keccak
play

Keccak Guido Bertoni 1 Joan Daemen 1 Michal Peeters 2 Gilles Van - PowerPoint PPT Presentation

Nov 22, 2023 •243 likes •915 views

Keccak Guido Bertoni 1 Joan Daemen 1 Michal Peeters 2 Gilles Van Assche 1 1 STMicroelectronics 2 NXP Semiconductors Eurocrypt 2013 Athens, Greece, May 28th, 2013 1 / 57 Symmetric crypto: what textbooks and intros say Symmetric

  1. Keccak Guido Bertoni 1 Joan Daemen 1 Michaël Peeters 2 Gilles Van Assche 1 1 STMicroelectronics 2 NXP Semiconductors Eurocrypt 2013 Athens, Greece, May 28th, 2013 1 / 57

  2. Symmetric crypto: what textbooks and intro’s say Symmetric cryptographic primitives: Block ciphers Stream ciphers Hash functions And their modes-of-use Picture by GlasgowAmateur 2 / 57

  3. Outline 1 The sponge construction 2 Inside Keccak 3 Outside Keccak (using sponge and duplex) 4 Keccak towards the SHA-3 standard 5 Further inside Keccak 3 / 57

  4. The sponge construction Outline 1 The sponge construction 2 Inside Keccak 3 Outside Keccak (using sponge and duplex) 4 Keccak towards the SHA-3 standard 5 Further inside Keccak 4 / 57

  5. The sponge construction Our beginning: RadioGatún Initiative to design hash/stream function (late 2005) rumours about NIST call for hash functions forming of Keccak Team starting point: fixing Panama [Daemen, Clapp, FSE 1998] RadioGatún [Keccak team, NIST 2nd hash workshop 2006] more conservative than Panama arbitrary output length primitive expressing security claim for arbitrary output length primitive Sponge functions [Keccak team, Ecrypt hash, 2007] … closest thing to a random oracle with a finite state … Sponge construction calling random permutation 5 / 57

  6. The sponge construction The sponge construction More general than a hash function: arbitrary-length output r bits of rate c bits of capacity (security parameter) 6 / 57 Calls a b -bit permutation f , with b = r + c

  7. The sponge construction Generic security of the sponge construction Theorem (Indifferentiability of the sponge construction) N [Keccak team, Eurocrypt 2008] The bound assumes f is a random permutation It covers generic attacks …but not attacks that exploit specific properties of f 7 / 57 The sponge construction calling a random permutation, S ′ [ F ] , is ( t D , t S , N , ϵ ) -indifferentiable from a random oracle, for any t D , t S = O ( N 2 ) , N < 2 c and for any ϵ with ϵ > f P ( N ) ≈ 2 c + 1 . Informally, a random sponge is like a random oracle when N < 2 c / 2 . Collision-, preimage-resistance, etc., up to security strength c / 2

  8. The sponge construction Design approach Hermetic sponge strategy Instantiate a sponge function Our mission Design permutation f without exploitable properties 8 / 57 Claim a security level of 2 c / 2

  9. The sponge construction How to build a strong permutation Like a block cipher Sequence of identical rounds Round consists of sequence of simple step mappings …but not quite No key schedule Round constants instead of round keys Inverse permutation need not be efficient 9 / 57

  10. Inside Keccak Outline 1 The sponge construction 2 Inside Keccak 3 Outside Keccak (using sponge and duplex) 4 Keccak towards the SHA-3 standard 5 Further inside Keccak 10 / 57

  11. Inside Keccak Keccak Instantiation of a sponge function Using the permutation Keccak - f … from toy over lightweight to high-speed … permutation width: 1600 security strength 256: post-quantum sufficient permutation width: 200 security strength 80: same as (initially expected from) SHA-1 See [The Keccak reference] for more details 11 / 57 7 permutations: b ∈ { 25 , 50 , 100 , 200 , 400 , 800 , 1600 } SHA-3 instance: r = 1088 and c = 512 Lightweight instance: r = 40 and c = 160

  12. Inside Keccak Keccak Instantiation of a sponge function Using the permutation Keccak - f … from toy over lightweight to high-speed … permutation width: 1600 security strength 256: post-quantum sufficient permutation width: 200 security strength 80: same as (initially expected from) SHA-1 See [The Keccak reference] for more details 11 / 57 7 permutations: b ∈ { 25 , 50 , 100 , 200 , 400 , 800 , 1600 } SHA-3 instance: r = 1088 and c = 512 Lightweight instance: r = 40 and c = 160

  13. Inside Keccak Keccak Instantiation of a sponge function Using the permutation Keccak - f … from toy over lightweight to high-speed … permutation width: 1600 security strength 256: post-quantum sufficient permutation width: 200 security strength 80: same as (initially expected from) SHA-1 See [The Keccak reference] for more details 11 / 57 7 permutations: b ∈ { 25 , 50 , 100 , 200 , 400 , 800 , 1600 } SHA-3 instance: r = 1088 and c = 512 Lightweight instance: r = 40 and c = 160

  14. 12 / 57 Inside Keccak The state: an array of 5 × 5 × 2 ℓ bits state y z x 5 × 5 lanes, each containing 2 ℓ bits (1, 2, 4, 8, 16, 32 or 64) ( 5 × 5 ) -bit slices, 2 ℓ of them

  15. 12 / 57 Inside Keccak The state: an array of 5 × 5 × 2 ℓ bits lane y z x 5 × 5 lanes, each containing 2 ℓ bits (1, 2, 4, 8, 16, 32 or 64) ( 5 × 5 ) -bit slices, 2 ℓ of them

  16. 12 / 57 Inside Keccak The state: an array of 5 × 5 × 2 ℓ bits slice y z x 5 × 5 lanes, each containing 2 ℓ bits (1, 2, 4, 8, 16, 32 or 64) ( 5 × 5 ) -bit slices, 2 ℓ of them

  17. 12 / 57 Inside Keccak The state: an array of 5 × 5 × 2 ℓ bits row y z x 5 × 5 lanes, each containing 2 ℓ bits (1, 2, 4, 8, 16, 32 or 64) ( 5 × 5 ) -bit slices, 2 ℓ of them

  18. 12 / 57 Inside Keccak The state: an array of 5 × 5 × 2 ℓ bits column y z x 5 × 5 lanes, each containing 2 ℓ bits (1, 2, 4, 8, 16, 32 or 64) ( 5 × 5 ) -bit slices, 2 ℓ of them

  19. Inside Keccak “Flip bit if neighbors exhibit 01 pattern” Operates independently and in parallel on 5-bit rows Cheap: small number of operations per bit Algebraic degree 2, inverse has degree 3 LC/DC propagation properties easy to describe and analyze 13 / 57 χ , the nonlinear mapping in Keccak - f

  20. Inside Keccak The propagation weight… … is determined by input difference only; … is the size of the affine base; … is the number of affine conditions. 14 / 57 Propagating differences through χ … is equal to − log 2 ( fraction of pairs ) ;

  21. Inside Keccak Add to each cell parity of neighboring columns: Cheap: two XORs per bit 15 / 57 θ ′ , a first attempt at mixing bits Compute parity c x , z of each column b x , y , z = a x , y , z ⊕ c x − 1 , z ⊕ c x + 1 , z + = column parity θ ʹ effect combine

  22. mod Inside Keccak 16 / 57 Diffusion of θ ′ θʹ 1 + y + y 2 + y 3 + y 4 ) ( ( x + x 4 ) 1 + ( ⟨ 1 + x 5 , 1 + y 5 , 1 + z w ⟩)

  23. mod Inside Keccak 17 / 57 Diffusion of θ ′ (kernel) θʹ 1 + y + y 2 + y 3 + y 4 ) ( ( x + x 4 ) 1 + ( ⟨ 1 + x 5 , 1 + y 5 , 1 + z w ⟩)

  24. mod Inside Keccak 18 / 57 Diffusion of the inverse of θ ′ θʹ 1 + y + y 2 + y 3 + y 4 ) ( x 2 + x 3 ) ( 1 + ( ⟨ 1 + x 5 , 1 + y 5 , 1 + z w ⟩)

  25. Inside Keccak 1 0 3 2 19 / 57 We need diffusion between the slices … y ρ for inter-slice dispersion ρ : cyclic shifts of lanes with offsets ) i − 1 ( 1 ( x ) ( 0 ) i ( i + 1 ) / 2 mod 2 ℓ , with = Offsets cycle through all values below 2 ℓ

  26. Inside Keccak XOR of round-dependent constant to lane in origin invariant to translation in the z -direction susceptible to rotational cryptanalysis susceptibility to slide attacks defective cycle structure 20 / 57 ι to break symmetry Without ι , the round mapping would be symmetric Without ι , all rounds would be the same Without ι , we get simple fixed points (000 and 111)

  27. Inside Keccak A first attempt at Keccak - f Problem: low-weight periodic trails by chaining: χ θʹ ρ …but not always 21 / 57 Round function: R = ι ◦ ρ ◦ θ ′ ◦ χ χ : propagates unchanged with weight 4 θ ′ : propagates unchanged, because all column parities are 0 ρ : in general moves active bits to different slices …

  28. Inside Keccak The Matryoshka property χ θʹ ρ χ θʹ ρ 22 / 57 Patterns in Q ′ are z -periodic versions of patterns in Q Weight of trail Q ′ is twice that of trail Q (or 2 n times in general)

  29. Inside Keccak y 1 2 3 23 / 57 π for disturbing horizontal/vertical alignment ) ( x ′ ( x ) ( 0 ) a x , y ← a x ′ , y ′ with = y ′

  30. Inside Keccak A second attempt at Keccak - f Solves problem encountered before: χ θʹ ρ π Almost there, still a final tweak … 24 / 57 Round function: R = ι ◦ π ◦ ρ ◦ θ ′ ◦ χ π moves bits in same column to different columns!

  31. Inside Keccak mod 25 / 57 Tweaking θ ′ to θ θ 1 + y + y 2 + y 3 + y 4 ) ( ( ) 1 + x + x 4 z ( ⟨ 1 + x 5 , 1 + y 5 , 1 + z w ⟩)

  32. Q is dense, so: Inside Keccak Diffusion from single-bit output to input very high Increases resistance against LC/DC and algebraic attacks 26 / 57 Inverse of θ θ 1 + y + y 2 + y 3 + y 4 ) ( 1 + Q , with Q = 1 + ( 1 + x + x 4 z ) − 1 mod ⟨ 1 + x 5 , 1 + z w ⟩

  33. Inside Keccak Keccak - f summary Round function: Efficiency [ Keccak implementation overview] high level of parallellism flexibility: bit-interleaving software: fast on wide range of CPU dedicated hardware: very fast suited for protection against side-channel attack [Debande, Le and Keccak team, HASP 2012 + ePrint 2013/067] 27 / 57 R = ι ◦ χ ◦ π ◦ ρ ◦ θ Number of rounds: 12 + 2 ℓ Keccak - f [ 25 ] has 12 rounds Keccak - f [ 1600 ] has 24 rounds

  34. Inside Keccak 256 80 8.25 keccakc256 128 10.02 keccakc512 13.73 sha1 sha512 256 21.66 sha256 128 [eBASH, hydra6 (AMD Bulldozer), http://bench.cr.yp.to/ ] broken! 6.09 Performance in software 4.79 Faster than SHA-2 on all modern PCs KeccakTree faster than MD5 on some platforms C/b Algo Strength keccakc256treed2 256 128 4.98 md5 broken! 64 5.89 keccakc512treed2 28 / 57

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Keccak From: 1.The Keccak reference 2. Keccak and the SHA-3 Standardization written by ! Guido

Keccak From: 1.The Keccak reference 2. Keccak and the SHA-3 Standardization written by ! Guido

Keccak From: 1.The Keccak reference 2. Keccak and the SHA-3 Standardization written by ! Guido Bertoni (STMicroelectronics) , ! Joan Daemen (STMicroelectronics) , ! Michal Peeters (NXP Semiconductors) , ! Gilles Van Assche

488 views • 26 slides
New Techniques for Searching Di ff erential Trails in Keccak Guozhen Liu, Weidong Qiu, Yi Tu

New Techniques for Searching Di ff erential Trails in Keccak Guozhen Liu, Weidong Qiu, Yi Tu

New Techniques for Searching Di ff erential Trails in Keccak Guozhen Liu, Weidong Qiu, Yi Tu Nanyang Technological University, Singapore Shanghai Jiao Tong University, China 3-Round Di ff erential Trail Core Search of Keccak Permutation 1 / 21

392 views • 21 slides
Cryptanalysis of Round-Reduced KECCAK using Non-Linear Structures Mahesh Sreekumar Rajasree

Cryptanalysis of Round-Reduced KECCAK using Non-Linear Structures Mahesh Sreekumar Rajasree

Cryptanalysis of Round-Reduced KECCAK using Non-Linear Structures Mahesh Sreekumar Rajasree Center for Cybersecurity, Indian Institute of Technology Kanpur INDOCRYPT 2019, Hyderabad Outline 2 Introduction Hash function Structure of KECCAK

752 views • 50 slides
Differential propagation analysis of Keccak Joan Daemen and Gilles Van Assche STMicroelectronics

Differential propagation analysis of Keccak Joan Daemen and Gilles Van Assche STMicroelectronics

Differential propagation analysis of Keccak Differential propagation analysis of Keccak Joan Daemen and Gilles Van Assche STMicroelectronics Fast Software Encryption, March 19-21, 2012 1 / 28 Differential propagation analysis of Keccak Outline

409 views • 36 slides
Algebraic Cryptanalysis of Round-Reduced Keccak with Linear Structures Meicheng Liu joint work

Algebraic Cryptanalysis of Round-Reduced Keccak with Linear Structures Meicheng Liu joint work

Algebraic Cryptanalysis of Round-Reduced Keccak with Linear Structures Meicheng Liu joint work with Jian Guo and Ling Song ASK 2016, September 2016 1/45 Outline Introduction SHA-3 hash function Specifications of Keccak Main Results

913 views • 65 slides
Keccak, More Than Just SHA3SUM Guido Bertoni 1 Joan Daemen 1 Michal Peeters 2 Gilles Van Assche

Keccak, More Than Just SHA3SUM Guido Bertoni 1 Joan Daemen 1 Michal Peeters 2 Gilles Van Assche

Keccak, More Than Just SHA3SUM Guido Bertoni 1 Joan Daemen 1 Michal Peeters 2 Gilles Van Assche 1 1 STMicroelectronics 2 NXP Semiconductors FOSDEM 2013, Brussels, February 2-3, 2013 1 / 36 Outline 1 How it all began 2 Introducing Keccak 3

466 views • 42 slides
Linear Structures: Applications to Cryptanalysis of Round-Reduced Keccak Meicheng Liu joint work

Linear Structures: Applications to Cryptanalysis of Round-Reduced Keccak Meicheng Liu joint work

Linear Structures: Applications to Cryptanalysis of Round-Reduced Keccak Meicheng Liu joint work with Jian Guo and Ling Song Asiacrypt 2016 1/28 Outline Introduction SHA-3 hash function Linear Structures Linear structures of Keccak-f

474 views • 43 slides
Outline Hash Functions 1 Iterated Hash Functions CPSC 418/MATH 318 Introduction to Cryptography

Outline Hash Functions 1 Iterated Hash Functions CPSC 418/MATH 318 Introduction to Cryptography

Outline Hash Functions 1 Iterated Hash Functions CPSC 418/MATH 318 Introduction to Cryptography SHA-1 SHA-3 (Keccak) Hash Functions, SHA-3, Message Authentication Codes 2 Sponge Construction Keccak Overview Renate Scheidler Keccak

888 views • 14 slides
Conditional Cube Attacks on Keccak - p Based Constructions Ling Song, Jian Guo, Danping Shi ASK

Conditional Cube Attacks on Keccak - p Based Constructions Ling Song, Jian Guo, Danping Shi ASK

Conditional Cube Attacks on Keccak - p Based Constructions Ling Song, Jian Guo, Danping Shi ASK 2017 @ Changsha, China L. Song, J. Guo, D. Shi Conditional Cube Attacks on Keccak - p Based Constructions ASK 2017 1 / 30 Outlines 1 Keccak 2

614 views • 45 slides
Cube-Attack-Like Cryptanalysis of Round-Reduced Keccak Using MILP Ling Song , Jian Guo FSE 2019 @

Cube-Attack-Like Cryptanalysis of Round-Reduced Keccak Using MILP Ling Song , Jian Guo FSE 2019 @

Cube-Attack-Like Cryptanalysis of Round-Reduced Keccak Using MILP Ling Song , Jian Guo FSE 2019 @ Paris, France Song, Guo Cube-Attack-Like Cryptanalysis of Round-Reduced Keccak Using MILP FSE 2019 1 / 27 Outlines 1 Keccak and its Relatives 2

927 views • 33 slides
Advanced hash function design: inside Keccak Guido Bertoni 1 Joan Daemen 1 Michal Peeters 2

Advanced hash function design: inside Keccak Guido Bertoni 1 Joan Daemen 1 Michal Peeters 2

Advanced hash function design: inside Keccak Advanced hash function design: inside Keccak Guido Bertoni 1 Joan Daemen 1 Michal Peeters 2 Gilles Van Assche 1 Ecrypt II summer school, Albena June 2, 2011 1 / 46 1 STMicroelectronics 2 NXP

774 views • 52 slides
Key Wrapping with the Keccak Permutation Dmitry Khovratovich University of Luxembourg 17 January

Key Wrapping with the Keccak Permutation Dmitry Khovratovich University of Luxembourg 17 January

Key Wrapping with the Keccak Permutation Dmitry Khovratovich University of Luxembourg 17 January 2013 Key Wrapping Key wrap problem Multi-user system (e.g., industrial VPN): Many keys in use; Need of regular update; New session key

578 views • 29 slides
Keccak and the SHA-3 Standardization Guido Bertoni 1 Joan Daemen 1 Michal Peeters 2 Gilles Van

Keccak and the SHA-3 Standardization Guido Bertoni 1 Joan Daemen 1 Michal Peeters 2 Gilles Van

Keccak and the SHA-3 Standardization Guido Bertoni 1 Joan Daemen 1 Michal Peeters 2 Gilles Van Assche 1 1 STMicroelectronics 2 NXP Semiconductors NIST , Gaithersburg, MD February 6, 2013 1 / 60 Outline 1 2 3 4 5 6 The beginning The sponge

908 views • 71 slides
New MILP Modeling: Improved Conditional Cube Attacks on Keccak-Based Constructions Ling Song,

New MILP Modeling: Improved Conditional Cube Attacks on Keccak-Based Constructions Ling Song,

New MILP Modeling: Improved Conditional Cube Attacks on Keccak-Based Constructions Ling Song, Jian Guo, Danping Shi, San Ling 4 Dec 2018 @ Brisbane, Australia Song et al. Improved Conditional Cube Attacks on Keccak-Based Constructions 1 / 25

930 views • 44 slides
New techniques for trail bounds and application to differential trails in Keccak Silvia Mella 1 ,

New techniques for trail bounds and application to differential trails in Keccak Silvia Mella 1 ,

New techniques for trail bounds and application to differential trails in Keccak Silvia Mella 1 , 2 Joan Daemen 1 , 3 Gilles Van Assche 1 1 STMicroelectronics 2 University of Milan 3 Radboud University Fast Software Encryption March 5-8, 2017

476 views • 44 slides
Differential Cryptanalysis of Keccak Variants olbl 1 , Florian Mendel 2 , Stefan K affer 2

Differential Cryptanalysis of Keccak Variants olbl 1 , Florian Mendel 2 , Stefan K affer 2

Differential Cryptanalysis of Keccak Variants olbl 1 , Florian Mendel 2 , Stefan K affer 2 Tomislav Nad and Martin Schl 1 DTU - Technical University of Denmark 2 IAIK - Graz University of Technology December 18, 2013 Cryptographic Hash

345 views • 22 slides
Overview of the Sponge, Duplex and Farfalle constructions Gilles Van Assche 1 1 STMicroelectronics

Overview of the Sponge, Duplex and Farfalle constructions Gilles Van Assche 1 1 STMicroelectronics

Overview of the Sponge, Duplex and Farfalle constructions Gilles Van Assche 1 1 STMicroelectronics Summer school on real-world crypto and privacy ibenik, Croatia, June 2019 Based on joint work with Elena Andreeva, Guido Bertoni, Joan Daemen,

907 views • 88 slides
1 Timothy 4:1-4 (ESV) Now the Spirit expressly says that in later times some will depart from the

1 Timothy 4:1-4 (ESV) Now the Spirit expressly says that in later times some will depart from the

1 Timothy 4:1-4 (ESV) Now the Spirit expressly says that in later times some will depart from the faith by devoting themselves to deceitful spirits and teachings of demons, 2 through the insincerity of liars whose consciences are seared, 3 who

331 views • 3 slides
The Spirit Jacques Ellul The Spirit In Galatians 5:16-26 And because you are children, 1.

The Spirit Jacques Ellul The Spirit In Galatians 5:16-26 And because you are children, 1.

2019-10-01 The glorious liberty of the children of God is not the happy fluttering of a butterfly from one attractive flower to another. It is joyous, but it is also radical, hard, and absolute Giving Galatians 5 : 22 - 26 us our burden,

465 views • 4 slides
Preserving the Spirit of the Epoch: Digital Conversion of Nordic Music Magazines Amalie rum

Preserving the Spirit of the Epoch: Digital Conversion of Nordic Music Magazines Amalie rum

Preserving the Spirit of the Epoch: Digital Conversion of Nordic Music Magazines Amalie rum Hansen Development Consultant Gentofte Centralbibliotek Sergey Borovoy CEO ATAPY Software Quick facts about Gentofte Central Library Gentofte

372 views • 20 slides
SpongeFiles Mitigating Data Skew in MapReduce Using Distributed Memory Khaled Elmeleegy

SpongeFiles Mitigating Data Skew in MapReduce Using Distributed Memory Khaled Elmeleegy

SpongeFiles Mitigating Data Skew in MapReduce Using Distributed Memory Khaled Elmeleegy Benjamin Reed Christopher Olston Turn Inc. Facebook Inc. Google Inc. kelmeleegy@turn.com br33d@fb.com olston@google.com 1 Background

434 views • 25 slides
Prt rt

Prt rt

Prt rt s rt rst trs st

626 views • 36 slides
SHA-3 vs the world David Wong Snefru MD4 Snefru MD4 Snefru MD4 MD5 MerkleDamgrd

SHA-3 vs the world David Wong Snefru MD4 Snefru MD4 Snefru MD4 MD5 MerkleDamgrd

SHA-3 vs the world David Wong Snefru MD4 Snefru MD4 Snefru MD4 MD5 MerkleDamgrd SHA-1 SHA-2 Snefru MD4 MD5 MerkleDamgrd SHA-1 SHA-2 Snefru MD4 MD5 MerkleDamgrd SHA-1 SHA-2 Snefru MD4 MD5 MerkleDamgrd

1.27k views • 86 slides
Sponge-based PRNGs A Provable Security Perspective Stefano Tessaro UCSB Base on joint work with

Sponge-based PRNGs A Provable Security Perspective Stefano Tessaro UCSB Base on joint work with

Sponge-based PRNGs A Provable Security Perspective Stefano Tessaro UCSB Base on joint work with Peter Gai (IST Austria) wr0ng Paris, April 30, 2017 The Sponge Construction [BDP V A08] M {0,1}* M 1 M 2 M L r-bit blocks: r 0 H (M)

820 views • 42 slides

More recommend