DOCSLIB.ORG

Analysis of SHA-3 Candidates Cubehash and Keccak

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Analysis of SHA-3 Candidates Cubehash and Keccak Analysis of SHA-3 Candidates CubeHash and Keccak ALEXANDER ROS and CARL SIGURJONSSON Bachelor of Science Thesis Stockholm, Sweden 2010 Analysis of SHA-3 Candidates CubeHash and Keccak ALEXANDER ROS and CARL SIGURJONSSON Bachelor’s Thesis in Computer Science (15 ECTS credits) at the School of Computer Science and Engineering Royal Institute of Technology year 2010 Supervisor at CSC was Cristian Bogdan Examiner was Mads Dam URL: www.csc.kth.se/utbildning/kandidatexjobb/datateknik/2010/ ros_alexander_OCH_sigurjonsson_carl_K10067.pdf Royal Institute of Technology School of Computer Science and Communication KTH CSC 100 44 Stockholm URL: www.kth.se/csc Abstract In 2005 the popular hash algorithm standard SHA-1 was revealed to be vulnerable to attacks much faster than brute force. Although a serious weakness in theory, due to the large amount of computations required to mount such an attack it did not pose any immediate threat in practice. In a few years however given technological advancements and improved cryptoanalysis on these algorithms, this is likely not to be the case. Thus the need for a modern set of secure hash algorithms. In an effort to realize this NIST announced in 2007 a public competition to develop the best possible replacement to be named SHA-3 by 2012. In this report we analyze two promising candidates, namely CubeHash and Keccak. A series of tests are conducted measuring their efficiency with regards to performance. Referat Analys av SHA-3 kandidaterna CubeHash och Keccak 2005 visade det sig att den populära hashstandarden SHA-1 innehåll svagheter mot attacker snabbare än en brute force attack. Detta medför allvarliga följder i teorin men på grund av det massiva antalet uträkning- ar har det inte än någon praktisk tillämpning. Med åren kommer dock datorer att utvecklas till den grad att detta kan utgöra ett problem. Av den anledningen ökade kraven på en modernare hashstandard och 2007 tillkännagav NIST att man har inlett en tävling för att hitta den bästa ersättaren som beräknas vara klar 2012. I denna rapport kommer vi analysera två lovande kandidater, Cubehash och Keccak, genom att utföra en serie tester med avseende på prestanda. Contents 1 Introduction 1 1.1 Brief description . 1 1.2 New hash standard . 1 1.3 Purpose of the report . 2 2 Background 3 2.1 Hash Functions . 3 2.2 Constructions . 4 2.2.1 Merkle-Damgård . 4 2.2.2 HAIFA . 5 2.2.3 Cryptographic sponges . 6 3 Secure Hash Algorithm 9 3.1 Overview of SHA-3 candidates . 9 4 Keccak Algorithm 11 4.1 Padding . 11 4.2 Overview . 11 4.3 Parameters . 12 4.4 Keccak-f . 12 5 CubeHash Algorithm 13 5.1 Parameters . 13 5.2 Overview . 13 5.3 Transformation . 14 6 Tests 15 6.1 Results . 15 7 Discussion 17 7.1 The tests . 17 7.2 Conclusion . 18 7.3 References . 18 Chapter 1 Introduction Hash functions have come to play a major role in modern cryptography being widely deployed in various security protocols and applications. The most common uses include digital signatures, message authentication code (MAC) and password pro- tection schemes. They are also useful when storing large data sets by means of fast lookups but used in a different context to cryptographic hash functions they will not be covered in this report. 1.1 Brief description A cryptographic hash function takes a message of arbitrary length as input and produces a value of fixed length as output. This value is usually called a message digest or simply a hash. Much like the signature of a document proving it’s au- thentic; the hash assures the integrity of the original message. Since altering the message even the slightest results in a different hash, the alteration becomes clear to anyone comparing the hashes. Generally for a hash function to be considered secure it should resist the following three types of attacks: • Collision - Find any two messages that produce the same hash • 1st preimage - Find the message given its hash. • 2nd preimage - Given a message, find another message that has the same hash. 1.2 New hash standard Currently the most used hash algorithm is SHA-1 (Secure Hash Algorithm ver- sion 1) and was thought secure until a team of Chinese cryptographers in 2005 discovered a weakness that made it significantly easier to produce collisions [13]. It was recommended that SHA-2 be used instead and although no known attacks exist for SHA-2, considering the structural similarities with SHA-1 it is not an ideal long time replacement. In 2007 the National Institute of Standards and Technology 1 CHAPTER 1. INTRODUCTION (NIST) proposed an open competition for the development of SHA-3, the next hash standard. 1.3 Purpose of the report In this report we study two of the currently fourteen candidates in the SHA-3 competition. Our main focus is evaluating their performance with the previous standards (SHA-1, SHA-2) as a point of reference. We begin with a brief look at traditional construction models used to design hash functions as well as some new ones common among the SHA-3 candidates. In chapter 4 and 5 we analyse the hash algorithms for our chosen candidates and discuss their features. This is followed by the main benchmarking tests. Finally we present the results and our conclusions based on them. 2 Chapter 2 Background 2.1 Hash Functions Hash functions process arbitrary messages and produce fixed-length outputs and ideally each possible message should map to a distinct hash. The function is then said to be collision free. In reality however, hash functions are bound to have collisions given the infinite domain and finite range. The probability of a collision occurring by chance depends on the hash size but in most cases it is negligibly small. Furthermore hash functions should be strictly one-way, i.e. it should not be possible to find the original message from the hash. Or if given a message it should not be possible to find another message that produce the same hash. These are the main properties required of a hash function and more formally defined as Collision resistance Function H is considered collision resistant if it.s infeasible to find two distinct messages m and m. such that H(m) = H(m0). Preimage resistance Function H is considered preimage resistant if given hash h it.s infeasible to find H(m) = h. 2nd preimage resistance Function H is considered 2nd preimage resistant if given message m it is infeasible to find a m0 such that m 6= m0 and H(m) = H(m0). n The generic “brute force” collision attack has a complexity of 2 2 where n is the bitlength of the hash. This is also known as a birthday attack due to the math- ematical similarities to the birthday problem [5]. Preimage attacks pose a greater practical threat than collision attacks and requires O(2n) computations for an n-bit hash. A common model used in cryptography is the random oracle model, a theoretical black box that generates a completely random output. Yet if called again with the same input it returns the same result. Although impossible to implement in practice they are of great help when designing secure hash functions and used in many proofs. 3 CHAPTER 2. BACKGROUND 2.2 Constructions Since hash functions have an infinite domain processing arbitrary long data inputs they are generally constructed to divide the data into fixed sized blocks. The blocks are then either chained though a series of compress function calls or incorporated into an inner state, which is an internal data structure used to keep track of the intermediate hash data. In this section we describe some of the common constructions for the different SHA-3 candidates. 2.2.1 Merkle-Damgård Merkle-Damgård (MD) is the construction model that the majority of commonly used hash functions like MD5, SHA-1 and SHA-2 are based on. It was named after the authors Merkle and Damgård who proved that if the compression function is collision resistant then so is also the hash function that builds on it [20]. Figure 2.1. Merkle-Damgård construction The figure above illustrates how the message is broken up in n fixed b-size blocks and passed to the underlying compression function f. The compression function expects two input values of size b and outputs a value of size b. An initialization vector (IV) that is predefined and set depending on implementation is first passed to f along with the first message block. The resulting value is then chained to the next iteration of f along with subsequent message block. This procedure is repeated until all blocks have been processed. Padding is applied in the last block by appending a single 1 followed by enough 0.s to ensure block size of b. The length of the original message must be included, either in the padding space (i.e. replacing zeros) or in an extra block should it not fit. The finalisation step varies with implementation but most times it is designed to achieve good avalanche effect, which is mixing of the hash bits so that even near identical input messages generates greatly differing hash outputs. 4 2.2. CONSTRUCTIONS Merkle-Damgård strengthening The length padding procedure is known as Merkle-Damgård strengthening and is important as without it the collision resistance proof mentioned above is invalid. To illustrate this point, say we have a MD based hash function H with a com- pression function f. We are given two messages m0 and m1 with the effect that H(m1) = H(m0 || m1) and f(iv, m0) = iv.
Load more

Recommended publications
  • Hello, and Welcome to This Presentation of the STM32MP1 Hash Processor
    Hello, and welcome to this presentation of the STM32MP1 hash processor. 1 Hash peripheral is in charge of efficient computing of message digest. A digest is a fixed-length value computed from an input message. A digest is unique - it is virtually impossible to find two messages with the same digest. The original message cannot be retrieved from its digest. Hash digests and Hash-based Message Authentication Code (HMAC) are widely used in communication since they are used to guarantee the integrity and authentication of a transfer. 2 HASH1 is a secure peripheral (under ETZPC control through ETZPC_DECPROT0 bit 8) while HASH2 is a non secure peripheral. HASH1 instance can be allocated to: • The Arm® Cortex®-A7 secure core to be controlled in OP-TEE by the HASH OP-TEE driver or • The Arm® Cortex® -A7 non-secure core for using in Linux® with Linux Crypto framework HASH2 instance can be allocated to the Arm® Cortex®-M4 core to be controlled in the STM32Cube MPU Package using the STM32Cube HASH driver. HASH1 instance is used as boot device to support binary authentication. 3 The hash processor supports widely used hash functions including Message Digest 5 (MD5), Secure Hash Algorithm SHA-1 and the more recent SHA-2 with its 224- and 256-bit digest length versions. A hash can also be generated with a secrete-key to produce a message authentication code (MAC). The processor supports bit, byte and half-word swapping. It supports also automatic padding of input data for block alignment. The processor can be used in conjunction with the DMA for automatic processor feeding.
    [Show full text]
  • Downloaded on 2017-02-12T13:16:07Z HARDWARE DESIGNOF CRYPTOGRAPHIC ACCELERATORS
    Title Hardware design of cryptographic accelerators Author(s) Baldwin, Brian John Publication date 2013 Original citation Baldwin, B.J., 2013. Hardware design of cryptographic accelerators. PhD Thesis, University College Cork. Type of publication Doctoral thesis Rights © 2013. Brian J. Baldwin http://creativecommons.org/licenses/by-nc-nd/3.0/ Embargo information No embargo required Item downloaded http://hdl.handle.net/10468/1112 from Downloaded on 2017-02-12T13:16:07Z HARDWARE DESIGN OF CRYPTOGRAPHIC ACCELERATORS by BRIAN BALDWIN Thesis submitted for the degree of PHD from the Department of Electrical Engineering National University of Ireland University College, Cork, Ireland May 7, 2013 Supervisor: Dr. William P. Marnane “What I cannot create, I do not understand” - Richard Feynman; on his blackboard at time of death in 1988. Contents 1 Introduction 1 1.1 Motivation...................................... 1 1.2 ThesisAims..................................... 3 1.3 ThesisOutline................................... 6 2 Background 9 2.1 Introduction.................................... 9 2.2 IntroductiontoCryptography. ...... 10 2.3 MathematicalBackground . ... 13 2.3.1 Groups ................................... 13 2.3.2 Rings .................................... 14 2.3.3 Fields.................................... 15 2.3.4 FiniteFields ................................ 16 2.4 EllipticCurves .................................. 17 2.4.1 TheGroupLaw............................... 18 2.4.2 EllipticCurvesoverPrimeFields . .... 19 2.5 CryptographicPrimitives&Protocols
    [Show full text]
  • CS-466: Applied Cryptography Adam O'neill
    Hash functions CS-466: Applied Cryptography Adam O’Neill Adapted from http://cseweb.ucsd.edu/~mihir/cse107/ Setting the Stage • Today we will study a second lower-level primitive, hash functions. Setting the Stage • Today we will study a second lower-level primitive, hash functions. • Hash functions like MD5, SHA1, SHA256 are used pervasively. Setting the Stage • Today we will study a second lower-level primitive, hash functions. • Hash functions like MD5, SHA1, SHA256 are used pervasively. • Primary purpose is data compression, but they have many other uses and are often treated like a “magic wand” in protocol design. Collision resistance (CR) Collision Resistance n Definition: A collision for a function h : D 0, 1 is a pair x1, x2 D → { } ∈ of points such that h(x1)=h(x2)butx1 = x2. ̸ If D > 2n then the pigeonhole principle tells us that there must exist a | | collision for h. Mihir Bellare UCSD 3 Collision resistance (CR) Collision resistanceCollision Resistance (CR) n Definition: A collision for a function h : D 0, 1 n is a pair x1, x2 D Definition: A collision for a function h : D → {0, 1} is a pair x1, x2 ∈ D of points such that h(x1)=h(x2)butx1 = →x2.{ } ∈ of points such that h(x1)=h(x2)butx1 ≠ x2. ̸ If D > 2n then the pigeonhole principle tells us that there must exist a If |D| > 2n then the pigeonhole principle tells us that there must exist a collision| | for h. collision for h. We want that even though collisions exist, they are hard to find.
    [Show full text]
  • Linearization Framework for Collision Attacks: Application to Cubehash and MD6
    Linearization Framework for Collision Attacks: Application to CubeHash and MD6 Eric Brier1, Shahram Khazaei2, Willi Meier3, and Thomas Peyrin1 1 Ingenico, France 2 EPFL, Switzerland 3 FHNW, Switzerland Abstract. In this paper, an improved differential cryptanalysis framework for finding collisions in hash functions is provided. Its principle is based on lineariza- tion of compression functions in order to find low weight differential characteris- tics as initiated by Chabaud and Joux. This is formalized and refined however in several ways: for the problem of finding a conforming message pair whose differ- ential trail follows a linear trail, a condition function is introduced so that finding a collision is equivalent to finding a preimage of the zero vector under the con- dition function. Then, the dependency table concept shows how much influence every input bit of the condition function has on each output bit. Careful analysis of the dependency table reveals degrees of freedom that can be exploited in ac- celerated preimage reconstruction under the condition function. These concepts are applied to an in-depth collision analysis of reduced-round versions of the two SHA-3 candidates CubeHash and MD6, and are demonstrated to give by far the best currently known collision attacks on these SHA-3 candidates. Keywords: Hash functions, collisions, differential attack, SHA-3, CubeHash and MD6. 1 Introduction Hash functions are important cryptographic primitives that find applications in many areas including digital signatures and commitment schemes. A hash function is a trans- formation which maps a variable-length input to a fixed-size output, called message digest. One expects a hash function to possess several security properties, one of which is collision resistance.
    [Show full text]
  • Nasha, Cubehash, SWIFFTX, Skein
    6.857 Homework Problem Set 1 # 1-3 - Open Source Security Model Aleksandar Zlateski Ranko Sredojevic Sarah Cheng March 12, 2009 NaSHA NaSHA was a fairly well-documented submission. Too bad that a collision has already been found. Here are the security properties that they have addressed in their submission: • Pseudorandomness. The paper does not address pseudorandomness directly, though they did show proof of a fairly fast avalanching effect (page 19). Not quite sure if that is related to pseudorandomness, however. • First and second preimage resistance. On page 17, it references a separate document provided in the submission. The proofs are given in the file Part2B4.pdf. The proof that its main transfunction is one-way can be found on pages 5-6. • Collision resistance. Same as previous; noted on page 17 of the main document, proof given in Part2B4.pdf. • Resistance to linear and differential attacks. Not referenced in the main paper, but Part2B5.pdf attempts to provide some justification for this. • Resistance to length extension attacks. Proof of this is given on pages 4-5 of Part2B4.pdf. We should also note that a collision in the n = 384 and n = 512 versions of the hash function. It was claimed that the best attack would be a birthday attack, whereas a collision was able to be produced within 2128 steps. CubeHash According to the author, CubeHash is a very simple cryptographic hash function. The submission does not include almost any of the security details, and for the ones that are included the analysis is very poor. But, for the sake of making this PSet more interesting we will cite some of the authors comments on different security issues.
    [Show full text]
  • Quantum Preimage and Collision Attacks on Cubehash
    Quantum Preimage and Collision Attacks on CubeHash Gaëtan Leurent University of Luxembourg, [email protected] Abstract. In this paper we show a quantum preimage attack on CubeHash-512-normal with complexity 2192. This kind of attack is expected to cost 2256 for a good 512-bit hash function, and we argue that this violates the expected security of CubeHash. The preimage attack can also be used as a collision attack, given that a generic quantum collision attack on a 512-bit hash function require 2256 operations, as explained in the CubeHash submission document. This attack only uses very simple techniques, most of which are borrowed from previous analysis of CubeHash: we just combine symmetry based attacks [1,8] with Grover’s algo- rithm. However, it is arguably the first attack on a second-round SHA-3 candidate that is more efficient than the attacks considered by the designer. 1 Introduction CubeHash is a hash function designed by Bernstein and submitted to the SHA-3 com- petition [2]. It has been accepted for the second round of the competition. In this paper we show a quantum preimage attack on CubeHash-512-normal with complexity 2192. We show that this attack should be considered as better that the attacks considered by the designer, and we explain what were our expectations of the security of CubeHash. P P Fig. 1. CubeHash follows the sponge construction 1.1 CubeHash Versions CubeHash is built following the sponge construction with a 1024-bit permutation. The small size of the state allows for compact hardware implementations, but it is too small to build a fast 512-bit hash function satisfying NIST security requirements.
    [Show full text]
  • Inside the Hypercube
    Inside the Hypercube Jean-Philippe Aumasson1∗, Eric Brier3, Willi Meier1†, Mar´ıa Naya-Plasencia2‡, and Thomas Peyrin3 1 FHNW, Windisch, Switzerland 2 INRIA project-team SECRET, France 3 Ingenico, France Some force inside the Hypercube occasionally manifests itself with deadly results. http://www.staticzombie.com/2003/06/cube 2 hypercube.html Abstract. Bernstein’s CubeHash is a hash function family that includes four functions submitted to the NIST Hash Competition. A CubeHash function is parametrized by a number of rounds r, a block byte size b, and a digest bit length h (the compression function makes r rounds, while the finalization function makes 10r rounds). The 1024-bit internal state of CubeHash is represented as a five-dimensional hypercube. The sub- missions to NIST recommends r = 8, b = 1, and h ∈ {224, 256, 384, 512}. This paper presents the first external analysis of CubeHash, with • improved standard generic attacks for collisions and preimages • a multicollision attack that exploits fixed points • a study of the round function symmetries • a preimage attack that exploits these symmetries • a practical collision attack on a weakened version of CubeHash • a study of fixed points and an example of nontrivial fixed point • high-probability truncated differentials over 10 rounds Since the first publication of these results, several collision attacks for reduced versions of CubeHash were published by Dai, Peyrin, et al. Our results are more general, since they apply to any choice of the parame- ters, and show intrinsic properties of the CubeHash design, rather than attacks on specific versions. 1 CubeHash Bernstein’s CubeHash is a hash function family submitted to the NIST Hash Competition.
    [Show full text]
  • Recommendation for Applications Using Approved Hash Algorithms
    Archived NIST Technical Series Publication The attached publication has been archived (withdrawn), and is provided solely for historical purposes. It may have been superseded by another publication (indicated below). Archived Publication Series/Number: NIST Special Publication 800-107 Title: Recommendation for Applications Using Approved Hash Algorithms Publication Date(s): February 2009 Withdrawal Date: August 2012 Withdrawal Note: SP 800-107 is superseded in its entirety by the publication of SP 800-107 Revision 1 (August 2012). Superseding Publication(s) The attached publication has been superseded by the following publication(s): Series/Number: NIST Special Publication 800-107 Revision 1 Title: Recommendation for Applications Using Approved Hash Algorithms Author(s): Quynh Dang Publication Date(s): August 2012 URL/DOI: http://dx.doi.org/10.6028/NIST.SP.107r1 Additional Information (if applicable) Contact: Computer Security Division (Information Technology Lab) Latest revision of the SP 800-107 Rev. 1 (as of August 12, 2015) attached publication: Related information: http://csrc.nist.gov/ Withdrawal N/A announcement (link): Date updated: ƵŐƵƐƚϭϮ, 2015 NIST Special Publication 800-107 Recommendation for Applications Using Approved Hash Algorithms Quynh Dang Computer Security Division Information Technology Laboratory C O M P U T E R S E C U R I T Y February 2009 U.S. Department of Commerce Otto J. Wolff, Acting Secretary National Institute of Standards and Technology Patrick D. Gallagher, Deputy Director NIST SP 800-107 Abstract Cryptographic hash functions that compute a fixed- length message digest from arbitrary length messages are widely used for many purposes in information security. This document provides security guidelines for achieving the required or desired security strengths when using cryptographic applications that employ the approved cryptographic hash functions specified in Federal Information Processing Standard (FIPS) 180-3.
    [Show full text]
  • Rebound Attack
    Rebound Attack Florian Mendel Institute for Applied Information Processing and Communications (IAIK) Graz University of Technology Inffeldgasse 16a, A-8010 Graz, Austria http://www.iaik.tugraz.at/ Outline 1 Motivation 2 Whirlpool Hash Function 3 Application of the Rebound Attack 4 Summary SHA-3 competition Abacus ECHO Lesamnta SHAMATA ARIRANG ECOH Luffa SHAvite-3 AURORA Edon-R LUX SIMD BLAKE EnRUPT Maraca Skein Blender ESSENCE MCSSHA-3 Spectral Hash Blue Midnight Wish FSB MD6 StreamHash Boole Fugue MeshHash SWIFFTX Cheetah Grøstl NaSHA Tangle CHI Hamsi NKS2D TIB3 CRUNCH HASH 2X Ponic Twister CubeHash JH SANDstorm Vortex DCH Keccak Sarmal WaMM Dynamic SHA Khichidi-1 Sgàil Waterfall Dynamic SHA2 LANE Shabal ZK-Crypt SHA-3 competition Abacus ECHO Lesamnta SHAMATA ARIRANG ECOH Luffa SHAvite-3 AURORA Edon-R LUX SIMD BLAKE EnRUPT Maraca Skein Blender ESSENCE MCSSHA-3 Spectral Hash Blue Midnight Wish FSB MD6 StreamHash Boole Fugue MeshHash SWIFFTX Cheetah Grøstl NaSHA Tangle CHI Hamsi NKS2D TIB3 CRUNCH HASH 2X Ponic Twister CubeHash JH SANDstorm Vortex DCH Keccak Sarmal WaMM Dynamic SHA Khichidi-1 Sgàil Waterfall Dynamic SHA2 LANE Shabal ZK-Crypt The Rebound Attack [MRST09] Tool in the differential cryptanalysis of hash functions Invented during the design of Grøstl AES-based designs allow a simple application of the idea Has been applied to a wide range of hash functions Echo, Grøstl, JH, Lane, Luffa, Maelstrom, Skein, Twister, Whirlpool, ... The Rebound Attack Ebw Ein Efw inbound outbound outbound Applies to block cipher and permutation based
    [Show full text]
  • The Hitchhiker's Guide to the SHA-3 Competition
    History First Second Third The Hitchhiker’s Guide to the SHA-3 Competition Orr Dunkelman Computer Science Department 20 June, 2012 Orr Dunkelman The Hitchhiker’s Guide to the SHA-3 Competition 1/ 33 History First Second Third Outline 1 History of Hash Functions A(n Extremely) Short History of Hash Functions The Sad News about the MD/SHA Family 2 The First Phase of the SHA-3 Competition Timeline The SHA-3 First Round Candidates 3 The Second Round The Second Round Candidates The Second Round Process 4 The Third Round The Finalists Current Performance Estimates The Outcome of SHA-3 Orr Dunkelman The Hitchhiker’s Guide to the SHA-3 Competition 2/ 33 History First Second Third History Sad Outline 1 History of Hash Functions A(n Extremely) Short History of Hash Functions The Sad News about the MD/SHA Family 2 The First Phase of the SHA-3 Competition Timeline The SHA-3 First Round Candidates 3 The Second Round The Second Round Candidates The Second Round Process 4 The Third Round The Finalists Current Performance Estimates The Outcome of SHA-3 Orr Dunkelman The Hitchhiker’s Guide to the SHA-3 Competition 3/ 33 History First Second Third History Sad A(n Extremely) Short History of Hash Functions 1976 Diffie and Hellman suggest to use hash functions to make digital signatures shorter. 1979 Salted passwords for UNIX (Morris and Thompson). 1983/4 Davies/Meyer introduce Davies-Meyer. 1986 Fiat and Shamir use random oracles. 1989 Merkle and Damg˚ard present the Merkle-Damg˚ard hash function.
    [Show full text]
  • NISTIR 7620 Status Report on the First Round of the SHA-3
    NISTIR 7620 Status Report on the First Round of the SHA-3 Cryptographic Hash Algorithm Competition Andrew Regenscheid Ray Perlner Shu-jen Chang John Kelsey Mridul Nandi Souradyuti Paul NISTIR 7620 Status Report on the First Round of the SHA-3 Cryptographic Hash Algorithm Competition Andrew Regenscheid Ray Perlner Shu-jen Chang John Kelsey Mridul Nandi Souradyuti Paul Information Technology Laboratory National Institute of Standards and Technology Gaithersburg, MD 20899-8930 September 2009 U.S. Department of Commerce Gary Locke, Secretary National Institute of Standards and Technology Patrick D. Gallagher, Deputy Director NISTIR 7620: Status Report on the First Round of the SHA-3 Cryptographic Hash Algorithm Competition Abstract The National Institute of Standards and Technology is in the process of selecting a new cryptographic hash algorithm through a public competition. The new hash algorithm will be referred to as “SHA-3” and will complement the SHA-2 hash algorithms currently specified in FIPS 180-3, Secure Hash Standard. In October, 2008, 64 candidate algorithms were submitted to NIST for consideration. Among these, 51 met the minimum acceptance criteria and were accepted as First-Round Candidates on Dec. 10, 2008, marking the beginning of the First Round of the SHA-3 cryptographic hash algorithm competition. This report describes the evaluation criteria and selection process, based on public feedback and internal review of the first-round candidates, and summarizes the 14 candidate algorithms announced on July 24, 2009 for moving forward to the second round of the competition. The 14 Second-Round Candidates are BLAKE, BLUE MIDNIGHT WISH, CubeHash, ECHO, Fugue, Grøstl, Hamsi, JH, Keccak, Luffa, Shabal, SHAvite-3, SIMD, and Skein.
    [Show full text]
  • Re-Visiting HAIFA and Why You Should Visit Too
    Merkle-Damg˚ard HAIFA New Results Summary Re-Visiting HAIFA and why you should visit too Orr Dunkelman D´epartement d’Informatique Ecole´ Normale sup´erieure and France Telecom Chaire 3rd of June 2008 Joint work with Eli Biham, Charles Bouillaguet, Pierre-Alain Fouque, S´ebastian Zimmer. Orr Dunkelman Re-Visiting HAIFA and why you should visit too 1/ 42 Merkle-Damg˚ard HAIFA New Results Summary Outline 1 Iterative Hashing — The Merkle Damg˚ard Construction The Merkle-Damg˚ard Construction Generic Attacks on the Merkle-Damg˚ard Construction Possible Conclusions 2 HAsh Iterative FrAmework The HAIFA Construction Dealing with Fix-Points Variable Hash Size Salts 3 New Results on HAIFA Implementing Other Suggested Modes in HAIFA On the Security of HAIFA 4 Summary Orr Dunkelman Re-Visiting HAIFA and why you should visit too 2/ 42 Merkle-Damg˚ard HAIFA New Results Summary MD Generic Attacks Conclusions Outline 1 Iterative Hashing — The Merkle Damg˚ard Construction The Merkle-Damg˚ard Construction Generic Attacks on the Merkle-Damg˚ard Construction Possible Conclusions 2 HAsh Iterative FrAmework The HAIFA Construction Dealing with Fix-Points Variable Hash Size Salts 3 New Results on HAIFA Implementing Other Suggested Modes in HAIFA On the Security of HAIFA 4 Summary Orr Dunkelman Re-Visiting HAIFA and why you should visit too 3/ 42 Merkle-Damg˚ard HAIFA New Results Summary MD Generic Attacks Conclusions The Merkle-Damg˚ard Construction ◮ Presented by Merkle and Damg˚ard independently as an answer to the following problem: ◮ Given a compression function f : {0, 1}mc × {0, 1}n → {0, 1}mc , how would you ∗ m generate a hash function Hf : {0, 1} → {0, 1} .
    [Show full text]