices || align="right"| 1365 Mbit/s || align="right"| 26.66 MHz<br />
|-<br />
| Skein-512 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] / [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || Xilinx Virtex 5 || align="right"| 1786 slices || align="right"| 1945 Mbit/s || align="right"| 83.65 MHz<br />
<br />
|}<br />
<br />
(*) Estimated peak throughput ignoring I/O bottleneck resulting from specific interface: (1536 bits/block) * (70.6 * 10^6 cycles/s) / (273 cycles/block) = 397.22 * 10^6 bits/s.<br />
<br /><br />
(**) Estimated peak throughput ignoring I/O bottleneck resulting from specific interface: (1024 bits/block) * (70.6 * 10^6 cycles/s) / (341 cycles/block) = 212.01 * 10^6 bits/s.<br />
<br /><br />
(***) CubeHash16/32-h implemented in a similar fashion can be expected to have throughput increased by a factor of about 16.<br />
<br />
<br /><br />
<br /><br />
<br />
=== Low-Area Implementations (FPGA) ===<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="120"| Hash Function Name !! width="150"| Reference / HDL !! width="100"| Impl. Scope !! width="200"| Implementation Details !! width="100"| Technology !! width="80"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| BLAKE-32 || [http://eprint.iacr.org/2010/173.pdf Beuchat et al.] [[#Ref013|[13]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Rescheduled G function || Xilinx Spartan-3 || align="right"| 124 slices || align="right"| 115 Mbit/s || align="right"| 190.0 MHz<br />
|-<br />
| BLAKE-32 || [http://eprint.iacr.org/2010/173.pdf Beuchat et al.] [[#Ref013|[13]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Rescheduled G function || Xilinx Virtex-4 || align="right"| 124 slices || align="right"| 216 Mbit/s || align="right"| 357.0 MHz<br />
|-<br />
| BLAKE-32 || [http://eprint.iacr.org/2010/173.pdf Beuchat et al.] [[#Ref013|[13]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Rescheduled G function || Xilinx Virtex-5 || align="right"| 56 slices || align="right"| 225 Mbit/s || align="right"| 372.0 MHz<br />
|-<br />
| BLAKE-32 || [http://eprint.iacr.org/2010/173.pdf Beuchat et al.] [[#Ref013|[13]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Rescheduled G function || Altera Cyclone III || align="right"| 285 LEs || align="right"| 116 Mbit/s || align="right"| 192.0 MHz<br />
|-<br />
| BLAKE-32 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with 1 G function unit || Xilinx Virtex-II Pro || align="right"| 958 slices || align="right"| 371 Mbit/s || align="right"| 59.0 MHz<br />
|-<br />
| BLAKE-32 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with 1 G function unit || Xilinx Virtex 4 || align="right"| 960 slices || align="right"| 430 Mbit/s || align="right"| 68.0 MHz<br />
|-<br />
| BLAKE-32 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with 1 G function unit || Xilinx Virtex 5 || align="right"| 390 slices || align="right"| 575 Mbit/s || align="right"| 91.0 MHz<br />
|-<br />
| BLAKE-64 || [http://eprint.iacr.org/2010/173.pdf Beuchat et al.] [[#Ref013|[13]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Rescheduled G function || Xilinx Spartan-3 || align="right"| 229 slices || align="right"| 138 Mbit/s || align="right"| 158.0 MHz<br />
|-<br />
| BLAKE-64 || [http://eprint.iacr.org/2010/173.pdf Beuchat et al.] [[#Ref013|[13]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Rescheduled G function || Xilinx Virtex-4 || align="right"| 230 slices || align="right"| 219 Mbit/s || align="right"| 250.0 MHz<br />
|-<br />
| BLAKE-64 || [http://eprint.iacr.org/2010/173.pdf Beuchat et al.] [[#Ref013|[13]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Rescheduled G function || Xilinx Virtex-5 || align="right"| 108 slices || align="right"| 314 Mbit/s || align="right"| 358.0 MHz<br />
|-<br />
| BLAKE-64 || [http://eprint.iacr.org/2010/173.pdf Beuchat et al.] [[#Ref013|[13]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Rescheduled G function || Altera Cyclone III || align="right"| 542 LEs || align="right"| 123 Mbit/s || align="right"| 140.0 MHz<br />
|-<br />
| BLAKE-64 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with 1 G function unit || Xilinx Virtex-II Pro || align="right"| 1802 slices || align="right"| 326 Mbit/s || align="right"| 36.0 MHz<br />
|-<br />
| BLAKE-64 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with 1 G function unit || Xilinx Virtex 4 || align="right"| 1856 slices || align="right"| 381 Mbit/s || align="right"| 42.0 MHz<br />
|-<br />
| BLAKE-64 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with 1 G function unit || Xilinx Virtex 5 || align="right"| 939 slices || align="right"| 533 Mbit/s || align="right"| 59.0 MHz<br />
|-<br />
| Blue Midnight Wish-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/El-Hadedy_SmallSizeFPGA-BMW256.pdf El Hadedy et al.] [[#Ref032|[32]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 32-bit datapath, 1 memory block || Xilinx Virtex || align="right"| 895 slices || align="right"| 9 Mbit/s || align="right"| 38 MHz<br />
|-<br />
| Blue Midnight Wish-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/El-Hadedy_SmallSizeFPGA-BMW256.pdf El Hadedy et al.] [[#Ref032|[32]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 32-bit datapath, 2 memory blocks || Xilinx Virtex 5 || align="right"| 84 slices || align="right"| 28 Mbit/s || align="right"| 116 MHz<br />
|-<br />
| ECHO || [http://eprint.iacr.org/2010/364.pdf Beuchat et al.] [[#Ref024|[24]]] / On request from author || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Adapted towards FPGA implementation (127 slices and 1 memory block) || Xilinx Virtex 5 || align="right"| 127 slices || align="right"| 72 Mbit/s || align="right"| 352.0 MHz<br />
|-<br />
| ECHO || Announced 19-08-2010 on hash-forum@nist.gov / On request from author || [[#Fully_Autonomous_Implementation|Fully autonomous]] || All ECHO + all AES variants || Xilinx Virtex 5 || align="right"| 231 slices || align="right"| 81.7 Mbit/s (ECHO-224/256), 41.9 Mbit/s (ECHO-384/512) || align="right"| 351.0 MHz<br />
|-<br />
| Grøstl-224/256 || [http://eprint.iacr.org/2009/206.pdf Jungk et al.] [[#Ref006|[6]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 64-bit datapath, P & Q permutation in parallel || Xilinx Spartan 3 || align="right"| 2486 slices || align="right"| 404 Mbit/s || align="right"| 63.2 MHz<br />
|-<br />
| Grøstl-224/256 || [http://eprint.iacr.org/2009/206.pdf Jungk et al.] [[#Ref006|[6]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 64-bit datapath, P & Q permutation in parallel || Xilinx Virtex 2 Pro || align="right"| 2754 slices || align="right"| 512 Mbit/s || align="right"| 81.5 MHz<br />
|-<br />
| Grøstl-224/256 || [http://eprint.iacr.org/2010/260.pdf Jungk and Reith] [[#Ref022|[22]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Shared P & Q permutation, S-Box based on composite field arithmetic || Xilinx Spartan 3 || align="right"| 1276 slices || align="right"| 192 Mbit/s || align="right"| 60 MHz<br />
|-<br />
| Grøstl-384/512 || [http://eprint.iacr.org/2010/260.pdf Jungk and Reith] [[#Ref022|[22]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Shared P & Q permutation, S-Box based on composite field arithmetic || Xilinx Spartan 3 || align="right"| 2110 slices || align="right"| 144 Mbit/s || align="right"| 63 MHz<br />
|-<br />
| Keccak || [http://keccak.noekeon.org/Keccak-main-1.2.pdf Updated spec. (v1.2)] [[#Ref008|[8]]] / [http://keccak.noekeon.org/ Submission webpage] || [[#Implementation_with_External_Memory|Using external memory]] || Small core using system memory || Altera Stratix III || align="right"| 855 ALUTs || align="right"| 96.8 Mbit/s || align="right"| 366 MHz<br />
|-<br />
| Keccak || [http://keccak.noekeon.org/Keccak-main-1.2.pdf Updated spec. (v1.2)] [[#Ref008|[8]]] / [http://keccak.noekeon.org/ Submission webpage] || [[#Implementation_with_External_Memory|Using external memory]] || Small core using system memory || Altera Cyclone III || align="right"| 1559 LEs || align="right"| 47.8 Mbit/s || align="right"| 181 MHz<br />
|-<br />
| Keccak || [http://keccak.noekeon.org/Keccak-main-1.2.pdf Updated spec. (v1.2)] [[#Ref008|[8]]] / [http://keccak.noekeon.org/ Submission webpage] || [[#Implementation_with_External_Memory|Using external memory]] || Small core using system memory || Xilinx Virtex 5 || align="right"| 444 slices || align="right"| 70.1 Mbit/s || align="right"| 265 MHz<br />
|-<br />
| Shabal || [http://ehash.iaik.tugraz.at/uploads/d/d4/FPGA_Implementation_of_Shabal_-_First_Results.pdf Feron and Francq] [[#Ref010|[10]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 36 adders in permutation || Xilinx Virtex 5 || align="right"| 596 slices (+ 40 DSP blocks) || align="right"| 1142 Mbit/s || align="right"| 109 MHz<br />
|-<br />
| Shabal || [http://eprint.iacr.org/2009/342.pdf Baldwin et al.] [[#Ref004|[4]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || 1 adder in permutation || Xilinx Spartan 3 || align="right"| 1933 slices || align="right"| 540 Mbit/s || align="right"| 89.71 MHz<br />
|-<br />
| Shabal || [http://eprint.iacr.org/2009/342.pdf Baldwin et al.] [[#Ref004|[4]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || 1 adder in permutation || Xilinx Virtex 5 || align="right"| 2307 slices || align="right"| 1330 Mbit/s || align="right"| 222.22 MHz<br />
|-<br />
| Shabal-512 || [http://eprint.iacr.org/2010/292.pdf Detrey et al.] [[#Ref023|[23]]] / [http://hwshabal.gforge.inria.fr/ INRIA webpage (see SCM tree)] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Exploiting SRL16 primitive || Xilinx Virtex 5 || align="right"| 153 slices || align="right"| 2051 Mbit/s || align="right"| 256 MHz<br />
|-<br />
| Shabal-512 || [http://eprint.iacr.org/2010/292.pdf Detrey et al.] [[#Ref023|[23]]] / [http://hwshabal.gforge.inria.fr/ INRIA webpage (see SCM tree)] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Exploiting SRL16 primitive || Xilinx Spartan 3 || align="right"| 499 slices || align="right"| 800 Mbit/s || align="right"| 100 MHz<br />
|-<br />
| Skein-256-256 || [http://www.vlsi.uwaterloo.ca/~ahasan/hasan_report.html Namin and Hasan] [[#Ref002|[2]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || One round of Threefish iterated || Altera Stratix III || align="right"| 1385 ALUTs || align="right"| 573.9 Mbit/s || align="right"| 161.42 MHz<br />
|}<br />
<br />
<br><br><br />
<br />
=== High-Speed Implementations (ASIC) ===<br />
<br />
A comparison of implementations of all 14 round 2 candidates has been presented informally at [http://www.iaik.tugraz.at/ IAIK] (Graz University of Technology) on Sept. 16, 2009. The updated presentation slides can be found [http://ehash.iaik.tugraz.at/uploads/f/fc/20091112_SHA-3_HW_stillich.pdf here].<br />
<br />
<br /><br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="120"| Hash Function Name !! width="150"| Reference / HDL !! width="100"| Impl. Scope !! width="200"| Implementation Details !! width="100"| Technology !! width="80"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| BLAKE-32 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with 8 G function units || UMC 0.18 µm || align="right"| 58.30 kGates || align="right"| 5295 Mbit/s || align="right"| 114 MHz<br />
|-<br />
| BLAKE-32 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with 4 G function units || UMC 0.18 µm || align="right"| 41.31 kGates || align="right"| 4153 Mbit/s || align="right"| 170 MHz<br />
|-<br />
| BLAKE-32 || [http://www.vlsi.uwaterloo.ca/~ahasan/hasan_report.html Namin and Hasan] [[#Ref002|[2]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with 8 G function units and I/O registers || STM 90 nm || align="right"| 53 kGates || align="right"| 4475 Mbit/s(*) || align="right"| 96.15 MHz<br />
|-<br />
| BLAKE-32 || [http://eprint.iacr.org/2009/510.pdf Tillich et al.] [[#Ref014|[14]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Compression function with 4 G function units with CSAs || UMC 0.18 µm || align="right"| 45.64 kGates || align="right"| 3971 Mbit/s || align="right"| 170.64 MHz<br />
|-<br />
| BLAKE-32 || [http://www.springerlink.com/content/g0115v3272156r06/ Henzen et al.] [[#Ref029|[29]]] / [http://www.iis.ee.ethz.ch/~sha3/ ETH webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Four parallel G functions modules || UMC 90 nm || align="right"| 47.5 kGates || align="right"| 9752 Mbit/s || align="right"| 400 MHz<br />
|-<br />
| BLAKE-32 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SCHAUMONT_SHA3.pdf Guo et al.] [[#Ref035|[35]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || UMC 0.13 µm || align="right"| 43.52 kGates || align="right"| 4645 Mbit/s || align="right"| 200 MHz<br />
|-<br />
| BLAKE-32 || [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] [[#Ref037|[37]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || STM 90 nm || align="right"| 37 kGates || align="right"| 6668 Mbit/s || align="right"| 286.5 MHz<br />
|-<br />
| BLAKE-64 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with 8 G function units || UMC 0.18 µm || align="right"| 132.47 kGates || align="right"| 5910 Mbit/s || align="right"| 87 MHz<br />
|-<br />
| BLAKE-64 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with 4 G function units || UMC 0.18 µm || align="right"| 82.73 kGates || align="right"| 4810 Mbit/s || align="right"| 136 MHz<br />
|-<br />
| Blue Midnight Wish-256 || [http://www.vlsi.uwaterloo.ca/~ahasan/hasan_report.html Namin and Hasan] [[#Ref002|[2]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with f0, f1, and f2 unrolled in sequence and I/O registers || STM 90 nm || align="right"| 164 kGates || align="right"| 26665 Mbit/s(*) || align="right"| 52.08 MHz<br />
|-<br />
| Blue Midnight Wish-256 || [http://eprint.iacr.org/2009/510.pdf Tillich et al.] [[#Ref014|[14]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Compression function with f0, f1, and f2 unrolled || UMC 0.18 µm || align="right"| 169.74 kGates || align="right"| 5358 Mbit/s || align="right"| 10.46 MHz<br />
|-<br />
| Blue Midnight Wish-256 || [http://www.springerlink.com/content/g0115v3272156r06/ Henzen et al.] [[#Ref029|[29]]] / [http://www.iis.ee.ethz.ch/~sha3/ ETH webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || single-cycle f0 and f2, f1 iteratively || UMC 90 nm || align="right"| 150 kGates || align="right"| 8486 Mbit/s || align="right"| 298 MHz<br />
|-<br />
| Blue Midnight Wish-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SCHAUMONT_SHA3.pdf Guo et al.] [[#Ref035|[35]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || UMC 0.13 µm || align="right"| 198.17 kGates || align="right"| 12220 Mbit/s || align="right"| 48 MHz<br />
|-<br />
| Blue Midnight Wish || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SAVAS_SHA3_NIST_final.pdf Akin et al.] [[#Ref034|[34]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with f0, f1, and f2 unrolled in sequence || Synopsys 90 nm || align="right"| 55.9 kGates || align="right"| 26320 Mbit/s || align="right"| 52.63 MHz<br />
|-<br />
| Blue Midnight Wish-256 || [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] [[#Ref037|[37]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || STM 90 nm || align="right"| 128.7 kGates || align="right"| 25937 Mbit/s || align="right"| 101.3 MHz<br />
|-<br />
| CubeHash16/32-h || [http://eprint.iacr.org/2009/510.pdf Tillich et al.] [[#Ref014|[14]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Dynamically reconfigurable r and b parameters, two rounds unrolled || UMC 0.18 µm || align="right"| 58.87 kGates || align="right"| 4665 Mbit/s || align="right"| 145.77 MHz<br />
|-<br />
| CubeHash16/32-h || [http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=5236043 Bernet et al.] [[#Ref020|[20]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || One round per cycle || 0.13 µm || align="right"| 34.33 kGates || align="right"| 9248 Mbit/s(***) || align="right"| 578 MHz<br />
|-<br />
| CubeHash16/32-h || [http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=5236043 Bernet et al.] [[#Ref020|[20]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Half a round per cycle || 0.13 µm || align="right"| 21.54 kGates || align="right"| 8000 Mbit/s(***) || align="right"| 1000 MHz<br />
|-<br />
| CubeHash16/32-256 || [http://www.springerlink.com/content/g0115v3272156r06/ Henzen et al.] [[#Ref029|[29]]] / [http://www.iis.ee.ethz.ch/~sha3/ ETH webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || One round per cycle, IV fixed || UMC 90 nm || align="right"| 42.5 kGates || align="right"| 10667 Mbit/s || align="right"| 667 MHz<br />
|-<br />
| CubeHash16/32-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SCHAUMONT_SHA3.pdf Guo et al.] [[#Ref035|[35]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || UMC 0.13 µm || align="right"| 38.18 kGates || align="right"| 4624 Mbit/s || align="right"| 289 MHz<br />
|-<br />
| CubeHash16/32-256 || [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] [[#Ref037|[37]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || STM 90 nm || align="right"| 35.5 kGates || align="right"| 8247 Mbit/s || align="right"| 515.5 MHz<br />
|-<br />
| ECHO-224/256 || [http://www.ucc.ie/en/crypto/CodingandCryptographyWorkshop/TheClaudeShannonWorkshoponCodingCryptography2009/DocumentFile,75649,en.pdf Lu et al.] [[#Ref005|[5]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || 0.13 µm || align="right"| 521.1 kGates || align="right"| 14850 Mbit/s || align="right"| 87.1 MHz<br />
|-<br />
| ECHO-256 || [http://eprint.iacr.org/2009/510.pdf Tillich et al.] [[#Ref014|[14]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Four parallel AES rounds, 16 AES MixColumns 32-bit column multipliers || UMC 0.18 µm || align="right"| 141.49 kGates || align="right"| 2246 Mbit/s || align="right"| 141.84 MHz<br />
|-<br />
| ECHO-256 || [http://www.springerlink.com/content/g0115v3272156r06/ Henzen et al.] [[#Ref029|[29]]] / [http://www.iis.ee.ethz.ch/~sha3/ ETH webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 8 AES rounds per cycle || UMC 90 nm || align="right"| 260 kGates || align="right"| 13966 Mbit/s || align="right"| 291 MHz<br />
|-<br />
| ECHO-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SCHAUMONT_SHA3.pdf Guo et al.] [[#Ref035|[35]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || UMC 0.13 µm || align="right"| 92.73 kGates || align="right"| 3366 Mbit/s || align="right"| 217 MHz<br />
|-<br />
| ECHO-256 || [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] [[#Ref037|[37]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || STM 90 nm || align="right"| 101.1 kGates || align="right"| 5621 Mbit/s || align="right"| 362.3 MHz<br />
|-<br />
| ECHO-384/512 || [http://www.ucc.ie/en/crypto/CodingandCryptographyWorkshop/TheClaudeShannonWorkshoponCodingCryptography2009/DocumentFile,75649,en.pdf Lu et al.] [[#Ref005|[5]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || 0.13 µm|| align="right"| 516.8 kGates || align="right"| 7750 Mbit/s || align="right"| 83.3 MHz<br />
|-<br />
| Fugue-256 || [http://domino.research.ibm.com/comm/research_projects.nsf/pages/fugue.index.html/$FILE/NIST-submission-Oct08-fugue.pdf Submission doc.] [[#Ref015|[15]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Four columns of SMIX transformation in parallel (SUPER4_P) || IBM 90 nm || align="right"| 109.85 kGates || align="right"| 13913 Mbit/s || align="right"| 869.5 MHz<br />
|-<br />
| Fugue-256 || [http://eprint.iacr.org/2009/510.pdf Tillich et al.] [[#Ref014|[14]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Four columns of SMIX transformation in parallel || UMC 0.18 µm || align="right"| 46.26 kGates || align="right"| 4092 Mbit/s || align="right"| 255.75 MHz<br />
|-<br />
| Fugue-256 || [http://www.springerlink.com/content/g0115v3272156r06/ Henzen et al.] [[#Ref029|[29]]] / [http://www.iis.ee.ethz.ch/~sha3/ ETH webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || S-box as LUT || UMC 90 nm || align="right"| 55 kGates || align="right"| 8815 Mbit/s || align="right"| 551 MHz<br />
|-<br />
| Fugue-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SCHAUMONT_SHA3.pdf Guo et al.] [[#Ref035|[35]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || UMC 0.13 µm || align="right"| 91.09 kGates || align="right"| 2385 Mbit/s || align="right"| 149 MHz<br />
|-<br />
| Fugue-256 || [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] [[#Ref037|[37]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || STM 90 nm || align="right"| 56.7 kGates || align="right"| 2721 Mbit/s || align="right"| 170.1 MHz<br />
|-<br />
| Grøstl-256 || [http://eprint.iacr.org/2009/510.pdf Tillich et al.] [[#Ref014|[14]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || One shared permutation for P & Q, one pipeline stage || UMC 0.18 µm || align="right"| 58.40 kGates || align="right"| 6290 Mbit/s || align="right"| 270.27 MHz<br />
|-<br />
| Grøstl-256 || [http://www.springerlink.com/content/g0115v3272156r06/ Henzen et al.] [[#Ref029|[29]]] / [http://www.iis.ee.ethz.ch/~sha3/ ETH webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || P and Q permutation interleaved with one pipeline stage, S-box as LUT || UMC 90 nm || align="right"| 135 kGates || align="right"| 16254 Mbit/s || align="right"| 667 MHz<br />
|-<br />
| Grøstl-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SCHAUMONT_SHA3.pdf Guo et al.] [[#Ref035|[35]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || UMC 0.13 µm || align="right"| 110.11 kGates || align="right"| 9606 Mbit/s || align="right"| 188 MHz<br />
|-<br />
| Grøstl-256 || [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] [[#Ref037|[37]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || STM 90 nm || align="right"| 139.1 kGates || align="right"| 17297 Mbit/s || align="right"| 337.8 MHz<br />
<br />
|-<br />
| Grøstl-256 || [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/others.html RCIS webpage] [[#Ref039|[39]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/others.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || STM 90 nm || align="right"| 120.8 kGates || align="right"| 16275 Mbit/s || align="right"| 349.7 MHz<br />
<br />
|-<br />
| Grøstl-384/512 || [http://www.groestl.info/Groestl.pdf Submission doc.] [[#Ref007|[7]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || P & Q permutation in parallel || UMC 0.18 µm || align="right"| 341 kGates || align="right"| 6225 Mbit/s || align="right"| 85.1 MHz<br />
|-<br />
| Hamsi-256 || [http://homes.esat.kuleuven.be/~okucuk/hamsi/implementations.html Junfeng Fan (Hamsi website)] [[#Ref016|[16]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || 0.13 µm || align="right"| 22 kGates || align="right"| 4940 Mbit/s || align="right"| 1080 MHz<br />
|-<br />
| Hamsi-256 || [http://eprint.iacr.org/2009/510.pdf Tillich et al.] [[#Ref014|[14]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Three instances of P/Pf function unrolled || UMC 0.18 µm || align="right"| 58.66 kGates || align="right"| 5565 Mbit/s || align="right"| 173.91 MHz<br />
|-<br />
| Hamsi-256 || [http://www.springerlink.com/content/g0115v3272156r06/ Henzen et al.] [[#Ref029|[29]]] / [http://www.iis.ee.ethz.ch/~sha3/ ETH webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Message expansions in LUTs, one round per cycle || UMC 90 nm || align="right"| 45 kGates || align="right"| 8686 Mbit/s || align="right"| 814 MHz<br />
|-<br />
| Hamsi-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SCHAUMONT_SHA3.pdf Guo et al.] [[#Ref035|[35]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || UMC 0.13 µm || align="right"| 29.94 kGates || align="right"| 3571 Mbit/s || align="right"| 446 MHz<br />
|-<br />
| Hamsi-256 || [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] [[#Ref037|[37]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || STM 90 nm || align="right"| 67.6 kGates || align="right"| 7767 Mbit/s || align="right"| 970.9 MHz<br />
|-<br />
| Hamsi-512 || [http://homes.esat.kuleuven.be/~okucuk/hamsi/implementations.html Junfeng Fan (Hamsi website)] [[#Ref016|[16]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || 0.13 µm || align="right"| 50 kGates || align="right"| 3970 Mbit/s || align="right"| 820 MHz<br />
|-<br />
| JH-256 || [http://eprint.iacr.org/2009/510.pdf Tillich et al.] [[#Ref014|[14]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 320 S-boxes, one round of R<sub>8</sub> per cycle || UMC 0.18 µm || align="right"| 58.83 kGates || align="right"| 4991 Mbit/s || align="right"| 380.22 MHz<br />
|-<br />
| JH-256 || [http://www.springerlink.com/content/g0115v3272156r06/ Henzen et al.] [[#Ref029|[29]]] / [http://www.iis.ee.ethz.ch/~sha3/ ETH webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || S-boxes as LUTs, stored constants || UMC 90 nm || align="right"| 80 kGates || align="right"| 10807 Mbit/s || align="right"| 760 MHz<br />
|-<br />
| JH-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SCHAUMONT_SHA3.pdf Guo et al.] [[#Ref035|[35]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || UMC 0.13 µm || align="right"| 62.42 kGates || align="right"| 5128 Mbit/s || align="right"| 391 MHz<br />
|-<br />
| JH-256 || [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] [[#Ref037|[37]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || STM 90 nm || align="right"| 54.6 kGates || align="right"| 10022 Mbit/s || align="right"| 763.4 MHz<br />
|-<br />
| Keccak || [http://keccak.noekeon.org/Keccak-main-1.2.pdf Updated spec. (v1.2)] [[#Ref008|[8]]] / [http://keccak.noekeon.org/ Submission webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Core (round function, state register) & IO buffer || ST 0.13 µm || align="right"| 48 kGates || align="right"| 29900 Mbit/s || align="right"| 526 MHz<br />
|-<br />
| Keccak || [http://keccak.noekeon.org/Keccak-specifications.pdf Submission doc.] [[#Ref008|[8]]] / [http://keccak.noekeon.org/ Submission webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Core (round function, state register) only || ST 0.13 µm || align="right"| 40 kGates || align="right"| 15000 Mbit/s || align="right"| 500 MHz<br />
|-<br />
| Keccak(-256) || [http://eprint.iacr.org/2009/510.pdf Tillich et al.] [[#Ref014|[14]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || One instance of Keccak-f round || UMC 0.18 µm || align="right"| 56.32 kGates || align="right"| 21229 Mbit/s || align="right"| 487.80 MHz<br />
|-<br />
| Keccak(-256) || [http://www.springerlink.com/content/g0115v3272156r06/ Henzen et al.] [[#Ref029|[29]]] / [http://www.iis.ee.ethz.ch/~sha3/ ETH webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || One round per cycle || UMC 90 nm || align="right"| 50 kGates || align="right"| 43011 Mbit/s || align="right"| 949 MHz<br />
|-<br />
| Keccak(-256) || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SCHAUMONT_SHA3.pdf Guo et al.] [[#Ref035|[35]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || UMC 0.13 µm || align="right"| 47.43 kGates || align="right"| 15457 Mbit/s || align="right"| 377 MHz<br />
|-<br />
| Keccak || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SAVAS_SHA3_NIST_final.pdf Akin et al.] [[#Ref034|[34]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || One Keccak-f round per cycle || Synopsys 90 nm || align="right"| 10.5 kGates || align="right"| 19320 Mbit/s || align="right"| 454.5 MHz<br />
|-<br />
| Keccak(-256) || [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] [[#Ref037|[37]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || STM 90 nm || align="right"| 50.7 kGates || align="right"| 33333 Mbit/s || align="right"| 781.3 MHz<br />
<br />
|-<br />
| Keccak(-256) || [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/others.html RCIS webpage] [[#Ref039|[39]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/others.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || STM 90 nm || align="right"| 55.9 kGates || align="right"| 43986 Mbit/s || align="right"| 1030.9 MHz<br />
<br />
|-<br />
| Luffa-224/256 || [http://www.cosic.esat.kuleuven.be/publications/article-1282.pdf Knežević and Verbauwhede] [[#Ref017|[17]]] / [http://homes.esat.kuleuven.be/~mknezevi/luffa/luffa_hw_code.tar.gz Author's webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Three permutation blocks in parallel (64 S-boxes, 4 MixWord blocks each) || UMC 0.13 µm || align="right"| 30.83 kGates || align="right"| 31960 Mbit/s || align="right"| 1124 MHz<br />
|-<br />
| Luffa-256 || [http://www.vlsi.uwaterloo.ca/~ahasan/hasan_report.html Namin and Hasan] [[#Ref002|[2]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function (1 cycle latency) and I/O registers || STM 90 nm || align="right"| 122 kGates || align="right"| 25702 Mbit/s(*) || align="right"| 100.4 MHz<br />
|-<br />
| Luffa-224/256 || [http://eprint.iacr.org/2009/510.pdf Tillich et al.] [[#Ref014|[14]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Three permutation blocks in parallel (64 S-boxes, 4 MixWord blocks each) || UMC 0.18 µm || align="right"| 44.97 kGates || align="right"| 13741 Mbit/s || align="right"| 483.09 MHz<br />
|-<br />
| Luffa-256 || [http://www.springerlink.com/content/g0115v3272156r06/ Henzen et al.] [[#Ref029|[29]]] / [http://www.iis.ee.ethz.ch/~sha3/ ETH webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Three parallel step modules, SubCrumb as logic || UMC 90 nm || align="right"| 55 kGates || align="right"| 23256 Mbit/s || align="right"| 727 MHz<br />
|-<br />
| Luffa-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SCHAUMONT_SHA3.pdf Guo et al.] [[#Ref035|[35]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || UMC 0.13 µm || align="right"| 37.94 kGates || align="right"| 13943 Mbit/s || align="right"| 490 MHz<br />
|-<br />
| Luffa-256 || [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] [[#Ref037|[37]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || STM 90 nm || align="right"| 39.6 kGates || align="right"| 28732 Mbit/s || align="right"| 1010.1 MHz<br />
<br />
|-<br />
| Luffa-256 || [http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=5513102&tag=1 Satoh et al.] [[#Ref038|[38]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/others.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Three permutation blocks in parallel (64 S-boxes, 4 MixWord blocks each), two rounds unrolled || STM 90 nm || align="right"| 62.8 kGates || align="right"| 35068.5 Mbit/s || align="right"| 684.9 MHz<br />
<br />
|-<br />
| Luffa-384 || [http://www.cosic.esat.kuleuven.be/publications/article-1282.pdf Knežević and Verbauwhede] [[#Ref017|[17]]] / [http://homes.esat.kuleuven.be/~mknezevi/luffa/luffa_hw_code.tar.gz Author's webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Four permutation blocks in parallel (64 S-boxes, 4 MixWord blocks each) || UMC 0.13 µm || align="right"| 50.07 kGates || align="right"| 23126 Mbit/s || align="right"| 813 MHz<br />
|-<br />
| Luffa-512 || [http://www.cosic.esat.kuleuven.be/publications/article-1282.pdf Knežević and Verbauwhede] [[#Ref017|[17]]] / [http://homes.esat.kuleuven.be/~mknezevi/luffa/luffa_hw_code.tar.gz Author's webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Five permutation blocks in parallel (64 S-boxes, 4 MixWord blocks each) || UMC 0.13 µm || align="right"| 65.1 kGates || align="right"| 19617 Mbit/s || align="right"| 690 MHz<br />
|-<br />
| Luffa || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SAVAS_SHA3_NIST_final.pdf Akin et al.] [[#Ref034|[34]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || Three step modules || Synopsys 90 nm || align="right"| 11.5 kGates || align="right"| 21370 Mbit/s || align="right"| 769.2 MHz<br />
|-<br />
| Shabal-256 || [http://www.vlsi.uwaterloo.ca/~ahasan/hasan_report.html Namin and Hasan] [[#Ref002|[2]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with I/O registers (latency of 16 clock cycles) || STM 90 nm || align="right"| 20 kGates || align="right"| 4408 Mbit/s(*) || align="right"| 413.22 MHz<br />
|-<br />
| Shabal-256 || [http://eprint.iacr.org/2009/510.pdf Tillich et al.] [[#Ref014|[14]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || One word rotation per cycle, 50 cycles per block || UMC 0.18 µm || align="right"| 54.19 kGates || align="right"| 3282 Mbit/s || align="right"| 320.51 MHz<br />
|-<br />
| Shabal || [http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=5236043 Bernet et al.] [[#Ref020|[20]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || One word rotation per cycle, 52 cycles per block || 0.13 µm || align="right"| 41.32 kGates || align="right"| 6351 Mbit/s(***) || align="right"| 645 MHz<br />
|-<br />
| Shabal-256 || [http://www.springerlink.com/content/g0115v3272156r06/ Henzen et al.] [[#Ref029|[29]]] / [http://www.iis.ee.ethz.ch/~sha3/ ETH webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 30 adders, 16 subtractors || UMC 90 nm || align="right"| 45 kGates || align="right"| 6819 Mbit/s || align="right"| 693 MHz<br />
|-<br />
| Shabal-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SCHAUMONT_SHA3.pdf Guo et al.] [[#Ref035|[35]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || UMC 0.13 µm || align="right"| 49.44 kGates || align="right"| 2945 Mbit/s || align="right"| 362 MHz<br />
|-<br />
| Shabal-256 || [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] [[#Ref037|[37]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || STM 90 nm || align="right"| 34.6 kGates || align="right"| 6059 Mbit/s || align="right"| 591.7 MHz<br />
|-<br />
| SHAvite-3<sub>256</sub> || [http://eprint.iacr.org/2009/510.pdf Tillich et al.] [[#Ref014|[14]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Four AES rounds (two for compression, two for message expansion) || UMC 0.18 µm || align="right"| 57.39 kGates || align="right"| 3152 Mbit/s || align="right"| 227.79 MHz<br />
|-<br />
| SHAvite-3<sub>256</sub> || [http://www.springerlink.com/content/g0115v3272156r06/ Henzen et al.] [[#Ref029|[29]]] / [http://www.iis.ee.ethz.ch/~sha3/ ETH webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || One AES round each for message expansion and F<sup>3</sup> round || UMC 90 nm || align="right"| 75 kGates || align="right"| 7999 Mbit/s || align="right"| 562 MHz<br />
|-<br />
| SHAvite-3<sub>256</sub> || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SCHAUMONT_SHA3.pdf Guo et al.] [[#Ref035|[35]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || UMC 0.13 µm || align="right"| 55.25 kGates || align="right"| 4599 Mbit/s || align="right"| 341 MHz<br />
|-<br />
| SHAvite-3<sub>256</sub> || [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] [[#Ref037|[37]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || STM 90 nm || align="right"| 59.4 kGates || align="right"| 8421 Mbit/s || align="right"| 625 MHz<br />
|-<br />
| SIMD-256(**) || [http://eprint.iacr.org/2009/510.pdf Tillich et al.] [[#Ref014|[14]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Two FFT-64 with two FFT-8 and 16 multipliers (8x8 bit) each || UMC 0.18 µm || align="right"| 104.17 kGates || align="right"| 924 Mbit/s || align="right"| 64.93 MHz<br />
|-<br />
| SIMD-256 || [http://www.springerlink.com/content/g0115v3272156r06/ Henzen et al.] [[#Ref029|[29]]] / [http://www.iis.ee.ethz.ch/~sha3/ ETH webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Four parallel Feistel modules, message expansion based on NNT<sub>8</sub> and eight multipliers || UMC 90 nm || align="right"| 135 kGates || align="right"| 5177 Mbit/s || align="right"| 364 MHz<br />
|-<br />
| SIMD-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SCHAUMONT_SHA3.pdf Guo et al.] [[#Ref035|[35]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || UMC 0.13 µm || align="right"| 139.55 kGates || align="right"| 2157 Mbit/s || align="right"| 194 MHz<br />
|-<br />
| SIMD-256 || [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] [[#Ref037|[37]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || STM 90 nm || align="right"| 139 kGates || align="right"| 3171 Mbit/s || align="right"| 284.9 MHz<br />
|-<br />
| Skein-256-256 || [http://eprint.iacr.org/2009/159.pdf Stefan Tillich] [[#Ref012|[12]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 8 Threefish rounds unrolled || UMC 0.18 µm || align="right"| 53.87 kGates || align="right"| 1762 Mbit/s || align="right"| 68.8 MHz<br />
|-<br />
| Skein-256-256 || [http://www.vlsi.uwaterloo.ca/~ahasan/hasan_report.html Namin and Hasan] [[#Ref002|[2]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || All 72 Threefish rounds unrolled || STM 90 nm || align="right"| 369 kGates || align="right"| 3126 Mbit/s(*) || align="right"| 12.21 MHz<br />
|-<br />
| Skein-256-256 || [http://eprint.iacr.org/2009/510.pdf Tillich et al.] [[#Ref014|[14]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 8 Threefish rounds unrolled || UMC 0.18 µm || align="right"| 58.61 kGates || align="right"| 1882 Mbit/s || align="right"| 73.52 MHz<br />
|-<br />
| Skein-256-256 || [http://www.springerlink.com/content/g0115v3272156r06/ Henzen et al.] [[#Ref029|[29]]] / [http://www.iis.ee.ethz.ch/~sha3/ ETH webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Four unrolled Threefish rounds || UMC 90 nm || align="right"| 50 kGates || align="right"| 3558 Mbit/s || align="right"| 264 MHz<br />
|-<br />
| Skein-256-256 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SCHAUMONT_SHA3.pdf Guo et al.] [[#Ref035|[35]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || UMC 0.13 µm || align="right"| 40.9 kGates || align="right"| 1941 Mbit/s || align="right"| 159 MHz<br />
|-<br />
| Skein-256-256 || [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] [[#Ref037|[37]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || STM 90 nm || align="right"| 43.1 kGates || align="right"| 3295 Mbit/s || align="right"| 270.3 MHz<br />
|-<br />
| Skein-512-512 || [http://eprint.iacr.org/2009/510.pdf Tillich et al.] [[#Ref014|[14]]] / [mailto:mfeldhof@iaik.tugraz.at On request] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 8 Threefish rounds unrolled || UMC 0.18 µm || align="right"| 102.04 kGates || align="right"| 2502 Mbit/s || align="right"| 48.87 MHz<br />
|-<br />
| Skein-512 || [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/WALKER_skein-intel-hwd.pdf Walker et al.] [[#Ref036|[36]]] / N/A] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 8 Threefish rounds unrolled || Intel 32 nm || align="right"| 57.93 kGates || align="right"| 32320 Mbit/s || align="right"| 631.31 MHz<br />
|}<br />
<br />
(*) Estimated peak throughput for the minimal delay of compression function: 1000 * (Input Size in bits) / [(Compression Function Delay in ns) * (Number of Cycles)] = Throughput in Mbit/s.<br />
<br /><br />
(**) Implementation of round-one variant.<br />
<br /><br />
(***) Estimated peak throughput: Throughput for CubeHash8/1-h implementation * 16.<br />
<br />
<br><br><br />
<br />
=== Low-Area Implementations (ASIC) ===<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="120"| Hash Function Name !! width="150"| Reference / HDL !! width="100"| Impl. Scope !! width="200"| Implementation Details !! width="100"| Technology !! width="80"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| BLAKE-32 || [http://eprint.iacr.org/2009/349.pdf Tillich et al.] [[#Ref018|[18]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || One G function in 11 cycles || AMS 0.35 µm || align="right"| 25.57 kGates || align="right"| 15.4 Mbit/s || align="right"| 31.25 MHz<br />
|-<br />
| BLAKE-32 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with a single G function unit || UMC 0.18 µm || align="right"| 10.54 kGates || align="right"| 253 Mbit/s || align="right"| 40 MHz<br />
|-<br />
| BLAKE-32 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with a half G function unit || UMC 0.18 µm || align="right"| 9.89 kGates || align="right"| 127 Mbit/s || align="right"| 40 MHz<br />
|-<br />
| BLAKE-64 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with a single G function unit || UMC 0.18 µm || align="right"| 20.61 kGates || align="right"| 181 Mbit/s || align="right"| 20 MHz<br />
|-<br />
| BLAKE-64 || [http://131002.net/blake/blake.pdf Submission doc.] [[#Ref001|[1]]] / [http://131002.net/blake/ Submission webpage] || [[#Implementation_of_Core_Functionality|Core functionality]] || Compression function with a half G function unit || UMC 0.18 µm || align="right"| 19.46 kGates || align="right"| 91 Mbit/s || align="right"| 20 MHz<br />
|-<br />
| CubeHash16/32-h || [http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=5236043 Bernet et al.] [[#Ref020|[20]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Process two 32-bit words per cycle, 64 cycles per round || 0.13 µm || align="right"| 7.63 kGates || align="right"| 32 Mbit/s(****) || align="right"| 100 MHz<br />
|-<br />
| ECHO-224/256 || [http://www.ucc.ie/en/crypto/CodingandCryptographyWorkshop/TheClaudeShannonWorkshoponCodingCryptography2009/DocumentFile,75649,en.pdf Lu et al.] [[#Ref005|[5]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || 0.13 µm || align="right"| 82.8 kGates || align="right"| 373 Mbit/s || align="right"| 66.6 MHz<br />
|-<br />
| Fugue-256 || [http://domino.research.ibm.com/comm/research_projects.nsf/pages/fugue.index.html/$FILE/NIST-submission-Oct08-fugue.pdf Submission doc.] [[#Ref015|[15]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || One SMIX transformation (SUPER1_L) || IBM 90 nm || align="right"| 59.22 kGates || align="right"| 2000 Mbit/s || align="right"| 500 MHz<br />
|-<br />
| Grøstl-224/256 || [http://eprint.iacr.org/2009/349.pdf Tillich et al.] [[#Ref018|[18]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 64-bit datapath, P & Q permutation shared || AMS 0.35 µm || align="right"| 14.62 kGates || align="right"| 145.9 Mbit/s || align="right"| 55.87 MHz<br />
|-<br />
| Grøstl-224/256 || [http://www.groestl.info Grøstl website] [[#Ref019|[19]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 64-bit datapath, P & Q permutation shared || UMC 0.18 µm || align="right"| 17 kGates || align="right"| 645 Mbit/s || align="right"| 246.9 MHz<br />
<br />
|-<br />
| Grøstl-256 || [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/others.html RCIS webpage] [[#Ref039|[39]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/others.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || || STM 90 nm || align="right"| 34.8 kGates || align="right"| 2478 Mbit/s || align="right"| 101.6 MHz<br />
<br />
|-<br />
| Keccak || [http://keccak.noekeon.org/Keccak-main-1.2.pdf Updated spec. (v1.2)] [[#Ref008|[8]]] / [http://keccak.noekeon.org/ Submission webpage] || [[#Implementation_with_External_Memory|Using external memory]] || Small core using system memory || ST 0.13 µm || align="right"| 6.5 kGates || align="right"| 176.4 Mbit/s(*) || align="right"| 666.7 MHz<br />
|-<br />
| Keccak || [http://keccak.noekeon.org/Keccak-main-1.2.pdf Updated spec. (v1.2)] [[#Ref008|[8]]] / [http://keccak.noekeon.org/ Submission webpage] || [[#Implementation_with_External_Memory|Using external memory]] || Small core using system memory, clock freq. limited to 200 MHz || ST 0.13 µm || align="right"| 5 kGates || align="right"| 52.9 Mbit/s(**) || align="right"| 200 MHz<br />
|-<br />
| Luffa-224/256 || [http://www.cosic.esat.kuleuven.be/publications/article-1282.pdf Knežević and Verbauwhede] [[#Ref017|[17]]] / [http://homes.esat.kuleuven.be/~mknezevi/luffa/luffa_hw_code.tar.gz Author's webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || One permutation block (64 S-boxes, 4 MixWord blocks) || UMC 0.13 µm || align="right"| 18.26 kGates || align="right"| 2461 Mbit/s || align="right"| 250 MHz<br />
|-<br />
| Luffa-256 || [http://www.sdl.hitachi.co.jp/crypto/luffa/ACompactHardwareImplementationOfSHA-3CandidateLuffa_20100810.pdf Mikami et al.] [[#Ref027|[27]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || One permutation block (64 S-boxes, 4 MixWord blocks) || UMC 0.13 µm || align="right"| 10.34 kGates || align="right"| 538 Mbit/s || align="right"| 806 MHz<br />
<br />
|-<br />
| Luffa-256 || [http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=5513102&tag=1 Satoh et al.] [[#Ref038|[38]]] / [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/others.html RCIS webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || One permutation block (64 S-boxes, 4 MixWord blocks) || STM 90 nm || align="right"| 14.7 kGates || align="right"| 3641.1 Mbit/s || align="right"| 355.9 MHz<br />
<br />
|-<br />
| Luffa-384 || [http://www.cosic.esat.kuleuven.be/publications/article-1282.pdf Knežević and Verbauwhede] [[#Ref017|[17]]] / [http://homes.esat.kuleuven.be/~mknezevi/luffa/luffa_hw_code.tar.gz Author's webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 6 S-boxes, 1 MixWord || TSMC 90 nm || align="right"| 27.13 kGates || align="right"| 1882 Mbit/s || align="right"| 250 MHz<br />
|-<br />
| Luffa-512 || [http://www.cosic.esat.kuleuven.be/publications/article-1282.pdf Knežević and Verbauwhede] [[#Ref017|[17]]] / [http://homes.esat.kuleuven.be/~mknezevi/luffa/luffa_hw_code.tar.gz Author's webpage] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || One permutation block (64 S-boxes, 4 MixWord blocks) || UMC 0.13 µm || align="right"| 37.35 kGates || align="right"| 1524 Mbit/s || align="right"| 250 MHz<br />
|-<br />
| Shabal || [http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=5236043 Bernet et al.] [[#Ref020|[20]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || One adder, one subtractor, one incrementer. 165 cycles per block || 0.13 µm || align="right"| 23.32 kGates || align="right"| 310 Mbit/s || align="right"| 100 MHz<br />
|-<br />
| Skein-256-256 || [http://eprint.iacr.org/2009/349.pdf Tillich et al.] [[#Ref018|[18]]] / N/A || [[#Fully_Autonomous_Implementation|Fully autonomous]] || 64-bit datapath || AMS 0.35 µm || align="right"| 12.89 kGates || align="right"| 19.8 Mbit/s || align="right"| 80 MHz<br />
|-<br />
| Skein-256-256 || [http://www.vlsi.uwaterloo.ca/~ahasan/hasan_report.html Namin and Hasan] [[#Ref002|[2]]] / N/A || [[#Implementation_of_Core_Functionality|Core functionality]] || One round of Threefish iterated || STM 90 nm || align="right"| 21 kGates || align="right"| 1018.8 Mbit/s(***) || align="right"| 286.53 MHz<br />
|}<br />
<br />
(*) Estimation for 64-bit memory interface: (1024 bits/permutation) * (666.7 * 10^6 cycles/s) / (3870 cycles/permutation) = 176.41 * 10^6 bits/s<br />
<br /><br />
(**) Estimation for 64-bit memory interface: (1024 bits/permutation) * (200 * 10^6 cycles/s) / (3870 cycles/permutation) = 52.92 * 10^6 bits/s<br />
<br /><br />
(***) Estimated peak throughput for the minimal delay of compression function: 1000 * (Input Size in bits) / [(Compression Function Delay in ns) * (Number of Cycles)] = Throughput in Mbit/s<br />
<br /><br />
(****) Estimated peak throughput: Throughput for CubeHash8/1-h implementation * 16.<br />
<br />
<br /><br />
<br /><br />
<br />
== Comparative Studies ==<br />
<br />
This section summarizes the reported results of publications which examined more than one round-two candidate in a similar setup.<br />
<br />
=== Blake, BMW, Luffa, Shabal, Skein ===<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="200"| Reference !! width="120"| HDL !! width="120"| Category !! width="100"| Impl. Scope !! width="120"| Technology<br />
|- <br />
| [http://www.vlsi.uwaterloo.ca/~ahasan/hasan_report.html Namin and Hasan] [[#Ref002|[2]]] || N/A || [[#High-Speed_Implementations_(FPGA)|High-speed FPGA]] || [[#Implementation_of_Core_Functionality|Core functionality]] || Altera Stratix III<br />
|}<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="140"| Hash Function Name !! width="270"| Impl. Details !! width="90"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| BLAKE-32 || Compression function with 8 G function units and I/O registers || align="right"| 5435 ALUTs || align="right"| 2186.2 Mbit/s || align="right"| 46.97 MHz<br />
|-<br />
| Blue Midnight Wish-256 || Compression function with f0, f1, and f2 unrolled in sequence and I/O registers || align="right"| 12917 ALUTs || align="right"| 4889.6 Mbit/s || align="right"| 9.55 MHz<br />
|-<br />
| Luffa-256 || Compression function (1 cycle latency) and I/O registers || align="right"| 16552 ALUTs || align="right"| 12042.2 Mbit/s || align="right"| 47.04 MHz<br />
|-<br />
| Shabal-256 || Compression function with I/O registers (latency of 16 clock cycles) || align="right"| 1440 ALUTs || align="right"| 3125.6 Mbit/s || align="right"| 195.35 MHz<br />
|-<br />
| Skein-256-256 || All 72 Threefish rounds unrolled (device too small) || align="right"| N/A || align="right"| N/A || align="right"| N/A<br />
|}<br />
<br />
<br />
----<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="200"| Reference !! width="120"| HDL !! width="120"| Category !! width="100"| Impl. Scope !! width="120"| Technology<br />
|- <br />
| [http://www.vlsi.uwaterloo.ca/~ahasan/hasan_report.html Namin and Hasan] [[#Ref002|[2]]] || N/A || [[#High-Speed_Implementations_(ASIC)|High-speed ASIC]] || [[#Implementation_of_Core_Functionality|Core functionality]] || STM 90 nm<br />
|}<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="140"| Hash Function Name !! width="270"| Impl. Details !! width="90"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| BLAKE-32 || Compression function with 8 G function units and I/O registers || align="right"| 53 kGates || align="right"| 4475 Mbit/s(*) || align="right"| 96.15 MHz<br />
|-<br />
| Blue Midnight Wish-256 || Compression function with f0, f1, and f2 unrolled in sequence and I/O registers || align="right"| 164 kGates || align="right"| 26665 Mbit/s(*) || align="right"| 52.08 MHz<br />
|-<br />
| Luffa-256 || Compression function (1 cycle latency) and I/O registers || align="right"| 122 kGates || align="right"| 25702 Mbit/s(*) || align="right"| 100.4 MHz<br />
|-<br />
| Shabal-256 || Compression function with I/O registers (latency of 16 clock cycles) || align="right"| 20 kGates || align="right"| 4408 Mbit/s(*) || align="right"| 413.22 MHz<br />
|-<br />
| Skein-256-256 || All 72 Threefish rounds unrolled || align="right"| 369 kGates || align="right"| 3126 Mbit/s(*) || align="right"| 12.21 MHz<br />
|}<br />
<br />
(*) Estimated peak throughput for the minimal delay of compression function: 1000 * (Input Size in bits) / [(Compression Function Delay in ns) * (Number of Cycles)] = Throughput in Mbit/s.<br />
<br />
<br /><br />
<br /><br />
<br />
=== Blake, CubeHash, ECHO, Grøstl, Hamsi, Luffa, Shabal, Skein ===<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="200"| Reference !! width="120"| HDL !! width="120"| Category !! width="100"| Impl. Scope !! width="120"| Technology<br />
|- <br />
| [http://eprint.iacr.org/2010/010.pdf Kobayashi et al.] [[#Ref003|[3]]] || [http://www.rcis.aist.go.jp/special/SASEBO/SHA3-en.html RCIS webpage] || [[#High-Speed_Implementations_(FPGA)|High-speed FPGA]] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Xilinx Virtex 5<br />
|}<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="140"| Hash Function Name !! width="270"| Impl. Details !! width="90"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| BLAKE-32 || || align="right"| 1660 slices || align="right"| 2676 Mbit/s || align="right"| 115 MHz<br />
|-<br />
| CubeHash16/32-256 || || align="right"| 590 slices || align="right"| 2960 Mbit/s || align="right"| 185 MHz<br />
|-<br />
| ECHO-256 || || align="right"| 3556 slices || align="right"| 1614 Mbit/s || align="right"| 104 MHz<br />
|-<br />
| Grøstl-256 || || align="right"| 4057 slices || align="right"| 5171 Mbit/s || align="right"| 101 MHz<br />
|-<br />
| Hamsi-256 || || align="right"| 718 slices || align="right"| 1680 Mbit/s || align="right"| 210 MHz<br />
|-<br />
| Luffa-256 || || align="right"| 1048 slices || align="right"| 6343 Mbit/s || align="right"| 223 MHz<br />
|-<br />
| Shabal-256 || || align="right"| 1251 slices || align="right"| 1739 Mbit/s || align="right"| 214 MHz<br />
|-<br />
| Skein-256 || || align="right"| 854 slices || align="right"| 1482 Mbit/s || align="right"| 115 MHz<br />
|}<br />
<br />
<br /><br />
<br /><br />
<br />
=== CubeHash, Grøstl, Shabal ===<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="200"| Reference !! width="120"| HDL !! width="120"| Category !! width="100"| Impl. Scope !! width="120"| Technology<br />
|- <br />
| [http://eprint.iacr.org/2009/342.pdf Baldwin et al.] [[#Ref004|[4]]] || N/A || [[#High-Speed_Implementations_(FPGA)|High-speed FPGA]] || [[#Implementation_of_Core_Functionality|Core functionality]] || Xilinx Spartan 3<br />
|}<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="140"| Hash Function Name !! width="270"| Impl. Details !! width="90"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| CubeHash8/1-256(*) || 2 compression functions unrolled || align="right"| 3268 slices || align="right"| 70 Mbit/s || align="right"| 37.9 MHz<br />
|-<br />
| Grøstl-224/256 || P & Q permutation in parallel, S-box in BRAM || align="right"| 4827 slices || align="right"| 3660 Mbit/s || align="right"| 71.53 MHz<br />
|-<br />
| Grøstl-384/512 || P & Q permutation parallel, S-box in LUTs || align="right"| 17452 slices || align="right"| 3180 Mbit/s || align="right"| 79.61 MHz<br />
|-<br />
| Shabal || 36 adders in permutation || align="right"| 2223 slices || align="right"| 740 Mbit/s || align="right"| 71.48 MHz<br />
|}<br />
<br />
(*) CubeHash16/32-h implemented in a similar fashion can be expected to have throughput increased by a factor of about 16.<br />
<br />
<br />
----<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="200"| Reference !! width="120"| HDL !! width="120"| Category !! width="100"| Impl. Scope !! width="120"| Technology<br />
|- <br />
| [http://eprint.iacr.org/2009/342.pdf Baldwin et al.] [[#Ref004|[4]]] || N/A || [[#High-Speed_Implementations_(FPGA)|High-speed FPGA]] || [[#Implementation_of_Core_Functionality|Core functionality]] || Xilinx Virtex 5<br />
|}<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="140"| Hash Function Name !! width="270"| Impl. Details !! width="90"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| CubeHash8/1-256(*) || 1 iterated compression function || align="right"| 1178 slices || align="right"| 160 Mbit/s || align="right"| 166.8 MHz<br />
|-<br />
| Grøstl-224/256 || P & Q permutation in parallel, S-box in BRAM || align="right"| 4516 slices || align="right"| 7310 Mbit/s || align="right"| 142.87 MHz<br />
|-<br />
| Grøstl-384/512 || P & Q permutation parallel, S-box in LUTs || align="right"| 19161 slices || align="right"| 6090 Mbit/s || align="right"| 83.33 MHz<br />
|-<br />
| Shabal || 36 adders in permutation || align="right"| 2768 slices || align="right"| 1450 Mbit/s || align="right"| 138.87 MHz<br />
|}<br />
<br />
(*) CubeHash16/32-h implemented in a similar fashion can be expected to have throughput increased by a factor of about 16.<br />
<br />
<br /><br />
<br /><br />
<br />
=== All 14 Round-Two Candidates ===<br />
<br />
Reported results are post-synthesis. An interactive graphical comparison of various area-performance tradeoffs of this study can be found [http://www.iaik.tugraz.at/content/research/vlsi/sha3hw/ here].<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="200"| Reference !! width="120"| HDL !! width="120"| Category !! width="100"| Impl. Scope !! width="120"| Technology<br />
|- <br />
| [http://eprint.iacr.org/2009/510.pdf Tillich et al.] [[#Ref014|[14]]] || [mailto:mfeldhof@iaik.tugraz.at On request] || [[#High-Speed_Implementations_(ASIC)|High-speed ASIC]] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || UMC 0.18 µm<br />
|}<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="140"| Hash Function Name !! width="270"| Impl. Details !! width="90"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| BLAKE-32 || Compression function with 4 G function units with CSAs || align="right"| 45.64 kGates || align="right"| 3971 Mbit/s || align="right"| 170.64 MHz<br />
|-<br />
| Blue Midnight Wish-256 || Compression function with f0, f1, and f2 unrolled || align="right"| 169.74 kGates || align="right"| 5358 Mbit/s || align="right"| 10.46 MHz<br />
|-<br />
| CubeHash16/32-h || Dynamically reconfigurable r and b parameters, two rounds unrolled || align="right"| 58.87 kGates || align="right"| 4665 Mbit/s || align="right"| 145.77 MHz<br />
|-<br />
| ECHO-256 || Four parallel AES rounds, 16 AES MixColumns 32-bit column multipliers || align="right"| 141.49 kGates || align="right"| 2246 Mbit/s || align="right"| 141.84 MHz<br />
|-<br />
| Fugue-256 || Four columns of SMIX transformation in parallel || align="right"| 46.26 kGates || align="right"| 4092 Mbit/s || align="right"| 255.75 MHz<br />
|-<br />
| Grøstl-256 || One shared permutation for P & Q, one pipeline stage || align="right"| 58.40 kGates || align="right"| 6290 Mbit/s || align="right"| 270.27 MHz<br />
|-<br />
| Hamsi-256 || Three instances of P/Pf function unrolled || align="right"| 58.66 kGates || align="right"| 5565 Mbit/s || align="right"| 173.91 MHz<br />
|-<br />
| JH-256 || 320 S-boxes, one round of R<sub>8</sub> per cycle || align="right"| 58.83 kGates || align="right"| 4991 Mbit/s || align="right"| 380.22 MHz<br />
|-<br />
| Keccak(-256) || One instance of Keccak-f round || align="right"| 56.32 kGates || align="right"| 21229 Mbit/s || align="right"| 487.80 MHz<br />
|-<br />
| Luffa-224/256 || Three permutation blocks in parallel (64 S-boxes, 4 MixWord blocks each) || align="right"| 44.97 kGates || align="right"| 13741 Mbit/s || align="right"| 483.09 MHz<br />
|-<br />
| Shabal-256 || One word rotation per cycle, 50 cycles per block || align="right"| 54.19 kGates || align="right"| 3282 Mbit/s || align="right"| 320.51 MHz<br />
|-<br />
| SHAvite-3<sub>256</sub> || Four AES rounds (two for compression, two for message expansion) || align="right"| 57.39 kGates || align="right"| 3152 Mbit/s || align="right"| 227.79 MHz<br />
|-<br />
| SIMD-256(*) || Two FFT-64 with two FFT-8 and 16 multipliers (8x8 bit) each || align="right"| 104.17 kGates || align="right"| 924 Mbit/s || align="right"| 64.93 MHz<br />
|-<br />
| Skein-256-256 || 8 Threefish rounds unrolled || align="right"| 58.61 kGates || align="right"| 1882 Mbit/s || align="right"| 73.52 MHz<br />
|-<br />
| Skein-512-512 || 8 Threefish rounds unrolled || align="right"| 102.04 kGates || align="right"| 2502 Mbit/s || align="right"| 48.87 MHz<br />
|}<br />
<br />
(*) Implementation of round-one variant.<br />
<br />
<br /><br />
<br /><br />
<br />
=== BLAKE, Grøstl, Skein ===<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="200"| Reference !! width="120"| HDL !! width="120"| Category !! width="100"| Impl. Scope !! width="120"| Technology<br />
|- <br />
| [http://eprint.iacr.org/2009/349.pdf Tillich et al.] [[#Ref018|[18]]] || N/A || [[#Low-Area_Implementations_(ASIC)|Low-area ASIC]] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || AMS 0.35 µm<br />
|}<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="140"| Hash Function Name !! width="270"| Impl. Details !! width="90"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| BLAKE-32 || One G function in 11 cycles || align="right"| 25.57 kGates || align="right"| 15.4 Mbit/s || align="right"| 31.25 MHz<br />
|-<br />
| Grøstl-224/256 || 64-bit datapath, P & Q permutation shared || align="right"| 14.62 kGates || align="right"| 145.9 Mbit/s || align="right"| 55.87 MHz<br />
|-<br />
| Skein-256-256 || 64-bit datapath || align="right"| 12.89 kGates || align="right"| 19.8 Mbit/s || align="right"| 80 MHz<br />
|}<br />
<br />
<br />
=== ECHO, Hamsi, Luffa ===<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="200"| Reference !! width="120"| HDL !! width="120"| Category !! width="100"| Impl. Scope !! width="120"| Technology<br />
|- <br />
| [http://ehash.iaik.tugraz.at/uploads/1/12/Ramakers_Narinx2010ECHO-Hamsi-Luffa_ExtendedAbstract_ENGLISH.pdf Ramakers and Narinx] [[#Ref025|[25]]] || [http://ehash.iaik.tugraz.at/uploads/2/27/Ramakers_Narinx2010ECHO-Hamsi-Luffa_VHDL_sources.zip Hosted by SHA-3 zoo] || [[#High-Speed_Implementations_(FPGA)|High-speed FPGA]] || [[#Implementation_of_Core_Functionality|Core functionality]] || Xilinx Virtex 5<br />
|}<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="140"| Hash Function Name !! width="270"| Impl. Details !! width="90"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| ECHO-256 || Straight-forward instantiation of complete compression function || align="right"| 15006 slices || align="right"| 23860 Mbit/s || align="right"| 139 MHz<br />
|-<br />
| ECHO-256 || Optimized: 4 x 2 AES round instances with pipeline register in BigSubWords || align="right"| 12061 slices || align="right"| 3560 Mbit/s || align="right"| 187 MHz<br />
|-<br />
| Hamsi-256 || Straight-forward instantiation of complete compression function || align="right"| 4664 slices || align="right"| 6620 Mbit/s || align="right"| 207 MHz<br />
|-<br />
| Hamsi-256 || Non-linear permutation block reused || align="right"| 2113 slices || align="right"| 1970 Mbit/s || align="right"| 308 MHz<br />
|-<br />
| Luffa-256 || Straight-forward instantiation of complete compression function || align="right"| 9611 slices || align="right"| 12290 Mbit/s || align="right"| 48.2 MHz<br />
|-<br />
| Luffa-256 || One step block reused for 8 rounds || align="right"| 2303 slices || align="right"| 5090 Mbit/s || align="right"| 179 MHz<br />
|}<br />
<br />
<br />
=== All 14 Round-Two Candidates ===<br />
<br />
Reported results of this study are post-P&amp;R performances of designs targeting high throughput.<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="200"| Reference !! width="120"| HDL !! width="120"| Category !! width="100"| Impl. Scope !! width="120"| Technology<br />
|- <br />
| [http://www.springerlink.com/content/g0115v3272156r06/ Henzen et al.] [[#Ref029|[29]]] || [http://www.iis.ee.ethz.ch/~sha3/ ETH webpage] || [[#High-Speed_Implementations_(ASIC)|High-speed ASIC]] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || UMC 90 nm<br />
|}<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="140"| Hash Function Name !! width="270"| Impl. Details !! width="90"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| BLAKE-32 || Four parallel G functions modules || align="right"| 47.5 kGates || align="right"| 9752 Mbit/s || align="right"| 400 MHz<br />
|-<br />
| Blue Midnight Wish-256 || single-cycle f0 and f2, f1 iteratively || align="right"| 150 kGates || align="right"| 8486 Mbit/s || align="right"| 298 MHz<br />
|-<br />
| CubeHash16/32-256 || One round per cycle, IV fixed || align="right"| 42.5 kGates || align="right"| 10667 Mbit/s || align="right"| 667 MHz<br />
|-<br />
| ECHO-256 || 8 AES rounds per cycle || align="right"| 260 kGates || align="right"| 13966 Mbit/s || align="right"| 291 MHz<br />
|-<br />
| Fugue-256 || S-box as LUT || align="right"| 55 kGates || align="right"| 8815 Mbit/s || align="right"| 551 MHz<br />
|-<br />
| Grøstl-256 || P and Q permutation interleaved with one pipeline stage, S-box as LUT || align="right"| 135 kGates || align="right"| 16254 Mbit/s || align="right"| 667 MHz<br />
|-<br />
| Hamsi-256 || Message expansions in LUTs, one round per cycle || align="right"| 45 kGates || align="right"| 8686 Mbit/s || align="right"| 814 MHz<br />
|-<br />
| JH-256 || S-boxes as LUTs, stored constants || align="right"| 80 kGates || align="right"| 10807 Mbit/s || align="right"| 760 MHz<br />
|-<br />
| Keccak(-256) || One round per cycle || align="right"| 50 kGates || align="right"| 43011 Mbit/s || align="right"| 949 MHz<br />
|-<br />
| Luffa-256 || Three parallel step modules, SubCrumb as logic || align="right"| 55 kGates || align="right"| 23256 Mbit/s || align="right"| 727 MHz<br />
|-<br />
| Shabal-256 || 30 adders, 16 subtractors || align="right"| 45 kGates || align="right"| 6819 Mbit/s || align="right"| 693 MHz<br />
|-<br />
| SHAvite-3<sub>256</sub> || One AES round each for message expansion and F<sup>3</sup> round || align="right"| 75 kGates || align="right"| 7999 Mbit/s || align="right"| 562 MHz<br />
|-<br />
| SIMD-256 || Four parallel Feistel modules, message expansion based on NNT<sub>8</sub> and eight multipliers || align="right"| 135 kGates || align="right"| 5177 Mbit/s || align="right"| 364 MHz<br />
|-<br />
| Skein-256-256 || Four unrolled Threefish rounds || align="right"| 50 kGates || align="right"| 3558 Mbit/s || align="right"| 264 MHz<br />
|}<br />
<br />
<br /><br />
<br /><br />
<br />
<br />
=== All 14 Round-Two Candidates ===<br />
<br />
Designs optimized towards throughput to area ratio. The cited results are those for the Xilinx Virtex 5 platform only. For a full listing of all ATHENa results refer to the [http://cryptography.gmu.edu/athena/ ATHENa webpage].<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="200"| Reference !! width="120"| HDL !! width="120"| Category !! width="100"| Impl. Scope !! width="120"| Technology<br />
|- <br />
| [http://www.springerlink.com/content/q41257x376615p22/ Gaj et al.] [[#Ref030|[30]]] || N/A || [[#High-Speed_Implementations_(FPGA)|High-speed FPGA]] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Xilinx Virtex 5<br />
|}<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="140"| Hash Function Name !! width="270"| Impl. Details !! width="90"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| BLAKE-32 || || align="right"| 1851 slices || align="right"| 2610.6 Mbit/s || align="right"| 102 MHz<br />
|-<br />
| Blue Midnight Wish-256 || || align="right"| 4400 slices || align="right"| 5576.7 Mbit/s || align="right"| 10.9 MHz<br />
|-<br />
| CubeHash16/32-256 || || align="right"| 730 slices || align="right"| 3189.8 Mbit/s || align="right"| 199.4 MHz<br />
|-<br />
| ECHO-256 || || align="right"| 6453 slices || align="right"| 10133.4 Mbit/s || align="right"| 178.1 MHz<br />
|-<br />
| Fugue-256 || || align="right"| 956 slices || align="right"| 3151.2 Mbit/s || align="right"| 98.5 MHz<br />
|-<br />
| Grøstl-256 || || align="right"| 1884 slices || align="right"| 8676.5 Mbit/s || align="right"| 355.9 MHz<br />
|-<br />
| Hamsi-256 || || align="right"| 946 slices || align="right"| 2646.2 Mbit/s || align="right"| 248.1 MHz<br />
|-<br />
| JH-256 || || align="right"| 1275 slices || align="right"| 4013.5 Mbit/s || align="right"| 282.2 MHz<br />
|-<br />
| Keccak(-256) || || align="right"| 1229 slices || align="right"| 10806.5 Mbit/s || align="right"| 238.4 MHz<br />
|-<br />
| Luffa-256 || || align="right"| 1154 slices || align="right"| 8008 Mbit/s || align="right"| 281.5 MHz<br />
|-<br />
| Shabal-256 || || align="right"| 1266 slices || align="right"| 2624 Mbit/s || align="right"| 128.1 MHz<br />
|-<br />
| SHAvite-3<sub>256</sub> || || align="right"| 1130 slices || align="right"| 2885.9 Mbit/s || align="right"| 208.6 MHz<br />
|-<br />
| SIMD-256 || || align="right"| 9288 slices || align="right"| 2325.9 Mbit/s || align="right"| 40.9 MHz<br />
|-<br />
| Skein-256-256 || || align="right"| 1312 slices || align="right"| 1416.1 Mbit/s || align="right"| 49.8 MHz<br />
|}<br />
<br />
<br /><br />
<br /><br />
<br />
<br />
=== All 14 Round-Two Candidates ===<br />
<br />
Results are without wrapper for long messages.<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="200"| Reference !! width="120"| HDL !! width="120"| Category !! width="100"| Impl. Scope !! width="120"| Technology<br />
|- <br />
| [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf Baldwin et al.] [[#Ref031|[31]]] || [http://www.ucc.ie/en/crypto/SHA-3Hardware/ UCC webpage] || [[#High-Speed_Implementations_(FPGA)|High-speed FPGA]] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Xilinx Virtex 5<br />
|}<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="140"| Hash Function Name !! width="270"| Impl. Details !! width="90"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| BLAKE-32 || || align="right"| 1118 slices || align="right"| 1169 Mbit/s || align="right"| 118.06 MHz<br />
|-<br />
| BLAKE-64 || || align="right"| 1718 slices || align="right"| 1299 Mbit/s || align="right"| 90.91 MHz<br />
|-<br />
| Blue Midnight Wish-256 || || align="right"| 4997 slices || align="right"| 457 Mbit/s || align="right"| 14.02 MHz<br />
|-<br />
| Blue Midnight Wish-512 || || align="right"| 9810 slices || align="right"| 287 Mbit/s || align="right"| 10 MHz<br />
|-<br />
| CubeHash8/32 || || align="right"| 695 slices || align="right"| 2509 Mbit/s || align="right"| 166.83 MHz<br />
|-<br />
| ECHO-256 || || align="right"| 7372 slices || align="right"| 5373 Mbit/s || align="right"| 198.93 MHz<br />
|-<br />
| ECHO-512 || || align="right"| 8633 slices || align="right"| 18133 Mbit/s || align="right"| 166.69 MHz<br />
|-<br />
| Fugue-256 || || align="right"| 1689 slices || align="right"| 914 Mbit/s || align="right"| 200.04 MHz<br />
|-<br />
| Fugue-384 || || align="right"| 2380 slices || align="right"| 640 Mbit/s || align="right"| 200.08 MHz<br />
|-<br />
| Fugue-512 || || align="right"| 2596 slices || align="right"| 481 Mbit/s || align="right"| 200.16 MHz<br />
|-<br />
| Grøstl-256 || || align="right"| 2391 slices || align="right"| 3242 Mbit/s || align="right"| 101.32 MHz<br />
|-<br />
| Grøstl-512 || || align="right"| 4845 slices || align="right"| 3619 Mbit/s || align="right"| 123.4 MHz<br />
|-<br />
| Hamsi-256 || || align="right"| 1518 slices || align="right"| 358 Mbit/s || align="right"| 72.41 MHz<br />
|-<br />
| Hamsi-512 || || align="right"| 6229 slices || align="right"| 79 Mbit/s || align="right"| 16.51 MHz<br />
|-<br />
| JH || || align="right"| 1291 slices || align="right"| 1941 Mbit/s || align="right"| 250.13 MHz<br />
|-<br />
| Keccak(-224) || || align="right"| 1117 slices || align="right"| 5915 Mbit/s || align="right"| 189 MHz<br />
|-<br />
| Keccak(-256) || || align="right"| 1117 slices || align="right"| 6263 Mbit/s || align="right"| 189 MHz<br />
|-<br />
| Keccak(-384) || || align="right"| 1117 slices || align="right"| 8190 Mbit/s || align="right"| 189 MHz<br />
|-<br />
| Keccak(-512) || || align="right"| 1117 slices || align="right"| 8518 Mbit/s || align="right"| 189 MHz<br />
|-<br />
| Luffa-256 || || align="right"| 2221 slices || align="right"| 5333 Mbit/s || align="right"| 166.67 MHz<br />
|-<br />
| Luffa-384 || || align="right"| 3740 slices || align="right"| 5336 Mbit/s || align="right"| 166.75 MHz<br />
|-<br />
| Luffa-512 || || align="right"| 3700 slices || align="right"| 5336 Mbit/s || align="right"| 166.75 MHz<br />
|-<br />
| Shabal || || align="right"| 1583 slices || align="right"| 1469 Mbit/s || align="right"| 148.04 MHz<br />
|-<br />
| SHAvite-3<sub>256</sub> || || align="right"| 3125 slices || align="right"| 1170 Mbit/s || align="right"| 109.17 MHz<br />
|-<br />
| SHAvite-3<sub>512</sub> || || align="right"| 9775 slices || align="right"| 931 Mbit/s || align="right"| 59.4 MHz<br />
|-<br />
| SIMD-256 || || align="right"| 22704 slices || align="right"| 1338 Mbit/s || align="right"| 107.2 MHz<br />
|-<br />
| SIMD-512 || || align="right"| 43729 slices || align="right"| 2677 Mbit/s || align="right"| 107.2 MHz<br />
|-<br />
| Skein-512 || || align="right"| 1786 slices || align="right"| 1945 Mbit/s || align="right"| 83.65 MHz<br />
|}<br />
<br />
<br /><br />
<br /><br />
<br />
<br />
=== All 14 Round-Two Candidates ===<br />
<br />
Results include throughputs without interface overhead.<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="200"| Reference !! width="120"| HDL !! width="120"| Category !! width="100"| Impl. Scope !! width="120"| Technology<br />
|- <br />
| [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/MATSUO_SHA-3_Criteria_Hardware_revised.pdf Matsuo et al.] [[#Ref033|[33]]] || [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] || [[#High-Speed_Implementations_(FPGA)|High-speed FPGA]] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || Xilinx Virtex 5<br />
|}<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="140"| Hash Function Name !! width="270"| Impl. Details !! width="90"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| BLAKE-32 || || align="right"| 1660 slices || align="right"| 2676 Mbit/s || align="right"| 115 MHz<br />
|-<br />
| Blue Midnight Wish-256 || || align="right"| 4350 slices || align="right"| 8704 Mbit/s || align="right"| 34 MHz<br />
|-<br />
| CubeHash16/32-256 || || align="right"| 590 slices || align="right"| 2960 Mbit/s || align="right"| 185 MHz<br />
|-<br />
| ECHO-256 || || align="right"| 2827 slices || align="right"| 2312 Mbit/s || align="right"| 149 MHz<br />
|-<br />
| Fugue-256 || || align="right"| 4013 slices || align="right"| 1248 Mbit/s || align="right"| 78 MHz<br />
|-<br />
| Grøstl-256 || || align="right"| 2616 slices || align="right"| 7885 Mbit/s || align="right"| 154 MHz<br />
|-<br />
| Hamsi-256 || || align="right"| 718 slices || align="right"| 1680 Mbit/s || align="right"| 210 MHz<br />
|-<br />
| JH-256 || || align="right"| 2661 slices || align="right"| 2639 Mbit/s || align="right"| 201 MHz<br />
|-<br />
| Keccak(-256) || || align="right"| 1433 slices || align="right"| 8397 Mbit/s || align="right"| 205 MHz<br />
|-<br />
| Luffa-256 || || align="right"| 1048 slices || align="right"| 7424 Mbit/s || align="right"| 261 MHz<br />
|-<br />
| Shabal-256 || || align="right"| 1251 slices || align="right"| 2335 Mbit/s || align="right"| 228 MHz<br />
|-<br />
| SHAvite-3<sub>256</sub> || || align="right"| 1063 slices || align="right"| 3382 Mbit/s || align="right"| 251 MHz<br />
|-<br />
| SIMD-256 || || align="right"| 3987 slices || align="right"| 835 Mbit/s || align="right"| 75 MHz<br />
|-<br />
| Skein-256-256 || || align="right"| 854 slices || align="right"| 1402 Mbit/s || align="right"| 115 MHz<br />
|}<br />
<br />
<br />
----<br />
<br />
<br />
Same implementations as in [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/MATSUO_SHA-3_Criteria_Hardware_revised.pdf Matsuo et al.] [[#Ref033|[33]]] implemented on STM 90 nm technology.<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="200"| Reference !! width="120"| HDL !! width="120"| Category !! width="100"| Impl. Scope !! width="120"| Technology<br />
|- <br />
| [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] [[#Ref037|[37]]] || [http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html RCIS webpage] || [[#High-Speed_Implementations_(ASIC)|High-speed ASIC]] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || STM 90 nm<br />
|}<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="140"| Hash Function Name !! width="270"| Impl. Details !! width="90"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| BLAKE-32 || || align="right"| 37 kGates || align="right"| 6668 Mbit/s || align="right"| 286.5 MHz<br />
|-<br />
| Blue Midnight Wish-256 || || align="right"| 128.7 kGates || align="right"| 25937 Mbit/s || align="right"| 101.3 MHz<br />
|-<br />
| CubeHash16/32-256 || || align="right"| 35.5 kGates || align="right"| 8247 Mbit/s || align="right"| 515.5 MHz<br />
|-<br />
| ECHO-256 || || align="right"| 101.1 kGates || align="right"| 5621 Mbit/s || align="right"| 362.3 MHz<br />
|-<br />
| Fugue-256 || || align="right"| 56.7 kGates || align="right"| 2721 Mbit/s || align="right"| 170.1 MHz<br />
|-<br />
| Grøstl-256 || || align="right"| 139.1 kGates || align="right"| 17297 Mbit/s || align="right"| 337.8 MHz<br />
|-<br />
| Hamsi-256 || || align="right"| 67.6 kGates || align="right"| 7767 Mbit/s || align="right"| 970.9 MHz<br />
|-<br />
| JH-256 || || align="right"| 54.6 kGates || align="right"| 10022 Mbit/s || align="right"| 763.4 MHz<br />
|-<br />
| Keccak(-256) || || align="right"| 50.7 kGates || align="right"| 33333 Mbit/s || align="right"| 781.3 MHz<br />
|-<br />
| Luffa-256 || || align="right"| 39.6 kGates || align="right"| 28732 Mbit/s || align="right"| 1010.1 MHz<br />
|-<br />
| Shabal-256 || || align="right"| 34.6 kGates || align="right"| 6059 Mbit/s || align="right"| 591.7 MHz<br />
|-<br />
| SHAvite-3<sub>256</sub> || || align="right"| 59.4 kGates || align="right"| 8421 Mbit/s || align="right"| 625 MHz<br />
|-<br />
| SIMD-256 || || align="right"| 139 kGates || align="right"| 3171 Mbit/s || align="right"| 284.9 MHz<br />
|-<br />
| Skein-256-256 || || align="right"| 43.1 kGates || align="right"| 3295 Mbit/s || align="right"| 270.3 MHz<br />
|}<br />
<br />
<br /><br />
<br /><br />
<br />
=== Blue Midnight Wish, Keccak, Luffa ===<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="200"| Reference !! width="120"| HDL !! width="120"| Category !! width="100"| Impl. Scope !! width="120"| Technology<br />
|- <br />
| [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SAVAS_SHA3_NIST_final.pdf Akin et al.] [[#Ref034|[34]]] || N/A || [[#High-Speed_Implementations_(FPGA)|High-speed FPGA]] || [[#Implementation_of_Core_Functionality|Core functionality]] || Xilinx Spartan 3<br />
|}<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="140"| Hash Function Name !! width="270"| Impl. Details !! width="90"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| Blue Midnight Wish || Compression function with f0, f1, and f2 unrolled in sequence || align="right"| 10531 slices || align="right"| 2110 Mbit/s || align="right"| 4.22 MHz<br />
|-<br />
| Keccak || One Keccak-f round per cycle || align="right"| 2024 slices || align="right"| 3460 Mbit/s || align="right"| 81.4 MHz<br />
|-<br />
| Luffa || Three step modules || align="right"| 2956 slices || align="right"| 1480 Mbit/s || align="right"| 157.3 MHz<br />
|}<br />
<br />
<br />
----<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="200"| Reference !! width="120"| HDL !! width="120"| Category !! width="100"| Impl. Scope !! width="120"| Technology<br />
|- <br />
| [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SAVAS_SHA3_NIST_final.pdf Akin et al.] [[#Ref034|[34]]] || N/A || [[#High-Speed_Implementations_(FPGA)|High-speed FPGA]] || [[#Implementation_of_Core_Functionality|Core functionality]] || Xilinx Virtex-II<br />
|}<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="140"| Hash Function Name !! width="270"| Impl. Details !! width="90"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| Blue Midnight Wish || Compression function with f0, f1, and f2 unrolled in sequence || align="right"| 10432 slices || align="right"| 3360 Mbit/s || align="right"| 6.71 MHz<br />
|-<br />
| Keccak || One Keccak-f round per cycle || align="right"| 2024 slices || align="right"| 5810 Mbit/s || align="right"| 136.6 MHz<br />
|-<br />
| Luffa || Three step modules || align="right"|2952 slices || align="right"| 8370 Mbit/s || align="right"| 301.4 MHz<br />
|}<br />
<br />
<br />
----<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="200"| Reference !! width="120"| HDL !! width="120"| Category !! width="100"| Impl. Scope !! width="120"| Technology<br />
|- <br />
| [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SAVAS_SHA3_NIST_final.pdf Akin et al.] [[#Ref034|[34]]] || N/A || [[#High-Speed_Implementations_(FPGA)|High-speed FPGA]] || [[#Implementation_of_Core_Functionality|Core functionality]] || Xilinx Virtex 4<br />
|}<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="140"| Hash Function Name !! width="270"| Impl. Details !! width="90"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| Blue Midnight Wish || Compression function with f0, f1, and f2 unrolled in sequence || align="right"| 10486 slices || align="right"| 4510 Mbit/s || align="right"| 9.01 MHz<br />
|-<br />
| Keccak || One Keccak-f round per cycle || align="right"| 2024 slices || align="right"| 6070 Mbit/s || align="right"| 142.9 MHz<br />
|-<br />
| Luffa || Three step modules || align="right"| 2989 slices || align="right"| 8560 Mbit/s || align="right"| 308.2 MHz<br />
|}<br />
<br />
<br />
----<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="200"| Reference !! width="120"| HDL !! width="120"| Category !! width="100"| Impl. Scope !! width="120"| Technology<br />
|- <br />
| [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SAVAS_SHA3_NIST_final.pdf Akin et al.] [[#Ref034|[34]]] || N/A || [[#High-Speed_Implementations_(ASIC)|High-speed ASIC]] || [[#Implementation_of_Core_Functionality|Core functionality]] || Synopsys 90 nm<br />
|}<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="140"| Hash Function Name !! width="270"| Impl. Details !! width="90"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| Blue Midnight Wish || Compression function with f0, f1, and f2 unrolled in sequence || align="right"| 55.9 kGates || align="right"| 26320 Mbit/s || align="right"| 52.63 MHz<br />
|-<br />
| Keccak || One Keccak-f round per cycle || align="right"| 10.5 kGates || align="right"| 19320 Mbit/s || align="right"| 454.5 MHz<br />
|-<br />
| Luffa || Three step modules || align="right"| 11.5 kGates || align="right"| 21370 Mbit/s || align="right"| 769.2 MHz<br />
|}<br />
<br />
=== All 14 Round-Two Candidates ===<br />
<br />
Results are post-P&amp;R and include throughputs without interface overhead.<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="200"| Reference !! width="120"| HDL !! width="120"| Category !! width="100"| Impl. Scope !! width="120"| Technology<br />
|- <br />
| [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SCHAUMONT_SHA3.pdf Guo et al.] [[#Ref035|[35]]] || N/A || [[#High-Speed_Implementations_(ASIC)|High-speed ASIC]] || [[#Fully_Autonomous_Implementation|Fully autonomous]] || UMC 0.13 µm<br />
|}<br />
<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" align="center" class="wikitable"<br />
|- style="background:#efefef;"<br />
! width="140"| Hash Function Name !! width="270"| Impl. Details !! width="90"| Size !! width="80"| Throughput !! width="80"| Clock Frequency<br />
|-<br />
| BLAKE-32 || || align="right"| 43.52 kGates || align="right"| 4645 Mbit/s || align="right"| 200 MHz<br />
|-<br />
| Blue Midnight Wish-256 || || align="right"| 198.17 kGates || align="right"| 12220 Mbit/s || align="right"| 48 MHz<br />
|-<br />
| CubeHash16/32-256 || || align="right"| 38.18 kGates || align="right"| 4624 Mbit/s || align="right"| 289 MHz<br />
|-<br />
| ECHO-256 || || align="right"| 92.73 kGates || align="right"| 3366 Mbit/s || align="right"| 217 MHz<br />
|-<br />
| Fugue-256 || || align="right"| 91.09 kGates || align="right"| 2385 Mbit/s || align="right"| 149 MHz<br />
|-<br />
| Grøstl-256 || || align="right"| 110.11 kGates || align="right"| 9606 Mbit/s || align="right"| 188 MHz<br />
|-<br />
| Hamsi-256 || || align="right"| 29.94 kGates || align="right"| 3571 Mbit/s || align="right"| 446 MHz<br />
|-<br />
| JH-256 || || align="right"| 62.42 kGates || align="right"| 5128 Mbit/s || align="right"| 391 MHz<br />
|-<br />
| Keccak(-256) || || align="right"| 47.43 kGates || align="right"| 15457 Mbit/s || align="right"| 377 MHz<br />
|-<br />
| Luffa-256 || || align="right"| 37.94 kGates || align="right"| 13943 Mbit/s || align="right"| 490 MHz<br />
|-<br />
| Shabal-256 || || align="right"| 49.44 kGates || align="right"| 2945 Mbit/s || align="right"| 362 MHz<br />
|-<br />
| SHAvite-3<sub>256</sub> || || align="right"| 55.25 kGates || align="right"| 4599 Mbit/s || align="right"| 341 MHz<br />
|-<br />
| SIMD-256 || || align="right"| 139.55 kGates || align="right"| 2157 Mbit/s || align="right"| 194 MHz<br />
|-<br />
| Skein-256-256 || || align="right"| 40.9 kGates || align="right"| 1941 Mbit/s || align="right"| 159 MHz<br />
|}<br />
<br />
<br /><br />
<br /><br />
<br />
== References ==<br />
<br />
<div id="Ref001"><br />
[1] Jean-Philippe Aumasson, Luca Henzen, Willi Meier, and Raphael C.-W. Phan. SHA-3 proposal BLAKE (version 1.3). Available online at http://131002.net/blake/blake.pdf.<br />
</div><br />
<br />
<div id="Ref002"><br />
[2] A. H. Namin and M. A. Hasan. Hardware Implementation of the Compression Function for Selected SHA-3 Candidates. Available online at http://www.vlsi.uwaterloo.ca/~ahasan/hasan_report.html.<br />
</div><br />
<br />
<div id="Ref003"><br />
[3] Kazuyuki Kobayashi, Jun Ikegami, Shin'ichiro Matsuo, Kazuo Sakiyama, and Kazuo Ohta. Evaluation of Hardware Performance for the SHA-3 Candidates Using SASEBO-GII. IACR Eprint report 2010/010. Available online at http://eprint.iacr.org/2010/010.pdf.<br />
</div><br />
<br />
<div id="Ref004"><br />
[4] Brian Baldwin, Andrew Byrne, Mark Hamilton, Neil Hanley, Robert P. McEvoy, Weibo Pan, and William P. Marnane. FPGA Implementations of SHA-3 Candidates: CubeHash, Grøstl, LANE, Shabal and Spectral Hash. IACR Eprint report 2009/342. Available online at http://eprint.iacr.org/2009/342.pdf.<br />
</div><br />
<br />
<div id="Ref005"><br />
[5] Liang Lu, Maire O'Neil, and Earl Swartzlander. Hardware Evaluation of SHA-3 Hash Function Candidate ECHO. Presentation at the Clauce Shannon Institute Workshop on Coding and Cryptography 2009. Slides available online at http://www.ucc.ie/en/crypto/CodingandCryptographyWorkshop/TheClaudeShannonWorkshoponCodingCryptography2009/DocumentFile,75649,en.pdf.<br />
</div><br />
<br />
<div id="Ref006"><br />
[6] Bernhard Jungk, Steffen Reith, and Jürgen Apfelbeck. On Optimized FPGA Implementations of the SHA-3 Candidate Grøstl. IACR Eprint report 2009/206. Available online at http://eprint.iacr.org/2009/206.pdf.<br />
</div><br />
<br />
<div id="Ref007"><br />
[7] Praveen Gauravaram, Lars R. Knudsen, Krystian Matusievicz, Florian Mendel, Christian Rechberger, Martin Schläffer, and Søren S. Thomsen. Grøstl - a SHA-3 candidate (October 31, 2008). Available online at http://www.groestl.info/Groestl.pdf.<br />
</div><br />
<br />
<div id="Ref008"><br />
[8] Guido Bertoni, Joan Daemen, Michaël Peeters, and Gilles van Assche. KECCAK sponge function family main document (Version 1.2, April 23, 2009). Available online at http://keccak.noekeon.org/Keccak-main-1.2.pdf.<br />
</div><br />
<br />
<div id="Ref009"><br />
[9] Joachim Strömbergson. Implementation of the Keccak Hash Function in FPGA Devices. Available online at http://www.strombergson.com/files/Keccak_in_FPGAs.pdf.<br />
</div><br />
<br />
<div id="Ref010"><br />
[10] Romain Feron and Julien Francq. FPGA Implementation of Shabal: Our First Results (Version 2.0, February 19, 2010). Available online at http://www.shabal.com/wp-content/uploads/2010/03/FPGA-Implementation-of-Shabal-First-ResultsV2.0.pdf.<br />
</div><br />
<br />
<div id="Ref011"><br />
[11] Men Long. Implementing Skein Hash Function on Xilinx Virtex-5 FPGA Platform (Version 0.7, February 2, 2009). Available online at http://www.skein-hash.info/sites/default/files/skein_fpga.pdf.<br />
</div><br />
<br />
<div id="Ref012"><br />
[12] Stefan Tillich. Hardware Implementation of the SHA-3 Candidate Skein. IACR Eprint report 2009/159. Available online at http://eprint.iacr.org/2009/159.pdf.<br />
</div><br />
<br />
<div id="Ref013"><br />
[13] Jean-Luc Beuchat, Eiji Okamoto, and Teppei Yamazaki. Compact Implementations of BLAKE-32 and BLAKE-64 on FPGA. IACR Eprint report 2010/173. Available online at http://eprint.iacr.org/2010/173.pdf.<br />
</div><br />
<br />
<div id="Ref014"><br />
[14] Stefan Tillich, Martin Feldhofer, Mario Kirschbaum, Thomas Plos, Jörn-Marc Schmidt, and Alexander Szekely. High-Speed Hardware Implementations of BLAKE, Blue Midnight Wish, CubeHash, ECHO, Fugue, Grøstl, Hamsi, JH, Keccak, Luffa, Shabal, SHAvite-3, SIMD, and Skein. IACR Eprint report 2009/510. Available online at http://eprint.iacr.org/2009/510.pdf.<br />
</div><br />
<br />
<div id="Ref015"><br />
[15] Shai Halevi, William E. Hall, and Charanjit S. Jutla. The Hash Function Fugue (October 30, 2008). Available online at http://domino.research.ibm.com/comm/research_projects.nsf/pages/fugue.index.html/$FILE/NIST-submission-Oct08-fugue.pdf.<br />
</div><br />
<br />
<div id="Ref016"><br />
[16] Junfeng Fan. Hardware Evaluation of The Hash Function Hamsi. Available online at http://homes.esat.kuleuven.be/~okucuk/hamsi/implementations.html.<br />
</div><br />
<br />
<div id="Ref017"><br />
[17] Miroslav Knezevic and Ingrid Verbeiwhede. Hardware Evaluation of the Luffa Hash Family. 4th Workshop on Embedded Systems Security 2009. Available online at http://www.cosic.esat.kuleuven.be/publications/article-1282.pdf.<br />
</div><br />
<br />
<div id="Ref018"><br />
[18] Stefan Tillich, Martin Feldhofer, Wolfgang Issovits, Thomas Kern, Hermann Kureck, Michael Mühlberghuber, Georg Neubauer, Andreas Reiter, Armin Köfler, and Mathias Mayrhofer. Compact Hardware Implementations of the SHA-3 Candidates ARIRANG, BLAKE, Grøstl, and Skein. IACR Eprint report 2009/349. Available online at http://eprint.iacr.org/2009/349.pdf.<br />
</div><br />
<br />
<div id="Ref019"><br />
[19] Grøstl website. http://www.groestl.info/.<br />
</div><br />
<br />
<div id="Ref020"><br />
[20] Markus Bernet, Luca Henzen, Hubert Kaeslin, Norbert Felber, and Wolfgang Fichtner. Hardware Implementations of the SHA-3 Candidates Shabal and CubeHash. 52nd IEEE International Midwest Symposium on Circuits and Systems, 2009. Available online at http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=5236043.<br />
</div><br />
<br />
<div id="Ref021"><br />
[21] Michel Kinsy and Richard Uhler. SHA-3: FPGA Implementation of ESSENCE and ECHO Hash Algorithm Candidates Using Bluespec. Available online at http://csg.csail.mit.edu/6.375/6_375_2009_www/projects/group1_report.pdf.<br />
</div><br />
<br />
<div id="Ref022"><br />
[22] Bernhard Jungk and Steffen Reith. On FPGA-based implementations of Grøstl. IACR Eprint report 2010/260. Available online at http://eprint.iacr.org/2010/260.pdf.<br />
</div><br />
<br />
<div id="Ref023"><br />
[23] Jérémie Detrey, Pierre Gaudry, and Karim Khalfallah. A Low-Area yet Performant FPGA Implementation of Shabal. IACR Eprint report 2010/292. Available online at http://eprint.iacr.org/2010/292.pdf.<br />
</div><br />
<br />
<div id="Ref024"><br />
[24] Jean-Luc Beuchat, Eiji Okamoto, and Teppei Yamazaki. A Compact FPGA Implementation of the SHA-3 Candidate ECHO. IACR Eprint report 2010/364. Available online at http://eprint.iacr.org/2010/364.pdf.<br />
</div><br />
<br />
<div id="Ref025"><br />
[25] Wim Ramakers and Hans Narinx. Implementation and evaluation of SHA-3 candidates on FPGA. Extended abstract of Master Thesis &quot;Implementatie en Evaluatie van SHA-3-Kandidaten op FPGA&quot; (Dutch). Extended abstract available online at http://ehash.iaik.tugraz.at/uploads/1/12/Ramakers_Narinx2010ECHO-Hamsi-Luffa_ExtendedAbstract_ENGLISH.pdf. Full thesis available online at http://ehash.iaik.tugraz.at/uploads/6/62/Ramakers_Narinx2010ECHO-Hamsi-Luffa_Thesis_DUTCH.pdf.<br />
</div><br />
<br />
<div id="Ref026"><br />
[26] Julien Francq and Céline Thuillet. Unfolding Method for Shabal on Virtex-5 FPGAs: Concrete Results. IACR Eprint report 2010/406. Available online at http://eprint.iacr.org/2010/406.pdf.<br />
</div><br />
<br />
<div id="Ref027"><br />
[27] Shugo Mikami, Nagamasa Mizushima, Setsuko Nakamura, and Dai Watanabe. A Compact Hardware Implementation of SHA-3 Candidate Luffa. Available online at http://www.sdl.hitachi.co.jp/crypto/luffa/ACompactHardwareImplementationOfSHA-3CandidateLuffa_20100810.pdf.<br />
</div><br />
<br />
<div id="Ref028"><br />
[28] Imed Mabrouk and Ryad Benadjila. ECHO webpage (hardware subpage). http://crypto.rd.francetelecom.com/ECHO/hard/.<br />
</div><br />
<br />
<div id="Ref029"><br />
[29] Luca Henzen, Pietro Gendotti, Patrice Guillet, Enrico Pargaetzi, Martin Zoller, and Frank K. Gürkaynak. Developing a Hardware Evaluation Method for SHA-3 Candidates. 12th International Workshop on Cryptographic Hardware and Embedded Systems (CHES), 2010. Available online at http://www.springerlink.com/content/g0115v3272156r06/.<br />
</div><br />
<br />
<div id="Ref030"><br />
[30] Kris Gaj, Ekawat Homsirikamol, and Marcin Rogawski. Fair and Comprehensive Methodology for Comparing Hardware Performance of Fourteen Round Two SHA-3 Candidates Using FPGAs. 12th International Workshop on Cryptographic Hardware and Embedded Systems (CHES), 2010. Available online at http://www.springerlink.com/content/q41257x376615p22/.<br />
</div><br />
<br />
<div id="Ref031"><br />
[31] Brian Baldwin, Neil Hanley, Mark Hamilton, Liang Lu, Andrew Byrne, Maire O'Neill, and William P. Marnane. FPGA Implementations of the Round Two SHA-3 Candidates. Second SHA-3 Candidate Conference, 2010. Available online at http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/BALDWIN_FPGA_SHA3.pdf.<br />
</div><br />
<br />
<div id="Ref032"><br />
[32] Mohamed El Hadedy, Martin Margala, Danilo Gligoroski, and Svein J. Knapskog. Resource-Efficient Implementation of Blue Midnight Wish-256 Hash Function on Xilinx FPGA Platform. Second SHA-3 Candidate Conference, 2010. Available online at http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/El-Hadedy_SmallSizeFPGA-BMW256.pdf.<br />
</div><br />
<br />
<div id="Ref033"><br />
[33] Shin'ichiro Matsuo, Miroslav Knezevic, Patrick Schaumont, Ingrid Verbauwhede, Akashi Satoh, Kazuo Sakiyama, and Kazuo Ota. How Can We Conduct "Fair and Consistent" Hardware Evaluation for SHA-3 Candidate? Second SHA-3 Candidate Conference, 2010. Available online at http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/MATSUO_SHA-3_Criteria_Hardware_revised.pdf.<br />
</div><br />
<br />
<div id="Ref034"><br />
[34] Abdulkadir Akin, Aydin Aysu, Onur Can Ulusel, and Erkay Savas. Efficient Hardware Implementations of High Throughput SHA-3 Candidates Keccak, Luffa and Blue Midnight Wish for Single- and Multi-Message Hashing. Second SHA-3 Candidate Conference, 2010. Available online at http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SAVAS_SHA3_NIST_final.pdf.<br />
</div><br />
<br />
<div id="Ref035"><br />
[35] Xu Guo, Sinan Huang, Leyla Nazhandali, and Patrick Schaumont. Fair and Comprehensive Performance Evaluation of 14 Second Round SHA-3 ASIC Implementations. Second SHA-3 Candidate Conference, 2010. Available online at http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SCHAUMONT_SHA3.pdf.<br />
</div><br />
<br />
<div id="Ref036"><br />
[36] Jesse Walker, Farhana Sheikh, Sanu K. Mathew, and Ram Krishnamurthy. A Skein-512 Hardware Implementation. Available online at http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/WALKER_skein-intel-hwd.pdf.<br />
</div><br />
<br />
<div id="Ref037"><br />
[37] RCIS webpage. http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/implement.html.<br />
</div><br />
<br />
<div id="Ref038"><br />
[38] Akashi Satoh, Toshihiro Katashita, Takeshi Sugawara, Naofumi Homma, and Takafumi Aoki. Hardware Implementations of Hash Function Luffa. IEEE International Symposium on Hardware-Oriented Security and Trust (HOST), 2010. Available online at http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=5513102&tag=1.<br />
</div><br />
<br />
<div id="Ref039"><br />
[39] RCIS webpage (Other ASIC Implementations). http://staff.aist.go.jp/akashi.satoh/SASEBO/en/sha3/others.html.<br />
</div><br />
<br />
<div id="Ref040"><br />
[40] Luca Henzen, Jean-Philippe Aumasson, Willi Meier, and Raphael C.-W. Phan. VLSI Characterization of the Cryptographic Hash Function BLAKE. IEEE T VLSI, 2010. Available online at http://131002.net/data/papers/HAMP10.pdf.<br />
</div></div>
JAumasson
https://ehash.iaik.tugraz.at/index.php?title=Shabal&diff=3593
Shabal
2010-09-10T07:23:11Z
<p>JAumasson: Added observation from NIST mailing list</p>
<hr />
<div>== The algorithm ==<br />
<br />
* Author(s): Emmanuel Bresson, Anne Canteaut, Benoît Chevallier-Mames, Christophe Clavier, Thomas Fuhr, Aline Gouget, Thomas Icart, Jean-François Misarsky, Marìa Naya-Plasencia, Pascal Paillier, Thomas Pornin, Jean-René Reinhard, Céline Thuillet, Marion Videau<br />
* Website: http://www.shabal.com/<br />
* NIST submission package: <br />
** round 1/2: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/documents/Shabal_Round2.zip Shabal_Round2.zip] (old version: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/Shabal.zip Shabal.zip])<br />
<br />
<br />
<bibtex><br />
@misc{sha3CanteautCGPP08,<br />
author = {Emmanuel Bresson and Anne Canteaut and Benoît Chevallier-Mames and Christophe Clavier and Thomas Fuhr and Aline Gouget and Thomas Icart and Jean-François Misarsky and Marìa Naya-Plasencia and Pascal Paillier and Thomas Pornin and Jean-René Reinhard and Céline Thuillet and Marion Videau},<br />
title = {Shabal, a Submission to NIST’s Cryptographic Hash Algorithm Competition},<br />
url = {http://ehash.iaik.tugraz.at/uploads/6/6c/Shabal.pdf},<br />
howpublished = {Submission to NIST},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{cryptoeprint:2009:199,<br />
author = {Emmanuel Bresson and Anne Canteaut and Benoît Chevallier-Mames and Christophe Clavier and Thomas Fuhr and Aline Gouget and Thomas Icart and Jean-François Misarsky and Marìa Naya-Plasencia and Pascal Paillier and Thomas Pornin and Jean-René Reinhard and Céline Thuillet and Marion Videau},<br />
title = {Indifferentiability with Distinguishers: Why Shabal Does Not Require Ideal Ciphers},<br />
howpublished = {Cryptology ePrint Archive, Report 2009/199},<br />
year = {2009},<br />
url = {http://eprint.iacr.org/2009/199.pdf},<br />
abstract = {Shabal is based on a new provably secure mode of operation. Some related-key distinguishers for the underlying keyed permutation have been exhibited recently by Aumasson et al. and Knudsen et al., but with no visible impact on the security of Shabal. This paper then aims at extensively studying such distinguishers for the keyed permutation used in Shabal, and at clarifying the impact that they exert on the security of the full hash function. Most interestingly, a new security proof for Shabal's mode of operation is provided where the keyed permutation is not assumed to be an ideal cipher anymore, but observes a distinguishing property i.e., an explicit relation verified by all its inputs and outputs. As a consequence of this extended proof, all known distinguishers for the keyed permutation are proven not to weaken the security of Shabal. In our study, we provide the foundation of a generalization of the indifferentiability framework to biased random primitives, this part being of independent interest.},<br />
}<br />
</bibtex><br />
<br />
<br />
== Cryptanalysis ==<br />
<br />
We distinguish between two cases: results on the complete hash function, and results on underlying building blocks.<br />
<br />
A description of the tables is given [http://ehash.iaik.tugraz.at/wiki/Cryptanalysis_Categories#Individual_Hash_Function_Tables here].<br />
<br />
Recommended security parameters: (p,r)='''(3,12)'''<br />
<br />
=== Hash function ===<br />
<br />
Here we list results on the hash function according to the NIST requirements. The only allowed modification is to change the security parameter.<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Size (n) || Parameters || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| || || || || ||<br />
|- <br />
|}<br />
<br />
=== Building blocks ===<br />
<br />
Here we list results on underlying building blocks, and the hash function modified by other means than the security parameter.<br />
<br />
Note that these results assume more direct control or access over some internal variables (aka. free-start, pseudo, compression function, block cipher, or permutation attacks). <br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| | non-randomness<sup>(1)</sup> || permutation || all || || 2<sup>12</sup> || || [http://131002.net/data/papers/Aum09.pdf Aumasson]<br />
|- <br />
| | non-randomness<sup>(1)</sup> || permutation || all || || 1 || || [http://www.mat.dtu.dk/people/S.Thomsen/shabal/shabal.pdf Knudsen,Matusiewicz,Thomsen]<br />
|- <br />
| | non-randomness<sup>(1)</sup> || permutation || all || || 2 || || [http://131002.net/data/papers/AMM09.pdf Aumasson,Mashatan,Meier]<br />
|- <br />
| | non-randomness || permutation || all || || 2<sup>159</sup> || || [http://gva.noekeon.org/papers/ShabalRotation.pdf Van Assche]<br />
|- <br />
| | non-randomness || permutation || all || || 2<sup>21</sup> || || [http://eprint.iacr.org/2010/398.pdf Novotney]<br />
|- <br />
| | non-randomness || compression function || all || || 1 || || [http://eprint.iacr.org/2010/398.pdf Aumasson]<br />
|- <br />
|} <br />
<sup>(1)</sup>The Shabal team commented on these analyses and provide an update of their security proofs in [http://eprint.iacr.org/2009/199.pdf this note].<br />
<br />
<br />
<br />
<bibtex><br />
@misc{shabalAum09,<br />
author = {Jean-Philippe Aumasson},<br />
title = {On the pseudorandomness of Shabal's keyed permutation},<br />
url = {http://131002.net/data/papers/Aum09.pdf},<br />
howpublished = {Available online},<br />
year = {2009},<br />
abstract = {<br />
We report observations suggesting that the permutation used in<br />
Shabal does not behave pseudorandomly. This does not affect the<br />
security of Shabal as submitted to the NIST Hash Competition.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{shabalKMT09,<br />
author = {Lars R. Knudsen and Krystian Matusiewicz and Søren S. Thomsen},<br />
title = {Observations on the Shabal keyed permutation},<br />
url = {http://www.mat.dtu.dk/people/S.Thomsen/shabal/shabal.pdf },<br />
howpublished = {OFFICIAL COMMENT},<br />
year = {2009},<br />
abstract = {<br />
In this note we show that the permutation P used in the Shabal hash function, which is<br />
a candidate in the SHA-3 competition, has some non-random properties. As an example,<br />
it is easy to find a number of fixed points in the permutation. Moreover, large key-multicollisions<br />
can be easily found; these are multi-collisions where only the key input contains<br />
a difference. All observations are easily verified, and most of them are independent of the<br />
choice of security parameters. Our observations, on the other hand, do not seem extensible<br />
to the full hash function.<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{shabalAum09a,<br />
author = {Jean-Philippe Aumasson and Atefeh Mashatan and Willi Meier},<br />
title = {More on Shabal's permutation},<br />
url = {http://131002.net/data/papers/AMM09.pdf},<br />
howpublished = {OFFICIAL COMMENT},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{shabalVA10,<br />
author = {Gilles Van Assche},<br />
title = {A rotational distinguisher on Shabal's keyed permutation and its impact on the security proofs},<br />
url = {http://gva.noekeon.org/papers/ShabalRotation.pdf},<br />
howpublished = {Available online},<br />
year = {2010},<br />
abstract = {In this short note, we apply a rotational distinguisher to the keyed permutation of the SHA-3 candidate Shabal. We then discuss its applicability in the scope of Shabal's mode of operation and its impact on the security proofs.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{shabalNov10,<br />
author = {Peter Novotney},<br />
title = {Distinguisher for Shabal's Permutation Function},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/398},<br />
year = {2010},<br />
note = {\url{http://eprint.iacr.org/}},<br />
abstract = {In this note we consider the Shabal permutation function $\mathcal{P}$ as a block cipher with input $A_p$,$B_p$ and key $C$,$M$ and describe a distinguisher with a data complexity of $2^{23}$ random inputs with a given difference. If the attacker can control one chosen bit of $B_p$, only $2^{21}$ inputs with a given difference are required on average. This distinguisher does not appear to lead directly to an attack on the full Shabal construction. },<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{shabalAum10,<br />
author = {Jean-Philippe Aumasson},<br />
title = {Observation on Shabal},<br />
url = {http://ehash.iaik.tugraz.at/uploads/4/4b/Aumasson_shabal.txt}, <br />
howpublished = {NIST mailing list (local link)},<br />
year = {2010},<br />
}<br />
</bibtex></div>
JAumasson
https://ehash.iaik.tugraz.at/index.php?title=File:Aumasson_shabal.txt&diff=3592
File:Aumasson shabal.txt
2010-09-10T07:19:23Z
<p>JAumasson: </p>
<hr />
<div></div>
JAumasson
https://ehash.iaik.tugraz.at/index.php?title=Groestl&diff=3536
Groestl
2010-07-05T14:09:45Z
<p>JAumasson: /* Cryptanalysis */ moved semifreestart to second table</p>
<hr />
<div>== The algorithm ==<br />
<br />
* Author(s): Praveen Gauravaram, Lars R. Knudsen, Krystian Matusiewicz, Florian Mendel, Christian Rechberger, Martin Schläffer, Søren S. Thomsen<br />
* Website: [http://www.groestl.info http://www.groestl.info]<br />
* NIST submission package: <br />
** round 1/2: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/documents/Grostl_Round2.zip Grostl_Round2.zip] (old version: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/Grostl.zip Grostl.zip])<br />
<br />
<br />
<bibtex><br />
@misc{sha3groestl,<br />
author = {Praveen Gauravaram and Lars R. Knudsen and Krystian Matusiewicz and Florian Mendel and Christian Rechberger and Martin Schläffer and Søren S. Thomsen},<br />
title = {Grøstl -- a SHA-3 candidate},<br />
url = {http://www.groestl.info/Groestl.pdf},<br />
howpublished = {Submission to NIST},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{sha3groestl,<br />
author = {Praveen Gauravaram and Lars R. Knudsen and Krystian Matusiewicz and Florian Mendel and Christian Rechberger and Martin Schläffer and Søren S. Thomsen},<br />
title = {Grøstl Addendum},<br />
url = {http://groestl.info/Groestl-addendum.pdf},<br />
howpublished = {Available online},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
== Cryptanalysis ==<br />
<br />
We distinguish between two cases: results on the complete hash function, and results on underlying building blocks.<br />
<br />
A description of the tables is given [http://ehash.iaik.tugraz.at/wiki/Cryptanalysis_Categories#Individual_Hash_Function_Tables here].<br />
<br />
Recommended security parameter: '''10''' rounds (n=224,256); '''14''' rounds (n=384,512)<br />
<br />
=== Hash function ===<br />
<br />
Here we list results on the hash function according to the NIST requirements. The only allowed modification is to change the security parameter.<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Size (n) || Parameters || Compression Function Calls || Memory Requirements || Reference <br />
|-<br />
| collision || 224,256 || 5 rounds || 2<sup>48</sup> || 2<sup>32</sup> || [http://eprint.iacr.org/2010/375.pdf Ideguchi,Tischhauser,Preneel]<br />
|-<br />
| collision || 256 || 6 rounds || 2<sup>112</sup> || 2<sup>32</sup> || [http://eprint.iacr.org/2010/375.pdf Ideguchi,Tischhauser,Preneel]<br />
|-<br />
| collision || 224,256 || 4 rounds || 2<sup>64</sup> || 2<sup>64</sup> || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=128007&pCurrPk=47053 Mendel,Rechberger,Schläffer,Thomsen]<br />
|- <br />
| collision || 224,256 || 3 rounds || 2<sup>64</sup> || - || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=128007&pCurrPk=47053 Mendel,Rechberger,Schläffer,Thomsen]<br />
|- <br />
| collision || 384,512 || 5 rounds || 2<sup>176</sup> || 2<sup>64</sup> || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=128007&pCurrPk=47053 Mendel,Rechberger,Schläffer,Thomsen]<br />
|- <br />
| collision || 384,512 || 4 rounds || 2<sup>64</sup> || 2<sup>64</sup> || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=128007&pCurrPk=47053 Mendel,Rechberger,Schläffer,Thomsen]<br />
|- <br />
|} <br />
<br />
<br />
=== Building blocks ===<br />
<br />
Here we list results on underlying building blocks, and the hash function modified by other means than the security parameter.<br />
<br />
Note that these results assume more direct control or access over some internal variables (aka. free-start, pseudo, compression function, block cipher, or permutation attacks). <br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
<br />
| semi-free-start collision || compression function || 224,256 || 7 rounds || 2<sup>80</sup> || 2<sup>32</sup> || [http://eprint.iacr.org/2010/375.pdf Ideguchi,Tischhauser,Preneel]<br />
|-<br />
| semi-free-start collision || compression function || 224,256 || 8 rounds || 2<sup>192</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/375.pdf Ideguchi,Tischhauser,Preneel]<br />
|-<br />
| distinguisher || permutation || 224,256 || 7 rounds || 2<sup>19</sup> || - || [http://eprint.iacr.org/2010/375.pdf Ideguchi,Tischhauser,Preneel]<br />
|-<br />
| distinguisher || permutation || 224,256 || 8 rounds || 2<sup>64</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/375.pdf Ideguchi,Tischhauser,Preneel]<br />
|-<br />
| distinguisher || compression function || 256 || 10 rounds || 2<sup>192</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/223.pdf Peyrin]<br />
|- <br />
| distinguisher || compression function || 256 || 9 rounds || 2<sup>80</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/223.pdf Peyrin]<br />
|- <br />
| distinguisher || compression function || 512 || 11 rounds || 2<sup>640</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/223.pdf Peyrin]<br />
|- <br />
| semi-free-start collision || compression function || 256 || 7 rounds || 2<sup>120</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2009/531.pdf Gilbert,Peyrin]<br />
|- <br />
| distinguisher || compression function || 256 || 8 rounds || 2<sup>112</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2009/531.pdf Gilbert,Peyrin]<br />
|- <br />
| distinguisher || permutation || 256 || 8 rounds || 2<sup>112</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2009/531.pdf Gilbert,Peyrin]<br />
|- <br />
| semi-free-start collision || compression function || 256 || 7 rounds || 2<sup>120</sup> || 2<sup>64</sup> || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=128007&pCurrPk=47053 Mendel,Rechberger,Schläffer,Thomsen]<br />
|- <br />
| semi-free-start collision || compression function|| 384,512 || 7 rounds || 2<sup>152</sup> || 2<sup>64</sup> || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=128007&pCurrPk=47053 Mendel,Rechberger,Schläffer,Thomsen]<br />
|- <br />
| semi-free-start collision || compression function || 224,256 || 6 rounds || 2<sup>64</sup> || 2<sup>64</sup> || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=124407&pCurrPk=44420 Mendel,Peyrin,Rechberger,Schläffer]<br />
|- <br />
| distinguisher || output transformation || 224,256 || 7 rounds || 2<sup>56</sup> || - || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=124407&pCurrPk=44420 Mendel,Peyrin,Rechberger,Schläffer]<br />
|- <br />
| distinguisher || permutation || 224,256 || 7 rounds || 2<sup>55</sup> || - || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=124407&pCurrPk=44420 Mendel,Peyrin,Rechberger,Schläffer]<br />
|- <br />
| semi-free-start collision || compression function || 256 || 6 rounds || 2<sup>120</sup> || 2<sup>64</sup> || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=124409&pCurrPk=40943 Mendel,Rechberger,Schläffer,Thomsen]<br />
|- <br />
| semi-free-start collision || compression function || 224,256 || 5 rounds || 2<sup>64</sup> || - || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=124409&pCurrPk=40943 Mendel,Rechberger,Schläffer,Thomsen]<br />
|- <br />
| observation || hash || all || || || || [http://ehash.iaik.tugraz.at/uploads/d/d0/Grostl-comment-april28.pdf Kelsey]<br />
|- <br />
| observation || block cipher || all || || || || [http://www.larc.usp.br/~pbarreto/Grizzly.pdf Barreto]<br />
|- <br />
| free-start collision || compression function || all || any || 2<sup>2n/3</sup> || 2<sup>2n/3</sup> || [http://www.groestl.info/Groestl.pdf submission document]<br />
|- <br />
| pseudo-preimage || compression function || all || any || 2<sup>n</sup> || - || [http://www.groestl.info/Groestl.pdf submission document]<br />
|- <br />
|}<br />
<br />
<br />
<bibtex><br />
@misc{ITP10,<br />
author = {Kota Ideguchi and Elmar Tischhauser and Bart Preneel},<br />
title = {Improved Collision Attacks on the Reduced-Round Grøstl Hash Function},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/375},<br />
year = {2010},<br />
note = {\url{http://eprint.iacr.org/}},<br />
url = {http://eprint.iacr.org/2010/375.pdf},<br />
abstract = {We analyze the Gr{\o}stl hash function, which is a 2nd-round candidate of the SHA-3 competition. Using the start-from-the-middle variant of the rebound technique, we show collision attacks on the Gr{\o}stl-256 hash function reduced to 5 and 6 out of 10 rounds with time complexities $2^{48}$ and $2^{112}$, respectively. Furthermore, we demonstrate semi-free-start collision attacks on the Gr{\o}stl-224 and -256 hash functions reduced to 7 rounds and the Gr{\o}stl-224 and -256 compression functions reduced to 8 rounds. Our attacks are based on differential paths between the two permutations $P$ and $Q$ of Gr{\o}stl, a strategy introduced by Peyrin to construct distinguishers for the compression function. In this paper, we extend this approach to construct collision and semi-free-start collision attacks for both the hash and the compression function. Finally, we present improved distinguishers for reduced-round versions of the Gr{\o}stl-224 and -256 permutations.},<br />
}<br />
</bibtex> <br />
<br />
<bibtex> <br />
@misc{Pey10,<br />
author = {Thomas Peyrin},<br />
title = {Improved Differential Attacks for ECHO and Grostl},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/223},<br />
year = {2010},<br />
note = {\url{http://eprint.iacr.org/}},<br />
url = {http://eprint.iacr.org/2010/223.pdf},<br />
abstract = {We present improved cryptanalysis of two second-round SHA-3 candidates: the AES-based hash functions ECHO and Grostl. We explain methods for building better differential trails for ECHO by increasing the granularity of the truncated differential paths previously considered. In the case of Grostl, we describe a new technique, the internal differential attack, which shows that when using parallel computations designers should also consider the differential security between the parallel branches. Then, we exploit the recently introduced start-from-the-middle or Super-Sbox attacks, that proved to be very efficient when attacking AES-like permutations, to achieve a very efficient utilization of the available freedom degrees. Finally, we obtain the best known attacks so far for both ECHO and Grostl. In particular, we are able to mount a distinguishing attack for the full Grostl-256 compression function.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{fseGP10,<br />
author = {Henri Gilbert and Thomas Peyrin},<br />
title = {Super-Sbox Cryptanalysis: Improved Attacks for AES-like permutations},<br />
url = {http://eprint.iacr.org/2009/531.pdf},<br />
booktitle = {FSE},<br />
year = {2010},<br />
series = {LNCS},<br />
publisher = {Springer},<br />
note = {To appear}<br />
abstract = {In this paper, we improve the recent rebound and start-from-the-middle attacks on AES-like permutations. Our new cryptanalysis technique uses the fact that one can view two rounds of such permutations as a layer of big Sboxes preceded and followed by simple affine transformations. The big Sboxes encountered in this alternative representation are named Super-Sboxes. We apply this method to two second-round SHA-3 candidates Grostl and ECHO, and obtain improvements over the previous cryptanalysis results for these two schemes. Moreover, we improve the best distinguisher for the AES block cipher in the known-key setting, reaching 8 rounds for the 128-bit version.}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{ctrsaMRST10,<br />
author = {Florian Mendel and Christian Rechberger and Martin Schläffer and Søren S. Thomsen},<br />
title = {Rebound Attacks on the Reduced Grøstl Hash Function},<br />
url = {http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=128007&pCurrPk=47053},<br />
booktitle = {CT-RSA},<br />
year = {2010},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {5985},<br />
pages = {350-365},<br />
abstract = {Grøstl is one of 14 second round candidates of the<br />
NIST SHA-3 competition. Cryptanalytic results on the wide-pipe compression<br />
function of Grøstl-256 have already been published. However, little is known<br />
about the hash function, arguably a much more interesting cryptanalytic<br />
setting. Also, Grøstl-512 has not been analyzed yet. In this paper, we show<br />
the first cryptanalytic attacks on reduced-round versions of the Grøstl hash<br />
functions. These results are obtained by several extensions of the rebound<br />
attack. We present a collision attack on 4/10 rounds of the Grøstl-256 hash<br />
function and 5/14 rounds of the Grøstl-512 hash functions. Additionally, we<br />
give the best collision attack for reduced-round (7/10 and 7/14) versions of the<br />
compression function of Grøstl-256 and Grøstl-512.}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{sacMPRS09,<br />
author = {Florian Mendel and Thomas Peyrin and Christian<br />
Rechberger and Martin Schläffer},<br />
title = {Improved Cryptanalysis of the Reduced Grøstl<br />
Compression Function, ECHO Permutation and AES Block Cipher},<br />
url = {http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=124407&pCurrPk=44420},<br />
booktitle = {SAC},<br />
year = {2009},<br />
series = {LNCS},<br />
publisher = {Springer},<br />
volume = {5867},<br />
pages = {16-35},<br />
abstract = {In this paper, we propose two new ways to mount attacks<br />
on the SHA-3 candidates Gr{\o}stl, and ECHO, and apply these attacks<br />
also to the AES. Our results improve upon and extend the rebound<br />
attack. Using the new techniques, we are able to extend the number of<br />
rounds in which available degrees of freedom can be used. As a result,<br />
we present the first attack on 7 rounds for the Gr{\o}stl-256 output<br />
transformation and improve the semi-free-start collision attack on 6<br />
rounds. Further, we present an improved known-key distinguisher for 7<br />
rounds of the AES block cipher and the internal permutation used in<br />
ECHO.}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{fseMRST09,<br />
author = {Florian Mendel and Christian Rechberger and Martin Schläffer and Søren S. Thomsen},<br />
title = {The Rebound Attack: Cryptanalysis of Reduced Whirlpool and Grøstl},<br />
url = {http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=124409&pCurrPk=40943},<br />
booktitle = {FSE},<br />
editor = {Orr Dunkelman},<br />
year = {2009},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {5665},<br />
pages = {260-276},<br />
abstract = {In this work, we propose the rebound attack, a new tool<br />
for the cryptanalysis of hash functions. The idea of the rebound<br />
attack is to use the available degrees of freedom in a collision<br />
attack to efficiently bypass the low probability parts of a<br />
differential trail. The rebound attack consists of an inbound phase<br />
with a match-in-the-middle part to exploit the available degrees of<br />
freedom, and a subsequent probabilistic outbound phase. Especially on<br />
AES based hash functions, the rebound attack leads to new attacks for<br />
a surprisingly high number of<br />
rounds.<br />
We use the rebound attack to construct collisions for 4.5 rounds of<br />
the 512-bit hash function Whirlpool with a complexity of $2^{120}$<br />
compression function evaluations and negligible memory requirements.<br />
The attack can be extended to a near-collision on 7.5 rounds of the<br />
compression function of Whirlpool and 8.5 rounds of the similar hash<br />
function Maelstrom. Additionally, we apply the rebound attack to the<br />
SHA-3 submission Gr{\o}stl, which leads to an attack on 6 rounds of<br />
the Gr{\o}stl-256 compression function with a complexity of $2^{120}$<br />
and memory requirements of about $2^{64}$.}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{groestlK09,<br />
author = {John Kelsey},<br />
title = {Some notes on Grøstl},<br />
url = {http://ehash.iaik.tugraz.at/uploads/d/d0/Grostl-comment-april28.pdf},<br />
howpublished = {Available online},<br />
year = {2009},<br />
abstract = {These are some quick notes on some properties and<br />
observations of Grøstl. Nothing in this note threatens the hash<br />
function; instead, I'm pointing out some properties that are a bit<br />
surprising, and some broad approaches someone might take to get<br />
attacks to work.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{groestlB08,<br />
author = {Paulo S. L. M. Barreto},<br />
title = {An observation on Grøstl},<br />
url = {http://www.larc.usp.br/~pbarreto/Grizzly.pdf},<br />
howpublished = {Available online},<br />
year = {2008},<br />
abstract = {An alternative view of the Groestl SHA-3 submission is<br />
presented. It does not lead to an effective attack nor reveals a<br />
weakness in the design, but illustrates the importance of the<br />
double-width pipe in this construction.},<br />
}<br />
</bibtex></div>
JAumasson
https://ehash.iaik.tugraz.at/index.php?title=Groestl&diff=3535
Groestl
2010-07-05T12:58:19Z
<p>JAumasson: /* Cryptanalysis */ added Ideguchi/Tischhauser/Preneel results</p>
<hr />
<div>== The algorithm ==<br />
<br />
* Author(s): Praveen Gauravaram, Lars R. Knudsen, Krystian Matusiewicz, Florian Mendel, Christian Rechberger, Martin Schläffer, Søren S. Thomsen<br />
* Website: [http://www.groestl.info http://www.groestl.info]<br />
* NIST submission package: <br />
** round 1/2: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/documents/Grostl_Round2.zip Grostl_Round2.zip] (old version: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/Grostl.zip Grostl.zip])<br />
<br />
<br />
<bibtex><br />
@misc{sha3groestl,<br />
author = {Praveen Gauravaram and Lars R. Knudsen and Krystian Matusiewicz and Florian Mendel and Christian Rechberger and Martin Schläffer and Søren S. Thomsen},<br />
title = {Grøstl -- a SHA-3 candidate},<br />
url = {http://www.groestl.info/Groestl.pdf},<br />
howpublished = {Submission to NIST},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{sha3groestl,<br />
author = {Praveen Gauravaram and Lars R. Knudsen and Krystian Matusiewicz and Florian Mendel and Christian Rechberger and Martin Schläffer and Søren S. Thomsen},<br />
title = {Grøstl Addendum},<br />
url = {http://groestl.info/Groestl-addendum.pdf},<br />
howpublished = {Available online},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
== Cryptanalysis ==<br />
<br />
We distinguish between two cases: results on the complete hash function, and results on underlying building blocks.<br />
<br />
A description of the tables is given [http://ehash.iaik.tugraz.at/wiki/Cryptanalysis_Categories#Individual_Hash_Function_Tables here].<br />
<br />
Recommended security parameter: '''10''' rounds (n=224,256); '''14''' rounds (n=384,512)<br />
<br />
=== Hash function ===<br />
<br />
Here we list results on the hash function according to the NIST requirements. The only allowed modification is to change the security parameter.<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Size (n) || Parameters || Compression Function Calls || Memory Requirements || Reference <br />
|-<br />
| collision || 224,256 || 5 rounds || 2<sup>48</sup> || 2<sup>32</sup> || [http://eprint.iacr.org/2010/375.pdf Ideguchi,Tischhauser,Preneel]<br />
|-<br />
| collision || 256 || 6 rounds || 2<sup>112</sup> || 2<sup>32</sup> || [http://eprint.iacr.org/2010/375.pdf Ideguchi,Tischhauser,Preneel]<br />
|-<br />
| semi-free-start collision ||224,256 || 7 rounds || 2<sup>80</sup> || 2<sup>32</sup> || [http://eprint.iacr.org/2010/375.pdf Ideguchi,Tischhauser,Preneel]<br />
|-<br />
| collision || 224,256 || 4 rounds || 2<sup>64</sup> || 2<sup>64</sup> || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=128007&pCurrPk=47053 Mendel,Rechberger,Schläffer,Thomsen]<br />
|- <br />
| collision || 224,256 || 3 rounds || 2<sup>64</sup> || - || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=128007&pCurrPk=47053 Mendel,Rechberger,Schläffer,Thomsen]<br />
|- <br />
| collision || 384,512 || 5 rounds || 2<sup>176</sup> || 2<sup>64</sup> || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=128007&pCurrPk=47053 Mendel,Rechberger,Schläffer,Thomsen]<br />
|- <br />
| collision || 384,512 || 4 rounds || 2<sup>64</sup> || 2<sup>64</sup> || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=128007&pCurrPk=47053 Mendel,Rechberger,Schläffer,Thomsen]<br />
|- <br />
|} <br />
<br />
<br />
=== Building blocks ===<br />
<br />
Here we list results on underlying building blocks, and the hash function modified by other means than the security parameter.<br />
<br />
Note that these results assume more direct control or access over some internal variables (aka. free-start, pseudo, compression function, block cipher, or permutation attacks). <br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable sortable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| semi-free-start collision || compression function || 224,256 || 8 rounds || 2<sup>192</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/375.pdf Ideguchi,Tischhauser,Preneel]<br />
|-<br />
| distinguisher || permutation || 224,256 || 7 rounds || 2<sup>19</sup> || - || [http://eprint.iacr.org/2010/375.pdf Ideguchi,Tischhauser,Preneel]<br />
|-<br />
| distinguisher || permutation || 224,256 || 8 rounds || 2<sup>64</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/375.pdf Ideguchi,Tischhauser,Preneel]<br />
|-<br />
| distinguisher || compression function || 256 || 10 rounds || 2<sup>192</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/223.pdf Peyrin]<br />
|- <br />
| distinguisher || compression function || 256 || 9 rounds || 2<sup>80</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/223.pdf Peyrin]<br />
|- <br />
| distinguisher || compression function || 512 || 11 rounds || 2<sup>640</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/223.pdf Peyrin]<br />
|- <br />
| semi-free-start collision || compression function || 256 || 7 rounds || 2<sup>120</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2009/531.pdf Gilbert,Peyrin]<br />
|- <br />
| distinguisher || compression function || 256 || 8 rounds || 2<sup>112</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2009/531.pdf Gilbert,Peyrin]<br />
|- <br />
| distinguisher || permutation || 256 || 8 rounds || 2<sup>112</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2009/531.pdf Gilbert,Peyrin]<br />
|- <br />
| semi-free-start collision || compression function || 256 || 7 rounds || 2<sup>120</sup> || 2<sup>64</sup> || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=128007&pCurrPk=47053 Mendel,Rechberger,Schläffer,Thomsen]<br />
|- <br />
| semi-free-start collision || compression function|| 384,512 || 7 rounds || 2<sup>152</sup> || 2<sup>64</sup> || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=128007&pCurrPk=47053 Mendel,Rechberger,Schläffer,Thomsen]<br />
|- <br />
| semi-free-start collision || compression function || 224,256 || 6 rounds || 2<sup>64</sup> || 2<sup>64</sup> || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=124407&pCurrPk=44420 Mendel,Peyrin,Rechberger,Schläffer]<br />
|- <br />
| distinguisher || output transformation || 224,256 || 7 rounds || 2<sup>56</sup> || - || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=124407&pCurrPk=44420 Mendel,Peyrin,Rechberger,Schläffer]<br />
|- <br />
| distinguisher || permutation || 224,256 || 7 rounds || 2<sup>55</sup> || - || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=124407&pCurrPk=44420 Mendel,Peyrin,Rechberger,Schläffer]<br />
|- <br />
| semi-free-start collision || compression function || 256 || 6 rounds || 2<sup>120</sup> || 2<sup>64</sup> || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=124409&pCurrPk=40943 Mendel,Rechberger,Schläffer,Thomsen]<br />
|- <br />
| semi-free-start collision || compression function || 224,256 || 5 rounds || 2<sup>64</sup> || - || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=124409&pCurrPk=40943 Mendel,Rechberger,Schläffer,Thomsen]<br />
|- <br />
| observation || hash || all || || || || [http://ehash.iaik.tugraz.at/uploads/d/d0/Grostl-comment-april28.pdf Kelsey]<br />
|- <br />
| observation || block cipher || all || || || || [http://www.larc.usp.br/~pbarreto/Grizzly.pdf Barreto]<br />
|- <br />
| free-start collision || compression function || all || any || 2<sup>2n/3</sup> || 2<sup>2n/3</sup> || [http://www.groestl.info/Groestl.pdf submission document]<br />
|- <br />
| pseudo-preimage || compression function || all || any || 2<sup>n</sup> || - || [http://www.groestl.info/Groestl.pdf submission document]<br />
|- <br />
|}<br />
<br />
<br />
<bibtex><br />
@misc{ITP10,<br />
author = {Kota Ideguchi and Elmar Tischhauser and Bart Preneel},<br />
title = {Improved Collision Attacks on the Reduced-Round Grøstl Hash Function},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/375},<br />
year = {2010},<br />
note = {\url{http://eprint.iacr.org/}},<br />
url = {http://eprint.iacr.org/2010/375.pdf},<br />
abstract = {We analyze the Gr{\o}stl hash function, which is a 2nd-round candidate of the SHA-3 competition. Using the start-from-the-middle variant of the rebound technique, we show collision attacks on the Gr{\o}stl-256 hash function reduced to 5 and 6 out of 10 rounds with time complexities $2^{48}$ and $2^{112}$, respectively. Furthermore, we demonstrate semi-free-start collision attacks on the Gr{\o}stl-224 and -256 hash functions reduced to 7 rounds and the Gr{\o}stl-224 and -256 compression functions reduced to 8 rounds. Our attacks are based on differential paths between the two permutations $P$ and $Q$ of Gr{\o}stl, a strategy introduced by Peyrin to construct distinguishers for the compression function. In this paper, we extend this approach to construct collision and semi-free-start collision attacks for both the hash and the compression function. Finally, we present improved distinguishers for reduced-round versions of the Gr{\o}stl-224 and -256 permutations.},<br />
}<br />
</bibtex> <br />
<br />
<bibtex> <br />
@misc{Pey10,<br />
author = {Thomas Peyrin},<br />
title = {Improved Differential Attacks for ECHO and Grostl},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/223},<br />
year = {2010},<br />
note = {\url{http://eprint.iacr.org/}},<br />
url = {http://eprint.iacr.org/2010/223.pdf},<br />
abstract = {We present improved cryptanalysis of two second-round SHA-3 candidates: the AES-based hash functions ECHO and Grostl. We explain methods for building better differential trails for ECHO by increasing the granularity of the truncated differential paths previously considered. In the case of Grostl, we describe a new technique, the internal differential attack, which shows that when using parallel computations designers should also consider the differential security between the parallel branches. Then, we exploit the recently introduced start-from-the-middle or Super-Sbox attacks, that proved to be very efficient when attacking AES-like permutations, to achieve a very efficient utilization of the available freedom degrees. Finally, we obtain the best known attacks so far for both ECHO and Grostl. In particular, we are able to mount a distinguishing attack for the full Grostl-256 compression function.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{fseGP10,<br />
author = {Henri Gilbert and Thomas Peyrin},<br />
title = {Super-Sbox Cryptanalysis: Improved Attacks for AES-like permutations},<br />
url = {http://eprint.iacr.org/2009/531.pdf},<br />
booktitle = {FSE},<br />
year = {2010},<br />
series = {LNCS},<br />
publisher = {Springer},<br />
note = {To appear}<br />
abstract = {In this paper, we improve the recent rebound and start-from-the-middle attacks on AES-like permutations. Our new cryptanalysis technique uses the fact that one can view two rounds of such permutations as a layer of big Sboxes preceded and followed by simple affine transformations. The big Sboxes encountered in this alternative representation are named Super-Sboxes. We apply this method to two second-round SHA-3 candidates Grostl and ECHO, and obtain improvements over the previous cryptanalysis results for these two schemes. Moreover, we improve the best distinguisher for the AES block cipher in the known-key setting, reaching 8 rounds for the 128-bit version.}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{ctrsaMRST10,<br />
author = {Florian Mendel and Christian Rechberger and Martin Schläffer and Søren S. Thomsen},<br />
title = {Rebound Attacks on the Reduced Grøstl Hash Function},<br />
url = {http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=128007&pCurrPk=47053},<br />
booktitle = {CT-RSA},<br />
year = {2010},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {5985},<br />
pages = {350-365},<br />
abstract = {Grøstl is one of 14 second round candidates of the<br />
NIST SHA-3 competition. Cryptanalytic results on the wide-pipe compression<br />
function of Grøstl-256 have already been published. However, little is known<br />
about the hash function, arguably a much more interesting cryptanalytic<br />
setting. Also, Grøstl-512 has not been analyzed yet. In this paper, we show<br />
the first cryptanalytic attacks on reduced-round versions of the Grøstl hash<br />
functions. These results are obtained by several extensions of the rebound<br />
attack. We present a collision attack on 4/10 rounds of the Grøstl-256 hash<br />
function and 5/14 rounds of the Grøstl-512 hash functions. Additionally, we<br />
give the best collision attack for reduced-round (7/10 and 7/14) versions of the<br />
compression function of Grøstl-256 and Grøstl-512.}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{sacMPRS09,<br />
author = {Florian Mendel and Thomas Peyrin and Christian<br />
Rechberger and Martin Schläffer},<br />
title = {Improved Cryptanalysis of the Reduced Grøstl<br />
Compression Function, ECHO Permutation and AES Block Cipher},<br />
url = {http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=124407&pCurrPk=44420},<br />
booktitle = {SAC},<br />
year = {2009},<br />
series = {LNCS},<br />
publisher = {Springer},<br />
volume = {5867},<br />
pages = {16-35},<br />
abstract = {In this paper, we propose two new ways to mount attacks<br />
on the SHA-3 candidates Gr{\o}stl, and ECHO, and apply these attacks<br />
also to the AES. Our results improve upon and extend the rebound<br />
attack. Using the new techniques, we are able to extend the number of<br />
rounds in which available degrees of freedom can be used. As a result,<br />
we present the first attack on 7 rounds for the Gr{\o}stl-256 output<br />
transformation and improve the semi-free-start collision attack on 6<br />
rounds. Further, we present an improved known-key distinguisher for 7<br />
rounds of the AES block cipher and the internal permutation used in<br />
ECHO.}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{fseMRST09,<br />
author = {Florian Mendel and Christian Rechberger and Martin Schläffer and Søren S. Thomsen},<br />
title = {The Rebound Attack: Cryptanalysis of Reduced Whirlpool and Grøstl},<br />
url = {http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=124409&pCurrPk=40943},<br />
booktitle = {FSE},<br />
editor = {Orr Dunkelman},<br />
year = {2009},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {5665},<br />
pages = {260-276},<br />
abstract = {In this work, we propose the rebound attack, a new tool<br />
for the cryptanalysis of hash functions. The idea of the rebound<br />
attack is to use the available degrees of freedom in a collision<br />
attack to efficiently bypass the low probability parts of a<br />
differential trail. The rebound attack consists of an inbound phase<br />
with a match-in-the-middle part to exploit the available degrees of<br />
freedom, and a subsequent probabilistic outbound phase. Especially on<br />
AES based hash functions, the rebound attack leads to new attacks for<br />
a surprisingly high number of<br />
rounds.<br />
We use the rebound attack to construct collisions for 4.5 rounds of<br />
the 512-bit hash function Whirlpool with a complexity of $2^{120}$<br />
compression function evaluations and negligible memory requirements.<br />
The attack can be extended to a near-collision on 7.5 rounds of the<br />
compression function of Whirlpool and 8.5 rounds of the similar hash<br />
function Maelstrom. Additionally, we apply the rebound attack to the<br />
SHA-3 submission Gr{\o}stl, which leads to an attack on 6 rounds of<br />
the Gr{\o}stl-256 compression function with a complexity of $2^{120}$<br />
and memory requirements of about $2^{64}$.}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{groestlK09,<br />
author = {John Kelsey},<br />
title = {Some notes on Grøstl},<br />
url = {http://ehash.iaik.tugraz.at/uploads/d/d0/Grostl-comment-april28.pdf},<br />
howpublished = {Available online},<br />
year = {2009},<br />
abstract = {These are some quick notes on some properties and<br />
observations of Grøstl. Nothing in this note threatens the hash<br />
function; instead, I'm pointing out some properties that are a bit<br />
surprising, and some broad approaches someone might take to get<br />
attacks to work.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{groestlB08,<br />
author = {Paulo S. L. M. Barreto},<br />
title = {An observation on Grøstl},<br />
url = {http://www.larc.usp.br/~pbarreto/Grizzly.pdf},<br />
howpublished = {Available online},<br />
year = {2008},<br />
abstract = {An alternative view of the Groestl SHA-3 submission is<br />
presented. It does not lead to an effective attack nor reveals a<br />
weakness in the design, but illustrates the importance of the<br />
double-width pipe in this construction.},<br />
}<br />
</bibtex></div>
JAumasson
https://ehash.iaik.tugraz.at/index.php?title=BLAKE&diff=3507
BLAKE
2010-05-27T12:28:50Z
<p>JAumasson: added Gligoroski's paper</p>
<hr />
<div>== The algorithm ==<br />
<br />
* Author(s): Jean-Philippe Aumasson, Luca Henzen, Willi Meier, Raphael C.-W. Phan<br />
* Website: [http://131002.net/blake/ http://131002.net/blake/]<br />
* NIST submission package: <br />
** round 1/2: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/documents/BLAKE_Round2.zip BLAKE_Round2.zip] (old versions: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/BLAKE.zip BLAKE.zip], [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/BLAKEUpdate.zip BLAKEUpdate.zip])<br />
<br />
<br />
<bibtex><br />
@misc{sha3AumassonHMP08,<br />
author = {Jean-Philippe Aumasson and Luca Henzen and Willi Meier and Raphael C.-W. Phan},<br />
title = {SHA-3 proposal BLAKE},<br />
url = {http://131002.net/blake/blake.pdf},<br />
howpublished = {Submission to NIST},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
<br />
== Cryptanalysis ==<br />
<br />
We distinguish between two cases: results on the complete hash function, and results on underlying building blocks.<br />
<br />
A description of the tables is given [http://ehash.iaik.tugraz.at/wiki/Cryptanalysis_Categories#Individual_Hash_Function_Tables here].<br />
<br />
Recommended security parameter: '''10''' rounds (n=224,256); '''14''' rounds (n=384,512)<br />
<br />
=== Hash function ===<br />
<br />
Here we list results on the hash function according to the NIST requirements. The only allowed modification is to change the security parameter.<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Size (n) || Parameters || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| preimage || 224,256 || 2.5 rounds || 2<sup>n-15</sup> || - || [http://eprint.iacr.org/2009/238.pdf Ji,Liangyu]<br />
|-<br />
| preimage || 384 || 2.5 rounds || 2<sup>355</sup> || - || [http://eprint.iacr.org/2009/238.pdf Ji,Liangyu]<br />
|-<br />
| preimage || 512 || 2.5 rounds || 2<sup>481</sup> || - || [http://eprint.iacr.org/2009/238.pdf Ji,Liangyu]<br />
|-<br />
|} <br />
<br />
<br />
=== Building blocks ===<br />
<br />
Here we list results on underlying building blocks, and the hash function modified by other means than the security parameter.<br />
<br />
Note that these results assume more direct control or access over some internal variables (aka. free-start, pseudo, compression function, block cipher, or permutation attacks). <br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements || Reference <br />
|-<br />
| observations || hash || all || || || || [http://people.item.ntnu.no/~danilog/Hash/Non-random-behaviour-narrow-pipe-designs-03.pdf Gligoroski]<br />
|-<br />
| impossible differential || permutation || 224,256 || 5 rounds || - || - || [http://eprint.iacr.org/2010/043.pdf Aumasson,Guo,Knellwolf,Matusiewicz,Meier]<br />
|-<br />
| impossible differential || permutation || 384,512 || 6 rounds || - || - || [http://eprint.iacr.org/2010/043.pdf Aumasson,Guo,Knellwolf,Matusiewicz,Meier]<br />
|-<br />
| near-collision || compression function || 256 || 4 rounds (nb. 3-6) || 2<sup>56</sup> || - || [http://www.jguo.org/docs/blake-col.pdf Guo,Matusiewicz]<br />
|-<br />
| free-start collision || hash || 224,256 || 2.5 rounds || 2<sup>n/2-16</sup> || - || [http://eprint.iacr.org/2009/238.pdf Ji,Liangyu]<br />
|-<br />
| free-start collision || hash || 384,512 || 2.5 rounds || 2<sup>n/2-32</sup> || - || [http://eprint.iacr.org/2009/238.pdf Ji,Liangyu]<br />
|-<br />
|} <br />
<br />
<br />
<bibtex><br />
@misc{blakeGli10,<br />
author = {Danilo Gligoroski},<br />
title = {Narrow-pipe SHA-3 candidates differ significantly from ideal random functions defined over big domains},<br />
url = {http://people.item.ntnu.no/~danilog/Hash/Non-random-behaviour-narrow-pipe-designs-03.pdf},<br />
howpublished = {NIST mailing list},<br />
year = {2010},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{cryptoeprint:2010:043,<br />
author = {Jean-Philippe Aumasson and Jian Guo and Simon Knellwolf<br />
and Krystian Matusiewicz and Willi Meier},<br />
title = {Differential and invertibility properties of BLAKE (full version)},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/043},<br />
year = {2010},<br />
url = {http://eprint.iacr.org/2010/043.pdf},<br />
abstract = {BLAKE is a hash function selected by NIST as one of<br />
the 14 second round candidates for the SHA-3 Competition. In this<br />
paper, we follow a bottom-up approach to exhibit properties of BLAKE<br />
and of its building blocks: based on differential properties of the<br />
internal function G, we show that a round of BLAKE is a permutation on<br />
the message space, and present an efficient inversion algorithm. For<br />
1.5 rounds we present an algorithm that finds preimages faster than in<br />
previous attacks. Discovered properties lead us to describe large<br />
classes of impossible differentials for two rounds of BLAKE’s internal<br />
permutation, and particular impossible differentials for five and six<br />
rounds, respectively for BLAKE- 32 and BLAKE-64. Then, using a linear<br />
and rotation-free model, we describe near-collisions for four rounds<br />
of the compression function. Finally, we discuss the problem of<br />
establishing upper bounds on the probability of differential<br />
characteristics for BLAKE.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{blakeGM09,<br />
author = {Jian Guo and Krystian Matusiewicz},<br />
title = {Round-Reduced Near-Collisions of BLAKE-32},<br />
url = {http://www.jguo.org/docs/blake-col.pdf},<br />
howpublished = {Available online},<br />
note = {Accepted for presentation at WEWoRC 2009},<br />
year = {2009}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{cryptoeprint:2009:238,<br />
author = {Li Ji and Xu Liangyu },<br />
title = {Attacks on Round-Reduced BLAKE},<br />
howpublished = {Cryptology ePrint Archive, Report 2009/238},<br />
year = {2009},<br />
note = {\url{http://eprint.iacr.org/}},<br />
url = {http://eprint.iacr.org/2009/238.pdf},<br />
abstract = {BLAKE is a new hash family proposed for SHA-3. The<br />
core of compression function reuses the core function of ChaCha. A<br />
round-dependent permutation is used as message schedule. BLAKE is<br />
claimed to achieve full diffusion after 2 rounds. However, message<br />
words can be controlled on the first several founds. By exploiting<br />
properties of message permutation, we can attack 2.5 reduced rounds.<br />
The results do not threat the security claimed in the specification.<br />
},<br />
}<br />
</bibtex></div>
JAumasson
https://ehash.iaik.tugraz.at/index.php?title=SHAvite-3&diff=3506
SHAvite-3
2010-05-27T12:27:34Z
<p>JAumasson: added Gligoroski's paper</p>
<hr />
<div>== The algorithm ==<br />
<br />
* Author(s): Eli Biham and Orr Dunkelman<br />
* Website: [http://www.cs.technion.ac.il/~orrd/SHAvite-3/ http://www.cs.technion.ac.il/~orrd/SHAvite-3/]<br />
* NIST submission package:<br />
** round 1: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/SHAvite3Update.zip SHAvite3Update.zip] (old version: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/SHAvite-3.zip SHAvite-3.zip])<br />
** round 2: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/documents/SHAvite-3_Round2.zip SHAvite-3_Round2.zip]<br />
<br />
<br />
<bibtex><br />
@misc{sha3BihamD09,<br />
author = {Eli Biham and Orr Dunkelman},<br />
title = {The SHAvite-3 Hash Function},<br />
url = {http://www.cs.technion.ac.il/~orrd/SHAvite-3/Spec.15.09.09.pdf},<br />
howpublished = {Submission to NIST (Round 2)},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{sha3BihamD08,<br />
author = {Eli Biham and Orr Dunkelman},<br />
title = {The SHAvite-3 Hash Function},<br />
url = {http://ehash.iaik.tugraz.at/uploads/f/f5/Shavite.pdf},<br />
howpublished = {Submission to NIST (Round 1)},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
<br />
== Cryptanalysis ==<br />
<br />
We distinguish between two cases: results on the complete hash function, and results on underlying building blocks.<br />
<br />
A description of the tables is given [http://ehash.iaik.tugraz.at/wiki/Cryptanalysis_Categories#Individual_Hash_Function_Tables here].<br />
<br />
Recommended security parameter: '''12''' rounds (n=224,256); '''14''' rounds (n=384,512)<br />
<br />
=== Hash function ===<br />
<br />
Here we list results on the hash function according to the NIST requirements. The only allowed modification is to change the security parameter.<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Size (n) || Parameters || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| second preimage || 512 || 10 rounds || 2<sup>497</sup> || 2<sup>16</sup> || [http://online.tu-graz.ac.at/tug_online/voe_main2.getvolltext?pCurrPk=49974 Gauravaram et al.]<br />
|- <br />
| second preimage || 512 || 9 rounds || 2<sup>496</sup> || 2<sup>16</sup> || [http://eprint.iacr.org/2009/634.pdf Bouillaguet et al.]<br />
|- <br />
|} <br />
<br />
<br />
=== Building blocks ===<br />
<br />
Here we list results on underlying building blocks, and the hash function modified by other means than the security parameter.<br />
<br />
Note that these results assume more direct control or access over some internal variables (aka. free-start, pseudo, compression function, block cipher, or permutation attacks). <br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| observations || hash || all || || || || [http://people.item.ntnu.no/~danilog/Hash/Non-random-behaviour-narrow-pipe-designs-03.pdf Gligoroski]<br />
|-<br />
| pseudo-preimage || compression || 512 || 14 rounds || 2<sup>384+s</sup> || 2<sup>128-s</sup> || [http://online.tu-graz.ac.at/tug_online/voe_main2.getvolltext?pCurrPk=49974 Gauravaram et al.]<br />
|- <br />
| pseudo-collision || compression || 512 || 14 rounds || 2<sup>192</sup> || 2<sup>128</sup> || [http://online.tu-graz.ac.at/tug_online/voe_main2.getvolltext?pCurrPk=49974 Gauravaram et al.]<br />
|- <br />
| pseudo-collision || compression || all || full (Round 1) || || || [http://ehash.iaik.tugraz.at/uploads/e/ea/Peyrin-SHAvite-3.txt Peyrin]<br />
|- <br />
| pseudo-collision || compression || 256 || full (Round 1) || || || [http://ehash.iaik.tugraz.at/uploads/5/5c/NandiP-SHAvite-3.txt Nandi,Paul]<br />
|-<br />
| impossible differential || block cipher || 224,256 || 5 rounds || - || - || [http://www.cs.technion.ac.il/~orrd/SHAvite-3/Spec.15.09.09.pdf submission document]<br />
|-<br />
| impossible differential || block cipher || 384,512 || 9 rounds || - || - || [http://www.cs.technion.ac.il/~orrd/SHAvite-3/Spec.15.09.09.pdf submission document]<br />
|-<br />
|} <br />
<br />
<br />
<bibtex><br />
@misc{shaviteGli10,<br />
author = {Danilo Gligoroski},<br />
title = {Narrow-pipe SHA-3 candidates differ significantly from ideal random functions defined over big domains},<br />
url = {http://people.item.ntnu.no/~danilog/Hash/Non-random-behaviour-narrow-pipe-designs-03.pdf},<br />
howpublished = {NIST mailing list},<br />
year = {2010},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{africacryptGauravaramLMNPRS10,<br />
author = {Praveen Gauravaram and Gaëtan Leurent and Florian Mendel and Maria Naya-Plasencia and Thomas Peyrin and Christian Rechberger and Martin Schläffer},<br />
title = {Cryptanalysis of the 10-Round Hash and Full Compression Function of SHAvite-3-512},<br />
booktitle = {Africacrypt},<br />
year = {2010},<br />
editor = {Daniel J. Bernstein and Tanja Lange},<br />
volume = {6055},<br />
series = {LNCS},<br />
pages = {419 - 436},<br />
publisher = {Springer},<br />
url= {http://online.tu-graz.ac.at/tug_online/voe_main2.getvolltext?pCurrPk=49974},<br />
abstract = {In this paper, we analyze the SHAvite-3-512 hash function, as proposed and tweaked for round 2 of the SHA-3 competition. We present cryptanalytic results on 10 out of 14 rounds of the hash function SHAvite-3-512, and on the full 14 round compression function of SHAvite-3-512. We show a second preimage attack on the hash function reduced to 10 rounds with a complexity of $2^{497}$ compression function evaluations and $2^{16}$ memory. For the full 14-round compression function, we give a chosen counter, chosen salt preimage attack with $2^{384}$ compression function evaluations and $2^{128}$ memory (or complexity $2^{448}$ without memory), and a collision attack with $2^{192}$ compression function evaluations and $2^{128}$ memory.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{cryptoeprint:2009:634,<br />
author = {Charles Bouillaguet and Orr Dunkelman and Gaëtan Leurent and Pierre-Alain Fouque},<br />
title = {Attacks on Hash Functions based on Generalized Feistel - Application to Reduced-Round Lesamnta and SHAvite-3_{512}},<br />
howpublished = {Cryptology ePrint Archive, Report 2009/634},<br />
year = {2009},<br />
url= {http://eprint.iacr.org/2009/634.pdf},<br />
abstract = {In this paper we study the strength of two hash functions which are based on Generalized Feistels. Our proposed attacks themselves are mostly independent of the round function in use, and can be applied to similar hash functions which share the same structure but have different round functions.<br />
<br />
We start with a 22-round generic attack on the structure of Lesamnta, and adapt it to the actual round function to attack 24-round Lesamnta. We then show a generic integral attack on 20-round Lesamnta (which can be used against the block cipher itself). We follow with an attack on 9-round SHAvite-3_{512} which is the first cryptanalytic result on the hash function (which also works for the tweaked version of SHAvite-3_{512}).},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{Peyrin-SHAvite-3,<br />
author = {Thomas Peyrin},<br />
title = {Chosen-salt, chosen-counter, pseudo-collision on SHAvite-3 compression function},<br />
url = {http://ehash.iaik.tugraz.at/uploads/e/ea/Peyrin-SHAvite-3.txt},<br />
howpublished = {Available online},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{NandiP-SHAvite-3,<br />
author = {Mridul Nandi and Souradyuti Paul},<br />
title = {OFFICIAL COMMENT: SHAvite-3},<br />
url = {http://ehash.iaik.tugraz.at/uploads/5/5c/NandiP-SHAvite-3.txt},<br />
howpublished = {Available online},<br />
year = {2009},<br />
}<br />
</bibtex></div>
JAumasson
https://ehash.iaik.tugraz.at/index.php?title=Hamsi&diff=3505
Hamsi
2010-05-27T12:27:08Z
<p>JAumasson: added Gligoroski's paper</p>
<hr />
<div>== The algorithm ==<br />
<br />
* Author(s): Özgül Kücük<br />
* Website: [http://homes.esat.kuleuven.be/~okucuk/hamsi/ http://homes.esat.kuleuven.be/~okucuk/hamsi/]<br />
* NIST submission package: <br />
**round 1/2: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/documents/Hamsi_Round2.zip Hamsi_Round2.zip] (old versions: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/Hamsi.zip Hamsi.zip], [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/HamsiUpdate.zip HamsiUpdate.zip])<br />
<br />
<br />
<bibtex><br />
@misc{sha3Kucuk09,<br />
author = {Özgül Küçük},<br />
title = {The Hash Function Hamsi},<br />
url = {http://www.cosic.esat.kuleuven.be/publications/article-1203.pdf},<br />
howpublished = {Submission to NIST (updated)},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{sha3Kucuk08,<br />
author = {Özgül Küçük},<br />
title = {The Hash Function Hamsi},<br />
url = {http://ehash.iaik.tugraz.at/uploads/9/95/Hamsi.pdf},<br />
howpublished = {Submission to NIST},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
== Cryptanalysis ==<br />
<br />
We distinguish between two cases: results on the complete hash function, and results on underlying building blocks.<br />
<br />
A description of the tables is given [http://ehash.iaik.tugraz.at/wiki/Cryptanalysis_Categories#Individual_Hash_Function_Tables here].<br />
<br />
Recommended security parameters: '''(3,6)''' P,P<sub>f</sub> rounds (n=224,256); '''(6,12)''' P,P<sub>f</sub> rounds (n=384,512).<br />
<br />
=== Hash function ===<br />
<br />
Here we list results on the actual hash function. The only allowed modification is to change the security parameter.<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| || || || || || ||<br />
|- <br />
|} <br />
<br />
<br />
=== Building blocks ===<br />
<br />
Here we list results on underlying building blocks, and the hash function modified by other means than the security parameter.<br />
<br />
Note that these results assume more direct control or access over some internal variables (aka. free-start, pseudo, compression function, block cipher, or permutation attacks). <br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements || Reference <br />
|-<br />
| observations || hash || all || || || || [http://people.item.ntnu.no/~danilog/Hash/Non-random-behaviour-narrow-pipe-designs-03.pdf Gligoroski]<br />
|-<br />
| non-randomness || compression function || 224, 256 || 5 rounds || || || [http://ehash.iaik.tugraz.at/uploads/d/db/Hamsi_nonrandomness.txt Aumasson]<br />
|-<br />
| near-collision || compression function || 224, 256 || 3 rounds || 2<sup>21</sup> || || [http://rump2009.cr.yp.to/936779b3afb9b48a404b487d6865091d.pdf Nikolic]<br />
|-<br />
| distinguisher || compression function || 224, 256 || 6 rounds || 2<sup>27</sup> || || [http://www.131002.net/data/papers/AM09.pdf Aumasson,Meier]<br />
|-<br />
| distinguisher || compression function || 384, 512 || 12 rounds || 2<sup>729</sup> || || [http://www.131002.net/data/papers/AM09.pdf Aumasson,Meier]<br />
|-<br />
| near-collision || compression function || 224, 256 || 3 rounds || 2<sup>5</sup> || || [http://eprint.iacr.org/2009/484.pdf Wang,Wang,Jia,Wang]<br />
|-<br />
| near-collision || compression function || 224, 256 || 4 rounds || 2<sup>32</sup> || || [http://eprint.iacr.org/2009/484.pdf Wang,Wang,Jia,Wang]<br />
|-<br />
| near-collision || compression function || 224, 256 || 5 rounds || 2<sup>125</sup> || || [http://eprint.iacr.org/2009/484.pdf Wang,Wang,Jia,Wang]<br />
|-<br />
| message-recovery || compression function || 224, 256 || 3 rounds || 2<sup>10.48</sup> || || [http://eprint.iacr.org/2010/057.pdf Calik,Turan]<br />
|-<br />
| pseudo-2nd-preimage || hash function || 256 || (3,6) rounds || 2<sup>254.25</sup> || || [http://eprint.iacr.org/2010/057.pdf Calik,Turan]<br />
|-<br />
|}<br />
<br />
<br />
<bibtex><br />
@misc{hamsiGli10,<br />
author = {Danilo Gligoroski},<br />
title = {Narrow-pipe SHA-3 candidates differ significantly from ideal random functions defined over big domains},<br />
url = {http://people.item.ntnu.no/~danilog/Hash/Non-random-behaviour-narrow-pipe-designs-03.pdf},<br />
howpublished = {NIST mailing list},<br />
year = {2010},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{hamsiAum09,<br />
author = {Jean-Philippe Aumasson},<br />
title = {On the pseudorandomness of Hamsi},<br />
url = {http://ehash.iaik.tugraz.at/uploads/d/db/Hamsi_nonrandomness.txt},<br />
howpublished = {NIST mailing list (local link)},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{hamsiN09,<br />
author = {Ivica Nikolic},<br />
title = {Near Collisions for the Compression Function of Hamsi-256},<br />
url = {http://rump2009.cr.yp.to/936779b3afb9b48a404b487d6865091d.pdf},<br />
howpublished = {CRYPTO rump session},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{hamsiAM9,<br />
author = {Jean-Philippe Aumasson and Willi Meier},<br />
title = {Zero-sum distinguishers for reduced Keccak-f and for the core functions of Luffa and Hamsi},<br />
url = {http://www.131002.net/data/papers/AM09.pdf},<br />
howpublished = {NIST mailing list},<br />
year = {2009},<br />
abstract = {We present a new type of distinguisher, called zero-sum distinguisher, and apply it to reduced versions of the Keccak-f permutation. We obtain practical and deterministic distinguishers on up to 9 rounds, and shortcut distinguishers on up to 16 rounds, out of 18 in total. These observations do not seem to affect the security of Keccak. We also briefly describe application of zero-sum distinguishers to the core permutations of Luffa and Hamsi.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{hamsiWWJW09,<br />
author = {Meiqin Wang, Xiaoyun Wang, Keting Jia, Wei Wang},<br />
title = {New Pseudo-Near-Collision Attack on Reduced-Round of Hamsi-256},<br />
howpublished = {Cryptology ePrint Archive, Report 2009/484},<br />
year = {2009},<br />
note = {\url{http://eprint.iacr.org/}},<br />
url = {http://eprint.iacr.org/2009/484.pdf},<br />
abstract = {Hamsi-256 is designed by Özgül Kücük and it has been a candidate Hash function for the second round of SHA-3. The compression function of Hamsi-256 maps a 256-bit chaining value and a 32-bit message to a new 256-bit chaining value. As hashing a message, Hamsi-256 operates 3-round except for the last message it operates 6-round. In this paper, we will give the pseudo-near-collision for 5-round Hamsi-256. By the message modifying, the pseudo-near-collision for 3, 4 and 5 rounds can be found with $2^5$, $2^{32}$ and $2^{125}$ compression function computations respectively.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{hamsiWWJW09,<br />
author = {Cagdas Calik and Meltem Sonmez Turan},<br />
title = {Message Recovery and Pseudo-Preimage Attacks on the Compression Function of Hamsi-256},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/057}},<br />
year = {2010},<br />
note = {\url{http://eprint.iacr.org/}},<br />
url = {http://eprint.iacr.org/2010/057.pdf},<br />
abstract = {Hamsi is one of the second round candidates of the SHA-3<br />
competition. In this study, we present non-random differential proper-<br />
ties for the compression function of the hash function Hamsi-256. Based<br />
on these properties, we first demonstrate a distinguishing attack that<br />
requires a few evaluations of the compression function and extend the<br />
distinguisher to 5 rounds with complexity 2^83 . Then, we present a mes-<br />
sage recovery attack with complexity of 2^10.48 compression function evaluations. Also, we present a pseudo-preimage attack for the compression<br />
function with complexity 2^254.25 . The pseudo-preimage attack on the<br />
compression function is easily converted to a pseudo second preimage<br />
attack on Hamsi-256 hash function with the same complexity.},<br />
}<br />
</bibtex></div>
JAumasson
https://ehash.iaik.tugraz.at/index.php?title=Skein&diff=3504
Skein
2010-05-27T12:25:10Z
<p>JAumasson: added Gligoroski's paper</p>
<hr />
<div>== The algorithm ==<br />
<br />
* Author(s): Niels Ferguson, Stefan Lucks, Bruce Schneier, Doug Whiting, Mihir Bellare, Tadayoshi Kohno, Jon Callas, Jesse Walker<br />
* Website: [http://www.schneier.com/skein.html http://www.schneier.com/skein.html]; [http://skein-hash.info/ http://skein-hash.info/]<br />
* NIST submission package: <br />
** round 1: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/SkeinUpdate.zip SkeinUpdate.zip] (old version: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/Skein.zip Skein.zip])<br />
** round 2: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/documents/Skein_Round2.zip Skein_Round2.zip]<br />
<br />
<br />
<bibtex><br />
@misc{sha3F+09,<br />
author = {Niels Ferguson and Stefan Lucks and Bruce Schneier and Doug Whiting and Mihir Bellare and Tadayoshi Kohno and Jon Callas and Jesse Walker},<br />
title = {The Skein Hash Function Family},<br />
url = {http://www.skein-hash.info/sites/default/files/skein1.2.pdf},<br />
howpublished = {Submission to NIST (Round 2)},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{sha3F+08,<br />
author = {Niels Ferguson and Stefan Lucks and Bruce Schneier and Doug Whiting and Mihir Bellare and Tadayoshi Kohno and Jon Callas and Jesse Walker},<br />
title = {The Skein Hash Function Family},<br />
url = {http://www.skein-hash.info/sites/default/files/skein.pdf},<br />
howpublished = {Submission to NIST (Round 1)},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
<br />
== Cryptanalysis ==<br />
<br />
We distinguish between two cases: results on the complete hash function, and results on underlying building blocks.<br />
<br />
A description of the tables is given [http://ehash.iaik.tugraz.at/wiki/Cryptanalysis_Categories#Individual_Hash_Function_Tables here].<br />
<br />
Recommended security parameter: '''72''' rounds<br />
<br />
=== Hash function ===<br />
<br />
Here we list results on the hash function according to the NIST requirements. The only allowed modification is to change the security parameter.<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Size (n) || Parameters || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| || || || || ||<br />
|- <br />
|}<br />
<br />
=== Building blocks ===<br />
<br />
Here we list results on underlying building blocks, and the hash function modified by other means than the security parameter.<br />
<br />
Note that these results assume more direct control or access over some internal variables (aka. free-start, pseudo, compression function, block cipher, or permutation attacks). <br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements || Reference <br />
|-<br />
|- <br />
| observations || hash || all || || || || [http://people.item.ntnu.no/~danilog/Hash/Non-random-behaviour-narrow-pipe-designs-03.pdf Gligoroski]<br />
|-<br />
| observations || block cipher || all || - || - || - || [http://eprint.iacr.org/2010/282.pdf McKay,Vora]<br />
|-<br />
| observations || compression function || all || - || - || - || [http://eprint.iacr.org/2010/262.pdf Kaminsky]<br />
|-<br />
| key recovery || block cipher || 256 || 39 rounds || 2<sup>254.1</sup> || - || [http://cryptolux.org/mediawiki/uploads/5/5b/Rotational_Cryptanalysis_of_Skein.pdf Khovratovich,Nikolic]<br />
|-<br />
| key recovery || block cipher || 512 || 42 rounds|| 2<sup>507</sup> || - || [http://cryptolux.org/mediawiki/uploads/5/5b/Rotational_Cryptanalysis_of_Skein.pdf Khovratovich,Nikolic]<br />
|- <br />
| key recovery || block cipher || 512 || 32 rounds (Round 1) || 2<sup>226</sup> (2<sup>222</sup>) || 2<sup>12</sup> || [http://eprint.iacr.org/2009/526.pdf Chen,Jia]<br />
|- <br />
| key recovery || block cipher || 512 || 33 rounds (Round 1) || 2<sup>352.17</sup> (2<sup>355.5</sup>) || - || [http://eprint.iacr.org/2009/526.pdf Chen,Jia]<br />
|-<br />
| near collision || compression function || 512 || 17 rounds (Round 1) || 2<sup>24</sup> || - || [http://eprint.iacr.org/2009/438.pdf Aumasson,Calik,Meier,Ozen,Phan,Varici]<br />
|- <br />
| distinguisher || block cipher || 512 || 35 rounds (Round 1) || 2<sup>478</sup> || - || [http://eprint.iacr.org/2009/438.pdf Aumasson,Calik,Meier,Ozen,Phan,Varici]<br />
|- <br />
| impossible differential || block cipher || 512 || 21 rounds (Round 1) || - || - || [http://eprint.iacr.org/2009/438.pdf Aumasson,Calik,Meier,Ozen,Phan,Varici]<br />
|- <br />
| key recovery || block cipher || 512 || 32 rounds (Round 1) || 2<sup>312</sup> || - || [http://eprint.iacr.org/2009/438.pdf Aumasson,Calik,Meier,Ozen,Phan,Varici]<br />
|- <br />
|} <br />
<br />
<br />
<bibtex><br />
@misc{skinGli10,<br />
author = {Danilo Gligoroski},<br />
title = {Narrow-pipe SHA-3 candidates differ significantly from ideal random functions defined over big domains},<br />
url = {http://people.item.ntnu.no/~danilog/Hash/Non-random-behaviour-narrow-pipe-designs-03.pdf},<br />
howpublished = {NIST mailing list},<br />
year = {2010},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{skeinMV10,<br />
author = {Kerry A. McKay and Poorvi L. Vora},<br />
title = {Pseudo-Linear Approximations for ARX Ciphers: With Application to Threefish},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/282},<br />
year = {2010},<br />
url = {http://eprint.iacr.org/2010/282.pdf},<br />
note = {\url{http://eprint.iacr.org/}},<br />
abstract = {The operations addition modulo 2^n and exclusive-or have recently been combined to obtain an efficient mechanism for nonlinearity in block cipher design. In this paper, we show that ciphers using this approach may be approximated by pseudo-linear expressions relating groups of contiguous bits of the round key, round input, and round output. The bias of an approximation can be large enough for known plaintext attacks. We demonstrate an application of this concept to a reduced-round version of the Threefish block cipher, a component of the Skein entry in the secure hash function competition.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{skeinKam10,<br />
author = {Alan Kaminsky},<br />
title = {Cube Test Analysis of the Statistical Behavior of CubeHash and Skein},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/262},<br />
year = {2010},<br />
url = {http://eprint.iacr.org/2010/262.pdf},<br />
note = {\url{http://eprint.iacr.org/}},<br />
abstract = {This work analyzes the statistical properties of the SHA-3 candidate cryptographic hash algorithms CubeHash and Skein to try to find nonrandom behavior. Cube tests were used to probe each algorithm's internal polynomial structure for a large number of choices of the polynomial input variables. The cube test data were calculated on a 40-core hybrid SMP cluster parallel computer. The cube test data were subjected to three statistical tests: balance, independence, and off-by-one. Although isolated statistical test failures were observed, the balance and off-by-one tests did not find nonrandom behavior overall in either CubeHash or Skein. However, the independence test did find nonrandom behavior overall in both CubeHash and Skein. }<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{skeinA+09,<br />
author = {Jean-Philippe Aumasson and Cagdas Calik and Willi Meier and Onur Ozen and Raphael C.-W. Phan and Kerem Varici},<br />
title = {Improved Cryptanalysis of Skein},<br />
howpublished = {Cryptology ePrint Archive, Report 2009/438},<br />
year = {2009},<br />
url = {http://eprint.iacr.org/2009/438.pdf},<br />
note = {\url{http://eprint.iacr.org/}},<br />
abstract={The hash function Skein is the submission of Ferguson et al. to the NIST Hash Competition, and is arguably a serious candidate for selection as SHA-3. This paper presents the first third-party analysis of Skein, with an extensive study of its main component: the block cipher Threefish. We notably investigate near collisions, distinguishers, impossible differentials, key recovery using related-key differential and boomerang attacks. In particular, we present near collisions on up to 17 rounds, an impossible differential on 21 rounds, a related-key boomerang distinguisher on 34 rounds, a known-related-key boomerang distinguisher on 35 rounds, and key recovery attacks on up to 32 rounds, out of 72 in total for Threefish-512. None of our attacks directly extends to the full Skein hash. However, the pseudorandomness of Threefish is required to validate the security proofs on Skein, and our results conclude that at least 36 rounds of Threefish seem required for optimal security guarantees.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{cryptoeprint:2009:526,<br />
author = {Jiazhe Chen and Keting Jia},<br />
title = {Improved Related-key Boomerang Attacks on Round-Reduced Threefish-512},<br />
howpublished = {Cryptology ePrint Archive, Report 2009/526},<br />
year = {2009},<br />
url = {http://eprint.iacr.org/2009/526.pdf},<br />
note = {\url{http://eprint.iacr.org/}},<br />
abstract = {Hash function Skein is one of the 14 NIST SHA-3 second round candidates. Threefish is a tweakable block cipher as the core of Skein, defined with a 256-, 512-, and 1024-bit block size. The 512-bit block size is the primary proposal of the authors. In this paper we construct two related-key boomerang distinguishers on round-reduced Threefish-512 using the method of \emph{modular differential}. With a distinguisher on 32 rounds of Threefish-512, we improve the key recovery attack on 32 rounds of Threefish-512 proposed by Aumasson et al. Their attack requires $2^{312}$ encryptions and $2^{71}$ bytes of memory. However, our attack has a time complexity of $2^{226}$ encryptions with memory of $2^{12}$ bytes. Furthermore, we give a key recovery attack on Threefish-512 reduced to 33 rounds using a 33-round related-key boomerang distinguisher, with $2^{352.17}$ encryptions and negligible memory. Skein had been updated after it entered the second round and the results above are based on the original version. However, as the only differences between the original and the new version are the rotation constants, both of the methods can be applied to the new version with modified differential trails. For the new rotation constants, our attack on 32-round Threefish-512 has a time complexity $2^{222}$ and $2^{12}$ bytes' memory. Our attack on 33-round Threefish-512 has a time complexity $2^{355.5}$ and negligible memory.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{cryptoeprint:2009:526,<br />
author = {Dmitry Khovratovich and Ivica Nikolic},<br />
title = {Rotational Cryptanalysis of ARX},<br />
howpublished = {Preproceedings of FSE 2010},<br />
year = {2010},<br />
url = {http://cryptolux.org/mediawiki/uploads/5/5b/Rotational_Cryptanalysis_of_Skein.pdf},<br />
abstract = {In this paper we analyze the security of systems based on<br />
modular additions, rotations, and XORs (ARX systems). We provide<br />
both theoretical support for their security and practical cryptanalysis of<br />
real ARX primitives. We use a technique called rotational cryptanalysis,<br />
that is universal for the ARX systems and is quite efficient. We illustrate<br />
the method with the best known attack on reduced versions of the block<br />
cipher Threefish (the core of Skein). Additionally, we prove that ARX<br />
with constants are functionally complete, i.e. any function can be realized<br />
with these operations.<br />
},<br />
}<br />
</bibtex><br />
<br />
=== Archive ===<br />
<br />
<bibtex><br />
@misc{SkeinAum09,<br />
author = {Jean-Philippe Aumasson and Willi Meier and Raphael Phan},<br />
title = {Improved analyis of Threefish},<br />
url = {http://131002.net/data/talks/threefish_rump.pdf},<br />
howpublished = {FSE 2009 rump session, slides available online},<br />
year = {2009},<br />
}<br />
</bibtex></div>
JAumasson
https://ehash.iaik.tugraz.at/index.php?title=CubeHash&diff=3503
CubeHash
2010-05-27T12:15:51Z
<p>JAumasson: Added Ferguson/Lucks/McKay paper</p>
<hr />
<div>== The algorithm ==<br />
<br />
* Author(s): Dan Bernstein <br />
* Website: [http://cubehash.cr.yp.to/ http://cubehash.cr.yp.to/] <br />
* NIST submission package: <br />
** round 1: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/CubeHash.zip CubeHash.zip]<br />
** round 2: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/documents/CubeHash_Round2.zip CubeHash_Round2.zip]<br />
<br />
<br />
<bibtex><br />
@misc{sha3Bernstein09a,<br />
author = {Daniel J. Bernstein},<br />
title = {CubeHash specification (2.B.1)},<br />
url = {http://cubehash.cr.yp.to/submission2/spec.pdf},<br />
howpublished = {Submission to NIST (Round 2)},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{sha3Bernstein09,<br />
author = {Daniel J. Bernstein},<br />
title = {CubeHash parameter tweak: 16 times faster},<br />
url = {http://cubehash.cr.yp.to/submission/tweak.pdf},<br />
howpublished = {Available online},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{sha3Bernstein08,<br />
author = {Daniel J. Bernstein},<br />
title = {CubeHash Specification (2.B.1)},<br />
url = {http://cubehash.cr.yp.to/submission/spec.pdf},<br />
howpublished = {Submission to NIST (Round 1)},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
<br />
== Cryptanalysis ==<br />
<br />
We distinguish between two cases: results on the complete hash function, and results on underlying building blocks.<br />
<br />
A description of the tables is given [http://ehash.iaik.tugraz.at/wiki/Cryptanalysis_Categories#Individual_Hash_Function_Tables here].<br />
<br />
Recommended security parameters: r/b = '''16/32''' (n=224,256); '''16/1''' (n=384,512)<br />
<br />
=== Hash function ===<br />
<br />
Here we list results on the hash function according to the NIST requirements. The only allowed modification is to change the security parameter.<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| preimage || 384,512 || 16/32 || 2<sup>383.7</sup> || - || [http://eprint.iacr.org/2010/273.pdf Ferguson,Lucks,McKay]<br />
|- <br />
| preimage || 384,512 || 16/33 || 2<sup>257.6</sup> || - || [http://eprint.iacr.org/2010/273.pdf Ferguson,Lucks,McKay]<br />
|- <br />
| collision || 512 || 7/64 || 2<sup>203</sup> || - || [http://eprint.iacr.org/2009/382.pdf Brier,Khazaei,Meier,Peyrin]<br />
|- <br />
| collision || all || 4/48 || example (2<sup>37</sup>) || - || [http://ehash.iaik.tugraz.at/uploads/5/50/Bkmp_ch448.txt Brier,Khazaei,Meier,Peyrin]<br />
|- <br />
| collision || all || 4/64 || example (2<sup>34</sup>) || - || [http://ehash.iaik.tugraz.at/uploads/9/93/Bkmp_ch464.txt Brier,Khazaei,Meier,Peyrin]<br />
|- <br />
| collision || all || 3/64 || example (2<sup>24</sup>) || - || [http://ehash.iaik.tugraz.at/uploads/3/3a/Peyrin_ch22_ch364.txt Brier,Khazaei,Meier,Peyrin]<br />
|- <br />
| collision || 512 || 2/2 || 2<sup>196</sup> || - || [http://ehash.iaik.tugraz.at/uploads/3/3a/Peyrin_ch22_ch364.txt Brier,Khazaei,Meier,Peyrin]<br />
|- <br />
| collision || 512 || 5/64 || 2<sup>231</sup> || - || [http://thomas.peyrin.googlepages.com/BrierPeyrinCubehash.pdf Brier,Peyrin]<br />
|- <br />
| collision || all || 3/64 || 2<sup>89</sup> || - || [http://thomas.peyrin.googlepages.com/BrierPeyrinCubehash.pdf Brier,Peyrin]<br />
|-<br />
| collision || 512 || 4/3 || 2<sup>207</sup> || - || [http://thomas.peyrin.googlepages.com/BrierPeyrinCubehash.pdf Brier,Peyrin]<br />
|-<br />
| collision || 384,512 || 4/4 || 2<sup>189</sup> || - || [http://thomas.peyrin.googlepages.com/BrierPeyrinCubehash.pdf Brier,Peyrin]<br />
|-<br />
| collision || all || 2/3 || 2<sup>46</sup> || - || [http://thomas.peyrin.googlepages.com/BrierPeyrinCubehash.pdf Brier,Peyrin]<br />
|- <br />
| collision || 512 || 2/4 || example || - || [http://thomas.peyrin.googlepages.com/BrierPeyrinCubehash.pdf Brier,Peyrin]<br />
|- <br />
| collision || 512 || 1/45, 2/89 || example || - || [http://www.cryptopp.com/sha3/cubehash.pdf Dai]<br />
|- <br />
| collision || 512 || 2/120 || example || - || [http://ehash.iaik.tugraz.at/uploads/a/a9/Cubehash.txt Aumasson]<br />
|- <br />
| preimage || 512 || r/8 || 2<sup>480</sup> || - || [http://ehash.iaik.tugraz.at/uploads/6/6c/Cubehash.pdf Khovratovich,Nikolic',Weinmann]<br />
|- <br />
| preimage || 512 || r/4 || 2<sup>496</sup> || - || [http://ehash.iaik.tugraz.at/uploads/6/6c/Cubehash.pdf Khovratovich,Nikolic',Weinmann]<br />
|- <br />
| style="background:greenyellow" | preimage || 512 || || 2<sup>511</sup> || 2<sup>508</sup> || [http://ehash.iaik.tugraz.at/uploads/6/6c/Cubehash.pdf Khovratovich,Nikolic',Weinmann]<br />
|- <br />
| style="background:greenyellow" | preimage || all || || 2<sup>513-4b</sup> || - || [http://eprint.iacr.org/2008/486.pdf Aumasson,Meier,Naya-Plasencia,Peyrin]<br />
|-<br />
| collision || all || || 2<sup>521-4b-log b</sup> || - || [http://cubehash.cr.yp.to/submission/generic.pdf submission document]<br />
|-<br />
| preimage || all || || 2<sup>522-4b-log b</sup> || - || [http://cubehash.cr.yp.to/submission/generic.pdf submission document]<br />
|-<br />
|} <br />
<br />
<br />
=== Building blocks ===<br />
<br />
Here we list results on underlying building blocks, and the hash function modified by other means than the security parameter.<br />
<br />
Note that these results assume more direct control or access over some internal variables (aka. free-start, pseudo, compression function, block cipher, or permutation attacks). <br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| observations || hash || all || || || || [http://eprint.iacr.org/2010/262.pdf Kaminsky]<br />
|-<br />
| observations || hash || all || || || || [http://eprint.iacr.org/2009/407.pdf Bloom,Kaminsky]<br />
|- <br />
| multi-collision || hash || all || || 2<sup>513-4b</sup> || - || [http://eprint.iacr.org/2008/486.pdf Aumasson,Meier,Naya-Plasencia,Peyrin]<br />
|- <br />
| observations || permutation|| all || || || || [http://eprint.iacr.org/2008/486.pdf Aumasson,Meier,Naya-Plasencia,Peyrin]<br />
|- <br />
|} <br />
<br />
<br />
<bibtex><br />
@misc{cubehashFLM10,<br />
author = {Niels Ferguson and Stefan Lucks and Kerry A. McKay},<br />
title = {Symmetric States and their Structure: Improved Analysis of CubeHash},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/273},<br />
year = {2010},<br />
url = {http://eprint.iacr.org/2010/273.pdf},<br />
note = {\url{http://eprint.iacr.org/}},<br />
abtract = {This paper provides three improvements over previous work on analyzing CubeHash, based on its classes of symmetric states: (1) We present a detailed analysis of the hierarchy of symmetry classes. (2) We point out some flaws in previously claimed attacks which tried to exploit the symmetry classes. (3) We present and analyze new multicollision and preimage attacks. For the default parameter setting of CubeHash, namely for a message block size of b = 32, the new attacks are slightly faster than 2^384 operations. If one increases the size of a message block by a single byte to b = 33, our multicollision and preimage attacks become much faster – they only require about 2^256 operations. This demonstrates how sensitive the security of CubeHash is, depending on minor changes of the tunable security parameter b. }<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{cubehashKam10,<br />
author = {Alan Kaminsky},<br />
title = {Cube Test Analysis of the Statistical Behavior of CubeHash and Skein},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/262},<br />
year = {2010},<br />
url = {http://eprint.iacr.org/2010/262.pdf},<br />
note = {\url{http://eprint.iacr.org/}},<br />
abstract = {This work analyzes the statistical properties of the SHA-3 candidate cryptographic hash algorithms CubeHash and Skein to try to find nonrandom behavior. Cube tests were used to probe each algorithm's internal polynomial structure for a large number of choices of the polynomial input variables. The cube test data were calculated on a 40-core hybrid SMP cluster parallel computer. The cube test data were subjected to three statistical tests: balance, independence, and off-by-one. Although isolated statistical test failures were observed, the balance and off-by-one tests did not find nonrandom behavior overall in either CubeHash or Skein. However, the independence test did find nonrandom behavior overall in both CubeHash and Skein. }<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{cubehashBK09,<br />
author = {Benjamin Bloom and Alan Kaminsky},<br />
title = {Single Block Attacks and Statistical Tests on CubeHash},<br />
howpublished = {Cryptology ePrint Archive, Report 2009/407},<br />
year = {2009},<br />
url = {http://eprint.iacr.org/2009/407.pdf},<br />
note = {\url{http://eprint.iacr.org/}},<br />
abstract = {This paper describes a second preimage attack on the CubeHash cryptographic one-way hash function. The attack finds a second preimage in less time than brute force search for these CubeHash variants: CubeHash $r$/$b$-224 for $b > 100$; CubeHash$r$/$b$-256 for $b > 96$; CubeHash$r$/$b$-384 for $b > 80$; and CubeHash$r$/$b$-512 for $b > 64$. However, the attack does not break the CubeHash variants recommended for SHA-3. The attack requires minimal memory and can be performed in a massively parallel fashion. This paper also describes several statistical randomness tests on CubeHash. The tests were unable to disprove the hypothesis that CubeHash behaves as a random mapping. These results support CubeHash's viability as a secure cryptographic hash function.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{cubehashBKMP09b,<br />
author = {Eric Brier and Shahram Khazaei and Willi Meier and Thomas Peyrin},<br />
title = {Linearization Framework for Collision Attacks: Application to CubeHash and MD6},<br />
howpublished = {Cryptology ePrint Archive, Report 2009/382},<br />
year = {2009},<br />
url = {http://eprint.iacr.org/2009/382.pdf},<br />
note = {\url{http://eprint.iacr.org/}},<br />
abstract = {In this paper, an improved differential cryptanalysis framework for finding collisions in hash functions is provided. Its principle is based on linearization of compression functions in order to find low weight differential characteristics as initiated by Chabaud and Joux. This is formalized and refined however in several ways: for the problem of finding a conforming message pair whose differential trail follows a linear trail, a condition function is introduced so that finding a collision is equivalent to finding a preimage of the zero vector for the condition function. Then, the dependency table concept shows how much influence every input bit of the condition function has on its output bits. Careful analysis of the dependency table reveals degrees of freedom that can be exploited in accelerated preimage reconstruction of the condition function. These concepts are applied to an in-depth collision analysis of reduced-round versions of the two SHA-3 candidates CubeHash and MD6, and are demonstrated to give by far the best currently known collision attacks on these SHA-3 candidates.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{cubehashBKMP09a,<br />
author = {Eric Brier and Shahram Khazaei and Willi Meier and Thomas Peyrin},<br />
title = {Real Collisions for CubeHash-4/48},<br />
url = {http://ehash.iaik.tugraz.at/uploads/5/50/Bkmp_ch448.txt}, <br />
howpublished = {NIST mailing list (local link)},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{cubehashBKMP09a,<br />
author = {Eric Brier and Shahram Khazaei and Willi Meier and Thomas Peyrin},<br />
title = {Real Collisions for CubeHash-4/64},<br />
url = {http://ehash.iaik.tugraz.at/uploads/9/93/Bkmp_ch464.txt}, <br />
howpublished = {NIST mailing list (local link)},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{cubehashBKMP09,<br />
author = {Eric Brier and Shahram Khazaei and Willi Meier and Thomas Peyrin},<br />
title = {Attack for CubeHash-2/2 and collision for CubeHash-3/64},<br />
url = {http://ehash.iaik.tugraz.at/uploads/3/3a/Peyrin_ch22_ch364.txt}, <br />
howpublished = {NIST mailing list (local link)},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
<!--<br />
<bibtex><br />
@misc{cubehashP09,<br />
author = {Thomas Peyrin},<br />
title = {Collision for CubeHash2/4},<br />
url = {http://ehash.iaik.tugraz.at/uploads/d/d5/Peyrin_cubehashcollision.txt}, <br />
howpublished = {NIST mailing list (local link)},<br />
year = {2009},<br />
}<br />
</bibtex><br />
--><br />
<bibtex><br />
@misc{cubehashBP09,<br />
author = {Eric Brier and Thomas Peyrin},<br />
title = {Cryptanalysis of CubeHash},<br />
url = {http://thomas.peyrin.googlepages.com/BrierPeyrinCubehash.pdf}, <br />
howpublished = {Available online},<br />
year = {2009},<br />
abstract = {CubeHash is a family of hash functions submitted by Bern stein as a SHA-3 candidate. In this paper, we provide two different cryptanalysis approaches concerning its collision resistance. Thanks to the first approach, related to truncated differentials, we computed a collision for the CubeHash-1/36 hash function, i.e. when for each iteration 36 bytes of message are incorporated and one call to the permutation is applied. Then, the second approach, already used by Dai, much more efficient and simply based on a linearization of the scheme, allowed us to compute a collision for the CubeHash-2/4 hash function. Finally, a theoretical collision attack against CubeHash-2/3, CubeHash-4/4 and CubeHash-4/3 is described. This is currently the best known cryptanalysis result on this SHA-3 candidate.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{cubehashD08,<br />
author = {Wei Dai},<br />
title = {Collisions for CubeHash1/45 and CubeHash2/89},<br />
url = {http://www.cryptopp.com/sha3/cubehash.pdf}, <br />
howpublished = {Available online},<br />
year = {2008},<br />
abstract = {Collisions were found for the hash functions CubeHash1/45-512 and CubeHash2/89-512. Attack code is included.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{cubehashA08,<br />
author = {Jean-Philippe Aumasson},<br />
title = {Collision for CubeHash2/120-512},<br />
url = {http://ehash.iaik.tugraz.at/uploads/a/a9/Cubehash.txt}, <br />
howpublished = {NIST mailing list (local link)},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{cubehashKNW08,<br />
author = {Dmitry Khovratovich and Ivica Nikolic' and Ralf-Philipp Weinmann},<br />
title = {Preimage attack on CubeHash512-r/4 and CubeHash512-r/8},<br />
url = {http://ehash.iaik.tugraz.at/uploads/6/6c/Cubehash.pdf},<br />
howpublished = {Available online},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{cubehashAMPP09,<br />
author = {Jean-Philippe Aumasson and Eric Brier and Willi Meier and María Naya-Plasencia and Thomas Peyrin},<br />
title = {Inside the Hypercube},<br />
booktitle = {ACISP},<br />
publisher = {Springer},<br />
editor = {Colin Boyd and Juan Manuel Gonz{\'a}lez Nieto},<br />
series = {LNCS},<br />
pages = {202-213},<br />
volume = {5594},<br />
url = {http://www.131002.net/data/papers/ABMNP08.pdf},<br />
year = {2009},<br />
abstract = {Bernstein’s CubeHash is a hash function family that includes four functions submitted to the NIST Hash Competition. A CubeHash function is parametrized by a number of rounds r, a block byte size b, and a digest bit length h. The 1024-bit internal state of CubeHash is represented as a five-dimension hypercube. Submissions to NIST have r = 8, b = 1, and $h \in {224, 256, 384, 512}$. <br />
This paper gives the first external analysis of CubeHash, with<br />
- improved standard generic attacks for collisions and preimages<br />
- a multicollision attack that exploits fixed points<br />
- a study of the round function symmetries<br />
- a preimage attack that exploits these symmetries<br />
- a practical collision attack on a weakened version of CubeHash<br />
- high-probability truncated differentials over the 8-round transform<br />
Our results do not contradict the security claims about CubeHash.},<br />
}<br />
</bibtex></div>
JAumasson
https://ehash.iaik.tugraz.at/index.php?title=Skein&diff=3502
Skein
2010-05-27T12:13:10Z
<p>JAumasson: typo</p>
<hr />
<div>== The algorithm ==<br />
<br />
* Author(s): Niels Ferguson, Stefan Lucks, Bruce Schneier, Doug Whiting, Mihir Bellare, Tadayoshi Kohno, Jon Callas, Jesse Walker<br />
* Website: [http://www.schneier.com/skein.html http://www.schneier.com/skein.html]; [http://skein-hash.info/ http://skein-hash.info/]<br />
* NIST submission package: <br />
** round 1: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/SkeinUpdate.zip SkeinUpdate.zip] (old version: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/Skein.zip Skein.zip])<br />
** round 2: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/documents/Skein_Round2.zip Skein_Round2.zip]<br />
<br />
<br />
<bibtex><br />
@misc{sha3F+09,<br />
author = {Niels Ferguson and Stefan Lucks and Bruce Schneier and Doug Whiting and Mihir Bellare and Tadayoshi Kohno and Jon Callas and Jesse Walker},<br />
title = {The Skein Hash Function Family},<br />
url = {http://www.skein-hash.info/sites/default/files/skein1.2.pdf},<br />
howpublished = {Submission to NIST (Round 2)},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{sha3F+08,<br />
author = {Niels Ferguson and Stefan Lucks and Bruce Schneier and Doug Whiting and Mihir Bellare and Tadayoshi Kohno and Jon Callas and Jesse Walker},<br />
title = {The Skein Hash Function Family},<br />
url = {http://www.skein-hash.info/sites/default/files/skein.pdf},<br />
howpublished = {Submission to NIST (Round 1)},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
<br />
== Cryptanalysis ==<br />
<br />
We distinguish between two cases: results on the complete hash function, and results on underlying building blocks.<br />
<br />
A description of the tables is given [http://ehash.iaik.tugraz.at/wiki/Cryptanalysis_Categories#Individual_Hash_Function_Tables here].<br />
<br />
Recommended security parameter: '''72''' rounds<br />
<br />
=== Hash function ===<br />
<br />
Here we list results on the hash function according to the NIST requirements. The only allowed modification is to change the security parameter.<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Size (n) || Parameters || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| || || || || ||<br />
|- <br />
|}<br />
<br />
=== Building blocks ===<br />
<br />
Here we list results on underlying building blocks, and the hash function modified by other means than the security parameter.<br />
<br />
Note that these results assume more direct control or access over some internal variables (aka. free-start, pseudo, compression function, block cipher, or permutation attacks). <br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements || Reference <br />
|-<br />
|- <br />
| observations || block cipher || all || - || - || - || [http://eprint.iacr.org/2010/282.pdf McKay,Vora]<br />
|-<br />
| observations || compression function || all || - || - || - || [http://eprint.iacr.org/2010/262.pdf Kaminsky]<br />
|-<br />
| key recovery || block cipher || 256 || 39 rounds || 2<sup>254.1</sup> || - || [http://cryptolux.org/mediawiki/uploads/5/5b/Rotational_Cryptanalysis_of_Skein.pdf Khovratovich,Nikolic]<br />
|-<br />
| key recovery || block cipher || 512 || 42 rounds|| 2<sup>507</sup> || - || [http://cryptolux.org/mediawiki/uploads/5/5b/Rotational_Cryptanalysis_of_Skein.pdf Khovratovich,Nikolic]<br />
|- <br />
| key recovery || block cipher || 512 || 32 rounds (Round 1) || 2<sup>226</sup> (2<sup>222</sup>) || 2<sup>12</sup> || [http://eprint.iacr.org/2009/526.pdf Chen,Jia]<br />
|- <br />
| key recovery || block cipher || 512 || 33 rounds (Round 1) || 2<sup>352.17</sup> (2<sup>355.5</sup>) || - || [http://eprint.iacr.org/2009/526.pdf Chen,Jia]<br />
|-<br />
| near collision || compression function || 512 || 17 rounds (Round 1) || 2<sup>24</sup> || - || [http://eprint.iacr.org/2009/438.pdf Aumasson,Calik,Meier,Ozen,Phan,Varici]<br />
|- <br />
| distinguisher || block cipher || 512 || 35 rounds (Round 1) || 2<sup>478</sup> || - || [http://eprint.iacr.org/2009/438.pdf Aumasson,Calik,Meier,Ozen,Phan,Varici]<br />
|- <br />
| impossible differential || block cipher || 512 || 21 rounds (Round 1) || - || - || [http://eprint.iacr.org/2009/438.pdf Aumasson,Calik,Meier,Ozen,Phan,Varici]<br />
|- <br />
| key recovery || block cipher || 512 || 32 rounds (Round 1) || 2<sup>312</sup> || - || [http://eprint.iacr.org/2009/438.pdf Aumasson,Calik,Meier,Ozen,Phan,Varici]<br />
|- <br />
|} <br />
<br />
<br />
<bibtex><br />
@misc{skeinMV10,<br />
author = {Kerry A. McKay and Poorvi L. Vora},<br />
title = {Pseudo-Linear Approximations for ARX Ciphers: With Application to Threefish},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/282},<br />
year = {2010},<br />
url = {http://eprint.iacr.org/2010/282.pdf},<br />
note = {\url{http://eprint.iacr.org/}},<br />
abstract = {The operations addition modulo 2^n and exclusive-or have recently been combined to obtain an efficient mechanism for nonlinearity in block cipher design. In this paper, we show that ciphers using this approach may be approximated by pseudo-linear expressions relating groups of contiguous bits of the round key, round input, and round output. The bias of an approximation can be large enough for known plaintext attacks. We demonstrate an application of this concept to a reduced-round version of the Threefish block cipher, a component of the Skein entry in the secure hash function competition.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{skeinKam10,<br />
author = {Alan Kaminsky},<br />
title = {Cube Test Analysis of the Statistical Behavior of CubeHash and Skein},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/262},<br />
year = {2010},<br />
url = {http://eprint.iacr.org/2010/262.pdf},<br />
note = {\url{http://eprint.iacr.org/}},<br />
abstract = {This work analyzes the statistical properties of the SHA-3 candidate cryptographic hash algorithms CubeHash and Skein to try to find nonrandom behavior. Cube tests were used to probe each algorithm's internal polynomial structure for a large number of choices of the polynomial input variables. The cube test data were calculated on a 40-core hybrid SMP cluster parallel computer. The cube test data were subjected to three statistical tests: balance, independence, and off-by-one. Although isolated statistical test failures were observed, the balance and off-by-one tests did not find nonrandom behavior overall in either CubeHash or Skein. However, the independence test did find nonrandom behavior overall in both CubeHash and Skein. }<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{skeinA+09,<br />
author = {Jean-Philippe Aumasson and Cagdas Calik and Willi Meier and Onur Ozen and Raphael C.-W. Phan and Kerem Varici},<br />
title = {Improved Cryptanalysis of Skein},<br />
howpublished = {Cryptology ePrint Archive, Report 2009/438},<br />
year = {2009},<br />
url = {http://eprint.iacr.org/2009/438.pdf},<br />
note = {\url{http://eprint.iacr.org/}},<br />
abstract={The hash function Skein is the submission of Ferguson et al. to the NIST Hash Competition, and is arguably a serious candidate for selection as SHA-3. This paper presents the first third-party analysis of Skein, with an extensive study of its main component: the block cipher Threefish. We notably investigate near collisions, distinguishers, impossible differentials, key recovery using related-key differential and boomerang attacks. In particular, we present near collisions on up to 17 rounds, an impossible differential on 21 rounds, a related-key boomerang distinguisher on 34 rounds, a known-related-key boomerang distinguisher on 35 rounds, and key recovery attacks on up to 32 rounds, out of 72 in total for Threefish-512. None of our attacks directly extends to the full Skein hash. However, the pseudorandomness of Threefish is required to validate the security proofs on Skein, and our results conclude that at least 36 rounds of Threefish seem required for optimal security guarantees.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{cryptoeprint:2009:526,<br />
author = {Jiazhe Chen and Keting Jia},<br />
title = {Improved Related-key Boomerang Attacks on Round-Reduced Threefish-512},<br />
howpublished = {Cryptology ePrint Archive, Report 2009/526},<br />
year = {2009},<br />
url = {http://eprint.iacr.org/2009/526.pdf},<br />
note = {\url{http://eprint.iacr.org/}},<br />
abstract = {Hash function Skein is one of the 14 NIST SHA-3 second round candidates. Threefish is a tweakable block cipher as the core of Skein, defined with a 256-, 512-, and 1024-bit block size. The 512-bit block size is the primary proposal of the authors. In this paper we construct two related-key boomerang distinguishers on round-reduced Threefish-512 using the method of \emph{modular differential}. With a distinguisher on 32 rounds of Threefish-512, we improve the key recovery attack on 32 rounds of Threefish-512 proposed by Aumasson et al. Their attack requires $2^{312}$ encryptions and $2^{71}$ bytes of memory. However, our attack has a time complexity of $2^{226}$ encryptions with memory of $2^{12}$ bytes. Furthermore, we give a key recovery attack on Threefish-512 reduced to 33 rounds using a 33-round related-key boomerang distinguisher, with $2^{352.17}$ encryptions and negligible memory. Skein had been updated after it entered the second round and the results above are based on the original version. However, as the only differences between the original and the new version are the rotation constants, both of the methods can be applied to the new version with modified differential trails. For the new rotation constants, our attack on 32-round Threefish-512 has a time complexity $2^{222}$ and $2^{12}$ bytes' memory. Our attack on 33-round Threefish-512 has a time complexity $2^{355.5}$ and negligible memory.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{cryptoeprint:2009:526,<br />
author = {Dmitry Khovratovich and Ivica Nikolic},<br />
title = {Rotational Cryptanalysis of ARX},<br />
howpublished = {Preproceedings of FSE 2010},<br />
year = {2010},<br />
url = {http://cryptolux.org/mediawiki/uploads/5/5b/Rotational_Cryptanalysis_of_Skein.pdf},<br />
abstract = {In this paper we analyze the security of systems based on<br />
modular additions, rotations, and XORs (ARX systems). We provide<br />
both theoretical support for their security and practical cryptanalysis of<br />
real ARX primitives. We use a technique called rotational cryptanalysis,<br />
that is universal for the ARX systems and is quite efficient. We illustrate<br />
the method with the best known attack on reduced versions of the block<br />
cipher Threefish (the core of Skein). Additionally, we prove that ARX<br />
with constants are functionally complete, i.e. any function can be realized<br />
with these operations.<br />
},<br />
}<br />
</bibtex><br />
<br />
=== Archive ===<br />
<br />
<bibtex><br />
@misc{SkeinAum09,<br />
author = {Jean-Philippe Aumasson and Willi Meier and Raphael Phan},<br />
title = {Improved analyis of Threefish},<br />
url = {http://131002.net/data/talks/threefish_rump.pdf},<br />
howpublished = {FSE 2009 rump session, slides available online},<br />
year = {2009},<br />
}<br />
</bibtex></div>
JAumasson
https://ehash.iaik.tugraz.at/index.php?title=CubeHash&diff=3501
CubeHash
2010-05-27T12:03:36Z
<p>JAumasson: added Kaminsky's paper</p>
<hr />
<div>== The algorithm ==<br />
<br />
* Author(s): Dan Bernstein <br />
* Website: [http://cubehash.cr.yp.to/ http://cubehash.cr.yp.to/] <br />
* NIST submission package: <br />
** round 1: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/CubeHash.zip CubeHash.zip]<br />
** round 2: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/documents/CubeHash_Round2.zip CubeHash_Round2.zip]<br />
<br />
<br />
<bibtex><br />
@misc{sha3Bernstein09a,<br />
author = {Daniel J. Bernstein},<br />
title = {CubeHash specification (2.B.1)},<br />
url = {http://cubehash.cr.yp.to/submission2/spec.pdf},<br />
howpublished = {Submission to NIST (Round 2)},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{sha3Bernstein09,<br />
author = {Daniel J. Bernstein},<br />
title = {CubeHash parameter tweak: 16 times faster},<br />
url = {http://cubehash.cr.yp.to/submission/tweak.pdf},<br />
howpublished = {Available online},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{sha3Bernstein08,<br />
author = {Daniel J. Bernstein},<br />
title = {CubeHash Specification (2.B.1)},<br />
url = {http://cubehash.cr.yp.to/submission/spec.pdf},<br />
howpublished = {Submission to NIST (Round 1)},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
<br />
== Cryptanalysis ==<br />
<br />
We distinguish between two cases: results on the complete hash function, and results on underlying building blocks.<br />
<br />
A description of the tables is given [http://ehash.iaik.tugraz.at/wiki/Cryptanalysis_Categories#Individual_Hash_Function_Tables here].<br />
<br />
Recommended security parameters: r/b = '''16/32''' (n=224,256); '''16/1''' (n=384,512)<br />
<br />
=== Hash function ===<br />
<br />
Here we list results on the hash function according to the NIST requirements. The only allowed modification is to change the security parameter.<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| collision || 512 || 7/64 || 2<sup>203</sup> || - || [http://eprint.iacr.org/2009/382.pdf Brier,Khazaei,Meier,Peyrin]<br />
|- <br />
| collision || all || 4/48 || example (2<sup>37</sup>) || - || [http://ehash.iaik.tugraz.at/uploads/5/50/Bkmp_ch448.txt Brier,Khazaei,Meier,Peyrin]<br />
|- <br />
| collision || all || 4/64 || example (2<sup>34</sup>) || - || [http://ehash.iaik.tugraz.at/uploads/9/93/Bkmp_ch464.txt Brier,Khazaei,Meier,Peyrin]<br />
|- <br />
| collision || all || 3/64 || example (2<sup>24</sup>) || - || [http://ehash.iaik.tugraz.at/uploads/3/3a/Peyrin_ch22_ch364.txt Brier,Khazaei,Meier,Peyrin]<br />
|- <br />
| collision || 512 || 2/2 || 2<sup>196</sup> || - || [http://ehash.iaik.tugraz.at/uploads/3/3a/Peyrin_ch22_ch364.txt Brier,Khazaei,Meier,Peyrin]<br />
|- <br />
| collision || 512 || 5/64 || 2<sup>231</sup> || - || [http://thomas.peyrin.googlepages.com/BrierPeyrinCubehash.pdf Brier,Peyrin]<br />
|- <br />
| collision || all || 3/64 || 2<sup>89</sup> || - || [http://thomas.peyrin.googlepages.com/BrierPeyrinCubehash.pdf Brier,Peyrin]<br />
|-<br />
| collision || 512 || 4/3 || 2<sup>207</sup> || - || [http://thomas.peyrin.googlepages.com/BrierPeyrinCubehash.pdf Brier,Peyrin]<br />
|-<br />
| collision || 384,512 || 4/4 || 2<sup>189</sup> || - || [http://thomas.peyrin.googlepages.com/BrierPeyrinCubehash.pdf Brier,Peyrin]<br />
|-<br />
| collision || all || 2/3 || 2<sup>46</sup> || - || [http://thomas.peyrin.googlepages.com/BrierPeyrinCubehash.pdf Brier,Peyrin]<br />
|- <br />
| collision || 512 || 2/4 || example || - || [http://thomas.peyrin.googlepages.com/BrierPeyrinCubehash.pdf Brier,Peyrin]<br />
|- <br />
| collision || 512 || 1/45, 2/89 || example || - || [http://www.cryptopp.com/sha3/cubehash.pdf Dai]<br />
|- <br />
| collision || 512 || 2/120 || example || - || [http://ehash.iaik.tugraz.at/uploads/a/a9/Cubehash.txt Aumasson]<br />
|- <br />
| preimage || 512 || r/8 || 2<sup>480</sup> || - || [http://ehash.iaik.tugraz.at/uploads/6/6c/Cubehash.pdf Khovratovich,Nikolic',Weinmann]<br />
|- <br />
| preimage || 512 || r/4 || 2<sup>496</sup> || - || [http://ehash.iaik.tugraz.at/uploads/6/6c/Cubehash.pdf Khovratovich,Nikolic',Weinmann]<br />
|- <br />
| style="background:greenyellow" | preimage || 512 || || 2<sup>511</sup> || 2<sup>508</sup> || [http://ehash.iaik.tugraz.at/uploads/6/6c/Cubehash.pdf Khovratovich,Nikolic',Weinmann]<br />
|- <br />
| style="background:greenyellow" | preimage || all || || 2<sup>513-4b</sup> || - || [http://eprint.iacr.org/2008/486.pdf Aumasson,Meier,Naya-Plasencia,Peyrin]<br />
|-<br />
| collision || all || || 2<sup>521-4b-log b</sup> || - || [http://cubehash.cr.yp.to/submission/generic.pdf submission document]<br />
|-<br />
| preimage || all || || 2<sup>522-4b-log b</sup> || - || [http://cubehash.cr.yp.to/submission/generic.pdf submission document]<br />
|-<br />
|} <br />
<br />
<br />
=== Building blocks ===<br />
<br />
Here we list results on underlying building blocks, and the hash function modified by other means than the security parameter.<br />
<br />
Note that these results assume more direct control or access over some internal variables (aka. free-start, pseudo, compression function, block cipher, or permutation attacks). <br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| observations || hash || all || || || || [http://eprint.iacr.org/2010/262.pdf Kaminsky]<br />
|-<br />
| observations || hash || all || || || || [http://eprint.iacr.org/2009/407.pdf Bloom,Kaminsky]<br />
|- <br />
| multi-collision || hash || all || || 2<sup>513-4b</sup> || - || [http://eprint.iacr.org/2008/486.pdf Aumasson,Meier,Naya-Plasencia,Peyrin]<br />
|- <br />
| observations || permutation|| all || || || || [http://eprint.iacr.org/2008/486.pdf Aumasson,Meier,Naya-Plasencia,Peyrin]<br />
|- <br />
|} <br />
<br />
<br />
<bibtex><br />
@misc{cubehashKam10,<br />
author = {Alan Kaminsky},<br />
title = {Cube Test Analysis of the Statistical Behavior of CubeHash and Skein},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/262},<br />
year = {2010},<br />
url = {http://eprint.iacr.org/2010/262.pdf},<br />
note = {\url{http://eprint.iacr.org/}},<br />
abstract = {This work analyzes the statistical properties of the SHA-3 candidate cryptographic hash algorithms CubeHash and Skein to try to find nonrandom behavior. Cube tests were used to probe each algorithm's internal polynomial structure for a large number of choices of the polynomial input variables. The cube test data were calculated on a 40-core hybrid SMP cluster parallel computer. The cube test data were subjected to three statistical tests: balance, independence, and off-by-one. Although isolated statistical test failures were observed, the balance and off-by-one tests did not find nonrandom behavior overall in either CubeHash or Skein. However, the independence test did find nonrandom behavior overall in both CubeHash and Skein. }<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{cubehashBK09,<br />
author = {Benjamin Bloom and Alan Kaminsky},<br />
title = {Single Block Attacks and Statistical Tests on CubeHash},<br />
howpublished = {Cryptology ePrint Archive, Report 2009/407},<br />
year = {2009},<br />
url = {http://eprint.iacr.org/2009/407.pdf},<br />
note = {\url{http://eprint.iacr.org/}},<br />
abstract = {This paper describes a second preimage attack on the CubeHash cryptographic one-way hash function. The attack finds a second preimage in less time than brute force search for these CubeHash variants: CubeHash $r$/$b$-224 for $b > 100$; CubeHash$r$/$b$-256 for $b > 96$; CubeHash$r$/$b$-384 for $b > 80$; and CubeHash$r$/$b$-512 for $b > 64$. However, the attack does not break the CubeHash variants recommended for SHA-3. The attack requires minimal memory and can be performed in a massively parallel fashion. This paper also describes several statistical randomness tests on CubeHash. The tests were unable to disprove the hypothesis that CubeHash behaves as a random mapping. These results support CubeHash's viability as a secure cryptographic hash function.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{cubehashBKMP09b,<br />
author = {Eric Brier and Shahram Khazaei and Willi Meier and Thomas Peyrin},<br />
title = {Linearization Framework for Collision Attacks: Application to CubeHash and MD6},<br />
howpublished = {Cryptology ePrint Archive, Report 2009/382},<br />
year = {2009},<br />
url = {http://eprint.iacr.org/2009/382.pdf},<br />
note = {\url{http://eprint.iacr.org/}},<br />
abstract = {In this paper, an improved differential cryptanalysis framework for finding collisions in hash functions is provided. Its principle is based on linearization of compression functions in order to find low weight differential characteristics as initiated by Chabaud and Joux. This is formalized and refined however in several ways: for the problem of finding a conforming message pair whose differential trail follows a linear trail, a condition function is introduced so that finding a collision is equivalent to finding a preimage of the zero vector for the condition function. Then, the dependency table concept shows how much influence every input bit of the condition function has on its output bits. Careful analysis of the dependency table reveals degrees of freedom that can be exploited in accelerated preimage reconstruction of the condition function. These concepts are applied to an in-depth collision analysis of reduced-round versions of the two SHA-3 candidates CubeHash and MD6, and are demonstrated to give by far the best currently known collision attacks on these SHA-3 candidates.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{cubehashBKMP09a,<br />
author = {Eric Brier and Shahram Khazaei and Willi Meier and Thomas Peyrin},<br />
title = {Real Collisions for CubeHash-4/48},<br />
url = {http://ehash.iaik.tugraz.at/uploads/5/50/Bkmp_ch448.txt}, <br />
howpublished = {NIST mailing list (local link)},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{cubehashBKMP09a,<br />
author = {Eric Brier and Shahram Khazaei and Willi Meier and Thomas Peyrin},<br />
title = {Real Collisions for CubeHash-4/64},<br />
url = {http://ehash.iaik.tugraz.at/uploads/9/93/Bkmp_ch464.txt}, <br />
howpublished = {NIST mailing list (local link)},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{cubehashBKMP09,<br />
author = {Eric Brier and Shahram Khazaei and Willi Meier and Thomas Peyrin},<br />
title = {Attack for CubeHash-2/2 and collision for CubeHash-3/64},<br />
url = {http://ehash.iaik.tugraz.at/uploads/3/3a/Peyrin_ch22_ch364.txt}, <br />
howpublished = {NIST mailing list (local link)},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
<!--<br />
<bibtex><br />
@misc{cubehashP09,<br />
author = {Thomas Peyrin},<br />
title = {Collision for CubeHash2/4},<br />
url = {http://ehash.iaik.tugraz.at/uploads/d/d5/Peyrin_cubehashcollision.txt}, <br />
howpublished = {NIST mailing list (local link)},<br />
year = {2009},<br />
}<br />
</bibtex><br />
--><br />
<bibtex><br />
@misc{cubehashBP09,<br />
author = {Eric Brier and Thomas Peyrin},<br />
title = {Cryptanalysis of CubeHash},<br />
url = {http://thomas.peyrin.googlepages.com/BrierPeyrinCubehash.pdf}, <br />
howpublished = {Available online},<br />
year = {2009},<br />
abstract = {CubeHash is a family of hash functions submitted by Bern stein as a SHA-3 candidate. In this paper, we provide two different cryptanalysis approaches concerning its collision resistance. Thanks to the first approach, related to truncated differentials, we computed a collision for the CubeHash-1/36 hash function, i.e. when for each iteration 36 bytes of message are incorporated and one call to the permutation is applied. Then, the second approach, already used by Dai, much more efficient and simply based on a linearization of the scheme, allowed us to compute a collision for the CubeHash-2/4 hash function. Finally, a theoretical collision attack against CubeHash-2/3, CubeHash-4/4 and CubeHash-4/3 is described. This is currently the best known cryptanalysis result on this SHA-3 candidate.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{cubehashD08,<br />
author = {Wei Dai},<br />
title = {Collisions for CubeHash1/45 and CubeHash2/89},<br />
url = {http://www.cryptopp.com/sha3/cubehash.pdf}, <br />
howpublished = {Available online},<br />
year = {2008},<br />
abstract = {Collisions were found for the hash functions CubeHash1/45-512 and CubeHash2/89-512. Attack code is included.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{cubehashA08,<br />
author = {Jean-Philippe Aumasson},<br />
title = {Collision for CubeHash2/120-512},<br />
url = {http://ehash.iaik.tugraz.at/uploads/a/a9/Cubehash.txt}, <br />
howpublished = {NIST mailing list (local link)},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{cubehashKNW08,<br />
author = {Dmitry Khovratovich and Ivica Nikolic' and Ralf-Philipp Weinmann},<br />
title = {Preimage attack on CubeHash512-r/4 and CubeHash512-r/8},<br />
url = {http://ehash.iaik.tugraz.at/uploads/6/6c/Cubehash.pdf},<br />
howpublished = {Available online},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{cubehashAMPP09,<br />
author = {Jean-Philippe Aumasson and Eric Brier and Willi Meier and María Naya-Plasencia and Thomas Peyrin},<br />
title = {Inside the Hypercube},<br />
booktitle = {ACISP},<br />
publisher = {Springer},<br />
editor = {Colin Boyd and Juan Manuel Gonz{\'a}lez Nieto},<br />
series = {LNCS},<br />
pages = {202-213},<br />
volume = {5594},<br />
url = {http://www.131002.net/data/papers/ABMNP08.pdf},<br />
year = {2009},<br />
abstract = {Bernstein’s CubeHash is a hash function family that includes four functions submitted to the NIST Hash Competition. A CubeHash function is parametrized by a number of rounds r, a block byte size b, and a digest bit length h. The 1024-bit internal state of CubeHash is represented as a five-dimension hypercube. Submissions to NIST have r = 8, b = 1, and $h \in {224, 256, 384, 512}$. <br />
This paper gives the first external analysis of CubeHash, with<br />
- improved standard generic attacks for collisions and preimages<br />
- a multicollision attack that exploits fixed points<br />
- a study of the round function symmetries<br />
- a preimage attack that exploits these symmetries<br />
- a practical collision attack on a weakened version of CubeHash<br />
- high-probability truncated differentials over the 8-round transform<br />
Our results do not contradict the security claims about CubeHash.},<br />
}<br />
</bibtex></div>
JAumasson
https://ehash.iaik.tugraz.at/index.php?title=Skein&diff=3500
Skein
2010-05-27T11:46:41Z
<p>JAumasson: Added Kaminsky and McCay/Vora's papers</p>
<hr />
<div>== The algorithm ==<br />
<br />
* Author(s): Niels Ferguson, Stefan Lucks, Bruce Schneier, Doug Whiting, Mihir Bellare, Tadayoshi Kohno, Jon Callas, Jesse Walker<br />
* Website: [http://www.schneier.com/skein.html http://www.schneier.com/skein.html]; [http://skein-hash.info/ http://skein-hash.info/]<br />
* NIST submission package: <br />
** round 1: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/SkeinUpdate.zip SkeinUpdate.zip] (old version: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/Skein.zip Skein.zip])<br />
** round 2: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/documents/Skein_Round2.zip Skein_Round2.zip]<br />
<br />
<br />
<bibtex><br />
@misc{sha3F+09,<br />
author = {Niels Ferguson and Stefan Lucks and Bruce Schneier and Doug Whiting and Mihir Bellare and Tadayoshi Kohno and Jon Callas and Jesse Walker},<br />
title = {The Skein Hash Function Family},<br />
url = {http://www.skein-hash.info/sites/default/files/skein1.2.pdf},<br />
howpublished = {Submission to NIST (Round 2)},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{sha3F+08,<br />
author = {Niels Ferguson and Stefan Lucks and Bruce Schneier and Doug Whiting and Mihir Bellare and Tadayoshi Kohno and Jon Callas and Jesse Walker},<br />
title = {The Skein Hash Function Family},<br />
url = {http://www.skein-hash.info/sites/default/files/skein.pdf},<br />
howpublished = {Submission to NIST (Round 1)},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
<br />
== Cryptanalysis ==<br />
<br />
We distinguish between two cases: results on the complete hash function, and results on underlying building blocks.<br />
<br />
A description of the tables is given [http://ehash.iaik.tugraz.at/wiki/Cryptanalysis_Categories#Individual_Hash_Function_Tables here].<br />
<br />
Recommended security parameter: '''72''' rounds<br />
<br />
=== Hash function ===<br />
<br />
Here we list results on the hash function according to the NIST requirements. The only allowed modification is to change the security parameter.<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Size (n) || Parameters || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| || || || || ||<br />
|- <br />
|}<br />
<br />
=== Building blocks ===<br />
<br />
Here we list results on underlying building blocks, and the hash function modified by other means than the security parameter.<br />
<br />
Note that these results assume more direct control or access over some internal variables (aka. free-start, pseudo, compression function, block cipher, or permutation attacks). <br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements || Reference <br />
|-<br />
|- <br />
| observations || block cipher || all || - || - || - || [http://eprint.iacr.org/2010/282.pdf McCay,Vora]<br />
|-<br />
| observations || compression function || all || - || - || - || [http://eprint.iacr.org/2010/262.pdf Kaminsky]<br />
|-<br />
| key recovery || block cipher || 256 || 39 rounds || 2<sup>254.1</sup> || - || [http://cryptolux.org/mediawiki/uploads/5/5b/Rotational_Cryptanalysis_of_Skein.pdf Khovratovich,Nikolic]<br />
|-<br />
| key recovery || block cipher || 512 || 42 rounds|| 2<sup>507</sup> || - || [http://cryptolux.org/mediawiki/uploads/5/5b/Rotational_Cryptanalysis_of_Skein.pdf Khovratovich,Nikolic]<br />
|- <br />
| key recovery || block cipher || 512 || 32 rounds (Round 1) || 2<sup>226</sup> (2<sup>222</sup>) || 2<sup>12</sup> || [http://eprint.iacr.org/2009/526.pdf Chen,Jia]<br />
|- <br />
| key recovery || block cipher || 512 || 33 rounds (Round 1) || 2<sup>352.17</sup> (2<sup>355.5</sup>) || - || [http://eprint.iacr.org/2009/526.pdf Chen,Jia]<br />
|-<br />
| near collision || compression function || 512 || 17 rounds (Round 1) || 2<sup>24</sup> || - || [http://eprint.iacr.org/2009/438.pdf Aumasson,Calik,Meier,Ozen,Phan,Varici]<br />
|- <br />
| distinguisher || block cipher || 512 || 35 rounds (Round 1) || 2<sup>478</sup> || - || [http://eprint.iacr.org/2009/438.pdf Aumasson,Calik,Meier,Ozen,Phan,Varici]<br />
|- <br />
| impossible differential || block cipher || 512 || 21 rounds (Round 1) || - || - || [http://eprint.iacr.org/2009/438.pdf Aumasson,Calik,Meier,Ozen,Phan,Varici]<br />
|- <br />
| key recovery || block cipher || 512 || 32 rounds (Round 1) || 2<sup>312</sup> || - || [http://eprint.iacr.org/2009/438.pdf Aumasson,Calik,Meier,Ozen,Phan,Varici]<br />
|- <br />
|} <br />
<br />
<br />
<bibtex><br />
@misc{skeinMV10,<br />
author = {Kerry A. McKay and Poorvi L. Vora},<br />
title = {Pseudo-Linear Approximations for ARX Ciphers: With Application to Threefish},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/282},<br />
year = {2010},<br />
url = {http://eprint.iacr.org/2010/282.pdf},<br />
note = {\url{http://eprint.iacr.org/}},<br />
abstract = {The operations addition modulo 2^n and exclusive-or have recently been combined to obtain an efficient mechanism for nonlinearity in block cipher design. In this paper, we show that ciphers using this approach may be approximated by pseudo-linear expressions relating groups of contiguous bits of the round key, round input, and round output. The bias of an approximation can be large enough for known plaintext attacks. We demonstrate an application of this concept to a reduced-round version of the Threefish block cipher, a component of the Skein entry in the secure hash function competition.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{skeinKam10,<br />
author = {Alan Kaminsky},<br />
title = {Cube Test Analysis of the Statistical Behavior of CubeHash and Skein},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/262},<br />
year = {2010},<br />
url = {http://eprint.iacr.org/2010/262.pdf},<br />
note = {\url{http://eprint.iacr.org/}},<br />
abstract = {This work analyzes the statistical properties of the SHA-3 candidate cryptographic hash algorithms CubeHash and Skein to try to find nonrandom behavior. Cube tests were used to probe each algorithm's internal polynomial structure for a large number of choices of the polynomial input variables. The cube test data were calculated on a 40-core hybrid SMP cluster parallel computer. The cube test data were subjected to three statistical tests: balance, independence, and off-by-one. Although isolated statistical test failures were observed, the balance and off-by-one tests did not find nonrandom behavior overall in either CubeHash or Skein. However, the independence test did find nonrandom behavior overall in both CubeHash and Skein. }<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{skeinA+09,<br />
author = {Jean-Philippe Aumasson and Cagdas Calik and Willi Meier and Onur Ozen and Raphael C.-W. Phan and Kerem Varici},<br />
title = {Improved Cryptanalysis of Skein},<br />
howpublished = {Cryptology ePrint Archive, Report 2009/438},<br />
year = {2009},<br />
url = {http://eprint.iacr.org/2009/438.pdf},<br />
note = {\url{http://eprint.iacr.org/}},<br />
abstract={The hash function Skein is the submission of Ferguson et al. to the NIST Hash Competition, and is arguably a serious candidate for selection as SHA-3. This paper presents the first third-party analysis of Skein, with an extensive study of its main component: the block cipher Threefish. We notably investigate near collisions, distinguishers, impossible differentials, key recovery using related-key differential and boomerang attacks. In particular, we present near collisions on up to 17 rounds, an impossible differential on 21 rounds, a related-key boomerang distinguisher on 34 rounds, a known-related-key boomerang distinguisher on 35 rounds, and key recovery attacks on up to 32 rounds, out of 72 in total for Threefish-512. None of our attacks directly extends to the full Skein hash. However, the pseudorandomness of Threefish is required to validate the security proofs on Skein, and our results conclude that at least 36 rounds of Threefish seem required for optimal security guarantees.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{cryptoeprint:2009:526,<br />
author = {Jiazhe Chen and Keting Jia},<br />
title = {Improved Related-key Boomerang Attacks on Round-Reduced Threefish-512},<br />
howpublished = {Cryptology ePrint Archive, Report 2009/526},<br />
year = {2009},<br />
url = {http://eprint.iacr.org/2009/526.pdf},<br />
note = {\url{http://eprint.iacr.org/}},<br />
abstract = {Hash function Skein is one of the 14 NIST SHA-3 second round candidates. Threefish is a tweakable block cipher as the core of Skein, defined with a 256-, 512-, and 1024-bit block size. The 512-bit block size is the primary proposal of the authors. In this paper we construct two related-key boomerang distinguishers on round-reduced Threefish-512 using the method of \emph{modular differential}. With a distinguisher on 32 rounds of Threefish-512, we improve the key recovery attack on 32 rounds of Threefish-512 proposed by Aumasson et al. Their attack requires $2^{312}$ encryptions and $2^{71}$ bytes of memory. However, our attack has a time complexity of $2^{226}$ encryptions with memory of $2^{12}$ bytes. Furthermore, we give a key recovery attack on Threefish-512 reduced to 33 rounds using a 33-round related-key boomerang distinguisher, with $2^{352.17}$ encryptions and negligible memory. Skein had been updated after it entered the second round and the results above are based on the original version. However, as the only differences between the original and the new version are the rotation constants, both of the methods can be applied to the new version with modified differential trails. For the new rotation constants, our attack on 32-round Threefish-512 has a time complexity $2^{222}$ and $2^{12}$ bytes' memory. Our attack on 33-round Threefish-512 has a time complexity $2^{355.5}$ and negligible memory.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{cryptoeprint:2009:526,<br />
author = {Dmitry Khovratovich and Ivica Nikolic},<br />
title = {Rotational Cryptanalysis of ARX},<br />
howpublished = {Preproceedings of FSE 2010},<br />
year = {2010},<br />
url = {http://cryptolux.org/mediawiki/uploads/5/5b/Rotational_Cryptanalysis_of_Skein.pdf},<br />
abstract = {In this paper we analyze the security of systems based on<br />
modular additions, rotations, and XORs (ARX systems). We provide<br />
both theoretical support for their security and practical cryptanalysis of<br />
real ARX primitives. We use a technique called rotational cryptanalysis,<br />
that is universal for the ARX systems and is quite efficient. We illustrate<br />
the method with the best known attack on reduced versions of the block<br />
cipher Threefish (the core of Skein). Additionally, we prove that ARX<br />
with constants are functionally complete, i.e. any function can be realized<br />
with these operations.<br />
},<br />
}<br />
</bibtex><br />
<br />
=== Archive ===<br />
<br />
<bibtex><br />
@misc{SkeinAum09,<br />
author = {Jean-Philippe Aumasson and Willi Meier and Raphael Phan},<br />
title = {Improved analyis of Threefish},<br />
url = {http://131002.net/data/talks/threefish_rump.pdf},<br />
howpublished = {FSE 2009 rump session, slides available online},<br />
year = {2009},<br />
}<br />
</bibtex></div>
JAumasson
https://ehash.iaik.tugraz.at/index.php?title=BLAKE&diff=3490
BLAKE
2010-05-06T08:35:31Z
<p>JAumasson: corrected complexity of Guo/Matusiewicz result</p>
<hr />
<div>== The algorithm ==<br />
<br />
* Author(s): Jean-Philippe Aumasson, Luca Henzen, Willi Meier, Raphael C.-W. Phan<br />
* Website: [http://131002.net/blake/ http://131002.net/blake/]<br />
* NIST submission package: <br />
** round 1/2: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/documents/BLAKE_Round2.zip BLAKE_Round2.zip] (old versions: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/BLAKE.zip BLAKE.zip], [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/BLAKEUpdate.zip BLAKEUpdate.zip])<br />
<br />
<br />
<bibtex><br />
@misc{sha3AumassonHMP08,<br />
author = {Jean-Philippe Aumasson and Luca Henzen and Willi Meier and Raphael C.-W. Phan},<br />
title = {SHA-3 proposal BLAKE},<br />
url = {http://131002.net/blake/blake.pdf},<br />
howpublished = {Submission to NIST},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
<br />
== Cryptanalysis ==<br />
<br />
We distinguish between two cases: results on the complete hash function, and results on underlying building blocks.<br />
<br />
A description of the tables is given [http://ehash.iaik.tugraz.at/wiki/Cryptanalysis_Categories#Individual_Hash_Function_Tables here].<br />
<br />
Recommended security parameter: '''10''' rounds (n=224,256); '''14''' rounds (n=384,512)<br />
<br />
=== Hash function ===<br />
<br />
Here we list results on the hash function according to the NIST requirements. The only allowed modification is to change the security parameter.<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Size (n) || Parameters || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| preimage || 224,256 || 2.5 rounds || 2<sup>n-15</sup> || - || [http://eprint.iacr.org/2009/238.pdf Ji,Liangyu]<br />
|-<br />
| preimage || 384 || 2.5 rounds || 2<sup>355</sup> || - || [http://eprint.iacr.org/2009/238.pdf Ji,Liangyu]<br />
|-<br />
| preimage || 512 || 2.5 rounds || 2<sup>481</sup> || - || [http://eprint.iacr.org/2009/238.pdf Ji,Liangyu]<br />
|-<br />
|} <br />
<br />
<br />
=== Building blocks ===<br />
<br />
Here we list results on underlying building blocks, and the hash function modified by other means than the security parameter.<br />
<br />
Note that these results assume more direct control or access over some internal variables (aka. free-start, pseudo, compression function, block cipher, or permutation attacks). <br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements || Reference <br />
|-<br />
| impossible differential || permutation || 224,256 || 5 rounds || - || - || [http://eprint.iacr.org/2010/043.pdf Aumasson,Guo,Knellwolf,Matusiewicz,Meier]<br />
|-<br />
| impossible differential || permutation || 384,512 || 6 rounds || - || - || [http://eprint.iacr.org/2010/043.pdf Aumasson,Guo,Knellwolf,Matusiewicz,Meier]<br />
|-<br />
| near-collision || compression function || 256 || 4 rounds (nb. 3-6) || 2<sup>56</sup> || - || [http://www.jguo.org/docs/blake-col.pdf Guo,Matusiewicz]<br />
|-<br />
| free-start collision || hash || 224,256 || 2.5 rounds || 2<sup>n/2-16</sup> || - || [http://eprint.iacr.org/2009/238.pdf Ji,Liangyu]<br />
|-<br />
| free-start collision || hash || 384,512 || 2.5 rounds || 2<sup>n/2-32</sup> || - || [http://eprint.iacr.org/2009/238.pdf Ji,Liangyu]<br />
|-<br />
|} <br />
<br />
<br />
<br />
<br />
<bibtex><br />
@misc{cryptoeprint:2010:043,<br />
author = {Jean-Philippe Aumasson and Jian Guo and Simon Knellwolf<br />
and Krystian Matusiewicz and Willi Meier},<br />
title = {Differential and invertibility properties of BLAKE (full version)},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/043},<br />
year = {2010},<br />
url = {http://eprint.iacr.org/2010/043.pdf},<br />
abstract = {BLAKE is a hash function selected by NIST as one of<br />
the 14 second round candidates for the SHA-3 Competition. In this<br />
paper, we follow a bottom-up approach to exhibit properties of BLAKE<br />
and of its building blocks: based on differential properties of the<br />
internal function G, we show that a round of BLAKE is a permutation on<br />
the message space, and present an efficient inversion algorithm. For<br />
1.5 rounds we present an algorithm that finds preimages faster than in<br />
previous attacks. Discovered properties lead us to describe large<br />
classes of impossible differentials for two rounds of BLAKE’s internal<br />
permutation, and particular impossible differentials for five and six<br />
rounds, respectively for BLAKE- 32 and BLAKE-64. Then, using a linear<br />
and rotation-free model, we describe near-collisions for four rounds<br />
of the compression function. Finally, we discuss the problem of<br />
establishing upper bounds on the probability of differential<br />
characteristics for BLAKE.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{blakeGM09,<br />
author = {Jian Guo and Krystian Matusiewicz},<br />
title = {Round-Reduced Near-Collisions of BLAKE-32},<br />
url = {http://www.jguo.org/docs/blake-col.pdf},<br />
howpublished = {Available online},<br />
note = {Accepted for presentation at WEWoRC 2009},<br />
year = {2009}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{cryptoeprint:2009:238,<br />
author = {Li Ji and Xu Liangyu },<br />
title = {Attacks on Round-Reduced BLAKE},<br />
howpublished = {Cryptology ePrint Archive, Report 2009/238},<br />
year = {2009},<br />
note = {\url{http://eprint.iacr.org/}},<br />
url = {http://eprint.iacr.org/2009/238.pdf},<br />
abstract = {BLAKE is a new hash family proposed for SHA-3. The<br />
core of compression function reuses the core function of ChaCha. A<br />
round-dependent permutation is used as message schedule. BLAKE is<br />
claimed to achieve full diffusion after 2 rounds. However, message<br />
words can be controlled on the first several founds. By exploiting<br />
properties of message permutation, we can attack 2.5 reduced rounds.<br />
The results do not threat the security claimed in the specification.<br />
},<br />
}<br />
</bibtex></div>
JAumasson
https://ehash.iaik.tugraz.at/index.php?title=Groestl&diff=3489
Groestl
2010-04-30T07:43:48Z
<p>JAumasson: typo</p>
<hr />
<div>== The algorithm ==<br />
<br />
* Author(s): Praveen Gauravaram, Lars R. Knudsen, Krystian Matusiewicz, Florian Mendel, Christian Rechberger, Martin Schläffer, Søren S. Thomsen<br />
* Website: [http://www.groestl.info http://www.groestl.info]<br />
* NIST submission package: <br />
** round 1/2: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/documents/Grostl_Round2.zip Grostl_Round2.zip] (old version: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/Grostl.zip Grostl.zip])<br />
<br />
<br />
<bibtex><br />
@misc{sha3groestl,<br />
author = {Praveen Gauravaram and Lars R. Knudsen and Krystian Matusiewicz and Florian Mendel and Christian Rechberger and Martin Schläffer and Søren S. Thomsen},<br />
title = {Grøstl -- a SHA-3 candidate},<br />
url = {http://www.groestl.info/Groestl.pdf},<br />
howpublished = {Submission to NIST},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{sha3groestl,<br />
author = {Praveen Gauravaram and Lars R. Knudsen and Krystian Matusiewicz and Florian Mendel and Christian Rechberger and Martin Schläffer and Søren S. Thomsen},<br />
title = {Grøstl Addendum},<br />
url = {http://groestl.info/Groestl-addendum.pdf},<br />
howpublished = {Available online},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
== Cryptanalysis ==<br />
<br />
We distinguish between two cases: results on the complete hash function, and results on underlying building blocks.<br />
<br />
A description of the tables is given [http://ehash.iaik.tugraz.at/wiki/Cryptanalysis_Categories#Individual_Hash_Function_Tables here].<br />
<br />
Recommended security parameter: '''10''' rounds (n=224,256); '''14''' rounds (n=384,512)<br />
<br />
=== Hash function ===<br />
<br />
Here we list results on the hash function according to the NIST requirements. The only allowed modification is to change the security parameter.<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Size (n) || Parameters || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| collision || 224,256 || 4 rounds || 2<sup>64</sup> || 2<sup>64</sup> || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=128007&pCurrPk=47053 Mendel,Rechberger,Schläffer,Thomsen]<br />
|- <br />
| collision || 224,256 || 3 rounds || 2<sup>64</sup> || - || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=128007&pCurrPk=47053 Mendel,Rechberger,Schläffer,Thomsen]<br />
|- <br />
| collision || 384,512 || 5 rounds || 2<sup>176</sup> || 2<sup>64</sup> || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=128007&pCurrPk=47053 Mendel,Rechberger,Schläffer,Thomsen]<br />
|- <br />
| collision || 384,512 || 4 rounds || 2<sup>64</sup> || 2<sup>64</sup> || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=128007&pCurrPk=47053 Mendel,Rechberger,Schläffer,Thomsen]<br />
|- <br />
|} <br />
<br />
<br />
=== Building blocks ===<br />
<br />
Here we list results on underlying building blocks, and the hash function modified by other means than the security parameter.<br />
<br />
Note that these results assume more direct control or access over some internal variables (aka. free-start, pseudo, compression function, block cipher, or permutation attacks). <br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| distinguisher || compression function || 256 || 10 rounds || 2<sup>192</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/223.pdf Peyrin]<br />
|- <br />
| distinguisher || compression function || 256 || 9 rounds || 2<sup>80</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/223.pdf Peyrin]<br />
|- <br />
| distinguisher || compression function || 512 || 11 rounds || 2<sup>640</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2010/223.pdf Peyrin]<br />
|- <br />
| semi-free-start collision || compression function || 256 || 7 rounds || 2<sup>120</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2009/531.pdf Gilbert,Peyrin]<br />
|- <br />
| distinguisher || compression function || 256 || 8 rounds || 2<sup>112</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2009/531.pdf Gilbert,Peyrin]<br />
|- <br />
| distinguisher || permutation || 256 || 8 rounds || 2<sup>112</sup> || 2<sup>64</sup> || [http://eprint.iacr.org/2009/531.pdf Gilbert,Peyrin]<br />
|- <br />
| semi-free-start collision || compression function || 256 || 7 rounds || 2<sup>120</sup> || 2<sup>64</sup> || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=128007&pCurrPk=47053 Mendel,Rechberger,Schläffer,Thomsen]<br />
|- <br />
| semi-free-start collision || compression function|| 384,512 || 7 rounds || 2<sup>152</sup> || 2<sup>64</sup> || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=128007&pCurrPk=47053 Mendel,Rechberger,Schläffer,Thomsen]<br />
|- <br />
| semi-free-start collision || compression function || 224,256 || 6 rounds || 2<sup>64</sup> || 2<sup>64</sup> || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=124407&pCurrPk=44420 Mendel,Peyrin,Rechberger,Schläffer]<br />
|- <br />
| distinguisher || output transformation || 224,256 || 7 rounds || 2<sup>56</sup> || - || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=124407&pCurrPk=44420 Mendel,Peyrin,Rechberger,Schläffer]<br />
|- <br />
| distinguisher || permutation || 224,256 || 7 rounds || 2<sup>55</sup> || - || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=124407&pCurrPk=44420 Mendel,Peyrin,Rechberger,Schläffer]<br />
|- <br />
| semi-free-start collision || compression function || 256 || 6 rounds || 2<sup>120</sup> || 2<sup>64</sup> || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=124409&pCurrPk=40943 Mendel,Rechberger,Schläffer,Thomsen]<br />
|- <br />
| semi-free-start collision || compression function || 224,256 || 5 rounds || 2<sup>64</sup> || - || [http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=124409&pCurrPk=40943 Mendel,Rechberger,Schläffer,Thomsen]<br />
|- <br />
| observation || hash || all || || || || [http://ehash.iaik.tugraz.at/uploads/d/d0/Grostl-comment-april28.pdf Kelsey]<br />
|- <br />
| observation || block cipher || all || || || || [http://www.larc.usp.br/~pbarreto/Grizzly.pdf Barreto]<br />
|- <br />
| free-start collision || compression function || all || any || 2<sup>2n/3</sup> || 2<sup>2n/3</sup> || [http://www.groestl.info/Groestl.pdf submission document]<br />
|- <br />
| pseudo-preimage || compression function || all || any || 2<sup>n</sup> || - || [http://www.groestl.info/Groestl.pdf submission document]<br />
|- <br />
|}<br />
<br />
<br />
<bibtex> <br />
@misc{Pey10,<br />
author = {Thomas Peyrin},<br />
title = {Improved Differential Attacks for ECHO and Grostl},<br />
howpublished = {Cryptology ePrint Archive, Report 2010/223},<br />
year = {2010},<br />
note = {\url{http://eprint.iacr.org/}},<br />
abstract = {We present improved cryptanalysis of two second-round SHA-3 candidates: the AES-based hash functions ECHO and Grostl. We explain methods for building better differential trails for ECHO by increasing the granularity of the truncated differential paths previously considered. In the case of Grostl, we describe a new technique, the internal differential attack, which shows that when using parallel computations designers should also consider the differential security between the parallel branches. Then, we exploit the recently introduced start-from-the-middle or Super-Sbox attacks, that proved to be very efficient when attacking AES-like permutations, to achieve a very efficient utilization of the available freedom degrees. Finally, we obtain the best known attacks so far for both ECHO and Grostl. In particular, we are able to mount a distinguishing attack for the full Grostl-256 compression function.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{fseGP10,<br />
author = {Henri Gilbert and Thomas Peyrin},<br />
title = {Super-Sbox Cryptanalysis: Improved Attacks for AES-like permutations},<br />
url = {http://eprint.iacr.org/2009/531.pdf},<br />
booktitle = {FSE},<br />
year = {2010},<br />
series = {LNCS},<br />
publisher = {Springer},<br />
note = {To appear}<br />
abstract = {In this paper, we improve the recent rebound and start-from-the-middle attacks on AES-like permutations. Our new cryptanalysis technique uses the fact that one can view two rounds of such permutations as a layer of big Sboxes preceded and followed by simple affine transformations. The big Sboxes encountered in this alternative representation are named Super-Sboxes. We apply this method to two second-round SHA-3 candidates Grostl and ECHO, and obtain improvements over the previous cryptanalysis results for these two schemes. Moreover, we improve the best distinguisher for the AES block cipher in the known-key setting, reaching 8 rounds for the 128-bit version.}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{ctrsaMRST10,<br />
author = {Florian Mendel and Christian Rechberger and Martin Schläffer and Søren S. Thomsen},<br />
title = {Rebound Attacks on the Reduced Grøstl Hash Function},<br />
url = {http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=128007&pCurrPk=47053},<br />
booktitle = {CT-RSA},<br />
year = {2010},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {5985},<br />
pages = {350-365},<br />
abstract = {Grøstl is one of 14 second round candidates of the<br />
NIST SHA-3 competition. Cryptanalytic results on the wide-pipe compression<br />
function of Grøstl-256 have already been published. However, little is known<br />
about the hash function, arguably a much more interesting cryptanalytic<br />
setting. Also, Grøstl-512 has not been analyzed yet. In this paper, we show<br />
the first cryptanalytic attacks on reduced-round versions of the Grøstl hash<br />
functions. These results are obtained by several extensions of the rebound<br />
attack. We present a collision attack on 4/10 rounds of the Grøstl-256 hash<br />
function and 5/14 rounds of the Grøstl-512 hash functions. Additionally, we<br />
give the best collision attack for reduced-round (7/10 and 7/14) versions of the<br />
compression function of Grøstl-256 and Grøstl-512.}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{sacMPRS09,<br />
author = {Florian Mendel and Thomas Peyrin and Christian<br />
Rechberger and Martin Schläffer},<br />
title = {Improved Cryptanalysis of the Reduced Grøstl<br />
Compression Function, ECHO Permutation and AES Block Cipher},<br />
url = {http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=124407&pCurrPk=44420},<br />
booktitle = {SAC},<br />
year = {2009},<br />
series = {LNCS},<br />
publisher = {Springer},<br />
volume = {5867},<br />
pages = {16-35},<br />
abstract = {In this paper, we propose two new ways to mount attacks<br />
on the SHA-3 candidates Gr{\o}stl, and ECHO, and apply these attacks<br />
also to the AES. Our results improve upon and extend the rebound<br />
attack. Using the new techniques, we are able to extend the number of<br />
rounds in which available degrees of freedom can be used. As a result,<br />
we present the first attack on 7 rounds for the Gr{\o}stl-256 output<br />
transformation and improve the semi-free-start collision attack on 6<br />
rounds. Further, we present an improved known-key distinguisher for 7<br />
rounds of the AES block cipher and the internal permutation used in<br />
ECHO.}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{fseMRST09,<br />
author = {Florian Mendel and Christian Rechberger and Martin Schläffer and Søren S. Thomsen},<br />
title = {The Rebound Attack: Cryptanalysis of Reduced Whirlpool and Grøstl},<br />
url = {http://online.tu-graz.ac.at/tug_online/voe_main2.getVollText?pDocumentNr=124409&pCurrPk=40943},<br />
booktitle = {FSE},<br />
editor = {Orr Dunkelman},<br />
year = {2009},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {5665},<br />
pages = {260-276},<br />
abstract = {In this work, we propose the rebound attack, a new tool<br />
for the cryptanalysis of hash functions. The idea of the rebound<br />
attack is to use the available degrees of freedom in a collision<br />
attack to efficiently bypass the low probability parts of a<br />
differential trail. The rebound attack consists of an inbound phase<br />
with a match-in-the-middle part to exploit the available degrees of<br />
freedom, and a subsequent probabilistic outbound phase. Especially on<br />
AES based hash functions, the rebound attack leads to new attacks for<br />
a surprisingly high number of<br />
rounds.<br />
We use the rebound attack to construct collisions for 4.5 rounds of<br />
the 512-bit hash function Whirlpool with a complexity of $2^{120}$<br />
compression function evaluations and negligible memory requirements.<br />
The attack can be extended to a near-collision on 7.5 rounds of the<br />
compression function of Whirlpool and 8.5 rounds of the similar hash<br />
function Maelstrom. Additionally, we apply the rebound attack to the<br />
SHA-3 submission Gr{\o}stl, which leads to an attack on 6 rounds of<br />
the Gr{\o}stl-256 compression function with a complexity of $2^{120}$<br />
and memory requirements of about $2^{64}$.}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{groestlK09,<br />
author = {John Kelsey},<br />
title = {Some notes on Grøstl},<br />
url = {http://ehash.iaik.tugraz.at/uploads/d/d0/Grostl-comment-april28.pdf},<br />
howpublished = {Available online},<br />
year = {2009},<br />
abstract = {These are some quick notes on some properties and<br />
observations of Grøstl. Nothing in this note threatens the hash<br />
function; instead, I'm pointing out some properties that are a bit<br />
surprising, and some broad approaches someone might take to get<br />
attacks to work.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{groestlB08,<br />
author = {Paulo S. L. M. Barreto},<br />
title = {An observation on Grøstl},<br />
url = {http://www.larc.usp.br/~pbarreto/Grizzly.pdf},<br />
howpublished = {Available online},<br />
year = {2008},<br />
abstract = {An alternative view of the Groestl SHA-3 submission is<br />
presented. It does not lead to an effective attack nor reveals a<br />
weakness in the design, but illustrates the importance of the<br />
double-width pipe in this construction.},<br />
}<br />
</bibtex></div>
JAumasson
https://ehash.iaik.tugraz.at/index.php?title=Fugue&diff=3488
Fugue
2010-04-30T07:00:40Z
<p>JAumasson: typo</p>
<hr />
<div>== The algorithm ==<br />
<br />
* Author(s): Shai Halevi and William E. Hall and Charanjit S. Jutla<br />
* Website: [http://domino.research.ibm.com/comm/research_projects.nsf/pages/fugue.index.html http://domino.research.ibm.com/comm/research_projects.nsf/pages/fugue.index.html]<br />
* NIST submission package: <br />
** round 1/2: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/documents/Fugue_Round2_Update.zip Fugue_Round2_Update.zip] (old versions: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/Fugue.zip Fugue.zip], [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/FugueUpdate.zip FugueUpdate.zip], [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/documents/Fugue_Round2.zip Fugue_Round2.zip])<br />
<br />
<br />
<bibtex><br />
@misc{sha3Halevi09,<br />
author = {Shai Halevi and William E. Hall and Charanjit S. Jutla},<br />
title = {The Hash Function Fugue},<br />
url = {http://domino.research.ibm.com/comm/research_projects.nsf/pages/fugue.index.html/$FILE/fugue_09.pdf},<br />
howpublished = {Submission to NIST (updated)},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{sha3Halevi08,<br />
author = {Shai Halevi and William E. Hall and Charanjit S. Jutla},<br />
title = {The Hash Function Fugue},<br />
url = {http://domino.research.ibm.com/comm/research_projects.nsf/pages/fugue.index.html/$FILE/NIST-submission-Oct08-fugue.pdf},<br />
howpublished = {Submission to NIST},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
<br />
== Cryptanalysis ==<br />
<br />
We distinguish between two cases: results on the complete hash function, and results on underlying building blocks.<br />
<br />
A description of the tables is given [http://ehash.iaik.tugraz.at/wiki/Cryptanalysis_Categories#Individual_Hash_Function_Tables here].<br />
<br />
Recommended security parameters: (k,r,t) = '''(2,5,13)''' for (n=224,256); (k,r,t) = '''(3,5,13)''' for (n=384); (k,r,t) = '''(4,8,13)''' for (n=512)<br />
<br />
=== Hash function ===<br />
<br />
Here we list results on the hash function according to the NIST requirements. The only allowed modification is to change the security parameter.<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Size (n) || Parameters || Compression Function Calls || Memory Requirements || Reference <br />
|-<br />
| || |||| || || <br />
|- <br />
|} <br />
<br />
<br />
=== Building blocks ===<br />
<br />
Here we list results on underlying building blocks, and the hash function modified by other means than the security parameter.<br />
<br />
Note that these results assume more direct control or access over some internal variables (aka. free-start, pseudo, compression function, block cipher, or permutation attacks).<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| internal collision || hash function || 256 || (2,5,13) || 2<sup>352</sup> || 2<sup>352</sup> || [http://cryptolux.org/mediawiki/uploads/9/99/Struct2.pdf Khovratovich]<br />
|-<br />
| internal collision || hash function || 512 || (4,8,13) || 2<sup>480</sup> || 2<sup>480</sup> || [http://cryptolux.org/mediawiki/uploads/9/99/Struct2.pdf Khovratovich]<br />
|- <br />
|}<br />
<br />
<br />
<bibtex><br />
@misc{sacKhovratovich09,<br />
author = {Dmitry Khovratovich},<br />
title = {Cryptanalysis of hash functions with structures},<br />
howpublished = {Proceedings of Selected Areas in Cryptography},<br />
year = {2009},<br />
url = {http://cryptolux.org/mediawiki/uploads/9/99/Struct2.pdf},<br />
abstract = {Hash function cryptanalysis has acquired many methods,<br />
tools and tricks from other areas, mostly block ciphers. In this paper<br />
another trick from block cipher cryptanalysis, the structures, is used for<br />
speeding up the collision search. We investigate the memory and the time<br />
complexities of this approach under different assumptions on the round<br />
functions. The power of the new attack is illustrated with the crypt-<br />
analysis of the hash functions Grindahl and the analysis of the SHA-3<br />
candidate Fugue (both functions as 256 and 512 bit versions). The collision attack on Grindahl-512 is the first collision attack on this function.<br />
},<br />
}<br />
</bibtex></div>
JAumasson
https://ehash.iaik.tugraz.at/index.php?title=Fugue&diff=3487
Fugue
2010-04-29T07:39:57Z
<p>JAumasson: moved DK's results to the bottom table (as isnt "according to NIST's req..").</p>
<hr />
<div>== The algorithm ==<br />
<br />
* Author(s): Shai Halevi and William E. Hall and Charanjit S. Jutla<br />
* Website: [http://domino.research.ibm.com/comm/research_projects.nsf/pages/fugue.index.html http://domino.research.ibm.com/comm/research_projects.nsf/pages/fugue.index.html]<br />
* NIST submission package: <br />
** round 1/2: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/documents/Fugue_Round2_Update.zip Fugue_Round2_Update.zip] (old versions: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/Fugue.zip Fugue.zip], [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/FugueUpdate.zip FugueUpdate.zip], [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/documents/Fugue_Round2.zip Fugue_Round2.zip])<br />
<br />
<br />
<bibtex><br />
@misc{sha3Halevi09,<br />
author = {Shai Halevi and William E. Hall and Charanjit S. Jutla},<br />
title = {The Hash Function Fugue},<br />
url = {http://domino.research.ibm.com/comm/research_projects.nsf/pages/fugue.index.html/$FILE/fugue_09.pdf},<br />
howpublished = {Submission to NIST (updated)},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{sha3Halevi08,<br />
author = {Shai Halevi and William E. Hall and Charanjit S. Jutla},<br />
title = {The Hash Function Fugue},<br />
url = {http://domino.research.ibm.com/comm/research_projects.nsf/pages/fugue.index.html/$FILE/NIST-submission-Oct08-fugue.pdf},<br />
howpublished = {Submission to NIST},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
<br />
== Cryptanalysis ==<br />
<br />
We distinguish between two cases: results on the complete hash function, and results on underlying building blocks.<br />
<br />
A description of the tables is given [http://ehash.iaik.tugraz.at/wiki/Cryptanalysis_Categories#Individual_Hash_Function_Tables here].<br />
<br />
Recommended security parameters: (k,r,t) = '''(2,5,13)''' for (n=224,256); (k,r,t) = '''(3,5,13)''' for (n=384); (k,r,t) = '''(4,8,13)''' for (n=512)<br />
<br />
=== Hash function ===<br />
<br />
Here we list results on the hash function according to the NIST requirements. The only allowed modification is to change the security parameter.<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Size (n) || Parameters || Compression Function Calls || Memory Requirements || Reference <br />
|-<br />
| || |||| || || <br />
|- <br />
|} <br />
<br />
<br />
=== Building blocks ===<br />
<br />
Here we list results on underlying building blocks, and the hash function modified by other means than the security parameter.<br />
<br />
Note that these results assume more direct control or access over some internal variables (aka. free-start, pseudo, compression function, block cipher, or permutation attacks).<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| internal collision || hash functoin || 256 || (2,5,13) || 2<sup>352</sup> || 2<sup>352</sup> || [http://cryptolux.org/mediawiki/uploads/9/99/Struct2.pdf Khovratovich]<br />
|-<br />
| internal collision || hash function || 512 || (4,8,13) || 2<sup>480</sup> || 2<sup>480</sup> || [http://cryptolux.org/mediawiki/uploads/9/99/Struct2.pdf Khovratovich]<br />
|- <br />
|}<br />
<br />
<br />
<bibtex><br />
@misc{sacKhovratovich09,<br />
author = {Dmitry Khovratovich},<br />
title = {Cryptanalysis of hash functions with structures},<br />
howpublished = {Proceedings of Selected Areas in Cryptography},<br />
year = {2009},<br />
url = {http://cryptolux.org/mediawiki/uploads/9/99/Struct2.pdf},<br />
abstract = {Hash function cryptanalysis has acquired many methods,<br />
tools and tricks from other areas, mostly block ciphers. In this paper<br />
another trick from block cipher cryptanalysis, the structures, is used for<br />
speeding up the collision search. We investigate the memory and the time<br />
complexities of this approach under different assumptions on the round<br />
functions. The power of the new attack is illustrated with the crypt-<br />
analysis of the hash functions Grindahl and the analysis of the SHA-3<br />
candidate Fugue (both functions as 256 and 512 bit versions). The collision attack on Grindahl-512 is the first collision attack on this function.<br />
},<br />
}<br />
</bibtex></div>
JAumasson
https://ehash.iaik.tugraz.at/index.php?title=Shabal&diff=3486
Shabal
2010-04-29T07:21:53Z
<p>JAumasson: correct placement of rec sec par</p>
<hr />
<div>== The algorithm ==<br />
<br />
* Author(s): Emmanuel Bresson, Anne Canteaut, Benoît Chevallier-Mames, Christophe Clavier, Thomas Fuhr, Aline Gouget, Thomas Icart, Jean-François Misarsky, Marìa Naya-Plasencia, Pascal Paillier, Thomas Pornin, Jean-René Reinhard, Céline Thuillet, Marion Videau<br />
* Website: http://www.shabal.com/<br />
* NIST submission package: <br />
** round 1/2: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/documents/Shabal_Round2.zip Shabal_Round2.zip] (old version: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/Shabal.zip Shabal.zip])<br />
<br />
<br />
<bibtex><br />
@misc{sha3CanteautCGPP08,<br />
author = {Emmanuel Bresson and Anne Canteaut and Benoît Chevallier-Mames and Christophe Clavier and Thomas Fuhr and Aline Gouget and Thomas Icart and Jean-François Misarsky and Marìa Naya-Plasencia and Pascal Paillier and Thomas Pornin and Jean-René Reinhard and Céline Thuillet and Marion Videau},<br />
title = {Shabal, a Submission to NIST’s Cryptographic Hash Algorithm Competition},<br />
url = {http://ehash.iaik.tugraz.at/uploads/6/6c/Shabal.pdf},<br />
howpublished = {Submission to NIST},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{cryptoeprint:2009:199,<br />
author = {Emmanuel Bresson and Anne Canteaut and Benoît Chevallier-Mames and Christophe Clavier and Thomas Fuhr and Aline Gouget and Thomas Icart and Jean-François Misarsky and Marìa Naya-Plasencia and Pascal Paillier and Thomas Pornin and Jean-René Reinhard and Céline Thuillet and Marion Videau},<br />
title = {Indifferentiability with Distinguishers: Why Shabal Does Not Require Ideal Ciphers},<br />
howpublished = {Cryptology ePrint Archive, Report 2009/199},<br />
year = {2009},<br />
url = {http://eprint.iacr.org/2009/199.pdf},<br />
abstract = {Shabal is based on a new provably secure mode of operation. Some related-key distinguishers for the underlying keyed permutation have been exhibited recently by Aumasson et al. and Knudsen et al., but with no visible impact on the security of Shabal. This paper then aims at extensively studying such distinguishers for the keyed permutation used in Shabal, and at clarifying the impact that they exert on the security of the full hash function. Most interestingly, a new security proof for Shabal's mode of operation is provided where the keyed permutation is not assumed to be an ideal cipher anymore, but observes a distinguishing property i.e., an explicit relation verified by all its inputs and outputs. As a consequence of this extended proof, all known distinguishers for the keyed permutation are proven not to weaken the security of Shabal. In our study, we provide the foundation of a generalization of the indifferentiability framework to biased random primitives, this part being of independent interest.},<br />
}<br />
</bibtex><br />
<br />
<br />
== Cryptanalysis ==<br />
<br />
We distinguish between two cases: results on the complete hash function, and results on underlying building blocks.<br />
<br />
A description of the tables is given [http://ehash.iaik.tugraz.at/wiki/Cryptanalysis_Categories#Individual_Hash_Function_Tables here].<br />
<br />
Recommended security parameters: (p,r)='''(3,12)'''<br />
<br />
=== Hash function ===<br />
<br />
Here we list results on the hash function according to the NIST requirements. The only allowed modification is to change the security parameter.<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Size (n) || Parameters || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| || || || || ||<br />
|- <br />
|}<br />
<br />
=== Building blocks ===<br />
<br />
Here we list results on underlying building blocks, and the hash function modified by other means than the security parameter.<br />
<br />
Note that these results assume more direct control or access over some internal variables (aka. free-start, pseudo, compression function, block cipher, or permutation attacks). <br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| | non-randomness<sup>(1)</sup> || permutation || all || || 2<sup>12</sup> || || [http://131002.net/data/papers/Aum09.pdf Aumasson]<br />
|- <br />
| | non-randomness<sup>(1)</sup> || permutation || all || || 1 || || [http://www.mat.dtu.dk/people/S.Thomsen/shabal/shabal.pdf Knudsen,Matusiewicz,Thomsen]<br />
|- <br />
| | non-randomness<sup>(1)</sup> || permutation || all || || 2 || || [http://131002.net/data/papers/AMM09.pdf Aumasson,Mashatan,Meier]<br />
|- <br />
| | non-randomness || permutation || all || || 2<sup>159</sup> || || [http://gva.noekeon.org/papers/ShabalRotation.pdf Van Assche]<br />
|- <br />
|} <br />
<sup>(1)</sup>The Shabal team commented on these analyses and provide an update of their security proofs in [http://eprint.iacr.org/2009/199.pdf this note].<br />
<br />
<br />
<br />
<bibtex><br />
@misc{shabalAum09,<br />
author = {Jean-Philippe Aumasson},<br />
title = {On the pseudorandomness of Shabal's keyed permutation},<br />
url = {http://131002.net/data/papers/Aum09.pdf},<br />
howpublished = {Available online},<br />
year = {2009},<br />
abstract = {<br />
We report observations suggesting that the permutation used in<br />
Shabal does not behave pseudorandomly. This does not affect the<br />
security of Shabal as submitted to the NIST Hash Competition.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{shabalKMT09,<br />
author = {Lars R. Knudsen and Krystian Matusiewicz and Søren S. Thomsen},<br />
title = {Observations on the Shabal keyed permutation},<br />
url = {http://www.mat.dtu.dk/people/S.Thomsen/shabal/shabal.pdf },<br />
howpublished = {OFFICIAL COMMENT},<br />
year = {2009},<br />
abstract = {<br />
In this note we show that the permutation P used in the Shabal hash function, which is<br />
a candidate in the SHA-3 competition, has some non-random properties. As an example,<br />
it is easy to find a number of fixed points in the permutation. Moreover, large key-multicollisions<br />
can be easily found; these are multi-collisions where only the key input contains<br />
a difference. All observations are easily verified, and most of them are independent of the<br />
choice of security parameters. Our observations, on the other hand, do not seem extensible<br />
to the full hash function.<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{shabalAum09a,<br />
author = {Jean-Philippe Aumasson and Atefeh Mashatan and Willi Meier},<br />
title = {More on Shabal's permutation},<br />
url = {http://131002.net/data/papers/AMM09.pdf},<br />
howpublished = {OFFICIAL COMMENT},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{shabalVA10,<br />
author = {Gilles Van Assche},<br />
title = {A rotational distinguisher on Shabal's keyed permutation and its impact on the security proofs},<br />
url = {http://gva.noekeon.org/papers/ShabalRotation.pdf},<br />
howpublished = {Available online},<br />
year = {2010},<br />
abstract = {In this short note, we apply a rotational distinguisher to the keyed permutation of the SHA-3 candidate Shabal. We then discuss its applicability in the scope of Shabal's mode of operation and its impact on the security proofs.},<br />
}<br />
</bibtex></div>
JAumasson
https://ehash.iaik.tugraz.at/index.php?title=SHAvite-3&diff=3485
SHAvite-3
2010-04-29T07:21:11Z
<p>JAumasson: correct placement of rec sec par</p>
<hr />
<div>== The algorithm ==<br />
<br />
* Author(s): Eli Biham and Orr Dunkelman<br />
* Website: [http://www.cs.technion.ac.il/~orrd/SHAvite-3/ http://www.cs.technion.ac.il/~orrd/SHAvite-3/]<br />
* NIST submission package:<br />
** round 1: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/SHAvite3Update.zip SHAvite3Update.zip] (old version: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/SHAvite-3.zip SHAvite-3.zip])<br />
** round 2: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/documents/SHAvite-3_Round2.zip SHAvite-3_Round2.zip]<br />
<br />
<br />
<bibtex><br />
@misc{sha3BihamD09,<br />
author = {Eli Biham and Orr Dunkelman},<br />
title = {The SHAvite-3 Hash Function},<br />
url = {http://www.cs.technion.ac.il/~orrd/SHAvite-3/Spec.15.09.09.pdf},<br />
howpublished = {Submission to NIST (Round 2)},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{sha3BihamD08,<br />
author = {Eli Biham and Orr Dunkelman},<br />
title = {The SHAvite-3 Hash Function},<br />
url = {http://ehash.iaik.tugraz.at/uploads/f/f5/Shavite.pdf},<br />
howpublished = {Submission to NIST (Round 1)},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
<br />
== Cryptanalysis ==<br />
<br />
We distinguish between two cases: results on the complete hash function, and results on underlying building blocks.<br />
<br />
A description of the tables is given [http://ehash.iaik.tugraz.at/wiki/Cryptanalysis_Categories#Individual_Hash_Function_Tables here].<br />
<br />
Recommended security parameter: '''12''' rounds (n=224,256); '''14''' rounds (n=384,512)<br />
<br />
=== Hash function ===<br />
<br />
Here we list results on the hash function according to the NIST requirements. The only allowed modification is to change the security parameter.<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Size (n) || Parameters || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| second preimage || 512 || 10 rounds || 2<sup>497</sup> || 2<sup>16</sup> || [http://online.tu-graz.ac.at/tug_online/voe_main2.getvolltext?pCurrPk=49974 Gauravaram et al.]<br />
|- <br />
| second preimage || 512 || 9 rounds || 2<sup>496</sup> || 2<sup>16</sup> || [http://eprint.iacr.org/2009/634.pdf Bouillaguet et al.]<br />
|- <br />
|} <br />
<br />
<br />
=== Building blocks ===<br />
<br />
Here we list results on underlying building blocks, and the hash function modified by other means than the security parameter.<br />
<br />
Note that these results assume more direct control or access over some internal variables (aka. free-start, pseudo, compression function, block cipher, or permutation attacks). <br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| pseudo-preimage || compression || 512 || 14 rounds || 2<sup>384+s</sup> || 2<sup>128-s</sup> || [http://online.tu-graz.ac.at/tug_online/voe_main2.getvolltext?pCurrPk=49974 Gauravaram et al.]<br />
|- <br />
| pseudo-collision || compression || 512 || 14 rounds || 2<sup>192</sup> || 2<sup>128</sup> || [http://online.tu-graz.ac.at/tug_online/voe_main2.getvolltext?pCurrPk=49974 Gauravaram et al.]<br />
|- <br />
| pseudo-collision || compression || all || full (Round 1) || || || [http://ehash.iaik.tugraz.at/uploads/e/ea/Peyrin-SHAvite-3.txt Peyrin]<br />
|- <br />
| pseudo-collision || compression || 256 || full (Round 1) || || || [http://ehash.iaik.tugraz.at/uploads/5/5c/NandiP-SHAvite-3.txt Nandi,Paul]<br />
|-<br />
| impossible differential || block cipher || 224,256 || 5 rounds || - || - || [http://www.cs.technion.ac.il/~orrd/SHAvite-3/Spec.15.09.09.pdf submission document]<br />
|-<br />
| impossible differential || block cipher || 384,512 || 9 rounds || - || - || [http://www.cs.technion.ac.il/~orrd/SHAvite-3/Spec.15.09.09.pdf submission document]<br />
|-<br />
|} <br />
<br />
<br />
<bibtex><br />
@inproceedings{africacryptGauravaramLMNPRS10,<br />
author = {Praveen Gauravaram and Gaëtan Leurent and Florian Mendel and Maria Naya-Plasencia and Thomas Peyrin and Christian Rechberger and Martin Schläffer},<br />
title = {Cryptanalysis of the 10-Round Hash and Full Compression Function of SHAvite-3-512},<br />
booktitle = {Africacrypt},<br />
year = {2010},<br />
editor = {Daniel J. Bernstein and Tanja Lange},<br />
volume = {6055},<br />
series = {LNCS},<br />
pages = {419 - 436},<br />
publisher = {Springer},<br />
url= {http://online.tu-graz.ac.at/tug_online/voe_main2.getvolltext?pCurrPk=49974},<br />
abstract = {In this paper, we analyze the SHAvite-3-512 hash function, as proposed and tweaked for round 2 of the SHA-3 competition. We present cryptanalytic results on 10 out of 14 rounds of the hash function SHAvite-3-512, and on the full 14 round compression function of SHAvite-3-512. We show a second preimage attack on the hash function reduced to 10 rounds with a complexity of $2^{497}$ compression function evaluations and $2^{16}$ memory. For the full 14-round compression function, we give a chosen counter, chosen salt preimage attack with $2^{384}$ compression function evaluations and $2^{128}$ memory (or complexity $2^{448}$ without memory), and a collision attack with $2^{192}$ compression function evaluations and $2^{128}$ memory.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{cryptoeprint:2009:634,<br />
author = {Charles Bouillaguet and Orr Dunkelman and Gaëtan Leurent and Pierre-Alain Fouque},<br />
title = {Attacks on Hash Functions based on Generalized Feistel - Application to Reduced-Round Lesamnta and SHAvite-3_{512}},<br />
howpublished = {Cryptology ePrint Archive, Report 2009/634},<br />
year = {2009},<br />
url= {http://eprint.iacr.org/2009/634.pdf},<br />
abstract = {In this paper we study the strength of two hash functions which are based on Generalized Feistels. Our proposed attacks themselves are mostly independent of the round function in use, and can be applied to similar hash functions which share the same structure but have different round functions.<br />
<br />
We start with a 22-round generic attack on the structure of Lesamnta, and adapt it to the actual round function to attack 24-round Lesamnta. We then show a generic integral attack on 20-round Lesamnta (which can be used against the block cipher itself). We follow with an attack on 9-round SHAvite-3_{512} which is the first cryptanalytic result on the hash function (which also works for the tweaked version of SHAvite-3_{512}).},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{Peyrin-SHAvite-3,<br />
author = {Thomas Peyrin},<br />
title = {Chosen-salt, chosen-counter, pseudo-collision on SHAvite-3 compression function},<br />
url = {http://ehash.iaik.tugraz.at/uploads/e/ea/Peyrin-SHAvite-3.txt},<br />
howpublished = {Available online},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{NandiP-SHAvite-3,<br />
author = {Mridul Nandi and Souradyuti Paul},<br />
title = {OFFICIAL COMMENT: SHAvite-3},<br />
url = {http://ehash.iaik.tugraz.at/uploads/5/5c/NandiP-SHAvite-3.txt},<br />
howpublished = {Available online},<br />
year = {2009},<br />
}<br />
</bibtex></div>
JAumasson
https://ehash.iaik.tugraz.at/index.php?title=SIMD&diff=3484
SIMD
2010-04-29T07:20:43Z
<p>JAumasson: correct placement of rec sec par</p>
<hr />
<div>== The algorithm ==<br />
<br />
* Author(s): Gaëtan Leurent, Charles Bouillaguet, Pierre-Alain Fouque <br />
* Website: [http://www.di.ens.fr/~leurent/simd.html http://www.di.ens.fr/~leurent/simd.html]<br />
* NIST submission package: <br />
** round 1: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/SIMDUpdate.zip SIMDUpdate.zip] (old version: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/SIMD.zip SIMD.zip])<br />
** round 2: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/documents/SIMD_Round2.zip SIMD_Round2.zip]<br />
<br />
<br />
<bibtex><br />
@misc{sha3LBF09,<br />
author = {Gaëtan Leurent and Charles Bouillaguet and Pierre-Alain Fouque},<br />
title = {SIMD Is a Message Digest},<br />
url = {http://www.di.ens.fr/~leurent/files/SIMD.pdf},<br />
howpublished = {Submission to NIST (Round 2)},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{sha3LBF08,<br />
author = {Gaëtan Leurent and Charles Bouillaguet and Pierre-Alain Fouque},<br />
title = {SIMD Is a Message Digest},<br />
url = {http://ehash.iaik.tugraz.at/uploads/4/4e/Simd.pdf},<br />
howpublished = {Submission to NIST (Round 1)},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
<br />
== Cryptanalysis ==<br />
<br />
We distinguish between two cases: results on the complete hash function, and results on underlying building blocks.<br />
<br />
A description of the tables is given [http://ehash.iaik.tugraz.at/wiki/Cryptanalysis_Categories#Individual_Hash_Function_Tables here].<br />
<br />
Recommended security parameter: total number of steps = '''32'''<br />
<br />
=== Hash function ===<br />
<br />
Here we list results on the hash function according to the NIST requirements. The only allowed modification is to change the security parameter.<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Size (n) || Parameters || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| || || || || ||<br />
|- <br />
|} <br />
<br />
<br />
=== Building blocks ===<br />
<br />
Here we list results on underlying building blocks, and the hash function modified by other means than the security parameter.<br />
<br />
Note that these results assume more direct control or access over some internal variables (aka. free-start, pseudo, compression function, block cipher, or permutation attacks).<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| distinguisher || compression || 512 || 12 steps || 2<sup>236</sup> || - || [https://cryptolux.org/mediawiki/uploads/0/07/Rotational_distinguishers_%28Nikolic%2C_Pieprzyk%2C_Sokolowski%2C_Steinfeld%29.pdf Nikolić,Pieprzyk,Sokołowski,Steinfeld]<br />
|- <br />
| distinguisher || compression || 512 || linear message exp., 24 steps || 2<sup>497</sup> || - || [https://cryptolux.org/mediawiki/uploads/0/07/Rotational_distinguishers_%28Nikolic%2C_Pieprzyk%2C_Sokolowski%2C_Steinfeld%29.pdf Nikolić,Pieprzyk,Sokołowski,Steinfeld]<br />
|- <br />
| distinguisher || compression || 512 || full (Round 1) || 5*2<sup>425.28 || - || [http://online.tu-graz.ac.at/tug_online/voe_main2.getvolltext?pDocumentNr=125658 Mendel, Nad]<br />
|- <br />
|}<br />
<br />
<br />
<bibtex><br />
@misc{bmwNikolicPST,<br />
author = {Ivica Nikolić, Josef Pieprzyk, Przemysław Sokołowski and Ron Steinfeld},<br />
title = {Rotational Cryptanalysis of (Modified) Versions of BMW and SIMD},<br />
url = {https://cryptolux.org/mediawiki/uploads/0/07/Rotational_distinguishers_%28Nikolic%2C_Pieprzyk%2C_Sokolowski%2C_Steinfeld%29.pdf},<br />
howpublished = {Available online},<br />
year = {2010},<br />
abstract ={We extend the application of rotational distinguishers to<br />
classes of primitives that besides ARX, may have substractions, shifts,<br />
and boolean functions. This allows us to launch rotational attacks on<br />
the compression functions of two SHA-3 candidates: BMW and SIMD.<br />
Specifically, we find rotational distinguishers for the compression functions<br />
of:<br />
1. round 1 BMW-512,<br />
2. round 2 BMW-512, with the constant modified in one byte<br />
3. round 1,2 modified SIMD-512 reduced to 24 rounds, with linearized<br />
key schedule<br />
4. round 1,2, SIMD-512 reduced to 12 rounds<br />
Our attacks do not contradict any security claims of the candidates.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{indocryptMendelN09,<br />
author = {Florian Mendel and<br />
Tomislav Nad},<br />
title = {A Distinguisher for the Compression Function of SIMD-512},<br />
booktitle = {INDOCRYPT},<br />
editor = {Bimal K. Roy and<br />
Nicolas Sendrier},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
year = {2009},<br />
pages = {219-232},<br />
volume = {5922},<br />
url = {http://online.tu-graz.ac.at/tug_online/voe_main2.getvolltext?pDocumentNr=125658},<br />
abstract = {SIMD is one of the round 2 candidates of the public SHA-3<br />
competition hosted by NIST. It was designed by Leurent et al.. In this<br />
paper, we present a distinguisher attack on the compression function of<br />
SIMD-512. By linearizing the compression function we construct a linear<br />
code. Using techniques from coding theory to search for low Hamming<br />
weight codewords, we can find differential characteristics with low Hamming<br />
weight (and hence high probability). In the attack the differences<br />
are introduced only in the IV . Such a characteristic is the base for our distinguisher,<br />
which can distinguish the compression function of SIMD-512<br />
from random with a complexity of 5*2^425.28 compression function calls.<br />
Furthermore, we can distinguish the output transformation of SIMD-512<br />
from random with a complexity of about 22*2^425.28 compression function<br />
calls. So far this is the first cryptanalytic result for the SIMD hash<br />
function}<br />
}<br />
</bibtex></div>
JAumasson
https://ehash.iaik.tugraz.at/index.php?title=Luffa&diff=3483
Luffa
2010-04-29T07:19:09Z
<p>JAumasson: correct placement of rec sec par</p>
<hr />
<div>== The algorithm ==<br />
<br />
* Author(s): Christophe De Canniere, Hisayoshi Sato, Dai Watanabe<br />
* Website: [http://www.sdl.hitachi.co.jp/crypto/luffa/ http://www.sdl.hitachi.co.jp/crypto/luffa/]<br />
* NIST submission package: <br />
** round 1: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/LuffaUpdate.zip LuffaUpdate.zip] (old version: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/Luffa.zip Luffa.zip])<br />
**round 2: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/documents/Luffa_Round2_Update.zip Luffa_Round2_Update.zip] (old version: [http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/documents/Luffa_Round2.zip Luffa_Round2.zip])<br />
<br />
<br />
<bibtex><br />
@misc{sha3CHSW09,<br />
author = {Christophe De Canniere and Hisayoshi Sato and Dai Watanabe},<br />
title = {Hash Function Luffa: Specification},<br />
url = {http://www.sdl.hitachi.co.jp/crypto/luffa/Luffa_v2_Specification_20091002.pdf},<br />
howpublished = {Submission to NIST (Round 2)},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{sha3CHSW09a,<br />
author = {Christophe De Canniere and Hisayoshi Sato and Dai Watanabe},<br />
title = {Hash Function Luffa: Supporting Document},<br />
url = {http://www.sdl.hitachi.co.jp/crypto/luffa/Luffa_v2_SupportingDocument_20090915.pdf},<br />
howpublished = {Submission to NIST (Round 2)},<br />
year = {2009},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{sha3CHSW08,<br />
author = {Christophe De Canniere and Hisayoshi Sato and Dai Watanabe},<br />
title = {Hash Function Luffa: Specification},<br />
url = {http://ehash.iaik.tugraz.at/uploads/e/ea/Luffa_Specification.pdf},<br />
howpublished = {Submission to NIST (Round 1)},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{sha3CHSW08a,<br />
author = {Christophe De Canniere and Hisayoshi Sato and Dai Watanabe},<br />
title = {Hash Function Luffa: Supporting Document},<br />
url = {http://ehash.iaik.tugraz.at/uploads/f/fe/Luffa_SupportingDocument.pdf},<br />
howpublished = {Submission to NIST (Round 1)},<br />
year = {2008},<br />
}<br />
</bibtex><br />
<br />
<br />
== Cryptanalysis ==<br />
<br />
We distinguish between two cases: results on the complete hash function, and results on underlying building blocks.<br />
<br />
A description of the tables is given [http://ehash.iaik.tugraz.at/wiki/Cryptanalysis_Categories#Individual_Hash_Function_Tables here].<br />
<br />
Recommended security parameter: '''8''' rounds<br />
<br />
=== Hash function ===<br />
<br />
Here we list results on the hash function according to the NIST requirements. The only allowed modification is to change the security parameter.<br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Size (n) || Parameters || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| || || || || ||<br />
|- <br />
|} <br />
<br />
<br />
=== Building blocks ===<br />
<br />
Here we list results on underlying building blocks, and the hash function modified by other means than the security parameter.<br />
<br />
Note that these results assume more direct control or access over some internal variables (aka. free-start, pseudo, compression function, block cipher, or permutation attacks). <br />
<br />
{| border="1" cellpadding="4" cellspacing="0" class="wikitable" style="text-align:center" <br />
|- style="background:#efefef;" <br />
| Type of Analysis || Hash Function Part || Hash Size (n) || Parameters/Variants || Compression Function Calls || Memory Requirements || Reference <br />
|- <br />
| distinguisher || permutation || || 8 rounds || 2<sup>82</sup> || - || [http://www.131002.net/data/papers/AM09.pdf Aumasson,Meier]<br />
|-<br />
| pseudo-2nd preimage || hash || all || || 1 || - || [http://eprint.iacr.org/2009/224.pdf Jia]<br />
|-<br />
| pseudo-preimage || hash || 256 || || 2<sup>127</sup> || - || [http://eprint.iacr.org/2009/224.pdf Jia]<br />
|-<br />
| pseudo-preimage || hash || 512 || || 2<sup>171</sup> || - || [http://eprint.iacr.org/2009/224.pdf Jia]<br />
|-<br />
| semi-free-start collision || hash || all || any || 2<sup>256*(w-1)/w</sup> || - || [http://www.sdl.hitachi.co.jp/crypto/luffa/Luffa_v2_SupportingDocument_20090915.pdf submission document]<br />
|-<br />
| semi-free-start collision || hash || 512 || any || 2<sup>204.8</sup> || - || [http://www.sdl.hitachi.co.jp/crypto/luffa/Luffa_v2_SupportingDocument_20090915.pdf submission document]<br />
|-<br />
| non-randomness || permutation || || 8 rounds || 2<sup>224</sup> || - || [http://www.sdl.hitachi.co.jp/crypto/luffa/Luffa_v2_SupportingDocument_20090915.pdf submission document]<br />
|-<br />
|} <br />
<br />
<br />
<br />
<br />
<bibtex><br />
@misc{hamsiAM9,<br />
author = {Jean-Philippe Aumasson and Willi Meier},<br />
title = {Zero-sum distinguishers for reduced Keccak-f and for the core functions of Luffa and Hamsi},<br />
url = {http://www.131002.net/data/papers/AM09.pdf},<br />
howpublished = {NIST mailing list}<br />
year = {2009},<br />
abstract = {We present a new type of distinguisher, called zero-sum distinguisher, and apply it to reduced versions of the Keccak-f permutation. We obtain practical and deterministic distinguishers on up to 9 rounds, and shortcut distinguishers on up to 16 rounds, out of 18 in total. These observations do not seem to affect the security of Keccak. We also briefly describe application of zero-sum distinguishers to the core permutations of Luffa and Hamsi.},<br />
</bibtex><br />
<br />
<bibtex><br />
@misc{cryptoeprint:2009:224,<br />
author = {Keting Jia},<br />
title = {Pseudo-Collision, Pseudo-Preimage and Pseudo-Second-Preimage Attacks on Luffa},<br />
howpublished = {Cryptology ePrint Archive, Report 2009/224},<br />
year = {2009},<br />
note = {\url{http://eprint.iacr.org/}},<br />
url = {http://eprint.iacr.org/2009/224.pdf},<br />
abstract = {In this paper, we show some pseudo-collision and pseudo-second-preimage examples for the SHA-3 candidate algorithm Luffa. The pseudo-collision and pseudo-second-preimage can be obtained easily by the message injection function. At the same time, the pseudo-preimage attacks are shown in this paper. For Luffa-224/256, only two iteration functions is needed to get the pseudo-preimage. We need $2^{127}$ and $2^{171}$ to get the pseudo-preimage for Luffa-384 and Luffa-512 respectively. },<br />
}<br />
</bibtex></div>
JAumasson