**November 2, 2007 **- Announcing Request for Candidate Algorithm Nominations for a New Cryptographic Hash Algorithm (SHA-3) Family

- If a construct is specified for the use of the candidate algorithm in an
*n*-bit randomized hashing scheme, the construct must, with overwhelming probability, provide*n-k*bits of security against the following attack: The attacker chooses a message,*M*of length at most 2_{1}bits. The specified construct is then used on^{k}*M*with a randomization value_{1}*r*that has been randomly chosen without the attacker’s control after the attacker has supplied_{1}*M*. Given_{1}*r*, the attacker then attempts to find a second message_{1}*M*and randomization value_{2}*r*that yield the same randomized hash value. Note that in order to meet this specific security requirement, the specified randomized hashing construct may place restrictions on the length of the randomization value._{2}

**Correction (8/28/08)**

**4.A.ii Bullet 3 should have stated:**

**January 23, 2007** - Announcing the Development of New Hash Algorithm(s) for the Revision of Federal Information Processing Standard (FIPS) 180–2, Secure Hash Standard

A.3 of **the Proposed Draft Minimum Acceptability Requirements for Candidate Algorithms** (Section A) should have stated:

"A.3 The algorithm must support 224, 256, 384, and 512-bit message digests, and must support a maximum message length of at least **2 ^{64}** bits."