DOCSLIB.ORG

Keccak Sponge Function Family Main Document

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Keccak Sponge Function Family Main Document Keccak sponge function family main document Guido Bertoni1 Joan Daemen1 Micha¨el Peeters2 Gilles Van Assche1 http://keccak.noekeon.org/ Version 1.2 1STMicroelectronics April 23, 2009 2NXP Semiconductors Keccak 2 / 93 Contents 1 Introduction 7 1.1 Specifications summary . .8 1.2 NIST requirements . 10 1.3 Acknowledgments . 11 2 Design rationale summary 13 2.1 Choosing the sponge construction . 13 2.2 Choosing an iterated permutation . 14 2.3 Designing the Keccak-f permutations . 14 2.4 Choosing the parameter values . 15 3 The sponge construction 17 3.1 Security of the sponge construction . 17 3.1.1 Indifferentiability from a random oracle . 17 3.1.2 Indifferentiability of multiple sponge functions . 18 3.1.3 Immunity to generic attacks . 19 3.1.4 Randomized hashing . 19 3.1.5 Keyed modes . 20 3.2 Rationale for the padding . 20 3.2.1 Sponge input preparation . 20 3.2.2 Multi-capacity property . 21 3.2.3 Digest-length dependent digest . 21 3.3 Parameter choices . 21 3.3.1 Capacity . 21 3.3.2 Width . 22 3.3.3 The default sponge function Keccak[] . 22 3.4 The four critical operations of a sponge . 23 3.4.1 Definitions . 23 3.4.2 The operations . 23 4 Sponge functions with an iterated permutation 25 4.1 The philosophy . 25 4.1.1 The hermetic sponge strategy . 25 4.1.2 The impossibility of implementing a random oracle . 25 4.1.3 The choice between a permutation and a transformation . 26 4.1.4 The choice of an iterated permutation . 26 3 / 93 Keccak CONTENTS 4.2 Some structural distinguishers . 27 4.2.1 Differential cryptanalysis . 27 4.2.2 Linear cryptanalysis . 28 4.2.3 Algebraic expressions . 29 4.2.4 The constrained-input constrained-output (CICO) problem . 30 4.2.5 Multi-block CICO problems . 31 4.2.6 Cycle structure . 32 4.3 Inner collision . 32 4.3.1 Exploiting a differential trail . 32 4.3.2 Exploiting a differential . 33 4.3.3 Truncated trails and differentials . 33 4.4 Path to an inner state . 34 4.5 Detecting a cycle . 34 4.6 Binding an output to a state . 34 4.7 Classical hash function criteria . 34 4.7.1 Collision resistance . 34 4.7.2 Preimage resistance . 35 4.7.3 Second preimage resistance . 35 4.7.4 Length extension . 35 4.7.5 Pseudo-random function . 35 4.7.6 Output subset properties . 36 5 The Keccak-f permutations 37 5.1 Translation invariance . 37 5.2 The Matryoshka structure . 38 5.3 The step mappings of Keccak-f ......................... 38 5.3.1 Properties of χ ............................... 39 5.3.2 Properties of θ ............................... 41 5.3.3 Properties of π ............................... 43 5.3.4 Properties of ρ ............................... 44 5.3.5 Properties of ι ............................... 45 5.3.6 The order of steps within a round . 45 5.4 Choice of parameters: the number of rounds . 46 5.5 Differential and linear cryptanalysis . 46 5.5.1 Trail propagation . 46 5.5.2 The Matryoshka consequence . 47 5.5.3 The column parity kernel . 47 5.5.4 One and two-round trails . 48 5.5.5 Three-round trails: kernel vortices . 48 5.5.6 Beyond three-round trails: choice of π .................. 50 5.5.7 Truncated trails and differentials . 51 5.5.8 Other group operations . 52 5.5.9 Differential and linear cryptanalysis variants . 52 5.5.10 Bounds for symmetric trails . 53 5.6 Solving CICO problems . 53 5.7 Strength in keyed mode . 54 5.8 Symmetry weaknesses . 54 4 / 93 CONTENTS Keccak 5.9 Experimental data . 54 5.9.1 Differential probability distributions . 54 5.9.2 Correlation distributions . 55 5.9.3 Algebraic normal form experiments . 59 5.9.4 Solving CICO problems algebraically . 62 5.9.5 Cycle distributions . 63 6 Usage 65 6.1 Usage scenario's for a sponge function . 65 6.1.1 Random-oracle interface . 65 6.1.2 Linking to the security claim . 65 6.1.3 Examples of modes of use . 66 6.2 Backward compatibility with old standards . 67 6.2.1 Input block length and output length . 67 6.2.2 Initial value . 67 6.2.3 HMAC . 67 6.2.4 NIST and other relevant standards . 67 6.3 Input formatting and diversification . 68 6.4 Parallel and tree hashing . 69 6.4.1 Definitions . 69 6.4.2 Discussion . 71 7 Implementation 73 7.1 Bit and byte numbering conventions . 73 7.2 General aspects . 74 7.2.1 The lane complementing transform . 74 7.2.2 Bit interleaving . 76 7.3 Software implementation . 76 7.3.1 Optimized for speed . 77 7.3.2 Using SIMD instructions . 79 7.3.3 SIMD instructions and KeccakTree .................. 79 7.3.4 Protection against side channel attacks . 81 7.3.5 Estimation on 8-bit processors . 81 7.4 Hardware implementation . 82 7.4.1 High-speed core . 83 7.4.2 Variants of the high-speed core . 84 7.4.3 Low-area coprocessor . 84 7.4.4 Protection against side channel attacks . 86 A Change log 93 A.1 From 1.1 to 1.2 . 93 A.2 From 1.0 to 1.1 . 93 5 / 93 Keccak CONTENTS 6 / 93 Chapter 1 Introduction Keccak [8] is a family of cryptographic hash functions [68] or, more accurately, sponge functions [7]. This document describes the properties of the Keccak family and presents its members as candidates to NIST's request for a new cryptographic hash algorithm family called SHA-3 [51]. This introduction offers in Section 1.1 a summary of the Keccak specifications using pseudocode, sufficient to understand its structure and building blocks. In no way should this introductory text be considered as a formal and reference description of Keccak. For the formal definition of the Keccak family, we refer to the separate document [8], to which we assume the reader has access. While the Keccak definition is fixed, this present document is likely to evolve over time, so we suggest the reader to obtain the latest version from our website http://keccak.noekeon.org/. The document is organized as follows. The design choices behind the Keccak sponge functions are summarized in Chapter 2. Chapters 3{5 provide a security analysis and a rationale for our design choices. Each of these three chapters looks at a particular level, from top to bottom. • Chapter 3 looks at the use of the sponge construction in our submission. • Chapter 4 gives more insight on the use of an iterated permutation in the sponge construction. • Chapter 5 looks more particularly at Keccak-f, the chosen permutation. Examples of modes of use, as well as other details regarding the use of the Keccak sponge functions, are provided in Chapter 6. Finally, Chapter 7 takes a look at the software and hardware implementation aspects. 7 / 93 Keccak 1. Introduction 1.1 Specifications summary Any instance of the Keccak sponge function family makes use of one of the.
Load more

Recommended publications
  • Fast Hashing and Stream Encryption with Panama
    Fast Hashing and Stream Encryption with Panama Joan Daemen1 and Craig Clapp2 1 Banksys, Haachtesteenweg 1442, B-1130 Brussel, Belgium [email protected] 2 PictureTel Corporation, 100 Minuteman Rd., Andover, MA 01810, USA [email protected] Abstract. We present a cryptographic module that can be used both as a cryptographic hash function and as a stream cipher. High performance is achieved through a combination of low work-factor and a high degree of parallelism. Throughputs of 5.1 bits/cycle for the hashing mode and 4.7 bits/cycle for the stream cipher mode are demonstrated on a com- mercially available VLIW micro-processor. 1 Introduction Panama is a cryptographic module that can be used both as a cryptographic hash function and a stream cipher. It is designed to be very efficient in software implementations on 32-bit architectures. Its basic operations are on 32-bit words. The hashing state is updated by a parallel nonlinear transformation, the buffer operates as a linear feedback shift register, similar to that applied in the compression function of SHA [6]. Panama is largely based on the StepRightUp stream/hash module that was described in [4]. Panama has a low per-byte work factor while still claiming very high security. The price paid for this is a relatively high fixed computational overhead for every execution of the hash function. This makes the Panama hash function less suited for the hashing of messages shorter than the equivalent of a typewritten page. For the stream cipher it results in a relatively long initialization procedure. Hence, in applications where speed is critical, too frequent resynchronization should be avoided.
    [Show full text]
  • Permutation-Based Encryption, Authentication and Authenticated Encryption
    Permutation-based encryption, authentication and authenticated encryption Permutation-based encryption, authentication and authenticated encryption Joan Daemen1 Joint work with Guido Bertoni1, Michaël Peeters2 and Gilles Van Assche1 1STMicroelectronics 2NXP Semiconductors DIAC 2012, Stockholm, July 6 . Permutation-based encryption, authentication and authenticated encryption Modern-day cryptography is block-cipher centric Modern-day cryptography is block-cipher centric (Standard) hash functions make use of block ciphers SHA-1, SHA-256, SHA-512, Whirlpool, RIPEMD-160, … So HMAC, MGF1, etc. are in practice also block-cipher based Block encryption: ECB, CBC, … Stream encryption: synchronous: counter mode, OFB, … self-synchronizing: CFB MAC computation: CBC-MAC, C-MAC, … Authenticated encryption: OCB, GCM, CCM … . Permutation-based encryption, authentication and authenticated encryption Modern-day cryptography is block-cipher centric Structure of a block cipher . Permutation-based encryption, authentication and authenticated encryption Modern-day cryptography is block-cipher centric Structure of a block cipher (inverse operation) . Permutation-based encryption, authentication and authenticated encryption Modern-day cryptography is block-cipher centric When is the inverse block cipher needed? Indicated in red: Hashing and its modes HMAC, MGF1, … Block encryption: ECB, CBC, … Stream encryption: synchronous: counter mode, OFB, … self-synchronizing: CFB MAC computation: CBC-MAC, C-MAC, … Authenticated encryption: OCB, GCM, CCM … So a block cipher
    [Show full text]
  • Hash Functions and Thetitle NIST of Shapresentation-3 Competition
    The First 30 Years of Cryptographic Hash Functions and theTitle NIST of SHAPresentation-3 Competition Bart Preneel COSIC/Kath. Univ. Leuven (Belgium) Session ID: CRYP-202 Session Classification: Hash functions decoded Insert presenter logo here on slide master Hash functions X.509 Annex D RIPEMD-160 MDC-2 SHA-256 SHA-3 MD2, MD4, MD5 SHA-512 SHA-1 This is an input to a crypto- graphic hash function. The input is a very long string, that is reduced by the hash function to a string of fixed length. There are 1A3FD4128A198FB3CA345932 additional security conditions: it h should be very hard to find an input hashing to a given value (a preimage) or to find two colliding inputs (a collision). Hash function history 101 DES RSA 1980 single block ad hoc length schemes HARDWARE MD2 MD4 1990 SNEFRU double MD5 block security SHA-1 length reduction for RIPEMD-160 factoring, SHA-2 2000 AES permu- DLOG, lattices Whirlpool SOFTWARE tations SHA-3 2010 Applications • digital signatures • data authentication • protection of passwords • confirmation of knowledge/commitment • micropayments • pseudo-random string generation/key derivation • construction of MAC algorithms, stream ciphers, block ciphers,… Agenda Definitions Iterations (modes) Compression functions SHA-{0,1,2,3} Bits and bytes 5 Hash function flavors cryptographic hash function this talk MAC MDC OWHF CRHF UOWHF (TCR) Security requirements (n-bit result) preimage 2nd preimage collision ? x ? ? ? h h h h h h(x) h(x) = h(x‘) h(x) = h(x‘) 2n 2n 2n/2 Informal definitions (1) • no secret parameters
    [Show full text]
  • SPHINCS: Practical Stateless Hash-Based Signatures
    SPHINCS: practical stateless hash-based signatures Daniel J. Bernstein1;3, Daira Hopwood2, Andreas Hülsing3, Tanja Lange3, Ruben Niederhagen3, Louiza Papachristodoulou4, Peter Schwabe4, and Zooko Wilcox O'Hearn2 1 Department of Computer Science University of Illinois at Chicago Chicago, IL 606077045, USA [email protected] 2 Least Authority 3450 Emerson Ave. Boulder, CO 803056452 USA [email protected],[email protected] 3 Department of Mathematics and Computer Science Technische Universiteit Eindhoven P.O. Box 513, 5600 MB Eindhoven, The Netherlands [email protected], [email protected], [email protected] 4 Radboud University Nijmegen Digital Security Group P.O. Box 9010, 6500 GL Nijmegen, The Netherlands [email protected], [email protected] Abstract. This paper introduces a high-security post-quantum stateless hash-based sig- nature scheme that signs hundreds of messages per second on a modern 4-core 3.5GHz Intel CPU. Signatures are 41 KB, public keys are 1 KB, and private keys are 1 KB. The signature scheme is designed to provide long-term 2128 security even against attackers equipped with quantum computers. Unlike most hash-based designs, this signature scheme is stateless, allowing it to be a drop-in replacement for current signature schemes. Keywords: post-quantum cryptography, one-time signatures, few-time signatures, hyper- trees, vectorized implementation 1 Introduction It is not at all clear how to securely sign operating-system updates, web-site certicates, etc. once an attacker has constructed a large quantum computer: RSA and ECC are perceived today as being small and fast, but they are broken in polynomial time by Shor's algorithm.
    [Show full text]
  • High Performance Cryptographic Engine PANAMA: Hardware Implementation G
    High Performance Cryptographic Engine PANAMA: Hardware Implementation G. Selimis, P. Kitsos, and O. Koufopavlou VLSI Design Labotaroty Electrical & Computer Engineering Department, University of Patras Patras, Greece Email: [email protected] hardware implementations are more efficiency in FPGAs ABSTRACT than general purpose CPUs due to the fact that the algorithm specifications suits much better in FPGA structure. In this paper a hardware implementation of a dual operation cryptographic engine PANAMA is presented. The Typical application with high speed requirements is implementation of PANAMA algorithm can be used both as encryption or decryption of video-rate in conditional access a hash function and a stream cipher. A basic characteristic applications (e-g pay TV). The modern networks have been of PANAMA is a high degree of parallelism which has as implemented to satisfy the demand for high bandwidth result high rates for the overall system throughput. An other multimedia services. Then the switches which they are profit of the PANAMA is that one only architecture placed at the nodes of the network must provide high throughput. So if there is a need for secure networks, the supports two cryptographic operations – encryption/ systems in the network switches should not introduce delays. decryption and data hashing. The proposed system operates PANAMA [3] is a cryptographic module that can be used in 96.5 MHz frequency with maximum data rate 24.7 Gbps. both as a cryptographic hash function and as stream cipher in The proposed system outperforms previous any hash applications with ultra high speed requirements functions and stream ciphers implementations in terms of In this paper an efficient implementation of the PANAMA is performance.
    [Show full text]
  • Table of Contents
    PANAMA COUNTRY READER TABLE OF CONTENTS Edward W. Clark 1946-1949 Consular Officer, Panama City 1960-1963 Deputy Chief of Mission, Panama City Walter J. Silva 1954-1955 Courier Service, Panama City Peter S. Bridges 1959-1961 Visa Officer, Panama City Clarence A. Boonstra 1959-1962 Political Advisor to Armed Forces, Panama Joseph S. Farland 1960-1963 Ambassador, Panama Arnold Denys 1961-1964 Communications Supervisor/Consular Officer, Panama City David E. Simcox 1962-1966 Political Officer/Principal Officer, Panama City Stephen Bosworth 1962-1963 Rotation Officer, Panama City 1963-1964 Principle Officer, Colon 1964 Consular Officer, Panama City Donald McConville 1963-1965 Rotation Officer, Panama City John N. Irwin II 1963-1967 US Representative, Panama Canal Treaty Negotiations Clyde Donald Taylor 1964-1966 Consular Officer, Panama City Stephen Bosworth 1964-1967 Panama Desk Officer, Washington, DC Harry Haven Kendall 1964-1967 Information Officer, USIS, Panama City Robert F. Woodward 1965-1967 Advisor, Panama Canal Treaty Negotiations Clarke McCurdy Brintnall 1966-1969 Watch Officer/Intelligence Analyst, US Southern Command, Panama David Lazar 1968-1970 USAID Director, Panama City 1 Ronald D. Godard 1968-1970 Rotational Officer, Panama City William T. Pryce 1968-1971 Political Officer, Panama City Brandon Grove 1969-1971 Director of Panamanian Affairs, Washington, DC Park D. Massey 1969-1971 Development Officer, USAID, Panama City Robert M. Sayre 1969-1972 Ambassador, Panama J. Phillip McLean 1970-1973 Political Officer, Panama City Herbert Thompson 1970-1973 Deputy Chief of Mission, Panama City Richard B. Finn 1971-1973 Panama Canal Negotiating Team James R. Meenan 1972-1974 USAID Auditor, Regional Audit Office, Panama City Patrick F.
    [Show full text]
  • Performance Analysis of Cryptographic Hash Functions Suitable for Use in Blockchain
    I. J. Computer Network and Information Security, 2021, 2, 1-15 Published Online April 2021 in MECS (http://www.mecs-press.org/) DOI: 10.5815/ijcnis.2021.02.01 Performance Analysis of Cryptographic Hash Functions Suitable for Use in Blockchain Alexandr Kuznetsov1 , Inna Oleshko2, Vladyslav Tymchenko3, Konstantin Lisitsky4, Mariia Rodinko5 and Andrii Kolhatin6 1,3,4,5,6 V. N. Karazin Kharkiv National University, Svobody sq., 4, Kharkiv, 61022, Ukraine E-mail: [email protected], [email protected], [email protected], [email protected], [email protected] 2 Kharkiv National University of Radio Electronics, Nauky Ave. 14, Kharkiv, 61166, Ukraine E-mail: [email protected] Received: 30 June 2020; Accepted: 21 October 2020; Published: 08 April 2021 Abstract: A blockchain, or in other words a chain of transaction blocks, is a distributed database that maintains an ordered chain of blocks that reliably connect the information contained in them. Copies of chain blocks are usually stored on multiple computers and synchronized in accordance with the rules of building a chain of blocks, which provides secure and change-resistant storage of information. To build linked lists of blocks hashing is used. Hashing is a special cryptographic primitive that provides one-way, resistance to collisions and search for prototypes computation of hash value (hash or message digest). In this paper a comparative analysis of the performance of hashing algorithms that can be used in modern decentralized blockchain networks are conducted. Specifically, the hash performance on different desktop systems, the number of cycles per byte (Cycles/byte), the amount of hashed message per second (MB/s) and the hash rate (KHash/s) are investigated.
    [Show full text]
  • The Second Cryptographic Hash Workshop
    Workshop Report The Second Cryptographic Hash Workshop University of California, Santa Barbara August 24-25, 2006 Report prepared by James Nechvatal and Shu-jen Chang Information Technology Laboratory, National Institute of Standards and Technology, Gaithersburg, MD 20899 Available online: http://csrc.nist.gov/groups/ST/hash/documents/SecondHashWshop_2006_Report.pdf 1. Introduction The Second Cryptographic Hash Workshop was held on Aug. 24-25, 2006, at University of California, Santa Barbara, in conjunction with Crypto 2006. 210 members of the global cryptographic community attended the workshop. The workshop was organized to encourage hash function research and discuss hash function development strategy. 2. Workshop Program The workshop program consisted of a day and a half of presentations of papers that were submitted to the workshop and panel discussion sessions. The main topics of the workshop included survey of hash function applications, new structures and designs of hash functions, cryptanalysis and attack tools, and development strategy of new hash functions. The program is available at http://csrc.nist.gov/groups/ST/hash/second_workshop.html . This report only briefly summarizes the presentations, because the above web site for the program includes links to the speakers' slides and papers. The main ideas of the discussion sessions, however, are described in considerable detail; in fact, the panelists and attendees are often paraphrased very closely, to minimize misinterpretation. Their statements are not necessarily presented in the order that they occurred, in order to organize them according to NIST's questions for each session. 3. Session Summary Session 1: Papers - New Structures of Hash Functions Session 1 included three talks dealing with new structures of hash functions.
    [Show full text]
  • SHA-3 and Permutation-Based Cryptography
    SHA-3 and permutation-based cryptography Joan Daemen1 Joint work with Guido Bertoni1, Michaël Peeters2 and Gilles Van Assche1 1STMicroelectronics 2NXP Semiconductors Crypto summer school Šibenik, Croatia, June 1-6, 2014 1 / 49 Outline 1 Prologue 2 The sponge construction 3 Keccak and SHA-3 4 Sponge modes of use 5 Block cipher vs permutation 6 Variations on sponge 2 / 49 Prologue Outline 1 Prologue 2 The sponge construction 3 Keccak and SHA-3 4 Sponge modes of use 5 Block cipher vs permutation 6 Variations on sponge 3 / 49 Prologue Cryptographic hash functions ∗ n Function h from Z2 to Z2 Typical values for n: 128, 160, 256, 512 Pre-image resistant: it shall take 2n effort to given y, find x such that h(x) = y 2nd pre-image resistance: it shall take 2n effort to 0 0 given M and h(M), find another M with h(M ) = h(M) collision resistance: it shall take 2n/2 effort to find x1 6= x2 such that h(x1) = h(x2) 4 / 49 Prologue Classical way to build hash functions Mode of use of a compression function: Fixed-input-length compression function Merkle-Damgård iterating mode Property-preserving paradigm hash function inherits properties of compression function …actually block cipher with feed-forward (Davies-Meyer) Compression function built on arithmetic-rotation-XOR: ARX Instances: MD5, SHA-1, SHA-2 (224, 256, 384, 512) … 5 / 49 The sponge construction Outline 1 Prologue 2 The sponge construction 3 Keccak and SHA-3 4 Sponge modes of use 5 Block cipher vs permutation 6 Variations on sponge 6 / 49 The sponge construction Sponge origin: RadioGatún Initiative
    [Show full text]
  • Theory and Practice Theory and Practice for Hash Functions
    www.ecrypt . eu. org Theory and practiceTitle of Presentation for hash functions Bart Preneel Kath o lie ke Un ivers ite it Leuven - COSIC [email protected] Cambridge, 1 February 2012 Insert presenter logo here on slide master Hash functions X.509 Annex D RIPEMD-160 MDC-2 SHA-256 SHA-3 MD2, MD4, MD5 SHA-512 SHA-1 This is an input to a crypto - graphic hash function. The input is a very long string, that is reduced by the hash function to a string of fixed length. There are 1A3FD4128A198FB3CA345932 additional security conditions: it h should be very hard to find an input hashing to a given value (a preimage) or to find two colliding inputs (a collision). 2 Applications • short unique identifier to a string – digital signatures – data authentication • one-way function of a string – protection of passwords – micro-payments • confirma tion o f k nowl e dge /comm itmen t • pseudo-random string generation/key derivation • entropy extraction • construction of MAC algorithms, stream ciphers, block ciphers,… 2005: 800 uses of MD5 in Microsoft Windows 3 Bridging theory and practice? 4 Agenda Definitions Iterations (modes) Compression functions Hash functions SHA-3 5 Security requirements (n-bit result) preimage 2nd preimage collision ? x ≠ ? ? ≠ ? h h h h h h(()x) h(()x) = h(()x’) h(()x) = h(x’) 2n 2n 2n/2 6 Length extension length extension: if one knows h(x), easy to compute h(x || y) without knowing x or IV IV H H 1 2 H = h(x) f f f 3 x1 x2 x3 IV H1 H2 H3 H4= h(x || y) f f f f x1 x2 x3 y solution: output transformation IV H1
    [Show full text]
  • Keccak and the SHA-3 Standardization
    Keccak and the SHA-3 Standardization Guido Bertoni1 Joan Daemen1 Michaël Peeters2 Gilles Van Assche1 1STMicroelectronics 2NXP Semiconductors NIST, Gaithersburg, MD February 6, 2013 1 / 60 Outline 1 The beginning 2 The sponge construction 3 Inside Keccak 4 Analysis underlying Keccak 5 Applications of Keccak, or sponge 6 Some ideas for the SHA-3 standard 2 / 60 The beginning Outline 1 The beginning 2 The sponge construction 3 Inside Keccak 4 Analysis underlying Keccak 5 Applications of Keccak, or sponge 6 Some ideas for the SHA-3 standard 3 / 60 The beginning Cryptographic hash functions * h : f0, 1g ! f0, 1gn Input message Digest MD5: n = 128 (Ron Rivest, 1992) SHA-1: n = 160 (NSA, NIST, 1995) SHA-2: n 2 f224, 256, 384, 512g (NSA, NIST, 2001) 4 / 60 The beginning Our beginning: RadioGatún Initiative to design hash/stream function (late 2005) rumours about NIST call for hash functions forming of Keccak Team starting point: fixing Panama [Daemen, Clapp, FSE 1998] RadioGatún [Keccak team, NIST 2nd hash workshop 2006] more conservative than Panama variable-length output expressing security claim: non-trivial exercise Sponge functions [Keccak team, Ecrypt hash, 2007] closest thing to a random oracle with a finite state Sponge construction calling random permutation 5 / 60 The beginning From RadioGatún to Keccak RadioGatún confidence crisis (2007-2008) own experiments did not inspire confidence in RadioGatún neither did third-party cryptanalysis [Bouillaguet, Fouque, SAC 2008] [Fuhr, Peyrin, FSE 2009] follow-up design Gnoblio went nowhere NIST SHA-3
    [Show full text]
  • Panamanian Música Típica and the Quest for National and Territorial Sovereignty
    “Cien por Ciento Nacional!” Panamanian Música Típica and the Quest for National and Territorial Sovereignty Melissa Gonzalez Submitted in partial fulfillment of the requirements for the degree of Doctor of Philosophy in the Graduate School of Arts and Sciences COLUMBIA UNIVERSITY 2015 ©2015 Melissa Gonzalez All Rights Reserved ABSTRACT “Cien por Ciento Nacional!” Panamanian Música Típica and the Quest for National and Territorial Sovereignty Melissa Gonzalez This dissertation investigates the socio-cultural and musical transfigurations of a rural-identified musical genre known as música típica as it engages with the dynamics of Panama’s rural-urban divide and the country’s nascent engagement with the global political economy. Though regarded as emblematic of Panama’s national folklore, música típica is also the basis for the country’s principal and most commercially successful popular music style known by the same name. The primary concern of this project is to examine how and why this particular genre continues to undergo simultaneous processes of folklorization and commercialization. As an unresolved genre of music, I argue that música típica can offer rich insight into the politics of working out individual and national Panamanian identities. Based on eighteen months of ethnographic fieldwork conducted in Panama City and several rural communities in the country’s interior, I examine the social struggles that subtend the emergence of música típica’s genre variations within local, national, and transnational contexts. Through close ethnographic analysis of particular case studies, this work explores how musicians, fans, and the country’s political and economic structures constitute divisions in regards to generic labeling and how differing fields of musical circulation and meaning are imagined.
    [Show full text]