Keccak Sponge Function Family Main Document

Guido Bertoni¹, Joan Daemen¹, Michaël Peeters², Gilles Van Assche¹
¹STMicroelectronics
²NXP Semiconductors
http://keccak.noekeon.org/
Version 1.2, April 23, 2009

Contents

1 Introduction
  1.1 Specifications summary
  1.2 NIST requirements
  1.3 Acknowledgments
2 Design rationale summary
  2.1 Choosing the sponge construction
  2.2 Choosing an iterated permutation
  2.3 Designing the Keccak-f permutations
  2.4 Choosing the parameter values
3 The sponge construction
  3.1 Security of the sponge construction
    3.1.1 Indifferentiability from a random oracle
    3.1.2 Indifferentiability of multiple sponge functions
    3.1.3 Immunity to generic attacks
    3.1.4 Randomized hashing
    3.1.5 Keyed modes
  3.2 Rationale for the padding
    3.2.1 Sponge input preparation
    3.2.2 Multi-capacity property
    3.2.3 Digest-length dependent digest
  3.3 Parameter choices
    3.3.1 Capacity
    3.3.2 Width
    3.3.3 The default sponge function Keccak[]
  3.4 The four critical operations of a sponge
    3.4.1 Definitions
    3.4.2 The operations
4 Sponge functions with an iterated permutation
  4.1 The philosophy
    4.1.1 The hermetic sponge strategy
    4.1.2 The impossibility of implementing a random oracle
    4.1.3 The choice between a permutation and a transformation
    4.1.4 The choice of an iterated permutation
  4.2 Some structural distinguishers
    4.2.1 Differential cryptanalysis
    4.2.2 Linear cryptanalysis
    4.2.3 Algebraic expressions
    4.2.4 The constrained-input constrained-output (CICO) problem
    4.2.5 Multi-block CICO problems
    4.2.6 Cycle structure
  4.3 Inner collision
    4.3.1 Exploiting a differential trail
    4.3.2 Exploiting a differential
    4.3.3 Truncated trails and differentials
  4.4 Path to an inner state
  4.5 Detecting a cycle
  4.6 Binding an output to a state
  4.7 Classical hash function criteria
    4.7.1 Collision resistance
    4.7.2 Preimage resistance
    4.7.3 Second preimage resistance
    4.7.4 Length extension
    4.7.5 Pseudo-random function
    4.7.6 Output subset properties
5 The Keccak-f permutations
  5.1 Translation invariance
  5.2 The Matryoshka structure
  5.3 The step mappings of Keccak-f
    5.3.1 Properties of χ
    5.3.2 Properties of θ
    5.3.3 Properties of π
    5.3.4 Properties of ρ
    5.3.5 Properties of ι
    5.3.6 The order of steps within a round
  5.4 Choice of parameters: the number of rounds
  5.5 Differential and linear cryptanalysis
    5.5.1 Trail propagation
    5.5.2 The Matryoshka consequence
    5.5.3 The column parity kernel
    5.5.4 One and two-round trails
    5.5.5 Three-round trails: kernel vortices
    5.5.6 Beyond three-round trails: choice of π
    5.5.7 Truncated trails and differentials
    5.5.8 Other group operations
    5.5.9 Differential and linear cryptanalysis variants
    5.5.10 Bounds for symmetric trails
  5.6 Solving CICO problems
  5.7 Strength in keyed mode
  5.8 Symmetry weaknesses
  5.9 Experimental data
    5.9.1 Differential probability distributions
    5.9.2 Correlation distributions
    5.9.3 Algebraic normal form experiments
    5.9.4 Solving CICO problems algebraically
    5.9.5 Cycle distributions
6 Usage
  6.1 Usage scenarios for a sponge function
    6.1.1 Random-oracle interface
    6.1.2 Linking to the security claim
    6.1.3 Examples of modes of use
  6.2 Backward compatibility with old standards
    6.2.1 Input block length and output length
    6.2.2 Initial value
    6.2.3 HMAC
    6.2.4 NIST and other relevant standards
  6.3 Input formatting and diversification
  6.4 Parallel and tree hashing
    6.4.1 Definitions
    6.4.2 Discussion
7 Implementation
  7.1 Bit and byte numbering conventions
  7.2 General aspects
    7.2.1 The lane complementing transform
    7.2.2 Bit interleaving
  7.3 Software implementation
    7.3.1 Optimized for speed
    7.3.2 Using SIMD instructions
    7.3.3 SIMD instructions and KeccakTree
    7.3.4 Protection against side channel attacks
    7.3.5 Estimation on 8-bit processors
  7.4 Hardware implementation
    7.4.1 High-speed core
    7.4.2 Variants of the high-speed core
    7.4.3 Low-area coprocessor
    7.4.4 Protection against side channel attacks
A Change log
  A.1 From 1.1 to 1.2
  A.2 From 1.0 to 1.1

Chapter 1 Introduction

Keccak [8] is a family of cryptographic hash functions [68] or, more accurately, sponge functions [7]. This document describes the properties of the Keccak family and presents its members as candidates to NIST's request for a new cryptographic hash algorithm family called SHA-3 [51].

This introduction offers in Section 1.1 a summary of the Keccak specifications using pseudocode, sufficient to understand its structure and building blocks. In no way should this introductory text be considered as a formal and reference description of Keccak. For the formal definition of the Keccak family, we refer to the separate document [8], to which we assume the reader has access.

While the Keccak definition is fixed, this present document is likely to evolve over time, so we suggest that the reader obtain the latest version from our website http://keccak.noekeon.org/.

The document is organized as follows. The design choices behind the Keccak sponge functions are summarized in Chapter 2. Chapters 3–5 provide a security analysis and a rationale for our design choices. Each of these three chapters looks at a particular level, from top to bottom.

• Chapter 3 looks at the use of the sponge construction in our submission.
• Chapter 4 gives more insight on the use of an iterated permutation in the sponge construction.
• Chapter 5 looks more particularly at Keccak-f, the chosen permutation.

Examples of modes of use, as well as other details regarding the use of the Keccak sponge functions, are provided in Chapter 6. Finally, Chapter 7 takes a look at the software and hardware implementation aspects.

1.1 Specifications summary

Any instance of the Keccak sponge function family makes use of one of the.
