SHA-3 was released by NIST just over 4 years ago this week. In my experience it does not seem to be as widely used as I might have expected. I see SHA-2 and even SHA-1 more often. What are your opinions on why this is the case?
4 Answers
First, you're taking the question backwards. Inertia is the default position. You shouldn't be looking for reasons not to switch, but for reasons to switch. If there are no strong reasons to switch, nobody will switch.
Security is not a reason. Between SHA-2 and SHA3, there is no reason to believe that one is more secure than the other. It isn't like when switching from MD5 to SHA-1 or from SHA-1 to SHA-2, where in each case the older function has structural weaknesses that did lead to attacks, and had a smaller output size that was starting to raise concerns over brute-force attacks. SHA-2 and SHA3 have the same sizes and no known structural weaknesses.
Performance is not a reason for most applications. Indeed, performance is a reason not to switch. SHA3 is slower than SHA-2 on a general-purpose processor. It was one of the slowest finalists of the SHA3 competition across various processors. This is not a big reason not to switch, because hashes are pretty much never a bottleneck, but it's certainly not an incentive to switch.
SHA3 does have a performance benefit, which is that it's cheap to implement in specialized hardware. It's very fast on a dedicated circuit. This is especially important for low-power devices: SHA3 costs fewer Joules per byte than SHA-2 (or any other SHA3 finalist) when implemented in hardware. So IoT may drive the adoption of SHA3. However, hardware design takes time, and hardware designers are conservative (you can't fix bugs in hardware), so this won't happen any time soon. Furthermore, a hardware implementation of SHA3 uses more gates than SHA-2, so it costs more to build a SHA3 device, even if it costs less to use afterwards, therefore there isn't a clear cost incentive to switch even when a low power requirement is critical.
SHA3 also has a versatility benefit. The same core primitive (the Keccak sponge) can not only be used as a hash, but also as a MAC (KMAC, at lower cost than HMAC), as a key derivation function (SHAKE with a partially-secret input, at a lower cost than constructions such as HKDF), etc. It's not that SHA3 can do things that nobody else can do, but it can do things that otherwise require more complex combinations of primitives. That's an incentive to switch, but only in circumstances where 1. you need those extra things and 2. it is a problem to combine more code. Again, IoT (which wants low-cost, low-power devices) may look towards SHA3, but only once protocols that use more than SHA3's hash functionality are defined and start being deployed.
Coming back to security, a benefit of SHA3 is that it's very different from SHA-2. Indeed this is one of the main reasons it was chosen over other SHA3 proposals: since its construction is different, if a new class of attacks breaks SHA-2, it's unlikely to apply to SHA3, and vice versa. The security benefit would not be in switching to SHA3, but in deploying software and protocols that support both, so that if a weakness is found in SHA-2, the world can quickly and cheaply transition to SHA3.
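To make the versatility point of the answer above concrete, here is an added example (not from the original answer) contrasting HKDF built from nested HMAC-SHA256 with a key derivation that just absorbs the secret into the SHAKE256 sponge. The prefix-keyed SHA3 function is an illustration of the sponge's keyed-hash property, not NIST's KMAC; the RFC 5869 test vector is the only external value used.

```python
import hashlib
import hmac

# HKDF (RFC 5869) from HMAC-SHA256: an extract step plus one nested HMAC
# call per output block, each HMAC itself running SHA-256 twice.
def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()            # extract
    okm, block, counter = b"", b"", 1
    while len(okm) < length:                                     # expand
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

# SHAKE-based KDF: the secret and context are absorbed once and the XOF is
# squeezed for exactly the bytes needed, with no surrounding construction.
# The requested length is absorbed as well, so a 32-byte key is not simply
# a prefix of the 64-byte key derived from the same inputs.
def shake_kdf(secret: bytes, context: bytes, length: int) -> bytes:
    xof = hashlib.shake_256()
    xof.update(length.to_bytes(4, "big"))
    xof.update(secret)
    xof.update(context)
    return xof.digest(length)

# Raw XOF output, to show the prefix property that shake_kdf deliberately avoids.
def shake_raw(data: bytes, length: int) -> bytes:
    return hashlib.shake_256(data).digest(length)

# Keyed hash from the same primitive: key-prefix over SHA3-256. This is the
# simplified idea behind KMAC (which additionally encodes key and lengths);
# the HMAC counterpart below needs two passes of SHA-256.
def sha3_prefix_keyed_hash(key: bytes, msg: bytes) -> bytes:
    return hashlib.sha3_256(key + msg).digest()

def hmac_sha256(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

if __name__ == "__main__":
    secret = bytes.fromhex("0b" * 22)                  # constructed sample secret
    print("HKDF :", hkdf_sha256(secret, bytes(range(13)), b"ctx", 42).hex())
    print("SHAKE:", shake_kdf(secret, b"ctx", 42).hex())
```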
Since this question is asking about opinions, it's hard to give the correct answer (alternatively, all possible answers are correct, because they're an opinion). However, my opinion:
I believe that there are several aspects contributing to it:
Most application designers (that is, the people who use crypto to actually solve a problem) generally don't actually specify something as low level as the hash function; instead, they specify things at a higher level (e.g. perhaps the public key signature method, or the encryption protocol), and use whatever hashes those higher level primitives use.
As for designers of the lower level primitives, they tend to update things at a much slower rate - and hence, they tend to take a while to pick up things like SHA-3 (especially if there isn't a strong perceived need to make the change).
As for perceived need, SHA-2 is mostly seen as perfectly adequate technology, which solves the problems we give it, and at generally reasonable cost, and so there is no immediate need to spend effort at moving to SHA-3. The big advantage to SHA-3 is that it can be implemented faster, and for most applications, the speed of the hash function just isn't a major factor.
Now, we will likely see more adoption over the next several years; if you go through the NIST postquantum candidates, they tend to use SHAKE (at least, the ones that need a hash function). That means that, as they are taken up by the applications (and used in real products), they'll take SHA-3 with them (and one would expect that, given that there is now a SHA-3 implementation in the crypto library already) it'll find more general use.
However, as for becoming 'the standard' (that is, people are actually discouraged from using SHA-2) I don't see that for a very long time (barring a cryptanalytic discovery); as far as we can tell, it doesn't have any weakness, and it does have some practical advantages over SHA-3 (at least, I believe it's easier to build with a minimal number of gates).
Mostly option 2. People are lazy. Furthermore, those using SHA-2 have no good reason to switch. Those using SHA-1 are lazy, and have been lazy for a while. Another reason is compatibility. If I use SHA3 in my certificate some software may not be able to use it, and if SHA2 is fast and as secure for all practical purposes, why should I opt for the less compatible option? I don't think there are serious security concerns against SHA-3; some think it wasn't the best candidate (I'm one of them) but that doesn't mean they think objectively it is an insecure hash function. Most developers do not make an informed choice about cryptographic primitives and inertia is a good choice. I think very few are holding out for more cryptanalysis.
Below are some suggestions I originally included in the question but that fit better as an answer.
1) There are still some concerns about SHA-3. I recall that there was some controversy when released, e.g. Bruce Schneier and others raised some concerns. Are these concerns still lingering? [Based on other answers I now see that this is not really valid. I also researched Bruce Schneier's criticism further and it was in relation to NIST-enforced changes to the capacity optionality to balance security and performance, not security as such]
2) People are just slow/lazy when it comes to adopting new standards and four years is not a long time. Adoption will continue to grow slowly until SHA-2 is shown as weak or withdrawn by NIST.
3) Many developers wait to see a crypto function in use for 5 years and widely researched and attacked before they adopt (i.e. a more conscious/systematic approach than 2). SHA-3 usage will likely increase significantly in the next couple of years and become the standard.