Secure Hash Algorithm-3 Cryptographic Hash Functions

SHA-3 is a cryptographic hash function (designed by Guido Bertoni, Joan Daemen, Michaël Peeters and Gilles Van Assche)

A cryptographic hash function takes an arbitrary block of data (message) and returns a fixed-size bit string (hash value)

H : {0, 1}* --> {0,1}n

Hash functions provides integrity and has applications in digital signatures, message authentication codes,etc. Need for SHA-3

Widespread Hash functions before 2004: MD4, MD5, RIPE-MD, RIPE-MD160, SHA0, SHA1, SHA2

• 1991-1993: Den Boer and Bosselaers attack MD4 and MD5 • 1996: Dobbertin improves attacks on MD4 and MD5 • 1998: Chabaud and Joux attack SHA-0 • 2004: Joux et al. break SHA-0 • 2004: Wang et al. break MD5 • 2005: Lenstra et al., and Klima, make MD5 attack practical • 2005: Wang et al. theoretically break SHA-1 • 2006: De Cannière and Rechberger further break SHA-1 Cypto 2004

In the conference,

Joux shows a surprising property in Merkle-Damgaard hashes ►Multicollisions ►Cascaded hashes don’t help security much

Wang, Feng, Lai, and Yu found a collison attack on SHA-0 with complexity of 2^40. Attacks on MD4, MD5 and RIPEMD were also found.

Biham/Chen announced new results in cryptanalyzing SHA-1, including a collision attack in a reduced-round version of SHA-1.

Wang's algorithm was extended to find collision in SHA-1 in 2^63 steps in 2005. Need for SHA3 and the NIST competition

Algorithm Ouput size Collision attack Second Preimage (in bits) preimage attack attack MD5 128 Yes (2^20.96) Yes (2^123.4) Yes (2^123.4)

SHA-0 160 Yes (2^33.6) No No SHA-1 160 Yes (2^51) No No SHA-2 256/224 Theoretical Theoretical Theoretical (2^28.5 : 24) (2^248.4 : 42) (2^248.4: 42) SHA-2 512/384 Theoretical Theoretical Theoretical (2^32.5 : 24) (2^494.6 : 42) (2^494.6 : 42) SHA-3 224/256/384/512 NO NO NO Keccak sponge construction

Keccak uses the sponge construction

The sponge construction builds a function SPONGE [f, pad, r] with variable length input and arbitrary length output where, f A fixed-length transformation/ permutaion (The permutation f operates on a fixed number of bits, the width b) pad A padding rule

r A parameter called bitrate

The value c = b − r is called the capacity. Keccak SHA-3 standardization

For SHA-3, KECCAK == SPONGE[ Keccak-f (5×5×64), pad 10*1, r ]

Value of bitrate r depends on the output hash size Output hash size 224 256 384 512 (in bits) Bitrate r 1152 1088 832 576 (in bits)

There are 7 Keccak- f permutations, indicated by Keccak-f [b] , where b = 25 × 2^ℓ and ℓ ranges from 0 to 6. Here, 2^ℓ represents the word size,w.

SHA-3 uses words of size 64 bits. Hence the Keccak -f permutation with b =( 25 × 2 ^ 6 ) is used in SHA-3. Keccak - f [b] permutation

A sequence of operations on a state a which is a 3D array of elements of GF(2). a[5][5][w], with w = 2^ℓ

Mapping between the bits of s and those of a is s[w(5y + x)+ z]= a[x][y][z] with x, y ∈ Z5 and z ∈ Zw.

Keccak- f [b] is an iterated permutation, consisting of a sequence of nr rounds of R where R = and nr is 12+2ℓ θ

Compute parity of each column

Add to each bit a[x][y][z] the parity of the neighboring columns.

Mapping is linear and provides diffusion within the slice. ρ

The lanes are cyclically shifted by an offset equal to a triangular number n(n+1)/2.

Creates inter-slice diffusion π

Mapping is a transposition of lanes that disturbs the horizontal and vertical alignment within the slice

π applied to aslice. Note that x = y = 0 is depicted at the center of the slice χ

Only non-linear mapping of Keccak-f[b] (algebraic degree of 2) “Flip bit if neighbors exhibit 01 pattern” Operates independently and in parallel on 5-bit rows l

All other values of RC[ir][x][y][z] are zero

Only mapping that disrupts symmetry between the rounds. The bits of the round constants are different from round to round and are taken as the output of a maximum-length LFSR. The constants are only added in a single lane of the state. The disruption diffuses through θ and χ to all lanes of the state after a single round. SHA-3 summary

Sponge function= State Memory (S) + function f + padding p ( 25* 64= 1600 bits ) Round function Keccak-f [1600]: f = θ o ρ o π o χ o ι Number of rounds: 12 + 2ℓ = 24

Operation of SHA3 • S is initialized to zero • Input string is padded • S XOR First r-bit block of padded input • S replaced by f(S) • S XOR Next r-bit block of padded input • S replaced by f(S) abd so on..

Process repeated till all blocks of padded input string are used up or "absorbed"

• First r bits of S are outputted • S replaced by f(S) • Next r bits of S are outputted and so on.. Process repeated till the desired number of output bits are produced or "sqeezed out". If the output length is not a multiple of r bits,then it will be truncated. Analysis of SHA-3

Security level ( against all attacks) at CHES 2013

SHA3 Security level

SHA3-224 128 bits SHA3-256 SHA3-384 256 bits SHA3-512

Keccak has high performance in hardware as well as software implementations.This coupled with its high security margin made it the winner of the NIST competition in 2012. Keccak-f[b] state naming convention