sha 3 and permutation based cryptography
play

SHA-3 and permutation-based cryptography Joan Daemen 1 Joint work - PowerPoint PPT Presentation

Oct 10, 2023 •112 likes •682 views

SHA-3 and permutation-based cryptography Joan Daemen 1 Joint work with Crypto summer school ibenik, Croatia, June 1-6, 2014 1 / 49 Guido Bertoni 1 , Michal Peeters 2 and Gilles Van Assche 1 1 STMicroelectronics 2 NXP Semiconductors Outline

  1. SHA-3 and permutation-based cryptography Joan Daemen 1 Joint work with Crypto summer school Šibenik, Croatia, June 1-6, 2014 1 / 49 Guido Bertoni 1 , Michaël Peeters 2 and Gilles Van Assche 1 1 STMicroelectronics 2 NXP Semiconductors

  2. Outline 1 Prologue 2 The sponge construction 3 Keccak and SHA-3 4 Sponge modes of use 5 Block cipher vs permutation 6 Variations on sponge 2 / 49

  3. Prologue Outline 1 Prologue 2 The sponge construction 3 Keccak and SHA-3 4 Sponge modes of use 5 Block cipher vs permutation 6 Variations on sponge 3 / 49

  4. Prologue Cryptographic hash functions 2 Typical values for n : 128, 160, 256, 512 4 / 49 Function h from Z ∗ 2 to Z n Pre-image resistant: it shall take 2 n effort to given y , find x such that h ( x ) = y 2nd pre-image resistance: it shall take 2 n effort to given M and h ( M ) , find another M ′ with h ( M ′ ) = h ( M ) collision resistance: it shall take 2 n / 2 effort to find x 1 ̸ = x 2 such that h ( x 1 ) = h ( x 2 )

  5. Prologue Classical way to build hash functions Mode of use of a compression function: Fixed-input-length compression function Merkle-Damgård iterating mode Property-preserving paradigm hash function inherits properties of compression function …actually block cipher with feed-forward (Davies-Meyer) Compression function built on arithmetic-rotation-XOR: ARX Instances: MD5, SHA-1, SHA-2 (224, 256, 384, 512) … 5 / 49

  6. The sponge construction Outline 1 Prologue 2 The sponge construction 3 Keccak and SHA-3 4 Sponge modes of use 5 Block cipher vs permutation 6 Variations on sponge 6 / 49

  7. The sponge construction Sponge origin: RadioGatún Initiative to design hash/stream function (late 2005) rumours about NIST call for hash functions forming of Keccak Team starting point: fixing Panama [Daemen, Clapp, FSE 1998] RadioGatún [Keccak team, NIST 2nd hash workshop 2006] more conservative than Panama arbitrary output length expressing security claim for arbitrary output length function Sponge functions [Keccak team, Ecrypt hash, 2007] random sponge instead of random oracle as security goal sponge construction calling random permutation … closest thing to a random oracle with a finite state … 7 / 49

  8. The sponge construction The sponge construction Generalizes hash function: extendable output function (XOF) r bits of rate c bits of capacity (security parameter) Property-preservation no longer applies 8 / 49 Calls a b -bit permutation f , with b = r + c

  9. The sponge construction Generic security: indistinguishability Success probability of distinguishing between: 9 / 49 ideal function: a monolithic random oracle RO construction S [ F ] calling an random permutation F Adversary D sends queries ( M , ℓ ) according to algorithm Express Pr ( success |D ) as a function of total cost of queries N Problem: in real world, F is available to adversary

  10. The sponge construction Generic security: indifferentiability [Maurer et al. (2004)] Applied to hash functions in [Coron et al. (2005)] additional interface, covered by a simulator at right Methodology: 10 / 49 distinguishing mode-of-use from ideal function ( RO ) covers adversary with access to permutation F at left build P that makes left/right distinguishing difficult prove bound for advantage given this simulator P P may query RO for acting S -consistently: P [ RO ]

  11. The sponge construction Generic security of the sponge construction Concept of advantage : A: differentiating advantage of random sponge from random oracle N: total data complexity c: capacity [Keccak team, Eurocrypt 2008] 11 / 49 Pr ( success |D ) = 1 2 + 1 2Adv ( D ) Theorem (Bound on the RO -differentiating advantage of sponge) A ≤ N 2 2 c + 1

  12. The sponge construction Implications of the bound do pre-image attack N 2 Can be generalized to any attack Note that A is independent of output length n 12 / 49 Let D : n -bit output pre-image attack. Success probability: for random oracle: P pre ( D|RO ) = q 2 − n for random sponge: P pre ( D|S [ F ]) = ? A distinguisher D with A = P pre ( D|S [ F ]) − P pre ( D|RO ) if success, conclude random sponge and RO otherwise But we have a proven bound A ≤ 2 c + 1 , so P pre ( D|S [ F ]) ≤ P pre ( D|RO ) + N 2 2 c + 1

  13. The sponge construction Implications of the bound (cont’d) Security strength for output length n : Proof assumes f is a random permutation provably secure against generic attacks …but not against attacks that exploit specific properties of f No security against multi-stage adversaries 13 / 49 Informally, random sponge is like random oracle for N < 2 c / 2 collision-resistance: min ( c / 2 , n / 2 ) first pre-image resistance: min ( c / 2 , n ) second pre-image resistance: min ( c / 2 , n )

  14. The sponge construction A design approach Hermetic sponge strategy Instantiate a sponge function Remaining task Design permutation f without exploitable properties 14 / 49 Claim a security level of 2 c / 2

  15. The sponge construction How to build a strong permutation Like a block cipher sequence of identical rounds round consists of sequence of simple step mappings many approaches exist, e.g., wide-trail …but without need for key schedule efficient inverse width b that is power of two 15 / 49

  16. Keccak and SHA-3 Outline 1 Prologue 2 The sponge construction 3 Keccak and SHA-3 4 Sponge modes of use 5 Block cipher vs permutation 6 Variations on sponge 16 / 49

  17. Keccak and SHA-3 Sponge function using the permutation Keccak - f … from toy over lightweight to high-speed … permutation width: 1600 security strength 256: post-quantum sufficient permutation width: 200 security strength 80: what SHA-1 should have offered See [The Keccak reference] for more details 17 / 49 Keccak [ r , c ] 7 permutations: b ∈ { 25 , 50 , 100 , 200 , 400 , 800 , 1600 } SHA-3 instance: r = 1088 and c = 512 Lightweight instance: r = 40 and c = 160

  18. Keccak and SHA-3 Sponge function using the permutation Keccak - f … from toy over lightweight to high-speed … permutation width: 1600 security strength 256: post-quantum sufficient permutation width: 200 security strength 80: what SHA-1 should have offered See [The Keccak reference] for more details 17 / 49 Keccak [ r , c ] 7 permutations: b ∈ { 25 , 50 , 100 , 200 , 400 , 800 , 1600 } SHA-3 instance: r = 1088 and c = 512 Lightweight instance: r = 40 and c = 160

  19. Keccak and SHA-3 Sponge function using the permutation Keccak - f … from toy over lightweight to high-speed … permutation width: 1600 security strength 256: post-quantum sufficient permutation width: 200 security strength 80: what SHA-1 should have offered See [The Keccak reference] for more details 17 / 49 Keccak [ r , c ] 7 permutations: b ∈ { 25 , 50 , 100 , 200 , 400 , 800 , 1600 } SHA-3 instance: r = 1088 and c = 512 Lightweight instance: r = 40 and c = 160

  20. Keccak and SHA-3 The 3-dimensional Keccak - f state 18 / 49 state y z x 5 × 5 lanes, each containing 2 ℓ bits (1, 2, 4, 8, 16, 32 or 64) ( 5 × 5 ) -bit slices, 2 ℓ of them

  21. Keccak and SHA-3 The step mappings of the Keccak - f round function Keywords: wide-trail, lightweight, symmetry, bit-oriented, margin 19 / 49

  22. Keccak and SHA-3 256 128 10.02 keccakc512 256 13.73 sha512 21.66 8.25 sha256 128 [eBASH, hydra6 (AMD Bulldozer), http://bench.cr.yp.to/ ] KeccakTree : parallel tree hashing Speedup thanks to SIMD instructions keccakc256 80 Performance in software 4.98 C/b Algo Strength 4.79 keccakc256treed2 128 md5 broken! broken! 64 5.89 keccakc512treed2 256 6.09 sha1 20 / 49

  23. Keccak and SHA-3 free SHA-3 requirements and Keccak final submission 192 384 832 256 512 576 up to 288 256 up to 288 1024 1 Output-length oriented approach These instances address the SHA-3 requirements, but: security strength levels outside of [NIST SP 800-57] range performance penalty for high-capacity instances! 1088 21 / 49 128 Relative resistance resistance Rate instance perf. Keccak Pre-image 112 Collision 224 Output 1152 length n = 224 Keccak [ c = 448 ] × 1 . 125 n = 256 Keccak [ c = 512 ] × 1 . 063 n = 384 Keccak [ c = 768 ] ÷ 1 . 231 n = 512 Keccak [ c = 1024 ] ÷ 1 . 778 Keccak [ c = 576 ]

  24. Keccak and SHA-3 up to 128 SHA3-256 What we proposed to NIST 192 256 SHA3-384 256 256 SHA3-512 free 128 up to 128 SHAKE256 up to 256 free up to 256 SHAKE512 Security strength oriented approach consistent with [NIST SP 800-57] Underlying security strength levels reduced to 128 and 256 Strengths 384 and 512: not needed anymore 128 22 / 49 length 112 Relative Pre. Coll. strength Output perf. Capacity instance Security 128 res. SHA-3 SHA3-224 res. s ≥ 112 c = 256 n = 224 × 1 . 312 s ≥ 128 c = 256 n = 256 × 1 . 312 s ≥ 192 c = 512 n = 384 × 1 . 063 s ≥ 256 c = 512 n = 512 × 1 . 063 c = 256 × 1 . 312 c = 512 × 1 . 063

Recommend

Permutation Based Cryptography for IoT Guido Bertoni 1 Joint work with CIoT 2012, Antwerp,

Permutation Based Cryptography for IoT Guido Bertoni 1 Joint work with CIoT 2012, Antwerp,

. . . . . . Permutation Based Cryptography for IoT Permutation Based Cryptography for IoT Guido Bertoni 1 Joint work with CIoT 2012, Antwerp, November 21 Joan Daemen 1 , Michal Peeters 2 and Gilles Van Assche 1 1 STMicroelectronics 2 NXP

755 views • 41 slides
Permutation-based cryptography for the Internet of Things Gilles Van Assche 1 1 STMicroelectronics

Permutation-based cryptography for the Internet of Things Gilles Van Assche 1 1 STMicroelectronics

Permutation-based cryptography for the Internet of Things Gilles Van Assche 1 1 STMicroelectronics 2 Radboud University RIOT Summit 2017 Berlin, September 25-26, 2017 1 / 56 Joint work with Guido Bertoni, Joan Daemen 1 , 2 , Seth Hoffert,

871 views • 65 slides
Permutation-based symmetric cryptography and Keccak Joan Daemen 1 joint work with . .. . . .

Permutation-based symmetric cryptography and Keccak Joan Daemen 1 joint work with . .. . . .

. .. . .. . . .. . . .. . . .. . . . .. . .. . . .. . . .. . Permutation-based symmetric cryptography and Keccak Permutation-based symmetric cryptography and Keccak Joan Daemen 1 joint work with . .. . . . . .. .

695 views • 52 slides
Permutation-based encryption, authentication and authenticated encryption Guido Bertoni 1 , Joan

Permutation-based encryption, authentication and authenticated encryption Guido Bertoni 1 , Joan

Permutation-based encryption, authentication and authenticated encryption Guido Bertoni 1 , Joan Daemen 1 , Michal Peeters 2 , and Gilles Van Assche 1 1 STMicroelectronics 2 NXP Semiconductors Abstract. While mainstream symmetric cryptography has

519 views • 12 slides
Permutation-based Combinatorial Optimization Problems under the Microscope Josu Ceberio

Permutation-based Combinatorial Optimization Problems under the Microscope Josu Ceberio

Permutation-based Combinatorial Optimization Problems under the Microscope Josu Ceberio Intelligent Systems Group Department of Computer Science and Artificial Intelligence University of the Basque Country (UPV/EHU) 1 Permutation-based

1.3k views • 89 slides
Outline More On Cryptography Permutation ciphers CS 239 Stream and block ciphers

Outline More On Cryptography Permutation ciphers CS 239 Stream and block ciphers

Outline More On Cryptography Permutation ciphers CS 239 Stream and block ciphers Computer Security Uses of cryptography January 25, 2006 Lecture 5 Lecture 5 Page 1 Page 2 CS 239, Winter 2006 CS 239, Winter 2006

234 views • 5 slides
Statistics on permutation tableaux Pawel Hitczenko Drexel University parts based on joint work

Statistics on permutation tableaux Pawel Hitczenko Drexel University parts based on joint work

Statistics on permutation tableaux Pawel Hitczenko Drexel University parts based on joint work with Sylvie Corteel (Paris-Sud) and parts with Svante Janson (Uppsala) LIPN, February 5, 2008 Permutation tableaux Permutation tableau T : a Ferrers

1.11k views • 50 slides
Innovations in permutation-based encryption &amp; authentication . based on joint work with

Innovations in permutation-based encryption &amp; authentication . based on joint work with

Innovations in permutation-based encryption &amp; authentication . based on joint work with Fast Software Encryption Conference 2017 1 Joan Daemen 1 , 2 Guido Bertoni 1 , Michal Peeters 1 , Gilles Van Assche 1 and Ronny Van Keer 1 1

855 views • 30 slides
Permutation-based encryption, authentication and authenticated encryption Joan Daemen 1 Joint

Permutation-based encryption, authentication and authenticated encryption Joan Daemen 1 Joint

. . . . . . Permutation-based encryption, authentication and authenticated encryption Permutation-based encryption, authentication and authenticated encryption Joan Daemen 1 Joint work with DIAC 2012, Stockholm, July 6 Guido Bertoni 1 ,

739 views • 49 slides
Innovations in permutation-based crypto based on joint work with Van Keer 1 Cryptacus Training

Innovations in permutation-based crypto based on joint work with Van Keer 1 Cryptacus Training

Innovations in permutation-based crypto based on joint work with Van Keer 1 Cryptacus Training School, Azores, April 17, 2018 1 Joan Daemen 1 , 2 Guido Bertoni 3 , Seth Hoffert, Michal Peeters 1 , Gilles Van Assche 1 and Ronny 1

843 views • 35 slides
Innovations in permutation-based crypto Joan Daemen based on joint work with Guido Bertoni,

Innovations in permutation-based crypto Joan Daemen based on joint work with Guido Bertoni,

Innovations in permutation-based crypto Joan Daemen based on joint work with Guido Bertoni, Seth Hoffert, Bart Mennink, Michal Peeters, Gilles Van Assche and Ronny Van Keer COINS Winter School, 5-10 May 2019, Finse 1 1 Radboud

986 views • 65 slides
Innovations in permutation-based crypto based on joint work with Guido Bertoni 3 , Seth Hoffert,

Innovations in permutation-based crypto based on joint work with Guido Bertoni 3 , Seth Hoffert,

Innovations in permutation-based crypto based on joint work with Guido Bertoni 3 , Seth Hoffert, Michal Peeters 1 , Gilles Van Assche 1 and Ronny Van Keer 1 ECC, Nijmegen, November 14, 2017 1 / 35 Joan Daemen 1 , 2 1 STMicroelectronics 2

1.09k views • 65 slides
Talk Overview Introduction 1 Table-based 2 Vector-Permutation 3 Bitslice 4 Results and

Talk Overview Introduction 1 Table-based 2 Vector-Permutation 3 Bitslice 4 Results and

Implementing Lightweight Block Ciphers on x86 Architectures Ryad Benadjila 1 Jian Guo 2 e 1 Thomas Peyrin 2 Victor Lomn 1 ANSSI, France 2 NTU, Singapore SAC, August 15, 2013 Introduction Table-based Vector-Permutation Bitslice Results and

899 views • 43 slides
Rings and Modules for Identity-Based Post-Quantum Public-Key Cryptography BASED ON THE PAPER

Rings and Modules for Identity-Based Post-Quantum Public-Key Cryptography BASED ON THE PAPER

Rings and Modules for Identity-Based Post-Quantum Public-Key Cryptography BASED ON THE PAPER EPRINT.IACR.ORG/2014/794 BY DUCAS, LYUBASHEVSKY, AND PREST 2016-09-21, Royal Holloway, Egham OFFICIAL Public Key Cryptography (PKC) Also called

403 views • 26 slides
Pairing based cryptography Antoine Joux DGA/SPOTI and University de Versailles

Pairing based cryptography Antoine Joux DGA/SPOTI and University de Versailles

Pairing based cryptography Antoine Joux DGA/SPOTI and University de Versailles St-Quentin-en-Yvelines France 1 Introduction: EC in cryptography Starting point: 1985 (V. Miller) Discrete logarithm based

487 views • 45 slides
Enumeration of Permutation Classes by Inflation of Independent Sets of Graphs mile Nadeau

Enumeration of Permutation Classes by Inflation of Independent Sets of Graphs mile Nadeau

Enumeration of Permutation Classes by Inflation of Independent Sets of Graphs mile Nadeau (based on joint work with Christian Bean and Henning Ulfarsson) Reykjavik University Permutations Patterns 2019 Staircase encoding For any permutation

969 views • 78 slides
On Xoodoo Gilles Van Assche 1 based on joint work with Joan Daemen 2 , Seth Hoffert and Ronny Van

On Xoodoo Gilles Van Assche 1 based on joint work with Joan Daemen 2 , Seth Hoffert and Ronny Van

On Xoodoo Gilles Van Assche 1 based on joint work with Joan Daemen 2 , Seth Hoffert and Ronny Van Keer 1 1 STMicroelectronics 2 Radboud University Advances in Permutation-Based Cryptography Milano, Italy, October 2018 1 / 24 Outline 1 Xoodoo

645 views • 40 slides
Substitution-permutation networks, pseudorandom functions, and natural proofs Eric Miles

Substitution-permutation networks, pseudorandom functions, and natural proofs Eric Miles

Substitution-permutation networks, pseudorandom functions, and natural proofs Eric Miles Northeastern University joint work with Emanuele Viola Theory vs. practice gap in cryptography Theoreticians have . . . - liberal

654 views • 21 slides
A Fast Algorithm for Permutation Pattern Matching Based on Alternating Runs Marie-Louise Bruner

A Fast Algorithm for Permutation Pattern Matching Based on Alternating Runs Marie-Louise Bruner

A Fast Algorithm for Permutation Pattern Matching Based on Alternating Runs Marie-Louise Bruner (Joint work with Martin Lackner) Vienna University of Technology June 13, 2012 Permutation Patterns, Glasgow Marie-Louise Bruner A Fast Algorithm

661 views • 37 slides
J , the all- 1 matrix. (The corresponding only G -invariant association scheme is the trivial A

J , the all- 1 matrix. (The corresponding only G -invariant association scheme is the trivial A

Association schemes and Permutation groups permutation groups Let G be a permutation group on . Then the characteristic functions of the orbits of G on Peter J Cameron G

44 views • 3 slides
Security on the Line: Modern Curve-based Cryptography Joost Renes SCA Workshop 18 June 2019

Security on the Line: Modern Curve-based Cryptography Joost Renes SCA Workshop 18 June 2019

Security on the Line: Modern Curve-based Cryptography Joost Renes SCA Workshop 18 June 2019 Modern curve-based cryptography Modern curve-based cryptography 1 / 11 Modern curve-based cryptography Internet of Things Size &amp; speed

1.39k views • 97 slides
MIT 6.875 &amp; Berkeley CS276 Foundations of Cryptography Lecture 20 TODAY: Lattice-based

MIT 6.875 &amp; Berkeley CS276 Foundations of Cryptography Lecture 20 TODAY: Lattice-based

MIT 6.875 &amp; Berkeley CS276 Foundations of Cryptography Lecture 20 TODAY: Lattice-based Cryptography Why Lattice-based Crypto? o Exponentially Hard (so far) o Quantum-Resistant (so far) o Worst-case hardness (unique feature of

699 views • 38 slides
Quantum Cryptography Slides based in part on A talk on quantum cryptography or how Alice

Quantum Cryptography Slides based in part on A talk on quantum cryptography or how Alice

Quantum Cryptography Slides based in part on A talk on quantum cryptography or how Alice outwits Eve, by Samuel Lomonaco Jr. and Quantum Computing by Andr Bertiaume. The Classical World - Bits either 0 or 1. - Bits can be copied.

639 views • 11 slides
Arithmetic Operators for Pairing-Based Cryptography Jean-Luc Beuchat Laboratory of Cryptography

Arithmetic Operators for Pairing-Based Cryptography Jean-Luc Beuchat Laboratory of Cryptography

Arithmetic Operators for Pairing-Based Cryptography Jean-Luc Beuchat Laboratory of Cryptography and Information Security Graduate School of Systems and Information Engineering University of Tsukuba 1-1-1 Tennodai, Tsukuba Ibaraki, 305-8573,

896 views • 58 slides

More recommend