
SHA-3 vs the world

The slides of my Defcon talk


  1. SHA-3 vs the world, David Wong
  2. [chart from http://valerieaurora.org/hash.html covering Snefru, MD2, MD4, MD5, RIPEMD, HAVAL-128, SHA-0, SHA-1, RIPEMD-160 and SHA-2]
  3. Keccak, BLAKE, Grøstl, JH, Skein
  4. f: permutation-based cryptography; Sponge Construction
  5-16. Sponge Construction [diagram built up one element per slide: a state initialized to 0 0 and labelled r and c; message blocks are XORed (⊕) in with the permutation f between them (absorbing); the output is then read out with f between reads (squeezing)]
  17. Sponge Construction: 24 rounds in SHA-3 [same diagram]
  18. Keccak: Guido Bertoni, Joan Daemen, Michaël Peeters and Gilles Van Assche
  19. SHA-3 competition (2007 to 2012)
  20. SHA-3 competition (2007 to 2012); BLAKE2
  21. SHA-3 competition (2007 to 2012); BLAKE2; SHA-3 standard (FIPS 202), 2015
  22. github.com/gvanas/KeccakCodePackage
  23. Bit Security
        • bit security of AES-128?
        • bit security of AES-256?
        • bit security against pre-image attacks of SHA-256?
        • bit security against pre-image attacks of SHA-512?
        • bit security against pre-image attacks of SHA-3-512?
  24. Where is SHA-3 being used?
  25. SHAKE is a XOF
  26. keccak.noekeon.org/tune.html
  27. SHA-3 competition (2007 to 2012); BLAKE2; SHA-3 standard (FIPS 202), 2015; SP 800-185, 2016
  28. KMAC, TupleHash, ParallelHash
  29. KMAC, TupleHash, ParallelHash: message || SHA-256(message)
  30. KMAC, TupleHash, ParallelHash: message || SHA-256(key||message)
  31. KMAC, TupleHash, ParallelHash: message || more || SHA-256(key||message||more)
  32. KMAC, TupleHash, ParallelHash: message || SHAKE(key || message)
  33. KMAC, TupleHash, ParallelHash: message || SHAKE(key || message); my RSA public key = (e, N)
  34. KMAC, TupleHash, ParallelHash: message || SHAKE(key || message); my RSA public key = (e, N); fingerprint = SHA-256(e || N)
  35. KMAC, TupleHash, ParallelHash: message || SHAKE(key || message); fingerprint1 = SHA-256(1010110000000010001…) [bits labelled e and N]
  36. KMAC, TupleHash, ParallelHash: message || SHAKE(key || message); fingerprint1 = SHA-256(1010110000000010001…) [bits labelled e and N]; fingerprint2 = SHA-256(1010110000000010001…) [bits labelled e and N]
  37. KMAC, TupleHash, ParallelHash: message || SHAKE(key || message); SHAKE(len(e) || e || len(N) || N)
  38-41. Sponge Construction [diagram repeated: state initialized to 0 0, message XORed (⊕) in with f between blocks (absorbing), output read out with f between reads (squeezing)]
  42. KMAC, TupleHash, ParallelHash: message || SHAKE(key || message); SHAKE(len(e) || e || len(N) || N); SHAKE(SHAKE(b1) || SHAKE(b2) || SHAKE(b3) || …)
  43. SHA-3 competition (2007 to 2012); BLAKE2; SHA-3 / SHAKE (2015); TupleHash / ParallelHash / KMAC (2016)
  44. Keyak and Ketje
  45. SHA-3 competition (2007 to 2012); BLAKE2; SHA-3 / SHAKE (2015); TupleHash / ParallelHash / KMAC (2016); KangarooTwelve & MarsupilamiFourteen
  46. SHA-3 competition (2007 to 2012); BLAKE2; SHA-3 / SHAKE (2015); TupleHash / ParallelHash / KMAC (2016); KangarooTwelve & MarsupilamiFourteen
  47. github.com/gvanas/KeccakCodePackage
  48. Part II: Strobe
  49. Sponge Construction [diagram repeated: state initialized to 0 0, message XORed (⊕) in with f between blocks (absorbing), output read out with f between reads (squeezing)]
  50. Duplex Construction [diagram: init with state 0 0, then three duplexing steps, each with an input, ⊕, the permutation f and an output]
  51. Symmetric Protocol
        myProtocol = Strobe_init("myWebsite.com")
        myProtocol.KEY(sharedSecret)
        buffer += myProtocol.send_ENC("GET /")
        buffer += myProtocol.send_MAC(len=16)
        // send the buffer
        // receive a ciphertext
        message = myProtocol.recv_ENC(ciphertext[:-16])
        ok = myProtocol.recv_MAC(ciphertext[-16:])
        if !ok {
          // reset the connection
        }
  52. internal operations
        default: state = input ⊕ state
        cbefore: state = input
        cafter: output, state = input ⊕ state
        forceF: the permutation is run before the operation
  53. [diagram: operation = KEY, ⊕]
  54. [diagram: operation = KEY, ⊕, f]
  55. [diagram: operation = KEY, data = 010100…, ⊕, f]
  56. [diagram: operation = KEY, data = 010100…, ⊕, f; operation = send_ENC, data = hello, ⊕, f, ciphertext]
  57. [diagram: operation = AD, data = 010100…, ⊕, ⊕]
  58. [diagram: operation = AD, data = 010100…, ⊕; operation = send_MAC, len = 16, ⊕, f, tag]
  59. [diagram: operation = send_CLR, data = 010100…, ⊕, ⊕]
  60. [diagram: operation = send_CLR, data = 010100…, ⊕; operation = RATCHET, data = 00000, ⊕, f]
  61. Hash Function
        myHash = Strobe_init("hash")
        myHash.AD("something to be hashed")
        hash = myHash.PRF(outputLen=16)
  62. Key Derivation Function
        KDF = Strobe_init("deriving keys")
        KDF.KEY(keyExchangeOutput)
        keys = KDF.PRF(outputLen=32)
        key1 = keys[:16]
        key2 = keys[16:]
  63. strobe.sourceforge.io
  64. Part III: Disco?
  65. Noise + Strobe = Disco: github.com/mimoo/NoiseGo/disco/specification.md
  66. Where to find me: cryptologie.net, twitter.com/lyon01_david
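
Added example (not from the slides or the speaker): the fingerprint ambiguity of slides 34 to 37, where SHA-256(e || N) gives the same value for two different keys while SHAKE(len(e) || e || len(N) || N) does not. The helper names, the 8-byte length prefix and the sample key are assumptions made here; this is a simplified sketch of the idea, not SP 800-185 TupleHash, which is built on cSHAKE with its own string encoding.

```python
import hashlib

def to_bytes(n: int) -> bytes:
    """Minimal big-endian encoding of a non-negative integer."""
    return n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")

def naive_fingerprint(e: int, N: int) -> str:
    # Slide 34: fingerprint = SHA-256(e || N), with no field boundary.
    return hashlib.sha256(to_bytes(e) + to_bytes(N)).hexdigest()

def length_prefix(field: bytes) -> bytes:
    # Fixed-width 8-byte length (assumption), so the prefix itself is unambiguous.
    return len(field).to_bytes(8, "big") + field

def tuple_fingerprint(e: int, N: int, out_len: int = 32) -> str:
    # Slide 37: SHAKE(len(e) || e || len(N) || N).
    data = length_prefix(to_bytes(e)) + length_prefix(to_bytes(N))
    return hashlib.shake_128(data).hexdigest(out_len)

def shifted_boundary(e: int, N: int) -> tuple[int, int]:
    """Return a different (e, N) whose concatenated bytes are identical.

    The first byte of N is moved onto the end of e, as on slides 35-36.
    """
    e_bytes, n_bytes = to_bytes(e), to_bytes(N)
    if e == 0 or len(n_bytes) < 2 or n_bytes[1] == 0:
        raise ValueError("boundary cannot be shifted without changing the bytes")
    e2 = int.from_bytes(e_bytes + n_bytes[:1], "big")
    n2 = int.from_bytes(n_bytes[1:], "big")
    return e2, n2

# Constructed sample values, not a real RSA key.
E = 0x010001
N = 0xA7B3C5D9

if __name__ == "__main__":
    e2, n2 = shifted_boundary(E, N)
    print("keys differ:       ", (E, N) != (e2, n2))
    print("naive collide:     ", naive_fingerprint(E, N) == naive_fingerprint(e2, n2))
    print("length-prefixed ok:", tuple_fingerprint(E, N) != tuple_fingerprint(e2, n2))
```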
