SHA-3 and The Hash Function Keccak

Transcription:

Christof Paar, Jan Pelzl
SHA-3 and The Hash Function Keccak
An extension chapter for Understanding Cryptography, A Textbook for Students and Practitioners
www.crypto-textbook.com
Springer

Table of Contents
1 The Hash Function Keccak and the Upcoming SHA-3 Standard
  1.1 Brief History of the SHA Family of Hash Functions
  1.2 High-level Description of Keccak
  1.3 Input Padding and Generating of Output
  1.4 The Function Keccak-f (or the Keccak-f Permutation)
    1.4.1 Theta (θ) Step
    1.4.2 Steps Rho (ρ) and Pi (π)
    1.4.3 Chi (χ) Step
    1.4.4 Iota (ι) Step
  1.5 Implementation in Software and Hardware
  1.6 Discussion and Further Reading
  1.7 Lessons Learned
  Problems
  References

Chapter 1
The Hash Function Keccak and the Upcoming SHA-3 Standard

This document (fn. 1) is a stand-alone description of the Keccak hash function which is the basis of the upcoming SHA-3 standard. The description is consistent with the approach used in our book Understanding Cryptography, A Textbook for Students and Practitioners [11]. If you own the book, this document can be considered Chapter 11b. However, the book is most certainly not necessary for using the SHA-3 description in this document. You may want to check the companion web site of Understanding Cryptography for more information on Keccak: www.crypto-textbook.com.

In this chapter you will learn:
- A brief history of the SHA-3 selection process
- A high-level description of SHA-3
- The internal structure of SHA-3
- A discussion of the software and hardware implementation of SHA-3
- A problem set and recommended further readings

Footnote 1: We would like to thank the Keccak designers as well as Pawel Swierczynski and Christian Zenger for their extremely helpful input to this document. Thanks go also to Friedrich Wiemer for doing the graphics in this chapter.

1.1 Brief History of the SHA Family of Hash Functions

A large number of hash functions have been proposed over the last two decades. In practice, by far the most popular ones have been the hash algorithms of what is called the MD4 family. MD5, the SHA family and RIPEMD are all based on the principles of MD4. This message digest algorithm was developed by Ronald Rivest. MD4 was an innovative idea because it was especially designed to allow very efficient software implementation. It uses 32-bit variables, and all operations are bitwise Boolean functions such as logical AND, OR, XOR and negation. All subsequent hash functions in the MD4 family are based on the same software-friendly principles.

A strengthened version of MD4, named MD5, was proposed by Rivest in 1991. Both hash functions compute a 128-bit output, i.e., they possess a collision resistance of about 2^64. MD5 became extremely widely used, e.g., in Internet security protocols, for computing checksums of files or for storing password hashes. There were, however, early signs of potential weaknesses. Thus, NIST, the US National Institute of Standards and Technology, published a new message digest standard, which was coined the Secure Hash Algorithm (SHA), in 1993. This is the first member of the SHA family and is officially called SHA, even though it is nowadays commonly referred to as SHA-0. In 1995, SHA-0 was modified to SHA-1. The difference between the SHA-0 and SHA-1 algorithms lies in an improved schedule of the compression function. Both algorithms have an output length of 160 bit. In 1996, a partial attack against the hash function MD5, on which SHA-0 is based, by Hans Dobbertin led to more and more experts recommending SHA-1 as a replacement for the widely used MD5. Since then, SHA-1 has gained wide adoption in numerous products and standards.

In the absence of analytical attacks, the maximum collision resistance of SHA-0 and SHA-1 is about 2^80, which is not a good fit if they are used in protocols together with algorithms such as AES, which has a security level of 128-256 bits. Similarly, most public-key schemes can offer higher security levels; for instance, elliptic curves can have security levels of 128 bits if 256-bit curves are used. Thus, in 2001 NIST introduced three more variants of SHA-1: SHA-256, SHA-384 and SHA-512, with message digest lengths of 256, 384 and 512 bits, respectively. A further modification, SHA-224, was introduced in 2004 in order to fit the security level of 3DES. These four hash functions are often referred to as SHA-2.

In 2004, collision-finding attacks against MD5 and SHA-0 were announced by Xiaoyun Wang. One year later it was claimed that the attack could be extended to SHA-1 and that a collision search would take 2^63 steps, which is considerably less than the 2^80 achieved by the birthday attack. It should be noted that the attack has never been successfully applied against SHA-1 at the time of writing, i.e., about eight years after the attack had been described. In any case, the Wang attack should be taken seriously, and NIST held two public workshops to assess the status of SHA and to solicit public input on its cryptographic hash function policy and standard. Subsequently, NIST decided to develop an additional hash function, to be named SHA-3, through a public competition. This

approach is quite similar to the selection process of AES in the late 1990s. However, unlike AES, which was clearly meant as a replacement for DES, it was planned that SHA-2 and SHA-3 should co-exist, assuming there are no new attacks against SHA-2. In fact, at the time of writing, i.e., early 2013, SHA-2 is still considered highly secure. For these reasons both SHA-2 and SHA-3, once it is finalized, will be federal US standards. Below is a rough time line of the SHA-3 selection process:

- November 2, 2007: NIST announces the SHA-3 call for algorithms.
- October 31, 2008: 64 submissions are received from the international cryptography community.
- December 2008: NIST selects 51 algorithms for Round 1 of the SHA-3 competition.
- July 2009: After much input from the scientific community, NIST selects 14 Round 2 algorithms.
- December 9, 2010: NIST announces five Round 3 candidates. These are the hash functions:
  - BLAKE by Jean-Philippe Aumasson, Luca Henzen, Willi Meier, and Raphael C.-W. Phan
  - Grøstl by Praveen Gauravaram, Lars Knudsen, Krystian Matusiewicz, Florian Mendel, Christian Rechberger, Martin Schläffer and Søren S. Thomsen
  - JH by Hongjun Wu
  - Keccak by Guido Bertoni, Joan Daemen, Michaël Peeters and Gilles Van Assche
  - Skein by Bruce Schneier, Stefan Lucks, Niels Ferguson, Doug Whiting, Mihir Bellare, Tadayoshi Kohno, Jon Callas and Jesse Walker
- October 2, 2012: NIST selects Keccak as basis for the SHA-3 hash function (fn. 2).

Footnote 2: Like AES, Keccak was designed by a team of European cryptographers. One member of the Keccak team, Joan Daemen from Belgium, is also one of the two AES designers.

It should be stressed that Keccak has a quite different internal structure than hash functions that belong to the MD4 family, including SHA-1 and SHA-2. Please see Section 1.6 for more information on the SHA-3 competition.

1.2 High-level Description of Keccak

In the following we will describe the hash function Keccak. Keccak has several parameters that can be chosen by the user. At the time of writing, NIST has not made a final decision which parameters will be used for the SHA-3 standard. Thus, all references to SHA-3 are preliminary. We will update this document in the future should there be changes with respect to the SHA-3 parameters.

A central requirement by NIST for the SHA-3 hash function was the support of the following output lengths:

- 224 bits
- 256 bits
- 384 bits
- 512 bits

If a collision search attack is applied to the hash function (an attack that, due to the birthday paradox, is in principle always feasible, as we recall from Section 12.2.3 of Understanding Cryptography [11]), SHA-3 with 256, 384 and 512 bit output shows an attack complexity of approximately 2^128, 2^192 and 2^256, respectively. This is an exact match for the cryptographic strength that the three key lengths of AES provide against brute-force attacks (cf. [11, Chapter 6.2.4]). Similarly, 3DES has a cryptographic strength of 2^112, and SHA-3 with 224 bit output shows the same resistance against collision attacks.

It turns out that Keccak also allows the generation of arbitrarily many output bits. This is entirely different from the hash functions SHA-1 and SHA-2, which output a block of fixed length. Because of this behavior, SHA-3 can be used in two principal modes:

- SHA-2 Replacement Mode: In this mode, SHA-3 produces a fixed-length output of 224, 256, 384, or 512 bits, as described above.
- Variable-length Output Mode: This mode allows the use of SHA-3 for the generation of arbitrarily many output bits. There are many applications in cryptography, e.g., when using SHA-3 as a stream cipher or for generating pseudo-random bits.

Unlike SHA-1 and SHA-2, Keccak does not rely on the Merkle-Damgård construction. Rather, the hash function is based on what is called a sponge construction. After the pre-processing (which divides the message into blocks and provides padding), the sponge construction consists of two phases:

- Absorbing (or input) phase: The message blocks x_i are passed to the algorithm and processed.
- Squeezing (or output) phase: An output of configurable length is computed.

Figure 1.1 shows a high-level diagram of Keccak. For both phases the same function is being used. This function is named Keccak-f. Figure 1.2 shows how the sponge construction reads in the input blocks x_i, and how the output blocks y_j are generated. The sponge construction allows arbitrary-length outputs y_0, ..., y_n. When SHA-3 is used as SHA-2 replacement, only the first bits of the first output block y_0 are required.

[Fig. 1.1 High-level view on Keccak: the message m is preprocessed into blocks x_0, x_1, ..., which enter the inner Keccak sponge construction; the absorbing phase is followed by the squeezing phase, which outputs y_0 = h(m), ..., y_n.]

[Fig. 1.2 Absorbing and squeezing phases of the sponge construction: the input blocks x_0, x_1, ..., x_{t-1} are fed into the r-bit part of the state during absorbing, the c-bit part is never touched by input or output, f is applied between blocks, and the output blocks y_0, y_1, ... are read out during squeezing.]

There are several parameters with which the input and output sizes as well as the security level of Keccak can be configured. The corresponding parameters are:

- b is the width of the state, i.e., b = r + c (cf. Figure 1.2). b in turn depends on the exponent l and can take the following values: b = 25 · 2^l, l = 0, 1, ..., 6. That means the state can have a width of b ∈ {25, 50, 100, 200, 400, 800, 1600}. Note that the two small parameters b = 25 and b = 50 are only toy values for analyzing the algorithm and should not be used in practice.
- r is called the bit rate. r is equal to the length of one message block x_i, cf. Figure 1.2.
- c is called the capacity. It must hold that r + c is a valid state width, i.e., r + c = b ∈ {25, 50, 100, 200, 400, 800, 1600}.

For SHA-3 a state of b = 1600 bits is used. In this case the two bit rates r = 1344 and r = 1088 are allowed, from which the two capacities c = 256 and c = 512, respectively, follow. When used in SHA-2 replacement mode, SHA-3 uses the parameters given in Table 1.1. The security level denotes the number of computations an attacker has to perform in order to break the hash function, e.g., a security level of 128 bits implies that an adversary has to perform 2^128 computations (cf. [11, Section 6.2.4]). Note that the parameters are not standardized yet. Interestingly, the message padding is different for each of the four output lengths, as will be explained in Section 1.3.

Table 1.1 The parameters of SHA-3 when used as SHA-2 replacement

b (state) [bits]   r [bits]   c [bits]   security level [bits]   hash output [bits]
1600               1344       256        128                     224
1600               1344       256        128                     256
1600               1088       512        256                     384
1600               1088       512        256                     512

Let's look at Figure 1.2. We can see that the main thing we need to develop is the function Keccak-f. Before we do this, we introduce the input padding and output generation.

1.3 Input Padding and Generating of Output

Prior to the actual processing of a message m by the hash function, the input has to be padded (fn. 3). One reason for this is that the padded input has a length which is a multiple of r bits. (We recall from Figure 1.2 that blocks of r bits are fed into SHA-3.) There are also security considerations which require the specific padding used in SHA-3. The padding rule for an input message m is as follows:

pad(m) = m || P10*1 = ..., x_1, x_0

The scheme appends a predetermined bit string P followed by a 1, then by the smallest number of 0s and a terminating 1 such that the total length of the new string is a multiple of r. Note that the string 0* = 0...0 can be the empty string, i.e., it can consist of no zeros. The value of P depends on the mode and the output length in which SHA-3 is being used and is given in Table 1.2.

Footnote 3: Note that the padding rules for SHA-3 described in this section are not finalized by NIST at the time of writing.

Table 1.2 Proposed input padding for SHA-3

mode                     output length   P10*1
SHA-2 replacement        224             11001 10*1
SHA-2 replacement        256             11101 10*1
SHA-2 replacement        384             11001 10*1
SHA-2 replacement        512             11101 10*1
variable-length output   arbitrary       1111 10*1

When using the hash function as SHA-2 replacement, the minimum number of bits appended by the padding rule is seven (i.e., the bits 1100111 or 1110111), and the maximum number of padding bits appended is r + 1. The latter case occurs if the last message block consists of

r − 6 bits. In the other mode, i.e., using SHA-3 with variable output length, at least 6 bits are added and at most r + 5 bits. At the end of the padding process we obtain a series of blocks x_i, where each block x_i has a length of r bits.

Output: When using the SHA-2 replacement mode, the last invocation of the function Keccak-f, i.e., the last round of the absorbing phase, will produce the hash output, which is part of y_0 (cf. Figure 1.2). In contrast, when the variable-length output mode is used, the squeezing phase of the sponge construction allows one to compute as many hash output blocks as desired by the user. As one can see from Figure 1.2, Keccak computes chunks of r output bits. In the case of SHA-3, r = 1344 or r = 1088, i.e., y_0 is already 1344 or 1088 bits long, respectively. If SHA-3 is used as SHA-2 replacement, only 224, 256, 384, or 512 bits are required. In order to obtain the desired output length, the least significant bits of y_0 are used as hash output and the remaining bits of y_0 are discarded. When using Keccak in the variable-length output mode, all bits of y_0 can be used as well as, of course, all subsequent output blocks y_1, y_2, ...

1.4 The Function Keccak-f (or the Keccak-f Permutation)

The function Keccak-f is at the heart of the hash algorithm and is used in both phases of the sponge construction, cf. Figure 1.2. Keccak-f is also referred to as the Keccak-f permutation. The latter name stems from the fact that the function permutes the 2^b input values, i.e., every b-bit integer is mapped to exactly one b-bit output integer in a bijective manner (fn. 4) (a one-to-one mapping). We look now at the inner structure of Keccak-f, which is visualized in Figure 1.3.

[Fig. 1.3 Internal structure of function Keccak-f: the b = r + c state bits pass through Round 1, ..., Round n, each round consisting of the steps θ, ρ, π, χ and ι.]

Footnote 4: Note that such a permutation function is different from the bit permutations that are utilized within DES.

The function consists of n rounds. Each round has an input which consists of b = r + c bits. The number of rounds depends on the parameter l:

n = 12 + 2l

As mentioned in Subsection 1.2, l also determines the state width b = 25 · 2^l. Table 1.3 shows the corresponding number of rounds as a function of the state width. We note that for SHA-3 there are n = 24 rounds because l = 6. The rounds are identical except for the round constant RC[i], which takes a different value in each round i. The round constants are only used in the Iota Step of the round function, cf. Subsection 1.4.4.

Table 1.3 Number of rounds within Keccak-f (for SHA-3: b = 1600 and n = 24)

state width b [bits]   # rounds n
25                     12
50                     14
100                    16
200                    18
400                    20
800                    22
1600                   24

As shown in Figure 1.3, each round consists of a sequence of five steps denoted by Greek letters: θ (theta), ρ (rho), π (pi), χ (chi) and ι (iota). Each step manipulates the entire state. The state can be viewed as a 3-dimensional array as shown in Figure 1.4. The state array consists of b = 5 × 5 × w bits, where w = 2^l.

[Fig. 1.4 The state of Keccak, where each small cube represents one bit. For SHA-3, the state is a 5 × 5 × 64 bit array. (Graphic taken from [4] and used with permission by the Keccak designers.)]

As mentioned above, one has to choose l = 6 for SHA-3 and thus:

w = 64 bits

The w bits for a given (x,y) coordinate are called a lane (i.e., the bits in the word along the z-axis). In the following we describe the five steps θ, ρ, π, χ and ι of Keccak-f. Interestingly, even though one has to compute the θ Step first, the order in which the remaining four steps are executed does not matter. Readers with a background in hardware design will recognize that the steps are relatively hardware-friendly. This means that Keccak can be implemented quite compactly in digital hardware, resulting in high performance and, sometimes more importantly, in less energy usage than the more software-oriented SHA-1 and SHA-2 algorithms.

1.4.1 Theta (θ) Step

The easiest way to grasp the function of the θ Step is to view the state as a two-dimensional array (more precisely: a 5 × 5 array), where each array element consists of a single word with w bits, as shown in Figure 1.4. If we denote this array by A[x,y], with x, y = 0, 1, ..., 4, the θ Step performs the following operation:

C[x] = A[x,0] ⊕ A[x,1] ⊕ A[x,2] ⊕ A[x,3] ⊕ A[x,4],   x = 0,1,2,3,4
D[x] = C[x−1] ⊕ rot(C[x+1], 1),                     x = 0,1,2,3,4
A[x,y] = A[x,y] ⊕ D[x],                             x,y = 0,1,2,3,4

C[x] and D[x] are one-dimensional arrays which contain five words of length w bits. ⊕ denotes the bit-wise XOR operation of the two w-bit operands, and rot(C[·], 1) denotes a rotation of the operand by one bit. This rotation is in the direction of the z-axis if we consider Figure 1.4. Note that all indices are taken modulo 5, e.g., C[−1] refers to C[4]. Figure 1.5 shows the θ Step on a bit level. Roughly speaking, every bit is replaced by the XOR sum of 10 bits in its neighborhood and the original bit itself. To be exact: One adds to the bit being processed the five bits forming the column to the left plus the column which is on the right and one position to the front. Remember that there are a total of 25w = 25 · 64 = 1600 bits in the state. It is a good mental exercise to figure out how Figure 1.5 follows from the pseudo code above.

1.4.2 Steps Rho (ρ) and Pi (π)

The next two steps compute an auxiliary 5 × 5 array B from the state array A. Note that B[i,j] refers to a word with w bits. Both steps can be expressed jointly by the following simple pseudo-code:

B[y, 2x+3y] = rot(A[x,y], r[x,y]),   x,y = 0,1,2,3,4

[Fig. 1.5 The θ Step of Keccak-f. (Graphic taken from [4] and used with permission by the Keccak designers.)]

rot(A[·], i) rotates one word of A by i bit positions. The number of rotations is specified by r[x,y], which is a table with integer values that are referred to as rotation offsets, given in Table 1.4 below. Note that the table entries are constants. The operation of the ρ and π Step is quite easy: They take each of the 25 lanes (i.e., words with w bits) of the state array A, rotate it by a fixed number of positions (this is the Rho Step), and place the rotated lane at a different position in the new array B (this is the Pi Step) (fn. 5). As an example, let's look at the lane at location [3,1], i.e., the w-bit word A[3,1]. First, this word is rotated by 55 bit positions, cf. Table 1.4 for x = 3, y = 1. The rotated word is then placed in the B array at location B[1, 2·3 + 3·1] = B[1,4]. Note that the indices are computed modulo 5.

Footnote 5: Rho can be thought of as a mnemonic for rotation, and Pi for permutation.

Table 1.4 The rotation constants (aka rotation offsets) r[x,y]

        x = 3   x = 4   x = 0   x = 1   x = 2
y = 2      25      39       3      10      43
y = 1      55      20      36      44       6
y = 0      28      27       0       1      62
y = 4      56      14      18       2      61
y = 3      21       8      41      45      15

1.4.3 Chi (χ) Step

The χ Step manipulates the B array computed in the previous step and places the result in the state array A. The χ Step operates on lanes, i.e., words with w bits. The

pseudo code of the step is as follows:

A[x,y] = B[x,y] ⊕ ((¬B[x+1,y]) ∧ B[x+2,y]),   x,y = 0,1,2,3,4

where ¬B[i,j] denotes the bitwise complement of the lane at address [i,j], and ∧ is the bitwise Boolean AND operation of the two operands. As in all other steps, the indices are to be taken modulo 5. Describing the operation verbally, one could say that the χ Step takes the lane at location [x,y] and XORs it with the logical AND of the lane at address [x+2,y] and the inverse of the lane at location [x+1,y]. Figure 1.6 visualizes the step. Again, it is helpful to find out how the figure is related to the pseudo code above.

[Fig. 1.6 The χ Step of Keccak-f. The upper row represents five lanes of the B array, whereas the lower row shows five lanes of the state array A. (Graphic taken from [4] and used with permission by the Keccak designers.)]

1.4.4 Iota (ι) Step

The Iota Step is the most straightforward one. It adds a predefined w-bit constant to the lane at location [0,0] of the state array A:

A[0,0] = A[0,0] ⊕ RC[i]

The constant RC[i] differs depending on which round i is being executed. We recall from Table 1.3 that the number of rounds n varies with the parameter b chosen for Keccak. For SHA-3, there are n = 24 rounds. The corresponding round constants RC[0], ..., RC[23] are shown in Table 1.5.

Table 1.5 The round constants RC[i], where each constant is 64 bits long and given in hexadecimal notation

RC[ 0] = 0x0000000000000001    RC[12] = 0x000000008000808B
RC[ 1] = 0x0000000000008082    RC[13] = 0x800000000000008B
RC[ 2] = 0x800000000000808A    RC[14] = 0x8000000000008089
RC[ 3] = 0x8000000080008000    RC[15] = 0x8000000000008003
RC[ 4] = 0x000000000000808B    RC[16] = 0x8000000000008002
RC[ 5] = 0x0000000080000001    RC[17] = 0x8000000000000080
RC[ 6] = 0x8000000080008081    RC[18] = 0x000000000000800A
RC[ 7] = 0x8000000000008009    RC[19] = 0x800000008000000A
RC[ 8] = 0x000000000000008A    RC[20] = 0x8000000080008081
RC[ 9] = 0x0000000000000088    RC[21] = 0x8000000000008080
RC[10] = 0x0000000080008009    RC[22] = 0x0000000080000001
RC[11] = 0x000000008000000A    RC[23] = 0x8000000080008008

1.5 Implementation in Software and Hardware

When computing the hash algorithm, the majority of time is spent on Keccak-f. Thus, the following discussion will focus on implementing this function in software and hardware. If Keccak is used as SHA-3, the state is 1600 bits, which is stored in 25 words of 64 bits each (cf. Figure 1.4). On 64 bit CPUs, which are in the majority of modern PCs, one 64 bit lane can be stored naturally in one register. Also, most 32 bit CPUs from Intel and AMD support some instructions on 64 bits, especially bitwise Boolean operations, which are the main operations in the five steps of Keccak-f. Generally speaking, Keccak is quite amenable to software implementation. It shares this property with the other SHA hash algorithms. A highly optimized SHA-3 implementation on modern Intel Core CPUs can be executed at a rate of about 13 cycles/byte, which translates, e.g., to a throughput of approximately 230 MByte/s (or about 1.84 Gbit/s) if the processor is clocked at 3 GHz. On 8 bit CPUs, which are very popular in embedded systems, SHA-3 can be implemented at about 1110 cycles/byte. Assuming a clock frequency of 10 MHz, this results in a throughput of about 9 kbyte/s, or roughly 72 kbit/s.

Keccak turns out to be very well suited for hardware implementations. The algorithm is considerably more efficient in hardware than SHA-2. A high-speed parallelized architecture can easily achieve throughputs of 30 Gbit/sec or beyond with an area of about 100,000 gate equivalences. On the other end of the performance spectrum, a very small serial hardware engine with less than 10,000 gate equivalences can still achieve throughputs of several 10 Mbit/sec.

1.6 Discussion and Further Reading

The SHA-3 Selection Process: The Request for Candidate Algorithms by NIST, the US National Institute of Standards and Technology, was issued in 2007. The

1.6 Discussion and Futhe Reading 13 fou citeia fo selecting the new hash function wee secuity, pefomance, cyptogaphic matuity (i.e., how well an algoithm is undestood and has been analyzed) and divesity (i.e., how dissimila the intenal stuctue is fom SHA-2). Afte the submissions wee eceived in late 2008, thee wee fou yeas duing which the 51 algoithms consideed by NIST undewent intensive analysis by the intenational scientific community. The main focus was to cyptanalyze the algoithms and to study thei pefomance. The official NIST website has many esouces about the competition, including the official epots at the end of Round 1, 2 and 3 [10]. The best oveview of the multifaceted selection effot is the SHA-3 Zoo poject [1] povided by ECRYPT (Euopean Netwok of Excellence in Cyptogaphy). The SHA-3 Zoo is a wiki-like web esouce which in paticula (i) povides an oveview of each SHA-3 algoithm and (ii) summaizes the cyptanalysis of each hash function. Regading Keccak, the official efeence descibing the algoithm is document [8]. The fou algoithm designes maintain a website with many useful infomation on the hash function [3], including softwae and hadwae code (HDL), and a pseudo code desciption of Keccak which can be quite useful fo implementes [5]. Keccak vs. SHA-2 Keccak is based on a sponge constuction and has thus a quite diffeent stuctue fom hash functions that belong to the MD4 family, such as SHA- 1 and SHA-2. As mentioned in Section 1.1, even though seious weaknesses wee found in SHA-1 in 2004, they have until now not caied ove to SHA-2, which is an ensemble of hash functions which ae consideably stonge than SHA-1. Many symmetic cypto eseaches seiously doubt that the SHA-1 attack will eve pose a pactical theat against SHA-2. As a esult of this development thee will eventually be two hash functions (to be exact: the SHA-2 family and the SHA-3 family) which will be NIST standads. This is not necessaily a bad situation fo the following easons. 
First, SHA-2 and Keccak are based on very different design principles. Should there ever be a major cryptanalytical breakthrough (and this is a big "should") against one of the hash functions, there is a high likelihood that the attack will not apply to the other one. Second, SHA-2 and Keccak possess different implementation characteristics. Thus, for a given application it can be beneficial to be able to select the algorithm which shows the more favorable behavior for the given platform. For instance, Keccak is more hardware-friendly and is better suited for embedded applications that are power or cost constrained, which is often true for battery-powered devices (cf. the paragraph on implementation below). Finally, Keccak is more versatile and can be used for more purposes than mere hashing, which can be attractive for certain applications.

Sponge Constructions and the Security of Keccak

The sponge construction, or sponge function, is a new approach to building hash functions. It was proposed by the Keccak designers at an ECRYPT workshop in 2007. In general, a sponge construction can be viewed as a function which takes an arbitrarily sized input and computes an output of any length needed by the user. A sponge construction can easily be built by iterating a given permutation function f. Interestingly, a sponge construction can also be used for building stream ciphers and message authentication codes (MACs). A general introduction to and more resources about sponge constructions can be found on the Sponge Functions Corner website maintained by the Keccak designers [3]. A more exhaustive treatment, including much more about the theory behind sponge constructions and their security properties, is provided in reference [7].

As part of the SHA-3 competition there have been extensive efforts by the scientific community to discover weaknesses in Keccak (and, of course, all other SHA-3 candidate algorithms). To date, there appears to be no attack which has even a remote chance of success. To give the reader an idea of the state of the art: the best attack known so far requires about 2^500 (!) steps and only works against a scaled-down version of Keccak with 8 rounds. We recall from Section 1.4 that SHA-3 requires 24 rounds. An overview of the various research papers dealing with the security analysis of Keccak can be found in reference [6].

Keccak Implementation

There is a host of low-level implementation tricks available in order to speed up Keccak on modern 32 and 64 bit CPUs. A good overview is provided in reference [9]. A benchmark test suite which automatically provides performance measurements is eBACS, which was created as part of ECRYPT and is maintained by Dan Bernstein and Tanja Lange [2]. eBACS provides performance numbers for SHA-3 and many other hash functions, symmetric and asymmetric algorithms on a large variety of software platforms. As stated in Section 1.5, SHA-3 shows a similar performance to SHA-1 on modern 64 bit CPUs. The situation is different in hardware. Keccak is considerably more efficient than SHA-1 and the other finalist algorithms of the SHA-3 competition. In one comparison, which took the throughput-to-area ratio into account, Keccak was by a factor of about 5 more efficient than the other finalist hash functions and SHA-1. Two recommended references which provide absolute numbers and also discuss the difficulties of providing reliable hardware comparisons are [12] and [13].
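To make the sponge construction and the round steps discussed in this section concrete, the following Python is an added example; it is not code from the chapter or from the Keccak designers' site. It implements Keccak-f[1600] step by step (theta, rho, pi, chi, iota) and the absorb and squeeze phases on top of it, keeps the pad10*1 padding of the submitted Keccak beside the domain-separation suffix that FIPS 202 later fixed for SHA3-256 and SHAKE128, and cross-checks its SHA3-256 and SHAKE128 output against Python's own hashlib. All function names, the helper sha3_rate_bits (the rule r = 1600 - 2n for the fixed-length variants) and the byte-level encoding of the suffix are this example's own conventions. Applying theta or keccak_round to a state of your own construction is also a convenient way to check your answers to Problems 1.4 and 1.6 at the end of the chapter.

```python
# Added example, not code from the chapter or the Keccak designers: a pure-Python
# Keccak-f[1600] and the sponge on top of it. Lane (x, y) is the 64-bit word
# A[x][y]; bytes map to lanes little-endian in lane order x + 5*y.
import hashlib

MASK = (1 << 64) - 1
RC = [  # iota round constants, one per round of Keccak-f[1600]
    0x0000000000000001, 0x0000000000008082, 0x800000000000808A, 0x8000000080008000,
    0x000000000000808B, 0x0000000080000001, 0x8000000080008081, 0x8000000000008009,
    0x000000000000008A, 0x0000000000000088, 0x0000000080008009, 0x000000008000000A,
    0x000000008000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003,
    0x8000000000008002, 0x8000000000000080, 0x000000000000800A, 0x800000008000000A,
    0x8000000080008081, 0x8000000000008080, 0x0000000080000001, 0x8000000080008008,
]

# rho offsets from the (t+1)(t+2)/2 rule, walking the lanes via (x, y) -> (y, 2x+3y)
ROT = [[0] * 5 for _ in range(5)]
_x, _y = 1, 0
for _t in range(24):
    ROT[_x][_y] = ((_t + 1) * (_t + 2) // 2) % 64
    _x, _y = _y, (2 * _x + 3 * _y) % 5

def rot(lane, n):  # rotate a 64-bit lane left by n positions along z
    n %= 64
    return ((lane << n) | (lane >> (64 - n))) & MASK

def theta(A):
    """theta: XOR every lane with the parities of two neighbouring columns."""
    C = [A[x][0] ^ A[x][1] ^ A[x][2] ^ A[x][3] ^ A[x][4] for x in range(5)]
    D = [C[(x - 1) % 5] ^ rot(C[(x + 1) % 5], 1) for x in range(5)]
    return [[A[x][y] ^ D[x] for y in range(5)] for x in range(5)]

def rho_pi(A):
    """rho and pi: rotate each lane, then move it to position (y, 2x+3y)."""
    B = [[0] * 5 for _ in range(5)]
    for x in range(5):
        for y in range(5):
            B[y][(2 * x + 3 * y) % 5] = rot(A[x][y], ROT[x][y])
    return B

def chi(B):
    """chi: the only non-linear step, a 5-bit S-box applied along each row."""
    return [[B[x][y] ^ (~B[(x + 1) % 5][y] & MASK & B[(x + 2) % 5][y])
             for y in range(5)] for x in range(5)]

def keccak_round(A, i):
    """One round: theta, rho, pi, chi, then iota XORs RC[i] into lane (0, 0)."""
    A = chi(rho_pi(theta(A)))
    A[0][0] ^= RC[i]
    return A

def keccak_f(A):  # Keccak-f[1600] = 24 rounds
    for i in range(24):
        A = keccak_round(A, i)
    return A

def bytes_to_state(block):  # 200 bytes -> 5x5 lanes, lane i = x + 5y
    A = [[0] * 5 for _ in range(5)]
    for i in range(25):
        A[i % 5][i // 5] = int.from_bytes(block[8 * i:8 * i + 8], "little")
    return A

def state_to_bytes(A):
    return b"".join(A[i % 5][i // 5].to_bytes(8, "little") for i in range(25))

def sha3_rate_bits(out_bits):
    return 1600 - 2 * out_bits  # SHA-3 fixes c = 2n, so the rate is r = 1600 - 2n bits

def pad(msg, rate_bytes, suffix=0x01):
    """pad10*1 with bits numbered LSB-first in a byte. suffix 0x01 is the submitted
    Keccak; FIPS 202 uses 0x06 for SHA3 (domain bits 01 before the pad), 0x1F for SHAKE."""
    padded = bytearray(msg) + bytes([suffix])
    padded += b"\x00" * (-len(padded) % rate_bytes)
    padded[-1] |= 0x80  # the closing 1 bit of pad10*1 is the top bit of the last byte
    return bytes(padded)

def sponge(msg, capacity_bits, out_len, suffix=0x01):
    rate_bytes = (1600 - capacity_bits) // 8
    A = [[0] * 5 for _ in range(5)]
    data = pad(msg, rate_bytes, suffix)
    for off in range(0, len(data), rate_bytes):  # absorbing: XOR each block into the rate part
        P = bytes_to_state(data[off:off + rate_bytes] + bytes(200 - rate_bytes))
        A = keccak_f([[A[x][y] ^ P[x][y] for y in range(5)] for x in range(5)])
    out = state_to_bytes(A)[:rate_bytes]
    while len(out) < out_len:  # squeezing: iterate f for every further r bits of output
        A = keccak_f(A)
        out += state_to_bytes(A)[:rate_bytes]
    return out[:out_len]

def keccak256(msg):  # Keccak as submitted to NIST: c = 512, plain pad10*1
    return sponge(msg, 512, 32, 0x01)
def sha3_256(msg):  # FIPS 202 SHA3-256: the same sponge, suffix 0x06
    return sponge(msg, 512, 32, 0x06)
def shake128(msg, out_len):  # SHAKE128: c = 256, output of any length
    return sponge(msg, 256, out_len, 0x1F)

def matches_hashlib(msg):  # cross-check against the interpreter's own SHA3-256 / SHAKE128
    return (sha3_256(msg) == hashlib.sha3_256(msg).digest()
            and shake128(msg, 300) == hashlib.shake_128(msg).digest(300))
```

Two points worth noticing when running it. The chapter's "SHA-3" is the Keccak submission; the standard that NIST eventually published (FIPS 202, 2015) kept the permutation and the capacity rule unchanged and differs only in the suffix bits placed in front of the pad10*1 padding, so keccak256 and sha3_256 above give different digests for the same message even though every other line of code is shared. And the throughput question of Problem 1.1 reduces to sha3_rate_bits: the permutation costs the same per call, but each call absorbs r = 1600 - 2n bits, so a larger output length means a smaller rate and proportionally lower throughput.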
1.7 Lessons Learned

- Keccak was developed as part of a five-year international hash function competition administered by NIST.
- At the time of writing, the SHA-3 standard is being specified based on Keccak. SHA-3 will become a federal US standard and will co-exist together with SHA-2. Both seem very secure at the moment, i.e., there are no attacks known with a reasonable chance of success in practice.
- Keccak is based on a sponge construction and thus has a quite different internal structure than SHA-1 and SHA-2.
- Keccak can be operated with the output lengths 224, 256, 384 and 512 bits and, in contrast to the block-based functions SHA-1 and SHA-2, with an arbitrary output length.
- Keccak is roughly as fast in software as SHA-1 but considerably more efficient (fast, little energy) in hardware and thus well suited for embedded applications.

Problems

1.1. Assume that SHA-3 is used as a replacement for SHA-2 with an output size of 256 bits. In a given software implementation a throughput of 120 MBytes/s is achieved. The same implementation is now used for SHA-3 with 384 output bits. What is the throughput of the latter implementation? (Hint: You just have to study Subsection 1.2.)

1.2. We want to hash a short message consisting of the two bytes 0xCCCC with SHA-3. The hash function should be used as a replacement for SHA-2 with 256 bits. What is the message after padding? Provide an answer in binary notation.

1.3. Keccak-f is a permutation, i.e., every one of the 2^d input values gets a unique output value assigned in a bijective (i.e., one-to-one) manner. In this problem we will study how permutation functions are different from the bit permutations that are used within DES, e.g., the P or IP permutation. Let's consider a toy example, a function with 2 I/O bits. How many different bit permutations exist with 2 input and output bits? Draw one diagram for each possible bit permutation. Now we consider a permutation function f that has 2 input and output bits. How many different (i) input values and (ii) output values exist? More importantly: How many different permutations exist, i.e., how many different bijective (one-to-one) mappings exist between the input and output? List all possible permutations. You can do this in a table which has in its leftmost column all input combinations listed, and for each possible permutation you write a new column to the right. (You may want to write your solution on a piece of paper in landscape orientation.) It turns out that the bit permutations are a subset of the permutation functions. In the example above, which of the permutations generated by f are the bit permutations? In general: How many permutation functions are there for d input bits, and how many bit permutations are there for this case?

1.4. We consider Keccak-f with an input state A where all 1600 bits have the value 0. What is the state after the first round?

1.5. Describe verbally how Figure 1.5 follows from the pseudo code of the θ step in Subsection 1.4.1.

1.6. We consider a SHA-3 state A where all 1600 bits have the value 0 except the bits whose z coordinate is equal to zero, i.e., A[x,y,0] = 1. How many state bits have the value 1? By looking at Figure 1.4, where are those bits located? We now apply the θ step to A. What is the new state?
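As an added example for Problem 1.3 (not part of the chapter), the following Python enumerates every permutation function on d bits, builds each bit permutation as a permutation function so the two notions can be compared directly, counts both families in general, and prints the landscape table the problem describes with the columns that are bit permutations marked. All function names are this example's own.

```python
# Added example (not from the chapter): permutation functions on d bits versus
# bit permutations (wirings such as the DES P and IP permutations), Problem 1.3.
from itertools import permutations
from math import factorial

def permutation_functions(d):
    """Every bijection on the 2^d input values, as a tuple f[0..2^d-1]."""
    return [tuple(p) for p in permutations(range(1 << d))]

def bit_permutation(d, target):
    """Permutation function induced by sending input bit i to output bit target[i]."""
    table = []
    for v in range(1 << d):
        out = 0
        for i in range(d):
            if (v >> i) & 1:
                out |= 1 << target[i]
        table.append(out)
    return tuple(table)

def bit_permutations(d):
    """All d! bit permutations, each expressed as a permutation function."""
    return {bit_permutation(d, t) for t in permutations(range(d))}

def counts(d):
    """(number of permutation functions, number of bit permutations) for d bits."""
    return factorial(1 << d), factorial(d)

def is_bit_permutation(f):
    """True if f only moves bits around without combining them."""
    d = (len(f) - 1).bit_length()
    return f in bit_permutations(d)

def table(d):
    """The landscape table from the problem: inputs down the left column, one
    column per permutation function; bit permutations carry a '*' in the header."""
    funcs = permutation_functions(d)
    wired = bit_permutations(d)
    head = "in".ljust(d) + "  " + " ".join(("*" if f in wired else "").ljust(d) for f in funcs)
    rows = [format(v, f"0{d}b") + "  " + " ".join(format(f[v], f"0{d}b") for f in funcs)
            for v in range(1 << d)]
    return "\n".join([head] + rows)

if __name__ == "__main__":
    print(table(2))
    print("d=2:", counts(2), "d=3:", counts(3), "d=1600: (2^1600)! vs 1600!")
```

For d = 2 the table has four rows and 24 columns, of which exactly two (the identity and the swap of the two bits) are bit permutations; in general there are (2^d)! permutation functions but only d! bit permutations, which is why every bit permutation is a permutation function but almost no permutation function is a wiring.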

References

1. The SHA-3 Zoo. http://ehash.iaik.tugraz.at/wiki/the_sha-3_zoo.
2. Dan Bernstein and Tanja Lange (eds.). eBACS: ECRYPT Benchmarking of Cryptographic Systems. http://bench.cr.yp.to.
3. Guido Bertoni, Joan Daemen, Michaël Peeters and Gilles Van Assche. The Keccak sponge function family. http://keccak.noekeon.org.
4. Guido Bertoni, Joan Daemen, Michaël Peeters and Gilles Van Assche. The Keccak sponge function family: Files. http://keccak.noekeon.org/files.html.
5. Guido Bertoni, Joan Daemen, Michaël Peeters and Gilles Van Assche. The Keccak sponge function family: Specification summary. http://keccak.noekeon.org/specs_summary.html.
6. Guido Bertoni, Joan Daemen, Michaël Peeters and Gilles Van Assche. The Keccak sponge function family: Third-party cryptanalysis. http://keccak.noekeon.org/third_party.html.
7. Guido Bertoni, Joan Daemen, Michaël Peeters and Gilles Van Assche. Cryptographic sponge functions, 2011. http://sponge.noekeon.org/csf-0.1.pdf.
8. Guido Bertoni, Joan Daemen, Michaël Peeters and Gilles Van Assche. The Keccak Reference, 2011. http://keccak.noekeon.org/keccak-reference-3.0.pdf.
9. Guido Bertoni, Joan Daemen, Michaël Peeters, Gilles Van Assche and Ronny Van Keer. Keccak implementation overview, 2012. http://keccak.noekeon.org/Keccak-implementation-3.2.pdf.
10. National Institute of Standards and Technology. Cryptographic Hash Algorithm Competition. http://csrc.nist.gov/groups/st/hash/sha-3/index.html.
11. Christof Paar and Jan Pelzl. Understanding Cryptography - A Textbook for Students and Practitioners. Springer, 2010.
12. S. Matsuo, M. Knezevic, P. Schaumont, I. Verbauwhede, A. Satoh, K. Sakiyama and K. Ota. How can we conduct fair and consistent hardware evaluation for SHA-3 candidate?, 2010. NIST 2nd SHA-3 Candidate Conference.
13. Xu Guo, Sinan Huang, Leyla Nazhandali and Patrick Schaumont. Fair and Comprehensive Performance Evaluation of 14 Second Round SHA-3 ASIC Implementations, 2010. NIST 2nd SHA-3 Candidate Conference.