What are the disadvantages of SHA3?

Explore the disadvantages of SHA3, including its limited adoption, computational complexity, vulnerability to length extension attacks, and more.


Introduction

SHA3 is the latest secure hash algorithm standard, published by NIST in 2015. It was designed through an open competition to provide robust security against attacks like those faced by older standards such as SHA1 and SHA2. However, despite its strong security promises, SHA3 does come with some notable disadvantages. In this post, we will explore some of the key drawbacks and limitations of the SHA3 hashing algorithm.

Understanding the weaknesses in any cryptographic primitive is important for making informed decisions about its suitability and scope of usage. This allows organizations to evaluate SHA3 objectively by weighing its strengths against its shortcomings.

Lack of widespread adoption

One major disadvantage of SHA3 is its relatively low adoption rate so far compared to older and more established algorithms like SHA2. This is partly due to the recency of the SHA3 standard, which means integration with applications and software libraries is still ongoing. The radical differences between the Keccak design of SHA3 and SHA2 have also contributed to the adoption lag.

Slow uptake within the cryptography community affects the availability of robust implementations, optimized software libraries and compatible hardware, which further hampers adoption.

Computational complexity

The SHA3 algorithm utilizes significantly more complex computations in its sponge construction and related cryptographic primitives compared to SHA2. This translates to relatively poor performance in software and hardware implementations.

In resource-constrained environments like IoT devices, the computational overhead of SHA3 can be prohibitive, making lighter algorithms like SHA2 or BLAKE2 more suitable.

Vulnerability to length extension attacks

The hash-then-MAC approach used in the SHA3 construction makes it vulnerable to length extension attacks. An attacker can append malicious data to a valid message and generate a seemingly valid authentication code without knowing the secret key. This allows forged messages to be constructed that pass integrity checks.

SHA2 and BLAKE2 are not susceptible to these attacks due to the HMAC nested construction used.

Limited hardware support

Since SHA3 is a recent standard, dedicated hardware implementations are still under development. FPGA and ASIC solutions for SHA3 are not widely available and are relatively immature compared to the highly optimized hardware for SHA2 algorithms.

Limited hardware support hampers the usage of SHA3 in specialized systems and applications where hardware crypto accelerators are preferred for performance reasons.

Limited research and analysis

The SHA3 algorithm has not undergone the same rigorous cryptanalysis as older and widely deployed algorithms like SHA2 and AES. While no theoretical vulnerabilities have been identified so far, the relatively limited scrutiny from researchers leaves open the possibility of undiscovered weaknesses.

More extensive peer review and analysis over time is required to firmly establish the security guarantees of SHA3 against both classical and quantum attacks.

Lack of historical track record

SHA2 has over 15 years of proven resilience against attacks in the real world under widespread deployment. In contrast, SHA3 lacks this extensive track record, which precludes a high degree of confidence in its long-term security against new and evolving attack vectors.

The longevity of new algorithms can only be firmly established over an extended period of adversarial scrutiny and sustained attacks.

Conclusion

SHA3 represents a new era in cryptographic hash security. However, adoption inertia, performance overhead, length extension flaws, immature implementations and limited analysis represent some current disadvantages. These drawbacks may be mitigated over time with further maturation.

Going forward, SHA3 is likely to occupy a niche role in highly security-centric applications rather than fully replace older standards. Organizations must assess the tradeoffs based on their specific requirements to determine the appropriate secure hash algorithm.