Download - Keccak
Keccak
Presenters:Pratheep Joe Siluvai
Rajeev Verma
Overview
● Introduction to Hash function.● Secure Hash Algorithm (SHA)● SHA-3/Keccak
○ Design approach○ Inside Keccak○ Parts of Keccak-f
● Application & Strength● Efficiency● Our work● References
Hashing and Hash Function
• Hashing is the transformation of a string of characters into a usually shorter fixed-length value or key that represents the original string.
• In addition to faster data retrieval, hashing is also used to encrypt and decrypt digital signatures.
• The hashing algorithm is called the Hash Function which generates hash codes.
• Hash codes are stored in a table called hash table.
Hash function
• Algorithm that takes an arbitrary block of data and returns a fixed-size bit string.
• Used from digital signature to git repository to peer to peer transmission.
• Encoded data is called the "message," and the hash value is sometimes called the “message digest” or simply “digest”.
MD5 MD = 128 (Ron Rivest, 1992)SHA-1 MD = 160 (NSA, NIST, 1995)SHA-2 MD = 224/256/384/512 (NSA, NIST, 2001)
Secure Hash Algorithms (SHA’s)
• Family of cryptographic hash functions published by the National Institute of Standards and Technology (NIST)
• SHA defines as U.S. Federal Information Processing Standard (FIPS)
• SHA determine the integrity of a message. So, that any change in the message in the message result in different hash values with high probability.
• Steps for SHA :
– Preprocessing : Padding the data for blocking
– Hash Computation : Process blocks using the hash function.
SHA basics
SHA History
SHA–3 / Keccak● Selected on October 2012 as the winner of the NIST hash
function competition
● Not only a hash function.
● Based on the sponge function.
● Not meant to replace SHA-2.
Keccak Team
Guido Bertoni, Joan Daemen, Michaël Peeters and Gilles Van Assche
Keccak, a sponge function
● Variable input and output length
● More Flexible than regular hash function
● Parameters○ r bits– rate (defines the speed)○ c bits – capacity (defines the security level)
Design Approach● Instantiate a sponge function● Select the capacity and rate parameters
○ capacity + rate = 1600● Rata and capacity decides the strength.● Building an iterated permutation ● Like a block cipher
○ Sequence of identical rounds○ Round consists of sequence of simple step mappings
● No key Schedule , instead round constantsCapacity Rate Strength
256 1344 128
384 1216 192
512 1088 256
Inside Keccak
● The permutation Keccak-f ○ 7 permutations: b → {25, 50, 100, 200, 400, 800,
1600}
● Uses 24 permutation rounds○ Each round invokes 5 modules ○ Theta(θ), rho(ρ), Pi(Π), Chi(χ), iota(ϊ)
Pieces of states
Note : State is 5x5x64bits block.
Theta● Renders the internal state into a 5-by-5 array of 64-bit elements.● Computes the parities of each column and combines them with an
exclusive-or (XOR) operator. ● Then it XORs the resulting parity to each state bit as follows:
S[i][j][k] ^= parity(S[0...4][j-1][k]) ^ parity(S[0...4][j+1][k-1]) where i = 0...4; j = 0...4; k = 0...63
Rho
• The rho module rotates each 64-bit element by a triangular number 0, 1, 3, 6, 10, 15, …..
Pi• The pi module permutes the 64-bit elements.• Permutation follows the fixed pattern assignment shown below:
S[j][2*i + 3*j] = S[i][j]
Chi
• The chi module adds a non-linear aspect to the permutation round.• It combines the row elements using only three bitwise
operators: AND, NOT, and XOR. • Then it writes the result back to the state array as follows:
S[i][j][k] ^= ~S[i][j + 1][k] & S[i][j + 2][k]
Iota● The iota module breaks up any symmetry caused by the
other modules. ● This is done by XORing one of the array elements to a
round constant ● The module has 24 round constants to choose from.
These constants are defined internally by Keccak● Without ϊ , the round mapping would be symmetric
● Without ϊ , all rounds would be the same ○ susceptibility to slide attacks ○ defective cycle structure
Code Reference
Keccak-f[b](A) { forall i in 0…nr-1 A = Round[b](A, RC[i]) return A}
Round[b](A,RC) { θ step C[x] = A[x,0] xor A[x,1] xor A[x,2] xor A[x,3] xor A[x,4], forall x in 0…4 D[x] = C[x-1] xor rot(C[x+1],1), forall x in 0…4 A[x,y] = A[x,y] xor D[x], forall (x,y) in (0…4,0…4)
ρ and π steps B[y,2*x+3*y] = rot(A[x,y], r[x,y]), forall (x,y) in (0…4,0…4)
χ step A[x,y] = B[x,y] xor ((not B[x+1,y]) and B[x+2,y]), forall (x,y) in (0…4,0…4)
ι step A[0,0] = A[0,0] xor RC
return A}
Keccak Summary• Round function:
R = (ϊ) XOR (χ) XOR (Π) XOR (ρ) XOR (θ)• Number of rounds: 12 + 2ℓ
– Keccak-f[25] has 12 rounds – Keccak-f[1600] has 24 rounds
• Efficiency – high level of parallelism – flexibility: bit-interleaving – software: competitive on wide range of CPU – dedicated hardware: very competitive – suited for protection against side-channel attack
Applications
• Regular hashing – Electronic signatures – Data integrity– Data identifier
• Salted hashing (more complex security measure)– Randomized hashing – Password Storage and verification
• Message Authentication Code (MAC)• Single Pass authenticated encryption
– Authentication and Encryption in a single pass– Secure messaging ( SSL, TLS, SSH,…. )– Version control systems.
• Reseedable Pseudorandom sequence generator
Strength of Keccak
• High level of parallelism• Flexibility: bit-interleaving• Software: competitive on wide range of
CPU (also implem. for CUDA)• Dedicated hardware: very competitive• Suited for protection against side-channel
attack• Faster than SHA-2 on all modern PC
Efficiency
Our Work• Keccak source code is available for public access.
• Keccak hash function implementation on microblaze and analyze the hardware performance to perform hashing.
• Analysing the the factors like timing/clock cycles for different bit-rate and capacity factors.
References
● J.-P. Aumasson and D. Khovratovich, First analysis of Keccak, Available online, 2009, http://131002.net/data/papers/AK09.pdf.
● Online Keccak reference site, http://keccak.noekeon.org/
● G. Bertoni, J. Daemen, M. Peeters, G. Van Assche and R. Van Keer, Keccak implementation overview, round 3 submission to NIST SHA-3, 2011
Thank you