SHA-3

SHA-3

General
Designers	Guido Bertoni, Joan Daemen, Michaël Peeters and Gilles Van Assche.
Certification	SHA-3 winner
Detail
Digest sizes	arbitrary
Speed	12.5 cpb on Core 2 [r=1024,c=576].

As of March 2013^[update], NIST has not yet updated Secure Hash Standard (SHS) for SHA-3. Content of this article are subject to change once the final standard is published.

SHA-3, originally known as Keccak (/ˈkætʃæk/, or /kɛtʃɑːk/),^[1][2] is a cryptographic hash function designed by Guido Bertoni, Joan Daemen, Michaël Peeters, and Gilles Van Assche, building upon RadioGatún.

On October 2, 2012, Keccak was selected as the winner of the NIST hash function competition.^[1] SHA-3 is not meant to replace SHA-2, as no significant attack on SHA-2 has been demonstrated. Because of the successful attacks on MD5, SHA-0 and theoretical attacks on SHA-1, NIST perceived a need for an alternative, dissimilar cryptographic hash, which became SHA-3.

SHA-3 uses the sponge construction^[3][4] in which message blocks are XORed into the initial bits of the state, which is then invertibly permuted. In the version used in SHA-3, the state consists of a 5×5 array of 64-bit words, 1600 bits total. The authors claim 12.5 cycles per byte^[5] on an Intel Core 2 CPU. However, in hardware implementations it is notably faster than all other finalists.^[6]

Keccak's authors have proposed additional, not-yet-standardized uses for the function, including an authenticated encryption system and a "tree" hash for faster hashing on certain architectures.^[7] Keccak is also defined for smaller power-of-2 word sizes w down to 1 bit (25 bits total state). Small state sizes can be used to test cryptanalytic attacks, and intermediate state sizes (e.g., from w=4, 100 bits, to w=32, 800 bits) could potentially provide practical, lightweight, alternatives.

The block permutation

This is defined for any power-of-two word size, w = 2^ℓ bits. The main SHA-3 submission uses 64-bit words, ℓ = 6.

The state can be considered to be a 5×5×w array of bits. Let a[i][j][k] be bit (i×5 + j)×w + k of the input, using a little-endian convention. Index arithmetic is performed modulo 5 for the first two dimensions and modulo w for the third.

The basic block permutation function consists of 12+2ℓ iterations of five sub-rounds, each individually very simple:

θ

Compute the parity of each of the 5×w (320, when w = 64) 5-bit columns, and exclusive-or that into two nearby columns in a regular pattern. To be precise, a[i][j][k] ⊕= parity(a[0..4][j−1][k]) ⊕ parity(a[0..4][j+1][k−1])

ρ

Bitwise rotate each of the 25 words by a different triangular number 0, 1, 3, 6, 10, 15, …. To be precise, a[0][0] is not rotated, and for all 0≤t<24, a[i][j][k] = a[i][j][k−(t+1)(t+2)/2], where .

π

Permute the 25 words in a fixed pattern. a[j][2i+3j] = a[i][j]

χ

Bitwise combine along rows, using a = a ⊕ (¬b & c). To be precise, a[i][j][k] ⊕= ¬a[i][j+1][k] & a[i][j+2][k]. This is the only non-linear operation in SHA-3.

ι

Exclusive-or a round constant into one word of the state. To be precise, in round n, for 0≤m≤ℓ, a[0][0][2^m−1] is exclusive-ORed with bit m+7n of a degree-8 LFSR sequence. This breaks the symmetry that is preserved by the other sub-rounds.

Hashing variable-length messages

The sponge construction for hash functions. p_i are input, z_i are hashed output. The unused "capacity" c should be twice the desired resistance to collision or preimage attacks.

SHA-3 uses the "sponge construction", where input is "absorbed" into the hash state at a given rate, then an output hash is "squeezed" from it at the same rate.

To absorb r bits of data, the data is XORed into the leading bits of the state, and the block permutation is applied. To squeeze, the first r bits of the state are produced as output, and the block permutation is applied if additional output is desired.

Central to this is the "capacity" of the hash function, which is the c=25w−r state bits that are not touched by input or output. This can be adjusted based on security requirements, but the SHA-3 proposal sets a conservative c=2n, where n is the size of the output hash. Thus r, the number of message bits processed per block permutation, depends on the output hash size. The rate r is 1152, 1088, 832, or 576 (144, 136, 104 and 72 bytes) for 224, 256, 384 and 512-bit hash sizes, respectively, when w is 64.

To ensure the message can be evenly divided into r-bit blocks, it is padded with the bit pattern 10^*1: a 1 bit, zero or more 0 bits (maximum r−1), and a final 1 bit. The final 1 bit is required because the sponge construction security proof requires that the rate is encoded in the final block.

To compute a hash, initialize the state to 0, pad the input, and break it into r-bit pieces. Absorb the input into the state; that is, for each piece, XOR it into the state and then apply the block permutation.

After the final block permutation, the leading n bits of the state are the desired hash. Because r is always greater than n, there is actually never a need for additional block permutations in the squeezing phase. However, arbitrary output length may be useful in applications such as optimal asymmetric encryption padding. In this case, n is a security parameter rather than the output size.

Although not part of the SHA-3 competition requirements, smaller variants of the block permutation can be used, for hash output sizes up to half their state size, if the rate r is limited appropriately. For example, a 256-bit hash can be computed using 25 32-bit words if r = 800−2×256 = 288 (36 bytes per iteration).

Tweaks

Throughout the NIST hash function competition, entrants are permitted to "tweak" their algorithms to address issues that are discovered. Changes that have been made to Keccak are:

• The number of rounds was increased from 12+ℓ to 12+2ℓ to be more conservative about security.
• The message padding was changed from a more complex scheme to the simple 10^*1 pattern described above.
• The rate r was increased to the security limit, rather than rounding down to the nearest power of 2.

Examples of SHA-3 (Keccak) variants

Note: Pending the standardization of SHA-3, there is no specification of particular SHA-3 functions yet.

Hash values of empty string.

Keccak-224("")
0x f71837502ba8e10837bdd8d365adb85591895602fc552b48b7390abd
Keccak-256("")
0x c5d2460186f7233c927e7db2dcc703c0e500b653ca82273b7bfad8045d85a470
Keccak-384("")
0x 2c23146a63a29acf99e73b88f8c24eaa7dc60aa771780ccc006afbfa8fe2479b2dd2b21362337441ac12b515911957ff
Keccak-512("")
0x 0eab42de4c3ceb9235fc91acffe746b29c29a8c366b7c60e4e67c466f36a4304c00fa9caf9d87976ba469bcbe06713b435f091ef2769fb160cdab33d3670680e

Even a small change in the message will (with overwhelming probability) result in a mostly different hash, owing to the avalanche effect. For example, adding a period to the end of the sentence:

Keccak-224("The quick brown fox jumps over the lazy dog")
0x 310aee6b30c47350576ac2873fa89fd190cdc488442f3ef654cf23fe
Keccak-224("The quick brown fox jumps over the lazy dog.")
0x c59d4eaeac728671c635ff645014e2afa935bebffdb5fbd207ffdeab

Keccak-256("The quick brown fox jumps over the lazy dog")
0x 4d741b6f1eb29cb2a9b9911c82f56fa8d73b04959d3d9d222895df6c0b28aa15
Keccak-256("The quick brown fox jumps over the lazy dog.")
0x 578951e24efd62a3d63a86f7cd19aaa53c898fe287d2552133220370240b572d

Keccak-384("The quick brown fox jumps over the lazy dog")
0x 283990fa9d5fb731d786c5bbee94ea4db4910f18c62c03d173fc0a5e494422e8a0b3da7574dae7fa0baf005e504063b3
Keccak-384("The quick brown fox jumps over the lazy dog.")
0x 9ad8e17325408eddb6edee6147f13856ad819bb7532668b605a24a2d958f88bd5c169e56dc4b2f89ffd325f6006d820b

Keccak-512("The quick brown fox jumps over the lazy dog")
0x d135bb84d0439dbac432247ee573a23ea7d3c9deb2a968eb31d47c4fb45f1ef4422d6c531b5b9bd6f449ebcc449ea94d0a8f05f62130fda612da53c79659f609
Keccak-512("The quick brown fox jumps over the lazy dog.")
0x ab7192d2b11f51c7dd744e7b3441febf397ca07bf812cceae122ca4ded6387889064f8db9230f173f6d1ab6e24b6e50f065b039f799f5592360a6558eb52d760

References

1. "NIST Selects Winner of Secure Hash Algorithm (SHA-3) Competition". NIST. Retrieved 2012-10-02. 
2. "The Keccak sponge function family: Specifications summary". Retrieved 2011-05-11. 
3. "Sponge Functions". Ecrypt Hash Workshop 2007. 
4. "On the Indifferentiability of the Sponge Construction". EuroCrypt 2008. 
5. Keccak implementation overview Version 3.2 http://keccak.noekeon.org/Keccak-implementation-3.2.pdf
6. Guo, Xu; Huang, Sinan; Nazhandali, Leyla; Schaumont, Patrick (Aug. 2010), "Fair and Comprehensive Performance Evaluation of 14 Second Round SHA-3 ASIC Implementations", NIST 2nd SHA-3 Candidate Conference: 12, retrieved 2011-02-18  Keccak is second only to Luffa, which did not advance to the final round.
7. NIST, Third-Round Report of the SHA-3 Cryptographic Hash Algorithm Competition, sections 5.1.2.1 (mentioning "tree mode"), 6.2 ("other features", mentioning authenticated encryption), and 7 (saying "extras" may be standardized in the future)

External links

• The Keccak web site
• A Cryptol implementation of Keccak
• A VHDL source codes developed in the Cryptographic Engineering Research Group (CERG) at George Mason University
• Erlang NIF implementation based on the NIST reference code