Keccak Slides at NIST

8/12/2019 Keccak Slides at NIST

1/71

KeccakandtheSHA-3StandardizationGuidoBertoni1 JoanDaemen1

MichalPeeters2

GillesVanAssche1

1STMicroelectronics2NXPSemiconductors

NIST,Gaithersburg,MDFebruary6,2013

1/60


2/71

Outline123456

ThebeginningThespongeconstructionInsideKeccakAnalysisunderlyingKeccakApplicationsofKeccak,orspongeSomeideasfortheSHA-3standard

2/60


3/71

Thebeginning

Outline123456


3/60


4/71

Thebeginning

Cryptographichashfunctionsh : {0,1} {0,1}n

Input message Digest

MD5:n=128(RonRivest,1992)SHA-1:n=160(NSA,NIST,1995)SHA-2:n{224,256,384,512}(NSA,NIST,2001)

4/60


5/71

Thebeginning

Ourbeginning:RadioGatn

Initiativetodesignhash/streamfunction(late2005)rumoursaboutNISTcallforhashfunctionsformingofKeccakTeamstartingpoint:fixingPanama[Daemen,Clapp,FSE1998]

RadioGatn[Keccakteam,NIST2ndhashworkshop2006]moreconservativethanPanamavariable-lengthoutputexpressingsecurityclaim:non-trivialexercise

Spongefunctions

[Keccakteam,Ecrypthash,2007]closestthingtoarandomoraclewithafinitestateSpongeconstructioncallingrandompermutation

5/60

h b i i


6/71

Thebeginning

FromRadioGatntoKeccak

RadioGatnconfidencecrisis(2007-2008)ownexperimentsdidnotinspireconfidenceinRadioGatnneitherdidthird-partycryptanalysis[Bouillaguet,Fouque,SAC2008][Fuhr,Peyrin,FSE2009]follow-updesignGnobliowentnowhereNISTSHA-3deadlineapproachingU-turn:designaspongewithstrongpermutationf

Keccak[Keccakteam,SHA-3,2008] 6/60

Th t ti


7/71

Thespongeconstruction

Outline1234

56


7/60

The sponge construction


8/71



Moregeneralthanahashfunction:arbitrary-lengthoutputCallsab-bitpermutationf,withb=r+c

rbitsofratecbitsofcapacity(securityparameter)

8/60



9/71


Genericsecurityofthespongeconstruction

RO-differentiatingadvantageN2/2c+1NisnumberofcallstofProven

in

[Keccakteam,Eurocrypt2008]AsstrongasarandomoracleagainstattackswithN


10/71


Designapproach

HermeticspongestrategyInstantiateaspongefunctionClaimasecuritylevelof2c/2

MissionDesignpermutationfwithoutexploitableproperties

10/60



11/71


Howtobuildastrongpermutation

BuilditasisaniteratedpermutationLikeablockcipher

SequenceofidenticalroundsRoundconsistsofsequenceofsimplestepmappings

butnotquiteNokeyscheduleRoundconstantsinsteadofroundkeysInverse

permutation

need

not

be

efficient

11/60



12/71

espo geco st uct o

Criteriaforastrongpermutation

ClassicalLC/DCcriteriaAbsenceoflargedifferentialpropagationprobabilitiesAbsenceoflargeinput-outputcorrelations

InfeasibilityoftheCICOproblemConstrainedInputConstrainedOutputGivenpartialinputandpartialoutput,findmissingparts

ImmunitytoIntegralcryptanalysisAlgebraic

attacks

Slideandsymmetry-exploitingattacks

12/60

Inside Keccak


13/71

Outline1234

56


13/60

InsideKeccak


14/71

Keccak

InstantiationofaspongefunctionthepermutationKeccak-f

7permutations:b{25,50,100,200,400,800,1600}Security-speedtrade-offsusingthesamepermutation,e.g.,SHA-3instance:r=1088andc=512

permutationwidth:1600securitystrength256:post-quantumsufficient

Lightweightinstance:r=40andc=160permutationwidth:200securitystrength80:sameasSHA-1

14/60

InsideKeccak


15/71

Thestate:anarrayof552 bits

x

yz

state

55lanes,eachcontaining2 bits(1,2,4,8,16,32or64)(55)-bitslices,2 ofthem

15/60

InsideKeccak


16/71


x

yz

lane


15/60

InsideKeccak


17/71


x

yz

slice


15/60

InsideKeccak


18/71


x

yz

row


15/60

InsideKeccak


19/71


x

yz

column


15/60

InsideKeccak


20/71

,thenonlinearmappinginKeccak-f

Flipbitifneighborsexhibit01patternOperatesindependentlyandinparallelon5-bitrowsAlgebraicdegree2,inversehasdegree3LC/DCpropagationpropertieseasytodescribeandanalyze

16/60

InsideKeccak


21/71

,afirstattemptatmixingbitsComputeparitycx,z ofeachcolumnAddtoeachcellparityofneighboringcolumns:

bx,y,z=ax,y,zcx1,zcx+1,z

+ =

column parity effect

combine

17/60

InsideKeccak


22/71

Diffusionof

18/60

InsideKeccak


23/71

Diffusionof (kernel)

19/60

InsideKeccak


24/71

Diffusionoftheinverseof

20/60

InsideKeccak


25/71

forinter-slicedispersionWeneeddiffusionbetweentheslices:cyclicshiftsoflaneswithoffsets

i(i+1)/2mod2Offsetscyclethroughallvaluesbelow2

21/60

InsideKeccak


26/71

tobreaksymmetry

XORofround-dependentconstanttolaneinoriginWithout,theroundmappingwouldbesymmetric

invarianttotranslationinthez-directionWithout,allroundswouldbethesame

susceptibilitytoslideattacksdefectivecyclestructure

Without,wegetsimplefixedpoints(000and111)

22/60

InsideKeccak


27/71

AfirstattemptatKeccak-fRoundfunction:R=Problem: low-weightperiodictrailsbychaining:

:maypropagateunchanged:propagatesunchanged,becauseallcolumnparitiesare0: ingeneralmovesactivebitstodifferentslicesbutnotalways

23/60

InsideKeccak


28/71

TheMatryoshkaproperty

PatternsinQ arez-periodicversionsofpatternsinQ24/60

InsideKeccakf d b h l l l


29/71

fordisturbinghorizontal/verticalalignment

x 0 1 x

ax,yax,y with = y 2 3 y25/60

InsideKeccakd f


30/71

AsecondattemptatKeccak-f

Roundfunction:R=Solvesproblemencounteredbefore:

movesbitsinsamecolumntodifferentcolumns!

26/60

InsideKeccakT ki


31/71

Tweaking to

27/60

InsideKeccakI f


32/71

Inverseof

Diffusionfromsingle-bitoutputtoinputveryhighIncreasesresistanceagainstLC/DCandalgebraicattacks

28/60

InsideKeccakK cca f


33/71

Keccak-fsummary

Roundfunction:R=

Numberofrounds:12+2Keccak-f[25]has12roundsKeccak-f[1600]has24rounds

Efficiencyhighlevelofparallellismflexibility:bit-interleavingsoftware:competitiveonwiderangeofCPUdedicatedhardware:verycompetitivesuitedforprotectionagainstside-channelattack

29/60

InsideKeccakPerformance in software


34/71

Performanceinsoftware

Fasterthan

SHA-2

on

all

modern

PC

KeccakTreefasterthanMD5onsomeplatforms

C/b Algo Strength4.794.985.896.098.25

10.0213.7321.66

keccakc256treed2md5keccakc512treed2sha1keccakc256keccakc512sha512sha256

128


35/71

EfficientandflexibleinhardwareFromKrisGajspresentationatSHA-3,Washington2012:

31/60

AnalysisunderlyingKeccakOutline


36/71

Outline12

34

5

6

ThebeginningThespongeconstructionInsideKeccakAnalysisunderlyingKeccak

Applicationsof

Keccak,or

sponge

SomeideasfortheSHA-3standard

32/60

AnalysisunderlyingKeccakOur analysis underlying the design of Keccak f


37/71

OuranalysisunderlyingthedesignofKeccak-f

Presenceof

large

input-output

correlations

Abilitytocontrolpropagationofdifferences

Differential/lineartrailanalysisLowerboundsfortrailweightsAlignmentandtrailclusteringThisshaped,and

AlgebraicpropertiesDistributionof#termsofcertaindegreesAbilityofsolvingcertainproblems(CICO)algebraicallyZero-sumdistinguishers(thirdparty)Thisdeterminedthenumberofrounds

Analysisofsymmetryproperties:thisshapedSee[Keccakreference],[EcryptIIHash2011],[FSE2012]

33/60

AnalysisunderlyingKeccakThird party cryptanalysis of Keccak


38/71

Third-partycryptanalysisofKeccakDistinguishersonKeccak-f[1600]

Rounds Work3 low CICOproblem[Aumasson,Khovratovich,2009]4 low cubetesters[Aumasson,Khovratovich,2009]8 2491 unalignedrebound[Duc,Guo,Peyrin,Wei,FSE2012]

24

21574

zero-sum

[Duan,

Lai,

ePrint

2011]

[Boura,

Canteaut,

DeCannire,FSE2011]Academic-complexityattacksonKeccak

6-8rounds:secondpreimage[Bernstein,2010]slightlyfasterthanexhaustivesearch,buthugememory

attackstakingadvantageofsymmetry4-roundpre-images[Morawiecki,Pieprzyk,Srebrny,FSE2013]5-roundscollisions[Dinur,Dunkelman,Shamir,FSE2013]

34/60

AnalysisunderlyingKeccakThird-party cryptanalysis of Keccak


39/71

Third-partycryptanalysisofKeccak

Practical-complexityattacks

on

KeccakRounds

2 preimagesandcollisions[Morawiecki,CC]2 collisions[Duc,Guo,Peyrin,Wei,FSE2012andCC]3 40-bitpreimage[Morawiecki,Srebrny,2010]3 nearcollisions[Naya-Plasencia,Rck,Meier,Indocrypt2011]4 keyrecovery[Lathrop,2009]4 distinguishers[Naya-Plasencia,Rck,Meier,Indocrypt2011]4 collisions[Dinur,Dunkelman,Shamir,FSE2012andCC]5

near-collisions[Dinur,

Dunkelman,

Shamir,

FSE

2012]

CC=CrunchyCryptoCollisionandPreimageContest

35/60

AnalysisunderlyingKeccakObservations from third-party cryptanalysis


40/71

Observationsfromthird partycryptanalysis

ExtendingdistinguishersofKeccak-ftoKeccakisnoteasyEffectofalignmentondifferential/linearpropagation

Strong: lowuncertaintyinprop.alongblockboundariesWeak:

high

uncertainty

in

prop.

along

block

boundaries

WeakalignmentinKeccak-flimitsfeasibilityofreboundattacks

Effectoftheinverseofthemixinglayer1 hasveryhighaveragediffusionLimitstheconstructionoflow-weighttrailsovermorethanafewrounds

36/60

ApplicationsofKeccak,orspongeOutline


41/71

Outline

12

34

5

6

ThebeginningThespongeconstructionInsideKeccakAnalysisunderlyingKeccak

Applicationsof

Keccak,or

sponge

SomeideasfortheSHA-3standard

37/60

ApplicationsofKeccak,orspongeRegular hashing


42/71

Regularhashing

ElectronicsignaturesDataintegrity(shaXsum)Dataidentifier(Git,onlineanti-virus,peer-2-peer)

38/60

ApplicationsofKeccak,orspongeSalted hashing


43/71

Saltedhashing

Randomizedhashing(RSASSA-PSS)Passwordstorageandverification(Kerberos,/etc/shadow)

39/60

ApplicationsofKeccak,orspongeSalted hashing


44/71

Saltedhashing

Randomizedhashing(RSASSA-PSS)Passwordstorageandverification(Kerberos,/etc/shadow)

Canbeasslowasyoulikeit!

39/60

Applicationsof

Keccak,or

sponge

Maskgenerationfunction


45/71

g

KeyderivationfunctioninSSL,TLSFull-domainhashinginpublickeycryptography

electronicsignaturesRSASSA-PSS[PKCS#1]encryptionRSAES-OAEP[PKCS#1]keyencapsulationmethods(KEM)

40/60

Applicationsof

Keccak,or

sponge

Messageauthenticationcodes


46/71

g

0 f f

Key

Padded message

f ff

MAC

AsamessageauthenticationcodeSimplerthanHMAC[FIPS198]

RequiredforSHA-1,SHA-2duetolengthextensionpropertyNolongerneededforsponge

41/60

Applicationsof

Keccak,or

sponge

Streamencryption


47/71

yp

0 f f

Key IV

f

Key stream

AsastreamcipherLongoutputstreamperIV:similartoOFBmodeShortoutputstreamperIV:similartocountermode

42/60

Applicationsof

Keccak,or

sponge

Singlepassauthenticatedencryption


48/71

g p yp

0 f f

Key

Padded messageIV

f

Key stream

ff

MAC

Authenticationandencryptioninasinglepass!Securemessaging(SSL/TLS,SSH,IPSEC)

43/60

Applicationsof

Keccak,or

sponge

Theduplexconstruction


49/71

p

GenericsecurityequivalenttoSponge[KeccakTeam,SAC2011]Applicationsinclude:

Authenticatedencryption:spongeWrapReseedablepseudorandomsequencegenerator

44/60

Applicationsof

Keccak,or

sponge

Reseedablepseudorandomsequencegenerator


50/71

Definedin[KeccakTeam,CHES2010]and[KeccakTeam,SAC2011]Supportforforwardsecrecybyforgettinginduplex:

45/60

Applicationsof

Keccak,or

sponge

Reseedablepseudorandomsequencegenerator


51/71

Definedin[KeccakTeam,CHES2010]and[KeccakTeam,SAC2011]Supportforforwardsecrecybyforgettinginduplex:

45/60

Someideas

for

the

SHA-3

standard

Outline


52/71

12

3456

ThebeginningThespongeconstruction

InsideKeccakAnalysisunderlyingKeccakApplicationsofKeccak,orspongeSomeideasfortheSHA-3standard

46/60

Someideas

for

the

SHA-3

standard

Capacity

and

security

strength

levels

Outputlengthorientedapproach


53/71

Outputlength

Collisionresistance

Pre-imageresistance

Requiredcapacity

Relativeperf.

SHA-3instance

n=160 s80 s160 c=320 1.250 SHA3n160n=224 s112 s224 c=448 1.125 SHA3n224n=256 s128 s256 c=512 1.063 SHA3n256n=384 s192 s384 c=768 1.231 SHA3n384n=512 s256 s512 c=1024 1.778 SHA3n512n sn/2 sn c=2n 1600c1024

s:securitystrengthlevel[NISTSP800-57]TheseSHA-3instancesaddress

multiplesecuritystrengthseachlevelsoutsideof[NISTSP800-57]range

Performancepenalty!47/60

SomeideasfortheSHA-3standard Capacityandsecuritystrengthlevels

Securitystrengthorientedapproach


54/71

Securitystrength

Collisionresistance

Pre-imageresistance

Requiredcapacity

Relativeperf.

SHA-3instance

s=80 n160 n80 c=160 1.406 SHA3c160s=112 n224 n112 c=224 1.343 SHA3c224s=128 n256 n128 c=256 1.312 SHA3c256s=192 n384 n192 c=384 1.188 SHA3c384s=256 n512 n256 c=512 1.063 SHA3c512s n2s ns c=2s 1600c1024 SHA3[c=2s]

s:securitystrengthlevel[NISTSP800-57]TheseSHA-3instances

areconsistentwithphilosophyof[NISTSP800-57]provideaone-to-onemappingtosecuritystrengthlevels

Higherefficiency48/60


Choosingthecapacity


55/71

Ideasfordiscussion1 LetSHA-3beasponge

AllowfreedominchoosingcAllowvariableoutputlength

2 DecouplesecurityandoutputlengthSetminimumcapacityc2sfor[SP800-57]slevels

3 BasenamingschemeonsecuritylevelForinstanceSHA3c180forKeccak[c=180]

4 ForSHA-2-ndrop-inreplacements,avoidslowinstancesExampleoption1:c=nExampleoption2:c=min{2n,576}Exampleoption3:c=576

49/60


Choosingthecapacity


56/71






49/60


Choosingthecapacity


57/71






49/60


Choosingthecapacity


58/71






49/60

SomeideasfortheSHA-3standard Structure

Structuringthestandard


59/71

Permutation Primitive

Sponge Duplex Construction

Hashing MAC PRNG Auth. Enc. Mode

Ideasfordiscussion1 StandardizeKeccak-f,constructionsandmodesseparately

ConstructionsandmodesdefinedindependentlyofKeccak-fLikeblockciphersandtheirmodes(Itseemsyouhavethisinmindtoo.)

2 Proposeaguidelineforinterfacesbetweenthese

50/60

SomeideasfortheSHA-3standard Inputformatting

MultipleinstancesofKeccak


60/71

Sponge Duplex

Valid sponge input, rate-separated

Multi-ratepaddingc1

=

c2

Keccak[c

=

c1]

and

Keccak[c

=

c2]

independent

Jointsecurityleveldeterminedbymin{c1,c2}[KeccakTeam,SAC2011]

51/60


Domainseparation


61/71

Sponge Duplex

Valid sponge input, rate- and mode-separated

Ideafordiscussion1 Foreseedomainseparationfromthestart

TopreventpotentialclashesbetweendifferentmodesIfpossible,anyonecandefinehis/herdomain

52/60


Example:domainseparationwithnamespaces


62/71

Basicidea:prefixinputwithnamespaceidentifier(URI)PayloadsyntaxdeterminedbynamespaceInspiredfromXML[http://www.w3.org/TR/REC-xml-names/]

Presenceofnamespaceindicatedbysuffixplaininput||0||101UTF8(URI)||08||specifically-formattedinput||1||101

53/60

SomeideasfortheSHA-3standard Parallelhashing

Parallelhashing
http://www.w3.org/TR/REC-xml-names/http://www.w3.org/TR/REC-xml-names/


63/71

ProsCanexploitparallelisminSIMDinstructionsCanexploitparallelisminmulti-coreordistributedsystemsInducenothroughputpenaltywhenlessparallelismavailable(forlongmessages)

ConsNeedsmorememoryInduceaperformancepenaltyforshortmessages

54/60


Auniversalwaytoencodeatree


64/71

Tworelated,yetdistinct,aspectstospecify:theexact(parameterized)treelayoutandprocessing;theinputformattingofleavesandnodes.12

GoalsAddresstheinputformattingonlyBeuniversalagnosticoffuturetreestructurespecificationsBesound[KeccakTeam,ePrint2009/210]

ExtrafeaturesFlexiblewaystospreadmessagebitsonnodes,e.g.,

interleaved64-bitpiecesforSIMD1MBchunksforindependentprocesses

Possiblere-useofhashfunctioncontext(connectedhops)

55/60




65/71

Tworelated,yetdistinct,aspectstospecify:theexact(parameterized)treelayoutandprocessing;theinputformattingofleavesandnodes.

GoalsAddresstheinputformattingonlyBeuniversal

12

agnosticoffuturetreestructurespecificationsBesound[KeccakTeam,ePrint2009/210]




55/60




66/71

Tworelated,yetdistinct,aspectstospecify:theexact(parameterized)treelayoutandprocessing;theinputformattingofleavesandnodes.

GoalsAddresstheinputformattingonlyBeuniversal

12

agnosticoffuturetreestructurespecificationsBesound[KeccakTeam,ePrint2009/210]




55/60


Example1/3


67/71

CVi=h(Mi||{leaf}||nonfinal)h(M0||{leaf}||CV1||CV2||CV3||{#C=4,CH,I=64}||final)

56/60


Example2/3


68/71

CVi1=h(Mi1||{leaf}||nonfinal)CVi=h(Mi0||{leaf}||CVi1||{#C=2,CH}||nonfinal)h(CV0||CV1||{#C=2}||final)

57/60


Example3/3


69/71

h(M||{leaf}||final)

58/60


ParallelhashinginSHA-3


70/71

h(M||{leaf}||final)Ideafordiscussion

1 EvenifnoparallelhashingmodeisstandardizedatfirstForeseeitintheinputformattingMakedefaultsequentialhashingaparticularcaseofparallelhashing(i.e.,asinglerootnode)[KeccakTeam,ePrint2009/210]

59/60

Conclusion

Questions?


71/71

http://sponge.noekeon.org/http://keccak.noekeon.org/

60/ 60
http://sponge.noekeon.org/http://keccak.noekeon.org/http://keccak.noekeon.org/http://sponge.noekeon.org/

Keccak Slides at NIST

Documents

Transcript of Keccak Slides at NIST