3. Introduction
• In 2005, Wang et al. raised serious concerns about the
security of SHA-1.
• NIST opened a public competition on November 2, 2007, to
develop a new cryptographic hash algorithm (referred to as
SHA-3) to augment the hash algorithms specified in Federal
Information Processing Standard (FIPS) 180-2, Secure Hash
Standard.
• 1st round: 51 candidates in 2008.
• 2nd round: 14 candidates in 2009.
• 3rd round: 5 candidates in 2010.
SHA3 3
4. Introduction: Keccak wins!
• Keccak (Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.)
announced as the SHA-3 winner on October 2, 2012
Table 1: The five final candidates of SHA3
5. The Keccak Team
• Michaël Peeters, Guido Bertoni, Gilles Van Assche and Joan Daemen.
6. Introduction: The Beginning Ideas of Keccak
• RADIOGATUN [NIST 2nd Workshop, 2006]
• Variable-length output
• Expressing security claim: non-trivial exercise
• But, neither did third-party cryptanalysis
• NIST SHA-3 deadline approaching …
• U-turn: design a sponge with strong permutation f
• Sponge functions
• closest thing to a random oracle with a finite state
• Sponge construction calling random permutation
8. Sponge Construction
• SPONGE[f, pad, r]
• f: fixed-length permutation which operates on b bits.
• pad: padding rule, denoted by M||pad[b](|M|), where M denotes
the message.
• r: bit rate.
• c: capacity, equal to b – r, with c < b.
11. The KECCAK-f permutation(1)
• KECCAK([ ] ) is a family of sponge functions that use as
a building block a permutation from a set of 7 permutations.
• The 7 permutations are denoted KECCAK-f[b], where $b = 25 \times 2^l$
and l ranges from 0 to 6. KECCAK-f[b] is a permutation over .
• The state a is a three-dimensional array over GF(2), namely a[5][5][w],
where $w = 2^l$.
• a[x][y][z]: $x, y \in \mathbb{Z}_5$ and $z \in \mathbb{Z}_w$.
• The mapping between bits of s and a is
• The 7 permutation widths b: {25, 50, 100, 200, 400, 800, 1600}
13. The KECCAK-f permutation(2)
• KECCAK-f[b] is an iterated permutation consisting of a number of
rounds R, indexed from 0 to $n_r - 1$.
14. Algorithm of θ
• Without θ, the KECCAK-f function would not provide
diffusion of any significance.
• High average diffusion and low gate count: 2 XORs per bit.
18. Algorithm of χ
• χ is the only non-linear mapping in Keccak-f.
• It can be implemented in parallel.
• It has algebraic degree 2, but the inverse may not be degree 2.
19. Algorithm of ι
• It is aimed at disrupting symmetry.
• Without it, the round function would be translation-invariant in
the z direction and all rounds would be equal, making Keccak-f
subject to attacks that exploit symmetry, such as slide attacks.
20. The KECCAK-f permutation(3)
• Additions and multiplications are in GF(2), except for the round constants RC[$i_r$].
• are defined as the output of an LFSR (linear
feedback shift register).
• Note that $n_r = 12 + 2l$.
25. Security Analysis
• Immunity to Generic Attacks:
• Given capacity c, the success probability is lower than
$1 - \exp(-N(N+1)2^{-(c+1)})$, with N the number of calls to the underlying
permutation or its inverse. If $1 \ll N \ll 2^{c/2}$, this bound simplifies to
$2^{-(c+1)}N^2$.
• The zero-sum distinguisher for all 24 rounds has
a complexity of $2^{1579}$.
26. Experiments: Hardware
• On an Intel 8051 8-bit processor with an 8-bit data bus, a 16-bit address
bus and 512 bytes of RAM: 128 bytes of lower internal RAM,
128 bytes of higher internal RAM and 256 bytes of external
RAM (indirect access only).
27. Experiments: My Experiment
• Platform
• CPU: i5-2450m, RAM: 8GB
• Programming language: Microsoft C#
• Test data: messages of 1, 10 and 100 million bytes.
• Each test is run 10 times and the average value is taken.
• Algorithms tested: MD5, SHA256, SHA3-512
Case (bytes)   MD5         SHA256       SHA3-512
1 million      1.56001     31.20007     118.56019
10 million     35.88007    110.7602     1180.92206
100 million    352.56065   1098.24191   12124.34128
Table 2: The experimental result in milliseconds
28. Conclusions
• SHA3 is the hash function of the future. It provides a
secure scheme that is the closest thing to a random
oracle with a finite state.
• It is slower than SHA256.
• However, it provides a good hardware design architecture for
manufacturers to implement.