Keccak Slides at NIST
Transcript of Keccak Slides at NIST
-
8/12/2019 Keccak Slides at NIST
Keccak and the SHA-3 Standardization
Guido Bertoni (1), Joan Daemen (1), Michaël Peeters (2), Gilles Van Assche (1)
(1) STMicroelectronics, (2) NXP Semiconductors
NIST, Gaithersburg, MD, February 6, 2013
-
Outline
1 The beginning
2 The sponge construction
3 Inside Keccak
4 Analysis underlying Keccak
5 Applications of Keccak, or sponge
6 Some ideas for the SHA-3 standard
-
The beginning
-
Cryptographic hash functions
h : {0,1} {0,1}^n
Input message, Digest
MD5: n = 128 (Ron Rivest, 1992)
SHA-1: n = 160 (NSA, NIST, 1995)
SHA-2: n {224, 256, 384, 512} (NSA, NIST, 2001)
-
Our beginning: RadioGatún
Initiative to design hash/stream function (late 2005)
  rumours about NIST call for hash functions
  forming of Keccak Team
  starting point: fixing Panama [Daemen, Clapp, FSE 1998]
RadioGatún [Keccak team, NIST 2nd hash workshop 2006]
  more conservative than Panama
  variable-length output
  expressing security claim: non-trivial exercise
Sponge functions [Keccak team, Ecrypt hash, 2007]
  closest thing to a random oracle with a finite state
  Sponge construction calling random permutation
-
From RadioGatún to Keccak
RadioGatún confidence crisis (2007-2008)
  own experiments did not inspire confidence in RadioGatún
  neither did third-party cryptanalysis [Bouillaguet, Fouque, SAC 2008] [Fuhr, Peyrin, FSE 2009]
  follow-up design Gnoblio went nowhere
  NIST SHA-3 deadline approaching
  U-turn: design a sponge with strong permutation f
Keccak [Keccak team, SHA-3, 2008]
-
The sponge construction
-
The sponge construction
More general than a hash function: arbitrary-length output
Calls a b-bit permutation f, with b = r + c
  r bits of rate
  c bits of capacity (security parameter)
-
Generic security of the sponge construction
RO-differentiating advantage $N^2/2^{c+1}$
  N is number of calls to f
  Proven in [Keccak team, Eurocrypt 2008]
As strong as a random oracle against attacks with N
-
Design approach
Hermetic sponge strategy
  Instantiate a sponge function
  Claim a security level of $2^{c/2}$
Mission
  Design permutation f without exploitable properties
-
How to build a strong permutation
Build it as an iterated permutation
Like a block cipher
  Sequence of identical rounds
  Round consists of sequence of simple step mappings
but not quite
  No key schedule
  Round constants instead of round keys
  Inverse permutation need not be efficient
-
Criteria for a strong permutation
Classical LC/DC criteria
  Absence of large differential propagation probabilities
  Absence of large input-output correlations
Infeasibility of the CICO problem
  Constrained Input Constrained Output
  Given partial input and partial output, find missing parts
Immunity to
  Integral cryptanalysis
  Algebraic attacks
  Slide and symmetry-exploiting attacks
-
Inside Keccak
-
Keccak
Instantiation of a sponge function
  the permutation Keccak-f
  7 permutations: b {25, 50, 100, 200, 400, 800, 1600}
Security-speed trade-offs using the same permutation, e.g.,
  SHA-3 instance: r = 1088 and c = 512
    permutation width: 1600
    security strength 256: post-quantum sufficient
  Lightweight instance: r = 40 and c = 160
    permutation width: 200
    security strength 80: same as SHA-1
-
The state: an array of 552 bits
Figure: the state with axes x, y, z; successive slides highlight state, lane, slice, row, column
55 lanes, each containing 2 bits (1, 2, 4, 8, 16, 32 or 64)
(55)-bit slices, 2 of them
-
, the nonlinear mapping in Keccak-f
Flip bit if neighbors exhibit 01 pattern
Operates independently and in parallel on 5-bit rows
Algebraic degree 2, inverse has degree 3
LC/DC propagation properties easy to describe and analyze
-
, a first attempt at mixing bits
Compute parity $c_{x,z}$ of each column
Add to each cell parity of neighboring columns:
  $b_{x,y,z} = a_{x,y,z} + c_{x-1,z} + c_{x+1,z}$
Figure: column parity, effect, combine
-
Diffusion of
-
Diffusion of (kernel)
-
Diffusion of the inverse of
-
for inter-slice dispersion
We need diffusion between the slices:
  cyclic shifts of lanes with offsets i(i+1)/2 mod 2
  Offsets cycle through all values below 2
-
to break symmetry
XOR of round-dependent constant to lane in origin
Without, the round mapping would be symmetric
  invariant to translation in the z-direction
Without, all rounds would be the same
  susceptibility to slide attacks
  defective cycle structure
Without, we get simple fixed points (000 and 111)
-
A first attempt at Keccak-f
Round function: R =
Problem: low-weight periodic trails by chaining:
  : may propagate unchanged
  : propagates unchanged, because all column parities are 0
  : in general moves active bits to different slices but not always
-
The Matryoshka property
Patterns in Q are z-periodic versions of patterns in Q
-
for disturbing horizontal/vertical alignment
a_{x,y} a_{x,y} with   ( x )  =  ( 0 1 ) ( x )
                       ( y )     ( 2 3 ) ( y )
-
A second attempt at Keccak-f
Round function: R =
Solves problem encountered before:
  moves bits in same column to different columns!
-
Tweaking to
-
Inverse of
Diffusion from single-bit output to input very high
Increases resistance against LC/DC and algebraic attacks
-
Keccak-f summary
Round function: R =
Number of rounds: 12 + 2
  Keccak-f[25] has 12 rounds
  Keccak-f[1600] has 24 rounds
Efficiency
  high level of parallelism
  flexibility: bit-interleaving
  software: competitive on wide range of CPU
  dedicated hardware: very competitive
  suited for protection against side-channel attack
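Added example, not code from the slides or from the Keccak team: a plain-Python Keccak-f[1600] with the sponge construction around it (b = r + c, absorb then squeeze), checked against `hashlib`'s `sha3_256` and `shake_256`, which were standardised after this talk and both use the r = 1088, c = 512 instance. The suffix bytes 0x06 and 0x1F are the FIPS 202 domain-separation values and are not on the slides; all function names are this example's own.

```python
import hashlib

MASK = (1 << 64) - 1

def rol(v, n):
    """Rotate a 64-bit lane left by n bits."""
    n %= 64
    return ((v << n) | (v >> (64 - n))) & MASK

def keccak_f1600(A):
    """Keccak-f[1600] on 25 lanes of 64 bits, indexed A[x + 5*y]."""
    A, lfsr = list(A), 1
    for _ in range(24):                       # 24 rounds for width 1600
        # theta: XOR into each lane the parity of column x-1 and of column x+1
        # (the latter rotated by one position along z)
        C = [A[x] ^ A[x+5] ^ A[x+10] ^ A[x+15] ^ A[x+20] for x in range(5)]
        D = [C[(x + 4) % 5] ^ rol(C[(x + 1) % 5], 1) for x in range(5)]
        A = [A[i] ^ D[i % 5] for i in range(25)]
        # rho + pi: rotate each lane by (t+1)(t+2)/2, then move it to a new (x, y)
        x, y, cur = 1, 0, A[1]
        for t in range(24):
            x, y = y, (2 * x + 3 * y) % 5
            cur, A[x + 5*y] = A[x + 5*y], rol(cur, (t + 1) * (t + 2) // 2)
        # chi: the only nonlinear step, applied to every 5-lane row
        for r in range(0, 25, 5):
            T = A[r:r + 5]
            for x in range(5):
                A[r + x] = T[x] ^ (~T[(x + 1) % 5] & T[(x + 2) % 5])
        # iota: round constant (generated by an 8-bit LFSR) into lane (0, 0)
        for j in range(7):
            lfsr = ((lfsr << 1) ^ ((lfsr >> 7) * 0x71)) % 256
            if lfsr & 2:
                A[0] ^= 1 << ((1 << j) - 1)
    return A

def sponge(msg, rate_bytes, suffix, out_len):
    """Keccak[r, c = 1600 - r]: absorb msg, then squeeze out_len bytes."""
    if rate_bytes % 8 or not 0 < rate_bytes < 200 or not 0 < suffix < 0x80:
        raise ValueError("unsupported rate or suffix")
    # Domain-separation suffix, then multi-rate padding up to a full block.
    padded = bytearray(msg) + bytearray(rate_bytes - len(msg) % rate_bytes)
    padded[len(msg)] ^= suffix
    padded[-1] ^= 0x80
    lanes, state = rate_bytes // 8, [0] * 25
    for off in range(0, len(padded), rate_bytes):          # absorbing
        for i in range(lanes):
            state[i] ^= int.from_bytes(padded[off + 8*i: off + 8*i + 8], "little")
        state = keccak_f1600(state)
    out = b""
    while True:                                            # squeezing
        out += b"".join(v.to_bytes(8, "little") for v in state[:lanes])
        if len(out) >= out_len:
            return out[:out_len]
        state = keccak_f1600(state)

if __name__ == "__main__":
    m = b"Keccak and the SHA-3 standardization"  # constructed sample input
    # r = 1088 bits (136 bytes), c = 512: the instance named on the slides.
    print(sponge(m, 136, 0x06, 32) == hashlib.sha3_256(m).digest())
    print(sponge(m, 136, 0x1F, 300) == hashlib.shake_256(m).digest(300))
```

The same permutation and rate give a fixed-length hash or an arbitrary-length output; only the suffix byte and the number of squeezed bytes change.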
-
Performance in software
Faster than SHA-2 on all modern PC
KeccakTree faster than MD5 on some platforms

C/b     Algo                Strength
4.79    keccakc256treed2    128
4.98    md5
5.89    keccakc512treed2
6.09    sha1
8.25    keccakc256
10.02   keccakc512
13.73   sha512
21.66   sha256
-
Efficient and flexible in hardware
From Kris Gaj's presentation at SHA-3, Washington 2012:
-
Analysis underlying Keccak
-
Our analysis underlying the design of Keccak-f
Presence of large input-output correlations
Ability to control propagation of differences
  Differential/linear trail analysis
  Lower bounds for trail weights
  Alignment and trail clustering
  This shaped , and
Algebraic properties
  Distribution of # terms of certain degrees
  Ability of solving certain problems (CICO) algebraically
  Zero-sum distinguishers (third party)
  This determined the number of rounds
Analysis of symmetry properties: this shaped
See [Keccak reference], [Ecrypt II Hash 2011], [FSE 2012]
-
Third-party cryptanalysis of Keccak
Distinguishers on Keccak-f[1600]

Rounds  Work
3       low          CICO problem [Aumasson, Khovratovich, 2009]
4       low          cube testers [Aumasson, Khovratovich, 2009]
8       $2^{491}$    unaligned rebound [Duc, Guo, Peyrin, Wei, FSE 2012]
24      $2^{1574}$   zero-sum [Duan, Lai, ePrint 2011] [Boura, Canteaut, De Cannière, FSE 2011]

Academic-complexity attacks on Keccak
  6-8 rounds: second preimage [Bernstein, 2010]
    slightly faster than exhaustive search, but huge memory
  attacks taking advantage of symmetry
    4-round pre-images [Morawiecki, Pieprzyk, Srebrny, FSE 2013]
    5-rounds collisions [Dinur, Dunkelman, Shamir, FSE 2013]
-
Third-party cryptanalysis of Keccak
Practical-complexity attacks on Keccak

Rounds
2       preimages and collisions [Morawiecki, CC]
2       collisions [Duc, Guo, Peyrin, Wei, FSE 2012 and CC]
3       40-bit preimage [Morawiecki, Srebrny, 2010]
3       near collisions [Naya-Plasencia, Röck, Meier, Indocrypt 2011]
4       key recovery [Lathrop, 2009]
4       distinguishers [Naya-Plasencia, Röck, Meier, Indocrypt 2011]
4       collisions [Dinur, Dunkelman, Shamir, FSE 2012 and CC]
5       near-collisions [Dinur, Dunkelman, Shamir, FSE 2012]

CC = Crunchy Crypto Collision and Preimage Contest
-
Observations from third-party cryptanalysis
Extending distinguishers of Keccak-f to Keccak is not easy
Effect of alignment on differential/linear propagation
  Strong: low uncertainty in prop. along block boundaries
  Weak: high uncertainty in prop. along block boundaries
  Weak alignment in Keccak-f limits feasibility of rebound attacks
Effect of the inverse of the mixing layer
  1 has very high average diffusion
  Limits the construction of low-weight trails over more than a few rounds
-
Applications of Keccak, or sponge
-
Regular hashing
Electronic signatures
Data integrity (shaXsum)
Data identifier (Git, online anti-virus, peer-2-peer)
-
Salted hashing
Randomized hashing (RSASSA-PSS)
Password storage and verification (Kerberos, /etc/shadow)
Can be as slow as you like it!
-
Mask generation function
Key derivation function in SSL, TLS
Full-domain hashing in public key cryptography
  electronic signatures RSASSA-PSS [PKCS#1]
  encryption RSAES-OAEP [PKCS#1]
  key encapsulation methods (KEM)
-
Message authentication codes
Figure: sponge diagram (0, f, Key, Padded message, MAC)
As a message authentication code
Simpler than HMAC [FIPS 198]
  Required for SHA-1, SHA-2 due to length extension property
  No longer needed for sponge
-
Stream encryption
Figure: sponge diagram (0, f, Key, IV, Key stream)
As a stream cipher
  Long output stream per IV: similar to OFB mode
  Short output stream per IV: similar to counter mode
-
Single pass authenticated encryption
Figure: sponge diagram (0, f, Key, IV, Padded message, Key stream, MAC)
Authentication and encryption in a single pass!
Secure messaging (SSL/TLS, SSH, IPSEC)
-
The duplex construction
Generic security equivalent to Sponge [Keccak Team, SAC 2011]
Applications include:
  Authenticated encryption: spongeWrap
  Reseedable pseudorandom sequence generator
-
Reseedable pseudorandom sequence generator
Defined in [Keccak Team, CHES 2010] and [Keccak Team, SAC 2011]
Support for forward secrecy by forgetting in duplex:
-
Some ideas for the SHA-3 standard
-
Output length oriented approach

Output   Collision    Pre-image    Required    Relative   SHA-3
length   resistance   resistance   capacity    perf.      instance
n = 160  s80          s160         c = 320     1.250      SHA3n160
n = 224  s112         s224         c = 448     1.125      SHA3n224
n = 256  s128         s256         c = 512     1.063      SHA3n256
n = 384  s192         s384         c = 768     1.231      SHA3n384
n = 512  s256         s512         c = 1024    1.778      SHA3n512
n        sn/2         sn           c = 2n      1600c1024

s: security strength level [NIST SP 800-57]
These SHA-3 instances address
  multiple security strengths each
  levels outside of [NIST SP 800-57] range
Performance penalty!
-
Security strength oriented approach

Security  Collision    Pre-image    Required   Relative   SHA-3
strength  resistance   resistance   capacity   perf.      instance
s = 80    n160         n80          c = 160    1.406      SHA3c160
s = 112   n224         n112         c = 224    1.343      SHA3c224
s = 128   n256         n128         c = 256    1.312      SHA3c256
s = 192   n384         n192         c = 384    1.188      SHA3c384
s = 256   n512         n256         c = 512    1.063      SHA3c512
s         n2s          ns           c = 2s     1600c1024  SHA3[c=2s]

s: security strength level [NIST SP 800-57]
These SHA-3 instances
  are consistent with philosophy of [NIST SP 800-57]
  provide a one-to-one mapping to security strength levels
Higher efficiency
-
Choosing the capacity
Ideas for discussion
1 Let SHA-3 be a sponge
    Allow freedom in choosing c
    Allow variable output length
2 Decouple security and output length
    Set minimum capacity c2s for [SP 800-57] s levels
3 Base naming scheme on security level
    For instance SHA3c180 for Keccak[c = 180]
4 For SHA-2-n drop-in replacements, avoid slow instances
    Example option 1: c = n
    Example option 2: c = min{2n, 576}
    Example option 3: c = 576
-
Structuring the standard
Figure (layers):
  Primitive: Permutation
  Construction: Sponge, Duplex
  Mode: Hashing, MAC, PRNG, Auth. Enc.
Ideas for discussion
1 Standardize Keccak-f, constructions and modes separately
    Constructions and modes defined independently of Keccak-f
    Like block ciphers and their modes
    (It seems you have this in mind too.)
2 Propose a guideline for interfaces between these
-
Multiple instances of Keccak
Figure: Sponge, Duplex; valid sponge input, rate-separated
Multi-rate padding
  c1 = c2 Keccak[c = c1] and Keccak[c = c2] independent
  Joint security level determined by min{c1, c2} [Keccak Team, SAC 2011]
-
Domain separation
Figure: Sponge, Duplex; valid sponge input, rate- and mode-separated
Idea for discussion
1 Foresee domain separation from the start
    To prevent potential clashes between different modes
    If possible, anyone can define his/her domain
-
Example: domain separation with namespaces
Basic idea: prefix input with namespace identifier (URI)
  Payload syntax determined by namespace
  Inspired from XML [http://www.w3.org/TR/REC-xml-names/]
Presence of namespace indicated by suffix
  plain input || 0 || 101
  UTF8(URI) || 08 || specifically-formatted input || 1 || 101
-
Parallel hashing
Pros
  Can exploit parallelism in SIMD instructions
  Can exploit parallelism in multi-core or distributed systems
  Induce no throughput penalty when less parallelism available (for long messages)
Cons
  Needs more memory
  Induce a performance penalty for short messages
-
A universal way to encode a tree
Two related, yet distinct, aspects to specify:
1 the exact (parameterized) tree layout and processing;
2 the input formatting of leaves and nodes.
Goals
  Address the input formatting only
  Be universal
    agnostic of future tree structure specifications
  Be sound [Keccak Team, ePrint 2009/210]
Extra features
  Flexible ways to spread message bits on nodes, e.g.,
    interleaved 64-bit pieces for SIMD
    1 MB chunks for independent processes
  Possible re-use of hash function context (connected hops)
-
Example 1/3
CV_i = h(M_i || {leaf} || nonfinal)
h(M_0 || {leaf} || CV_1 || CV_2 || CV_3 || {#C=4, CH, I=64} || final)
-
Example 2/3
CV_{i1} = h(M_{i1} || {leaf} || nonfinal)
CV_i = h(M_{i0} || {leaf} || CV_{i1} || {#C=2, CH} || nonfinal)
h(CV_0 || CV_1 || {#C=2} || final)
-
Example 3/3
h(M || {leaf} || final)
-
Parallel hashing in SHA-3
h(M || {leaf} || final)
Idea for discussion
1 Even if no parallel hashing mode is standardized at first
    Foresee it in the input formatting
    Make default sequential hashing a particular case of parallel hashing (i.e., a single root node) [Keccak Team, ePrint 2009/210]
-
Conclusion
Questions?
http://sponge.noekeon.org/
http://keccak.noekeon.org/