I for one am not happy with the choice. It's slower in software than blake or skein, and on ARM it's even slower than SHA-2.
I'm not convinced that using a construction that's significantly different from MD gains us much. The constructions are often provably secure, so we only need to care about the quality of the compression function. To my amateur eyes, keccak doesn't look stronger than blake or skein. I also think the "it's different" argument is overplayed. SHA-3 should stand for itself. Many applications will choose one hash-function, and not hash their data with both SHA-2 and SHA-3. They get broken if that one hash is broken, and SHA-2 and SHA-3 being different doesn't really help them much. I think it's nice to have different constructions on stand-by, but would have chosen the one that seems best on its own, disregarding how similar it is to SHA-2. _______________________________________________ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography