Portfolio of optimized cryptographic functions based on Keccak · Portfolio of optimized...
Transcript of Portfolio of optimized cryptographic functions based on Keccak · Portfolio of optimized...
![Page 1: Portfolio of optimized cryptographic functions based on Keccak · Portfolio of optimized cryptographic functions based on Keccak Author: Guido Bertoni, Joan Daemen, Michaël Peeters,](https://reader034.fdocuments.net/reader034/viewer/2022050104/5f42d6c7ed0731529c751fb0/html5/thumbnails/1.jpg)
Portfolio of optimized cryptographic functionsbased on Keccak
Guido Bertoni1 Joan Daemen1,2 Michaël Peeters1Gilles Van Assche1 Ronny Van Keer1
1STMicroelectronics2Radboud University
FOSDEM, Brussels, February 4-5, 2017
1 / 41
![Page 2: Portfolio of optimized cryptographic functions based on Keccak · Portfolio of optimized cryptographic functions based on Keccak Author: Guido Bertoni, Joan Daemen, Michaël Peeters,](https://reader034.fdocuments.net/reader034/viewer/2022050104/5f42d6c7ed0731529c751fb0/html5/thumbnails/2.jpg)
Outline
1 Timeline
2 Security foundations
3 Unkeyed applications
4 Keyed applications
5 Keccak code package
6 Inventory
2 / 41
![Page 3: Portfolio of optimized cryptographic functions based on Keccak · Portfolio of optimized cryptographic functions based on Keccak Author: Guido Bertoni, Joan Daemen, Michaël Peeters,](https://reader034.fdocuments.net/reader034/viewer/2022050104/5f42d6c7ed0731529c751fb0/html5/thumbnails/3.jpg)
Timeline
Outline
1 Timeline
2 Security foundations
3 Unkeyed applications
4 Keyed applications
5 Keccak code package
6 Inventory
3 / 41
![Page 4: Portfolio of optimized cryptographic functions based on Keccak · Portfolio of optimized cryptographic functions based on Keccak Author: Guido Bertoni, Joan Daemen, Michaël Peeters,](https://reader034.fdocuments.net/reader034/viewer/2022050104/5f42d6c7ed0731529c751fb0/html5/thumbnails/4.jpg)
Timeline
Crisis!
By Marcel Germain (flickr.com)
2004: SHA-0 broken (Joux et al.)2004: MD5 broken (Wang et al.)2005: practical attack on MD5(Lenstra et al., and Klima)2005: SHA-1 theoretically broken(Wang et al.)2006: SHA-1 broken further(De Cannière and Rechberger)2007: NIST calls for SHA-3
4 / 41
![Page 5: Portfolio of optimized cryptographic functions based on Keccak · Portfolio of optimized cryptographic functions based on Keccak Author: Guido Bertoni, Joan Daemen, Michaël Peeters,](https://reader034.fdocuments.net/reader034/viewer/2022050104/5f42d6c7ed0731529c751fb0/html5/thumbnails/5.jpg)
Timeline
The SHA-3 competition (2008-2012)
ARIRANG
AURORA
BLAKEBlender
BOOLE
CHI
CRUNCHCubeHash
DCH
EDON-R
EnRUPT
ESSENCE FSB
Fugue
Grøstl
JH
LANE
Lesamnta
Luffa
MCSSHA3
MD6
Sgàil
Shabal
SHAMATA
SIMD
Skein
StreamHash
SWIFFTX
Tangle
TIB3
Twister
Vortex
WaMM
HASH 2X
Maraca
Ponic
ZK-Crypt
Waterfall
Sarmal
BMW
SANDstorm
Spectral Hash
DynamicSHA
NKS2D
Abacus
MeshHash
DynamicSHA 2
Khichidi-1
ECOH
LUX
NaSHA
Hamsi
Keccak
SHAvite-3
ECHOCheetah
2005 2006 2007 2008 2009 2010 2011 2012
16/06/2009
[courtesy of Christophe De Cannière]
5 / 41
![Page 6: Portfolio of optimized cryptographic functions based on Keccak · Portfolio of optimized cryptographic functions based on Keccak Author: Guido Bertoni, Joan Daemen, Michaël Peeters,](https://reader034.fdocuments.net/reader034/viewer/2022050104/5f42d6c7ed0731529c751fb0/html5/thumbnails/6.jpg)
Timeline
Our candidate: Keccak
Keccak is a sponge function …
input output
outerinner
0
0
r
c
f f f f f f
absorbing squeezing
… that uses the Keccak-f permutation6 / 41
![Page 7: Portfolio of optimized cryptographic functions based on Keccak · Portfolio of optimized cryptographic functions based on Keccak Author: Guido Bertoni, Joan Daemen, Michaël Peeters,](https://reader034.fdocuments.net/reader034/viewer/2022050104/5f42d6c7ed0731529c751fb0/html5/thumbnails/7.jpg)
Timeline
Standardization
By @Doug88888 (flickr.com)
2012: Keccak selected by NIST for SHA-32014: 3GPP adopts Keccak in TUAK2015: NIST’s FIPS 202
Of course: SHA3-{224, 256, 384, 512}But also: SHAKE{128, 256}
2016: NIST’s SP 800-185cSHAKEKMACTupleHashParallelHash
7 / 41
![Page 8: Portfolio of optimized cryptographic functions based on Keccak · Portfolio of optimized cryptographic functions based on Keccak Author: Guido Bertoni, Joan Daemen, Michaël Peeters,](https://reader034.fdocuments.net/reader034/viewer/2022050104/5f42d6c7ed0731529c751fb0/html5/thumbnails/8.jpg)
Timeline
More designs building on Keccak
2014: Ketje and Keyaksubmitted to the CAESAR competition
2016: KangarooTwelve2017: Kravatte
… again using the Keccak-f permutation
8 / 41
![Page 9: Portfolio of optimized cryptographic functions based on Keccak · Portfolio of optimized cryptographic functions based on Keccak Author: Guido Bertoni, Joan Daemen, Michaël Peeters,](https://reader034.fdocuments.net/reader034/viewer/2022050104/5f42d6c7ed0731529c751fb0/html5/thumbnails/9.jpg)
Security foundations
Outline
1 Timeline
2 Security foundations
3 Unkeyed applications
4 Keyed applications
5 Keccak code package
6 Inventory
9 / 41
![Page 10: Portfolio of optimized cryptographic functions based on Keccak · Portfolio of optimized cryptographic functions based on Keccak Author: Guido Bertoni, Joan Daemen, Michaël Peeters,](https://reader034.fdocuments.net/reader034/viewer/2022050104/5f42d6c7ed0731529c751fb0/html5/thumbnails/10.jpg)
Security foundations
Analyzing the sponge construction
input output
outerinner
0
0
r
c
f f f f f f
absorbing squeezing
10 / 41
![Page 11: Portfolio of optimized cryptographic functions based on Keccak · Portfolio of optimized cryptographic functions based on Keccak Author: Guido Bertoni, Joan Daemen, Michaël Peeters,](https://reader034.fdocuments.net/reader034/viewer/2022050104/5f42d6c7ed0731529c751fb0/html5/thumbnails/11.jpg)
Security foundations
Analyzing the sponge construction
input output
outerinner
0
0
r
c
absorbing squeezing
10 / 41
![Page 12: Portfolio of optimized cryptographic functions based on Keccak · Portfolio of optimized cryptographic functions based on Keccak Author: Guido Bertoni, Joan Daemen, Michaël Peeters,](https://reader034.fdocuments.net/reader034/viewer/2022050104/5f42d6c7ed0731529c751fb0/html5/thumbnails/12.jpg)
Security foundations
Generic security of the sponge construction
[EuroCrypt 2008]
Theorem, explained
Pr[attack] ≤ N2
2c+1 (or so)
⇒ if N≪ 2c/2, then the probability is negligible
11 / 41
![Page 13: Portfolio of optimized cryptographic functions based on Keccak · Portfolio of optimized cryptographic functions based on Keccak Author: Guido Bertoni, Joan Daemen, Michaël Peeters,](https://reader034.fdocuments.net/reader034/viewer/2022050104/5f42d6c7ed0731529c751fb0/html5/thumbnails/13.jpg)
Security foundations
Generic security of the sponge construction
[EuroCrypt 2008]
Theorem, explained
Pr[attack] ≤ N2
2c+1 (or so)
⇒ if N≪ 2c/2, then the probability is negligible
11 / 41
![Page 14: Portfolio of optimized cryptographic functions based on Keccak · Portfolio of optimized cryptographic functions based on Keccak Author: Guido Bertoni, Joan Daemen, Michaël Peeters,](https://reader034.fdocuments.net/reader034/viewer/2022050104/5f42d6c7ed0731529c751fb0/html5/thumbnails/14.jpg)
Security foundations
Two pillars of security in cryptography
Generic securityStrong mathematical proofs⇒ scope of cryptanalysis reduced to primitive
Security of the primitiveNo proof!⇒ open design rationale⇒ cryptanalysis!Confidence⇐ sustained cryptanalysis activity and no break⇐ proven properties
12 / 41
![Page 15: Portfolio of optimized cryptographic functions based on Keccak · Portfolio of optimized cryptographic functions based on Keccak Author: Guido Bertoni, Joan Daemen, Michaël Peeters,](https://reader034.fdocuments.net/reader034/viewer/2022050104/5f42d6c7ed0731529c751fb0/html5/thumbnails/15.jpg)
Security foundations
Two pillars of security in cryptography
Generic securityStrong mathematical proofs⇒ scope of cryptanalysis reduced to primitive
Security of the primitiveNo proof!⇒ open design rationale⇒ cryptanalysis!Confidence⇐ sustained cryptanalysis activity and no break⇐ proven properties
12 / 41
![Page 16: Portfolio of optimized cryptographic functions based on Keccak · Portfolio of optimized cryptographic functions based on Keccak Author: Guido Bertoni, Joan Daemen, Michaël Peeters,](https://reader034.fdocuments.net/reader034/viewer/2022050104/5f42d6c7ed0731529c751fb0/html5/thumbnails/16.jpg)
Security foundations
Two pillars of security in cryptography
Generic securityStrong mathematical proofs⇒ scope of cryptanalysis reduced to primitive
Security of the primitiveNo proof!⇒ open design rationale⇒ cryptanalysis!Confidence⇐ sustained cryptanalysis activity and no break⇐ proven properties
12 / 41
![Page 17: Portfolio of optimized cryptographic functions based on Keccak · Portfolio of optimized cryptographic functions based on Keccak Author: Guido Bertoni, Joan Daemen, Michaël Peeters,](https://reader034.fdocuments.net/reader034/viewer/2022050104/5f42d6c7ed0731529c751fb0/html5/thumbnails/17.jpg)
Security foundations
Two pillars of security in cryptography
Generic securityStrong mathematical proofs⇒ scope of cryptanalysis reduced to primitive
Security of the primitiveNo proof!⇒ open design rationale⇒ cryptanalysis!Confidence⇐ sustained cryptanalysis activity and no break⇐ proven properties
12 / 41
![Page 18: Portfolio of optimized cryptographic functions based on Keccak · Portfolio of optimized cryptographic functions based on Keccak Author: Guido Bertoni, Joan Daemen, Michaël Peeters,](https://reader034.fdocuments.net/reader034/viewer/2022050104/5f42d6c7ed0731529c751fb0/html5/thumbnails/18.jpg)
Security foundations
Two pillars of security in cryptography
Generic securityStrong mathematical proofs⇒ scope of cryptanalysis reduced to primitive
Security of the primitiveNo proof!⇒ open design rationale⇒ cryptanalysis!Confidence⇐ sustained cryptanalysis activity and no break⇐ proven properties
12 / 41
![Page 19: Portfolio of optimized cryptographic functions based on Keccak · Portfolio of optimized cryptographic functions based on Keccak Author: Guido Bertoni, Joan Daemen, Michaël Peeters,](https://reader034.fdocuments.net/reader034/viewer/2022050104/5f42d6c7ed0731529c751fb0/html5/thumbnails/19.jpg)
Security foundations
Two pillars of security in cryptography
Generic securityStrong mathematical proofs⇒ scope of cryptanalysis reduced to primitive
Security of the primitiveNo proof!⇒ open design rationale⇒ third-party cryptanalysis!Confidence⇐ sustained cryptanalysis activity and no break⇐ proven properties
12 / 41
![Page 20: Portfolio of optimized cryptographic functions based on Keccak · Portfolio of optimized cryptographic functions based on Keccak Author: Guido Bertoni, Joan Daemen, Michaël Peeters,](https://reader034.fdocuments.net/reader034/viewer/2022050104/5f42d6c7ed0731529c751fb0/html5/thumbnails/20.jpg)
Security foundations
Two pillars of security in cryptography
Generic securityStrong mathematical proofs⇒ scope of cryptanalysis reduced to primitive
Security of the primitiveNo proof!⇒ open design rationale⇒ lots of third-party cryptanalysis!Confidence⇐ sustained cryptanalysis activity and no break⇐ proven properties
12 / 41
![Page 21: Portfolio of optimized cryptographic functions based on Keccak · Portfolio of optimized cryptographic functions based on Keccak Author: Guido Bertoni, Joan Daemen, Michaël Peeters,](https://reader034.fdocuments.net/reader034/viewer/2022050104/5f42d6c7ed0731529c751fb0/html5/thumbnails/21.jpg)
Security foundations
Two pillars of security in cryptography
Generic securityStrong mathematical proofs⇒ scope of cryptanalysis reduced to primitive
Security of the primitiveNo proof!⇒ open design rationale⇒ lots of third-party cryptanalysis!Confidence⇐ sustained cryptanalysis activity and no break⇐ proven properties
12 / 41
![Page 22: Portfolio of optimized cryptographic functions based on Keccak · Portfolio of optimized cryptographic functions based on Keccak Author: Guido Bertoni, Joan Daemen, Michaël Peeters,](https://reader034.fdocuments.net/reader034/viewer/2022050104/5f42d6c7ed0731529c751fb0/html5/thumbnails/22.jpg)
Security foundations
Inside the permutation
f = …
rounds
13 / 41
![Page 23: Portfolio of optimized cryptographic functions based on Keccak · Portfolio of optimized cryptographic functions based on Keccak Author: Guido Bertoni, Joan Daemen, Michaël Peeters,](https://reader034.fdocuments.net/reader034/viewer/2022050104/5f42d6c7ed0731529c751fb0/html5/thumbnails/23.jpg)
Security foundations
Status of Keccak
Kecc
ak-f
[160
0]
0
3
6
9
12
15
18
21
24
Practical (collision) attacks up to 5 roundsTheoretical collision attacks up to 6 rounds[Qiao, Song, Liu, Guo 2016]Theoretical attack up to 9 rounds (2256 time…)[Dinur, Morawiecki, Pieprzyk, Srebrny, Straus 2014]
Round function unchanged since 2008
14 / 41
![Page 24: Portfolio of optimized cryptographic functions based on Keccak · Portfolio of optimized cryptographic functions based on Keccak Author: Guido Bertoni, Joan Daemen, Michaël Peeters,](https://reader034.fdocuments.net/reader034/viewer/2022050104/5f42d6c7ed0731529c751fb0/html5/thumbnails/24.jpg)
Unkeyed applications
Outline
1 Timeline
2 Security foundations
3 Unkeyed applications
4 Keyed applications
5 Keccak code package
6 Inventory
15 / 41
![Page 25: Portfolio of optimized cryptographic functions based on Keccak · Portfolio of optimized cryptographic functions based on Keccak Author: Guido Bertoni, Joan Daemen, Michaël Peeters,](https://reader034.fdocuments.net/reader034/viewer/2022050104/5f42d6c7ed0731529c751fb0/html5/thumbnails/25.jpg)
Unkeyed applications
Cryptographic hash functions
h : {0, 1}∗ → {0, 1}n
input output
outerinner
0
0
r
c
f f f f f f
absorbing squeezing
16 / 41
![Page 26: Portfolio of optimized cryptographic functions based on Keccak · Portfolio of optimized cryptographic functions based on Keccak Author: Guido Bertoni, Joan Daemen, Michaël Peeters,](https://reader034.fdocuments.net/reader034/viewer/2022050104/5f42d6c7ed0731529c751fb0/html5/thumbnails/26.jpg)
Unkeyed applications
Impact of parallelism
Keccak-f[1600]× 1 1070 cyclesKeccak-f[1600]× 2 1360 cyclesKeccak-f[1600]× 4 1410 cycles
CPU: Intel® Core™ i5-6500 (Skylake) with AVX2 256-bit SIMD
17 / 41
![Page 27: Portfolio of optimized cryptographic functions based on Keccak · Portfolio of optimized cryptographic functions based on Keccak Author: Guido Bertoni, Joan Daemen, Michaël Peeters,](https://reader034.fdocuments.net/reader034/viewer/2022050104/5f42d6c7ed0731529c751fb0/html5/thumbnails/27.jpg)
Unkeyed applications
Tree hashing
Example: ParallelHash [SP 800-185]
function instruction set cycles/byteKeccak[c = 256]× 1 x86_64 6.29Keccak[c = 256]× 2 AVX2 4.32Keccak[c = 256]× 4 AVX2 2.31CPU: Intel® Core™ i5-6500 (Skylake) with AVX2 256-bit SIMD
18 / 41
![Page 28: Portfolio of optimized cryptographic functions based on Keccak · Portfolio of optimized cryptographic functions based on Keccak Author: Guido Bertoni, Joan Daemen, Michaël Peeters,](https://reader034.fdocuments.net/reader034/viewer/2022050104/5f42d6c7ed0731529c751fb0/html5/thumbnails/28.jpg)
Unkeyed applications
KangarooTwelve: a variant of Keccak
Safety margin: from rock-solid to comfortableSame round function, 12 instead of 24⇒ cryptanalysis since 2008 still valid
“Embarassingly” parallel modeProven generic security
[IACR ePrint 2016/770]
19 / 41
![Page 29: Portfolio of optimized cryptographic functions based on Keccak · Portfolio of optimized cryptographic functions based on Keccak Author: Guido Bertoni, Joan Daemen, Michaël Peeters,](https://reader034.fdocuments.net/reader034/viewer/2022050104/5f42d6c7ed0731529c751fb0/html5/thumbnails/29.jpg)
Unkeyed applications
KangarooTwelve’s mode
S0 110* CV CV CV … CV CV n-1 FFFF 01
S1
110
S2
110
S3
110
Sn-2
110
Sn-1
110
Final node growing with kangaroo hopping and Sakura coding[ACNS 2014]
20 / 41
![Page 30: Portfolio of optimized cryptographic functions based on Keccak · Portfolio of optimized cryptographic functions based on Keccak Author: Guido Bertoni, Joan Daemen, Michaël Peeters,](https://reader034.fdocuments.net/reader034/viewer/2022050104/5f42d6c7ed0731529c751fb0/html5/thumbnails/30.jpg)
Unkeyed applications
KangarooTwelve performance
Short input Long inputIntel® Core™ i5-4570 (Haswell) 4.15 c/b 1.44 c/bIntel® Core™ i5-6500 (Skylake) 3.72 c/b 1.22 c/bIntel® Xeon Phi™ 7250 (Knights Landing)∗ (4.56 c/b) 0.74 c/b
∗ Thanks to Romain Dolbeau
21 / 41
![Page 31: Portfolio of optimized cryptographic functions based on Keccak · Portfolio of optimized cryptographic functions based on Keccak Author: Guido Bertoni, Joan Daemen, Michaël Peeters,](https://reader034.fdocuments.net/reader034/viewer/2022050104/5f42d6c7ed0731529c751fb0/html5/thumbnails/31.jpg)
Keyed applications
Outline
1 Timeline
2 Security foundations
3 Unkeyed applications
4 Keyed applications
5 Keccak code package
6 Inventory
22 / 41
![Page 32: Portfolio of optimized cryptographic functions based on Keccak · Portfolio of optimized cryptographic functions based on Keccak Author: Guido Bertoni, Joan Daemen, Michaël Peeters,](https://reader034.fdocuments.net/reader034/viewer/2022050104/5f42d6c7ed0731529c751fb0/html5/thumbnails/32.jpg)
Keyed applications
Pseudo-random function (PRF)
input
…
23 / 41
![Page 33: Portfolio of optimized cryptographic functions based on Keccak · Portfolio of optimized cryptographic functions based on Keccak Author: Guido Bertoni, Joan Daemen, Michaël Peeters,](https://reader034.fdocuments.net/reader034/viewer/2022050104/5f42d6c7ed0731529c751fb0/html5/thumbnails/33.jpg)
Keyed applications
Stream cipher
nonce
plaintext = ciphertext
24 / 41
![Page 34: Portfolio of optimized cryptographic functions based on Keccak · Portfolio of optimized cryptographic functions based on Keccak Author: Guido Bertoni, Joan Daemen, Michaël Peeters,](https://reader034.fdocuments.net/reader034/viewer/2022050104/5f42d6c7ed0731529c751fb0/html5/thumbnails/34.jpg)
Keyed applications
Message authentication code (MAC)
plaintext
plaintext
25 / 41
![Page 35: Portfolio of optimized cryptographic functions based on Keccak · Portfolio of optimized cryptographic functions based on Keccak Author: Guido Bertoni, Joan Daemen, Michaël Peeters,](https://reader034.fdocuments.net/reader034/viewer/2022050104/5f42d6c7ed0731529c751fb0/html5/thumbnails/35.jpg)
Keyed applications
Authenticated encryption
nonce
plaintext = ciphertext
plaintext
26 / 41
![Page 36: Portfolio of optimized cryptographic functions based on Keccak · Portfolio of optimized cryptographic functions based on Keccak Author: Guido Bertoni, Joan Daemen, Michaël Peeters,](https://reader034.fdocuments.net/reader034/viewer/2022050104/5f42d6c7ed0731529c751fb0/html5/thumbnails/36.jpg)
Keyed applications
Incrementality
packet #1
packet #1
27 / 41
![Page 37: Portfolio of optimized cryptographic functions based on Keccak · Portfolio of optimized cryptographic functions based on Keccak Author: Guido Bertoni, Joan Daemen, Michaël Peeters,](https://reader034.fdocuments.net/reader034/viewer/2022050104/5f42d6c7ed0731529c751fb0/html5/thumbnails/37.jpg)
Keyed applications
Incrementality
packet #1 packet #2
packet #1 packet #2
27 / 41
![Page 38: Portfolio of optimized cryptographic functions based on Keccak · Portfolio of optimized cryptographic functions based on Keccak Author: Guido Bertoni, Joan Daemen, Michaël Peeters,](https://reader034.fdocuments.net/reader034/viewer/2022050104/5f42d6c7ed0731529c751fb0/html5/thumbnails/38.jpg)
Keyed applications
Incrementality
packet #1 packet #2 packet #3
packet #1 packet #2 packet #3
27 / 41
![Page 39: Portfolio of optimized cryptographic functions based on Keccak · Portfolio of optimized cryptographic functions based on Keccak Author: Guido Bertoni, Joan Daemen, Michaël Peeters,](https://reader034.fdocuments.net/reader034/viewer/2022050104/5f42d6c7ed0731529c751fb0/html5/thumbnails/39.jpg)
Keyed applications
Keyak in a nutshell
An authenticated-encryption scheme submitted to CAESAR→ using Keccak-p[1600,nr = 12] or Keccak-p[800,nr = 12]←
0 SUV1
T(0)
SUV = Secret and Unique ValueWorks in sessions
28 / 41
![Page 40: Portfolio of optimized cryptographic functions based on Keccak · Portfolio of optimized cryptographic functions based on Keccak Author: Guido Bertoni, Joan Daemen, Michaël Peeters,](https://reader034.fdocuments.net/reader034/viewer/2022050104/5f42d6c7ed0731529c751fb0/html5/thumbnails/40.jpg)
Keyed applications
Keyak in a nutshell
An authenticated-encryption scheme submitted to CAESAR→ using Keccak-p[1600,nr = 12] or Keccak-p[800,nr = 12]←
0 SUV1
T(0)
A(1)P(1)
C(1) T(1)
SUV = Secret and Unique ValueWorks in sessions
28 / 41
![Page 41: Portfolio of optimized cryptographic functions based on Keccak · Portfolio of optimized cryptographic functions based on Keccak Author: Guido Bertoni, Joan Daemen, Michaël Peeters,](https://reader034.fdocuments.net/reader034/viewer/2022050104/5f42d6c7ed0731529c751fb0/html5/thumbnails/41.jpg)
Keyed applications
Keyak in a nutshell
An authenticated-encryption scheme submitted to CAESAR→ using Keccak-p[1600,nr = 12] or Keccak-p[800,nr = 12]←
0 SUV1
T(0)
A(1)P(1)
C(1) T(1)
P(2)
C(2) T(2)
SUV = Secret and Unique ValueWorks in sessions
28 / 41
![Page 42: Portfolio of optimized cryptographic functions based on Keccak · Portfolio of optimized cryptographic functions based on Keccak Author: Guido Bertoni, Joan Daemen, Michaël Peeters,](https://reader034.fdocuments.net/reader034/viewer/2022050104/5f42d6c7ed0731529c751fb0/html5/thumbnails/42.jpg)
Keyed applications
Keyak in a nutshell
An authenticated-encryption scheme submitted to CAESAR→ using Keccak-p[1600,nr = 12] or Keccak-p[800,nr = 12]←
0 SUV1
T(0)
A(1)P(1)
C(1) T(1)
P(2)
C(2) T(2)
A(3)
T(3)
SUV = Secret and Unique ValueWorks in sessions
28 / 41
![Page 43: Portfolio of optimized cryptographic functions based on Keccak · Portfolio of optimized cryptographic functions based on Keccak Author: Guido Bertoni, Joan Daemen, Michaël Peeters,](https://reader034.fdocuments.net/reader034/viewer/2022050104/5f42d6c7ed0731529c751fb0/html5/thumbnails/43.jpg)
Keyed applications
Ketje in a nutshell
An authenticated-encryption scheme submitted to CAESAR
Similar to Keyak, but …mainly targeted at lightweight applications (e.g., IoT)also using smaller permutations (400 or 200 bits)
29 / 41
![Page 44: Portfolio of optimized cryptographic functions based on Keccak · Portfolio of optimized cryptographic functions based on Keccak Author: Guido Bertoni, Joan Daemen, Michaël Peeters,](https://reader034.fdocuments.net/reader034/viewer/2022050104/5f42d6c7ed0731529c751fb0/html5/thumbnails/44.jpg)
Keyed applications
Kravatte with the new Farfalle constructionAn incremental and parallel pseudo-random function …
k f
M0
k f
M1
ik f
Mi
… …
f
k
Z0
f
k
Z1
f
k
j Zj
f
… using the Keccak-f permutation[IACR ePrint 2016/1188 — soon to be updated!]
30 / 41
![Page 45: Portfolio of optimized cryptographic functions based on Keccak · Portfolio of optimized cryptographic functions based on Keccak Author: Guido Bertoni, Joan Daemen, Michaël Peeters,](https://reader034.fdocuments.net/reader034/viewer/2022050104/5f42d6c7ed0731529c751fb0/html5/thumbnails/45.jpg)
Keyed applications
Kravatte for many purposes
Kravatte-PRF AuthenticationKravatte-SAE Session authenticated encryptionKravatte-SIV Synthetic-IV authenticated encryptionKravatte-WBC Wide block cipher, authenticated en-
cryption with minimal expansion
31 / 41
![Page 46: Portfolio of optimized cryptographic functions based on Keccak · Portfolio of optimized cryptographic functions based on Keccak Author: Guido Bertoni, Joan Daemen, Michaël Peeters,](https://reader034.fdocuments.net/reader034/viewer/2022050104/5f42d6c7ed0731529c751fb0/html5/thumbnails/46.jpg)
Keccak code package
Outline
1 Timeline
2 Security foundations
3 Unkeyed applications
4 Keyed applications
5 Keccak code package
6 Inventory
32 / 41
![Page 47: Portfolio of optimized cryptographic functions based on Keccak · Portfolio of optimized cryptographic functions based on Keccak Author: Guido Bertoni, Joan Daemen, Michaël Peeters,](https://reader034.fdocuments.net/reader034/viewer/2022050104/5f42d6c7ed0731529c751fb0/html5/thumbnails/47.jpg)
Keccak code package
The Keccak code package
https://github.com/gvanas/KeccakCodePackage
33 / 41
![Page 48: Portfolio of optimized cryptographic functions based on Keccak · Portfolio of optimized cryptographic functions based on Keccak Author: Guido Bertoni, Joan Daemen, Michaël Peeters,](https://reader034.fdocuments.net/reader034/viewer/2022050104/5f42d6c7ed0731529c751fb0/html5/thumbnails/48.jpg)
Keccak code package
Using the KCP
Making a librarymake generic64/libkeccak.amake generic32/libkeccak.amake Nehalem/libkeccak.amake ARMv7A/libkeccak.amake compact/libkeccak.a
Extracting the source filesmake generic64/libkeccak.a.pack
Running the unit testsmake generic64/KeccakTestsKeccakTests --SnP --FIPS202 --Keyak --speed
34 / 41
![Page 49: Portfolio of optimized cryptographic functions based on Keccak · Portfolio of optimized cryptographic functions based on Keccak Author: Guido Bertoni, Joan Daemen, Michaël Peeters,](https://reader034.fdocuments.net/reader034/viewer/2022050104/5f42d6c7ed0731529c751fb0/html5/thumbnails/49.jpg)
Keccak code package
Using the KCP
Making a librarymake generic64/libkeccak.amake generic32/libkeccak.amake Nehalem/libkeccak.amake ARMv7A/libkeccak.amake compact/libkeccak.a
Extracting the source filesmake generic64/libkeccak.a.pack
Running the unit testsmake generic64/KeccakTestsKeccakTests --SnP --FIPS202 --Keyak --speed
34 / 41
![Page 50: Portfolio of optimized cryptographic functions based on Keccak · Portfolio of optimized cryptographic functions based on Keccak Author: Guido Bertoni, Joan Daemen, Michaël Peeters,](https://reader034.fdocuments.net/reader034/viewer/2022050104/5f42d6c7ed0731529c751fb0/html5/thumbnails/50.jpg)
Keccak code package
Using the KCP
Making a librarymake generic64/libkeccak.amake generic32/libkeccak.amake Nehalem/libkeccak.amake ARMv7A/libkeccak.amake compact/libkeccak.a
Extracting the source filesmake generic64/libkeccak.a.pack
Running the unit testsmake generic64/KeccakTestsKeccakTests --SnP --FIPS202 --Keyak --speed
34 / 41
![Page 51: Portfolio of optimized cryptographic functions based on Keccak · Portfolio of optimized cryptographic functions based on Keccak Author: Guido Bertoni, Joan Daemen, Michaël Peeters,](https://reader034.fdocuments.net/reader034/viewer/2022050104/5f42d6c7ed0731529c751fb0/html5/thumbnails/51.jpg)
Keccak code package
Inside the KCP: a layered approach
Keccak-f[200] Keccak-f[1600] Keccak-p[800, 12] Primitive
Sponge Duplex Construction
Hashing MAC PRNG Auth. Enc. Mode
Genericfocus on user
easy to usee.g., message queue
one implementationpointers and arithmetic
Specificfocus on developer
limited scope to optimizeunit tests
tailored implementationspermutationbulk data processing
35 / 41
![Page 52: Portfolio of optimized cryptographic functions based on Keccak · Portfolio of optimized cryptographic functions based on Keccak Author: Guido Bertoni, Joan Daemen, Michaël Peeters,](https://reader034.fdocuments.net/reader034/viewer/2022050104/5f42d6c7ed0731529c751fb0/html5/thumbnails/52.jpg)
Keccak code package
Inside the KCP: a layered approach
Keccak-f[200] Keccak-f[1600] Keccak-p[800, 12] Primitive
Sponge Duplex Construction
Hashing MAC PRNG Auth. Enc. Mode
Genericfocus on user
easy to usee.g., message queue
one implementationpointers and arithmetic
Specificfocus on developer
limited scope to optimizeunit tests
tailored implementationspermutationbulk data processing
35 / 41
![Page 53: Portfolio of optimized cryptographic functions based on Keccak · Portfolio of optimized cryptographic functions based on Keccak Author: Guido Bertoni, Joan Daemen, Michaël Peeters,](https://reader034.fdocuments.net/reader034/viewer/2022050104/5f42d6c7ed0731529c751fb0/html5/thumbnails/53.jpg)
Keccak code package
Inside the KCP: a layered approach
Keccak-f[200] Keccak-f[1600] Keccak-p[800, 12] Primitive
Sponge Duplex Construction
Hashing MAC PRNG Auth. Enc. Mode
Genericfocus on user
easy to usee.g., message queue
one implementationpointers and arithmetic
Specificfocus on developer
limited scope to optimizeunit tests
tailored implementationspermutationbulk data processing
35 / 41
![Page 54: Portfolio of optimized cryptographic functions based on Keccak · Portfolio of optimized cryptographic functions based on Keccak Author: Guido Bertoni, Joan Daemen, Michaël Peeters,](https://reader034.fdocuments.net/reader034/viewer/2022050104/5f42d6c7ed0731529c751fb0/html5/thumbnails/54.jpg)
Keccak code package
Inside the KCP: a layered approach
Keccak-f[200] Keccak-f[1600] Keccak-p[800, 12] Primitive
Sponge Duplex Construction
Hashing MAC PRNG Auth. Enc. Mode
SnP
Genericfocus on user
easy to usee.g., message queue
one implementationpointers and arithmetic
Specificfocus on developer
limited scope to optimizeunit tests
tailored implementationspermutationbulk data processing
35 / 41
![Page 55: Portfolio of optimized cryptographic functions based on Keccak · Portfolio of optimized cryptographic functions based on Keccak Author: Guido Bertoni, Joan Daemen, Michaël Peeters,](https://reader034.fdocuments.net/reader034/viewer/2022050104/5f42d6c7ed0731529c751fb0/html5/thumbnails/55.jpg)
Inventory
Outline
1 Timeline
2 Security foundations
3 Unkeyed applications
4 Keyed applications
5 Keccak code package
6 Inventory
36 / 41
![Page 56: Portfolio of optimized cryptographic functions based on Keccak · Portfolio of optimized cryptographic functions based on Keccak Author: Guido Bertoni, Joan Daemen, Michaël Peeters,](https://reader034.fdocuments.net/reader034/viewer/2022050104/5f42d6c7ed0731529c751fb0/html5/thumbnails/56.jpg)
Inventory
Hash and extendable-output functions
Standard, rock-solid: [FIPS 202, SP 800-185]SHA3-{224, 256, 384, 512}SHAKE{128, 256} or cSHAKE{128, 256}TupleHashParallelHash
Mature:KangarooTwelve [IACR ePrint 2016/770]
37 / 41
![Page 57: Portfolio of optimized cryptographic functions based on Keccak · Portfolio of optimized cryptographic functions based on Keccak Author: Guido Bertoni, Joan Daemen, Michaël Peeters,](https://reader034.fdocuments.net/reader034/viewer/2022050104/5f42d6c7ed0731529c751fb0/html5/thumbnails/57.jpg)
Inventory
Pseudo-random number generation
Rock-solid:KeccakPRG [SAC 2011, implemented in KCP]
reseedable at any timeforward secrecy
38 / 41
![Page 58: Portfolio of optimized cryptographic functions based on Keccak · Portfolio of optimized cryptographic functions based on Keccak Author: Guido Bertoni, Joan Daemen, Michaël Peeters,](https://reader034.fdocuments.net/reader034/viewer/2022050104/5f42d6c7ed0731529c751fb0/html5/thumbnails/58.jpg)
Inventory
Authentication
Standard, rock-solid:KMAC [SP 800-185]HMAC with SHA-3 is suboptimal!
Mature:Keyak [CAESAR competition]
Cutting edge:Kravatte-PRF [IACR ePrint 2016/1188]
39 / 41
![Page 59: Portfolio of optimized cryptographic functions based on Keccak · Portfolio of optimized cryptographic functions based on Keccak Author: Guido Bertoni, Joan Daemen, Michaël Peeters,](https://reader034.fdocuments.net/reader034/viewer/2022050104/5f42d6c7ed0731529c751fb0/html5/thumbnails/59.jpg)
Inventory
Authenticated encryption
Mature:KetjeKeyak [CAESAR competition]
Cutting edge:Kravatte-SAEKravatte-SIVKravatte-WBC [IACR ePrint 2016/1188]
40 / 41
![Page 60: Portfolio of optimized cryptographic functions based on Keccak · Portfolio of optimized cryptographic functions based on Keccak Author: Guido Bertoni, Joan Daemen, Michaël Peeters,](https://reader034.fdocuments.net/reader034/viewer/2022050104/5f42d6c7ed0731529c751fb0/html5/thumbnails/60.jpg)
Conclusions
Thanks for your attention!
Any questions?
Q?http://keccak.noekeon.org/
@KeccakTeam
41 / 41