on keccak and sha 3
play

On Keccak and SHA-3 Guido Bertoni 1 Joan Daemen 1 Michal Peeters 2 - PowerPoint PPT Presentation

Apr 28, 2023 •397 likes •1.12k views

On Keccak and SHA-3 Guido Bertoni 1 Joan Daemen 1 Michal Peeters 2 Gilles Van Assche 1 1 STMicroelectronics 2 NXP Semiconductors Icebreak 2013 Reykjavik, Iceland June 8, 2013 1 / 61 Outline 1 Origins 2 The sponge construction 3 Inside

  1. On Keccak and SHA-3 Guido Bertoni 1 Joan Daemen 1 Michaël Peeters 2 Gilles Van Assche 1 1 STMicroelectronics 2 NXP Semiconductors Icebreak 2013 Reykjavik, Iceland June 8, 2013 1 / 61

  2. Outline 1 Origins 2 The sponge construction 3 Inside Keccak 4 SHA-3 forecast 2 / 61

  3. Origins Outline 1 Origins 2 The sponge construction 3 Inside Keccak 4 SHA-3 forecast 3 / 61

  4. Origins Symmetric crypto around ’89 Stream ciphers: LFSR-based schemes no actual design many mathematical papers on linear complexity Block ciphers: DES design criteria not published DC [Biham-Shamir 1990] : “DES designers knew what they were doing” LC [Matsui 1992] : “well, kind of” Popular paradigms, back then (but even now) property-preservation: strong cipher requires strong S-boxes confusion (nonlinearity): distance to linear functions diffusion: (strict) avalanche criterion you have to trade them off 4 / 61

  5. Origins The banality of DES Data encryption standard: datapath 5 / 61

  6. Origins The banality of DES Data encryption standard: F-function 6 / 61

  7. Origins Cellular automata based crypto A different angle: cellular automata Simple local evolution rule, complex global behaviour Popular 3-bit neighborhood rule: 7 / 61 a i ⇐ a i − 1 ⊕ ( a i OR a i + 1 )

  8. Origins Cellular automata based crypto Crypto based on cellular automata CA guru Stephen Wolfram at Crypto ’85: looking for applications of CA concrete stream cipher proposal Crypto guru Ivan Damgård at Crypto ’89 hash function from compression function proof of collision-resistance preservation compression function with CA Both broken stream cipher in [Meier-Staffelbach, Eurocrypt ’91] hash function in [Daemen et al., Asiacrypt ’91] 8 / 61

  9. Origins Cellular automata based crypto The trouble with Damgård’s compression function 9 / 61

  10. Origins Cellular automata based crypto Salvaging CA-based crypto First experiments: investigate cycle distributions The following rule exhibited remarkable cycle lengths: Invertible if periodic boundary conditions and odd length nonlinear , but unfortunately, weak diffusion 10 / 61 γ : flip the bit iff 2 cells at the right are not 01 a i ⇐ a i + 1 + ( a i + 1 + 1 ) a i + 2

  11. Origins Cellular automata based crypto Salvaging CA-based crypto, second attempt Found invertible 5-bit neighborhood rules with good diffusion 11 / 61 Turned out to be composition of γ and following rule θ : a i ⇐ a i + a i + 1 + a i + 2 Idea: alternate γ (nonlinearity) and variant of θ (mixing) Polynomial representation of θ variant: 1 + x 3 + x 6 mod ( 1 + x n )

  12. Origins Cellular automata based crypto Salvaging CA-based crypto, third attempt Abandon locality by adding in bit transpositions: full diffusion after few rounds! 12 / 61 π : move bit in cell i to cell 9 i modulo the length Round function: R = π ◦ θ ◦ γ

  13. Origins Subterranean (1992), StepRightUp (1994) and Panama (1997): wide trail strategy correlation matrices branch number Theoretical basis: DC and LC 3-Way and BaseKing (1993-94): block ciphers hash/stream cipher modules Cellhash (1991): hash function Cellular automata based crypto Designs directly using this [PhD Thesis Daemen, 1995] Round function composed of specialized steps Resulting designs 13 / 61 γ : non-linearity θ : mixing π : transposition ι : addition of some constants for breaking symmetry

  14. The sponge construction Outline 1 Origins 2 The sponge construction 3 Inside Keccak 4 SHA-3 forecast 14 / 61

  15. The sponge construction Our beginning: RadioGatún Initiative to design hash/stream function (late 2005) rumours about NIST call for hash functions forming of Keccak Team starting point: fixing Panama [Daemen, Clapp, FSE 1998] RadioGatún [Keccak team, NIST 2nd hash workshop 2006] more conservative than Panama arbitrary output length primitive expressing security claim for arbitrary output length primitive Sponge functions [Keccak team, Ecrypt hash, 2007] … closest thing to a random oracle with a finite state … Random sponge 15 / 61

  16. The sponge construction Intermezzo: block-cipher based compression function Block cipher in Davies-Meyer mode 16 / 61

  17. The sponge construction Is a block cipher appropriate? No diffusion from data path to key (and tweak) schedule Let’s remove these artificial barriers… That’s an iterative permutation! 17 / 61

  18. The sponge construction Is a block cipher appropriate? No diffusion from data path to key (and tweak) schedule Let’s remove these artificial barriers… That’s an iterative permutation! 17 / 61

  19. The sponge construction Is a block cipher appropriate? No diffusion from data path to key (and tweak) schedule Let’s remove these artificial barriers… That’s an iterative permutation! 17 / 61

  20. The sponge construction The sponge construction More general than a hash function: arbitrary-length output r bits of rate c bits of capacity (security parameter) 18 / 61 Calls a b -bit permutation f , with b = r + c

  21. The sponge construction Generic security of the sponge construction Theorem (Indifferentiability of the sponge construction) A: differentiating advantage of random sponge from a random oracle N: total data complexity in r-bit blocks c: capacity [Keccak team, Eurocrypt 2008] Assumes f is a random permutation provably secure against generic attacks …but not against attacks that exploit specific properties of f 19 / 61 A ≤ N 2 2 c + 1 Informally, a random sponge is like a random oracle when N < 2 c / 2 . Collision-, preimage-resistance, etc., up to security strength c / 2

  22. The sponge construction Regular hashing Electronic signatures Data integrity ( shaXsum … ) Data identifier ( Git, online anti-virus, peer-2-peer … ) See [Cryptographic sponge functions] for more details 20 / 61

  23. The sponge construction Salted hashing Randomized hashing (RSASSA-PSS) Password storage and verification ( Kerberos , /etc/shadow) 21 / 61

  24. The sponge construction Mask generation function output length often dictated by application … … rather than by security strength level Key derivation function in SSL, TLS Full-domain hashing in public key cryptography electronic signatures RSASSA-PSS [PKCS#1] encryption RSAES-OAEP [PKCS#1] key encapsulation methods (KEM) 22 / 61

  25. The sponge construction Message authentication codes HMAC is no longer needed for sponge! Required for SHA-1, SHA-2 due to length extension property Simpler than HMAC [FIPS 198] As a message authentication code 23 / 61 Key Padded message MAC 0 f f f … f f

  26. The sponge construction Stream encryption As a stream cipher Long output stream per IV: similar to OFB mode Short output stream per IV: similar to counter mode 24 / 61 Key IV 0 f f f Key stream

  27. The sponge construction Single pass authenticated encryption Secure messaging ( SSL/TLS, SSH, IPSEC … ) Authentication and encryption in a single pass! 25 / 61 Key IV Padded message MAC 0 f f f … f f Key stream

  28. The sponge construction The duplex construction Generic security equivalent to Sponge [Keccak team, SAC 2011] Applications include: Authenticated encryption: spongeWrap Reseedable pseudorandom sequence generator 26 / 61

  29. The sponge construction A new branch of symmetric crypto Primitive: (iterative) permutation Modes can be made for quasi all functions Simpler than block ciphers: no key input Permutation-based cryptography! 27 / 61 More flexible: r − c trade-off

  30. Inside Keccak Outline 1 Origins 2 The sponge construction 3 Inside Keccak 4 SHA-3 forecast 28 / 61

  31. Inside Keccak Design approach Hermetic sponge strategy Instantiate a sponge function Our mission Design permutation f without exploitable properties 29 / 61 Claim a security level of 2 c / 2

  32. Inside Keccak Criteria for a strong permutation Classical LC/DC criteria absence of large differential propagation probabilities absence of large input-output correlations …differential and linear trails and clustering Infeasibility of the CICO problem Resistance against Slide and symmetry-exploiting attacks Algebraic attacks … Keeping efficiency in mind 30 / 61

  33. Inside Keccak The CICO problem Given partial input and output, determine remaining parts Important in many attacks Pre-image generation in hashing 31 / 61

  34. Inside Keccak The CICO problem Given partial input and output, determine remaining parts Important in many attacks State recovery in stream encryption 32 / 61

  35. Inside Keccak How to build a strong permutation Like a block cipher Sequence of identical rounds Round consists of sequence of simple step mappings …but not quite No key schedule Round constants instead of round keys Inverse permutation need not be efficient 33 / 61

  36. Inside Keccak Keccak Instantiation of a sponge function Using the permutation Keccak - f … from toy over lightweight to high-speed … permutation width: 1600 security strength 256: post-quantum sufficient permutation width: 200 security strength 80: same as (initially expected from) SHA-1 See [The Keccak reference] for more details 34 / 61 7 permutations: b ∈ { 25 , 50 , 100 , 200 , 400 , 800 , 1600 } SHA-3 instance: r = 1088 and c = 512 Lightweight instance: r = 40 and c = 160

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Keccak From: 1.The Keccak reference 2. Keccak and the SHA-3 Standardization written by ! Guido

Keccak From: 1.The Keccak reference 2. Keccak and the SHA-3 Standardization written by ! Guido

Keccak From: 1.The Keccak reference 2. Keccak and the SHA-3 Standardization written by ! Guido Bertoni (STMicroelectronics) , ! Joan Daemen (STMicroelectronics) , ! Michal Peeters (NXP Semiconductors) , ! Gilles Van Assche

488 views • 26 slides
New Techniques for Searching Di ff erential Trails in Keccak Guozhen Liu, Weidong Qiu, Yi Tu

New Techniques for Searching Di ff erential Trails in Keccak Guozhen Liu, Weidong Qiu, Yi Tu

New Techniques for Searching Di ff erential Trails in Keccak Guozhen Liu, Weidong Qiu, Yi Tu Nanyang Technological University, Singapore Shanghai Jiao Tong University, China 3-Round Di ff erential Trail Core Search of Keccak Permutation 1 / 21

392 views • 21 slides
Cryptanalysis of Round-Reduced KECCAK using Non-Linear Structures Mahesh Sreekumar Rajasree

Cryptanalysis of Round-Reduced KECCAK using Non-Linear Structures Mahesh Sreekumar Rajasree

Cryptanalysis of Round-Reduced KECCAK using Non-Linear Structures Mahesh Sreekumar Rajasree Center for Cybersecurity, Indian Institute of Technology Kanpur INDOCRYPT 2019, Hyderabad Outline 2 Introduction Hash function Structure of KECCAK

752 views • 50 slides
Differential propagation analysis of Keccak Joan Daemen and Gilles Van Assche STMicroelectronics

Differential propagation analysis of Keccak Joan Daemen and Gilles Van Assche STMicroelectronics

Differential propagation analysis of Keccak Differential propagation analysis of Keccak Joan Daemen and Gilles Van Assche STMicroelectronics Fast Software Encryption, March 19-21, 2012 1 / 28 Differential propagation analysis of Keccak Outline

409 views • 36 slides
Algebraic Cryptanalysis of Round-Reduced Keccak with Linear Structures Meicheng Liu joint work

Algebraic Cryptanalysis of Round-Reduced Keccak with Linear Structures Meicheng Liu joint work

Algebraic Cryptanalysis of Round-Reduced Keccak with Linear Structures Meicheng Liu joint work with Jian Guo and Ling Song ASK 2016, September 2016 1/45 Outline Introduction SHA-3 hash function Specifications of Keccak Main Results

913 views • 65 slides
Keccak, More Than Just SHA3SUM Guido Bertoni 1 Joan Daemen 1 Michal Peeters 2 Gilles Van Assche

Keccak, More Than Just SHA3SUM Guido Bertoni 1 Joan Daemen 1 Michal Peeters 2 Gilles Van Assche

Keccak, More Than Just SHA3SUM Guido Bertoni 1 Joan Daemen 1 Michal Peeters 2 Gilles Van Assche 1 1 STMicroelectronics 2 NXP Semiconductors FOSDEM 2013, Brussels, February 2-3, 2013 1 / 36 Outline 1 How it all began 2 Introducing Keccak 3

466 views • 42 slides
Linear Structures: Applications to Cryptanalysis of Round-Reduced Keccak Meicheng Liu joint work

Linear Structures: Applications to Cryptanalysis of Round-Reduced Keccak Meicheng Liu joint work

Linear Structures: Applications to Cryptanalysis of Round-Reduced Keccak Meicheng Liu joint work with Jian Guo and Ling Song Asiacrypt 2016 1/28 Outline Introduction SHA-3 hash function Linear Structures Linear structures of Keccak-f

474 views • 43 slides
Outline Hash Functions 1 Iterated Hash Functions CPSC 418/MATH 318 Introduction to Cryptography

Outline Hash Functions 1 Iterated Hash Functions CPSC 418/MATH 318 Introduction to Cryptography

Outline Hash Functions 1 Iterated Hash Functions CPSC 418/MATH 318 Introduction to Cryptography SHA-1 SHA-3 (Keccak) Hash Functions, SHA-3, Message Authentication Codes 2 Sponge Construction Keccak Overview Renate Scheidler Keccak

888 views • 14 slides
Conditional Cube Attacks on Keccak - p Based Constructions Ling Song, Jian Guo, Danping Shi ASK

Conditional Cube Attacks on Keccak - p Based Constructions Ling Song, Jian Guo, Danping Shi ASK

Conditional Cube Attacks on Keccak - p Based Constructions Ling Song, Jian Guo, Danping Shi ASK 2017 @ Changsha, China L. Song, J. Guo, D. Shi Conditional Cube Attacks on Keccak - p Based Constructions ASK 2017 1 / 30 Outlines 1 Keccak 2

614 views • 45 slides
Cube-Attack-Like Cryptanalysis of Round-Reduced Keccak Using MILP Ling Song , Jian Guo FSE 2019 @

Cube-Attack-Like Cryptanalysis of Round-Reduced Keccak Using MILP Ling Song , Jian Guo FSE 2019 @

Cube-Attack-Like Cryptanalysis of Round-Reduced Keccak Using MILP Ling Song , Jian Guo FSE 2019 @ Paris, France Song, Guo Cube-Attack-Like Cryptanalysis of Round-Reduced Keccak Using MILP FSE 2019 1 / 27 Outlines 1 Keccak and its Relatives 2

927 views • 33 slides
Advanced hash function design: inside Keccak Guido Bertoni 1 Joan Daemen 1 Michal Peeters 2

Advanced hash function design: inside Keccak Guido Bertoni 1 Joan Daemen 1 Michal Peeters 2

Advanced hash function design: inside Keccak Advanced hash function design: inside Keccak Guido Bertoni 1 Joan Daemen 1 Michal Peeters 2 Gilles Van Assche 1 Ecrypt II summer school, Albena June 2, 2011 1 / 46 1 STMicroelectronics 2 NXP

774 views • 52 slides
Key Wrapping with the Keccak Permutation Dmitry Khovratovich University of Luxembourg 17 January

Key Wrapping with the Keccak Permutation Dmitry Khovratovich University of Luxembourg 17 January

Key Wrapping with the Keccak Permutation Dmitry Khovratovich University of Luxembourg 17 January 2013 Key Wrapping Key wrap problem Multi-user system (e.g., industrial VPN): Many keys in use; Need of regular update; New session key

578 views • 29 slides
Keccak and the SHA-3 Standardization Guido Bertoni 1 Joan Daemen 1 Michal Peeters 2 Gilles Van

Keccak and the SHA-3 Standardization Guido Bertoni 1 Joan Daemen 1 Michal Peeters 2 Gilles Van

Keccak and the SHA-3 Standardization Guido Bertoni 1 Joan Daemen 1 Michal Peeters 2 Gilles Van Assche 1 1 STMicroelectronics 2 NXP Semiconductors NIST , Gaithersburg, MD February 6, 2013 1 / 60 Outline 1 2 3 4 5 6 The beginning The sponge

908 views • 71 slides
New MILP Modeling: Improved Conditional Cube Attacks on Keccak-Based Constructions Ling Song,

New MILP Modeling: Improved Conditional Cube Attacks on Keccak-Based Constructions Ling Song,

New MILP Modeling: Improved Conditional Cube Attacks on Keccak-Based Constructions Ling Song, Jian Guo, Danping Shi, San Ling 4 Dec 2018 @ Brisbane, Australia Song et al. Improved Conditional Cube Attacks on Keccak-Based Constructions 1 / 25

930 views • 44 slides
New techniques for trail bounds and application to differential trails in Keccak Silvia Mella 1 ,

New techniques for trail bounds and application to differential trails in Keccak Silvia Mella 1 ,

New techniques for trail bounds and application to differential trails in Keccak Silvia Mella 1 , 2 Joan Daemen 1 , 3 Gilles Van Assche 1 1 STMicroelectronics 2 University of Milan 3 Radboud University Fast Software Encryption March 5-8, 2017

476 views • 44 slides
Differential Cryptanalysis of Keccak Variants olbl 1 , Florian Mendel 2 , Stefan K affer 2

Differential Cryptanalysis of Keccak Variants olbl 1 , Florian Mendel 2 , Stefan K affer 2

Differential Cryptanalysis of Keccak Variants olbl 1 , Florian Mendel 2 , Stefan K affer 2 Tomislav Nad and Martin Schl 1 DTU - Technical University of Denmark 2 IAIK - Graz University of Technology December 18, 2013 Cryptographic Hash

345 views • 22 slides
Computational Survivalism Compiler(s) for the End of Moores Law: a case study Pierre-

Computational Survivalism Compiler(s) for the End of Moores Law: a case study Pierre-

Computational Survivalism Compiler(s) for the End of Moores Law: a case study Pierre- Evariste Dagand Joint work with Darius Mercadier Based on an original idea from Xavier Leroy LIP6 CNRS Inria Sorbonne Universit e 1 / 31

775 views • 76 slides
Lightweight Circuits with Shift and Swap Subhadeep Banik Asian Symmetric Key Workshop, ISI

Lightweight Circuits with Shift and Swap Subhadeep Banik Asian Symmetric Key Workshop, ISI

Lightweight Circuits with Shift and Swap Subhadeep Banik Asian Symmetric Key Workshop, ISI Kolkata November 18, 2018 Introduction Types of Circuits: Brief background. Block cipher circuits: Round based vs Serial. Eg: Working example

489 views • 44 slides
Yasser F. O. Mohammad 2010.2.23 REMINDER 1: Active Attacks Masquerade Modification Replay DoS

Yasser F. O. Mohammad 2010.2.23 REMINDER 1: Active Attacks Masquerade Modification Replay DoS

Yasser F. O. Mohammad 2010.2.23 REMINDER 1: Active Attacks Masquerade Modification Replay DoS REMINDER 2: Security Services in X.800 Authentication 1. Pear entity authentication Data origin authentication Access Control 2.

618 views • 13 slides
Strings l Chapter 3s problem context is cryptography, but mostly it is about strings and

Strings l Chapter 3s problem context is cryptography, but mostly it is about strings and

Starting chapter 3 Strings l Chapter 3s problem context is cryptography, but mostly it is about strings and related ideas l Strings are basically sequences of characters l A string literal is enclosed in quotes ( '' or in Python):

292 views • 12 slides
Trapdoors for Lattices: Simpler, Tighter, Faster, Smaller Daniele Micciancio 1 Chris Peikert 2 1

Trapdoors for Lattices: Simpler, Tighter, Faster, Smaller Daniele Micciancio 1 Chris Peikert 2 1

Trapdoors for Lattices: Simpler, Tighter, Faster, Smaller Daniele Micciancio 1 Chris Peikert 2 1 UC San Diego 2 Georgia Tech IBM Research 8 September 2011 1 / 17 Lattice-Based Cryptography p d o m x g = y N = = p m e mod N

1.2k views • 82 slides
Mod-NTRU trapdoors and applications Alexandre Wallet Lattices: From Theory to Practice Simons

Mod-NTRU trapdoors and applications Alexandre Wallet Lattices: From Theory to Practice Simons

Mod-NTRU trapdoors and applications Alexandre Wallet Lattices: From Theory to Practice Simons Institute, 29/04/2020 Based on a joint work with Chitchanok Chuengsatiansup, Thomas Prest, Damien Stehl and Keita Xagawa, ePrint 2019/1456 1/17 A.

540 views • 28 slides
Trapdoor functions from the Computational Diffie-Hellman Assumption Sanjam Garg 1 Mohammad

Trapdoor functions from the Computational Diffie-Hellman Assumption Sanjam Garg 1 Mohammad

Trapdoor functions from the Computational Diffie-Hellman Assumption Sanjam Garg 1 Mohammad Hajiabadi 1 , 2 1 University of California, Berkeley 2 University of Virginia August 22, 2018 1 / 18 Classical Public-Key Crypto 2 / 18 Classical

696 views • 55 slides
Trapdoor Lattices with Arbitrary Modulus Nicholas Genise Daniele Micciancio (UCSD) 1 Overview

Trapdoor Lattices with Arbitrary Modulus Nicholas Genise Daniele Micciancio (UCSD) 1 Overview

Faster Gaussian Sampling for Trapdoor Lattices with Arbitrary Modulus Nicholas Genise Daniele Micciancio (UCSD) 1 Overview of the Talk Part 1: Background Part 2: Our solution for arbitrary modulus G-lattice sampling Part 3: Our

210 views • 20 slides

More recommend