SHA-3, Keccak & Sponge function
-
Upload
gennaro-caccavale -
Category
Technology
-
view
2.439 -
download
2
Transcript of SHA-3, Keccak & Sponge function
SPONGE FUNCTION & SHA-3
Gennaro Caccavale, Student@UniParthenope
June 2013
What is an hash?
Input message
Digest
h : {0, 1}* {0, 1}n
Crypthographic hash function
A cryptographic hash function is an algorithm that takes an arbitrary block of data and returns a fixed-size bit string, the (cryptographic) hash value, such that any change to the data will change the hash value. The data to be encoded are often called the "message," and the hash value is sometimes called the message digest or simply digest.
MD5 MD = 128 (Ron Rivest, 1992)SHA-1 MD = 160 (NSA, NIST, 1995)SHA-2 MD = 224/256/384/512 (NSA, NIST, 2001)SHA-3 MD = arbitrary (Bertoni, Daemen, Peeters, Van Assche, NIST, 2014)
SHA-3 / KECCAK
• Cryptographic hash function, SHA family
• Selected on October 2012 as the winner of the NIST hash function competition
• Not meant to replace SHA-2
• Based on the sponge construction
Sponge Function
More general than a hash function: arbitrary-length outputCalls a b-bit permutation f, with b = r + cr bits of ratec bits of capacity
Sponge Function – Absorbing Phase
Sponge Function – Squeezing Phase
Sponge Function – Duplex Construction
The duplex construction allows the alternation of input and output blocks at the same rate as the sponge construction, like a full-duplex communication
Keccak-f Efficency Summary
• High level of parallelism
• Flexibility: bit-interleaving
• Software: competitive on wide range of CPU (also implem. for CUDA)
• Dedicated hardware: very competitive
• Suited for protection against side-channel attack
• Faster than SHA-2 on all modern PC (12.5cpb on C2D)
Tune Keccak to your requirements
• http://keccak.noekeon.org/tune.html
If an attacker has access to one billion computers, each performing one billion evaluations of Keccak-f per second, it would take about 1.6×1061 years (1.1×1051 times the estimated age of the universe) to evaluate the permutation 2288 times
KECCAK-f[r+c]KECCAK-f[1024+576]KECCAK-f[1600]
Keccak example with different hash values
Keccak pseudo-code
In the pseudo-code above, S denotes the state as an array of lanes. The padded message P is organised as an array of blocks Pi, themselves organized as arrays of lanes. The || operator denotes the usual byte string concatenation.
Performance in software
Efficient and flexible in hardware
Third-party cryptanalysis of Keccak
What is currently the safety margin of KECCAK?
• Currently best attack on KECCAK: 4 rounds
• Sufficient nr. of rounds for security claim on KECCAK: 13 rounds
• KECCAK has 24 rounds (complexity 215xx)
Documentation
• http://en.wikipedia.org/wiki/SHA-3
• http://sponge.noekeon.org/
• http://keccak.noekeon.org/specs_summary.html
• http://csrc.nist.gov/groups/ST/hash/sha-3/documents/Keccak-slides-at-NIST.pdf
• http://celan.informatik.uni-oldenburg.de/kryptos/info/keccak/overview/
...
Any Question?