SLIDE 1
SHA-3 vs the world
David Wong
Snefru MD4
SHA-3 vs the world David Wong Snefru MD4 Snefru MD4 Snefru MD4 - - PowerPoint PPT Presentation
SHA-3 vs the world David Wong Snefru MD4 Snefru MD4 Snefru MD4 - - PowerPoint PPT Presentation
SHA-3 vs the world David Wong Snefru MD4 Snefru MD4 Snefru MD4 MD5 MerkleDamgrd SHA-1 SHA-2 Snefru MD4 MD5 MerkleDamgrd SHA-1 SHA-2 Snefru MD4 MD5 MerkleDamgrd SHA-1 SHA-2 Snefru MD4 MD5 MerkleDamgrd
SLIDE 2
SLIDE 3
Snefru MD4
SLIDE 4
Snefru MD4 MD5 SHA-1 SHA-2
Merkle–Damgård
SLIDE 5
Snefru MD4 MD5 SHA-1 SHA-2
Merkle–Damgård
SLIDE 6
Snefru MD5 SHA-1 SHA-2
Merkle–Damgård
MD4
SLIDE 7
SLIDE 8
Snefru MD5 SHA-1 SHA-2
Merkle–Damgård
MD4
SLIDE 9
SLIDE 10
SLIDE 11
Keccak
BLAKE, Grøstl, JH, Skein
SLIDE 12
Outline
1.SHA-3 2.derived functions 3.derived protocols
SLIDE 13
f
permutation-based cryptography
SLIDE 14
AES
AES is a permutation input
- utput
SLIDE 15
AES
AES is a permutation input
- utput
key
SLIDE 16
f
Sponge Construction
SLIDE 17
f
Sponge Construction
1 1 1 1
SLIDE 18
f
Sponge Construction r c
1 1 1 1
SLIDE 19
f
Sponge Construction
AES
key r c r c
1 1 1 1
SLIDE 20
f
message ⊕ Sponge Construction
1 1 1 1
SLIDE 21
f
message
⊕ ⊕
Sponge Construction
SLIDE 22
f
message
⊕ ⊕
f
Sponge Construction
SLIDE 23
f
message
⊕ ⊕
f
⊕
Sponge Construction
SLIDE 24
f
message
⊕ ⊕
f
⊕
f
Sponge Construction
SLIDE 25
f
message
⊕ ⊕
f
⊕
f
absorbing
Sponge Construction
SLIDE 26
absorbing
f
message
⊕ ⊕
f
⊕
f
- utput
Sponge Construction
SLIDE 27
absorbing
f
message
⊕ ⊕
f
⊕
f
- utput
f
Sponge Construction
SLIDE 28
absorbing
f
message
⊕ ⊕
f
⊕
f
- utput
f
Sponge Construction
SLIDE 29
absorbing
f
message
⊕ ⊕
f
⊕
f
- utput
f f
Sponge Construction
SLIDE 30
f
message
⊕ ⊕
f
⊕
f
- utput
f f
squeezing
Sponge Construction
absorbing
SLIDE 31
SLIDE 32
Keccak
Guido Bertoni, Joan Daemen, Michaël Peeters and Gilles Van Assche
SLIDE 33
SHA-3 competition 2012 2007
SLIDE 34
SLIDE 35
SHA-3 competition 2012 2007 SHA-3 standard (FIPS 202) 2015
SLIDE 36
SLIDE 37
SLIDE 38
Where is SHA-3 being used?
SLIDE 39
Outline
1.SHA-3 2.derived functions 3.derived protocols
SLIDE 40
SLIDE 41
SHAKE is a XOF
SLIDE 42
SLIDE 43
SHA-3 competition 2012 2007 SHA-3 standard (FIPS 202) 2015 SP 800-185 2016
SLIDE 44
KMAC TupleHash ParallelHash
SLIDE 45
KMAC TupleHash ParallelHash message || SHA-256(message)
SLIDE 46
KMAC TupleHash ParallelHash message || SHA-256(key||message)
SLIDE 47
KMAC TupleHash ParallelHash message || more || SHA-256(key||message||more)
SLIDE 48
KMAC TupleHash ParallelHash message || SHAKE(key || message)
SLIDE 49
KMAC TupleHash ParallelHash message || SHAKE(key || message) my RSA public key = (e, N)
SLIDE 50
KMAC TupleHash ParallelHash message || SHAKE(key || message) my RSA public key = (e, N) fingerprint = SHA-256(e || N)
SLIDE 51
KMAC TupleHash ParallelHash message || SHAKE(key || message) fingerprint1 = SHA-256(1010110000000010001…) e N
SLIDE 52
KMAC TupleHash ParallelHash message || SHAKE(key || message) fingerprint1 = SHA-256(1010110000000010001…) e N fingerprint2 = SHA-256(1010110000000010001…) e N
SLIDE 53
KMAC TupleHash ParallelHash message || SHAKE(key || message) SHAKE(len(e) || e || len(N) || N)
SLIDE 54
squeezing absorbing
f
message
⊕ ⊕
f
⊕
f
- utput
f f
Sponge Construction
SLIDE 55
squeezing absorbing
f
message
⊕ ⊕
f
⊕
f
- utput
f f
Sponge Construction
SLIDE 56
squeezing absorbing
f
message
⊕ ⊕
f
⊕
f
- utput
f f
Sponge Construction
SLIDE 57
squeezing absorbing
f
message
⊕ ⊕
f
⊕
f
- utput
f f
Sponge Construction
SLIDE 58
KMAC TupleHash ParallelHash message || SHAKE(key || message) SHAKE(len(e) || e || len(N) || N) SHAKE(SHAKE(b1) || SHAKE(b2) || SHAKE(b3) || …)
SLIDE 59
SHA-3 competition 2012 2007 SHA-3 / SHAKE 2015 TupleHash / ParallelHash / KMAC 2016
SLIDE 60
Keyak and Ketje
SLIDE 61
SHA-3 competition 2012 2007 SHA-3 / SHAKE 2015 TupleHash / ParallelHash / KMAC 2016 KangarooTwelve & MarsupilamiFourteen
SLIDE 62
SLIDE 63
SHA-3 competition 2012 2007 SHA-3 / SHAKE 2015 TupleHash / ParallelHash / KMAC 2016 KangarooTwelve & MarsupilamiFourteen
SLIDE 64
github.com/gvanas/KeccakCodePackage
SLIDE 65
Outline
1.SHA-3 2.derived functions 3.derived protocols
SLIDE 66
f
message
⊕ ⊕
f
⊕
f
- utput
f f
Sponge Construction
squeezing absorbing
SLIDE 67
f
input
⊕
init
- utput
duplexing
Duplex Construction
f
input
⊕
- utput
duplexing
f
input
- utput
duplexing
⊕
SLIDE 68
Keyed-mode
f
key
⊕
init duplexing
SLIDE 69
Keyed-mode
f
key
⊕
init duplexing
secret part leak
SLIDE 70
f
key
⊕
init duplexing
Encryption?
SLIDE 71
f
key
⊕
init duplexing
ciphertext1 plaintext1
⊕
Encryption
SLIDE 72
f
key
⊕
init duplexing
ciphertext1 plaintext1
⊕
f
⊕
tag1
duplexing
Authenticated Encryption
SLIDE 73
f
key
⊕
init duplexing
ciphertext1 plaintext1
⊕
f
⊕
tag1
duplexing
f
ciphertext2
duplexing
f
⊕
tag2
duplexing
plaintext2
⊕
Sessions
SLIDE 74
myProtocol = Strobe_init(“myWebsite.com”) myProtocol.KEY(sharedSecret) buffer += myProtocol.send_ENC(“GET /”) buffer += myProtocol.send_MAC(len=16) // send the buffer // receive a ciphertext message = myProtocol.recv_ENC(ciphertext[:-16])
- k = myProtocol.recv_MAC(ciphertext[-16:])
if !ok { // reset the connection } Strobe
SLIDE 75
SLIDE 76
myHash = Strobe_init(“hash”) myHash.AD(“something to be hashed”) hash = myHash.PRF(outputLen=16) Hash Function
SLIDE 77
KDF = Strobe_init(“deriving keys”) KDF.KEY(keyExchangeOutput) keys = KDF.PRF(outputLen=32) key1 = keys[:16] key2 = keys[16:] Key Derivation Function
SLIDE 78
data = 010100…
⊕
- peration = AD
⊕
SLIDE 79
data = 010100…
- peration = send_MAC
f
⊕ ⊕
- peration = AD
⊕
len = 16 tag
SLIDE 80
init
- peration = KEY
f
⊕
data = 010100…
SLIDE 81
init
- peration = KEY
f
⊕
data = 010100…
f
⊕
- peration = send_ENC
data = hello
⊕
ciphertext
SLIDE 82
init
- peration = KEY
f
⊕
data = 010100…
f f
⊕
- peration = send_ENC
data = hello
⊕
ciphertext
len = 16 tag
⊕
- peration = send_MAC
SLIDE 83
strobe.sourceforge.io
SLIDE 84
Outline
1.SHA-3 2.derived functions 3.derived protocols 4.Disco?
SLIDE 85
www.discocrypto.com
Noise + Strobe = Disco
SLIDE 86
I write about crypto at www.cryptologie.net I tweet my mind on twitter.com/lyon01_david
and I work here