SHA-3 vs the world - OWASP (transcript)
David Wong
Merkle–Damgård hash functions: Snefru, MD4, MD5, SHA-1, SHA-2
SHA-3 competition finalists: Keccak, BLAKE, Grøstl, JH, Skein
Outline
1. SHA-3  2. derived functions  3. derived protocols
permutation-based cryptography
AES is a permutation: for a fixed key (here 0000000000000000), every input block maps to exactly one output block and every output block comes from exactly one input, so the keyed block cipher is one fixed permutation f of the block space.
Sponge Construction
The state (initially all zeros, 00000000) is split into two parts: the rate r, which the outside world touches, and the capacity c, which it never does. Where the AES slide had a fixed key of 0000000000000000, the sponge simply runs the permutation f on the whole r || c state.
Absorbing: a message block is XORed into the rate part (00000 000 ⊕ 01011 001, then ⊕ 11100 010 for the next block), f is applied, and the next block is XORed in; this continues until the whole message has been absorbed.
Squeezing: once the message is absorbed, the rate part is read out as output; for more output, f is applied again and the rate part is read again, as many times as needed.
Keccak: Guido Bertoni, Joan Daemen, Michaël Peeters and Gilles Van Assche
Timeline: SHA-3 competition 2007 to 2012; SHA-3 standard (FIPS 202) 2015
Where is SHA-3 being used?
Outline
1. SHA-3  2. derived functions  3. derived protocols
SHAKE is a XOF (extendable-output function)
Timeline: SHA-3 competition 2007 to 2012; SHA-3 standard (FIPS 202) 2015; SP 800-185 2016
KMAC, TupleHash, ParallelHash

KMAC:
message || SHA-256(message): no key, so anyone can recompute the tag.
message || SHA-256(key || message): a prefix-key MAC built on a Merkle–Damgård hash.
message || more || SHA-256(key || message || more): length extension. The SHA-256 tag is the hash's full internal state, so an attacker who knows the tag (and only the key length) can keep hashing, append "more" and produce a valid tag without the key.
message || SHAKE(key || message): with a sponge the output is only the rate part and the capacity stays hidden, so the prefix-key construction is sound; KMAC standardises it.

TupleHash:
my RSA public key = (e, N), fingerprint = SHA-256(e || N)
fingerprint1 = SHA-256(1010110000000010001…) with the bits split as e | N at one position
fingerprint2 = SHA-256(1010110000000010001…) with the same bits split as e | N at another position
Two different keys, one concatenated bitstring, the same fingerprint.
SHAKE(len(e) || e || len(N) || N) encodes the boundaries, so the two keys hash differently; that is TupleHash.
Sponge Construction figure (absorbing, then squeezing) shown again.
KMAC: message || SHAKE(key || message)
TupleHash: SHAKE(len(e) || e || len(N) || N)
ParallelHash: SHAKE(SHAKE(b1) || SHAKE(b2) || SHAKE(b3) || …), with the blocks b1, b2, b3, … hashed in parallel
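Added example, not from the talk and not the SP 800-185 reference code: the three derived functions sketched above, built on hashlib's SHAKE128. The length-prefix encoding with 4-byte lengths, the KEY_A/KEY_B values and the ParallelHash header are this example's own simplifications; the real KMAC, TupleHash and ParallelHash encodings differ, so these outputs are not interoperable with them. It shows the SHA-256(e || N) ambiguity on two constructed keys, a length-prefixed tuple hash that removes it, a prefix-key MAC over SHAKE, and a parallel hash whose inner hashes run on a thread pool.

```python
import hashlib
import hmac
from concurrent.futures import ThreadPoolExecutor


def naive_fingerprint(e: bytes, n: bytes) -> bytes:
    """SHA-256(e || N): the boundary between e and N is lost in the concatenation."""
    return hashlib.sha256(e + n).digest()


def length_prefixed(parts) -> bytes:
    """len(b1) || b1 || len(b2) || b2 || ... with 4-byte big-endian lengths.
    Illustrative encoding only (assumption); SP 800-185 uses its own encodings."""
    return b"".join(len(p).to_bytes(4, "big") + p for p in parts)


def tuple_hash(parts, out_len: int = 32) -> bytes:
    """TupleHash-style: SHAKE128(len(e) || e || len(N) || N), unambiguous."""
    return hashlib.shake_128(length_prefixed(parts)).digest(out_len)


def keyed_mac(key: bytes, message: bytes, out_len: int = 32) -> bytes:
    """KMAC-style prefix-key MAC: SHAKE128(len(key) || key || len(msg) || msg).
    The sponge never outputs its capacity, so a tag gives no way to go on
    absorbing "more" without the key (no length extension)."""
    return hashlib.shake_128(length_prefixed([key, message])).digest(out_len)


def verify_mac(key: bytes, message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(keyed_mac(key, message, len(tag)), tag)


def parallel_hash(message: bytes, block_size: int = 64, out_len: int = 32) -> bytes:
    """ParallelHash-style: SHAKE(SHAKE(b1) || SHAKE(b2) || ...). The inner hashes are
    independent, so they run on a thread pool; block size and block count are
    bound into the outer hash so different splittings cannot collide."""
    blocks = [message[i:i + block_size] for i in range(0, len(message), block_size)]
    with ThreadPoolExecutor() as pool:
        inner = b"".join(pool.map(lambda b: hashlib.shake_128(b).digest(32), blocks))
    header = block_size.to_bytes(4, "big") + len(blocks).to_bytes(4, "big")
    return hashlib.shake_128(header + inner).digest(out_len)


# Constructed example: two different RSA public keys whose e || N byte strings coincide.
KEY_A = (b"\x01\x00\x01", b"\xc3\x5a\x9e\x11")   # e = 65537, N = 0xc35a9e11
KEY_B = (b"\x01\x00", b"\x01\xc3\x5a\x9e\x11")   # e = 256,   N = 0x01c35a9e11


def fingerprints_collide() -> bool:
    return naive_fingerprint(*KEY_A) == naive_fingerprint(*KEY_B)


def tuple_hashes_differ() -> bool:
    return tuple_hash(KEY_A) != tuple_hash(KEY_B)


if __name__ == "__main__":
    print("naive fingerprints collide:", fingerprints_collide())
    print("tuple hashes differ:      ", tuple_hashes_differ())
    tag = keyed_mac(b"shared-key", b"GET /")
    print("mac verifies:", verify_mac(b"shared-key", b"GET /", tag))
```

The same boundary problem appears whenever fields of variable length are concatenated before hashing or signing; encoding each length (or using TupleHash itself) is the fix, and a fixed-length field order on its own is not enough once any field can vary in size.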
Timeline: SHA-3 competition 2007 to 2012; SHA-3 / SHAKE 2015; TupleHash / ParallelHash / KMAC 2016
Other Keccak-based designs: Keyak and Ketje (authenticated encryption), KangarooTwelve & MarsupilamiFourteen (faster hashing with a reduced number of Keccak rounds)
github.com/gvanas/KeccakCodePackage
Outline
1. SHA-3  2. derived functions  3. derived protocols
Sponge Construction figure (message absorbing, output squeezing) shown again.
Duplex Construction
init: state = 0 0 0 0 0 0 0 0. Each duplexing call XORs an input block into the rate part, applies f, and hands back the rate part as output, so input and output alternate on every call instead of being separated into an absorbing phase and a squeezing phase.
Keyed-mode: the first duplexing call after init absorbs the key. The state now contains a secret part (the capacity); since only rate bits are ever output, the rate is the only part that can leak and the secret part stays inside.
Encryption: ciphertext1 = plaintext1 ⊕ (rate output of the keyed state). The rate bits act as a keystream; the ciphertext is what both sides see, so both can continue from the same state.
Authenticated Encryption: one more duplexing call after ciphertext1 squeezes out tag1, which depends on the key and on everything absorbed so far.
Sessions: ciphertext2 = plaintext2 ⊕ output and then tag2 follow from the same state, so tag2 authenticates the whole transcript (message 1 then message 2, in that order) rather than message 2 on its own.
Strobe
myProtocol = Strobe_init("myWebsite.com")
myProtocol.KEY(sharedSecret)
buffer += myProtocol.send_ENC("GET /")
buffer += myProtocol.send_MAC(len=16)
# send the buffer
# receive a ciphertext
message = myProtocol.recv_ENC(ciphertext[:-16])
ok = myProtocol.recv_MAC(ciphertext[-16:])
if not ok:
    # reset the connection
Hash Function
myHash = Strobe_init("hash")
myHash.AD("something to be hashed")
hash = myHash.PRF(outputLen=16)
Key Derivation Function
KDF = Strobe_init("deriving keys")
KDF.KEY(keyExchangeOutput)
keys = KDF.PRF(outputLen=32)
key1 = keys[:16]
key2 = keys[16:]
Inside Strobe, every operation is framed: the operation type (KEY, AD, send_ENC, send_MAC, …) is absorbed into the state together with its data, with f applied between operations, so the state records which operations happened and in what order.
init: state = 00000000
operation = KEY, data = 010100…: the key is XORed into the state, then f
operation = AD, data = 010100…: associated data is XORed into the state, then f
operation = send_ENC, data = hello: the rate output is XORed with "hello" to give the ciphertext, then f
operation = send_MAC, len = 16: 16 bytes of rate output are taken as the tag
strobe.sourceforge.io
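Added example, not Strobe's code and not the Strobe specification: a duplex object with Strobe-like operations (KEY, AD, send_ENC/recv_ENC, send_MAC/recv_MAC, PRF) that ties together the Duplex Construction, keyed mode, encryption, authenticated encryption, sessions and the framed operations above. Keccak-f is replaced by a stand-in permutation (a 4-round Feistel network with SHA-256 as the round function) so the file needs only the standard library; STATE_BYTES, RATE, the operation tags and the framing with a 4-byte length are this example's own choices.

```python
import hashlib
import hmac

STATE_BYTES = 64   # assumed toy state size: RATE bytes are exposed per call, the rest is capacity
RATE = 16
OPS = {"KEY": 1, "AD": 2, "ENC": 3, "PRF": 4}   # operation tags used for framing (assumption)


def f(state: bytes) -> bytearray:
    """Stand-in for Keccak-f: a 4-round Feistel network with SHA-256 as round function.
    A Feistel network is invertible, so this really is a permutation of the 64-byte
    state, but it is for illustration only and is not a vetted design."""
    left, right = bytes(state[:32]), bytes(state[32:])
    for rnd in range(4):
        mix = hashlib.sha256(bytes([rnd]) + right).digest()
        left, right = right, bytes(a ^ b for a, b in zip(left, mix))
    return bytearray(left + right)


class Duplex:
    """Simplified Strobe-style duplex object (not the Strobe specification)."""

    def __init__(self, protocol: bytes):
        self.state = bytearray(STATE_BYTES)           # init: all-zero state
        self.ad(protocol)                             # domain-separate by protocol name

    def _begin(self, op: str, length: int) -> None:
        # Frame each operation with its type and length before its data, then run f,
        # so AD(b"ab") and AD(b"a") + AD(b"b") reach different states.
        frame = bytes([OPS[op]]) + length.to_bytes(4, "little")
        for j, b in enumerate(frame):
            self.state[j] ^= b
        self.state = f(self.state)

    def _absorb(self, data: bytes) -> None:
        for i in range(0, len(data), RATE):           # duplexing: XOR into the rate, then f
            for j, b in enumerate(data[i:i + RATE]):
                self.state[j] ^= b
            self.state = f(self.state)

    def key(self, k: bytes) -> None:                  # keyed mode: the key goes in first
        self._begin("KEY", len(k))
        self._absorb(k)

    def ad(self, data: bytes) -> None:
        self._begin("AD", len(data))
        self._absorb(data)

    def send_enc(self, plaintext: bytes) -> bytes:
        self._begin("ENC", len(plaintext))
        out = bytearray()
        for i in range(0, len(plaintext), RATE):
            for j, p in enumerate(plaintext[i:i + RATE]):
                c = self.state[j] ^ p                 # keystream = the exposed rate bytes
                out.append(c)
                self.state[j] = c                     # the ciphertext is what goes back in
            self.state = f(self.state)
        return bytes(out)

    def recv_enc(self, ciphertext: bytes) -> bytes:
        self._begin("ENC", len(ciphertext))
        out = bytearray()
        for i in range(0, len(ciphertext), RATE):
            for j, c in enumerate(ciphertext[i:i + RATE]):
                out.append(self.state[j] ^ c)
                self.state[j] = c                     # same state transition as the sender
            self.state = f(self.state)
        return bytes(out)

    def prf(self, n: int) -> bytes:                   # squeeze n bytes: hash output, tag, keys
        self._begin("PRF", n)
        out = bytearray()
        while len(out) < n:
            out += self.state[:RATE]
            self.state = f(self.state)
        return bytes(out[:n])

    send_mac = prf                                    # a tag is just squeezed output

    def recv_mac(self, tag: bytes) -> bool:
        return hmac.compare_digest(self.prf(len(tag)), tag)


def duplex_hash(data: bytes, n: int = 32) -> bytes:
    h = Duplex(b"hash")
    h.ad(data)
    return h.prf(n)


def session(key_client: bytes, key_server: bytes, tamper: bool = False):
    """One direction of a session: the client encrypts and MACs, the server checks."""
    client = Duplex(b"myWebsite.com")
    client.key(key_client)
    server = Duplex(b"myWebsite.com")
    server.key(key_server)
    ct = client.send_enc(b"GET /") + client.send_mac(16)
    if tamper:                                        # flip one ciphertext bit in transit
        ct = bytes([ct[0] ^ 0x01]) + ct[1:]
    msg = server.recv_enc(ct[:-16])
    return msg, server.recv_mac(ct[-16:])


if __name__ == "__main__":
    print(session(b"\x11" * 32, b"\x11" * 32))
    print(session(b"\x11" * 32, b"\x11" * 32, tamper=True))
```

Because the state carries over, a tag on a second message depends on the first; flipping one ciphertext byte changes the server's state and recv_mac fails, as it does when the two sides hold different keys. The same object doubles as a hash (AD then PRF) and as a KDF (KEY then PRF), which is the point of the three Strobe snippets above.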
Outline
1. SHA-3  2. derived functions  3. derived protocols  4. Disco?
I write about crypto at www.cryptologie.net
I tweet my mind on twitter.com/lyon01_david
and I work here