KangarooTwelve: fast hashing based on Keccak-p
Guido Bertoni (3), Joan Daemen (1,2), Michaël Peeters (1), Gilles Van Assche (1), Ronny Van Keer (1), Benoît Viguier (2)
(1) STMicroelectronics, (2) Radboud University, (3) Security Pattern
The 16th International Conference on Applied Cryptography and Network Security
Leuven, Belgium, July 2018
Outline
1 What is KangarooTwelve?
2 Security vs speed
3 Speed vs security
What is KangarooTwelve?
Let’s start from SHAKE128
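[Figure: sponge construction, with input, output, absorbing and squeezing phases, six calls to f, and a state initialized to 0 and split into outer (r) and inner (c) parts]
eXtendable Output Function
Sponge construction
Uses Keccak-p[1600, nr = 24]
No parallelism at construction level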
From SHAKE128 to KangarooTwelve
[Figure: KangarooTwelve tree. Final node: S0, 0300*, CV, CV, CV, …, CV, CV, n-1, FFFF, followed by 06. Leaves: S1, S2, S3 up to Sn-2, Sn-1, each followed by 0B.]
eXtendable Output Function
Tree on top of sponge construction + Sakura coding + kangaroo hopping
Uses Keccak-p[1600, nr = 12]
Parallelism grows automatically with input size (per 8 KiB)
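The tree mode on this slide, written out as an added Python sketch (not code from the slides or from the Keccak team): 8 KiB chunks, leaves closed with 0B, and a final node S0 || 03 00* || CVs || n-1 || FFFF closed with 06, over a 12-round Keccak-p[1600] sponge. Details the slide does not show (32-byte chaining values, the length encoding of n-1, the customization string, and the 07 suffix for single-chunk inputs) are taken from the published KangarooTwelve specification; all function names are chosen here for illustration.

```python
RATE, CHUNK = 168, 8192  # bytes: sponge rate for capacity 256; 8 KiB chunk size
def rol(a, n):
    return ((a << n % 64) | (a >> (64 - n % 64))) & (2**64 - 1)

def keccak_p12(A):  # Keccak-p[1600, nr=12] on 25 lanes, lane (x, y) stored at A[x + 5*y]
    R = 1
    for rnd in range(24):
        if rnd >= 12:  # keep only the last 12 rounds of Keccak-f[1600]
            C = [A[x] ^ A[x+5] ^ A[x+10] ^ A[x+15] ^ A[x+20] for x in range(5)]  # theta
            D = [C[(x+4) % 5] ^ rol(C[(x+1) % 5], 1) for x in range(5)]
            A = [A[i] ^ D[i % 5] for i in range(25)]
            x, y, cur = 1, 0, A[1]
            for t in range(24):  # rho and pi
                x, y = y, (2*x + 3*y) % 5
                cur, A[x+5*y] = A[x+5*y], rol(cur, (t+1)*(t+2)//2)
            for y in range(0, 25, 5):  # chi, row by row
                T = A[y:y+5]
                A[y:y+5] = [T[x] ^ (~T[(x+1) % 5] & T[(x+2) % 5]) for x in range(5)]
        for j in range(7):  # iota; the constant LFSR also steps in skipped rounds
            R = ((R << 1) ^ ((R >> 7) * 0x71)) % 256
            if R & 2 and rnd >= 12:
                A[0] ^= 1 << ((1 << j) - 1)
    return A

def sponge(data, suffix, outlen):  # absorb data + domain suffix byte, squeeze outlen bytes
    P = bytearray(data) + bytes([suffix])
    P += bytes(-len(P) % RATE)
    P[-1] ^= 0x80  # final bit of the pad10*1 padding
    A = [0] * 25
    for off in range(0, len(P), RATE):
        for i in range(RATE // 8):
            A[i] ^= int.from_bytes(P[off+8*i:off+8*i+8], "little")
        A = keccak_p12(A)
    out = bytearray()
    while len(out) < outlen:
        A = keccak_p12(A) if out else A
        out += b"".join(a.to_bytes(8, "little") for a in A[:RATE // 8])
    return bytes(out[:outlen])

def length_encode(x):  # big-endian bytes of x, then their count (per the K12 spec)
    b = x.to_bytes((x.bit_length() + 7) // 8, "big")
    return b + bytes([len(b)])
def final_node(s0, cvs):  # slide layout: S0 || 03 00* || CV ... CV || n-1 || FFFF
    return s0 + b"\x03" + bytes(7) + b"".join(cvs) + length_encode(len(cvs)) + b"\xff\xff"
def k12(msg, outlen=32, custom=b""):
    S = bytes(msg) + custom + length_encode(len(custom))
    chunks = [S[i:i+CHUNK] for i in range(0, len(S), CHUNK)]
    if len(chunks) == 1:
        return sponge(S, 0x07, outlen)  # one chunk: plain sponge, suffix 07
    cvs = [sponge(c, 0x0B, 32) for c in chunks[1:]]  # leaves are independent, so parallelizable
    return sponge(final_node(chunks[0], cvs), 0x06, outlen)
```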
Correlation-freeness
Resistance against length-extension attacks
…
What about 256-bit security?
Philosophically much higher
But practically the same: well above the attacker’s budget
MarsupilamiFourteen
Security vs speed
First pillar of security in symmetric cryptography
Generic security
Strong mathematical proofs
⇒ mode introduces no weaknesses
⇒ scope of cryptanalysis focused on primitive
In our case:
[EuroCrypt 2008] – On the Indifferentiability of the Sponge Construction
[IJIS 2014] – Sufficient conditions for sound tree and sequential hashing modes
[ACNS 2014] – Sakura: A Flexible Coding for Tree Hashing
Second pillar of security in symmetric cryptography
Security of the primitive
No proof!
⇒ publicly documented design rationale
⇒ lots of third-party cryptanalysis!
In our case:
Ten years of cryptanalysis on (reduced-round) Keccak-f[1600]
⇐ tune the number of rounds
⇐ no tweak!
Status of Keccak & KangarooTwelve cryptanalysis
[Figure: Keccak-f[1600] round scale, marked 0, 3, 6, 9, 12, 15, 18, 21, 24]
Collision attacks up to 5 rounds
Also up to 6 rounds, but for non-standard parameters (c = 160)
[Song, Liao, Guo, CRYPTO 2017]
Distinguishers
7 rounds (practical time) [Huang et al., EUROCRYPT 2017]
8 rounds (2^128 time, academic) [Dinur et al., EUROCRYPT 2015]
Lots of third-party cryptanalysis available at: https://keccak.team/third_party.html