Idea Transcript
Keccak speciο¬cations Guido Bertoni1 , Joan Daemen1 , MichaΒ¨el Peeters2 and Gilles Van Assche1 1 STMicroelectronics 2 NXP Semiconductors http://keccak.noekeon.org/ Version 2 β September 10, 2009
Keccak (pronounced [kEtSak]) is a family of hash functions that are based on the sponge construction [1] and use as a building block a permutation from a set of 7 permutations. In this document, we specify these permutations, the Keccak sponge functions and the parameter values we propose for use in our SHA-3 candidates. We also give conventions for bit and byte numbering, for using the arbitrary-long output mode and for naming parts of the Keccak state. These speciο¬cations give all the necessary information to implement the Keccak sponge functions. For more information, and for the reference code, please refer to the Keccak web page given above.
1
1
The Keccak-π permutations
There are 7 Keccak-π permutations, indicated by Keccak-π [π], where π = 25 Γ 2β and β ranges from 0 to 6. Keccak-π [π] is a permutation over π β β€π2 , where the bits of π are numbered from 0 to π β 1. We call π the width of the permutation. Our SHA-3 candidates use Keccak-π [1600]. In the sequel, the permutation Keccak-π [π] is described on a state π that is a threedimensional array of elements of GF(2), namely π[5][5][π€], with π€ = 2β . The mapping between the bits of π and those of π is π [π€(5π¦ + π₯) + π§] = π[π₯][π¦][π§]. The expression π[π₯][π¦][π§] with π₯, π¦ β β€5 and π§ β β€π€ , denotes the bit in position (π₯, π¦, π§). It follows that indexing starts from zero; expressions in the π₯ and π¦ coordinates should be taken modulo 5 and expressions in the π§ coordinate modulo π€. We may sometimes omit the [π§] index, both the [π¦][π§] indices or all three indices, implying that the statement is valid for all values of the omitted indices. Keccak-π [π] is an iterated permutation, consisting of a sequence of πr rounds R, indexed with πr from 0 to πr β 1. A round consists of ο¬ve steps: R = π β π β π β π β π, with
π : π[π₯][π¦][π§] β π[π₯][π¦][π§] +
4 β
β²
π[π₯ β 1][π¦ ][π§] +
π¦ β² =0
4 β
π[π₯ + 1][π¦ β² ][π§ β 1],
π¦ β² =0
π : π[π₯][π¦][π§] β π[π₯][π¦][π§ β (π‘ + 1)(π‘ + 2)/2], ( with π‘ satisfying 0 β€ π‘ < 24 and
π:
π[π₯][π¦]
π:
π[π₯]
π:
π
0 1 2 3
)π‘ ( ) ( ) 1 π₯ = in GF(5)2Γ2 , 0 π¦
or π‘ = β1 if π₯ = π¦ = 0, ) ( β²) ( ) ( π₯ 0 1 π₯ β² β² , = β π[π₯ ][π¦ ], with π¦β² 2 3 π¦ β π[π₯] + (π[π₯ + 1] + 1)π[π₯ + 2], β π + RC[πr ].
The additions and multiplications between the terms are in GF(2). With the exception of the value of the round constants RC[πr ], these rounds are identical. The round constants are given by (with the ο¬rst index denoting the round number) RC[πr ][0][0][2π β 1] = rc[π + 7πr ] for all 0 β€ π β€ β, and all other values of RC[πr ][π₯][π¦][π§] are zero. The values rc[π‘] β GF(2) are deο¬ned as the output of a binary linear feedback shift register (LFSR): ( ) rc[π‘] = π₯π‘ mod π₯8 + π₯6 + π₯5 + π₯4 + 1 mod π₯ in GF(2)[π₯]. The number of rounds πr is determined by the width of the permutation, namely, πr = 12 + 2β.
2
2
The Keccak sponge functions
We obtain a Keccak[π, π, π] sponge function, with parameters capacity π, bitrate π and diversiο¬er π, if we apply the sponge construction as described in [1], to Keccak-π [π + π] and by applying a speciο¬c padding to the input. This is speciο¬ed in Algorithm 1, where β£β£ denotes concatenation, β bitwise addition of strings of equal length and βπ βπ truncation of string π to its ο¬rst π bits. Algorithm 1 Keccak[π, π, π] Input π β β€β2 Output π β β€β2 π = pad(π, 8)β£β£enc(π, 8)β£β£enc(π/8, 8) π = pad(π, π) Let π = π0 β£β£π1 β£β£ . . . β£β£πβ£π β£β1 with ππ β β€π2 π = 0π+π for π = 0 to β£π β£ β 1 do π = π β (ππ β£β£0π ) π = Keccak-π [π + π](π ) end for π = empty string while output is requested do π = πβ£β£βπ βπ π = Keccak-π [π + π](π ) end while It makes use of the following functions: β pad(π, π) returns a bit string obtained by appending to the bit string π a single 1 and the smallest number of zeroes such that the length is a multiple of π. β enc(π₯, π) returns a string of π bits coding the integer π₯, from the least signiο¬cant β bit to π the most signiο¬cant bit, i.e., it returns the string π₯0 , π₯1 , . . . , π₯πβ1 when π₯ = πβ1 π=0 π₯π 2 . This speciο¬es Keccak[π, π, π] for any combination of π > 0 that is a multiple of 8 and π such that π + π is a width supported by the Keccak-π permutations and any integer value of π in the range [0, 28 β 1]. The default value for π is 0 and the default values for π and π are 1024 and 576 respectively. Hence we have: β Keccak[π, π] β Keccak[π, π, π = 0], β Keccak[] β Keccak[π = 1024, π = 576]. Initially, the state has value 0π , called the root state. The root state has a ο¬xed value and shall never be considered as an input. This is crucial for the security of the sponge construction.
3
3
Security claim for the Keccak sponge functions
To simplify our claim, we ο¬rst deο¬ne the notion of shortcut attack: Deο¬nition 1. An attack on a speciο¬c sponge function is a shortcut attack if the expected success probability is higher when mounted on that speciο¬c function than it would be on a random oracle for a given attack workload. Here the workload of an attack on a sponge function shall be expressed in terms of the number of calls to the underlying function π , while the cost of an attack on a random oracle is the sum of the workload of all queries sent to the random oracle by the attacker. The workload depends on the padding and on the bitrate. Deο¬nition 2. In the case of Keccak[π, π, π], the workload of a single query with input length π and requesting π output bits is given by β β βπβ 8β 8π β + 24 + calls. π π For each of the supported parameter values, we make a ο¬at sponge claim [1]. Claim 1. The expected success probability of any shortcut attack against Keccak[π, π, π] with a workload equivalent to π calls to Keccak-π [π + π] or its inverse shall be smaller than or equal to ) ( 1 β exp βπ (π + 1)2β(π+1) . We exclude here weaknesses due to the mere fact that Keccak-π [π + π] can be described compactly and can be eο¬ciently executed, e.g., the so-called random oracle implementation impossibility. Note that the claimed capacity is equal to the capacity used by the sponge construction.
4
The Keccak candidates for SHA-3
Our candidates are: 1. SHA3-224: βKeccak[π = 1152, π = 448, π = 28]β224 2. SHA3-256: βKeccak[π = 1088, π = 512, π = 32]β256 3. SHA3-384: βKeccak[π = 832, π = 768, π = 48]β384 4. SHA3-512: βKeccak[π = 576, π = 1024, π = 64]β512 However, we recommend using Keccak[] (with default parameters), where the output is truncated by the user at any desired output length, and up to the security claim of Section 3. See also Section 5.2.
4
5
Conventions
5.1
Bit and byte numbering
In this section, we detail the mapping between the bits of the input to the Keccak sponge functions, and their representation in the SHA-3 API deο¬ned by NIST [2]. The bits of the input message π are numbered from π = 0 to π = β£π β£ β 1. When the bits are gathered in bytes, it implies the equivalent numbering π = πbit + 8πbyte with 0 β€ πbit < 8. In our internal convention, πbit = 0 indicates the least signiο¬cant bit (LSB) of a byte while πbit = 7 indicates the most signiο¬cant one (MSB). The NIST convention [2] is diο¬erent: The bits of a byte are numbered from 0 for the MSB to 7 for the LSB. To be compatible with the API convention outside and with our convention inside, the following formal bit-reordering is performed on the input bit string π before it is processed: β For all bytes that contain 8 bits, position πbit +8πbyte is mapped to position 7βπbit +8πbyte . β For the last byte if it contains π < 8 bits, position πbit + 8πbyte is mapped to position (π β 1) β πbit + 8πbyte . This mapping is bijective and does not aο¬ect the security. In practice, the above operation cancels with the change of convention, so there is nothing to do, except: β For the last byte if it contains π < 8 bits, the bits are shifted by 8 β π positions towards the LSB (i.e., to the βrightβ).
5.2
Extending the API for arbitrarily-long output
The Keccak[] sponge function can produce an arbitrarily-long bit string. To enable this, we have made the following additions to the API [2]. In the Init function, the hashbitlen parameter can be set to 224, 256, 384 or 512 to select the parameters as speciο¬ed in Section 4, with a ο¬xed output length. If the hashbitlen parameter is set to 0, the arbitrarily-long output mode is activated. To use the arbitrarily-long output mode, the following sequence of calls needs to be made. β First, Init is called with hashbitlen=0. This selects the Keccak[] sponge function. β The input data is processed as usual with the Update function. β The Finalize function indicates that the whole input message has been fetched (i.e., it switches the sponge to the squeezing phase [1]). This function has to be called, but the hashval parameter is ignored, as no output is generated yet. This parameter can safely be set to 0 (the null pointer). β The output is then generated by calling the Squeeze function as many times as desired.
5
HashReturn Squeeze(hashState *state, BitSequence *output, DataLength outputLength); β Parameters: β state: a structure that holds the hashState information β output: the storage for output to be returned β outputLength: the length, in bits, of the output to produce; must be a multiple of 8 β Returns: β SUCCESS β on success
5.3
Parts of the state
In this subsection, we wish to deο¬ne names of parts of the Keccak-π state, as illustrated in Figure 1. This section is not, as such, needed to implement the Keccak sponge functions. Nevertheless, it may help use a common terminology when analyzing or describing properties of Keccak-π . The one-dimensional parts are: β A row is a set of 5 bits with constant π¦ and π§ coordinates. β A column is a set of 5 bits with constant π₯ and π§ coordinates. β A lane is a set of π€ bits with constant π₯ and π¦ coordinates. The two-dimensional parts are: β A sheet is a set of 5π€ bits with constant π₯ coordinate. β A plane is a set of 5π€ bits with constant π¦ coordinate. β A slice is a set of 25 bits with constant π§ coordinate.
6
Change log β The number of rounds of Keccak-π has changed from 12 + β to 12 + 2β. β The capacity and bitrate of the four ο¬xed-output-length candidates has been changed. Now for each of them the capacity is equal to twice the output length.
References [1] G. Bertoni, J. Daemen, M. Peeters, and G. Van Assche, Sponge functions, Ecrypt Hash Workshop 2007, May 2007, also available as public comment to NIST from http://www. csrc.nist.gov/pki/HashWorkshop/Public_Comments/2007_May.html. [2] NIST, ANSI C cryptographic API proο¬le for SHA-3 candidate algorithm submissions, revision 5, February 2008, available from http://csrc.nist.gov/groups/ST/hash/sha-3/ Submission_Reqs/crypto_API.html.
6
Figure 1: Naming conventions for parts of the Keccak-π state
7