3. A cryptographic hash function is an algorithm that takes an
arbitrary block of data and returns a fixed-size bit string, the
(cryptographic) hash value, such that any change to the
data will change the hash value. The data to be encoded
are often called the "message," and the hash value is
sometimes called the message digest or simply digest.
MD5 MD = 128 (Ron Rivest, 1992)
SHA-1 MD = 160 (NSA, NIST, 1995)
SHA-2 MD = 224/256/384/512 (NSA, NIST, 2001)
SHA-3 MD = arbitrary (Bertoni, Daemen, Peeters, Van Assche, NIST, 20
4. • Cryptographic hash function, SHA family
• Selected on October 2012 as the winner of the NIST
hash function competition
• Not meant to replace SHA-2
• Based on the sponge construction
5. More general than a hash function: arbitrary-length output
Calls a b-bit permutation f, with b = r + c
r bits of rate
c bits of capacity
6.
7.
8. The duplex construction allows the alternation of input and
output blocks at the same rate as the sponge construction,
like a full-duplex communication
9. • High level of parallelism
• Flexibility: bit-interleaving
• Software: competitive on wide range of CPU (also implem. for
CUDA)
• Dedicated hardware: very competitive
• Suited for protection against side-channel attack
• Faster than SHA-2 on all modern PC (12.5cpb on C2D)
10. • http://keccak.noekeon.org/tune.html
If an attacker has access to one billion computers, each
performing one billion evaluations of Keccak-f per second,
it would take about 1.6×1061 years (1.1×1051 times the
estimated age of the universe) to evaluate the permutation
2288 times
KECCAK-f[r+c]
KECCAK-f[1024+576]
KECCAK-f[1600]
11.
12. In the pseudo-code above, S denotes the state as an array of
lanes. The padded message P is organised as an array of blocks
Pi, themselves organized as arrays of lanes. The || operator
denotes the usual byte string concatenation.
13.
14.
15.
16. • Currently best attack on KECCAK: 4 rounds
• Sufficient nr. of rounds for security claim on KECCAK: 13
rounds
• KECCAK has 24 rounds (complexity 215xx)