Keccak discussion. Soham Sadhu. January 9, 2012
Keccak (pronounced like "Ketchak") is a cryptographic hash function designed by Guido Bertoni, Joan Daemen, Michaël Peeters and Gilles Van Assche. Keccak is one of the five finalists in the NIST hash function competition to select the SHA-3 algorithm.[2]

Background

What is a hash function?

A cryptographic hash function is a deterministic procedure that takes a string of any length and returns a string of fixed size, which should ideally be unique to the given input string.[1] Ideally a cryptographic hash function should be:

1. Easy to compute.
2. Infeasible to invert: given a hash output string, it should be infeasible to compute an input string.
3. Infeasible to tamper with: it should be infeasible to modify an input string without changing the hash output string.
4. Collision resistant: it should be infeasible to find two different input strings that map to the same hash output string.

Previous and currently used hash functions:

One of the popular cryptographic hash functions previously used was MD5, which produces a 128-bit (16-byte) hash value and was designed in the mid 90s. However, MD5 is not collision resistant; that is, two different input strings that map to the same hash value can be found.[3] As per the US Computer Emergency Readiness Team (US-CERT), MD5 is cryptographically broken and unsuitable for further use.

The SHA-1 (Secure Hash Algorithm-1) hash function, which is currently being used, has an output length of 160 bits. In 2005 a security weakness was shown: the likely existence of a mathematical weakness in SHA-1. The SHA-2 family of algorithms has different output lengths, also called message digests, namely 224, 256, 384 and 512 bits. SHA-2 differs from SHA-1 and no successful attack has been found on that family of algorithms, but SHA-2 does bear some resemblance to the SHA-1 structure.[4][5]

All the previously stated hash functions are built on, or have at their core, the Merkle-Damgård construction, which has limitations such as being sequential and thus unable to take advantage of currently popular parallel processing. Other weaknesses include the ability to find further collisions cheaply once you have one collision.[6]
Sponge function:

The security of a hashing algorithm is generally expressed relative to a random oracle whose output has been truncated to the desired n bits. This implies that the hash function has a security of $2^{n/2}$ against collision attacks and $2^{n}$ against second preimage attacks. A sponge construction, or sponge function, is the closest approximation to a random oracle, except for the side effects of finite memory, that is, internal state collisions, which are absent in a random oracle.

The sponge construction builds a function that takes input of arbitrary length and produces output of arbitrary length. It applies a fixed-length transformation to a fixed number of bits b, called the width. This width can be expressed as b = r + c, where r is the bit rate and c is the capacity. The input message is divided into pieces of r bits each. The following two things are then done.[7]

1. Absorption: The sponge state initially consists of all zeros. The first input block of length r is XORed with r bits of the state, and the transformation is applied to the state. The next input block is then XORed with this state like the previous one, and the state is transformed again. This continues until all the input is consumed.
2. Squeezing: The first r bits of the state are returned as output, and the transformations of the state continue until enough blocks have been produced to make up the required output length. The last c bits of the state are never directly affected by the input and are never taken as output.

Due to the existence of inner collisions, iterated hash functions can never behave like a real random oracle.

Probability of success for a number of attacks.

The expected number of calls to generate a collision is $2^{n/2}$, and for a second preimage it is $2^{n}$. The hash function is considered broken if someone finds an attack on it with complexity smaller than for a random oracle. The sponge in general has been shown to have a security of complexity $2^{c/2}$, where c is the capacity of the sponge. The attacks are generic, that is, they do not exploit specific properties of the transformation in the state. Hence one can increase the security of the sponge by increasing the capacity and reducing the bit rate.

In the sponge itself the number of possible transformations is $2^{b2^{b}}$, while the number of permutations is $2^{b}!$, where b is the width of the sponge. This shows that having a transformation sponge will be better than a permutation sponge, with the one exception of output cycling. If you map the states of the sponge to nodes, you get $2^{b}$ nodes with $2^{b}$ edges. Analysing a tree like this for the attacks leads to the complexity figures given in the table below.

The above table gives the cost of each attack on the sponge, based on the assumption that the attacker has no knowledge of the internal working of the algorithm. In the above table N is the number of nodes that can represent a state of the sponge; this number should be almost $2^{b}$, where b is the width of the sponge. c is the capacity of the sponge and Z is the output string, with $Z_r$ being the output truncated to r bits.

Inner collisions are those where the bits that are not involved in input or output, that is, the capacity bits, are the same for two different states. Output binding and state recovery can be thought of as analogous to preimage and second preimage attacks. Path finding is: given a state, find a sequence of steps that maps to another state. Output cycles is finding an integer d such that appending the string $0^{d}$ to the input gives the same output, that is, you get a periodicity in the output based on the input pattern.

It has to be noted that the security strength of the sponge analysed here is independent of the transformation or permutation function used in the sponge and is based on the strength of its own structure.[8]
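The following is an added illustration, not part of the original paper, of why the capacity c rather than the output length sets the generic security level. It builds a toy sponge with r = 8 and c = 16 bits around a stand-in random transformation (SHA-256 truncated to b = 24 bits); all names and parameters are constructed for the example, and padding is omitted because every message has the same length.

```python
import hashlib

R_BITS, C_BITS = 8, 16                  # toy bit rate and capacity (constructed values)
B_BYTES = (R_BITS + C_BITS) // 8        # width b = r + c = 24 bits
INNER_MASK = (1 << C_BITS) - 1

def f(state: int) -> int:
    """Stand-in random transformation on b bits: SHA-256 truncated to b bits."""
    digest = hashlib.sha256(state.to_bytes(B_BYTES, "big")).digest()
    return int.from_bytes(digest[:B_BYTES], "big")

def absorb(message: bytes) -> int:
    """Absorption: XOR each r-bit block into the outer part, then transform."""
    state = 0
    for block in message:               # r = 8 bits, so one block per byte
        state ^= block << C_BITS        # the inner c bits are never touched directly
        state = f(state)
    return state

def squeeze(state: int, out_len: int) -> bytes:
    """Squeezing: emit the outer r bits, transform, repeat."""
    out = bytearray()
    while len(out) < out_len:
        out.append(state >> C_BITS)
        state = f(state)
    return bytes(out)

def toy_hash(message: bytes, out_len: int = 32) -> bytes:
    return squeeze(absorb(message), out_len)

def find_inner_collision():
    """Search for two messages whose states agree on the c inner bits.

    Returns (m1, m2, tries). One extra block per message cancels the
    difference in the outer bits, so the full states, and therefore every
    output bit, become identical no matter how long the output is.
    """
    seen = {}                           # inner bits -> (message, outer bits)
    tries = 0
    while True:
        msg = tries.to_bytes(3, "big")  # fixed-length messages, no padding needed
        tries += 1
        state = absorb(msg)
        inner, outer = state & INNER_MASK, state >> C_BITS
        if inner in seen:
            other_msg, other_outer = seen[inner]
            return (other_msg + b"\x00",
                    msg + bytes([outer ^ other_outer]),
                    tries)
        seen[inner] = (msg, outer)

if __name__ == "__main__":
    m1, m2, tries = find_inner_collision()
    print(f"inner collision after {tries} messages (2^(c/2) = {1 << (C_BITS // 2)})")
    print(m1.hex(), m2.hex(), toy_hash(m1).hex() == toy_hash(m2).hex())
```

The two messages collide on all 256 output bits even though a random oracle with that output length would need about $2^{128}$ calls, which is why c has to be chosen from the target security level.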
Keccak algorithm:

It is a sponge function family with members KECCAK[r, c]. The parameters r (bit rate) and c (capacity) determine the width of the Keccak-f permutation and are also applied to the sponge construction. The width values are restricted to 25, 50, 100, 200, 400, 800, 1600 right now. Thus the width can be thought of as $25 \cdot 2^{l}$, where the values for l are (0, 1, 2, 3, 4, 5, 6). It also does not require masking in case the output is smaller, since you can generate arbitrarily long outputs.[9]

Given a message M the following procedure takes place.[10] The state is first initialised to zero. The || operator below stands for concatenation.

    S[x,y] = 0, forall (x,y) in (0...4, 0...4)
    P = M || 0x01 || 0x00 || ... || 0x00
    P = P xor (0x00 || ... || 0x00 || 0x80)

So the message is ready with the correct number of bits. Here Pi is a block of the initialised message of length r, which is the bit rate. w is the word length (the lane size), given by $2^{l}$.

In the absorbing phase the blocks of the message are sent to the Keccak functions until they are exhausted. Do note here that the first block of the initialised message is XORed with the initial state and then sent for processing. The next block is then XORed with the state that comes back after being processed in the first iteration. Thus the transformation function and the absorbing of the message blocks are interleaved.

    for all block Pi in P
        # XOR with the initial state
        S[x,y] = S[x,y] xor Pi[x+5*y], forall (x,y) such that x+5*y < r/w
        # Calling the functions to be applied on the state
        S = Keccak-f[r+c](S)
    end for

Squeezing phase. After all the blocks of the message have been consumed by the absorbing phase, the next step is to squeeze out the required number of bits. Note that transformations and squeezing are interleaved: r bits (the bit rate) are extracted from the state and appended to the initially empty output string, and at each iteration, until the extracted blocks make up the required number of bits, the Keccak-f function is also called.

    Z = empty string
    while output is requested
        Z = Z || S[x,y], forall (x,y) such that x+5*y < r/w
        S = Keccak-f[r+c](S)
    end while

The Keccak-f function performs the transformation on the provided data. All five sub-rounds of the transformation, which will be dealt with later, are applied l times. Below is the pseudo code.

    Keccak-f[b](A)
        for all i in 0...nr-1
            A = Round[b](A, RC[i])
        end for
        return A

Before we move to the main transform functions, some terminology.
The sponge state for Keccak consists of a three-dimensional matrix, as shown in the state figure, with cells consisting of individual bits. The state has 5 rows and 5 columns, while the number of slices mentioned above, or the length of the lanes, is given by the word length $2^{l}$, where l is an integer from 0 to 6.[11]

There are five steps in the transformation, which make up a round as follows: $R = \iota \circ \chi \circ \pi \circ \rho \circ \theta$. The steps can be executed in arbitrary order, but the step theta has to be done first for the diffusion, and it provides the avalanche effect for this cipher. The number of iterations of these five steps is determined by l.

Step theta (θ). This can be mathematically expressed as

$$\theta:\ a[x][y][z] \leftarrow a[x][y][z] + \sum_{y'=0}^{4} a[x-1][y'][z] + \sum_{y'=0}^{4} a[x+1][y'][z-1]$$

This can be stated as: XOR each bit in the state with the XOR value of one adjacent column that is in the same slice, and again XOR it with the XOR value of the other adjacent column, which is not in the same slice but in the adjacent one.[12]
Step Rho (ρ). This can be mathematically stated as

$$\rho:\ a[x][y][z] \leftarrow a[x][y][z - (t+1)(t+2)/2]$$

with t satisfying $0 \le t < 24$, where the x and y values come out of the multiplication of a 2 × 2 matrix, with elements from 0, 1, 2, 3, 4, raised to the power t, with a 2 × 1 matrix consisting of 0 and 1; or t = -1 if x = y = 0.

So the bits are shifted within their lanes by a fixed, predetermined number of positions. The bits are shifted in the z direction as per the transformation offset table given below.

[Table: ρ offsets, with columns x = 3, x = 4, x = 0, x = 1, x = 2 and one row per value of y]
Step Pi (π). The pi transformation is a row permutation of columns, where

$$\pi:\ a[x][y] \leftarrow a[x'][y'], \quad \text{where } x = y' \text{ and } y = 2x' + 3y'$$

Please note that in the diagrams below for the Pi transformation the center is in the middle of the state cell.
Step Chi (χ).

$$\chi:\ a[x] \leftarrow a[x] + (a[x+1] + 1)\, a[x+2]$$

You XOR a particular column with the AND of the negation of the adjacent column and the column next to it. This is the only non-linear operation, and it in a way breaks the symmetry.

Step Iota (ι). Exclusive-or a round constant into one word of the state. To be precise, in round n, for $0 \le m \le l$, $a[0][0][2^{m} - 1]$ is exclusive-ored with bit m+7n of a degree-8 linear feedback shift register sequence. The following are the round constants for the standard Keccak-f function.

RC[0] = 0x , RC[1] 0x , RC[2] 0x A, RC[3] 0x , RC[4] 0x B, RC[5] 0x , RC[6] 0x , RC[7] 0x , RC[8] 0x A, RC[9] 0x , RC[10] 0x , RC[11] 0x A, RC[12] 0x B, RC[13] 0x B, RC[14] 0x , RC[15] 0x , RC[16] 0x , RC[17] 0x , RC[18] 0x A, RC[19] 0x A, RC[20] 0x , RC[21] 0x , RC[22] 0x , RC[23] 0x

Since this step is the one that is different for each round performed, increasing the number of rounds increases security due to this step.
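The absorb/squeeze procedure and the five steps θ, ρ, π, χ, ι described above can be put together as follows. This is an added example, not code from the original paper or from the Keccak team. It fixes b = 1600 (w = 64, l = 6), assumes 24 rounds and a byte-aligned message with a rate that is a multiple of 8 bytes, and derives the ρ offsets and ι round constants from the rules in the text. The function names and the `suffix` parameter are choices made for this example: 0x01 gives the padding shown in the pseudo code above, 0x06 the padding later standardised for SHA-3.

```python
W = 64                         # lane size w = 2^l with l = 6, so b = 25 * w = 1600
MASK = (1 << W) - 1
NR = 24                        # number of rounds used for Keccak-f[1600]

def rol(v, n):
    """Cyclic shift of a lane by n positions in the z direction."""
    return ((v << n) | (v >> (W - n))) & MASK

def rho_offsets():
    """Offsets (t+1)(t+2)/2 mod w, walking (x, y) from (1, 0) as rho prescribes."""
    r = [[0] * 5 for _ in range(5)]          # lane (0, 0) keeps offset 0 (t = -1)
    x, y = 1, 0
    for t in range(24):
        r[x][y] = ((t + 1) * (t + 2) // 2) % W
        x, y = y, (2 * x + 3 * y) % 5
    return r

def round_constants():
    """Iota constants: bit 2^m - 1 of RC[n] is bit m + 7n of a degree-8 LFSR."""
    rcs, lfsr = [], 1
    for _ in range(NR):
        rc = 0
        for m in range(7):                   # 0 <= m <= l
            lfsr = ((lfsr << 1) ^ ((lfsr >> 7) * 0x71)) & 0xFF
            if lfsr & 2:
                rc |= 1 << ((1 << m) - 1)
        rcs.append(rc)
    return rcs

RHO = rho_offsets()
RC = round_constants()

def keccak_f1600(A):
    """Apply the round R = iota . chi . pi . rho . theta NR times; A[x][y] are lanes."""
    for rc in RC:
        # theta: add the parities of columns x-1 (same slice) and x+1 (slice z-1)
        C = [A[x][0] ^ A[x][1] ^ A[x][2] ^ A[x][3] ^ A[x][4] for x in range(5)]
        D = [C[(x - 1) % 5] ^ rol(C[(x + 1) % 5], 1) for x in range(5)]
        A = [[A[x][y] ^ D[x] for y in range(5)] for x in range(5)]
        # rho then pi: rotate each lane, then move lane (x, y) to (y, 2x + 3y)
        B = [[0] * 5 for _ in range(5)]
        for x in range(5):
            for y in range(5):
                B[y][(2 * x + 3 * y) % 5] = rol(A[x][y], RHO[x][y])
        # chi: a[x] <- a[x] + (a[x+1] + 1) a[x+2], the only non-linear step
        A = [[B[x][y] ^ (~B[(x + 1) % 5][y] & B[(x + 2) % 5][y])
              for y in range(5)] for x in range(5)]
        # iota: XOR the round constant into lane (0, 0)
        A[0][0] ^= rc
    return A

def keccak(rate_bytes, message, suffix, out_len):
    """Sponge over Keccak-f[1600]: pad, absorb r-bit blocks, squeeze out_len bytes."""
    lanes = rate_bytes // 8
    padded = bytearray(message)
    padded.append(suffix)                                   # first padding byte
    padded.extend(b"\x00" * (-len(padded) % rate_bytes))    # zero fill
    padded[-1] ^= 0x80                                      # final bit of the padding
    A = [[0] * 5 for _ in range(5)]                         # S[x,y] = 0
    for off in range(0, len(padded), rate_bytes):
        block = padded[off:off + rate_bytes]
        for i in range(lanes):                              # lane index i = x + 5*y
            A[i % 5][i // 5] ^= int.from_bytes(block[8 * i:8 * i + 8], "little")
        A = keccak_f1600(A)
    out = bytearray()
    while True:
        for i in range(lanes):
            out += A[i % 5][i // 5].to_bytes(8, "little")
        if len(out) >= out_len:
            return bytes(out[:out_len])
        A = keccak_f1600(A)

def keccak_256(message):       # r = 1088, c = 512, padding as in the pseudo code
    return keccak(136, message, 0x01, 32)

def sha3_256(message):         # same r and c, SHA-3 padding
    return keccak(136, message, 0x06, 32)

if __name__ == "__main__":
    print(keccak_256(b"").hex())
    print(sha3_256(b"abc").hex())
```

Comparing `sha3_256` with `hashlib.sha3_256` from the Python standard library is a quick way to check every step at once, since a single wrong offset or round constant changes the whole digest.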
How easy it is to put it into a program, and other performance criteria

Implementation costs for differing levels of parameters are almost the same. As a part of standardisation the Keccak team has suggested use of the 1600-bit state, since a single implementation supports all the permutations, and it favours 64-bit CPUs but is also efficient on a 32-bit CPU. Keccak right now has a speed of 12.5 cycles per byte on Intel Core 2 or 64 bit architecture, the fastest in hardware implementation amongst the finalists. Keccak transformations and permutations are bitwise Boolean operations and cyclic shifts on CPU words, thus the choice of a lane as the CPU word favours 64-bit architectures. For 32-bit architectures bit interleaving can be applied. The Keccak-f[1600] that is proposed to be standardised requires only 200 bytes of RAM for the state, plus some working memory. The sponge function lends itself well to application in message authentication codes, pseudo-random bit generators and stream ciphers.

Cryptanalysis

1. Since Keccak is based on the sponge construction it is secure up to the limit of $2^{c/2}$, where c is the capacity chosen. So choosing a higher capacity naturally gives higher security but a decrease in performance.
2. Most of the rounds in Keccak-f are identical, with the exception of Iota, which adds the round constants. Thus if there is a need to increase the security, the number of rounds can be increased.
3. Based on the standard b = 1600, the number of rounds required to provide security against the following attacks is:
   - Keccak-f distinguisher below $2^{b/2}$ by birthday paradox: 21 rounds.
   - Keccak distinguisher: 13 rounds.
   - Inner collisions: 11 rounds.
   - State recovery: 11 rounds.
4. Keccak can be implemented with only AND, NOT and XOR, which allows the algorithm to use masking, making it a good countermeasure against side channel attacks.
5. Zero sum distinguishers is a method where you find an input set that sums to zero and whose output does so too. Although theoretically zero sum distinguishers have been extended to 18 rounds of Keccak, they are ineffective if the input set is taken large. The attack is valid but infeasible with Keccak-f[1600] when reduced to 18 rounds will have to take in about of states that generate a vector space of limited dimension, to compute backwards and obtain inputs that will give zero sum. In fact from round 11 onwards the figure for state consideration starts touching $2^{60}$.[13]
6. Thus, though valid, it is an infeasible attack option, especially when the number of rounds has been increased to 24 in the new standard. Although even in the previous version the algorithm was safe because even for 12 rounds the number of states you have to consider go up to

My personal opinion is that the algorithm looks strong enough on the surface. It seems to be built on the strong fundamentals of the sponge construction, which makes it easy to compare and analyse. Also it does not show any weakness. Most of the exploits that have been raised with respect to permutation and transformation have been addressed by the designers. Also the algorithm is fast, which makes this a worthy candidate for SHA-3.

References

1. en.wikipedia.org/wiki/cryptographic hash function
2. keccak.noekeon.org
3. en.wikipedia.org/wiki/md5
4. en.wikipedia.org/wiki/sha-1
5. en.wikipedia.org/wiki/sha-2
6. en.wikipedia.org/wiki/merkle-damgȧrd construction
7. Cryptographic sponge functions, Guido Bertoni, Joan Daemen, Michaël Peeters and Gilles Van Assche.
8. Sponge Functions, Guido Bertoni, Joan Daemen, Michaël Peeters and Gilles Van Assche.
9. The Keccak SHA-3 submission, Guido Bertoni, Joan Daemen, Michaël Peeters and Gilles Van Assche
summary.html
11. The Keccak reference, Guido Bertoni, Joan Daemen, Michaël Peeters and Gilles Van Assche
Note on zero sum distinguishers of Keccak-f, Guido Bertoni, Joan Daemen, Michaël Peeters and Gilles Van Assche.
Introduction to Network Security Missouri S&T University CPE 5420 Data Integrity Algorithms Egemen K. Çetinkaya Egemen K. Çetinkaya Department of Electrical & Computer Engineering Missouri University of
More informationpage 1 Introduction to Cryptography Benny Pinkas Lecture 3 November 18, 2008 Introduction to Cryptography, Benny Pinkas
Introduction to Cryptography Lecture 3 Benny Pinkas page 1 1 Pseudo-random generator Pseudo-random generator seed output s G G(s) (random, s =n) Deterministic function of s, publicly known G(s) = 2n Distinguisher
More informationLecture 1 Applied Cryptography (Part 1)
Lecture 1 Applied Cryptography (Part 1) Patrick P. C. Lee Tsinghua Summer Course 2010 1-1 Roadmap Introduction to Security Introduction to Cryptography Symmetric key cryptography Hash and message authentication
More informationCryptographic algorithm acceleration using CUDA enabled GPUs in typical system configurations
Rochester Institute of Technology RIT Scholar Works Theses Thesis/Dissertation Collections 8-1-2010 Cryptographic algorithm acceleration using CUDA enabled GPUs in typical system configurations Maksim
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Instructor: Michael Fischer Lecture by Ewa Syta Lecture 5 January 23, 2012 CPSC 467b, Lecture 5 1/35 Advanced Encryption Standard AES Alternatives CPSC 467b,
More informationSecurity Enhancement of the Vortex Family of Hash Functions
Security Enhancement of the Vortex Family of Hash Functions Shay Gueron 1,2 and ichael Kounavis 3 1 obility Group, Intel Corporation 2 University of Haifa, Israel 3 Intel Labs, Circuits and Systems Research
More informationPrivate-Key Encryption
Private-Key Encryption Ali El Kaafarani Mathematical Institute Oxford University 1 of 50 Outline 1 Block Ciphers 2 The Data Encryption Standard (DES) 3 The Advanced Encryption Standard (AES) 4 Attacks
More informationLecture 4: Authentication and Hashing
Lecture 4: Authentication and Hashing Introduction to Modern Cryptography 1 Benny Applebaum Tel-Aviv University Fall Semester, 2011 12 1 These slides are based on Benny Chor s slides. Some Changes in Grading
More informationThe MD6 Hash Function (aka Pumpkin Hash ) Ronald L. Rivest MIT CSAIL CRYPTO 2008
The MD6 Hash Function (aka Pumpkin Hash ) Ronald L. Rivest MIT CSAIL CRYPTO 2008 MD6 Team Dan Bailey Sarah Cheng Christopher Crutchfield Yevgeniy Dodis Elliott Fleming Asif Khan Jayant Krishnamurthy Yuncheng
More informationFirst practical results on reduced-round Keccak Unaligned rebound attack. María Naya-Plasencia INRIA Paris-Rocquencourt, France
First practical results on reduced-round Keccak Unaligned rebound attack María Naya-Plasencia INRIA Paris-Rocquencourt, France Outline Introduction First Practical Results [NP-Röck-Meier11] CP-Kernel:
More informationIntroduction to Cryptology. Lecture 17
Introduction to Cryptology Lecture 17 Announcements HW7 due Thursday 4/7 Looking ahead: Practical constructions of CRHF Start Number Theory background Agenda Last time SPN (6.2) This time Feistel Networks
More informationSecret Key Cryptography
Secret Key Cryptography 1 Block Cipher Scheme Encrypt Plaintext block of length N Decrypt Secret key Cipher block of length N 2 Generic Block Encryption Convert a plaintext block into an encrypted block:
More informationVortex. A New Family of One-Way Hash Functions. Based on AES Rounds and Carry-less Multiplication. Intel Corporation, IL
Vortex A New Family of One-Way Hash Functions Based on AES Rounds and Carry-less Multiplication Shay Gueron Michael E. Kounavis Intel Corporation, IL Intel Corporation, US and University of Haifa, IL Information
More informationMessage Authentication Codes and Cryptographic Hash Functions
Message Authentication Codes and Cryptographic Hash Functions Readings Sections 2.6, 4.3, 5.1, 5.2, 5.4, 5.6, 5.7 1 Secret Key Cryptography: Insecure Channels and Media Confidentiality Using a secret key
More informationCOMP4109 : Applied Cryptography
COMP4109 : Applied Cryptography Fall 2013 M. Jason Hinek Carleton University Applied Cryptography Day 2 information security cryptographic primitives unkeyed primitives NSA... one-way functions hash functions
More informationSymmetric Cryptography. Chapter 6
Symmetric Cryptography Chapter 6 Block vs Stream Ciphers Block ciphers process messages into blocks, each of which is then en/decrypted Like a substitution on very big characters 64-bits or more Stream
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Instructor: Michael Fischer Lecture by Ewa Syta Lecture 5a January 29, 2013 CPSC 467b, Lecture 5a 1/37 Advanced Encryption Standard AES Alternatives CPSC 467b,
More informationGeneric collision attacks on hash-functions and HMAC
Generic collision attacks on hash-functions and HMAC Chris Mitchell Royal Holloway, University of London 1 Agenda 1. Hash-functions and collision attacks 2. Memoryless strategy for finding collisions 3.
More informationMILP-aided Cube-attack-like Cryptanalysis on Keccak Keyed Modes
MILP-aided Cube-attack-like Cryptanalysis on Keccak Keyed Modes Wenquan Bi 1, Xiaoyang Dong 2, Zheng Li 1, Rui Zong 1, and Xiaoyun Wang 1,2 1 Key Laboratory of Cryptologic Technology and Information Security,
More informationNEW COMPRESSION FUNCTION TO SHA-256 BASED ON THE TECHNIQUES OF DES.
NEW COMPRESSION FUNCTION TO SHA-256 BASED ON THE TECHNIQUES OF DES. 1 ZAKARIA KADDOURI, 2 FOUZIA OMARY, 3 ABDOLLAH ABOUCHOUAR, 4 MOHSSIN DAARI, 5 KHADIJA ACHKOUN. LRI Laboratory (Ex: Networks and Data
More informationLecture 5. Cryptographic Hash Functions. Read: Chapter 5 in KPS
Lecture 5 Cryptographic Hash Functions Read: Chapter 5 in KPS 1 Purpose CHF one of the most important tools in modern cryptography and security In crypto, CHF instantiates a Random Oracle paradigm In security,
More informationDifferential Cryptanalysis
Differential Cryptanalysis See: Biham and Shamir, Differential Cryptanalysis of the Data Encryption Standard, Springer Verlag, 1993. c Eli Biham - March, 28 th, 2012 1 Differential Cryptanalysis The Data
More informationIntegrity of messages
Lecturers: Mark D. Ryan and David Galindo. Cryptography 2016. Slide: 106 Integrity of messages Goal: Ensure change of message by attacker can be detected Key tool: Cryptographic hash function Definition
More informationMasterMath Cryptology /2 - Cryptanalysis
MasterMath Cryptology 2015 2/2 Cryptanalysis Friday, 17 April, 2015 09:59 10. Hash Function Cryptanalysis (v3) Cryptographic hash functions map messages of arbitrary size to a fixed size hash, e.g. a bitstring
More informationCryptanalysis of Haraka
Cryptanalysis of Haraka Jérémy Jean Agence Nationale de la Sécurité des Systèmes d Information Crypto Laboratory FSE 2017 @ Tokyo, Japan March 6, 2017 Jeremy.Jean@ssi.gouv.fr Introduction Let n be a positive
More informationCIS 4360 Secure Computer Systems Symmetric Cryptography
CIS 4360 Secure Computer Systems Symmetric Cryptography Professor Qiang Zeng Spring 2017 Previous Class Classical Cryptography Frequency analysis Never use home-made cryptography Goals of Cryptography
More informationIntroduction to Cryptography. Lecture 6
Introduction to Cryptography Lecture 6 Benny Pinkas page 1 1 Data Integrity, Message Authentication Risk: an active adversary might change messages exchanged between Alice and Bob M Alice M M M Bob Eve
More informationin a 4 4 matrix of bytes. Every round except for the last consists of 4 transformations: 1. ByteSubstitution - a single non-linear transformation is a
Cryptanalysis of Reduced Variants of Rijndael Eli Biham Λ Nathan Keller y Abstract Rijndael was submitted to the AES selection process, and was later selected as one of the five finalists from which one
More informationBlock Ciphers. Secure Software Systems
1 Block Ciphers 2 Block Cipher Encryption function E C = E(k, P) Decryption function D P = D(k, C) Symmetric-key encryption Same key is used for both encryption and decryption Operates not bit-by-bit but
More informationParallel Cube Testing on GPUs
Parallel Cube Testing on GPUs by Sudarshan Rao Supervised by Prof. Alan Kaminsky Associate Professor Committee Chair Prof. S. Radziszowski Professor Reader Prof. E. Hemaspaandra Professor Observer Department
More informationJaap van Ginkel Security of Systems and Networks
Jaap van Ginkel Security of Systems and Networks November 5, 2012 Part 3 Modern Crypto SSN Week 2 Hashes MD5 SHA Secret key cryptography AES Public key cryptography DES Book Chapter 1 in full Chapter 2
More informationComputer Security Spring Hashes & Macs. Aggelos Kiayias University of Connecticut
Computer Security Spring 2008 Hashes & Macs Aggelos Kiayias University of Connecticut What is a hash function? A way to produce the fingerprint of a file what are the required properties: 1. Efficiency.
More informationInformation Security CS526
Information CS 526 Topic 3 Ciphers and Cipher : Stream Ciphers, Block Ciphers, Perfect Secrecy, and IND-CPA 1 Announcements HW1 is out, due on Sept 10 Start early, late policy is 3 total late days for
More informationCryptography and Network Security
Cryptography and Network Security Spring 2012 http://users.abo.fi/ipetre/crypto/ Lecture 6: Advanced Encryption Standard (AES) Ion Petre Department of IT, Åbo Akademi University 1 Origin of AES 1999: NIST
More informationPOMELO A Password Hashing Algorithm (Version 2)
POMELO A Password Hashing Algorithm (Version 2) Designer and Submitter: Hongjun Wu Division of Mathematical Sciences Nanyang Technological University wuhongjun@gmail.com 2015.01.31 Contents 1 Specifications
More information