Keccak and SHA-3: code and standard updates
Guido Bertoni (1), Joan Daemen (1), Michaël Peeters (2), Gilles Van Assche (1), Ronny Van Keer (1)
(1) STMicroelectronics, (2) NXP Semiconductors
FOSDEM 2015, Brussels, January 31st & February 1st, 2015
1 / 39
Outline
1 What is Keccak
2 NIST plans
3 The CAESAR competition
4 Keccak code package
1 What is Keccak
What is a hash function?

    #!/bin/ash
    notmagritte() {
        echo "this is a ash function!"
    }

This is not a hash function!

    h : {0,1}* → {0,1}^n      (Input → Output)

This is a hash function!
Cryptographic hash functions
h : {0,1}* → {0,1}^n, Input message → Digest
MD5: n = 128 (Ron Rivest, 1992)
SHA-1/2: n ∈ {160, 224, 256, 384, 512} (NSA, NIST, 1995-2001)
…and Keccak? It is a (cryptographic) sponge function!
Cryptographic sponge functions
[Figure: the sponge construction. Starting from an all-zero state, the variable-length input is absorbed r bits at a time, with the permutation f applied after each block; the variable-length output is then squeezed r bits at a time, again with f between blocks. The lower c bits of the state pass only through f.]
Keccak uses the permutation Keccak-f
Parameters:
  c bits of capacity (defines the security level)
  r bits of rate (defines the speed)
More flexible than regular hash functions: arbitrary input and output length
Keccak-f in pseudo-code

    Keccak-f[b](A) {
      forall i in 0…nr-1
        A = Round[b](A, RC[i])
      return A
    }

    Round[b](A, RC) {
      θ step
      C[x] = A[x,0] xor A[x,1] xor A[x,2] xor A[x,3] xor A[x,4],   forall x in 0…4
      D[x] = C[x-1] xor rot(C[x+1], 1),                             forall x in 0…4
      A[x,y] = A[x,y] xor D[x],                                     forall (x,y) in (0…4,0…4)
      ρ and π steps
      B[y,2*x+3*y] = rot(A[x,y], r[x,y]),                           forall (x,y) in (0…4,0…4)
      χ step
      A[x,y] = B[x,y] xor ((not B[x+1,y]) and B[x+2,y]),            forall (x,y) in (0…4,0…4)
      ι step
      A[0,0] = A[0,0] xor RC
      return A
    }

7 widths b (= r + c): 25, 50, 100, 200, 400, 800, and 1600 bits.
Sponge tuning: capacity ⇒ security level
[Figure, data from eBASH, hydra6, http://bench.cr.yp.to/ : Cost [cy/B] on the y-axis from 5 cy/B (Faster) to 20 cy/B (Slower); Capacity [bit] on the x-axis: 128, 160, 256, 448, 512, 768, 1024, 1600, with the corresponding Security level [bit]: 64, 80, 128, 224, 256, 384, 512. Security classes marked along the axis: Light-weight, Script-kiddie, Long-term, Overkill, Overkill / Insane. The Keccak [b=1600] curve (labelled 8 cy/B) is plotted against the reference points sha-256, sha-512, sha-1 and md5.]
Keccak tuning: number of rounds ⇒ safety margin
[Figure, data from eBASH, hydra6, http://bench.cr.yp.to/ : Cost [cy/B] on the y-axis from 5 cy/B (Faster) to 20 cy/B (Slower); Nr of rounds on the x-axis: 2, 4, 6, 8, 10, 12, 14, 16, 18, 20, 22, 24, with extra marks at 6 and 11. Zones from left to right: Practical attack, Twilight zone, No attack. Plotted: Keccak[c=256] at 8 cy/B, Keyak (single-pass authenticated encryption) at 4 cy/B, and the reference points sha-256, sha-512, sha-1 and md5.]
2 NIST plans
The SHA-3 contest [courtesy of C. De Cannière]
2000-2006: crisis for hash function standards
  MD5: practically broken
  SHA-1: theoretically broken
  SHA-2: serious doubts on foundations
November 2007: NIST announces SHA-3 contest
  goal: FIPS standard
  scope: stand-ins for all 4 SHA-2
  method: public competition like AES
  response: 64 submissions
Summer 2008: start with 51 proposals
October 2012: Keccak = SHA-3
[Figure: timeline 2005-2012 (mark at 16/06/2009) with the submissions: EDON-R, BMW, Sgàil, LANE, Grøstl, Keccak, ZK-Crypt, Maraca, NKS2D, MD6, Hamsi, MeshHash, Waterfall, StreamHash, ECOH, Twister, Abacus, EnRUPT, WaMM, Ponic, MCSSHA3, AURORA, Shabal, LUX, Skein, SHAMATA, CubeHash, CRUNCH, Cheetah, DynamicSHA2, Luffa, Spectral Hash, ECHO, DCH, Sarmal, SIMD, ESSENCE, FSB, SWIFFTX, NaSHA, ARIRANG, Lesamnta, Fugue, SHAvite-3, Blender, SANDstorm, BLAKE, HASH 2X, Tangle, Vortex, DynamicSHA, BOOLE, Khichidi-1, JH, CHI, TIB3]
The long road to the SHA-3 FIPS [photo by Piet Musterd (flickr.com)]
February 2013: NIST-Keccak-team meeting
  SHA-2 replacement by now less urgent …but Keccak is more than just hashing!
  NIST disseminates joint SHA-3 proposal
Summer 2013: Snowden revelations
  alleged NSA back door in DUAL EC DRBG
  SHA-3 proposal framed as “NIST weakening Keccak”
Early 2014: standard takes shape, addressing public concerns
Friday, April 4, 2014: draft FIPS 202 for public comments
August 2014: NIST announces plans at SHA-3 conference
Mid 2015 (expected): FIPS 202 official
FIPS 202: what is inside? [photo by Nicole Doherty (flickr.com)]
Content
  Keccak instances for 4 hash functions and 2 XOFs
  Keccak-f for all 7 block widths, even reduced-round versions (unlike the AES FIPS, which has only 1 of the 5 Rijndael widths)
  the sponge construction
Concept: a toolbox for building other functions
  tree hashing, MAC, encryption, …
  dedicated special publications (NIST SP 800-XX) under development
http://csrc.nist.gov/groups/ST/hash/sha-3/Aug2014/index.html
XOF: eXtendable Output Function
“XOF: a function in which the output can be extended to any length.” Good for full domain hash, stream ciphers and key derivation [Ray Perlner, SHA-3 workshop 2014]
Quite natural for a sponge:
  keeps state and delivers more output upon request
  bits of output do not depend on the number of bits requested
Allows simplification: instead of separate hash functions per output length, a single XOF can cover all use cases:
  H-256(M) = ⌊XOF(M)⌋_256
Domain separation [photo by Adam Fagen (flickr.com)]
Some protocols and applications need multiple hash functions or XOFs that should be independent
With a single XOF? Yes: using domain separation
  outputs of XOF(M || 0) and XOF(M || 1) are independent …unless the XOF has a cryptographic weakness
Generalization to 2^n functions with D an n-bit diversifier: XOF_D(M) = XOF(M || D)
Variable-length diversifiers: suffix-free set of strings
The XOFs and hash functions in FIPS 202
Four drop-in replacements identical to those in the Keccak submission
Two extendable output functions (XOF)
Tree-hashing ready: Sakura coding [Keccak team, ePrint 2013/231]

SHA-2 drop-in replacements (SHA3-224 to SHA3-512):
  SHA3-224(M) = ⌊Keccak[c=448](M || 01)⌋_224
  SHA3-256(M) = ⌊Keccak[c=512](M || 01)⌋_256
  SHA3-384(M) = ⌊Keccak[c=768](M || 01)⌋_384
  SHA3-512(M) = ⌊Keccak[c=1024](M || 01)⌋_512
XOFs (SHAKE128 and SHAKE256):
  SHAKE128(M) = Keccak[c=256](M || 11 || 11)
  SHAKE256(M) = Keccak[c=512](M || 11 || 11)
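Added example, written for this page and not the Keccak team's own code: the Keccak-f pseudo-code from the earlier slide, the sponge with the FIPS 202 pad10*1 padding, and the SHA3-n / SHAKE instances of the table above; the XOF prefix property and suffix-based domain separation of the previous two slides fall out of the same functions. Rotation offsets and the round-constant LFSR are the standard Keccak values; the names sponge, sha3, shake and matches_hashlib are this example's own.

```python
MASK = (1 << 64) - 1
ROT = [[0, 36, 3, 41, 18], [1, 44, 10, 45, 2], [62, 6, 43, 15, 61], [28, 55, 25, 21, 56], [27, 20, 39, 8, 14]]  # rho offsets r[x][y]
RC, r = [], 1   # iota constants from the 8-bit LFSR x^8+x^6+x^5+x^4+1: RC[i] bit (2^j-1) = rc(7i+j)
for _ in range(24):
    rc = 0
    for j in range(7):
        rc |= (r & 1) << ((1 << j) - 1)
        r = ((r << 1) ^ (0x71 if r & 0x80 else 0)) & 0xFF
    RC.append(rc)
def rot(v, n):   # rotation of a 64-bit lane
    return ((v << n) | (v >> (64 - n))) & MASK

def keccak_f1600(A):
    # Keccak-f[1600] on 25 lanes A[x + 5*y]; rho+pi is written as a gather, B[x,y] = rot(A[x',x], r[x',x]) with x' = x+3y
    for rc in RC:
        C = [A[x] ^ A[x + 5] ^ A[x + 10] ^ A[x + 15] ^ A[x + 20] for x in range(5)]   # theta
        D = [C[(x - 1) % 5] ^ rot(C[(x + 1) % 5], 1) for x in range(5)]
        A = [A[i] ^ D[i % 5] for i in range(25)]
        B = [rot(A[(x + 3 * y) % 5 + 5 * x], ROT[(x + 3 * y) % 5][x])                 # rho + pi
             for y in range(5) for x in range(5)]
        A = [B[x + 5 * y] ^ (~B[(x + 1) % 5 + 5 * y] & B[(x + 2) % 5 + 5 * y])        # chi
             for y in range(5) for x in range(5)]
        A[0] ^= rc                                                                     # iota
    return A

def sponge(rate_bytes, data, suffix, out_len):
    # absorb data||suffix with pad10*1 at the given rate, then squeeze out_len bytes
    A = [0] * 25
    msg = bytearray(data) + bytes([suffix])   # domain-separation bits plus the first pad bit
    msg += bytes(-len(msg) % rate_bytes)      # zeros of pad10*1, then its final 1 bit
    msg[-1] |= 0x80
    for off in range(0, len(msg), rate_bytes):                              # absorbing
        for i in range(rate_bytes // 8):
            A[i] ^= int.from_bytes(msg[off + 8 * i:off + 8 * i + 8], "little")
        A = keccak_f1600(A)
    out = b""                                                               # squeezing
    while len(out) < out_len:
        out += b"".join(A[i].to_bytes(8, "little") for i in range(rate_bytes // 8))
        A = keccak_f1600(A)
    return out[:out_len]

# FIPS 202 instances as in the table above: SHA3-n = floor(Keccak[c=2n](M||01))_n, SHAKE = Keccak[c](M||1111)
def sha3(n, data):
    return sponge((1600 - 2 * n) // 8, data, 0x06, n // 8)  # bits 01 + first pad bit -> byte 0x06
def shake(c, data, out_len):
    return sponge((1600 - c) // 8, data, 0x1F, out_len)     # bits 1111 + first pad bit -> byte 0x1F
def matches_hashlib(data=b"constructed sample input" * 10):   # cross-check against CPython's SHA-3
    import hashlib
    return (sha3(512, data) == hashlib.sha3_512(data).digest()
            and shake(512, data, 400) == hashlib.shake_256(data).digest(400))
```

shake(256, M, 16) is a prefix of shake(256, M, 64), which is the ⌊XOF(M)⌋ simplification of the XOF slide; appending different suffix bytes to M before hashing gives the independent outputs of the domain-separation slide.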
Tree hashing
Features:
  peer-to-peer applications: Gnutella, BitTorrent etc.
  hash recomputation when modifying a small part of a file
Performance (CPU: Haswell with AVX2 256-bit SIMD):
  function              instruction set         cycles/byte
  Keccak[c=256] × 1     x86_64                  7.70
  Keccak[c=256] × 2     AVX2 (128-bit only)     5.30
  Keccak[c=256] × 4     AVX2                    2.87