advanced hash function design inside keccak
play

Advanced hash function design: inside Keccak Guido Bertoni 1 Joan - PowerPoint PPT Presentation

Apr 02, 2023 •249 likes •774 views

Advanced hash function design: inside Keccak Advanced hash function design: inside Keccak Guido Bertoni 1 Joan Daemen 1 Michal Peeters 2 Gilles Van Assche 1 Ecrypt II summer school, Albena June 2, 2011 1 / 46 1 STMicroelectronics 2 NXP

  1. Advanced hash function design: inside Keccak Advanced hash function design: inside Keccak Guido Bertoni 1 Joan Daemen 1 Michaël Peeters 2 Gilles Van Assche 1 Ecrypt II summer school, Albena June 2, 2011 1 / 46 1 STMicroelectronics 2 NXP Semiconductors

  2. Advanced hash function design: inside Keccak Outline 1 Advancing hash function design 2 Advancing the mode 3 Advancing the inner function 4 Motivating the design of Keccak - f 5 Keccak resources 2 / 46

  3. Advanced hash function design: inside Keccak Advancing hash function design Outline 1 Advancing hash function design 2 Advancing the mode 3 Advancing the inner function 4 Motivating the design of Keccak - f 5 Keccak resources 3 / 46

  4. Advanced hash function design: inside Keccak Advancing hash function design What is advanced hash function design? Design principles of MD4 and descendents: Mode: Merkle-Damgård with Davies-Meyer collision-resistance preservation is central coding of message length in the padding block cipher with a feedforward Inner function: block cipher data path for CV: generalized Feistel network ARX based nonlinearity Separate message expansion for message block Advanced design: anything that improves upon this 4 / 46

  5. Advanced hash function design: inside Keccak Advancing the mode Outline 1 Advancing hash function design 2 Advancing the mode 3 Advancing the inner function 4 Motivating the design of Keccak - f 5 Keccak resources 5 / 46

  6. Advanced hash function design: inside Keccak Examples: Panama, Grindahl, RadioGatún , Fugue Requires a strong inner function resisting specific attacks Proof bounds success probability of all generic attacks Replace by random oracle (RO) indifferentiability Abandon property-preserving paradigm Anther approach: get the criteria for the mode right Promising but hard to obtain assurance AKA streaming-based hashing Advancing the mode One approach: don’t separate mode and inner function etc. etc. etc. 2nd pre-image attacks more efficient than expected length extension Problems of Merkle-Damgård Advancing the mode 6 / 46

  7. Advanced hash function design: inside Keccak Advancing the mode Building a sound mode Building a sound mode Patching Merkle-Damgård by adding complexity Enveloped Merkle-Damgård (EMD): treat last block differently Haifa: extend Merkle-Damgård by adding in inner function: dedicated input for salt dedicated input for counter does not address the compression function design problem Tabula rasa: sponge construction simplification message bits and chaining bits are treated the same way no feedforward, no length coding in padding uses a permutation, known how to design 7 / 46

  8. Advanced hash function design: inside Keccak Advancing the mode The sponge construction The sponge construction More general than hash function: arbitrary-length output stream encryption, MGF, … duplex mode: authenticated encryption, reseedable PRG, … r bits of rate c bits of capacity (security parameter) 8 / 46 Calls a b -bit permutation f , with b = r + c

  9. Advanced hash function design: inside Keccak Advancing the mode The sponge construction Generic security of the sponge construction N is number of calls to f Bounds success probability of all generic attacks Bound assumes f is random permutation it covers generic attacks …but not attacks that exploit specific properties of f 9 / 46 RO-differentiating advantage ≤ N 2 / 2 c + 1

  10. Advanced hash function design: inside Keccak Advancing the mode The Hermetic sponge strategy Design approach Hermetic sponge strategy instantiate a sponge function Mission Design permutation f without exploitable properties 10 / 46 claim a security level of 2 c / 2

  11. Advanced hash function design: inside Keccak Advancing the inner function Outline 1 Advancing hash function design 2 Advancing the mode 3 Advancing the inner function 4 Motivating the design of Keccak - f 5 Keccak resources 11 / 46

  12. Advanced hash function design: inside Keccak absence of large input-output correlations … slide and symmetry-exploiting attacks algebraic attacks integral cryptanalysis Immunity to infeasibility of the CICO problem absence of large differential propagation probabilities Advancing the inner function Classical LC/DC criteria …on a wide range of CPU platforms and in hardware fast and compact, straight and hardened Efficiency and flexibility Desired properties of f Criteria 12 / 46

  13. Advanced hash function design: inside Keccak Advancing the inner function Criteria The CICO problem Given partial input and output, determine remaining parts Important in many attacks Pre-image generation in hashing 13 / 46

  14. Advanced hash function design: inside Keccak Advancing the inner function Criteria The CICO problem Given partial input and output, determine remaining parts Important in many attacks State recovery in stream encryption 14 / 46

  15. Advanced hash function design: inside Keccak Advancing the inner function absence of systematic clustering of trails Ambition is to assure: active S-boxes 15 / 46 Goal: prevent control over difference propagation Criteria Differential ( A , B ) is composed of trails Q from A to B : ∑ # pairs ( A , B ) = # pairs ( Q ) Q ∈ ( A , B ) w r ( Q ) : number of conditions Q imposes on its pairs: ∑ w r ( Q ) = w r ( q i , q o ) If w r ( Q ) < b : # pairs ( Q ) ≈ 2 b − w r ( Q ) , else few or no pairs ∀ Q : w r ( Q ) > b : wide trail strategy

  16. Advanced hash function design: inside Keccak Advancing the inner function absence of systematic clustering of trails Ambition is to assure: active S-boxes 16 / 46 Criteria Goal: avoid large input-output correlations Correlation ( v , u ) is composed of trails Q to u from v C ( v , u ) = ∑ C ( Q ) Q ∈ ( v , u ) Correlation contribution: C ( Q ) = ( − 1 ) sign ( Q ) 2 − w c ( Q ) / 2 with ∑ w c ( Q ) = w c ( q i , q o ) If w c ( Q ) > b , Q contributes very little ∀ Q : w c ( Q ) > b : wide trail strategy

  17. Advanced hash function design: inside Keccak Like a block cipher inverse permutation need not be efficient round constants instead of round keys no need for key schedule …but not quite round function that is nonlinear and has good diffusion sequence of identical rounds width ranges from 600 to 2400 bits Advancing the inner function capacity up to 512 bits long term: security strength up to 256 bits Required width b : Designing the permutation f Choices for the permutation f 17 / 46 rate: b − 512 bits

  18. Advanced hash function design: inside Keccak Advancing the inner function Choices for the permutation f The obvious choices addition - rotation - XOR (ARX) appears very powerful, but … unsuited for dedicated hardware and DPA protection hard to evaluate strength all of the MD4 and SHA family is already based on ARX Square-inspired, like Rijndael (AES) S-box with optimum worst-case LC and DC properties mixing layer with optimum worst-case diffusion: MDS transposition layer with optimum dispersion results in strong bounds for trail weights let’s try it! 18 / 46

  19. Advanced hash function design: inside Keccak Advancing the inner function Inspiration from AES AES-based approach: size parameters AES structure must be scaled up from 128 to 600-2400 bits Three size parameters: S-box width: n bits MDS width: m S-boxes Dimension: d 19 / 46 Permutation width: b = m d n AES: n = 8 , m = 4 , d = 2 so b = 128

  20. Advanced hash function design: inside Keccak Advancing the inner function Inspiration from AES Scaling up AES structure Increase S-box width n ? software: # elements in lookup tables: 2 n hardware: strong increase in # gates decreasing S-box width would be a better idea … Increase MDS matrix size m ? SW with T -tables: size of elements is nm HW and compact SW: strong increase in # operations/gates Increase the dimension d ? slows down diffusion strong increase in number of rounds All in all, scaling up appears very expensive 20 / 46

  21. Advanced hash function design: inside Keccak Advancing the inner function Inspiration from AES A greedy aspect in AES-inspired design Choice of nonlinear layer for given width n , choose S-boxes with optimum worst-case nonlinearity irrespective of implementation cost Choice of mixing layer for given size m , choose mixing transformation with optimum worst-case diffusion irrespective of implementation cost Focus on worst-case LC/DC propagation over few rounds Tends to result in expensive round function 21 / 46

  22. Advanced hash function design: inside Keccak no requirement for high worst-case diffusion globally more efficient Ambition: cheaper round function, more rounds but clustering of trails chaining of low-weight structures into narrow trails A matching transposition layer should prevent average diffusion preferably high A modest mixing layer Advancing the inner function no requirement for high worst-case nonlinearity A modest nonlinear layer Go for a less greedy approach An alternative to imitating AES 22 / 46 log ( DP ( a , b )) ≈ O ( HW ( a )) log ( C 2 ( v , u )) ≈ O ( HW ( u ))

  23. Advanced hash function design: inside Keccak Motivating the design of Keccak - f Outline 1 Advancing hash function design 2 Advancing the mode 3 Advancing the inner function 4 Motivating the design of Keccak - f 5 Keccak resources 23 / 46

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Outline Hash Functions 1 Iterated Hash Functions CPSC 418/MATH 318 Introduction to Cryptography

Outline Hash Functions 1 Iterated Hash Functions CPSC 418/MATH 318 Introduction to Cryptography

Outline Hash Functions 1 Iterated Hash Functions CPSC 418/MATH 318 Introduction to Cryptography SHA-1 SHA-3 (Keccak) Hash Functions, SHA-3, Message Authentication Codes 2 Sponge Construction Keccak Overview Renate Scheidler Keccak

888 views • 14 slides
LUX Hash Function Ivica Nikoli c, Alex Biryukov, Dmitry Khovratovich University of Luxembourg

LUX Hash Function Ivica Nikoli c, Alex Biryukov, Dmitry Khovratovich University of Luxembourg

LUX Hash Function LUX Hash Function Ivica Nikoli c, Alex Biryukov, Dmitry Khovratovich University of Luxembourg LUX Hash Function Outline 1 Design 2 Security Analysis 3 Implementation 4 Advantages LUX Hash Function Design Design LUX Hash

539 views • 28 slides
Hash Functions Hash Functions 1 Cryptographic Hash Function Crypto hash function h(x) must

Hash Functions Hash Functions 1 Cryptographic Hash Function Crypto hash function h(x) must

Hash Functions Hash Functions 1 Cryptographic Hash Function Crypto hash function h(x) must provide o Compression output length is small o Efficiency h(x) easy to compute for any x o One-way given a value y it is infeasible to find

465 views • 42 slides
Cryptanalysis of Round-Reduced KECCAK using Non-Linear Structures Mahesh Sreekumar Rajasree

Cryptanalysis of Round-Reduced KECCAK using Non-Linear Structures Mahesh Sreekumar Rajasree

Cryptanalysis of Round-Reduced KECCAK using Non-Linear Structures Mahesh Sreekumar Rajasree Center for Cybersecurity, Indian Institute of Technology Kanpur INDOCRYPT 2019, Hyderabad Outline 2 Introduction Hash function Structure of KECCAK

752 views • 50 slides
Algebraic Cryptanalysis of Round-Reduced Keccak with Linear Structures Meicheng Liu joint work

Algebraic Cryptanalysis of Round-Reduced Keccak with Linear Structures Meicheng Liu joint work

Algebraic Cryptanalysis of Round-Reduced Keccak with Linear Structures Meicheng Liu joint work with Jian Guo and Ling Song ASK 2016, September 2016 1/45 Outline Introduction SHA-3 hash function Specifications of Keccak Main Results

913 views • 65 slides
HASH FUNCTIONS 1 / 62 What is a hash function? By a hash function we usually mean a map h : D

HASH FUNCTIONS 1 / 62 What is a hash function? By a hash function we usually mean a map h : D

HASH FUNCTIONS 1 / 62 What is a hash function? By a hash function we usually mean a map h : D { 0 , 1 } n that is compressing, meaning | D | &gt; 2 n . E.g. D = { 0 , 1 } 2 64 is the set of all strings of length at most 2 64 . h n MD4

1.13k views • 78 slides
Linear Structures: Applications to Cryptanalysis of Round-Reduced Keccak Meicheng Liu joint work

Linear Structures: Applications to Cryptanalysis of Round-Reduced Keccak Meicheng Liu joint work

Linear Structures: Applications to Cryptanalysis of Round-Reduced Keccak Meicheng Liu joint work with Jian Guo and Ling Song Asiacrypt 2016 1/28 Outline Introduction SHA-3 hash function Linear Structures Linear structures of Keccak-f

474 views • 43 slides
Hash function design and MD2, MD4, MD5 Title of Presentation SHA-512 SHA-1 cryptanalysis:

Hash function design and MD2, MD4, MD5 Title of Presentation SHA-512 SHA-1 cryptanalysis:

Hash Functions June 2013 Bart Preneel Hash functions X.509 Annex D RIPEMD-160 SHA-3 MDC-2 SHA-256 Hash function design and MD2, MD4, MD5 Title of Presentation SHA-512 SHA-1 cryptanalysis: basic topics Bart Preneel This is an input to

402 views • 14 slides
Keccak From: 1.The Keccak reference 2. Keccak and the SHA-3 Standardization written by ! Guido

Keccak From: 1.The Keccak reference 2. Keccak and the SHA-3 Standardization written by ! Guido

Keccak From: 1.The Keccak reference 2. Keccak and the SHA-3 Standardization written by ! Guido Bertoni (STMicroelectronics) , ! Joan Daemen (STMicroelectronics) , ! Michal Peeters (NXP Semiconductors) , ! Gilles Van Assche

488 views • 26 slides
, R ADIO G ATN , a belt-and-mill hash function a belt-and-mill hash function Guido Bertoni,

, R ADIO G ATN , a belt-and-mill hash function a belt-and-mill hash function Guido Bertoni,

R ADIO G ATN , R ADIO G ATN , a belt-and-mill hash function a belt-and-mill hash function Guido Bertoni, Joan Daemen, Michal Peeters * and Gilles Van Assche STMicroelectronics * De Valck Consultants Second Cryptographic Hash Workshop

474 views • 16 slides
Hash Functions and Hash Tables (2.5.2) A hash function h maps keys of a given type to

Hash Functions and Hash Tables (2.5.2) A hash function h maps keys of a given type to

Dictionaries 1/19/2005 11:37 PM Hash Functions and Hash Tables (2.5.2) A hash function h maps keys of a given type to Dictionaries and Hash Tables integers in a fixed interval [0, N 1] Example: h ( x ) = x mod N 0 is a hash function for

503 views • 4 slides
The Skein Hash Function First Hash Function Candidate Conference Leuven, Belgium 26 February 2009

The Skein Hash Function First Hash Function Candidate Conference Leuven, Belgium 26 February 2009

The Skein Hash Function First Hash Function Candidate Conference Leuven, Belgium 26 February 2009 Niels Ferguson Stefan Lucks Bruce Schneier Doug Whiting Mihir Bellare Tadayoshi Kohno Jon Callas Jesse Walker Overview Fast 6.1 cycles/byte on

581 views • 16 slides
Slinging the Hash (Function) What are hash functions good for? Hashing values to insert into

Slinging the Hash (Function) What are hash functions good for? Hashing values to insert into

Slinging the Hash (Function) What are hash functions good for? Hashing values to insert into arrays: hash tables Converting long strings into shorter strings in an irreversible way: one-way function Turn a 200 KB document into a 16

434 views • 5 slides
Model-driven Design &amp; Synthesis of the SHA-256 Cryptographic Hash Function in ReWire Bill

Model-driven Design &amp; Synthesis of the SHA-256 Cryptographic Hash Function in ReWire Bill

Model-driven Design &amp; Synthesis of the SHA-256 Cryptographic Hash Function in ReWire Bill Harrison University of Missouri Adam Procter Intel Corp. Gerard Allwein US Naval Research Laboratory October 7, 2016 Challenge: High Assurance Hardware

495 views • 14 slides
x ? ? ? ? computation easy One Way Hash Function (OWHF) h h h h h

x ? ? ? ? computation easy One Way Hash Function (OWHF) h h h h h

ECRYPT Bart Preneel Emerging Topics in Cryptographic Design and Cryptanalysis Generic Constructions 30 April- 4 May 2007, Samos Greece for Iterated Hash Functions Outline Generic Constructions Generic Constructions for Iterated Hash

759 views • 10 slides
Hashing 0 Hash function. Method for computing array index from key. 1 2 hash(&quot;it&quot;)

Hashing 0 Hash function. Method for computing array index from key. 1 2 hash(&quot;it&quot;)

Hashing: basic plan Save items in a key-indexed table (index is a function of the key). Hashing 0 Hash function. Method for computing array index from key. 1 2 hash(&quot;it&quot;) = 3 Tyler Moore 3 &quot;it&quot; ?? 4 CS 2123, The

559 views • 6 slides
Music Informatics Alan Smaill Jan 29, 2018 Alan Smaill Music Informatics Jan 29, 2018 1/1

Music Informatics Alan Smaill Jan 29, 2018 Alan Smaill Music Informatics Jan 29, 2018 1/1

N I V E U R S E I H T T Y O H F G R E U D I B N Music Informatics Alan Smaill Jan 29, 2018 Alan Smaill Music Informatics Jan 29, 2018 1/1 Today N I V E U R S E I H T T Y O H F G R E U D I B N

225 views • 20 slides
The Two Nucleon System in Chiral Effective Field Theory: Searching for the Power Counting M.

The Two Nucleon System in Chiral Effective Field Theory: Searching for the Power Counting M.

The Two Nucleon System in Chiral Effective Field Theory: Searching for the Power Counting M. Pav on Valderrama Institut de Physique Nucl eaire dOrsay Chiral 13, Beijing, October 2012 Nuclear EFT p. 1 Contents The Nuclear

714 views • 33 slides
Cello Celebrations at UNCG: Cooperation between the University Libraries and the School of Music

Cello Celebrations at UNCG: Cooperation between the University Libraries and the School of Music

Cello Celebrations at UNCG: Cooperation between the University Libraries and the School of Music Mac Nelson, Cello Music Cataloger UNCG University Libraries SEMLA, Jacksonville, FL October 19, 2007 Why Cooperate? The Cello Music

473 views • 43 slides
Keccak, More Than Just SHA3SUM Guido Bertoni 1 Joan Daemen 1 Michal Peeters 2 Gilles Van Assche

Keccak, More Than Just SHA3SUM Guido Bertoni 1 Joan Daemen 1 Michal Peeters 2 Gilles Van Assche

Keccak, More Than Just SHA3SUM Guido Bertoni 1 Joan Daemen 1 Michal Peeters 2 Gilles Van Assche 1 1 STMicroelectronics 2 NXP Semiconductors FOSDEM 2013, Brussels, February 2-3, 2013 1 / 36 Outline 1 How it all began 2 Introducing Keccak 3

466 views • 42 slides
Ian Cross Centre for Music &amp; Science University of Cambridge http://www.mus.cam.ac.uk/~ic108

Ian Cross Centre for Music &amp; Science University of Cambridge http://www.mus.cam.ac.uk/~ic108

Ian Cross Centre for Music &amp; Science University of Cambridge http://www.mus.cam.ac.uk/~ic108 Two prevailing ideas: music constitutes an autonomous, discrete domain of human experience the privileged mode of engagement with music is

1.01k views • 70 slides
HTK Version 3.4 Features (cont) Mark Gales, Andrew Liu &amp; Phil Woodland 19th April 2007 HTK3

HTK Version 3.4 Features (cont) Mark Gales, Andrew Liu &amp; Phil Woodland 19th April 2007 HTK3

HTK Version 3.4 Features (cont) Mark Gales, Andrew Liu &amp; Phil Woodland 19th April 2007 HTK3 Development Team Cambridge University Engineering Department HTK users meeting ICASSP07 HTK Version 3.4 HTK Large Vocabulary Decoder - HDecode

207 views • 17 slides
Keccak and SHA-3: code and standard updates Guido Bertoni 1 Joan Daemen 1 Michal Peeters 2

Keccak and SHA-3: code and standard updates Guido Bertoni 1 Joan Daemen 1 Michal Peeters 2

Keccak and SHA-3: code and standard updates Guido Bertoni 1 Joan Daemen 1 Michal Peeters 2 Gilles Van Assche 1 Ronny Van Keer 1 1 STMicroelectronics 2 NXP Semiconductors FOSDEM 2015, Brussels, January 31st &amp; February 1st, 2015 1 / 39

1.11k views • 63 slides
The Hitchhikers Guide to the SHA-3 Competition Orr Dunkelman Computer Science Department

The Hitchhikers Guide to the SHA-3 Competition Orr Dunkelman Computer Science Department

History First Second Third The Hitchhikers Guide to the SHA-3 Competition Orr Dunkelman Computer Science Department University of Haifa 4 July, 2012 Orr Dunkelman The Hitchhikers Guide to the SHA-3 Competition 1/ 46 History First

909 views • 75 slides

More recommend