DOCSLIB.ORG

Keccak Sponge Function Family Main Document

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Keccak Sponge Function Family Main Document Keccak sponge function family main document Guido Bertoni1 Joan Daemen1 Micha¨el Peeters2 Gilles Van Assche1 http://keccak.noekeon.org/ Version 2.1 1STMicroelectronics June 19, 2010 2NXP Semiconductors Keccak 2 / 121 Contents 1 Introduction 7 1.1 Specifications summary . .8 1.2 NIST requirements . 11 1.3 Acknowledgments . 12 2 Design rationale summary 13 2.1 Choosing the sponge construction . 13 2.2 Choosing an iterated permutation . 14 2.3 Designing the Keccak-f permutations . 14 2.4 Choosing the parameter values . 15 2.5 The difference between version 1 and version 2 of Keccak .......... 16 3 The sponge construction 17 3.1 Security of the sponge construction . 17 3.1.1 Indifferentiability from a random oracle . 17 3.1.2 Indifferentiability of multiple sponge functions . 18 3.1.3 Immunity to generic attacks . 19 3.1.4 Randomized hashing . 19 3.1.5 Keyed modes . 20 3.2 Rationale for the padding . 20 3.2.1 Sponge input preparation . 20 3.2.2 Multi-capacity property . 21 3.2.3 Digest-length dependent digest . 21 3.3 Parameter choices . 21 3.3.1 Capacity . 21 3.3.2 Width . 22 3.3.3 The default sponge function Keccak[] . 22 3.4 The four critical operations of a sponge . 23 3.4.1 Definitions . 23 3.4.2 The operations . 23 4 Usage 25 4.1 Usage scenario's for a sponge function . 25 4.1.1 Random-oracle interface . 25 4.1.2 Linking to the security claim . 25 4.1.3 Examples of modes of use . 26 3 / 121 Keccak CONTENTS 4.2 Backward compatibility with old standards . 27 4.2.1 Input block length and output length . 27 4.2.2 Initial value . 27 4.2.3 HMAC . 27 4.2.4 NIST and other relevant standards . 28 4.3 Input formatting and diversification . 28 4.4 Parallel and tree hashing . 29 4.4.1 Definitions . 30 4.4.2 Soundness . 32 4.4.3 Discussion . 32 5 Sponge functions with an iterated permutation 33 5.1 The philosophy . 33 5.1.1 The hermetic sponge strategy . 33 5.1.2 The impossibility of implementing a random oracle . 33 5.1.3 The choice between a permutation and a transformation . 34 5.1.4 The choice of an iterated permutation . 34 5.2 Some structural distinguishers . 35 5.2.1 Differential cryptanalysis . 35 5.2.2 Linear cryptanalysis . 36 5.2.3 Algebraic expressions . 37 5.2.4 The constrained-input constrained-output (CICO) problem . 38 5.2.5 Multi-block CICO problems . 39 5.2.6 Cycle structure . 40 5.3 Inner collision . 40 5.3.1 Exploiting a differential trail . 40 5.3.2 Exploiting a differential . 41 5.3.3 Truncated trails and differentials . 42 5.4 Path to an inner state . 42 5.5 Detecting a cycle . 42 5.6 Binding an output to a state . 42 5.7 Classical hash function criteria . 43 5.7.1 Collision resistance . 43 5.7.2 Preimage resistance . 43 5.7.3 Second preimage resistance . 43 5.7.4 Length extension . 44 5.7.5 Pseudo-random function . 44 5.7.6 Output subset properties . 44 6 The Keccak-f permutations 45 6.1 Translation invariance . 45 6.2 The Matryoshka structure . 46 6.3 The step mappings of Keccak-f ......................... 46 6.3.1 Properties of χ ............................... 47 6.3.2 Properties of θ ............................... 49 6.3.3 Properties of π ............................... 52 6.3.4 Properties of ρ ............................... 53 4 / 121 CONTENTS Keccak 6.3.5 Properties of ι ............................... 54 6.3.6 The order of steps within a round . 55 6.4 Choice of parameters: the number of rounds . 55 6.5 Differential and linear cryptanalysis . 55 6.5.1 A formalism for describing trails adapted to Keccak-f ........ 55 6.5.2 The Matryoshka consequence . 57 6.5.3 The column parity kernel . 57 6.5.4 One and two-round trails . 57 6.5.5 Three-round trails: kernel vortices . 58 6.5.6 Beyond three-round trails: choice of π .................. 60 6.5.7 Truncated trails and differentials . 61 6.5.8 Other group operations . 62 6.5.9 Differential and linear cryptanalysis variants . 62 6.6 Solving CICO problems . 63 6.7 Strength in keyed mode . 63 6.8 Symmetry weaknesses . 63 7 Trail propagation in Keccak-f 65 7.1 Relations between different kinds of weight . 65 7.2 Propagation properties related to the linear step θ ............... 67 7.3 Exhaustive trail search . 68 7.3.1 Upper bound for the weight of two-round trails to scan . 68 7.3.2 Constructing two-round trails . 69 7.3.3 Extending trails . 72 7.3.4 Linear and differential trail bounds for w ≤ 8.............. 72 7.4 Tame trails . 73 7.4.1 Construction of tame trails . 73 7.4.2 Bounds for three-round tame trails . 74 7.4.3 Bounds for four-round tame trails . 75 8 Analysis of Keccak-f 77 8.1 Algebraic normal form . 77 8.1.1 Statistical tests . 77 8.1.2 Symmetric trails . 79 8.1.3 Slide attacks . 80 8.2 Solving CICO problems algebraically . 80 8.2.1 The goal . 80 8.2.2 The supporting software . 81 8.2.3 The experiments . 81 8.2.4 Third-party analysis . 83 8.3 Properties of Keccak-f[25] . 83 8.3.1 Algebraic normal statistics . 83 8.3.2 Differential probability distributions . 84 8.3.3 Correlation distributions . 86 8.3.4 Cycle distributions . 89 8.4 Distinguishers exploiting low algebraic degree . 92 5 / 121 Keccak CONTENTS 9 Implementation 95 9.1 Bit and byte numbering conventions . 95 9.2 General aspects . 96 9.2.1 The lane complementing transform . 97 9.2.2 Bit interleaving . 98 9.3 Software implementation . 99 9.3.1 Optimized for speed . 100 9.3.2 Using SIMD instructions . ..
Load more

Recommended publications
  • The Design of Rijndael: AES - the Advanced Encryption Standard/Joan Daemen, Vincent Rijmen
    Joan Daernen · Vincent Rijrnen Theof Design Rijndael AES - The Advanced Encryption Standard With 48 Figures and 17 Tables Springer Berlin Heidelberg New York Barcelona Hong Kong London Milan Paris Springer TnL-1Jn Joan Daemen Foreword Proton World International (PWI) Zweefvliegtuigstraat 10 1130 Brussels, Belgium Vincent Rijmen Cryptomathic NV Lei Sa 3000 Leuven, Belgium Rijndael was the surprise winner of the contest for the new Advanced En­ cryption Standard (AES) for the United States. This contest was organized and run by the National Institute for Standards and Technology (NIST) be­ ginning in January 1997; Rij ndael was announced as the winner in October 2000. It was the "surprise winner" because many observers (and even some participants) expressed scepticism that the U.S. government would adopt as Library of Congress Cataloging-in-Publication Data an encryption standard any algorithm that was not designed by U.S. citizens. Daemen, Joan, 1965- Yet NIST ran an open, international, selection process that should serve The design of Rijndael: AES - The Advanced Encryption Standard/Joan Daemen, Vincent Rijmen. as model for other standards organizations. For example, NIST held their p.cm. Includes bibliographical references and index. 1999 AES meeting in Rome, Italy. The five finalist algorithms were designed ISBN 3540425802 (alk. paper) . .. by teams from all over the world. 1. Computer security - Passwords. 2. Data encryption (Computer sCIence) I. RIJmen, In the end, the elegance, efficiency, security, and principled design of Vincent, 1970- II. Title Rijndael won the day for its two Belgian designers, Joan Daemen and Vincent QA76.9.A25 D32 2001 Rijmen, over the competing finalist designs from RSA, IBl\!I, Counterpane 2001049851 005.8-dc21 Systems, and an English/Israeli/Danish team.
    [Show full text]
  • Permutation-Based Encryption, Authentication and Authenticated Encryption
    Permutation-based encryption, authentication and authenticated encryption Permutation-based encryption, authentication and authenticated encryption Joan Daemen1 Joint work with Guido Bertoni1, Michaël Peeters2 and Gilles Van Assche1 1STMicroelectronics 2NXP Semiconductors DIAC 2012, Stockholm, July 6 . Permutation-based encryption, authentication and authenticated encryption Modern-day cryptography is block-cipher centric Modern-day cryptography is block-cipher centric (Standard) hash functions make use of block ciphers SHA-1, SHA-256, SHA-512, Whirlpool, RIPEMD-160, … So HMAC, MGF1, etc. are in practice also block-cipher based Block encryption: ECB, CBC, … Stream encryption: synchronous: counter mode, OFB, … self-synchronizing: CFB MAC computation: CBC-MAC, C-MAC, … Authenticated encryption: OCB, GCM, CCM … . Permutation-based encryption, authentication and authenticated encryption Modern-day cryptography is block-cipher centric Structure of a block cipher . Permutation-based encryption, authentication and authenticated encryption Modern-day cryptography is block-cipher centric Structure of a block cipher (inverse operation) . Permutation-based encryption, authentication and authenticated encryption Modern-day cryptography is block-cipher centric When is the inverse block cipher needed? Indicated in red: Hashing and its modes HMAC, MGF1, … Block encryption: ECB, CBC, … Stream encryption: synchronous: counter mode, OFB, … self-synchronizing: CFB MAC computation: CBC-MAC, C-MAC, … Authenticated encryption: OCB, GCM, CCM … So a block cipher
    [Show full text]
  • Cryptographic Sponge Functions
    Cryptographic sponge functions Guido B1 Joan D1 Michaël P2 Gilles V A1 http://sponge.noekeon.org/ Version 0.1 1STMicroelectronics January 14, 2011 2NXP Semiconductors Cryptographic sponge functions 2 / 93 Contents 1 Introduction 7 1.1 Roots .......................................... 7 1.2 The sponge construction ............................... 8 1.3 Sponge as a reference of security claims ...................... 8 1.4 Sponge as a design tool ................................ 9 1.5 Sponge as a versatile cryptographic primitive ................... 9 1.6 Structure of this document .............................. 10 2 Definitions 11 2.1 Conventions and notation .............................. 11 2.1.1 Bitstrings .................................... 11 2.1.2 Padding rules ................................. 11 2.1.3 Random oracles, transformations and permutations ........... 12 2.2 The sponge construction ............................... 12 2.3 The duplex construction ............................... 13 2.4 Auxiliary functions .................................. 15 2.4.1 The absorbing function and path ...................... 15 2.4.2 The squeezing function ........................... 16 2.5 Primary aacks on a sponge function ........................ 16 3 Sponge applications 19 3.1 Basic techniques .................................... 19 3.1.1 Domain separation .............................. 19 3.1.2 Keying ..................................... 20 3.1.3 State precomputation ............................ 20 3.2 Modes of use of sponge functions .........................
    [Show full text]
  • Asymptotic Analysis of Plausible Tree Hash Modes for SHA-3
    Asymptotic Analysis of Plausible Tree Hash Modes for SHA-3 Kevin Atighehchi1 and Alexis Bonnecaze2 1 Normandie Univ, UNICAEN, ENSICAEN, CNRS, GREYC, 14000 Caen, France [email protected] 2 Aix Marseille Univ, CNRS, Centrale Marseille, I2M, Marseille, France [email protected] Abstract. Discussions about the choice of a tree hash mode of operation for a standardization have recently been undertaken. It appears that a single tree mode cannot address adequately all possible uses and specifications of a system. In this paper, we review the tree modes which have been proposed, we discuss their problems and propose solutions. We make the reasonable assumption that communicating systems have different specifications and that software applications are of different types (securing stored content or live-streamed content). Finally, we propose new modes of operation that address the resource usage problem for three representative categories of devices and we analyse their asymptotic behavior. Keywords: SHA-3 · Hash functions · Sakura · Keccak · SHAKE · Parallel algorithms · Merkle trees · Live streaming 1 Introduction 1.1 Context In this article, we are interested in the parallelism of cryptographic hash functions. De- pending on the nature of the application, we seek to achieve either of the two alternative objectives: • Priority to memory usage. We first reduce the (asymptotic) parallel running time, and then the number of involved processors, while minimizing the required memory of an implementation using as few as one processor. • Priority to parallel time. We retain an asymptotically optimal parallel time while containing the other computational resources. Historically, a cryptographic hash function makes use of an underlying function, de- noted f, having a fixed input size, like a compression function, a block cipher or more recently, a permutation [BDPA13, BDPA11].
    [Show full text]
  • The Subterranean 2.0 Cipher Suite Joan Daemen, Pedro Maat Costa Massolino, Alireza Mehrdad, Yann Rotella
    The subterranean 2.0 cipher suite Joan Daemen, Pedro Maat Costa Massolino, Alireza Mehrdad, Yann Rotella To cite this version: Joan Daemen, Pedro Maat Costa Massolino, Alireza Mehrdad, Yann Rotella. The subterranean 2.0 cipher suite. IACR Transactions on Symmetric Cryptology, Ruhr Universität Bochum, 2020, 2020 (Special Issue 1), pp.262-294. 10.13154/tosc.v2020.iS1.262-294. hal-02889985 HAL Id: hal-02889985 https://hal.archives-ouvertes.fr/hal-02889985 Submitted on 15 Jul 2020 HAL is a multi-disciplinary open access L’archive ouverte pluridisciplinaire HAL, est archive for the deposit and dissemination of sci- destinée au dépôt et à la diffusion de documents entific research documents, whether they are pub- scientifiques de niveau recherche, publiés ou non, lished or not. The documents may come from émanant des établissements d’enseignement et de teaching and research institutions in France or recherche français ou étrangers, des laboratoires abroad, or from public or private research centers. publics ou privés. Distributed under a Creative Commons Attribution| 4.0 International License IACR Transactions on Symmetric Cryptology ISSN 2519-173X, Vol. 2020, No. S1, pp. 262–294. DOI:10.13154/tosc.v2020.iS1.262-294 The Subterranean 2.0 Cipher Suite Joan Daemen1, Pedro Maat Costa Massolino1, Alireza Mehrdad1 and Yann Rotella2 1 Digital Security Group, Radboud University, Nijmegen, The Netherlands 2 Laboratoire de Mathématiques de Versailles, University of Versailles Saint-Quentin-en-Yvelines (UVSQ), The French National Centre for Scientific Research (CNRS), Paris-Saclay University, Versailles, France [email protected], [email protected], [email protected], [email protected] Abstract.
    [Show full text]
  • Broad View of Cryptographic Hash Functions
    IJCSI International Journal of Computer Science Issues, Vol. 10, Issue 4, No 1, July 2013 ISSN (Print): 1694-0814 | ISSN (Online): 1694-0784 www.IJCSI.org 239 Broad View of Cryptographic Hash Functions 1 2 Mohammad A. AlAhmad , Imad Fakhri Alshaikhli 1 Department of Computer Science, International Islamic University of Malaysia, 53100 Jalan Gombak Kuala Lumpur, Malaysia, 2 Department of Computer Science, International Islamic University of Malaysia, 53100 Jalan Gombak Kuala Lumpur, Malaysia Abstract Cryptographic hash function is a function that takes an arbitrary length as an input and produces a fixed size of an output. The viability of using cryptographic hash function is to verify data integrity and sender identity or source of information. This paper provides a detailed overview of cryptographic hash functions. It includes the properties, classification, constructions, attacks, applications and an overview of a selected dedicated cryptographic hash functions. Keywords-cryptographic hash function, construction, attack, classification, SHA-1, SHA-2, SHA-3. Figure 1. Classification of cryptographic hash function 1. INTRODUCTION CRHF usually deals with longer length hash values. An A cryptographic hash function H is an algorithm that takes an unkeyed hash function is a function for a fixed positive integer n * arbitrary length of message as an input {0, 1} and produce a which has, as a minimum, the following two properties: n fixed length of an output called message digest {0, 1} 1) Compression: h maps an input x of arbitrary finite bit (sometimes called an imprint, digital fingerprint, hash code, hash length, to an output h(x) of fixed bit length n.
    [Show full text]
  • The Password Hashing Competition Prehistory of Password Protection
    The Password Hashing Competition Peter Gutmann University of Auckland Prehistory of Password Protection Before timesharing • Whoever submitted the card deck owned it Prehistory of Password Protection (ctd) Compatible Time-Sharing System (CTSS), 1963 • Introduced the use of a “private code” to protect access to users’ data Prehistory of Password Protection (ctd) Famously failed in 1966 • CTSS editor used a fixed temporary filename • Admin edited the password file and login message file at the same time… Problem occurred at 5pm on a Friday • User noticed it and deliberately executed an HCF instruction in the debugger • When machine was rebooted, users were told to change their passwords – (And given free credit monitoring) History of Password Protection Cambridge Uni Titan timesharing system, 1967, used a one-way cipher to protect the password Spread to CTSS’ successor Multics in the 1970s • And from there to a Multics successor, Unics^H^Hx History of Password Protection (ctd) Unix originally stored passwords in the clear • More problems with editor temp files Encrypt the passwords like Multics had done • Protect against brute-force by iterating the encryption • Protect against comparing encrypted passwords by adding a random quantity (salt) to the password Originally based on a software analogue of the M-209 cipher machine • Encrypt the password using itself as the key • Found to be too fast, vulnerable to brute-forcing History of Password Protection (ctd) Later Unix crypt used 25 iterations of DES encryption • Salt+password used as a
    [Show full text]
  • High Throughput Implementation of the Keccak Hash Function Using the Nios-II Processor †
    technologies Article High Throughput Implementation of the Keccak Hash Function Using the Nios-II Processor † Argyrios Sideris * , Theodora Sanida and Minas Dasygenis Department of Electrical and Computer Engineering, University of Western Macedonia, 50131 Kozani, Greece; [email protected] (T.S.); [email protected] (M.D.) * Correspondence: [email protected]; Tel.: +30-24610-33101 † This paper is an extended version of our paper published in 8th International Conference on Modern Circuit and System Technologies on Electronics and Communications (MOCAST 2019), Thessaloniki, Greece, 13–15 May 2019. Received: 21 December 2019; Accepted: 6 February 2020; Published: 10 February 2020 Abstract: Presently, cryptographic hash functions play a critical role in many applications, such as digital signature systems, security communications, protocols, and network security infrastructures. The new standard cryptographic hash function is Secure Hash Algorithm 3 (SHA-3), which is not vulnerable to attacks. The Keccak algorithm is the winner of the NIST competition for the adoption of the new standard SHA-3 hash algorithm. In this work, we present hardware throughput optimization techniques for the SHA-3 algorithm using the Very High Speed Integrated Circuit Hardware Description Language (VHDL) programming language for all output lengths in the Keccak hash function (224, 256, 384 and 512). Our experiments were performed with the Nios II processor on the FPGA Arria 10 GX (10AX115N2P45E1SG). We applied two architectures, one without custom instruction and one with floating point hardware 2. Finally, we compare the results with other existing similar designs and found that the proposed design with floating point 2 optimizes throughput (Gbps) compared to existing FPGA implementations.
    [Show full text]
  • Exploring NIST LWC/PQC Synergy with R5sneik How SNEIK 1.1 Algorithms Were Designed to Support Round5
    Exploring NIST LWC/PQC Synergy with R5Sneik How SNEIK 1.1 Algorithms were Designed to Support Round5 Markku-Juhani O. Saarinen∗ PQShield Ltd. Prama House, 267 Banbury Road Oxford OX2 7HT, United Kingdom [email protected] Abstract. Most NIST Post-Quantum Cryptography (PQC) candidate algorithms use symmetric primitives internally for various purposes such as “seed expansion” and CPA to CCA transforms. Such auxiliary symmetric operations constituted only a fraction of total execution time of traditional RSA and ECC algorithms, but with faster lattice algorithms the impact of symmetric algorithm characteristics can be very significant. A choice to use a specific PQC algorithm implies that its internal symmetric compo- nents must also be implemented on all target platforms. This can be problematic for lightweight, embedded (IoT), and hardware implementations. It has been widely ob- served that current NIST-approved symmetric components (AES, GCM, SHA, SHAKE) form a major bottleneck on embedded and hardware implementation footprint and performance for many of the most efficient NIST PQC proposals. Meanwhile, a sepa- rate NIST effort is ongoing to standardize lightweight symmetric cryptography (LWC). Therefore it makes sense to explore which NIST LWC candidates are able to efficiently support internals of post-quantum asymmetric cryptography. We discuss R5Sneik, a variant of Round5 that internally uses SNEIK 1.1 permutation-based primitives instead of SHAKE and AES-GCM. The SNEIK family includes parameter selections specifically designed to support lattice cryptography. R5Sneik is up to 40% faster than Round5 for some parameter sets on ARM Cortex M4, and has substantially smaller implementation footprint. We introduce the concept of a fast Entropy Distribution Function (EDF), a lightweight diffuser that we expect to have sufficient security properties for lattice seed expansion and many types of sampling, but not for plain encryption or hashing.
    [Show full text]
  • Encryption Block Cipher
    10/29/2007 Encryption Encryption Block Cipher Dr.Talal Alkharobi 2 Block Cipher A symmetric key cipher which operates on fixed-length groups of bits, termed blocks, with an unvarying transformation. When encrypting, a block cipher take n-bit block of plaintext as input, and output a corresponding n-bit block of ciphertext. The exact transformation is controlled using a secret key. Decryption is similar: the decryption algorithm takes n-bit block of ciphertext together with the secret key, and yields the original n-bit block of plaintext. Mode of operation is used to encrypt messages longer than the block size. 1 Dr.Talal Alkharobi 10/29/2007 Encryption 3 Encryption 4 Decryption 2 Dr.Talal Alkharobi 10/29/2007 Encryption 5 Block Cipher Consists of two algorithms, encryption, E, and decryption, D. Both require two inputs: n-bits block of data and key of size k bits, The output is an n-bit block. Decryption is the inverse function of encryption: D(E(B,K),K) = B For each key K, E is a permutation over the set of input blocks. n Each key K selects one permutation from the possible set of 2 !. 6 Block Cipher The block size, n, is typically 64 or 128 bits, although some ciphers have a variable block size. 64 bits was the most common length until the mid-1990s, when new designs began to switch to 128-bit. Padding scheme is used to allow plaintexts of arbitrary lengths to be encrypted. Typical key sizes (k) include 40, 56, 64, 80, 128, 192 and 256 bits.
    [Show full text]
  • ISAP – Towards Side-Channel Secure Authenticated Encryption
    ISAP – Towards Side-Channel Secure Authenticated Encryption Christoph Dobraunig, Maria Eichlseder, Stefan Mangard, Florian Mendel and Thomas Unterluggauer Graz University of Technology, Austria [email protected] Abstract. Side-channel attacks and in particular differential power analysis (DPA) attacks pose a serious threat to cryptographic implementations. One approach to counteract such attacks are cryptographic schemes based on fresh re-keying. In settings of pre-shared secret keys, such schemes render DPA attacks infeasible by deriving session keys and by ensuring that the attacker cannot collect side-channel leakage on the session key during cryptographic operations with different inputs. While these schemes can be applied to secure standard communication settings, current re-keying approaches are unable to provide protection in settings where the same input needs to be processed multiple times. In this work, we therefore adapt the re-keying approach and present a symmetric authenticated encryption scheme that is secure against DPA attacks and that does not have such a usage restriction. This means that our scheme fully complies with the requirements given in the CAESAR call and hence, can be used like other nonce- based authenticated encryption schemes without loss of side-channel protection. Its resistance against side-channel analysis is highly relevant for several applications in practice, like bulk storage settings in general and the protection of FPGA bitfiles and firmware images in particular. Keywords: authenticated encryption · fresh re-keying · passive side-channel attacks · sponge construction · permutation-based construction 1 Introduction Motivation. Passive side-channel attacks and in particular differential power analysis (DPA) pose a serious threat to the security of cryptographic implementations.
    [Show full text]
  • A Lightweight Implementation of Keccak Hash Function for Radio-Frequency Identification Applications
    A Lightweight Implementation of Keccak Hash Function for Radio-Frequency Identification Applications Elif Bilge Kavun and Tolga Yalcin Department of Cryptography Institute of Applied Mathematics, METU Ankara, Turkey {e168522,tyalcin}@metu.edu.tr Abstract. In this paper, we present a lightweight implementation of the permutation Keccak-f[200] and Keccak-f[400] of the SHA-3 candidate hash function Keccak. Our design is well suited for radio-frequency identification (RFID) applications that have limited resources and demand lightweight cryptographic hardware. Besides its low-area and low-power, our design gives a decent throughput. To the best of our knowledge, it is also the first lightweight implementation of a sponge function, which differentiates it from the previous works. By implementing the new hash algorithm Keccak, we have utilized unique advantages of the sponge construction. Although the implementation is targeted for Application Specific Integrated Circuit (ASIC) platforms, it is also suitable for Field Programmable Gate Arrays (FPGA). To obtain a compact design, serialized data processing principles are exploited together with algorithm-specific optimizations. The design requires only 2.52K gates with a throughput of 8 Kbps at 100 KHz system clock based on 0.13-µm CMOS standard cell library. Keywords: RFID, Keccak, SHA-3, sponge function, serialized processing, low- area, low-power, high throughput. 1 Introduction In recent years, the developments on digital wireless technology have improved many areas such as the mobile systems. Mobile and embedded devices will be everywhere in times to come, making it possible to use communication services and other applications anytime and anywhere. Among these mobile devices, radio-frequency identification (RFID) tags offer low-cost, long battery life and unprecedented mobility [1-2].
    [Show full text]