SHA-3

SHA -3 is a cryptographic hash function SHA family, which was developed by Guido Bertoni, Joan Daemen, Michaël Peeters and Gilles Van Assche under the name Keccak [ kɛtʃak ]. Keccak 2012 was commissioned by the U.S. NIST announced as the winner of the SHA -3 competition and is standardized as an alternative to SHA -2.

Prehistory

In 2004, there were several breakthroughs in attacks against at that time widespread hash functions such as MD5 (practical collisions) and SHA -1 ( theoretical collision at great expense ). Although there was the SHA -2 family, against which there is currently no practical relevance attacks, yet the need was for a new standard for cryptographic hash functions, which takes into account the current research.

Similar to the symmetric cryptosystem Advanced Encryption Standard (AES), NIST organized a competition. 64 teams of cryptographers submitted proposals. 14 candidates were selected for round two. In December 2010, the five finalists were announced: Skein, BLAKE, Grøstl, Keccak and JH. On October 2, 2012 Keccak was declared the winner. The algorithm has since been referred to as SHA -3.

Operation

Keccak uses an initialized with 0 state vector of 25 words, each bit. Value is a parameter of the procedure. The state vector is thus bits long. The second parameter is the bit length n of the desired hash value. In the version submitted to the SHA -3 competition, and the length of the hash value can be 224-512 bits.

The message is divided into portions of r bits in length (with or ) after it has been by adding the bit string ( with zeros up ) extended to a multiple of the length r.

The procedure processes the message gradually. In each step is an r -bit portion of the message with the R bit of the state vector is XORed, and then the values ​​of the state vector are permuted. This is done similar to a typical block cipher, except that the permutation is not here dependent on a key. To a round function is applied to the state vector time. After the last step of the n-bit state vector may be used as a hash value, is appropriate. Otherwise, the bits of the hash value are removed in several steps, a maximum of r bit in each step, and in between, the permutation of the state values ​​is performed again.

The value is the so-called capacity the length of the portion of the state vector, the remaining unaffected in the XORing with the message sections, and during the removal of the hash value. From the capacitance results in an upper limit for the safety of the procedure against collision and pre-image attacks. In order to be conservative in terms of safety, the developers have set the capacity to double the length of the hash value.

Criticism

The four versions of the submitted to the SHA -3 competition algorithm Keccak saw output lengths of 224 bit, 256 bit, 384 bit and 512 bit ago, resulting in a security against collision attacks of 112, 128, 192 and 256 bits, due to the birthday paradox. The NIST employee John Kelsey explained in August 2013 at the " Workshop on Cryptographic Hardware and Embedded Systems 2013 " ( CHES 2013), that the NIST only the two levels of security wanted to standardize 128 bit and 256 bit. Further changes were made to the parameters that increase the speed of execution, according to NIST as part of the standardization process. Some researchers have criticized that this affects the security and it would not also be there for the already well-studied, the original algorithm. In the presentation, it is proposed to halve the capacity c, because a pre-image attack on Sponge constructions as Keccak then be as difficult as a collision attack. This change is substantial, but the original safety margin is generally chosen to be very conservative.

A criticism of the winner himself is that he - implemented in software has a lower performance - compared to the other finalists. It was the accusation loud that NIST would put his attention too much on implementations in hardware.

470529
de