Keccak

Presenters:Pratheep Joe Siluvai

Rajeev Verma

Overview

● Introduction to Hash function.● Secure Hash Algorithm (SHA)● SHA-3/Keccak

○ Design approach○ Inside Keccak○ Parts of Keccak-f

● Application & Strength● Efficiency● Our work● References

Hashing and Hash Function

• Hashing is the transformation of a string of characters into a usually shorter fixed-length value or key that represents the original string.

• In addition to faster data retrieval, hashing is also used to encrypt and decrypt digital signatures.

• The hashing algorithm is called the Hash Function which generates hash codes.

• Hash codes are stored in a table called hash table.

Hash function

• Algorithm that takes an arbitrary block of data and returns a fixed-size bit string.

• Used from digital signature to git repository to peer to peer transmission.

• Encoded data is called the "message," and the hash value is sometimes called the “message digest” or simply “digest”.

MD5 MD = 128 (Ron Rivest, 1992)SHA-1 MD = 160 (NSA, NIST, 1995)SHA-2 MD = 224/256/384/512 (NSA, NIST, 2001)

Secure Hash Algorithms (SHA’s)

• Family of cryptographic hash functions published by the National Institute of Standards and Technology (NIST)

• SHA defines as U.S. Federal Information Processing Standard (FIPS)

• SHA determine the integrity of a message. So, that any change in the message in the message result in different hash values with high probability.

• Steps for SHA :

– Preprocessing : Padding the data for blocking

– Hash Computation : Process blocks using the hash function.

SHA basics

SHA History

SHA–3 / Keccak● Selected on October 2012 as the winner of the NIST hash

function competition

● Not only a hash function.

● Based on the sponge function.

● Not meant to replace SHA-2.

Keccak Team

Guido Bertoni, Joan Daemen, Michaël Peeters and Gilles Van Assche

Keccak, a sponge function

● Variable input and output length

● More Flexible than regular hash function

● Parameters○ r bits– rate (defines the speed)○ c bits – capacity (defines the security level)

Design Approach● Instantiate a sponge function● Select the capacity and rate parameters

○ capacity + rate = 1600● Rata and capacity decides the strength.● Building an iterated permutation ● Like a block cipher

○ Sequence of identical rounds○ Round consists of sequence of simple step mappings

● No key Schedule , instead round constantsCapacity Rate Strength

256 1344 128

384 1216 192

512 1088 256

Inside Keccak

● The permutation Keccak-f ○ 7 permutations: b → {25, 50, 100, 200, 400, 800,

1600}

● Uses 24 permutation rounds○ Each round invokes 5 modules ○ Theta(θ), rho(ρ), Pi(Π), Chi(χ), iota(ϊ)

Pieces of states

Note : State is 5x5x64bits block.

Theta● Renders the internal state into a 5-by-5 array of 64-bit elements.● Computes the parities of each column and combines them with an

exclusive-or (XOR) operator. ● Then it XORs the resulting parity to each state bit as follows:

S[i][j][k] ^= parity(S[0...4][j-1][k]) ^ parity(S[0...4][j+1][k-1]) where i = 0...4; j = 0...4; k = 0...63

Rho

• The rho module rotates each 64-bit element by a triangular number 0, 1, 3, 6, 10, 15, …..

Pi• The pi module permutes the 64-bit elements.• Permutation follows the fixed pattern assignment shown below:

S[j][2*i + 3*j] = S[i][j]

Chi

• The chi module adds a non-linear aspect to the permutation round.• It combines the row elements using only three bitwise

operators: AND, NOT, and XOR. • Then it writes the result back to the state array as follows:

S[i][j][k] ^= ~S[i][j + 1][k] & S[i][j + 2][k]

Iota● The iota module breaks up any symmetry caused by the

other modules. ● This is done by XORing one of the array elements to a

round constant ● The module has 24 round constants to choose from.

These constants are defined internally by Keccak● Without ϊ , the round mapping would be symmetric

● Without ϊ , all rounds would be the same ○ susceptibility to slide attacks ○ defective cycle structure

Code Reference

Keccak-f[b](A) { forall i in 0…nr-1 A = Round[b](A, RC[i]) return A}

Round[b](A,RC) { θ step C[x] = A[x,0] xor A[x,1] xor A[x,2] xor A[x,3] xor A[x,4], forall x in 0…4 D[x] = C[x-1] xor rot(C[x+1],1), forall x in 0…4 A[x,y] = A[x,y] xor D[x], forall (x,y) in (0…4,0…4)

ρ and π steps B[y,2*x+3*y] = rot(A[x,y], r[x,y]), forall (x,y) in (0…4,0…4)

χ step A[x,y] = B[x,y] xor ((not B[x+1,y]) and B[x+2,y]), forall (x,y) in (0…4,0…4)

ι step A[0,0] = A[0,0] xor RC

return A}

Keccak Summary• Round function:

R = (ϊ) XOR (χ) XOR (Π) XOR (ρ) XOR (θ)• Number of rounds: 12 + 2ℓ

– Keccak-f[25] has 12 rounds – Keccak-f[1600] has 24 rounds

• Efficiency – high level of parallelism – flexibility: bit-interleaving – software: competitive on wide range of CPU – dedicated hardware: very competitive – suited for protection against side-channel attack

Applications

• Regular hashing – Electronic signatures – Data integrity– Data identifier

• Salted hashing (more complex security measure)– Randomized hashing – Password Storage and verification

• Message Authentication Code (MAC)• Single Pass authenticated encryption

– Authentication and Encryption in a single pass– Secure messaging ( SSL, TLS, SSH,…. )– Version control systems.

• Reseedable Pseudorandom sequence generator

Strength of Keccak

• High level of parallelism• Flexibility: bit-interleaving• Software: competitive on wide range of

CPU (also implem. for CUDA)• Dedicated hardware: very competitive• Suited for protection against side-channel

attack• Faster than SHA-2 on all modern PC

Efficiency

Our Work• Keccak source code is available for public access.

• Keccak hash function implementation on microblaze and analyze the hardware performance to perform hashing.

• Analysing the the factors like timing/clock cycles for different bit-rate and capacity factors.

References

● J.-P. Aumasson and D. Khovratovich, First analysis of Keccak, Available online, 2009, http://131002.net/data/papers/AK09.pdf.

● Online Keccak reference site, http://keccak.noekeon.org/

● G. Bertoni, J. Daemen, M. Peeters, G. Van Assche and R. Van Keer, Keccak implementation overview, round 3 submission to NIST SHA-3, 2011

Thank you