Keccak Sponge Function Family Main Document

Keccak sponge function family main document

Guido Bertoni (1), Joan Daemen (1), Michaël Peeters (2), Gilles Van Assche (1)
(1) STMicroelectronics, (2) NXP Semiconductors
http://keccak.noekeon.org/
Version 2.1, June 19, 2010
121 pages

Contents

1 Introduction ... 7
  1.1 Specifications summary ... 8
  1.2 NIST requirements ... 11
  1.3 Acknowledgments ... 12
2 Design rationale summary ... 13
  2.1 Choosing the sponge construction ... 13
  2.2 Choosing an iterated permutation ... 14
  2.3 Designing the Keccak-f permutations ... 14
  2.4 Choosing the parameter values ... 15
  2.5 The difference between version 1 and version 2 of Keccak ... 16
3 The sponge construction ... 17
  3.1 Security of the sponge construction ... 17
    3.1.1 Indifferentiability from a random oracle ... 17
    3.1.2 Indifferentiability of multiple sponge functions ... 18
    3.1.3 Immunity to generic attacks ... 19
    3.1.4 Randomized hashing ... 19
    3.1.5 Keyed modes ... 20
  3.2 Rationale for the padding ... 20
    3.2.1 Sponge input preparation ... 20
    3.2.2 Multi-capacity property ... 21
    3.2.3 Digest-length dependent digest ... 21
  3.3 Parameter choices ... 21
    3.3.1 Capacity ... 21
    3.3.2 Width ... 22
    3.3.3 The default sponge function Keccak[] ... 22
  3.4 The four critical operations of a sponge ... 23
    3.4.1 Definitions ... 23
    3.4.2 The operations ... 23
4 Usage ... 25
  4.1 Usage scenarios for a sponge function ... 25
    4.1.1 Random-oracle interface ... 25
    4.1.2 Linking to the security claim ... 25
    4.1.3 Examples of modes of use ... 26
  4.2 Backward compatibility with old standards ... 27
    4.2.1 Input block length and output length ... 27
    4.2.2 Initial value ... 27
    4.2.3 HMAC ... 27
    4.2.4 NIST and other relevant standards ... 28
  4.3 Input formatting and diversification ... 28
  4.4 Parallel and tree hashing ... 29
    4.4.1 Definitions ... 30
    4.4.2 Soundness ... 32
    4.4.3 Discussion ... 32
5 Sponge functions with an iterated permutation ... 33
  5.1 The philosophy ... 33
    5.1.1 The hermetic sponge strategy ... 33
    5.1.2 The impossibility of implementing a random oracle ... 33
    5.1.3 The choice between a permutation and a transformation ... 34
    5.1.4 The choice of an iterated permutation ... 34
  5.2 Some structural distinguishers ... 35
    5.2.1 Differential cryptanalysis ... 35
    5.2.2 Linear cryptanalysis ... 36
    5.2.3 Algebraic expressions ... 37
    5.2.4 The constrained-input constrained-output (CICO) problem ... 38
    5.2.5 Multi-block CICO problems ... 39
    5.2.6 Cycle structure ... 40
  5.3 Inner collision ... 40
    5.3.1 Exploiting a differential trail ... 40
    5.3.2 Exploiting a differential ... 41
    5.3.3 Truncated trails and differentials ... 42
  5.4 Path to an inner state ... 42
  5.5 Detecting a cycle ... 42
  5.6 Binding an output to a state ... 42
  5.7 Classical hash function criteria ... 43
    5.7.1 Collision resistance ... 43
    5.7.2 Preimage resistance ... 43
    5.7.3 Second preimage resistance ... 43
    5.7.4 Length extension ... 44
    5.7.5 Pseudo-random function ... 44
    5.7.6 Output subset properties ... 44
6 The Keccak-f permutations ... 45
  6.1 Translation invariance ... 45
  6.2 The Matryoshka structure ... 46
  6.3 The step mappings of Keccak-f ... 46
    6.3.1 Properties of χ ... 47
    6.3.2 Properties of θ ... 49
    6.3.3 Properties of π ... 52
    6.3.4 Properties of ρ ... 53
    6.3.5 Properties of ι ... 54
    6.3.6 The order of steps within a round ... 55
  6.4 Choice of parameters: the number of rounds ... 55
  6.5 Differential and linear cryptanalysis ... 55
    6.5.1 A formalism for describing trails adapted to Keccak-f ... 55
    6.5.2 The Matryoshka consequence ... 57
    6.5.3 The column parity kernel ... 57
    6.5.4 One and two-round trails ... 57
    6.5.5 Three-round trails: kernel vortices ... 58
    6.5.6 Beyond three-round trails: choice of π ... 60
    6.5.7 Truncated trails and differentials ... 61
    6.5.8 Other group operations ... 62
    6.5.9 Differential and linear cryptanalysis variants ... 62
  6.6 Solving CICO problems ... 63
  6.7 Strength in keyed mode ... 63
  6.8 Symmetry weaknesses ... 63
7 Trail propagation in Keccak-f ... 65
  7.1 Relations between different kinds of weight ... 65
  7.2 Propagation properties related to the linear step θ ... 67
  7.3 Exhaustive trail search ... 68
    7.3.1 Upper bound for the weight of two-round trails to scan ... 68
    7.3.2 Constructing two-round trails ... 69
    7.3.3 Extending trails ... 72
    7.3.4 Linear and differential trail bounds for w ≤ 8 ... 72
  7.4 Tame trails ... 73
    7.4.1 Construction of tame trails ... 73
    7.4.2 Bounds for three-round tame trails ... 74
    7.4.3 Bounds for four-round tame trails ... 75
8 Analysis of Keccak-f ... 77
  8.1 Algebraic normal form ... 77
    8.1.1 Statistical tests ... 77
    8.1.2 Symmetric trails ... 79
    8.1.3 Slide attacks ... 80
  8.2 Solving CICO problems algebraically ... 80
    8.2.1 The goal ... 80
    8.2.2 The supporting software ... 81
    8.2.3 The experiments ... 81
    8.2.4 Third-party analysis ... 83
  8.3 Properties of Keccak-f[25] ... 83
    8.3.1 Algebraic normal statistics ... 83
    8.3.2 Differential probability distributions ... 84
    8.3.3 Correlation distributions ... 86
    8.3.4 Cycle distributions ... 89
  8.4 Distinguishers exploiting low algebraic degree ... 92
9 Implementation ... 95
  9.1 Bit and byte numbering conventions ... 95
  9.2 General aspects ... 96
    9.2.1 The lane complementing transform ... 97
    9.2.2 Bit interleaving ... 98
  9.3 Software implementation ... 99
    9.3.1 Optimized for speed ... 100
    9.3.2 Using SIMD instructions ...

Details

  • File Type: pdf
  • Content Languages: English
  • File Pages: 121
