Sha3
1 like•8,061 views
The document summarizes the SHA3 hash algorithm competition hosted by NIST. It provides details on the winning algorithm called Keccak, including its sponge construction, Keccak-f permutation, and the algorithms used in each round. Performance experiments show SHA3-512 is slower than SHA256 but provides stronger security guarantees. In conclusion, SHA3 will be the next hash standard and Keccak offers a secure design suited for hardware implementations.
![Introduction: The Beginning Ideas of Keccak
• RADIOGATUN [NIST 2nd Work shop, 2006]
• Variable-length output
• Expressing security claim: non-trivial exercise
• But, neither did third-party cryptanalysis
• NIST SHA-3 deadline approaching …
• U-turn: design a sponge with strong permutation f
• Sponge functions
• closest thing to a random oracle with a finite state
• Sponge construction calling random permutation
SHA3 6](https://image.slidesharecdn.com/sha3-130607003906-phpapp02/85/Sha3-6-320.jpg)
![Sponge Construction
• SPONGE[f, pad, r]
• f: fixed-length permutation which operates b bits.
• pad: padding rule which is denoted by M||pad[b](|M|), where M is the sign
of message.
• r: bit rate.
• c:capacity equals to b – r and c<b
SHA3 8](https://image.slidesharecdn.com/sha3-130607003906-phpapp02/85/Sha3-8-320.jpg)
![The KECCAK-f permutation(1)
• KECCAK([ ] ) is a family of sponge functions that use as
a building block a permutation from a set of 7 permutations.
• The 7 permutations indicated by KECCAK-f[b], where b=25×2l
and l ranges from 0~6. KECCAK-f[b] is a permutation over .
• Three dimension array on state a over GF(2), namely a[5][5][w],
where w = 2l.
• a[x][y][z]: x, y Z5 and z Zw.
• The mapping between bits of s and a is
• The 7 permutations(b): {25, 50, 100, 200,400, 800, 1600}
SHA3 11](https://image.slidesharecdn.com/sha3-130607003906-phpapp02/85/Sha3-11-320.jpg)
![The KECCAK-f permutation(2)
• KECCAK-f[b] is an iterated permutation with a number of
rounds R, indexed by 0 to nr-1
SHA3 13](https://image.slidesharecdn.com/sha3-130607003906-phpapp02/85/Sha3-13-320.jpg)
![The KECCAK-f permutation(3)
• Addition and multiplications are in GF(2) except RC[ir].
• are defined as the output of LFSR(linear
feedback shift register.)
• Note that nr = 12 + 2l
SHA3 20](https://image.slidesharecdn.com/sha3-130607003906-phpapp02/85/Sha3-20-320.jpg)
Sha3
- 1. SHA3 Reporter: Jyun-Yao Huang ([email protected]) Date: June 4th, 2013 1SHA3
- 2. Outline • Introduction • SHA3 • Security Analysis • Experiments • Conclusion 2SHA3
- 3. Introduction • In 2005, Wang et al. introduced serious concerns about the security of SHA-1. • NIST opened a public competition on November 2, 2007, to develop a new cryptographic hash algorithm (referred to as SHA-3) to augment the hash algorithms specified in Federal Information Processing Standard (FIPS) 180-2, Secure Hash Standard • 1st -round: 51 candidates in 2008. • 2nd-round: 14 candidates in 2009. • 3rd -round: 5 candidates in 2010. SHA3 3
- 4. Introduction: Keccak wins! • Keccak (Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.) announced as the SHA-3 winner on October 2, 2012 SHA3 4 Table 1: The five final candidates of SHA3
- 5. The Keccak Team • Michaël Peeters, Guido Bertoni, Gilles Van Assche and Joan Daemen. SHA3 5
- 6. Introduction: The Beginning Ideas of Keccak • RADIOGATUN [NIST 2nd Work shop, 2006] • Variable-length output • Expressing security claim: non-trivial exercise • But, neither did third-party cryptanalysis • NIST SHA-3 deadline approaching … • U-turn: design a sponge with strong permutation f • Sponge functions • closest thing to a random oracle with a finite state • Sponge construction calling random permutation SHA3 6
- 7. SHA3 • Sponge Construction • Keccak Functions • Keccak-f Permutation • The algorithms of each operations SHA3 7
- 8. Sponge Construction • SPONGE[f, pad, r] • f: fixed-length permutation which operates b bits. • pad: padding rule which is denoted by M||pad[b](|M|), where M is the sign of message. • r: bit rate. • c:capacity equals to b – r and c<b SHA3 8
- 9. Sponge Construction(2) SHA3 9 Absorbing Phase Squeezing Phase
- 10. KECCAK Functions • By default, c=576 , b=1600, nr=24. SHA3 10
- 11. The KECCAK-f permutation(1) • KECCAK([ ] ) is a family of sponge functions that use as a building block a permutation from a set of 7 permutations. • The 7 permutations indicated by KECCAK-f[b], where b=25×2l and l ranges from 0~6. KECCAK-f[b] is a permutation over . • Three dimension array on state a over GF(2), namely a[5][5][w], where w = 2l. • a[x][y][z]: x, y Z5 and z Zw. • The mapping between bits of s and a is • The 7 permutations(b): {25, 50, 100, 200,400, 800, 1600} SHA3 11
- 13. The KECCAK-f permutation(2) • KECCAK-f[b] is an iterated permutation with a number of rounds R, indexed by 0 to nr-1 SHA3 13
- 14. Algorithm of θ • Without θ, the KECCAK-f function would not provide diffusion of any significance. • High average diffusion and low gate count: 2 XORs per bit. SHA3 14
- 15. Algorithm of θ SHA3 15
- 16. Algorithm of ρ SHA3 16
- 17. Algorithm of π SHA3 17
- 18. Algorithm of χ • χ is the only non-linear mapping in Keccak-f. • It could be implementable in parallel computing. • It has algebraic degree 2, but the inverse may not be degree 2. SHA3 18
- 19. Algorithm of ι • It is aimed at disrupting symmetry. • Without it, the round function would be translation-invariant in the z direction and all rounds would be equal making Keccak-f subject to attacks exploiting symmetry such as slide attacks. SHA3 19
- 20. The KECCAK-f permutation(3) • Addition and multiplications are in GF(2) except RC[ir]. • are defined as the output of LFSR(linear feedback shift register.) • Note that nr = 12 + 2l SHA3 20
- 21. The all procedures SHA3 21
- 22. The all procedures (cont.) SHA3 22
- 23. The all procedures (cont.) SHA3 23
- 24. The candidates of SHA3 SHA3 24
- 25. SecurityAnalysis • Immunity of Generic Attacks: • Given capacity c, the success probability is lower than 1- exp(-N(N+1)2-(c+1)) with N the number of calls to the underlying permutation or its reverse. If 1<< N << 2c/2, this bounds simplifies to 2-(c+1)N2. • The zero-sum distinguisher distinguisher for all 24 rounds has the complexity of 21579 SHA3 25
- 26. Experiments: Hardware • In Intel 8051 8-bits processor, 8-bits data bus, a 16-bit address bus and 512 bytes RAM: 128 bytes for lower internal RAM, 128 bytes for higher internal RAM and 256 bytes of external RAM (indirect access only) SHA3 26
- 27. Experiments: My Experiment • Platform • CPU: i5-2450m RAM: 8GB • Programming language : Microsoft C# • Testing Data: the message with 1, 10, 100 million bytes. • It runs 10 times and extracts the average values. • Algorithms for testing: MD5, SHA256, SHA3-512 27SHA3 Case(bytes) MD5 SHA256 SHA3-512 1 million 1.56001 31.20007 118.56019 10 million 35.88007 110.7602 1180.92206 100 million 352.56065 1098.24191 12124.34128 Table 2: The experimental result in milliseconds
- 28. Conclusions • SHA3 is the next hash function in the future. It can provide a secure scheme which provides the closest thing to a random oracle with a finite state. • It’s more slower than SHA256. • However, it provides a good hardware design architecture to make manufactures implement it. SHA3 28
- 29. Reference • Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Keccak sponge function family main document, http://keccak.noekeon.org/Keccak-main-2.1.pdf • Guido Bertoni, Joan Daemen, Michaël Peeters and Gilles Van Assche,” The Keccak sponge function family”, http://keccak.noekeon.org/ • Guido Bertoni, Joan Daemen, Michaël Peeters and Gilles Van Assche,” Keccak implementation overview”, http://keccak.noekeon.org/ SHA3 29