Hashing Algorithms: SHA-3 CSCI 5857: Encoding and Encryption.


Outline
NIST SHA-3 competition
Overall structure of SHA-3 as sponge function
State representation in three dimensions
SHA-3 round functions
– Column-based parity function
– Shifts in third dimension
– Mixing in xy dimensions
– Nonlinear row function
– Round constant

SHA-3 Competition
Open competition by NIST to design new standard for hashing algorithm
– Ideally different from SHA-2
– Announced in 2008, finalists chosen in 2010
BLAKE
Grøstl (Lars Knudsen)
JH
Keccak (Joan Daemen)
Skein (Niels Ferguson, Bruce Schneier)
Winner: Keccak

SHA-3 Structure
Overall structure based on sponge functions
– Receive input one block at a time from message (the “absorbing” stage)
– Produce output of as many blocks as needed, one block at a time (the “squeezing” stage)

SHA-3 Structure
Each stage combines
– Next block of message M
– Bits from previous stage
Output of previous round divided into:
– “Rate”: r bits XORed with next message block
– “Capacity”: c bits of state data passed directly from previous round
– Both initially all 0’s

SHA-3 Structure
Sizes for r + c:
– 25
– 50
– 100
– 200
– 400
– 800
–
“Lightweight” permutation: r = 40, c = 160
SHA-3 standard: r = 1088, c = 512

Keccak State Representation
3-dimensional array
– Bit value $b_{x,y,z}$
$5 \times 5 \times 2^L$
– 5 rows
– 5 columns
– $2^L$ “slices”
– L = 0 – 6 for lane size = 1, 2, 4, 8, 16, 32, or 64
state size = 25, 50, 100, 200, 400, 800, or

Keccak State Representation
[Figure: the state array with a row, a column, a lane and a slice labelled]

Keccak State Representation
r-bit plaintext blocks read in one lane at a time
– Lane size = $2^L$
– $2^L / r$ lanes in rate
– Remaining lanes in capacity
$\mathrm{Lane}_i(x, y) = \mathrm{Lane}_{i-1}(x, y) \oplus M_i(x + 5y)$ for lanes in rate
$\mathrm{Lane}_i(x, y) = \mathrm{Lane}_{i-1}(x, y)$ for lanes in capacity

Keccak-f Permutation
Function of form $(r_i, c_i) = f(r_{i-1} \oplus m_i, c_{i-1})$
Basic ideas similar to AES: stages within function with different purposes
– θ: parity function to mix bits across columns
– ρ: diffusion of values along lanes based on matrix multiplication over GF(5)
– π: diffusion of values in slice in both x and y direction
– χ: nonlinear function that alters rows
– ι: combination with round constant (different for each round)

Keccak θ function
Goal: Diffusion across columns of state
Parity function of values within a column
$C_{x,z} = b_{x,1,z} \oplus b_{x,2,z} \oplus b_{x,3,z} \oplus b_{x,4,z} \oplus b_{x,5,z}$
Each bit is function of parity of adjacent columns
$b_{x,y,z} = b_{x,y,z} \oplus C_{x-1,z} \oplus C_{x+1,z}$

Keccak θ function
$b_{x,y,z} = b_{x,y,z} \oplus C_{x-1,z} \oplus C_{x+1,z}$

Keccak θ function
Tweaked to involve a column from adjacent slice
– Additional diffusion across slices
$b_{x,y,z} = b_{x,y,z} \oplus C_{x-1,z} \oplus C_{x+1,z-1}$

Keccak ρ function
Goal: Complex diffusion along lanes
– Sort of like ShiftRows, but more complex formula for how much each lane shifted

Keccak ρ function
$b_{x,y,z} = b_{x,y,(z-(t+1)(t+2)/2)}$
– t is complex function of (x, y)
– Expressed as table

Keccak π function
Goal: Disturb horizontal/vertical alignments in slice
– Otherwise, could get repeated sequences of states

Keccak π function
$b_{y,\,2x+3y,\,z} = b_{x,y,z}$ based on
Example: (3, 2) → (2, 12) = (2, 2)
– Note: (0, 0) in center for this transformation

Keccak χ function
Goal: Make each round nonlinear function of previous round
– Prevent linear cryptanalysis attacks
[Figure: a row at round t – 1 and the same row at round t]

Keccak χ function
Function from each row to itself (“mixing” bits within same row)
$b_{x,y,z} = b_{x,y,z} \oplus (\lnot b_{(x+1),y,z} \land b_{(x+2),y,z})$

Keccak ι function
Goal: Different behavior each round
– Otherwise, could have fixed states which are same in every round
$b_{0,0,z} = b_{0,0,z} \oplus \mathrm{RCON}(i)$
– Modify center of each slice each round
– Changes propagate to all bits

Keccak ι function
Round constants created as simple linear function shift register
– Last bit XOR function of other bits
– Bits shifted right each iteration

Keccak Round Function
Functions applied in order listed above
If $S_i = S_{rate} + S_{capacity}$ is state after round i
Then $S_{i+1} = \iota(\chi(\pi(\rho(\theta(S_{rate} \oplus M_i + S_{capacity})))))$
Number of rounds = L = 24 rounds in full SHA-3

Keccak Evaluation
High diffusion, nonlinearity
Efficiency
– Bitwise operations
– Complex functions implemented as simple tables
– Few rounds
Very different than SHA-2
– SHA-2 still secure now
– But if weakness found in SHA-2, would be very unlikely to affect SHA-3
– Would then have immediate replacement for SHA-2