1. SHA3
Reporter: Jyun-Yao Huang (allen501pc@gmail.com)
Date: June 4th, 2013
1SHA3

2. Outline
• Introduction
• SHA3
• Security Analysis
• Experiments
• Conclusion
2SHA3

3. Introduction
• In 2005, Wang et al. introduced serious concerns about the
security of SHA-1.
• NIST opened a public competition on November 2, 2007, to
develop a new cryptographic hash algorithm (referred to as
SHA-3) to augment the hash algorithms specified in Federal
Information Processing Standard (FIPS) 180-2, Secure Hash
Standard
• 1st -round: 51 candidates in 2008.
• 2nd-round: 14 candidates in 2009.
• 3rd -round: 5 candidates in 2010.
SHA3 3

4. Introduction: Keccak wins!
• Keccak (Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.)
announced as the SHA-3 winner on October 2, 2012
SHA3 4
Table 1: The five final candidates of SHA3

5. The Keccak Team
• Michaël Peeters, Guido Bertoni, Gilles Van Assche and Joan Daemen.
SHA3 5

6. Introduction: The Beginning Ideas of Keccak
• RADIOGATUN [NIST 2nd Work shop, 2006]
• Variable-length output
• Expressing security claim: non-trivial exercise
• But, neither did third-party cryptanalysis
• NIST SHA-3 deadline approaching …
• U-turn: design a sponge with strong permutation f
• Sponge functions
• closest thing to a random oracle with a finite state
• Sponge construction calling random permutation
SHA3 6

7. SHA3
• Sponge Construction
• Keccak Functions
• Keccak-f Permutation
• The algorithms of each operations
SHA3 7

8. Sponge Construction
• SPONGE[f, pad, r]
• f: fixed-length permutation which operates b bits.
• pad: padding rule which is denoted by M||pad[b](|M|), where M is the sign
of message.
• r: bit rate.
• c:capacity equals to b – r and c<b
SHA3 8

9. Sponge Construction(2)
SHA3 9
Absorbing Phase
Squeezing Phase

10. KECCAK Functions
• By default, c=576 , b=1600, nr=24.
SHA3 10

11. The KECCAK-f permutation(1)
• KECCAK([ ] ) is a family of sponge functions that use as
a building block a permutation from a set of 7 permutations.
• The 7 permutations indicated by KECCAK-f[b], where b=25×2l
and l ranges from 0~6. KECCAK-f[b] is a permutation over .
• Three dimension array on state a over GF(2), namely a[5][5][w],
where w = 2l.
• a[x][y][z]: x, y Z5 and z Zw.
• The mapping between bits of s and a is
• The 7 permutations(b): {25, 50, 100, 200,400, 800, 1600}
SHA3 11

12. Keccak-f State
SHA3 12

13. The KECCAK-f permutation(2)
• KECCAK-f[b] is an iterated permutation with a number of
rounds R, indexed by 0 to nr-1
SHA3 13

14. Algorithm of θ
• Without θ, the KECCAK-f function would not provide
diffusion of any significance.
• High average diffusion and low gate count: 2 XORs per bit.
SHA3 14

15. Algorithm of θ
SHA3 15

16. Algorithm of ρ
SHA3 16

17. Algorithm of π
SHA3 17

18. Algorithm of χ
• χ is the only non-linear mapping in Keccak-f.
• It could be implementable in parallel computing.
• It has algebraic degree 2, but the inverse may not be degree 2.
SHA3 18

19. Algorithm of ι
• It is aimed at disrupting symmetry.
• Without it, the round function would be translation-invariant in
the z direction and all rounds would be equal making Keccak-f
subject to attacks exploiting symmetry such as slide attacks.
SHA3 19

20. The KECCAK-f permutation(3)
• Addition and multiplications are in GF(2) except RC[ir].
• are defined as the output of LFSR(linear
feedback shift register.)
• Note that nr = 12 + 2l
SHA3 20

21. The all procedures
SHA3 21

22. The all procedures (cont.)
SHA3 22

23. The all procedures (cont.)
SHA3 23

24. The candidates of SHA3
SHA3 24

25. SecurityAnalysis
• Immunity of Generic Attacks:
• Given capacity c, the success probability is lower than
1- exp(-N(N+1)2-(c+1)) with N the number of calls to the underlying
permutation or its reverse. If 1<< N << 2c/2, this bounds simplifies to
2-(c+1)N2.
• The zero-sum distinguisher distinguisher for all 24 rounds has
the complexity of 21579
SHA3 25

26. Experiments: Hardware
• In Intel 8051 8-bits processor, 8-bits data bus, a 16-bit address
bus and 512 bytes RAM: 128 bytes for lower internal RAM,
128 bytes for higher internal RAM and 256 bytes of external
RAM (indirect access only)
SHA3 26

27. Experiments: My Experiment
• Platform
• CPU: i5-2450m RAM: 8GB
• Programming language : Microsoft C#
• Testing Data: the message with 1, 10, 100 million bytes.
• It runs 10 times and extracts the average values.
• Algorithms for testing: MD5, SHA256, SHA3-512
27SHA3
Case(bytes) MD5 SHA256 SHA3-512
1 million 1.56001 31.20007 118.56019
10 million 35.88007 110.7602 1180.92206
100 million 352.56065 1098.24191 12124.34128
Table 2: The experimental result in milliseconds

28. Conclusions
• SHA3 is the next hash function in the future. It can provide a
secure scheme which provides the closest thing to a random
oracle with a finite state.
• It’s more slower than SHA256.
• However, it provides a good hardware design architecture to
make manufactures implement it.
SHA3 28

29. Reference
• Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Keccak
sponge function family main document,
http://keccak.noekeon.org/Keccak-main-2.1.pdf
• Guido Bertoni, Joan Daemen, Michaël Peeters and Gilles Van
Assche,” The Keccak sponge function family”,
http://keccak.noekeon.org/
• Guido Bertoni, Joan Daemen, Michaël Peeters and Gilles Van
Assche,” Keccak implementation overview”,
http://keccak.noekeon.org/
SHA3 29

30. Appendices: Zero-Sum Distinguisher
SHA3 30