Keccak, More Than Just SHA3SUM
Guido Bertoni (1), Joan Daemen (1), Michaël Peeters (2), Gilles Van Assche (1)
(1) STMicroelectronics, (2) NXP Semiconductors
FOSDEM 2013, Brussels, February 2-3, 2013

Outline
1. How it all began
2. Introducing Keccak
3. More than just SHA3SUM
4. Inside Keccak
5. Keccak and the community

How it all began: Let’s talk about hash functions...
These are “hashes” of some sort, but they ain’t hash functions ...

How it all began: Cryptographic hash functions
$h : \{0,1\}^* \to \{0,1\}^n$ (input message → digest)
- MD5: n = 128 (Ron Rivest, 1992)
- SHA-1: n = 160 (NSA, NIST, 1995)
- SHA-2: $n \in \{224, 256, 384, 512\}$ (NSA, NIST, 2001)

How it all began: Why should you care?
You probably use them several times a day: website authentication, digital signature, home banking, secure internet connections, software integrity, version control software, …

How it all began: Breaking news in crypto
- 2004: SHA-0 broken (Joux et al.)
- 2004: MD5 broken (Wang et al.)
- 2005: practical attack on MD5 (Lenstra et al., and Klima)
- 2005: SHA-1 theoretically broken (Wang et al.)
- 2006: SHA-1 broken further (De Cannière and Rechberger)
- 2007: NIST calls for SHA-3
Who answered NIST’s call?

How it all began: Keccak Team to the rescue!

How it all began: The battlefield [courtesy of Christophe De Cannière]
[Figure: the SHA-3 candidates plotted on a timeline running from 2005 to 2012; date shown on the figure: 16/06/2009.]
Candidates shown: EDON-R, BMW, Sgàil, LANE, Grøstl, Keccak, ZK-Crypt, NKS2D, Maraca, Hamsi, MD6, MeshHash, Waterfall, StreamHash, ECOH, Twister, EnRUPT, Abacus, MCSSHA3, WaMM, Ponic, AURORA, Shabal, LUX, Skein, SHAMATA, CubeHash, CRUNCH, Luffa, Cheetah, DynamicSHA2, Spectral Hash, ECHO, DCH, Sarmal, SIMD, ESSENCE, SWIFFTX, FSB, ARIRANG, NaSHA, Lesamnta, Fugue, SHAvite-3, SANDstorm, BLAKE, Blender, HASH 2X, Vortex, DynamicSHA, Tangle, BOOLE, Khichidi-1, JH, CHI, TIB3

How it all began: SHA-3 time schedule
- 2007: SHA-3 initial call
- 2008: submission deadline
- 2009: first SHA-3 conference
- 2010: second SHA-3 conference
- 2010: finalists are Blake, Grøstl, JH, Keccak and Skein
- 2012: final SHA-3 conference
- Oct. 2, 2012: Keccak wins!
Participants: 64 → 51 → 14 → 5 → 1

Introducing Keccak: The sponge construction
Keccak, a sponge function
- More flexible than regular hash functions: arbitrary input and output length
- Parameters:
  - r bits of rate (defines the speed)
  - c bits of capacity (defines the security level)
- Use the permutation Keccak-f
[Figure: the sponge construction. Variable-length input, variable-length output; the state starts at 0 and f is applied repeatedly, first in the absorbing phase, then in the squeezing phase.]

Introducing Keccak: The seven permutation army
- 7 permutations: 25, 50, 100, 200, 400, 800, 1600 bits (toy, lightweight, fastest)
- Repetition of a simple round function
- Like a block cipher but without a key
- Operates on a 3D state: (5 × 5) lanes, up to 64-bit each

Introducing Keccak: The seven permutation army
First, choose your permutation …
…then choose the rate and capacity, e.g. width = 1600, such that rate + capacity = 1600.
State: (5 × 5) lanes, up to 64-bit each.

Security-speed trade-offs using the same permutation:

    Rate    Capacity    Strength    Speed
    1024    576         288         1.000
    1088    512         256         × 1.063
    1216    384         192         × 1.188
    1344    256         128         × 1.312

More than just SHA3SUM: One primitive to rule them all
- Full range of cryptographic functions:
  - hashing (regular, salted)
  - key derivation
  - message authentication
  - encryption
  - authenticated encryption
- …in a simple way:
  - easy to understand security claim
  - simple & straightforward usage
- …and increasing diversity of standard portfolio:
  - very different from SHA-1 and SHA-2
  - very different from AES and block cipher modes

More than just SHA3SUM: One primitive to rule them all
Use Keccak for regular hashing
- Electronic signatures, message integrity (GPG, X.509 …)
- Data integrity (shaxsum …)
- Data identifier (Git, Mercurial, online anti-virus, peer-2-peer …)

More than just SHA3SUM: One primitive to rule them all
Use Keccak for salted hashing
- Goal: defeat rainbow tables
- Web cookie
- Password storage and verification (Kerberos, /etc/shadow …)
- …Can be as slow as you like it!

More than just SHA3SUM: One primitive to rule them all
Use Keccak as a mask generation function
- Key derivation function in SSL, TLS
- Full-domain hashing in public key cryptography:
  - electronic signatures: RSA PSS [PKCS#1]
  - encryption: RSA OAEP [PKCS#1]
  - key establishment: RSA KEM [IEEE Std 1363a]

More than just SHA3SUM: One primitive to rule them all
Use Keccak for MACing
- As a message authentication code
- Simpler than HMAC [FIPS 198]
  - HMAC: special construction for MACing with SHA-1 and SHA-2
  - Required to plug a security hole in SHA-1 and SHA-2
  - No longer needed for Keccak which is sound
[Figure: the key and the padded message are absorbed into a state starting at 0, with f applied between blocks; the MAC is squeezed out.]

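More than just SHA3SUM: One primitive to rule them all
Use Keccak for (stream) encryption
- As a stream cipher
[Figure: the key and the IV are absorbed into a state starting at 0; the key stream is squeezed out through repeated applications of f.]
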
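The MAC and key-stream modes from the two slides above, as an added Python example that is not from the talk. It uses hashlib's SHAKE256 (the later FIPS 202 instance of the sponge) as a stand-in for a Keccak instance, and it composes the two modes in two passes, unlike the single-pass duplex mode; the one-byte labels, the fixed key and IV lengths and all function names are assumptions of this example.

```python
import hashlib
import hmac

# Fixed lengths (assumption) keep key || label || data unambiguous to parse.
KEY_LEN, IV_LEN = 32, 16

def _keyed_sponge(key, label, data, out_len):
    """One sponge call over key || label || data.

    The label (hypothetical, one byte) separates the MAC from the key stream,
    so a tag can never equal key-stream bytes under the same key.
    """
    if len(key) != KEY_LEN:
        raise ValueError("key must be KEY_LEN bytes")
    return hashlib.shake_256(key + label + data).digest(out_len)

def mac(key, message):
    """Keyed-sponge MAC: a single pass, no inner/outer hashing as in HMAC."""
    return _keyed_sponge(key, b"M", message, 32)

def keystream(key, iv, n):
    """Absorb key and IV, then squeeze n bytes of key stream."""
    if len(iv) != IV_LEN:
        raise ValueError("IV must be IV_LEN bytes")
    return _keyed_sponge(key, b"S", iv, n)

def encrypt(key, iv, plaintext):
    """Stream-encrypt, then MAC iv || ciphertext. An IV must never repeat under one key."""
    ks = keystream(key, iv, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    return ct, mac(key, iv + ct)

def decrypt(key, iv, ct, tag):
    """Verify the tag in constant time before releasing any plaintext."""
    if not hmac.compare_digest(tag, mac(key, iv + ct)):
        raise ValueError("authentication failed")
    ks = keystream(key, iv, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))
```
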
More than just SHA3SUM: One primitive to rule them all
Single pass authenticated encryption
- Authentication and encryption in a single pass!
- Secure messaging (SSL/TLS, SSH, IPSEC …)
- Same primitive Keccak-f but in a (slightly) different mode: the duplex construction
- Also for random generation with reseeding (/dev/urandom …)
[Figure: the key, the IV and the padded message are absorbed into a state starting at 0; the key stream and the MAC are produced in the same pass.]

More than just SHA3SUM: Tuning Keccak to your own security requirements
Online tool available at http://keccak.noekeon.org/tune.html

Inside Keccak: Keccak-f in pseudo-code
http://keccak.noekeon.org/specs_summary.html

    Keccak-f[b](A) {
      forall i in 0…n_r-1
        A = Round[b](A, RC[i])
      return A
    }

    Round[b](A,RC) {
      θ step
      C[x] = A[x,0] xor A[x,1] xor A[x,2] xor A[x,3] xor A[x,4],   forall x in 0…4
      D[x] = C[x-1] xor rot(C[x+1],1),                             forall x in 0…4
      A[x,y] = A[x,y] xor D[x],                                    forall (x,y) in (0…4,0…4)

      ρ and π steps
      B[y,2*x+3*y] = rot(A[x,y], r[x,y]),                          forall (x,y) in (0…4,0…4)

      χ step
      A[x,y] = B[x,y] xor ((not B[x+1,y]) and B[x+2,y]),           forall (x,y) in (0…4,0…4)

      ι step
      A[0,0] = A[0,0] xor RC

      return A
    }

Inside Keccak: Performance in software
- Faster than SHA-2 on all modern PC
- KeccakTree faster than MD5 on some platforms

    C/b      Algo                Strength
    4.79     keccakc256treed2    128
    4.98     md5                 broken! 64
    5.89     keccakc512treed2    256
    6.09     sha1                broken! 80
    8.25     keccakc256          128
    10.02    keccakc512          256
    13.73    sha512              256
    21.66    sha256              128

[eBASH, hydra-6, http://bench.cr.yp.to/]

Inside Keccak: Efficient and flexible in hardware
From Kris Gaj’s presentation at SHA-3, Washington 2012:

Inside Keccak: Implementation tricks
Bit interleaving
- Ex.: map 64-bit lane to 32-bit words
  - Even bits in one word
  - Odd bits in a second word
- ρ seems the critical step: ROT64 ↔ 2 × ROT32
- Can be generalized to 16- and 8-bit words
- Can be combined
  - with lane/slice-wise architectures
  - with most other techniques
- No mismatch CPU words vs. security level
[Keccak impl. overview, Section 2.1]

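Bit interleaving as described on the slide above, written out as an added Python example (not the Keccak Team's code; all names are this example's own). It shows a 64-bit rotation carried out as two 32-bit rotations, and that a bitwise step such as χ needs no change because it acts on each bit position independently.

```python
M32, M64 = 2**32 - 1, 2**64 - 1

def rot32(w, n):
    n %= 32
    return ((w << n) | (w >> (32 - n))) & M32

def rot64(v, n):
    n %= 64
    return ((v << n) | (v >> (64 - n))) & M64

def interleave(lane):
    """Split a 64-bit lane: even-indexed bits into one word, odd-indexed bits into another."""
    even = odd = 0
    for i in range(32):
        even |= ((lane >> (2 * i)) & 1) << i
        odd |= ((lane >> (2 * i + 1)) & 1) << i
    return even, odd

def deinterleave(even, odd):
    """Inverse of interleave(): rebuild the 64-bit lane."""
    lane = 0
    for i in range(32):
        lane |= ((even >> i) & 1) << (2 * i)
        lane |= ((odd >> i) & 1) << (2 * i + 1)
    return lane

def rot64_interleaved(even, odd, n):
    """ROT64 by n, computed as two ROT32 on the interleaved halves."""
    n %= 64
    if n % 2 == 0:
        # even offset: every bit keeps its parity, both halves rotate by n/2
        return rot32(even, n // 2), rot32(odd, n // 2)
    # odd offset: even bits land on odd positions and vice versa, so the halves swap
    return rot32(odd, n // 2 + 1), rot32(even, n // 2)

def chi_row(words, mask):
    """The chi step on one row of 5 words; identical code for 64-bit and 32-bit words."""
    return [words[x] ^ (~words[(x + 1) % 5] & words[(x + 2) % 5] & mask)
            for x in range(5)]

def chi_row_interleaved(lanes):
    """chi on 5 lanes using 32-bit operations only, returned as 64-bit lanes."""
    halves = [interleave(v) for v in lanes]
    even = chi_row([h[0] for h in halves], M32)
    odd = chi_row([h[1] for h in halves], M32)
    return [deinterleave(e, o) for e, o in zip(even, odd)]
```
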
Keccak and the community: SHA-3, an open contest
- Open submissions, as required by NIST:
  - Public algorithm details
  - Open-source reference and optimized implementations
  - No patents
- Open cryptanalysis
- Open benchmarks [eBASH] [XBX]

Keccak and the community: KeccakTools
A set of documented C++ classes to help analyze Keccak-f
- To encourage cryptanalysis (we use it too!)
- To help verify our claims [Keccak Team, FSE 2012]
- And also to generate optimized code