
SHA-3 and permutation-based cryptography



  1. SHA-3 and permutation-based cryptography
     - Joan Daemen (1)
     - Joint work with Guido Bertoni (1), Michaël Peeters (2) and Gilles Van Assche (1)
     - (1) STMicroelectronics, (2) NXP Semiconductors
     - Crypto summer school, Šibenik, Croatia, June 1-6, 2014

  2. Outline
     - 1 Prologue
     - 2 The sponge construction
     - 3 Keccak and SHA-3
     - 4 Sponge modes of use
     - 5 Block cipher vs permutation
     - 6 Variations on sponge

  3. Prologue

  4. Prologue: Cryptographic hash functions
     - Function $h$ from $\mathbb{Z}_2^*$ to $\mathbb{Z}_2^n$
     - Typical values for $n$: 128, 160, 256, 512
     - Pre-image resistance: it shall take $2^n$ effort to, given $y$, find $x$ such that $h(x) = y$
     - 2nd pre-image resistance: it shall take $2^n$ effort to, given $M$ and $h(M)$, find another $M'$ with $h(M') = h(M)$
     - Collision resistance: it shall take $2^{n/2}$ effort to find $x_1 \neq x_2$ such that $h(x_1) = h(x_2)$

  5. Prologue: Classical way to build hash functions
     - Mode of use of a compression function:
       - Fixed-input-length compression function
       - Merkle-Damgård iterating mode
     - Property-preserving paradigm
       - hash function inherits properties of compression function
       - …actually block cipher with feed-forward (Davies-Meyer)
     - Compression function built on arithmetic-rotation-XOR: ARX
     - Instances: MD5, SHA-1, SHA-2 (224, 256, 384, 512) …

  6. The sponge construction

  7. The sponge construction: Sponge origin: RadioGatún
     - Initiative to design hash/stream function (late 2005)
       - rumours about NIST call for hash functions
       - forming of Keccak Team
       - starting point: fixing Panama [Daemen, Clapp, FSE 1998]
     - RadioGatún [Keccak team, NIST 2nd hash workshop 2006]
       - more conservative than Panama
       - arbitrary output length
       - expressing security claim for arbitrary output length function
     - Sponge functions [Keccak team, Ecrypt hash, 2007]
       - random sponge instead of random oracle as security goal
       - sponge construction calling random permutation
       - … closest thing to a random oracle with a finite state …

  8. The sponge construction: The sponge construction
     - Generalizes hash function: extendable output function (XOF)
     - Calls a $b$-bit permutation $f$, with $b = r + c$
       - $r$ bits of rate
       - $c$ bits of capacity (security parameter)
     - Property-preservation no longer applies

  9. The sponge construction: Generic security: indistinguishability
     - Success probability of distinguishing between:
       - ideal function: a monolithic random oracle $\mathcal{RO}$
       - construction $\mathcal{S}[\mathcal{F}]$ calling a random permutation $\mathcal{F}$
     - Adversary $\mathcal{D}$ sends queries $(M, \ell)$ according to algorithm
     - Express $\Pr(\text{success} \mid \mathcal{D})$ as a function of total cost of queries $N$
     - Problem: in real world, $\mathcal{F}$ is available to adversary

  10. The sponge construction: Generic security: indifferentiability [Maurer et al. (2004)]
     - Applied to hash functions in [Coron et al. (2005)]
       - distinguishing mode-of-use from ideal function ($\mathcal{RO}$)
       - covers adversary with access to permutation $\mathcal{F}$ at left
       - additional interface, covered by a simulator at right
     - Methodology:
       - build $\mathcal{P}$ that makes left/right distinguishing difficult
       - prove bound for advantage given this simulator $\mathcal{P}$
       - $\mathcal{P}$ may query $\mathcal{RO}$ for acting $\mathcal{S}$-consistently: $\mathcal{P}[\mathcal{RO}]$

  11. The sponge construction: Generic security of the sponge construction
     - Concept of advantage: $\Pr(\text{success} \mid \mathcal{D}) = \frac{1}{2} + \frac{1}{2}\mathrm{Adv}(\mathcal{D})$
     - Theorem (Bound on the $\mathcal{RO}$-differentiating advantage of sponge): $A \leq \frac{N^2}{2^{c+1}}$
       - $A$: differentiating advantage of random sponge from random oracle
       - $N$: total data complexity
       - $c$: capacity
     - [Keccak team, Eurocrypt 2008]

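  12. The sponge construction: Implications of the bound
     - Let $\mathcal{D}$: $n$-bit output pre-image attack. Success probability:
       - for random oracle: $P_{\text{pre}}(\mathcal{D} \mid \mathcal{RO}) = q 2^{-n}$
       - for random sponge: $P_{\text{pre}}(\mathcal{D} \mid \mathcal{S}[\mathcal{F}]) = \ ?$
     - A distinguisher $\mathcal{D}$ with $A = P_{\text{pre}}(\mathcal{D} \mid \mathcal{S}[\mathcal{F}]) - P_{\text{pre}}(\mathcal{D} \mid \mathcal{RO})$
       - do pre-image attack
       - if success, conclude random sponge and $\mathcal{RO}$ otherwise
     - But we have a proven bound $A \leq \frac{N^2}{2^{c+1}}$, so $P_{\text{pre}}(\mathcal{D} \mid \mathcal{S}[\mathcal{F}]) \leq P_{\text{pre}}(\mathcal{D} \mid \mathcal{RO}) + \frac{N^2}{2^{c+1}}$
     - Can be generalized to any attack
     - Note that $A$ is independent of output length $n$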

  13. The sponge construction: Implications of the bound (cont’d)
     - Informally, random sponge is like random oracle for $N < 2^{c/2}$
     - Security strength for output length $n$:
       - collision-resistance: $\min(c/2, n/2)$
       - first pre-image resistance: $\min(c/2, n)$
       - second pre-image resistance: $\min(c/2, n)$
     - Proof assumes $f$ is a random permutation
       - provably secure against generic attacks
       - …but not against attacks that exploit specific properties of $f$
     - No security against multi-stage adversaries
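
The capacity limit above, shown on a toy sponge as an added example (not code from the presentation): a seeded shuffle stands in for the random permutation F, and the sizes r = 8 and c = 10 are assumptions chosen so it runs instantly. A birthday search on the c-bit inner state yields two messages whose outputs agree at every output length after roughly 2^(c/2) trials, which is why collision strength is min(c/2, n/2) and does not grow with n.

```python
import random

R_BITS, C_BITS = 8, 10                  # toy rate and capacity (assumed); b = r + c = 18
INNER_MASK = (1 << C_BITS) - 1

def make_permutation(seed):
    """Stand-in for the random permutation F: a seeded shuffle of all b-bit states."""
    table = list(range(1 << (R_BITS + C_BITS)))
    random.Random(seed).shuffle(table)
    return table

def absorb(f, blocks, state=0):
    """XOR each r-bit block into the outer part (top r bits), then apply f."""
    for block in blocks:
        state = f[state ^ (block << C_BITS)]
    return state

def sponge(f, msg, n_bytes):
    """Absorb msg plus the pad10*1 block (0x81 for r = 8), then squeeze n_bytes."""
    state = absorb(f, list(msg) + [0x81])
    out = bytearray()
    while len(out) < n_bytes:
        out.append(state >> C_BITS)     # one r-bit block of output per call to f
        state = f[state]
    return bytes(out)

def inner_collision(f, rng, max_tries=100_000):
    """Birthday search on the c-bit inner state; returns (msg1, msg2, tries)."""
    seen = {}                           # inner state -> (message, outer state)
    for tries in range(1, max_tries + 1):
        msg = bytes(rng.randrange(256) for _ in range(3))
        state = absorb(f, msg)
        inner, outer = state & INNER_MASK, state >> C_BITS
        if inner in seen and seen[inner][0] != msg:
            other, other_outer = seen[inner]
            # One extra block cancels each outer part, so both full states become equal.
            return msg + bytes([outer]), other + bytes([other_outer]), tries
        seen[inner] = (msg, outer)
    raise RuntimeError("no inner collision found")

def demo(seed=2014):
    f = make_permutation(seed)
    m1, m2, tries = inner_collision(f, random.Random(seed + 1))
    return m1, m2, tries, sponge(f, m1, 64), sponge(f, m2, 64)

if __name__ == "__main__":
    m1, m2, tries, d1, d2 = demo()
    print(m1.hex(), m2.hex(), tries, d1 == d2)
```
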

  14. The sponge construction: A design approach
     - Hermetic sponge strategy
       - Instantiate a sponge function
       - Claim a security level of $2^{c/2}$
     - Remaining task
       - Design permutation $f$ without exploitable properties

  15. The sponge construction: How to build a strong permutation
     - Like a block cipher
       - sequence of identical rounds
       - round consists of sequence of simple step mappings
       - many approaches exist, e.g., wide-trail
     - …but without need for
       - key schedule
       - efficient inverse
       - width $b$ that is power of two

  16. Keccak and SHA-3

  17. Keccak and SHA-3: Keccak[r, c]
     - Sponge function using the permutation Keccak-f
       - 7 permutations: $b \in \{25, 50, 100, 200, 400, 800, 1600\}$
       - … from toy over lightweight to high-speed …
     - SHA-3 instance: $r = 1088$ and $c = 512$
       - permutation width: 1600
       - security strength 256: post-quantum sufficient
     - Lightweight instance: $r = 40$ and $c = 160$
       - permutation width: 200
       - security strength 80: what SHA-1 should have offered
     - See [The Keccak reference] for more details


  20. Keccak and SHA-3: The 3-dimensional Keccak-f state
     - [Figure: the state, with axes x, y and z]
     - $5 \times 5$ lanes, each containing $2^\ell$ bits (1, 2, 4, 8, 16, 32 or 64)
     - $(5 \times 5)$-bit slices, $2^\ell$ of them

  21. Keccak and SHA-3: The step mappings of the Keccak-f round function
     - Keywords: wide-trail, lightweight, symmetry, bit-oriented, margin

  22. Keccak and SHA-3: Performance in software

     | C/b | Algo | Strength |
     |---|---|---|
     | 4.79 | keccakc256treed2 | 128 |
     | 4.98 | md5 | broken! 64 |
     | 5.89 | keccakc512treed2 | 256 |
     | 6.09 | sha1 | broken! 80 |
     | 8.25 | keccakc256 | 128 |
     | 10.02 | keccakc512 | 256 |
     | 13.73 | sha512 | 256 |
     | 21.66 | sha256 | 128 |

     - [eBASH, hydra6 (AMD Bulldozer), http://bench.cr.yp.to/ ]
     - KeccakTree: parallel tree hashing
     - Speedup thanks to SIMD instructions

  23. Keccak and SHA-3: SHA-3 requirements and Keccak final submission

     | Output length | Collision resistance | Pre-image resistance | Keccak instance | Rate | Relative perf. |
     |---|---|---|---|---|---|
     | n = 224 | 112 | 224 | Keccak[c = 448] | 1152 | ×1.125 |
     | n = 256 | 128 | 256 | Keccak[c = 512] | 1088 | ×1.063 |
     | n = 384 | 192 | 384 | Keccak[c = 768] | 832 | ÷1.231 |
     | n = 512 | 256 | 512 | Keccak[c = 1024] | 576 | ÷1.778 |
     | free | up to 288 | up to 288 | Keccak[c = 576] | 1024 | 1 |

     - Output-length oriented approach
     - These instances address the SHA-3 requirements, but:
       - security strength levels outside of [NIST SP 800-57] range
       - performance penalty for high-capacity instances!

  24. Keccak and SHA-3: What we proposed to NIST

     | SHA-3 instance | Output length | Security strength | Coll. res. | Pre. res. | Capacity | Relative perf. |
     |---|---|---|---|---|---|---|
     | SHA3-224 | n = 224 | s ≥ 112 | 112 | 128 | c = 256 | ×1.312 |
     | SHA3-256 | n = 256 | s ≥ 128 | 128 | 128 | c = 256 | ×1.312 |
     | SHA3-384 | n = 384 | s ≥ 192 | 192 | 256 | c = 512 | ×1.063 |
     | SHA3-512 | n = 512 | s ≥ 256 | 256 | 256 | c = 512 | ×1.063 |
     | SHAKE256 | free | | up to 128 | up to 128 | c = 256 | ×1.312 |
     | SHAKE512 | free | | up to 256 | up to 256 | c = 512 | ×1.063 |

     - Security strength oriented approach consistent with [NIST SP 800-57]
     - Underlying security strength levels reduced to 128 and 256
     - Strengths 384 and 512: not needed anymore
