Keccak discussion. Soham Sadhu. January 9, 2012

Transcription

1 Keccak discussion Soham Sadhu January 9, 2012 Keccak (pronounced like Ketchak ) is a cryptographic hash function designed by Guido Bertoni, Joan Daemen, Michaël Peeters and Gilles Van Assche. Keccak is one of the five finalists in the NIST hash function competition to select SHA-3 algorithm.[2] Background What is a hash function? A cryptographic hash function is a deterministic procedure that can take strings of any length and return a string of a fixed size which should be ideally unique to the given input string provided.[1] Ideally a cryptographic hash function should be: 1. Easy to compute. 2. Should be infeasible to compute a input string given a hash output string. 3. Should be infeasible to modify a input string without changing the hash output string. 4. Should be infeasible to find two different input strings that map to same hash output string. Previous and currently used hash functions: One of the popular cryptographic functions previously used was MD5 which produces a 128 bit or 16 byte hash value, designed in mid 90s. However MD5 is not collision resistant, that is two different input strings that map to the same hash value.[3] As per US Computer Emergency and Readiness Team (US-CERT) MD5 is cryptographically broken and unsuitable for further use. SHA-1(Secure Hash Algorithm-1) hash function which is currently being used has a output length of 160 bits. In 2005 a security weakness, likelyhood of a existence of a mathematical weakness in SHA-1 was shown. SHA-2 family of algorithms which have different output lengths or called as message digests namely of length 224, 256, 384, and 512 bits. Though SHA-2 differs from SHA-1 and no successfull attack has been found on those family of algorithms. But SHA-2 do bear some resemblance to SHA-1 structure. [4][5] All the previously stated hash functions are built or have a core of Merkle-Damgȧrd construction which has limitations like being sequential thus not able to take advantage of currently popular parallel processing. Other weaknesses include like able to find other collisions cheaply provided you have a collision.[6] 1

2 Sponge function: The security of a hashing algorithm is generally taken in terms of random oracle whose output has been truncated to desired n bits. Which implies that hash function has a security of 2 n/2 for collision and 2 n for second preimage attacks. A sponge construction or a sponge function is closest approximation to a random oracle except for the side effects of finite memory or internal state collisions which are absent in a random oracle. The sponge construction consists of building a function that takes arbitrary length input and outputs. It does some fixed length of transformations on fixed number of bits say b called width. This width can be expressed as b = r + c where r is the bit rate and c is the capacity. The input message is divided into pieces of length r bits each. The following two things are then done.[7] 1. Absorption: The sponge state initially consists of all zeros. The first input block of length r is XORED with r bits of the state; and transform functions are applied on the state. Next input block is then XORED with this state like the previous one and transformed. This continues till all the input is consumed. 2. Squeezing: the first r blocks of the output are returned from this state and the transformations on the state are continued till all the blocks make for the output length required are got. The last c blocks are never directly output by the input or are never taken as output. Due to existence of inner collisions, iterated hash functions can never be like real random oracle. Probability of success for a number of attacks. The expected number of calls to generate a collision is 2 n/2 and for second pre image it is 2 n. The hash function is considered broken if some one finds attack on hash function with complexity smaller than random oracle. Sponge in general has shown to have the security of the complexity 2 c/2 where c is the capacity of the sponge. And the attacks are generic that is they do not exploit specific 2

3 properties of transformation in the state. Hence one can increase the security of the sponge transformations by increasing capacity and reducting bit rate. In the sponge itself the number of states for transformation will be 2 b2b while the number of permutations will be 2 b! where b is the width of the sponge. This shows that having a transformation sponge will be better than permutation sponge with just one exception of output cycling. If you consider that sponge has a state and map it to nodes then you get 2 b nodes with 2 b edges. If you get a tree like this then analysis on same for the attacks leads to complexity figures given in the below table. The above table gives a cost of the attack for the sponge attack based on the assumption that attacker has no knowledge of the internal working of algorithms. In the above table N is for the number of nodes that can represent a state of the sponge, this number should be almost 2 b where b is the width of the sponge. c is the capacity of the sponge and Z is the output string with Z r being the output truncated to r bits. Inner collisions are those where the bits that are not involved in input or output that is the capacity are same for two different states. Output binding and state recovery can be thought to be analogous to preimage and second pre image attacks. Path finding is given a state find a sequence of steps that map to another step. Output cycles is finding a integer d such that when string say 0 d appended to input gives the same output or you get a periodicity in the output based on the input pattern. It has to be noted that the security strength of the sponge analysed here is independent of the transformation or permutation function included in sponge and is based on the strength of its own structure. [8] 3

4 Keccak algorithm: It is a sponge function with members KECCAK[r, c]. The parameters r = bit rate, c = capacity determine width of Keccak-f permutation, and also applied to sponge construction. The width values are restricted to 25, 50, 100, 200, 400, 800, 1600 right now. Thus the width can be thought as 25 2 l where the values for l are (0, 1, 2, 3, 4, 5, 6). It also does not require masking in case the output is smaller since you can generate arbitrarily long outputs.[9] Given a message M the following procedure takes place.[10] The state is first initialised to zero. operator below stands for concatenation. S[x,y] = 0, forall (x,y) in (04,04) P = M 0x01 0x00 0x00 P = P xor (0x00 0x00 0x80) So the message is ready with the correct number of bits. Here the Pi is the block of initialised message of length r which is the bit rate. w is the word or the width of state given by 2 l. In squeezing phase the blocks of the message are sent to the Keccak functions till they are exhausted. Do note here that the initialised message first block is XORED with the initial state and then sent for processing. The next block is then XORED with the state that comes back after being processed in the first iteration. Thus the transformation function and the absorbing of the messages are interleaved. for all block Pi in P S[x,y] = S[x,y] xor Pi[x+5*y], XOR with the initial state forall (x,y) such that x+5*y < r/w S = Keccak-f[r+c](S) Calling the functions to be applied on the state. end for Squeezing phase. After all the blocks of the message have been consumed by the absorbing phase, next is to squeeze the given amount of bits required. Note that transformations are squeezing are interleaved. That is the number of bits are extracted from the state at bitrate and appended to the empty string, and at each iteration till the bit rate makes up for the required number of bits the Keccak-f function is also called. Z = empty string while output is requested Z = Z S[x,y], forall (x,y) such that x+5*y < r/w S = Keccak-f[r+c](S) end while The Keccak-f function called to do the transformation function does the transformation l on the provided data. All the five sub rounds in transformation that will be dealt later are applied for l times. Below is the pseudo code. Keccak-f[b](A) for all i in 0... nr-1 A = Round[b](A, RC[i]) end for return A Before we move to the main transform functions some terminology. 4

5 5

6 The sponge state consists for Keccak consists of a three dimensional matrix as shown in state with cells consisting of individual bits. The rows and columns of state are 5 each while the number of slices mentioned above or the number of lanes is given by word length which is 2 l where is l is a integer number from 0 to 6.[11] There are five steps in the transformation which round like the following R = ι χ π ρ θ. TThe steps can be executed in arbitrary order. But the step theta has to be done first for the diffusion and it provides the avalanche effect for this cipher. The number of iterations for these five steps are determined by l. Step theta (θ). Which can be mathematically expressed as 4 θ : a[x][y][z] a[x][y][z] + a[x1][y ][z] + y =0 4 a[x1][y ][z 1], y =0 This can be stated as XOR each bit in the state with the XOR value of one column that in same slice but in adjacent column and again XOR with another adjacent column that is not in the same slice but adjacent sheet. [12] 6

7 Step Rho (ρ). Which can be mathematically stated as ρ : a[x][y][z] a[ x ][y][z (t + 1)(t + 2)/2], with t satisfying 0 t < 24 and the x and y values come out of matrix multiplication of 2 2 matrix which has elements 0, 1,2,3, 4 and raise to power of t into a matrix 2 1 consisting of 0 and 1, or t = -1 if x = y = 0. So the bits are shifted in their lanes by a given number of prefixed transformation bits. The bits are shifted in direction z as per the transformation offset table given below. XY values x=3 x=4 x=0 x=1 x=2 y = y = y = y = y =

8 Step Pi (π). The pi transformation is row permutation of columns where π : a[x][y] a[x ][y ] where x = y and y = 2x +3y Please note that in below diagrams for Pi transformation the center is in the middle of the state cell. 8

9 Step Chi (χ). χ : a[x] a [ x ] + ( a [ x + 1] + 1) a [ x + 2] You XOR a particular column with AND of negation of the adjacent column and the column next to it. This is the only non linear operation which kind of breaks the symmetry. Step Iota (ι) Exclusive-or a round constant into one word of the state. To be precise, in round n, for 0ml, a[0][0][2 m 1] is exclusive-ored with bit m+7n of a degree-8 Linear feedback shift register sequence. The following are the round constants for the standard Keccak-f function. RC[0] = 0x , RC[1] 0x , RC[2] 0x A, RC[3] 0x , RC[4] 0x B, RC[5] 0x , RC[6] 0x , RC[7] 0x , RC[8] 0x A, RC[9] 0x , RC[10] 0x , RC[11] 0x A, RC[12] 0x B, RC[13] 0x B, RC[14] 0x , RC[15] 0x , RC[16] 0x , RC[17] 0x , RC[18] 0x A, RC[19] 0x A, RC[20] 0x , RC[21] 0x , RC[22] 0x , RC[23] 0x Since this step one that is different for each round performed, increasing the number of rounds increases security due to this step. 9

10 How much easy it is to put it into a program and other performance criteria Implementation costs for differing levels of parameters is almost the same. As a part of standardisation the Keccak team has suggested use of bit state 1600 since a single implementation supports all the permutations and favours 64-bit CPU but is efficient also on a 32-bit CPU. Keccak right now has a speed of 12.5 cycles per byte on Intel Core 2 or 64 bit architecture, the fastest in hardware implementation amongst the finalists. Keccak transformations and permutations are bitwise Boolean operations and cyclic shifts on CPU words, thus choice of lane as CPU word favours 64-bit architecture. For 32-bit architecture bit interleaving can be applied. The Keccak-f[1600] that is proposed to be standardised requires only 200 bytes of RAM for the state and some working memory. The sponge function lends itself well to application in message authentication codes, pseudo random bit generator, stream cipher. Cryptanalysis 1. Since Keccak is based on sponge construction it is secure to upper limit of 2 c/2 where c is the capacity chosen. So if a higher capacity is chosen, naturally higher security but a decrease in performance. 2. Most of the rounds in the Keccak-f are identical with exception of Iota which adds the round constants. Thus if there is a need to increase the security then number of rounds can be increased. 3. Based on the standard b=1600 the number of rounds required to provide security against the following attacks are: Keccak-f distinguisher below 2 b/2 by birthday paradox: 21 rounds. Keccak distinguisher: 13 rounds. Inner collisions: 11 rounds. State recovery: 11 rounds. 4. Keccak can be implemented only with AND, NOT, XOR and thus this allows the algorithm to go for masking which makes it good counter measure for the side channel attacks. 5. Zero sum distinguishers is a method where you find a input set that sums to zero and so does its output. Although theoretically zero sum distinguishers have been extended to 18 rounds of Keccak but are ineffective if the input set is taken large. The attack is valid but infeasible with Keccak-f[1600] when reduced to 18 rounds will have to take in about of states that generate a vector space of limited dimension, to compute backwards and obtain inputs that will give zero sum. Infact from round 11 onwards the figure for state consideration starts touching 2 60.[13] 6. Thus though valid it is infeasible attack option, especially when the number of rounds have been increased to 24 in new standard. Although even in the previous version the algorithm was safe because even for 12 rounds the number of states you have to consider go upto My personal opinion is that the algorithm looks strong enough on surface. It seems to be build on strong fundamentals of sponge construction which makes easy to compare 10

11 and analyse. Also it does not show any weakness. Most of the exploits that have been raised with respect to permutation and transformation have been addressed by the designers. Also the algorithm is fast, which makes this as a worthy candidate for SHA-3. References 1. en.wikipedia.org/wiki/cryptographic hash function 2. keccak.noekeon.org 3. en.wikipedia.org/wiki/md5 4. en.wikipedia.org/wiki/sha-1 5. en.wikipedia.org/wiki/sha-2 6. en.wikipedia.org/wiki/merkle-damgȧrd construction 7. Cryptographic sponge functions, Guido Bertoni, Joan Daemen, Michaël Peeters and Gilles Van Assche. 8. Sponge Functions, Guido Bertoni, Joan Daemen, Michaël Peeters and Gilles Van Assche. 9. The Keccak SHA-3 submission, Guido Bertoni, Joan Daemen, Michaël Peeters and Gilles Van Assche summary.html 11. The Keccak reference, Guido Bertoni, Joan Daemen, Michaël Peeters and Gilles Van Assche Note on zero sum distinguishers of Keccak-f, Guido Bertoni, Joan Daemen, Michaël Peeters and Gilles Van Assche. 11