keccak and the sha 3 standardization
play

Keccak and the SHA-3 Standardization Guido Bertoni 1 Joan Daemen 1 - PowerPoint PPT Presentation

Mar 03, 2023 •181 likes •908 views

Keccak and the SHA-3 Standardization Guido Bertoni 1 Joan Daemen 1 Michal Peeters 2 Gilles Van Assche 1 1 STMicroelectronics 2 NXP Semiconductors NIST , Gaithersburg, MD February 6, 2013 1 / 60 Outline 1 2 3 4 5 6 The beginning The sponge

  1. Keccak and the SHA-3 Standardization Guido Bertoni 1 Joan Daemen 1 Michaël Peeters 2 Gilles Van Assche 1 1 STMicroelectronics 2 NXP Semiconductors NIST , Gaithersburg, MD February 6, 2013 1 / 60

  2. Outline 1 2 3 4 5 6 The beginning The sponge construction Inside Keccak Analysis underlying Keccak Applications of Keccak , or sponge Some ideas for the SHA-3 standard 2 / 60

  3. The beginning Outline 1 2 3 4 5 6 The beginning The sponge construction Inside Keccak Analysis underlying Keccak Applications of Keccak , or sponge Some ideas for the SHA-3 standard 3 / 60

  4. The beginning Cryptographic hash functions , 2001) , 1995) 4 / 60 h : { 0 , 1 } * ≤ { 0 , 1 } n I n p u t me s s a g e D i g e s t MD5: n = 128 (Ron Rivest, 1992) SHA-1: n = 160 (NSA, NIST SHA-2: n → { 224 , 256 , 384 , 512 } (NSA, NIST

  5. The beginning Our beginning: RadioGatún Initiative to design hash/stream function (late 2005) rumours about NIST call for hash functions forming of Keccak Team starting point: fixing Panama [Daemen, Clapp, FSE 1998] RadioGatún [Keccak team, NIST 2nd hash workshop 2006] more conservative than Panama variable-length output expressing security claim: non-trivial exercise Sponge functions [Keccak team, Ecrypt hash, 2007] closest thing to a random oracle with a finite state Sponge construction calling random permutation 5 / 60

  6. The beginning From RadioGatún to Keccak RadioGatún confidence crisis (2007-2008) own experiments did not inspire confidence in RadioGatún neither did third-party cryptanalysis [Bouillaguet, Fouque, SAC 2008] [Fuhr , Peyrin, FSE 2009] follow-up design Gnoblio went nowhere NIST SHA-3 deadline approaching … U-turn: design a sponge with strong permutation f Keccak [Keccak team, SHA-3, 2008] 6 / 60

  7. The sponge construction Outline 1 2 3 4 5 6 The beginning The sponge construction Inside Keccak Analysis underlying Keccak Applications of Keccak , or sponge Some ideas for the SHA-3 standard 7 / 60

  8. The sponge construction The sponge construction More general than a hash function: arbitrary-length output r bits of rate c bits of capacity (security parameter) 8 / 60 Calls a b -bit permutation f , with b = r + c

  9. The sponge construction Generic security of the sponge construction N is number of calls to f Proven in [Keccak team, Eurocrypt 2008] Bound assumes f is random permutation It covers generic attacks …but not attacks that exploit specific properties of f 9 / 60 RO-differentiating advantage ∗ N 2 / 2 c + 1 As strong as a random oracle against attacks with N < 2 c / 2

  10. The sponge construction Design approach Hermetic sponge strategy Instantiate a sponge function Mission Design permutation f without exploitable properties 10 / 60 Claim a security level of 2 c / 2

  11. The sponge construction How to build a strong permutation Build it as is an iterated permutation Like a block cipher Sequence of identical rounds Round consists of sequence of simple step mappings …but not quite No key schedule Round constants instead of round keys Inverse permutation need not be efficient 11 / 60

  12. The sponge construction Criteria for a strong permutation Classical LC/DC criteria Absence of large differential propagation probabilities Absence of large input-output correlations Infeasibility of the CICO problem Constrained Input Constrained Output Given partial input and partial output, find missing parts Immunity to Integral cryptanalysis Algebraic attacks Slide and symmetry-exploiting attacks … 12 / 60

  13. Inside Keccak Outline 1 2 3 4 5 6 The beginning The sponge construction Inside Keccak Analysis underlying Keccak Applications of Keccak , or sponge Some ideas for the SHA-3 standard 13 / 60

  14. Inside Keccak Keccak Instantiation of a sponge function the permutation Keccak - f Security-speed trade-offs using the same permutation, e.g., permutation width: 1600 security strength 256: post-quantum sufficient permutation width: 200 security strength 80: same as SHA-1 14 / 60 7 permutations: b → { 25 , 50 , 100 , 200 , 400 , 800 , 1600 } SHA-3 instance: r = 1088 and c = 512 Lightweight instance: r = 40 and c = 160

  15. 15 / 60 Inside Keccak The state: an array of 5 × 5 × 2 ℓ bits state y z x 5 × 5 lanes, each containing 2 ℓ bits (1, 2, 4, 8, 16, 32 or 64) ( 5 × 5 ) -bit slices, 2 ℓ of them

  16. 15 / 60 Inside Keccak The state: an array of 5 × 5 × 2 ℓ bits lane y z x 5 × 5 lanes, each containing 2 ℓ bits (1, 2, 4, 8, 16, 32 or 64) ( 5 × 5 ) -bit slices, 2 ℓ of them

  17. 15 / 60 Inside Keccak The state: an array of 5 × 5 × 2 ℓ bits slice y z x 5 × 5 lanes, each containing 2 ℓ bits (1, 2, 4, 8, 16, 32 or 64) ( 5 × 5 ) -bit slices, 2 ℓ of them

  18. 15 / 60 Inside Keccak The state: an array of 5 × 5 × 2 ℓ bits row y z x 5 × 5 lanes, each containing 2 ℓ bits (1, 2, 4, 8, 16, 32 or 64) ( 5 × 5 ) -bit slices, 2 ℓ of them

  19. 15 / 60 Inside Keccak The state: an array of 5 × 5 × 2 ℓ bits column y z x 5 × 5 lanes, each containing 2 ℓ bits (1, 2, 4, 8, 16, 32 or 64) ( 5 × 5 ) -bit slices, 2 ℓ of them

  20. Inside Keccak “Flip bit if neighbors exhibit 01 pattern” Operates independently and in parallel on 5-bit rows Algebraic degree 2, inverse has degree 3 LC/DC propagation properties easy to describe and analyze 16 / 60 χ , the nonlinear mapping in Keccak - f

  21. Inside Keccak Add to each cell parity of neighboring columns: 17 / 60 ′ , a first attempt at mixing bits θ Compute parity c x , z of each column b x , y , z = a x , y , z E c x − 1 , z E c x + 1 , z + = column parity θʹ effect combine

  22. Inside Keccak 18 / 60 ′ Diffusion of θ θʹ

  23. Inside Keccak 19 / 60 ′ (kernel) Diffusion of θ θʹ

  24. Inside Keccak 20 / 60 ′ Diffusion of the inverse of θ θʹ

  25. Inside Keccak We need diffusion between the slices … 21 / 60 ρ for inter-slice dispersion ρ : cyclic shifts of lanes with offsets i ( i + 1 ) / 2 mod 2 ℓ Offsets cycle through all values below 2 ℓ

  26. Inside Keccak XOR of round-dependent constant to lane in origin invariant to translation in the z -direction susceptibility to slide attacks defective cycle structure 22 / 60 ι to break symmetry Without ι , the round mapping would be symmetric Without ι , all rounds would be the same Without ι , we get simple fixed points (000 and 111)

  27. Inside Keccak A first attempt at Keccak - f Problem: low-weight periodic trails by chaining: …but not always 23 / 60 ′ o χ Round function: R = ι o ρ o θ θʹ ρ χ : may propagate unchanged ′ : propagates unchanged, because all column parities are 0 θ ρ : in general moves active bits to different slices …

  28. Inside Keccak The Matryoshka property Patterns in Q 24 / 60 θʹ ρ θʹ ρ ′ are z -periodic versions of patterns in Q

  29. Inside Keccak 0 1 y 2 3 y x 25 / 60 x π for disturbing horizontal/vertical alignment ′ ( ) ( ) ( ) a x , y ◦ a x = ′ , y ′ with ′

  30. Inside Keccak A second attempt at Keccak - f Solves problem encountered before: 26 / 60 ′ o χ Round function: R = ι o π o ρ o θ θ ρ π π moves bits in same column to different columns!

  31. Inside Keccak 27 / 60 ′ to θ Tweaking θ θ

  32. Inside Keccak Diffusion from single-bit output to input very high Increases resistance against LC/DC and algebraic attacks 28 / 60 Inverse of θ θ

  33. Inside Keccak Keccak - f summary Round function: Efficiency high level of parallellism flexibility: bit-interleaving software: competitive on wide range of CPU dedicated hardware: very competitive suited for protection against side-channel attack 29 / 60 R = ι o χ o π o ρ o θ Number of rounds: 12 + 2 ℓ Keccak - f [ 25 ] has 12 rounds Keccak - f [ 1600 ] has 24 rounds

  34. Inside Keccak Performance in software [eBASH, hydra6, http://bench.cr.yp.to/ ] 128 256 256 128 256 128 sha256 sha512 keccakc512 keccakc256 sha1 keccakc512treed2 md5 keccakc256treed2 21.66 Faster than SHA-2 on all modern PC KeccakTree faster than MD5 on some platforms C/b Algo Strength 30 / 60 4.79 4.98 5.89 6.09 8.25 10.02 13.73 < 64 < 80

  35. Inside Keccak Efficient and flexible in hardware From Kris Gaj’s presentation at SHA-3, Washington 2012: 31 / 60

  36. Analysis underlying Keccak Outline 1 2 3 4 5 6 The beginning The sponge construction Inside Keccak Analysis underlying Keccak Applications of Keccak , or sponge Some ideas for the SHA-3 standard 32 / 60

  37. Analysis underlying Keccak Our analysis underlying the design of Keccak - f Presence of large input-output correlations Ability to control propagation of differences Differential/linear trail analysis Lower bounds for trail weights Alignment and trail clustering Algebraic properties Ability of solving certain problems (CICO) algebraically Zero-sum distinguishers (third party) This determined the number of rounds See [ Keccak reference] , [Ecrypt II Hash 2011] , [FSE 2012] 33 / 60 This shaped θ , π and ρ Distribution of # terms of certain degrees Analysis of symmetry properties: this shaped ι

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Keccak From: 1.The Keccak reference 2. Keccak and the SHA-3 Standardization written by ! Guido

Keccak From: 1.The Keccak reference 2. Keccak and the SHA-3 Standardization written by ! Guido

Keccak From: 1.The Keccak reference 2. Keccak and the SHA-3 Standardization written by ! Guido Bertoni (STMicroelectronics) , ! Joan Daemen (STMicroelectronics) , ! Michal Peeters (NXP Semiconductors) , ! Gilles Van Assche

488 views • 26 slides
Standardization Using Output Goal Tables Standardization Concepts The purpose of

Standardization Using Output Goal Tables Standardization Concepts The purpose of

Standardization Using Output Goal Tables Standardization Concepts The purpose of standardization is to reduce variability in fish catchability (q); a more constant q helps CPUE data track population trends more accurately Components to

413 views • 13 slides
New Techniques for Searching Di ff erential Trails in Keccak Guozhen Liu, Weidong Qiu, Yi Tu

New Techniques for Searching Di ff erential Trails in Keccak Guozhen Liu, Weidong Qiu, Yi Tu

New Techniques for Searching Di ff erential Trails in Keccak Guozhen Liu, Weidong Qiu, Yi Tu Nanyang Technological University, Singapore Shanghai Jiao Tong University, China 3-Round Di ff erential Trail Core Search of Keccak Permutation 1 / 21

392 views • 21 slides
Cryptanalysis of Round-Reduced KECCAK using Non-Linear Structures Mahesh Sreekumar Rajasree

Cryptanalysis of Round-Reduced KECCAK using Non-Linear Structures Mahesh Sreekumar Rajasree

Cryptanalysis of Round-Reduced KECCAK using Non-Linear Structures Mahesh Sreekumar Rajasree Center for Cybersecurity, Indian Institute of Technology Kanpur INDOCRYPT 2019, Hyderabad Outline 2 Introduction Hash function Structure of KECCAK

752 views • 50 slides
Differential propagation analysis of Keccak Joan Daemen and Gilles Van Assche STMicroelectronics

Differential propagation analysis of Keccak Joan Daemen and Gilles Van Assche STMicroelectronics

Differential propagation analysis of Keccak Differential propagation analysis of Keccak Joan Daemen and Gilles Van Assche STMicroelectronics Fast Software Encryption, March 19-21, 2012 1 / 28 Differential propagation analysis of Keccak Outline

409 views • 36 slides
Algebraic Cryptanalysis of Round-Reduced Keccak with Linear Structures Meicheng Liu joint work

Algebraic Cryptanalysis of Round-Reduced Keccak with Linear Structures Meicheng Liu joint work

Algebraic Cryptanalysis of Round-Reduced Keccak with Linear Structures Meicheng Liu joint work with Jian Guo and Ling Song ASK 2016, September 2016 1/45 Outline Introduction SHA-3 hash function Specifications of Keccak Main Results

913 views • 65 slides
Keccak, More Than Just SHA3SUM Guido Bertoni 1 Joan Daemen 1 Michal Peeters 2 Gilles Van Assche

Keccak, More Than Just SHA3SUM Guido Bertoni 1 Joan Daemen 1 Michal Peeters 2 Gilles Van Assche

Keccak, More Than Just SHA3SUM Guido Bertoni 1 Joan Daemen 1 Michal Peeters 2 Gilles Van Assche 1 1 STMicroelectronics 2 NXP Semiconductors FOSDEM 2013, Brussels, February 2-3, 2013 1 / 36 Outline 1 How it all began 2 Introducing Keccak 3

466 views • 42 slides
TEST STANDARDIZATION: SOME PRACTICAL GUIDANCE Why standardization matters: a review LEARNING

TEST STANDARDIZATION: SOME PRACTICAL GUIDANCE Why standardization matters: a review LEARNING

TEST STANDARDIZATION: SOME PRACTICAL GUIDANCE Why standardization matters: a review LEARNING Impact of the testing setting POL and de-centralized testing on standardization examples considerations OBJECTIVES Systematically managing the

558 views • 20 slides
Linear Structures: Applications to Cryptanalysis of Round-Reduced Keccak Meicheng Liu joint work

Linear Structures: Applications to Cryptanalysis of Round-Reduced Keccak Meicheng Liu joint work

Linear Structures: Applications to Cryptanalysis of Round-Reduced Keccak Meicheng Liu joint work with Jian Guo and Ling Song Asiacrypt 2016 1/28 Outline Introduction SHA-3 hash function Linear Structures Linear structures of Keccak-f

474 views • 43 slides
Outline Hash Functions 1 Iterated Hash Functions CPSC 418/MATH 318 Introduction to Cryptography

Outline Hash Functions 1 Iterated Hash Functions CPSC 418/MATH 318 Introduction to Cryptography

Outline Hash Functions 1 Iterated Hash Functions CPSC 418/MATH 318 Introduction to Cryptography SHA-1 SHA-3 (Keccak) Hash Functions, SHA-3, Message Authentication Codes 2 Sponge Construction Keccak Overview Renate Scheidler Keccak

888 views • 14 slides
Protocols, Checklists and I HAVE NOTHING TO DISCLOSE Standardization Steven L. Clark, M.D.

Protocols, Checklists and I HAVE NOTHING TO DISCLOSE Standardization Steven L. Clark, M.D.

Protocols, Checklists and I HAVE NOTHING TO DISCLOSE Standardization Steven L. Clark, M.D. Texas Childrens Hospital/Baylor College of Medicine AUDIENCE RESPONSE QUESTION PROTOCOLS AND STANDARDIZATION Rationale for standardization How

266 views • 11 slides
Updated and latest news from international standardization International ISO standardization

Updated and latest news from international standardization International ISO standardization

Updated and latest news from international standardization International ISO standardization seminar for the reliability technology and cost area. Statoil Business Centre, Stavanger, 26 April 2016 Runar steb, Advisor, Statoil ISO/TC 67/WG4

676 views • 18 slides
Standardization Considerations Standardization Positioning for Town of Cary Parks, Recreation

Standardization Considerations Standardization Positioning for Town of Cary Parks, Recreation

Standardization Considerations Standardization Positioning for Town of Cary Parks, Recreation &amp; Cultural Resources CURRENT SITUATION IMAGE CONTROL: CPRCR has so much to ofger, yet, the message of its programs, benefjts and ownership may

789 views • 21 slides
Conditional Cube Attacks on Keccak - p Based Constructions Ling Song, Jian Guo, Danping Shi ASK

Conditional Cube Attacks on Keccak - p Based Constructions Ling Song, Jian Guo, Danping Shi ASK

Conditional Cube Attacks on Keccak - p Based Constructions Ling Song, Jian Guo, Danping Shi ASK 2017 @ Changsha, China L. Song, J. Guo, D. Shi Conditional Cube Attacks on Keccak - p Based Constructions ASK 2017 1 / 30 Outlines 1 Keccak 2

614 views • 45 slides
Cube-Attack-Like Cryptanalysis of Round-Reduced Keccak Using MILP Ling Song , Jian Guo FSE 2019 @

Cube-Attack-Like Cryptanalysis of Round-Reduced Keccak Using MILP Ling Song , Jian Guo FSE 2019 @

Cube-Attack-Like Cryptanalysis of Round-Reduced Keccak Using MILP Ling Song , Jian Guo FSE 2019 @ Paris, France Song, Guo Cube-Attack-Like Cryptanalysis of Round-Reduced Keccak Using MILP FSE 2019 1 / 27 Outlines 1 Keccak and its Relatives 2

927 views • 33 slides
Standardization Strategy for FMBC Realization for FMBC Realization Standardization activity

Standardization Strategy for FMBC Realization for FMBC Realization Standardization activity

Standardization Strategy for FMBC Realization for FMBC Realization Standardization activity for Telecom Operators FMBC with ultra 3G in NEW ERA Standardization areas for FMBC Summary Summary 2009.9.8 Hi Hiroshi TANAKA

575 views • 10 slides
Final Rule Medicaid HCBS Disabled and Elderly Health Programs Group Center for Medicaid and CHIP

Final Rule Medicaid HCBS Disabled and Elderly Health Programs Group Center for Medicaid and CHIP

Final Rule Medicaid HCBS Disabled and Elderly Health Programs Group Center for Medicaid and CHIP Services Final Rule CMS 2249-F and CMS 2296-F Published in the Federal Register on January 16, 2014 Title: Medicaid Program; State Plan Home and

709 views • 59 slides
Clinical Quality Management Program Bal4more City Health Department

Clinical Quality Management Program Bal4more City Health Department

Clinical Quality Management Program Bal4more City Health Department Ryan White Office 410-396-1408 Categories Reviewed in 2010 OAHS Primary Medical

331 views • 17 slides
The Trouble with Types Martin Odersky EPFL and Typesafe

The Trouble with Types Martin Odersky EPFL and Typesafe

The Trouble with Types Martin Odersky EPFL and Typesafe Types Everyone has an opinion on them Industry: Used to be the norm (C/C++,

710 views • 48 slides
Indifferentiable Authenticated Encryption Pooya Farshim Manuel Barbosa (Porto) (CNRS

Indifferentiable Authenticated Encryption Pooya Farshim Manuel Barbosa (Porto) (CNRS

Indifferentiable Authenticated Encryption Pooya Farshim Manuel Barbosa (Porto) (CNRS &amp; ENS) Indifferentiable Authenticated Encryption Pooya Farshim Manuel Barbosa (Porto) (CNRS &amp; ENS) Hash Functions long &amp; short

1.25k views • 79 slides
Key Reuse: Theory and Practice Kenny Paterson Royal Holloway, University of London based on

Key Reuse: Theory and Practice Kenny Paterson Royal Holloway, University of London based on

Key Separation, Key Reuse, and Cryptographic Agility Joint Security Key Reuse in EMV Cryptographic Agility BC Attacks Concluding Remarks Key Reuse: Theory and Practice Kenny Paterson Royal Holloway, University of London based on joint work

819 views • 57 slides
http://cs224w.stanford.edu Networks of tightly Networks of tightly connected groups

http://cs224w.stanford.edu Networks of tightly Networks of tightly connected groups

CS224W: Social and Information Network Analysis Jure Leskovec Stanford University Jure Leskovec, Stanford University http://cs224w.stanford.edu Networks of tightly Networks of tightly connected groups Network communities: Sets of

351 views • 34 slides
Requesting Research Identifiable Data for HCIA Awardees 02/19/2014 Presented by Faith Asper,

Requesting Research Identifiable Data for HCIA Awardees 02/19/2014 Presented by Faith Asper,

Requesting Research Identifiable Data for HCIA Awardees 02/19/2014 Presented by Faith Asper, ResDAC Director of Assistance Work performed under CMS Contract #HHSM-500-2013-00166C About ResDAC Centers for Medicare and Medicaid (CMS)

507 views • 27 slides
(FC FCEP) Brothers Keeper Init itia iati tive RFPGC16-013 Full proposals must be

(FC FCEP) Brothers Keeper Init itia iati tive RFPGC16-013 Full proposals must be

7/22/2016 FAMILY AND D COMMUNIT MUNITY Y ENGAGEME GEMENT NT PROGRAM ROGRAM A New ew York rk State e My (FC FCEP) Brothers Keeper Init itia iati tive RFPGC16-013 Full proposals must be postmarked by 8/26/16 IMPORTANT DATES

680 views • 15 slides

More recommend