A cryptographic hash function is an algorithm that takes an arbitrary block of data and returns a fixed-size bit string, the (cryptographic) hash value, such that any change to the data will change the hash value. The data to be encoded are often called the "message," and the hash value is sometimes called the message digest or simply digest.
• MD5 MD = 128 (Ron Rivest, 1992)
• SHA-1 MD = 160 (NSA, NIST, 1995)
• SHA-2 MD = 224/256/384/512 (NSA, NIST, 2001)
• SHA-3 MD = arbitrary (Bertoni, Daemen, Peeters, Van Assche, NIST, 20
• Cryptographic hash function, SHA family
• Selected in October 2012 as the winner of the NIST hash function competition
• Not meant to replace SHA-2
• Based on the sponge construction
More general than a hash function: arbitrary-length output
Calls a b-bit permutation f, with b = r + c
• r bits of rate
• c bits of capacity
The duplex construction allows the alternation of input and output blocks at the same rate as the sponge construction, like a full-duplex communication
• High level of parallelism
• Flexibility: bit-interleaving
• Software: competitive on wide range of CPU (also implem. for CUDA)
• Dedicated hardware: very competitive
• Suited for protection against side-channel attack
• Faster than SHA-2 on all modern PC (12.5 cpb on C2D)
• http://keccak.noekeon.org/tune.html
If an attacker has access to one billion computers, each performing one billion evaluations of Keccak-f per second, it would take about 1.6×10^61 years (1.1×10^51 times the estimated age of the universe) to evaluate the permutation 2^288 times
KECCAK-f[r+c]
KECCAK-f[1024+576]
KECCAK-f
In the pseudo-code above, S denotes the state as an array of lanes. The padded message P is organised as an array of blocks Pi, themselves organized as arrays of lanes. The || operator denotes the usual byte string concatenation.
• Currently best attack on KECCAK: 4 rounds
• Sufficient nr. of rounds for security claim on KECCAK: 13 rounds
• KECCAK has 24 rounds (complexity 2^15xx)