SHA-3, Keccak & Sponge function

Post on 20-Aug-2015


SPONGE FUNCTION & SHA-3

Gennaro Caccavale, Student@UniParthenope

June 2013

What is a hash?

Input message

Digest

$h : \{0,1\}^* \to \{0,1\}^n$

Cryptographic hash function

A cryptographic hash function is an algorithm that takes an arbitrary block of data and returns a fixed-size bit string, the (cryptographic) hash value, such that any change to the data will change the hash value. The data to be encoded are often called the "message," and the hash value is sometimes called the message digest or simply digest.

• MD5 MD = 128 (Ron Rivest, 1992)

• SHA-1 MD = 160 (NSA, NIST, 1995)

• SHA-2 MD = 224/256/384/512 (NSA, NIST, 2001)

• SHA-3 MD = arbitrary (Bertoni, Daemen, Peeters, Van Assche, NIST, 2014)

SHA-3 / KECCAK

• Cryptographic hash function, SHA family

• Selected in October 2012 as the winner of the NIST hash function competition

• Not meant to replace SHA-2

• Based on the sponge construction

Sponge Function

• More general than a hash function: arbitrary-length output

• Calls a b-bit permutation f, with b = r + c

• r bits of rate

• c bits of capacity

Sponge Function – Absorbing Phase

Sponge Function – Squeezing Phase

Sponge Function – Duplex Construction

The duplex construction allows the alternation of input and output blocks at the same rate as the sponge construction, like a full-duplex communication.

Keccak-f Efficiency Summary

• High level of parallelism

• Flexibility: bit-interleaving

• Software: competitive on a wide range of CPUs (also implemented for CUDA)

• Dedicated hardware: very competitive

• Suited for protection against side-channel attacks

• Faster than SHA-2 on all modern PCs (12.5 cycles per byte on a Core 2 Duo)

Tune Keccak to your requirements

• http://keccak.noekeon.org/tune.html

If an attacker has access to one billion computers, each performing one billion evaluations of Keccak-f per second, it would take about $1.6 \times 10^{61}$ years ($1.1 \times 10^{51}$ times the estimated age of the universe) to evaluate the permutation $2^{288}$ times.

KECCAK-f[r+c]

KECCAK-f[1024+576]

KECCAK-f[1600]

Keccak example with different hash values

Keccak pseudo-code

In the pseudo-code above, S denotes the state as an array of lanes. The padded message P is organised as an array of blocks $P_i$, themselves organised as arrays of lanes. The || operator denotes the usual byte string concatenation.

Performance in software

Efficient and flexible in hardware

Third-party cryptanalysis of Keccak

What is currently the safety margin of KECCAK?

• Currently best attack on KECCAK: 4 rounds

• Sufficient number of rounds for security claim on KECCAK: 13 rounds

• KECCAK has 24 rounds (complexity $2^{15xx}$)

Any questions?