SPONGE FUNCTION & SHA-3 Gennaro Caccavale, Student@UniParthenope June 2013

SHA-3, Keccak & Sponge function

Aug 20, 2015


SPONGE FUNCTION & SHA-3

Gennaro Caccavale, Student@UniParthenope

June 2013


What is a hash?

Input message

Digest

$h : \{0, 1\}^* \to \{0, 1\}^n$


Cryptographic hash function

A cryptographic hash function is an algorithm that takes an arbitrary block of data and returns a fixed-size bit string, the (cryptographic) hash value, such that any change to the data will (with very high probability) change the hash value. The data to be encoded are often called the "message", and the hash value is sometimes called the message digest or simply the digest.

• MD5: MD = 128 (Ron Rivest, 1992)

• SHA-1: MD = 160 (NSA, NIST, 1995)

• SHA-2: MD = 224/256/384/512 (NSA, NIST, 2001)

• SHA-3: MD = arbitrary (Bertoni, Daemen, Peeters, Van Assche, NIST, 2014)


SHA-3 / KECCAK

• Cryptographic hash function, SHA family

• Selected in October 2012 as the winner of the NIST hash function competition

• Not meant to replace SHA-2

• Based on the sponge construction


Sponge Function

• More general than a hash function: arbitrary-length output

• Calls a b-bit permutation f, with b = r + c

• r bits of rate

• c bits of capacity


Sponge Function – Absorbing Phase


Sponge Function – Squeezing Phase


Sponge Function – Duplex Construction

The duplex construction allows the alternation of input and output blocks at the same rate as the sponge construction, like a full-duplex communication.


Keccak-f Efficiency Summary

• High level of parallelism

• Flexibility: bit-interleaving

• Software: competitive on a wide range of CPUs (also implemented for CUDA)

• Dedicated hardware: very competitive

• Suited for protection against side-channel attacks

• Faster than SHA-2 on all modern PCs (12.5 cycles per byte on a Core 2 Duo)


Tune Keccak to your requirements

• http://keccak.noekeon.org/tune.html

If an attacker has access to one billion computers, each performing one billion evaluations of Keccak-f per second, it would take about $1.6 \times 10^{61}$ years ($1.1 \times 10^{51}$ times the estimated age of the universe) to evaluate the permutation $2^{288}$ times.

KECCAK-f[r+c]

KECCAK-f[1024+576]

KECCAK-f[1600]


Keccak example with different hash values


Keccak pseudo-code

In the pseudo-code above, S denotes the state as an array of lanes. The padded message P is organized as an array of blocks P_i, themselves organized as arrays of lanes. The || operator denotes the usual byte string concatenation.


Performance in software


Efficient and flexible in hardware


Third-party cryptanalysis of Keccak


What is currently the safety margin of KECCAK?

• Currently best attack on KECCAK: 4 rounds

• Sufficient number of rounds for security claim on KECCAK: 13 rounds

• KECCAK has 24 rounds (complexity $2^{15xx}$)


Any questions?