
Keccak, More Than Just SHA3SUM



  1. Keccak, More Than Just SHA3SUM. Guido Bertoni (STMicroelectronics), Joan Daemen (STMicroelectronics), Michaël Peeters (NXP Semiconductors), Gilles Van Assche (STMicroelectronics). FOSDEM 2013, Brussels, February 2-3, 2013.

  2. Outline: (1) How it all began; (2) Introducing Keccak; (3) More than just SHA3SUM; (4) Inside Keccak; (5) Keccak and the community.

  3. Outline, section 1: How it all began.

  4. How it all began: Let’s talk about hash functions... These are “hashes” of some sort, but they ain’t hash functions...

  5. How it all began: Cryptographic hash functions. $h : \{0,1\}^* \to \{0,1\}^n$, mapping an input message to a digest. MD5: n = 128 (Ron Rivest, 1992). SHA-1: n = 160 (NSA, NIST, 1995). SHA-2: n ∈ {224, 256, 384, 512} (NSA, NIST, 2001).

  6. How it all began: Why should you care? You probably use them several times a day: website authentication, digital signature, home banking, secure internet connections, software integrity, version control software, …

  7. How it all began: Breaking news in crypto. 2004: SHA-0 broken (Joux et al.); 2004: MD5 broken (Wang et al.); 2005: practical attack on MD5 (Lenstra et al., and Klima); 2005: SHA-1 theoretically broken (Wang et al.); 2006: SHA-1 broken further (De Cannière and Rechberger); 2007: NIST calls for SHA-3. Who answered NIST’s call?

  8. How it all began: Keccak Team to the rescue!

  9. How it all began: The battlefield [courtesy of Christophe De Cannière]. [Figure: status of the SHA-3 candidates on a 2005 to 2012 timeline, snapshot dated 16/06/2009. Candidates shown: EDON-R, BMW, Sgàil, LANE, Grøstl, Keccak, ZK-Crypt, NKS2D, Maraca, Hamsi, MD6, MeshHash, Waterfall, StreamHash, ECOH, Twister, EnRUPT, Abacus, MCSSHA3, WaMM, Ponic, AURORA, Shabal, LUX, Skein, SHAMATA, CubeHash, CRUNCH, Luffa, Cheetah, DynamicSHA2, Spectral Hash, ECHO, DCH, Sarmal, SIMD, ESSENCE, SWIFFTX, FSB, ARIRANG, NaSHA, Lesamnta, Fugue, SHAvite-3, SANDstorm, BLAKE, Blender, HASH 2X, Vortex, DynamicSHA, Tangle, BOOLE, Khichidi-1, JH, CHI, TIB3.]

  10. How it all began: SHA-3 time schedule. 2007: SHA-3 initial call; 2008: submission deadline; 2009: first SHA-3 conference; 2010: second SHA-3 conference; 2010: finalists are Blake, Grøstl, JH, Keccak and Skein; 2012: final SHA-3 conference; Oct. 2, 2012: Keccak wins! Participants: 64 → 51 → 14 → 5 → 1.

  11. Outline, section 2: Introducing Keccak.

  12. Introducing Keccak: Keccak, a sponge function. The sponge construction: arbitrary input and output length; more flexible than regular hash functions. Parameters: r bits of rate (defines the speed), c bits of capacity (defines the security level). Use the permutation Keccak-f. [Figure: the sponge construction. Variable-length input, state initialized to 0, f … f (absorbing), f … f (squeezing), variable-length output.]

  13. Introducing Keccak: The sponge construction. The seven permutation army: 7 permutations of 25, 50, 100, 200, 400, 800, 1600 bits (toy, lightweight, fastest); repetition of a simple round function; like a block cipher but without a key; operates on a 3D state of (5 × 5) lanes, up to 64-bit each.

  14. Introducing Keccak: The sponge construction. The seven permutation army ((5 × 5) lanes, up to 64-bit each): first, choose your permutation … then choose the rate and capacity. Security-speed trade-offs using the same permutation, e.g. width = 1600, such that rate + capacity = 1600:

          Rate    Capacity    Strength    Speed
          1024    576         288         1.000
          1088    512         256         × 1.063
          1216    384         192         × 1.188
          1344    256         128         × 1.312

  15. Outline, section 3: More than just SHA3SUM.

  16. More than just SHA3SUM: One primitive to rule them all. Full range of cryptographic functions: hashing (regular, salted), key derivation, message authentication, encryption, authenticated encryption. …in a simple way: easy to understand security claim; simple & straightforward usage. …and increasing diversity of standard portfolio: very different from SHA-1 and SHA-2; very different from AES and block cipher modes.

  17. More than just SHA3SUM: One primitive to rule them all. Use Keccak for regular hashing: electronic signatures, message integrity (GPG, X.509 …); data integrity (shaxsum …); data identifier (Git, Mercurial, online anti-virus, peer-2-peer …).


  19. More than just SHA3SUM: One primitive to rule them all. Use Keccak for salted hashing. Goal: defeat rainbow tables. Web cookie; password storage and verification (Kerberos, /etc/shadow …). …Can be as slow as you like it!

  20. More than just SHA3SUM: One primitive to rule them all. Use Keccak as a mask generation function: key derivation function in SSL, TLS; full-domain hashing in public key cryptography: electronic signatures RSA PSS [PKCS#1], encryption RSA OAEP [PKCS#1], key establishment RSA KEM [IEEE Std 1363a].

  21. More than just SHA3SUM: One primitive to rule them all. Use Keccak for MACing. As a message authentication code: simpler than HMAC [FIPS 198]. HMAC: special construction for MACing with SHA-1 and SHA-2; required to plug a security hole in SHA-1 and SHA-2; no longer needed for Keccak, which is sound. [Figure: sponge absorbing the key, then the padded message, and squeezing the MAC.]

  22. More than just SHA3SUM: One primitive to rule them all. Use Keccak for (stream) encryption, as a stream cipher. [Figure: sponge absorbing the key and the IV, then squeezing the key stream.]

  23. More than just SHA3SUM: One primitive to rule them all. Single pass authenticated encryption: authentication and encryption in a single pass! Secure messaging (SSL/TLS, SSH, IPSEC …). Same primitive Keccak-f but in a (slightly) different mode: the duplex construction. Also for random generation with reseeding (/dev/urandom …). [Figure: duplex object taking the key, the IV and the padded message, producing the key stream and the MAC.]
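
The MAC and stream-cipher modes of slides 21 and 22, as an added example that is not code from the talk or from the Keccak Team. It uses Python's `hashlib.shake_256` (a Keccak sponge instance standardized after this talk) as the sponge; the key and IV lengths, the one-byte labels and all function names are assumptions of this sketch, not a standardized construction.

```python
import hashlib
import hmac

KEY_LEN = 32  # assumption: fixed key length, so key || data parses unambiguously
IV_LEN = 16   # assumption: fixed IV length; an IV must never repeat under one key

def _keyed(label, key):
    # A one-byte label separates the MAC use from the key-stream use of one key.
    if len(key) != KEY_LEN:
        raise ValueError("key must be %d bytes" % KEY_LEN)
    return hashlib.shake_256(label + key)

def mac(key, message, taglen=32):
    """Slide 21: absorb the key, then the message, and squeeze the tag."""
    h = _keyed(b"M", key)
    h.update(message)
    return h.digest(taglen)

def verify(key, message, tag):
    # Constant-time comparison, so the check does not leak matching prefixes.
    return hmac.compare_digest(mac(key, message, len(tag)), tag)

def keystream(key, iv, n):
    """Slide 22: absorb the key, then the IV, and squeeze n bytes of key stream."""
    if len(iv) != IV_LEN:
        raise ValueError("IV must be %d bytes" % IV_LEN)
    h = _keyed(b"S", key)
    h.update(iv)
    return h.digest(n)

def xor_stream(key, iv, data):
    """Encrypt or decrypt by XORing the data with the key stream."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, iv, len(data))))

def seal(key, iv, plaintext):
    """Encrypt-then-MAC in two passes; the duplex mode of slide 23 needs one."""
    ct = xor_stream(key, iv, plaintext)
    return ct, mac(key, iv + ct)

def open_sealed(key, iv, ct, tag):
    """Return the plaintext, or None if the tag does not verify."""
    if not verify(key, iv + ct, tag):
        return None
    return xor_stream(key, iv, ct)
```

The tag is checked before any decryption, so a modified ciphertext is rejected without producing plaintext.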

  24. More than just SHA3SUM: Security. Tuning Keccak to your own security requirements. Online tool available at http://keccak.noekeon.org/tune.html


  29. Outline, section 4: Inside Keccak.

  30. Inside Keccak: Keccak-f in pseudo-code (http://keccak.noekeon.org/specs_summary.html)

          Keccak-f[b](A) {
            forall i in 0…n_r-1
              A = Round[b](A, RC[i])
            return A
          }

          Round[b](A,RC) {
            θ step
            C[x] = A[x,0] xor A[x,1] xor A[x,2] xor A[x,3] xor A[x,4],   forall x in 0…4
            D[x] = C[x-1] xor rot(C[x+1],1),                             forall x in 0…4
            A[x,y] = A[x,y] xor D[x],                                    forall (x,y) in (0…4,0…4)

            ρ and π steps
            B[y,2*x+3*y] = rot(A[x,y], r[x,y]),                          forall (x,y) in (0…4,0…4)

            χ step
            A[x,y] = B[x,y] xor ((not B[x+1,y]) and B[x+2,y]),           forall (x,y) in (0…4,0…4)

            ι step
            A[0,0] = A[0,0] xor RC

            return A
          }
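
The round function above and the sponge construction of slides 12 and 14, carried through for width b = 1600 as an added Python example (not the Keccak Team's reference code). Assumptions not on the slides: the rotation offsets r[x,y] and round constants RC[i] are generated on the fly instead of read from tables, and the padding suffix byte 0x06 is the SHA-3 value from the later FIPS 202 standard, used here so the result can be cross-checked against `hashlib`.

```python
import hashlib

MASK = (1 << 64) - 1

def rot(v, n):  # rotate a 64-bit lane left by n bits
    return ((v << n % 64) | (v >> (64 - n % 64))) & MASK

def keccak_f1600(A):
    """Keccak-f[1600]: 24 rounds on 25 lanes, lane (x, y) stored at A[x + 5*y]."""
    lfsr = 1  # LFSR that generates the round constants RC[i]
    for _ in range(24):
        # theta: XOR each lane with the parities of two neighbouring columns
        C = [A[x] ^ A[x + 5] ^ A[x + 10] ^ A[x + 15] ^ A[x + 20] for x in range(5)]
        D = [C[(x - 1) % 5] ^ rot(C[(x + 1) % 5], 1) for x in range(5)]
        A = [A[i] ^ D[i % 5] for i in range(25)]
        # rho and pi: rotate each lane by r[x,y] and move it to (y, 2x+3y)
        x, y, cur = 1, 0, A[1]
        for t in range(24):
            x, y = y, (2 * x + 3 * y) % 5
            cur, A[x + 5 * y] = A[x + 5 * y], rot(cur, (t + 1) * (t + 2) // 2)
        # chi: the only non-linear step, applied along each row
        A = [A[i] ^ (~A[i - i % 5 + (i + 1) % 5] & A[i - i % 5 + (i + 2) % 5]) for i in range(25)]
        # iota: XOR the round constant into lane (0, 0)
        for j in range(7):
            lfsr = ((lfsr << 1) ^ ((lfsr >> 7) * 0x71)) % 256
            if lfsr & 2:
                A[0] ^= 1 << ((1 << j) - 1)
    return A

def permute(state):  # 200-byte state <-> 25 little-endian lanes
    lanes = [int.from_bytes(state[8 * i:8 * i + 8], "little") for i in range(25)]
    return bytearray(b"".join(v.to_bytes(8, "little") for v in keccak_f1600(lanes)))

def sponge(rate, capacity, msg, suffix, outlen):  # rate and capacity in bits
    assert rate + capacity == 1600 and rate % 8 == 0
    r = rate // 8
    # pad10*1, with the domain-separation suffix folded into the first pad byte
    padded = bytearray(msg) + bytes([suffix]) + bytes(-(len(msg) + 1) % r)
    padded[-1] ^= 0x80
    state = bytearray(200)
    for off in range(0, len(padded), r):  # absorbing phase
        state[:r] = bytes(a ^ b for a, b in zip(state[:r], padded[off:off + r]))
        state = permute(state)
    out = bytes(state[:r])
    while len(out) < outlen:  # squeezing phase
        state = permute(state)
        out += bytes(state[:r])
    return out[:outlen]

def matches_stdlib(msg):  # cross-check against Python's own SHA3-256
    return sponge(1088, 512, msg, 0x06, 32) == hashlib.sha3_256(msg).digest()
```

Changing only `rate` and `capacity` moves along the trade-off table of slide 14, and a larger `outlen` keeps squeezing, which is the variable-length output the sponge slides describe.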

  31. Inside Keccak: Performance in software. Faster than SHA-2 on all modern PC. KeccakTree faster than MD5 on some platforms. [eBASH, hydra6, http://bench.cr.yp.to/]

          C/b      Algo                Strength
          4.79     keccakc256treed2    128
          4.98     md5                 broken! 64
          5.89     keccakc512treed2    256
          6.09     sha1                broken! 80
          8.25     keccakc256          128
          10.02    keccakc512          256
          13.73    sha512              256
          21.66    sha256              128

  32. Inside Keccak: Efficient and flexible in hardware. From Kris Gaj’s presentation at SHA-3, Washington 2012: [figure]

  33. Inside Keccak: Implementation tricks. No mismatch CPU words vs. security level. Bit interleaving, ex.: map 64-bit lane to 32-bit words, even bits in one word, odd bits in a second word. ρ seems the critical step: ROT64 ↔ 2 × ROT32. Can be generalized to 16- and 8-bit words. Can be combined with lane/slice-wise architectures and with most other techniques. [Keccak impl. overview, Section 2.1]
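
The bit-interleaving trick from this slide, as an added Python example (not the Keccak Team's code; all function names are assumptions). It checks that a 64-bit lane rotation can be done with two 32-bit rotations on the interleaved words, for every offset; the bitwise steps (θ, χ, ι) work on interleaved words unchanged, which is why the slide singles out ρ.

```python
import random

def interleave(lane):
    """Split a 64-bit lane into (even, odd): 32-bit words of its even/odd bits."""
    even = odd = 0
    for j in range(32):
        even |= ((lane >> (2 * j)) & 1) << j
        odd |= ((lane >> (2 * j + 1)) & 1) << j
    return even, odd

def deinterleave(even, odd):
    """Inverse of interleave()."""
    lane = 0
    for j in range(32):
        lane |= ((even >> j) & 1) << (2 * j)
        lane |= ((odd >> j) & 1) << (2 * j + 1)
    return lane

def rot32(w, n):
    n %= 32
    return ((w << n) | (w >> (32 - n))) & 0xFFFFFFFF

def rot64(v, n):
    n %= 64
    return ((v << n) | (v >> (64 - n))) & 0xFFFFFFFFFFFFFFFF

def rot64_interleaved(even, odd, n):
    """Rotate the interleaved lane left by n using only 32-bit rotations."""
    n %= 64
    k = n // 2
    if n % 2 == 0:
        # even offset: each word rotates on its own by n/2
        return rot32(even, k), rot32(odd, k)
    # odd offset: the words swap roles; former odd bits move one position further
    return rot32(odd, k + 1), rot32(even, k)

def check_all_offsets(trials=20, seed=1):
    """Compare against a plain 64-bit rotation on constructed random lanes."""
    rng = random.Random(seed)
    for _ in range(trials):
        lane = rng.getrandbits(64)
        e, o = interleave(lane)
        for n in range(64):
            if deinterleave(*rot64_interleaved(e, o, n)) != rot64(lane, n):
                return False
    return True
```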

  34. Outline, section 5: Keccak and the community.

  35. Keccak and the community: SHA-3, an open contest. Open submissions, as required by NIST: public algorithm details; open-source reference and optimized implementations; no patents. Open cryptanalysis. Open benchmarks [eBASH] [XBX]. KeccakTools: a set of documented C++ classes to help analyze Keccak-f; to encourage cryptanalysis (we use it too!); to help verify our claims [Keccak Team, FSE 2012]; and also to generate optimized code.
