The Customizeable Shake Function (Cshake)
NIST Special Publication 800-XXX

The Customizeable Shake Function (Cshake)

John Kelsey
Computer Security Division
Information Technology Laboratory

Month and Year of Publication

U.S. Department of Commerce
Penny Pritzker, Secretary

National Institute of Standards and Technology
Willie May, Under Secretary of Commerce for Standards and Technology and Director
Authority

This publication has been developed by NIST to further its statutory responsibilities under the Federal Information Security Management Act (FISMA), Public Law (P.L.). NIST is responsible for developing information security standards and guidelines, including minimum requirements for Federal information systems, but such standards and guidelines shall not apply to national security systems without the express approval of appropriate Federal officials exercising policy authority over such systems. This guideline is consistent with the requirements of the Office of Management and Budget (OMB) Circular A-130, Section 8b(3), Securing Agency Information Systems, as analyzed in Circular A-130, Appendix IV: Analysis of Key Sections. Supplemental information is provided in Circular A-130, Appendix III, Security of Federal Automated Information Resources.

Nothing in this publication should be taken to contradict the standards and guidelines made mandatory and binding on Federal agencies by the Secretary of Commerce under statutory authority. Nor should these guidelines be interpreted as altering or superseding the existing authorities of the Secretary of Commerce, Director of the OMB, or any other Federal official. This publication may be used by nongovernmental organizations on a voluntary basis and is not subject to copyright in the United States. Attribution would, however, be appreciated by NIST.

National Institute of Standards and Technology Special Publication 800-XXX
Natl. Inst. Stand. Technol. Spec. Publ. 800-XXX, NNN pages (Month YYYY)
CODEN: NSPUE2

Certain commercial entities, equipment, or materials may be identified in this document in order to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by NIST, nor is it intended to imply that the entities, materials, or equipment are necessarily the best available for the purpose.

There may be references in this publication to other publications currently under development by NIST in accordance with its assigned statutory responsibilities. The information in this publication, including concepts and methodologies, may be used by Federal agencies even before the completion of such companion publications. Thus, until each publication is completed, current requirements, guidelines, and procedures, where they exist, remain operative. For planning and transition purposes, Federal agencies may wish to closely follow the development of these new publications by NIST.

Organizations are encouraged to review all draft publications during public comment periods and provide feedback to NIST. All NIST Computer Security Division publications, other than the ones noted above, are available at

Public comment period: Month Day, YYYY through Month Day, YYYY

National Institute of Standards and Technology
Attn: Computer Security Division, Information Technology Laboratory
100 Bureau Drive (Mail Stop 8930) Gaithersburg, MD

Reports on Computer Systems Technology

The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the U.S. economy and public welfare by providing technical leadership for the Nation's measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept implementations, and technical analyses to advance the development and productive use of information technology. ITL's responsibilities include the development of management, administrative, technical, and physical standards and guidelines for the cost-effective security and privacy of other than national security-related information in Federal information systems. The Special Publication 800-series reports on ITL's research, guidelines, and outreach efforts in information system security, and its collaborative activities with industry, government, and academic organizations.

Abstract

This Recommendation specifies Cshake, a customizable variant of Shake128 and Shake256, as defined in FIPS 202. Cshake provides a rich functionality for customizing the behavior of the Shake functions, which may be used both directly by users and by NIST in defining additional named functions.

Keywords

hash function; cryptography; information security; integrity; KECCAK; pseudorandom function; SHA-3.
Acknowledgements

The author thanks the KECCAK team members: Guido Bertoni, Joan Daemen, Michaël Peeters, and Gilles Van Assche.
Table of Contents

1. Introduction
2. Glossary
   2.1 Terms and Acronyms
   2.2 Basic Operations and Functions
3. Preliminary Functions and Constants
   3.1 Overview
   3.2 Encoding Strings
   3.3 Padding
4. Cshake
   4.1 Overview
   4.2 Parameters
   4.3 Cshake Definition Based on Keccak
5. Security Properties
   5.1 Equivalent Security to Shake for Any Legal S, N
   5.2 Any Change to S, N, or Both Leads to Completely Unrelated Functions
   5.3 Separation Between N and S
6. Using the Customization String
7. Using the Name to Define Additional SHA3-Derived Functions
8. Performance Issues
References
Appendix A: Integer to Byte String Encoding
1. Introduction

FIPS 202 introduces a new kind of cryptographic primitive, called a XOF (extendable-output function). The specific XOFs defined in FIPS 202 are called Shake128 and Shake256. Unlike earlier hash functions, the Shakes are named for their expected security level.

FIPS 202 also provides a flexible scheme for domain separation between different functions derived from Keccak. This is used to ensure that different named functions (such as SHA3-512 and Shake128) give unrelated outputs. However, the domain separation also makes it possible, with some additional work, to offer users the ability to customize their use of these and other functions. Allowing a user to customize a particular use of a function is analogous to strong typing in a programming language: it makes it virtually certain that computing that function with two different customizations will not give the same answer, and thus that (for example) a key fingerprint and a signature can never be confused for each other.

In this document, we define two new functions: Cshake128 and Cshake256. Each function is based on Keccak as defined in FIPS 202, and provides a customizable version of the Shake functions from that document. These functions have the following properties:

a. Cshake128 provides a 128-bit security level; Cshake256 provides a 256-bit security level.

b. Both Cshake functions take four parameters:
   - An input string, X
   - An output length in bits, L
   - An optional customization string, S, a byte string which may be empty. (An empty string should be considered the "default value" for S.)
   - An optional function name string, N, a byte string which may be empty. (An empty string should be considered the "default value" for N.)

c. When S and N are both empty strings, Cshake128 behaves exactly like Shake128, and Cshake256 behaves exactly like Shake256. Thus, Cshake provides a kind of backward compatibility with Shake as defined in FIPS 202.

d. By convention, S is an optional user-selected customization string, useful for naming a particular use of a function.

e. By convention, N is an optional string describing the name of some function defined by NIST in terms of Cshake, to provide some additional useful functionality beyond what SHA3 and Shake provide. Only NIST-defined name strings should be used, but an implementation of Cshake should usually not try to enforce this, as it would complicate the definition and use of additional NIST-defined functions derived from Cshake.
f. An implementation of Cshake may reasonably support only byte-oriented output lengths; if so, a request for a non-byte-oriented output length would result in an error.

2. Glossary

In this document, bits are indicated in the Courier New font. Bytes are typically written as two-digit hexadecimal numbers from the ASCII characters 0 through 9 and A through F, preceded by the prefix 0x. In binary representation, bytes are written low-order bit first, while in hexadecimal representation, bytes are written with the high-order digit first. E.g., 0x01 = 10000000 and 0x80 = 00000001. These bit-ordering conventions follow the conventions established in Sec. B.1 of [5].

2.1 Terms and Acronyms

Bit: A binary digit: 0 or 1.
Capacity: In the sponge construction, the width of the underlying function minus the rate.
Domain Separation: For a function, a partitioning of the inputs to different application domains so that no input is assigned to more than one domain.
Extendable-Output Function (XOF): A function on bit strings in which the output can be extended to any desired length.
FIPS: Federal Information Processing Standard.
FISMA: Federal Information Security Management Act.
Hash Function: A function on bit strings in which the length of the output is fixed. The output often serves as a condensed representation of the input.
HMAC: Keyed-Hash Message Authentication Code.
KDF: Key Derivation Function.
KECCAK: The family of all sponge functions with a KECCAK-f permutation as the underlying function and multi-rate padding as the padding rule. KECCAK is standardized in [5] and was originally specified in [7].
KMAC: KECCAK Message Authentication Code.
Length: For a given bit string, the number of bits in the string.
MAC: Message Authentication Code.
NIST: National Institute of Standards and Technology.
PRF: See Pseudorandom Function.
Pseudorandom Function (PRF): A function that can be used to generate output from a random seed and a data variable, such that the output is computationally indistinguishable from truly random output.
Rate: In the sponge construction, the number of input bits processed or output bits generated per invocation of the underlying function.
SHA-3: Secure Hash Algorithm-3.
Sponge Construction: The method originally specified in [6] for defining a function from the following: 1) an underlying function on bit strings of a fixed length, 2) a padding rule, and 3) a rate. Both the input and the output of the resulting function are bit strings that can be arbitrarily long.
Sponge Function: A function that is defined according to the sponge construction, possibly specialized to a fixed output length.
String: A sequence of bits.
XOF: See extendable-output function.

2.2 Basic Operations and Functions

[T]_2: An integer T represented as a binary string (denoted by the subscript 2) with a length specified by the function, an algorithm, or a protocol that uses T as an input.
⌈x⌉: For a real number x, ⌈x⌉ is the least integer that is not strictly less than x. For example, ⌈3.2⌉ = 4, ⌈-3.2⌉ = -3, and ⌈6⌉ = 6.
0^s: For a positive integer s, 0^s is the string that consists of s consecutive 0s.
enc8(i): For an integer i ranging from 0 to 255, enc8(i) is the byte encoding of i, with bit 0 being the low-order bit of the byte.
len(X): For a bit string X, len(X) is the length of X in bits.
X || Y: For strings X and Y, X || Y is the concatenation of X and Y.
left_encode(n): A function for encoding an integer n as a string, so that the string may be unambiguously parsed from the beginning. The definition of left_encode appears in Appendix A.
right_encode(n): A function for encoding an integer n as a string, so that the string may be unambiguously parsed from the end. The definition of right_encode appears in Appendix A.

3. Preliminary Functions and Constants

3.1 Overview

The following internal functions are used in the definition of Cshake in the remainder of this Recommendation.

3.2 Encoding Strings

The encode_string function is used to encode strings in a way that may be parsed unambiguously from the beginning of the string. The function is defined as follows:

    encode_string(S):
        if len(S) is not divisible by 8:
            raise an error condition
        return left_encode(len(S)/8) || S

3.3 Padding
The bytepad(X, w) function encodes an input string X in a way that can be parsed unambiguously from the beginning of the string, and that also takes up an integer multiple of w bytes. The definition of bytepad() is as follows:

    bytepad(X, w):
        if len(X) is not divisible by 8:
            raise an error condition
        if w < 1:
            raise an error condition
        z = X
        while (len(z)/8) mod w != 0:
            z = z || 0x00
        return z

4. Cshake

4.1 Overview

Cshake128(X, L, S, N) and Cshake256(X, L, S, N) are defined in terms of the Shake and Keccak functions, both of which appear in FIPS 202.

4.2 Parameters

The parameters of Cshake are:

    X = the input string, which must be a byte string
    L = the output length requested, in bits
    S = the customization string, with a default value of "" (empty string)
    N = the function name, with a default value of "" (empty string)

When S and N are both set to the empty string, Cshake(X, L, S, N) works exactly like Shake as defined in FIPS 202. Thus

    Cshake128(X, L, "", "") = Shake128(X, L)
    Cshake256(X, L, "", "") = Shake256(X, L)

Cshake is designed so that for any two instances

    Cshake(X1, L1, S1, N1)
    Cshake(X2, L2, S2, N2)

unless S1 == S2 and N1 == N2, the two instances are completely unrelated: knowledge of Cshake(X1, L1, S1, N1) gives no information about the value of Cshake(X2, L2, S2, N2) for any choice of the inputs such that S1 <> S2 or N1 <> N2 (or both). Note that this includes the case where S1 == "" and N1 == "". That is, Cshake with any customization is domain-separated from ordinary Shake.

Cshake itself is defined in terms of Keccak, as specified in FIPS 202.

4.3 Cshake Definition Based on Keccak

Cshake either returns the result of a call to Shake (if S and N are both empty strings), or a call to Keccak with a padded encoding of S and N concatenated to the input X. The trailing 00 is the pair of domain-separation bits appended before Keccak's own padding.

    Cshake128(X, L, S, N):
        if S == "" and N == "":
            return Shake128(X, L)
        else:
            return Keccak[256](bytepad(encode_string(S) || encode_string(N), 168) || X || 00, L)

    Cshake256(X, L, S, N):
        if S == "" and N == "":
            return Shake256(X, L)
        else:
            return Keccak[512](bytepad(encode_string(S) || encode_string(N), 136) || X || 00, L)

5. Security Properties

5.1 Equivalent Security to Shake for Any Legal S, N

For a given choice of S and N, Cshake(X, L, S, N) has exactly the same security properties as Shake(X, L). Specifically, Cshake128() claims a security level of 128 bits, and Cshake256() claims a security level of 256 bits. When Cshake128() is called with an output of at least 256 bits, the function provides 128 bits of collision resistance; that is, an attacker seeking to find a pair of inputs X1, X2 such that Cshake128(X1, L, S, N) == Cshake128(X2, L, S, N) expects to need at least 2^128 operations to find such a pair.
When Cshake128() is called with an output of at least 128 bits, the function provides 128 bits of preimage resistance: that is, an attacker given a target value T and seeking to find some input X such that Cshake128(X, L, S, N) = T expects to need at least 2^128 operations to find such a value.

Similarly, Cshake256(), when called with an output of at least 512 bits, provides 256 bits of collision resistance, and when called with an output of at least 256 bits, provides 256 bits of preimage resistance.

5.2 Any Change to S, N, or Both Leads to Completely Unrelated Functions

Suppose that either S1 <> S2, or N1 <> N2, or both. Then

    f1(X, L) = Cshake(X, L, S1, N1)
    f2(X, L) = Cshake(X, L, S2, N2)

are entirely unrelated functions. Specifically, knowing the value of Cshake(X, L, S1, N1) gives an attacker no information at all about the value of Cshake(X', L', S2, N2) for any X', L'.

5.3 Separation Between N and S

The padding scheme used to define Cshake encodes the two strings in a way that can be parsed unambiguously from the beginning of the string input to Keccak. N and S are separated in the padding, and so there is no ambiguity introduced between the contents of N and S.

6. Using the Customization String

Cshake provides an input string intended to allow users to customize their use of the function. For example, someone using Cshake128 to compute a key fingerprint (the hash of a public key) might use:

    KF = Cshake128(public_key, 256, "key fingerprint", "")

Later, the same user might decide to customize a different Cshake computation, used for signing:

    H = Cshake128(_contents, 256, " signature", "")

The power of the customization string is that there is now essentially no chance of a collision between these two values: it will never be possible for an attacker to somehow use one computation (the signature) to get the result of the other computation (the key fingerprint). Conceptually, this is like strong typing in a programming language. The results of computing Cshake128() for a key fingerprint and for a signature are different "types," and so they will never give the same result. Thus KF == H has a negligible probability of being true.

S may be any legal sequence of bytes. However, implementations may restrict the length of S they will accept.

7. Using the Name to Define Additional SHA3-Derived Functions

Cshake also includes a name input (N). This is intended for use by NIST in defining additional SHA3-derived functions, and should only be set to values defined by NIST for named Keccak-derived functions. This provides a level of domain separation by function name. Users of Cshake should not make up their own names; that kind of customization is the purpose of the customization string S.

In order to define a new SHA3-derived function, N is set to a new reserved value that isn't the empty string, and typically some additional operations are done to construct the inputs to Cshake. For example, a not-very-useful function to generate a single bit from the date could be defined as follows:

    bit_from_time(year, month, day, S):
        X = year as a 4-digit decimal character string
        X = X || month as a 2-digit decimal character string
        X = X || day as a 2-digit decimal character string
        N = "bit_from_time"
        L = 1
        return Cshake128(X, L, S, N)

Note that this example function is customizable: any string contents in S will customize the function, so that bit_from_time(2000, 01, 01, "hello, world") is unrelated to bit_from_time(2000, 01, 01, "happy new year!").

8. Performance Issues

Cshake is defined to fill one entire call to the underlying Keccak-f function with the padded S and N. However, an efficient implementation will precompute the result of processing this padded block, and so will suffer no performance penalty when reusing the same choices of S and N multiple times.
References

1. Federal Information Processing Standards Publication 180-4, Secure Hash Standard (SHS), Information Technology Laboratory, National Institute of Standards and Technology, March 2012, fips180-4/fips pdf.
2. R. Merkle, One way hash functions and DES, Advances in Cryptology - CRYPTO '89 Proceedings, Lecture Notes in Computer Science, Vol. 435, G. Brassard, ed., Springer-Verlag, 1989.
3. I. Damgård, A Design Principle for Hash Functions, Advances in Cryptology - CRYPTO '89 Proceedings, Lecture Notes in Computer Science, Vol. 435, G. Brassard, ed., Springer-Verlag, 1989.
4. Federal Information Processing Standards Publication 198-1, The Keyed-Hash Message Authentication Code (HMAC), Information Technology Laboratory, National Institute of Standards and Technology, July 2008, publications/fips/fips198-1/fips-198-1_final.pdf.
5. Federal Information Processing Standards Publication 202, SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions, Information Technology Laboratory, National Institute of Standards and Technology, August 2015.
6. G. Bertoni, J. Daemen, M. Peeters, and G. Van Assche, Cryptographic sponge functions, January 2011.
7. G. Bertoni, J. Daemen, M. Peeters, and G. Van Assche, The KECCAK reference, version 3.0, January 2011.
8. G. Bertoni, J. Daemen, M. Peeters, G. Van Assche, and R. Van Keer, CAESAR submission: KETJE v1, March 2014, ketjev1.pdf.

Appendix A: Integer to Byte String Encoding

This Recommendation uses two internal functions for encoding integers as strings. Both functions are capable of encoding integers up to an extremely large maximum. The largest integer that may be encoded (max_integer) is also a constant used in the remainder of this document.

left_encode(n) encodes the integer n as a string in a way that can be unambiguously parsed from the beginning of the string. right_encode(n) encodes the integer n as a string in a way that can be unambiguously parsed from the end of the string.

[[ Note: I'm more than happy to take someone else's standard encoding scheme here, I just want one that parses from the left and one that parses from the right. --JMK ]]

The definitions (using enc8() to encode individual bytes) are as follows:

    right_encode(x):
        1. Let n be the smallest integer for which 2^(8n) > x.
        2. Let x1, x2, ..., xn be the base-256 digits of x, satisfying x = sum over i = 1 to n of 2^(8(n-i)) * xi.
        3. Let Oi = enc8(xi), for i = 1 to n.
        4. Let O(n+1) = enc8(n).
        5. Return O = O1 || O2 || ... || On || O(n+1).

    left_encode(x):
        1. Let n be the smallest integer for which 2^(8n) > x.
        2. Let x1, x2, ..., xn be the base-256 digits of x, satisfying x = sum over i = 1 to n of 2^(8(n-i)) * xi.
        3. Let Oi = enc8(xi), for i = 1 to n.
        4. Let O0 = enc8(n).
        5. Return O = O0 || O1 || ... || O(n-1) || On.
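The following Python is an added example, not code from this draft or from NIST. It implements encode_string (Sec. 3.2), bytepad (Sec. 3.3), the Cshake definition (Sec. 4.3) and left_encode/right_encode (Appendix A) exactly as this draft states them, on top of a from-scratch Keccak-f[1600] sponge so that the two domain-separation bits can be appended. It assumes byte-oriented output lengths only (Intro item f) and uses hashlib solely for the Shake fallback and for self_check, which validates the permutation against hashlib's SHAKE128, SHAKE256 and SHA3-256. Two caveats a practitioner should know: this draft's bytepad carries no left_encode(w) prefix and encodes S before N, both of which differ from the published SP 800-185, so outputs for nonempty S or N will not match SP 800-185 test vectors; and Appendix A's rule, read literally, encodes zero as the single byte 0x00, whereas the published standard always emits at least one digit.

```python
import hashlib

# Keccak-f[1600] constants from FIPS 202: round constants and rho rotation offsets ROT[x][y].
RC = [0x0000000000000001, 0x0000000000008082, 0x800000000000808A, 0x8000000080008000,
      0x000000000000808B, 0x0000000080000001, 0x8000000080008081, 0x8000000000008009,
      0x000000000000008A, 0x0000000000000088, 0x0000000080008009, 0x000000008000000A,
      0x000000008000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003,
      0x8000000000008002, 0x8000000000000080, 0x000000000000800A, 0x800000008000000A,
      0x8000000080008081, 0x8000000000008080, 0x0000000080000001, 0x8000000080008008]
ROT = [[0, 36, 3, 41, 18], [1, 44, 10, 45, 2], [62, 6, 43, 15, 61],
       [28, 55, 25, 21, 56], [27, 20, 39, 8, 14]]
MASK = (1 << 64) - 1


def rol(v, n):
    n %= 64
    return ((v << n) | (v >> (64 - n))) & MASK


def keccak_f(a):
    """Keccak-f[1600] on a 5x5 array a[x][y] of 64-bit lanes: theta, rho, pi, chi, iota per round."""
    for rc in RC:
        c = [a[x][0] ^ a[x][1] ^ a[x][2] ^ a[x][3] ^ a[x][4] for x in range(5)]
        d = [c[(x - 1) % 5] ^ rol(c[(x + 1) % 5], 1) for x in range(5)]
        a = [[a[x][y] ^ d[x] for y in range(5)] for x in range(5)]
        b = [[0] * 5 for _ in range(5)]
        for x in range(5):
            for y in range(5):
                b[y][(2 * x + 3 * y) % 5] = rol(a[x][y], ROT[x][y])
        a = [[b[x][y] ^ (~b[(x + 1) % 5][y] & b[(x + 2) % 5][y]) for y in range(5)] for x in range(5)]
        a[0][0] ^= rc
    return a


def sponge(rate, data, suffix, out_len):
    """Keccak[c] with `rate` bytes per block: absorb data || suffix (domain bits plus the first pad
    bit, low-order bit first), finish pad10*1, then squeeze out_len bytes (FIPS 202 Sec. 5)."""
    a = [[0] * 5 for _ in range(5)]
    msg = bytearray(data) + bytes([suffix])
    msg += bytes(-len(msg) % rate)          # zero-fill to a whole block, then set the final 1 bit
    msg[-1] |= 0x80
    for off in range(0, len(msg), rate):
        for i in range(rate // 8):          # lane i = x + 5y, each lane 8 little-endian bytes
            a[i % 5][i // 5] ^= int.from_bytes(msg[off + 8 * i:off + 8 * i + 8], "little")
        a = keccak_f(a)
    out = bytearray()
    while True:
        for i in range(rate // 8):
            out += a[i % 5][i // 5].to_bytes(8, "little")
        if len(out) >= out_len:
            return bytes(out[:out_len])
        a = keccak_f(a)


def left_encode(n):
    """Appendix A: enc8(digit count) then the base-256 digits, most significant first.
    Literal reading of the draft: zero has no digits, so left_encode(0) == b'\\x00'."""
    digits = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([len(digits)]) + digits


def right_encode(n):
    digits = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return digits + bytes([len(digits)])


def encode_string(s):
    return left_encode(len(s)) + s          # Sec. 3.2: len(S)/8 is the byte length of S


def bytepad(k, w):
    """Sec. 3.3 of this draft: append 0x00 bytes until the length is a multiple of w bytes."""
    if w < 1:
        raise ValueError("w must be >= 1")
    return bytes(k) + bytes(-len(k) % w)


def cshake(x, L, S, N, rate, shake):
    """Sec. 4.3: Shake when S and N are both empty, else Keccak over
    bytepad(encode_string(S) || encode_string(N), rate) || X || 00. The two zero domain bits
    followed by the first pad bit form the suffix byte 0x04 (bits 0,0,1 low-order first)."""
    if L % 8:
        raise ValueError("only byte-oriented output lengths are supported")  # Intro item f
    if S == b"" and N == b"":
        return shake(x).digest(L // 8)
    prefix = bytepad(encode_string(S) + encode_string(N), rate)  # one full block for short S, N
    return sponge(rate, prefix + x, 0x04, L // 8)


def cshake128(x, L, S=b"", N=b""):
    return cshake(x, L, S, N, 168, hashlib.shake_128)   # Keccak[256]: rate 1344 bits = 168 bytes


def cshake256(x, L, S=b"", N=b""):
    return cshake(x, L, S, N, 136, hashlib.shake_256)   # Keccak[512]: rate 1088 bits = 136 bytes


def self_check():
    """Cross-check the sponge core against hashlib (SHAKE suffix 0x1F, SHA3 suffix 0x06),
    covering multi-block absorb and multi-block squeeze; returns True when all three agree."""
    long_msg = bytes(range(256)) * 3                    # constructed 768-byte input
    return (sponge(168, long_msg, 0x1F, 400) == hashlib.shake_128(long_msg).digest(400)
            and sponge(136, b"abc", 0x1F, 300) == hashlib.shake_256(b"abc").digest(300)
            and sponge(136, long_msg, 0x06, 32) == hashlib.sha3_256(long_msg).digest())


if __name__ == "__main__":
    assert self_check()
    public_key = b"constructed sample public key bytes"      # constructed input, not a real key
    print("key fingerprint :", cshake128(public_key, 256, b"key fingerprint").hex())
    print("other S, same X :", cshake128(public_key, 256, b"signature").hex())
    print("S = N = '' is SHAKE128:", cshake128(public_key, 256) == hashlib.shake_128(public_key).digest(32))
```

The prefix block is where Sec. 8's performance note applies: for any fixed S and N, `bytepad(...)` is exactly one rate-sized block, so an implementation may absorb it once, cache the resulting state, and start every later call from there.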
CA4005: CRYPTOGRAPHY AND SECURITY PROTOCOLS 1 5 5.1 A hash function is an efficient function mapping binary strings of arbitrary length to binary strings of fixed length (e.g. 128 bits), called the hash-value
More informationGoals of Modern Cryptography
Goals of Modern Cryptography Providing information security: Data Privacy Data Integrity and Authenticity in various computational settings. Data Privacy M Alice Bob The goal is to ensure that the adversary
More informationAppendix K SHA-3. William Stallings
Appendix K SHA-3 William Stallings K.1 THE ORIGINS OF SHA-3... 2 K.2 EVALUATION CRITERIA FOR SHA-3... 4 K.3 THE SPONGE CONSTRUCTION... 6 K.4 THE SHA-3 ITERATION FUNCTION f... 13 Structure of f... 14 Theta
More informationViews on the Framework for Improving Critical Infrastructure Cybersecurity
This document is scheduled to be published in the Federal Register on 12/11/2015 and available online at http://federalregister.gov/a/2015-31217, and on FDsys.gov Billing Code: 3510-13 DEPARTMENT OF COMMERCE
More informationVortex: A New Family of One-way Hash Functions Based on AES Rounds and Carry-less Multiplication
Vortex: A New Family of One-way Hash Functions Based on AES Rounds and Carry-less ultiplication Shay Gueron 2, 3, 4 and ichael E. Kounavis 1 1 Corresponding author, Corporate Technology Group, Intel Corporation,
More informationLecture 18 Message Integrity. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides from Miller & Bailey s ECE 422
Lecture 18 Message Integrity Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides from Miller & Bailey s ECE 422 Cryptography is the study/practice of techniques for secure communication,
More informationENTITY AUTHENTICATION USING PUBLIC KEY CRYPTOGRAPHY DRAFT
FIPS PUB JJJ FEDERAL INFORMATION PROCESSING STANDARDS PUBLICATION 1996 March 29 U.S. DEPARTMENT OF COMMERCE / National Institute of Standards and Technology ENTITY AUTHENTICATION USING PUBLIC KEY CRYPTOGRAPHY
More informationH must be collision (2n/2 function calls), 2nd-preimage (2n function calls) and preimage resistant (2n function calls)
What is a hash function? mapping of: {0, 1} {0, 1} n H must be collision (2n/2 function calls), 2nd-preimage (2n function calls) and preimage resistant (2n function calls) The Merkle-Damgård algorithm
More informationCategory: Informational January 2010 ISSN:
Independent Submission A. Keromytis Request for Comments: 5708 Columbia University Category: Informational January 2010 ISSN: 2070-1721 Abstract X.509 Key and Signature Encoding for the KeyNote Trust Management
More informationA hash function is strongly collision-free if it is computationally infeasible to find different messages M and M such that H(M) = H(M ).
CA642: CRYPTOGRAPHY AND NUMBER THEORY 1 8 Hash Functions 8.1 Hash Functions Hash Functions A hash function is an efficient function mapping binary strings of arbitrary length to binary strings of fixed
More informationWinter 2011 Josh Benaloh Brian LaMacchia
Winter 2011 Josh Benaloh Brian LaMacchia Symmetric Cryptography January 20, 2011 Practical Aspects of Modern Cryptography 2 Agenda Symmetric key ciphers Stream ciphers Block ciphers Cryptographic hash
More informationSufficient conditions for sound hashing using a truncated permutation
Sufficient conditions for sound hashing using a truncated permutation Joan Daemen 1, Tony Dusenge 2, and Gilles Van Assche 1 1 STMicroelectronics 2 Université Libre de Bruxelles Abstract. In this paper
More informationParallelized Hashing via j-lanes and j-pointers Tree Modes, with Applications to SHA-256
Journal of Information Security, 2014, 5, 91-113 Published Online July 2014 in SciRes. http://www.scirp.org/journal/jis http://dx.doi.org/10.4236/jis.2014.53010 Parallelized Hashing via j-lanes and j-pointers
More informatione-pgpathshala Subject : Computer Science Paper: Cryptography and Network Security Module: Hash Algorithm Module No: CS/CNS/28 Quadrant 1 e-text
e-pgpathshala Subject : Computer Science Paper: Cryptography and Network Security Module: Hash Algorithm Module No: CS/CNS/28 Quadrant 1 e-text Cryptography and Network Security Module 28- Hash Algorithms
More informationEncryption. INST 346, Section 0201 April 3, 2018
Encryption INST 346, Section 0201 April 3, 2018 Goals for Today Symmetric Key Encryption Public Key Encryption Certificate Authorities Secure Sockets Layer Simple encryption scheme substitution cipher:
More informationDue: April 17, 11:59pm. Project 2
COS 433: Cryptography (Spring 2018) Project 2 Princeton University Due: April 17, 11:59pm Project 2 Introduction You are interning at the super secretive TLA (Three Letter Agency) again. This time, the
More informationPushing the Limits of SHA-3 Hardware Implementations to Fit on RFID
Motivation Keccak Our Designs Results Comparison Conclusions 1 / 24 Pushing the Limits of SHA-3 Hardware Implementations to Fit on RFID Peter Pessl and Michael Hutter Motivation Keccak Our Designs Results
More informationNetwork Working Group Request for Comments: 4432 March 2006 Category: Standards Track
Network Working Group B. Harris Request for Comments: 4432 March 2006 Category: Standards Track Status of This Memo RSA Key Exchange for the Secure Shell (SSH) Transport Layer Protocol This document specifies
More informationThe Keyed-Hash Message Authentication Code Validation System (HMACVS)
The Keyed-Hash Message Authentication Code Validation System (HMACVS) December 3, 2004 Lawrence E. Bassham III National Institute of Standards and Technology Information Technology Laboratory Computer
More informationCS 645 : Lecture 6 Hashes, HMAC, and Authentication. Rachel Greenstadt May 16, 2012
CS 645 : Lecture 6 Hashes, HMAC, and Authentication Rachel Greenstadt May 16, 2012 Reminders Graded midterm, available on bbvista Project 3 out (crypto) Hash Functions MAC HMAC Authenticating SSL Man-in-the-middle
More informationCourse Business. Midterm is on March 1. Final Exam is Monday, May 1 (7 PM) Allowed to bring one index card (double sided) Location: Right here
Course Business Midterm is on March 1 Allowed to bring one index card (double sided) Final Exam is Monday, May 1 (7 PM) Location: Right here 1 Cryptography CS 555 Topic 18: AES, Differential Cryptanalysis,
More informationHOST Cryptography I ECE 525. Cryptography Handbook of Applied Cryptography &
Cryptography Handbook of Applied Cryptography & http://cseweb.ucsd.edu/users/mihir/cse207/ Brief History: Proliferation of computers and communication systems in 1960s brought with it a demand to protect
More informationFurther Analysis of a Proposed Hash-Based Signature Standard
Further Analysis of a Proposed Hash-Based Signature Standard Scott Fluhrer Cisco Systems, USA sfluhrer@cisco.com Abstract. We analyze the concrete security of a hash-based signature scheme described in
More informationCS-E4320 Cryptography and Data Security Lecture 5: Hash Functions
Lecture 5: Hash Functions Céline Blondeau Email: celine.blondeau@aalto.fi Department of Computer Science Aalto University, School of Science Hash Functions Birthday Paradox Design of Hash Functions SHA-3
More informationS. Erfani, ECE Dept., University of Windsor Network Security
4.11 Data Integrity and Authentication It was mentioned earlier in this chapter that integrity and protection security services are needed to protect against active attacks, such as falsification of data
More informationLecture 1 Applied Cryptography (Part 1)
Lecture 1 Applied Cryptography (Part 1) Patrick P. C. Lee Tsinghua Summer Course 2010 1-1 Roadmap Introduction to Security Introduction to Cryptography Symmetric key cryptography Hash and message authentication
More informationObservations and Attacks On The SHA-3 Candidate Blender
Observations and Attacks On The SHA-3 Candidate Blender Craig Newbold cjnewbold@googlemail.com Abstract 51 candidates have been accepted as first round candidates in NIST s SHA-3 competition, to decide
More informationMessage authentication codes
Message authentication codes Martin Stanek Department of Computer Science Comenius University stanek@dcs.fmph.uniba.sk Cryptology 1 (2017/18) Content Introduction security of MAC Constructions block cipher
More informationCryptographic Hash Functions
ECE458 Winter 2013 Cryptographic Hash Functions Dan Boneh (Mods by Vijay Ganesh) Previous Lectures: What we have covered so far in cryptography! One-time Pad! Definition of perfect security! Block and
More informationThe Keyed-Hash Message Authentication Code (HMAC)
FIPS PUB 198 FEDERAL INFORMATION PROCESSING STANDARDS PUBLICATION The Keyed-Hash Message Authentication Code (HMAC) CATEGORY: COMPUTER SECURITY SUBCATEGORY: CRYPTOGRAPHY Information Technology Laboratory
More informationPower Analysis of MAC-Keccak: A Side Channel Attack
Power Analysis of MAC-Keccak: A Side Channel Attack Advanced Cryptography Kyle McGlynn Professor Stanislaw Radziszowski May 6, 2018 1 Introduction Recently in the spring of 2017, two documents were discovered
More informationInternet Engineering Task Force (IETF) Category: Standards Track March 2011 ISSN:
Internet Engineering Task Force (IETF) D. McGrew Request for Comments: 6188 Cisco Systems, Inc. Category: Standards Track March 2011 ISSN: 2070-1721 Abstract The Use of AES-192 and AES-256 in Secure RTP
More informationInterfaces for Personal Identity Verification Part 1: PIV Card Application Namespace, Data Model and Representation
Draft NIST Special Publication 800-73-4 Interfaces for Personal Identity Verification Part 1: PIV Card Application Namespace, Data Model and Representation Ramaswamy Chandramouli David Cooper Hildegard
More informationComputer Security: Hashing
Computer Security: Hashing B. Jacobs and J. Daemen Institute for Computing and Information Sciences Digital Security Radboud University Nijmegen Version: fall 2016 Page 1 of 52 Jacobs and Daemen Version:
More informationData Integrity & Authentication. Message Authentication Codes (MACs)
Data Integrity & Authentication Message Authentication Codes (MACs) Goal Ensure integrity of messages, even in presence of an active adversary who sends own messages. Alice (sender) Bob (receiver) Fran
More informationFedRAMP Digital Identity Requirements. Version 1.0
FedRAMP Digital Identity Requirements Version 1.0 January 31, 2018 DOCUMENT REVISION HISTORY DATE VERSION PAGE(S) DESCRIPTION AUTHOR 1/31/2018 1.0 All Initial document FedRAMP PMO i ABOUT THIS DOCUMENT
More informationSingle Block Attacks and Statistical Tests on CubeHash
Single Block Attacks and Statistical Tests on CubeHash Benjamin Bloom Alan Kaminsky August 21, 2009 Abstract This paper describes a second preimage attack on the CubeHash cryptographic one-way hash function.
More informationLecture 4: Authentication and Hashing
Lecture 4: Authentication and Hashing Introduction to Modern Cryptography 1 Benny Applebaum Tel-Aviv University Fall Semester, 2011 12 1 These slides are based on Benny Chor s slides. Some Changes in Grading
More informationIntroduction to Cryptography. Lecture 6
Introduction to Cryptography Lecture 6 Benny Pinkas page 1 1 Data Integrity, Message Authentication Risk: an active adversary might change messages exchanged between Alice and Bob M Alice M M M Bob Eve
More informationInformation Security. message M. fingerprint f = H(M) one-way hash. 4/19/2006 Information Security 1
Information Security message M one-way hash fingerprint f = H(M) 4/19/2006 Information Security 1 Outline and Reading Digital signatures Definition RSA signature and verification One-way hash functions
More informationMasterMath Cryptology /2 - Cryptanalysis
MasterMath Cryptology 2015 2/2 Cryptanalysis Friday, 17 April, 2015 09:59 10. Hash Function Cryptanalysis (v3) Cryptographic hash functions map messages of arbitrary size to a fixed size hash, e.g. a bitstring
More informationarxiv: v3 [cs.cr] 13 Aug 2016
Some observations on the optimization of a parallel SHAKE function using Sakura Kevin Atighehchi arxiv:1608.00492v3 [cs.cr] 13 Aug 2016 Aix Marseille Univ, CNRS, LIF, Marseille, France kevin.atighehchi@univ-amu.fr
More informationSecurity Analysis of Extended Sponge Functions. Thomas Peyrin
Security Analysis of Extended Sponge Functions Hash functions in cryptology: theory and practice Leiden, Netherlands Orange Labs University of Versailles June 4, 2008 Outline 1 The Extended Sponge Functions
More informationMinimizing Bandwidth for Remote Access to Cryptographically Protected Audit Logs
Minimizing Bandwidth for Remote Access to Cryptographically Protected Audit Logs John Kelsey and Bruce Schneier Counterpane Internet Security, Inc. 101 E. Minnehaha Pkwy Minneapolis, MN 55419 {kelsey,schneier}@counterpane.com
More informationCryptography Trends: A US-Based Perspective. Burt Kaliski, RSA Laboratories IPA/TAO Cryptography Symposium October 20, 2000
Cryptography Trends: A US-Based Perspective Burt Kaliski, RSA Laboratories IPA/TAO Cryptography Symposium October 20, 2000 Outline Advanced Encryption Standard Dominant design Thoughts on key size Advanced
More informationUpdates: 6126 May 2015 Category: Experimental ISSN: Extension Mechanism for the Babel Routing Protocol
Independent Submission J. Chroboczek Request for Comments: 7557 PPS, University of Paris-Diderot Updates: 6126 May 2015 Category: Experimental ISSN: 2070-1721 Abstract Extension Mechanism for the Babel
More informationI N F O R M A T I O N S E C U R I T Y
NIST Special Publication 800-73-3 Interfaces for Personal Identity Verification Part 2: End-Point PIV Card Application Card Command Interface Ramaswamy Chandramouli David Cooper James F. Dray Hildegard
More informationCSC 5930/9010 Modern Cryptography: Cryptographic Hashing
CSC 5930/9010 Modern Cryptography: Cryptographic Hashing Professor Henry Carter Fall 2018 Recap Message integrity guarantees that a message has not been modified by an adversary Definition requires that
More informationRequest for Comments: 3566 Category: Standards Track Intel September The AES-XCBC-MAC-96 Algorithm and Its Use With IPsec
Network Working Group Request for Comments: 3566 Category: Standards Track S. Frankel NIST H. Herbert Intel September 2003 Status of this Memo The AES-XCBC-MAC-96 Algorithm and Its Use With IPsec This
More informationCOMP4109 : Applied Cryptography
COMP4109 : Applied Cryptography Fall 2013 M. Jason Hinek Carleton University Applied Cryptography Day 2 information security cryptographic primitives unkeyed primitives NSA... one-way functions hash functions
More informationCS408 Cryptography & Internet Security
CS408 Cryptography & Internet Security Lecture 18: Cryptographic hash functions, Message authentication codes Functions Definition Given two sets, X and Y, a function f : X Y (from set X to set Y), is
More informationHomework 2: Symmetric Crypto Due at 11:59PM on Monday Feb 23, 2015 as a PDF via websubmit.
Homework 2: Symmetric Crypto February 17, 2015 Submission policy. information: This assignment MUST be submitted as a PDF via websubmit and MUST include the following 1. List of collaborators 2. List of
More informationCS525 Winter 2012 \ Class Assignment #2 Preparation
1 CS525 Winter 2012 \ Class Assignment #2 Preparation Ariel Stolerman 2.26) Let be a CFG in Chomsky Normal Form. Following is a proof that for any ( ) of length exactly steps are required for any derivation
More informationNetwork Working Group Request for Comments: 4419 Category: Standards Track March 2006
Network Working Group Request for Comments: 4419 Category: Standards Track M. Friedl N. Provos W. Simpson March 2006 Status of This Memo Diffie-Hellman Group Exchange for the Secure Shell (SSH) Transport
More informationDATA ENCRYPTION STANDARD (DES)
FIPS PUB 46-3 FEDERAL INFORMATION PROCESSING STANDARDS PUBLICATION Reaffirmed 1999 October 25 U.S. DEPARTMENT OF COMMERCE/National Institute of Standards and Technology DATA ENCRYPTION STANDARD (DES) CATEGORY:
More informationLecture 1: Course Introduction
Lecture 1: Course Introduction Thomas Johansson T. Johansson (Lund University) 1 / 37 Chapter 9: Symmetric Key Distribution To understand the problems associated with managing and distributing secret keys.
More informationSatisfying CC Cryptography Requirements through CAVP/CMVP Certifications. International Crypto Module Conference May 19, 2017
Satisfying CC Cryptography Requirements through CAVP/CMVP Certifications International Crypto Module Conference May 19, 2017 Synopsis Background NIAP policy relating to cryptographic requirements NIAP
More information