{{notice|{{As of | 2014 | January }}, [[NIST]] has not yet updated the [[Secure Hash Standard]] (SHS) for SHA-3. The content of this article is subject to change once the final standard is published; NIST's tentative timeline projected a draft for 2013 Q3 and a final standard by 2014 Q2.<ref name="nist_fips_timeline">{{cite web|url=http://csrc.nist.gov/groups/ST/hash/sha-3/timeline_fips.html|title=Tentative SHA-3 standard (FIPS XXX) development timeline|publisher=[[NIST]]|accessdate=2014-01-02}}</ref>}}
{{Infobox cryptographic hash function
| name = SHA-3<br/>(Keccak)
| image =
| caption =
<!-- General -->
| designers = [[Guido Bertoni]], [[Joan Daemen]], [[Michaël Peeters]], and [[Gilles Van Assche]]
| publish date =
| series =
| derived from = [[RadioGatún]]
| derived to =
| related to =
| certification = [[NIST hash function competition|SHA-3 winner]]
<!-- Detail -->
| digest size = arbitrary
| structure = [[Sponge function|sponge construction]]
| rounds = 24
| speed = 12.5 [[cycles per byte|cpb]] on [[Intel Core 2|Core 2]] [r=1024, c=576]
| cryptanalysis =
}}

'''SHA-3''', originally known as '''Keccak''' ({{IPAc-en|ˈ|k|æ|t|ʃ|æ|k|}}, or {{IPAc-en|k|ɛ|t|ʃ|ɑː|k|}}),<ref name="nist" /><ref>{{cite web|title=The Keccak sponge function family: Specifications summary |url=http://keccak.noekeon.org/specs_summary.html |accessdate=2011-05-11|authors=Guido Bertoni, Joan Daemen, Michaël Peeters and Gilles Van Assche}}</ref> is a [[cryptographic hash function]] designed by [[Guido Bertoni]], [[Joan Daemen]], [[Michaël Peeters]], and [[Gilles Van Assche]], building upon [[RadioGatún]].

On October 2, 2012, Keccak was selected as the winner of the [[NIST hash function competition]].<ref name="nist">{{cite web|url=http://www.nist.gov/itl/csd/sha-100212.cfm|title=NIST Selects Winner of Secure Hash Algorithm (SHA-3) Competition|date=2012-10-02|publisher=[[NIST]]|accessdate=2012-10-02}}</ref> SHA-3 is not meant to replace [[SHA-2]], as no significant attack on SHA-2 has been demonstrated. Because of the successful attacks on [[MD5]] and [[SHA-0]] and the theoretical attacks on [[SHA-1]], [[NIST]] perceived a need for an alternative, dissimilar cryptographic hash, which became SHA-3.

SHA-3 uses the [[Sponge function|sponge construction]]<ref>{{cite web |url=http://sponge.noekeon.org/ |title=Sponge Functions |publisher=Ecrypt Hash Workshop 2007 |authors=Guido Bertoni, Joan Daemen, Michaël Peeters and Gilles Van Assche}}</ref><ref>{{cite web |url=http://sponge.noekeon.org/ |title=On the Indifferentiability of the Sponge Construction |publisher=EuroCrypt 2008 |authors=Guido Bertoni, Joan Daemen, Michaël Peeters and Gilles Van Assche}}</ref> in which message blocks are [[XOR]]ed into the initial bits of the state, which is then invertibly permuted. In the version used in SHA-3, the state consists of a 5×5 array of 64-bit words, 1600 bits total. The authors claim 12.5 [[cycles per byte]]<ref>Keccak implementation overview Version 3.2 http://keccak.noekeon.org/Keccak-implementation-3.2.pdf</ref> on an [[Intel Core 2]] CPU (for ''r'' = 1024, ''c'' = 576). In [[Application-specific integrated circuit|hardware implementations]], however, it is notably faster than all other finalists.<ref>{{Citation |title=Fair and Comprehensive Performance Evaluation of 14 Second Round SHA-3 ASIC Implementations |url=http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SCHAUMONT_SHA3.pdf |first1=Xu |last1=Guo |first2=Sinan |last2=Huang |first3=Leyla |last3=Nazhandali |first4=Patrick |last4=Schaumont |journal=NIST 2nd SHA-3 Candidate Conference |date=Aug 2010 |accessdate=2011-02-18 |page=12}} Keccak is second only to Luffa, which did not advance to the final round.</ref>

Keccak's authors have proposed additional, not-yet-standardized uses for the function, including an [[authenticated encryption]] system and a "tree" hash for faster hashing on certain architectures.<ref>NIST, [http://nvlpubs.nist.gov/nistpubs/ir/2012/NIST.IR.7896.pdf Third-Round Report of the SHA-3 Cryptographic Hash Algorithm Competition], sections 5.1.2.1 (mentioning "tree mode"), 6.2 ("other features", mentioning authenticated encryption), and 7 (saying "extras" may be standardized in the future)</ref> Keccak is also defined for smaller power-of-2 word sizes ''w'' down to 1 bit (25 bits total state). Small state sizes can be used to test cryptanalytic attacks, and intermediate state sizes (e.g., from ''w''=4, 100 bits, to ''w''=32, 800 bits) could potentially provide practical, lightweight alternatives.

==The block permutation==

This is defined for any power-of-two [[Word (computer architecture)|word]] size, ''w'' = 2<sup>ℓ</sup> bits. The main SHA-3 submission uses 64-bit words, ℓ = 6.

The state can be considered to be a 5×5×''w'' array of bits. Let ''a''[''i''][''j''][''k''] be bit (''i''×5 + ''j'')×''w'' + ''k'' of the input, using a [[Endianness|little-endian]] convention. Note that this swaps the first two indexes relative to the description in the Keccak paper: the paper's coordinates (''x'', ''y'') are this article's (''j'', ''i''), so ''i'' selects a row and ''j'' a column. Index arithmetic is performed modulo 5 for the first two dimensions and modulo ''w'' for the third.

The basic block permutation function consists of 12+2ℓ iterations (24 rounds for ''w'' = 64) of five sub-rounds, each individually very simple:

; ''θ''
: Compute the [[Parity (mathematics)|parity]] of each of the 5×''w'' (320, when ''w'' = 64) 5-bit columns, and exclusive-or that into two nearby columns in a regular pattern. To be precise, let ''C''[''j''][''k''] = ''a''[0][''j''][''k''] ⊕ ''a''[1][''j''][''k''] ⊕ ''a''[2][''j''][''k''] ⊕ ''a''[3][''j''][''k''] ⊕ ''a''[4][''j''][''k''] be the parity of column ''j'' at bit position ''k''; then, for every ''i'', ''a''[''i''][''j''][''k''] ⊕= ''C''[''j''−1][''k''] ⊕ ''C''[''j''+1][''k''−1].

; ''ρ''
: [[Circular shift|Bitwise rotate]] each of the 25 words by a different [[triangular number]] 0, 1, 3, 6, 10, 15, .... To be precise, ''a''[0][0] is not rotated, and for all 0≤''t''<24, ''a''[''i''][''j''][''k''] = ''a''[''i''][''j''][''k''−(''t''+1)(''t''+2)/2], where <math>\begin{pmatrix} i \\ j \end{pmatrix} = \begin{pmatrix} 3 & 2 \\ 1 & 0 \end{pmatrix}^t \begin{pmatrix} 0 \\ 1 \end{pmatrix}</math>. The rotation amounts are taken modulo ''w''.

; ''π''
: Permute the 25 words in a fixed pattern. ''a''[3''i''+2''j''][''i''] = ''a''[''i''][''j'']; that is, the word at row ''i'', column ''j'' moves to row 3''i''+2''j'', column ''i''. (In the Keccak paper's (''x'', ''y'') coordinates this is ''a''[''y''][2''x''+3''y''] = ''a''[''x''][''y''].)

; ''χ''
: Bitwise combine along rows, using ''a'' = ''a'' ⊕ (¬''b'' & ''c''). To be precise, ''a''[''i''][''j''][''k''] ⊕= ¬''a''[''i''][''j''+1][''k''] & ''a''[''i''][''j''+2][''k'']. This is the only non-linear operation in SHA-3.

; ''ι''
: Exclusive-or a round constant into one word of the state. To be precise, in round ''n'', for 0≤''m''≤ℓ, ''a''[0][0][2<sup>''m''</sup>−1] is exclusive-ORed with bit ''m''+7''n'' of a degree-8 [[LFSR]] sequence (feedback polynomial ''x''<sup>8</sup> + ''x''<sup>6</sup> + ''x''<sup>5</sup> + ''x''<sup>4</sup> + 1, whose first output bit is 1). This breaks the symmetry that is preserved by the other sub-rounds.

==Hashing variable-length messages==

[[Image:SpongeConstruction.svg|thumb|upright=1.35|right|alt=Illustration of the sponge construction |The sponge construction for hash functions. p<sub>i</sub> are input, z<sub>i</sub> are hashed output. The unused "capacity" c should be twice the desired resistance to [[Collision attack|collision]] or [[preimage attack]]s.]] SHA-3 uses the "sponge construction", where input is "absorbed" into the hash state at a given rate, then an output hash is "squeezed" from it at the same rate.

To absorb ''r'' bits of data, the data is XORed into the leading bits of the state, and the block permutation is applied. To squeeze, the first ''r'' bits of the state are produced as output, and the block permutation is applied if additional output is desired.

Central to this is the "capacity" of the hash function, which is the ''c''=25''w''−''r'' state bits that are not touched by input or output. This can be adjusted based on security requirements, but the SHA-3 proposal sets a conservative ''c''=2''n'', where ''n'' is the size of the output hash. Thus ''r'', the number of message bits processed per block permutation, depends on the output hash size. The NIST submission sets the rate ''r'' as 1152, 1088, 832, or 576 bits (144, 136, 104 and 72 bytes) for 224-, 256-, 384- and 512-bit hash sizes, respectively. At [[RSA Conference]] 2013, and then at [[Workshop on Cryptographic Hardware and Embedded Systems|CHES]] 2013, [[John Kelsey (cryptanalyst)|John Kelsey]] of NIST announced<ref name="rsa2013">{{cite web |url=http://csrc.nist.gov/groups/ST/hash/sha-3/documents/burr_dimacs2013_presentation.pdf |title=SHA3, Where We've Been, Where We're Going |publisher=RSA Conference 2013 |author=John Kelsey}}</ref><ref name="ches2013">{{cite web |url=https://docs.google.com/file/d/0BzRYQSHuuMYOQXdHWkRiZXlURVE |title=SHA3, Past, Present, and Future |publisher=CHES 2013 |author=John Kelsey}}</ref> that the capacity is likely to be lowered to 256 bits for the 224- and 256-bit variants, and to 512 bits for the 384- and 512-bit variants. Thus, the preimage and collision resistances would be set to the same level (''c''/2, i.e. 128 and 256 bits respectively). The 224/384-bit variants would be truncated versions of the 256/512-bit variants, similarly to the SHA-2 family. NIST also considers standardizing other usage modes of Keccak.

To ensure the message can be evenly divided into ''r''-bit blocks, padding is required. The submission proposes the bit pattern 10<sup>*</sup>1: a 1 bit, zero or more 0 bits (maximum ''r''−1), and a final 1 bit. The final 1 bit always lands in the last position of a block, so the padded message depends on ''r''; the sponge construction security proof requires this so that instances with different rates behave as independent functions ("multi-rate padding"). This padding might be changed in the final SHA-3 standard to match the padding of Sakura, a tree hashing scheme proposed by the Keccak authors.

To compute a hash, initialize the state to 0, pad the input, and break it into ''r''-bit pieces. Absorb the input into the state; that is, for each piece, XOR it into the state and then apply the block permutation.

After the final block permutation, the leading ''n'' bits of the state are the desired hash. Because ''r'' is always greater than ''n'' for the proposed parameters, there is never a need for additional block permutations in the squeezing phase. However, arbitrary output length may be useful in applications such as [[optimal asymmetric encryption padding]]. In this case, ''n'' is a security parameter rather than the output size.

Although not part of the SHA-3 competition requirements, smaller variants of the block permutation can be used, for hash output sizes up to half their state size, if the rate ''r'' is limited appropriately. For example, a 256-bit hash can be computed using 25 32-bit words if ''r'' = 800−2×256 = 288 (36 bytes per iteration).
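The following Python program is an added worked example written for this article; it is not the Keccak team's reference code. It builds the block permutation exactly as described in the two sections above (θ, ρ, π, χ, ι, with the round constants generated from the degree-8 LFSR and the rotation offsets from the triangular-number walk), using this article's ''a''[''i''][''j''] row/column indexing, and wraps it in the sponge with 10<sup>*</sup>1 padding and the submission's ''c''=2''n'' parameters. Run as-is it reproduces the Keccak-''n''("") values listed in the examples section. The <code>suffix</code> parameter is an addition for illustrating domain separation: 0x01 is the plain submission padding (Keccak-''n''), while 0x06 and 0x1F are the bytes that the later FIPS 202 standard (published August 2015, after this article's snapshot) places in front of the same 10<sup>*</sup>1 padding for SHA3-''n'' and for the SHAKE output functions respectively. Only ''w'' = 64 has been checked against known vectors; the smaller widths (8, 16, 32) follow the definitions in the text but are not verified against published values.

```python
"""Keccak-f[25w] and the Keccak sponge, built from the description in the text.
Lanes are indexed a[i][j] as in the article: row i (the paper's y), column j (the
paper's x); bit k of lane a[i][j] is bit (5*i + j)*w + k of the state.
Added example for this article, not the Keccak team's reference implementation."""
from functools import lru_cache


@lru_cache(maxsize=None)
def tables(w):
    """Round constants and rho offsets for lane width w = 2**l, w in {8, 16, 32, 64}."""
    l = w.bit_length() - 1
    rounds = 12 + 2 * l

    def lfsr_bit(t):
        # bit t of the degree-8 LFSR sequence, polynomial x^8 + x^6 + x^5 + x^4 + 1
        r = 1
        for _ in range(t):
            r <<= 1
            if r & 0x100:
                r ^= 0x171
        return r & 1

    # iota: bit 2**m - 1 of RC[n] is LFSR bit m + 7n, for 0 <= m <= l
    rc = []
    for n in range(rounds):
        v = 0
        for m in range(l + 1):
            v |= lfsr_bit(m + 7 * n) << ((1 << m) - 1)
        rc.append(v)

    # rho: triangular offsets along the walk (i, j) <- (3i + 2j, i) from (0, 1); a[0][0] stays
    rho = [[0] * 5 for _ in range(5)]
    i, j = 0, 1
    for t in range(24):
        rho[i][j] = ((t + 1) * (t + 2) // 2) % w
        i, j = (3 * i + 2 * j) % 5, i
    return rounds, rc, rho


def keccak_f(a, w=64):
    """One application of the block permutation to a 5x5 list of w-bit lanes."""
    rounds, rc, rho = tables(w)
    mask = (1 << w) - 1

    def rotl(v, n):
        return ((v << n) | (v >> (w - n))) & mask if n else v

    for n in range(rounds):
        # theta: column parity C[j]; XOR C[j-1] and rot(C[j+1], 1) into every lane of column j
        c = [a[0][j] ^ a[1][j] ^ a[2][j] ^ a[3][j] ^ a[4][j] for j in range(5)]
        d = [c[(j - 1) % 5] ^ rotl(c[(j + 1) % 5], 1) for j in range(5)]
        a = [[a[i][j] ^ d[j] for j in range(5)] for i in range(5)]
        # rho then pi: rotate each lane, then move a[i][j] to row 3i+2j, column i
        b = [[0] * 5 for _ in range(5)]
        for i in range(5):
            for j in range(5):
                b[(3 * i + 2 * j) % 5][i] = rotl(a[i][j], rho[i][j])
        # chi: along each row, a[i][j] ^= ~a[i][j+1] & a[i][j+2] (the only non-linear step)
        a = [[b[i][j] ^ (~b[i][(j + 1) % 5] & b[i][(j + 2) % 5]) for j in range(5)]
             for i in range(5)]
        # iota: round constant into lane a[0][0]
        a[0][0] ^= rc[n]
    return a


def keccak(data, out_bits, capacity=None, w=64, suffix=0x01):
    """Sponge over Keccak-f[25w] with 10*1 padding; returns out_bits/8 bytes.

    capacity defaults to 2*out_bits (the submission's c = 2n); rate r = 25w - c.
    suffix is the byte carrying the first '1' of the pad: 0x01 is plain 10*1 as
    submitted (Keccak-n). The values 0x06 (SHA3-n) and 0x1F (SHAKE128/256, with
    c = 256/512) are what FIPS 202 later prepends to the same padding.
    """
    if capacity is None:
        capacity = 2 * out_bits
    rate_bytes = (25 * w - capacity) // 8
    lane_bytes = w // 8
    lanes = rate_bytes // lane_bytes

    # pad: suffix byte, zeros up to the block boundary, then the final '1' as the top bit
    msg = bytearray(data) + bytes([suffix])
    msg += bytes(-len(msg) % rate_bytes)
    msg[-1] |= 0x80

    a = [[0] * 5 for _ in range(5)]
    for off in range(0, len(msg), rate_bytes):            # absorb
        for idx in range(lanes):                          # lane idx = 5*i + j, little-endian
            chunk = msg[off + idx * lane_bytes: off + (idx + 1) * lane_bytes]
            a[idx // 5][idx % 5] ^= int.from_bytes(chunk, "little")
        a = keccak_f(a, w)

    out = bytearray()                                     # squeeze
    while True:
        for idx in range(lanes):
            out += a[idx // 5][idx % 5].to_bytes(lane_bytes, "little")
        if len(out) >= out_bits // 8:
            return bytes(out[: out_bits // 8])
        a = keccak_f(a, w)                                # only reached when out_bits > r


if __name__ == "__main__":
    for n in (224, 256, 384, 512):
        print('Keccak-%d("") = %s' % (n, keccak(b"", n).hex()))
```

The same <code>keccak</code> call with <code>w=32</code> and <code>out_bits=256</code> gives the Keccak-f[800] variant with ''r'' = 288 mentioned above (<code>rate_bytes</code> becomes 36, i.e. nine 32-bit lanes per block), and <code>capacity=512</code> with a large <code>out_bits</code> exercises the multi-block squeeze that the ''c''=2''n'' hash instances never need.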

==Comparison of SHA functions==

In the table below, ''internal state'' means the number of bits that are carried over to the next block.

{{Comparison of SHA functions}}

==Tweaks==

Throughout the NIST hash function competition, entrants were permitted to "tweak" their algorithms to address issues that were discovered. Changes that have been made to Keccak are:<ref>{{cite web|title=Keccak parameter changes for round 2 |url=http://keccak.noekeon.org/version_2.0.html }}</ref><ref>{{cite web|title=Simplifying Keccak's padding rule for round 3 |url=http://keccak.noekeon.org/version_3.0.html }}</ref>
* The number of rounds was increased from 12+ℓ to 12+2ℓ to be more conservative about security.
* The message padding was changed from a more complex scheme to the simple 10<sup>*</sup>1 pattern described above.
* The rate ''r'' was increased to the security limit, rather than rounding down to the nearest power of 2.
==NIST announcement controversy==

In February 2013 at the RSA Conference, and then in August 2013 at CHES, NIST announced they would select different values for the capacity, i.e., the security parameter, for the SHA-3 standard, compared to the submission.<ref name="rsa2013" /><ref name="ches2013" /> The changes caused some turmoil.

In September 2013, on the [[NIST]] hash-forum mailing list,<ref>{{cite web|title=NIST hash forum mailing list|url=http://csrc.nist.gov/groups/ST/hash/email_list.html}}</ref> [[Daniel J. Bernstein]] suggested strengthening the security to the 576-bit capacity that was originally proposed as the default Keccak.{{citation needed|date=September 2013}} The Keccak team responded by stating that they had already proposed 128-bit security, by setting c=256, as an option in their SHA-3 proposal.<ref>{{cite web|title=On 128-bit security|url=http://keccak.noekeon.org/on_128bit_security.html}}</ref> But in the light of the uproar in the cryptographic community, they proposed raising the capacity to 512 bits for all instances.<ref>{{cite web|title=A concrete proposal |url=http://keccak.noekeon.org/a_concrete_proposal.html}}</ref>

In October 2013, [[Bruce Schneier]] criticized NIST's decision on the basis of its possible detrimental effects on the acceptance of the algorithm, saying
{{quote|There is too much mistrust in the air. NIST risks publishing an algorithm that no one will trust and no one (except those forced) will use.<ref name="schneier">{{cite web|title=Schneier on Security: Will Keccak = SHA-3? |url=https://www.schneier.com/blog/archives/2013/10/will_keccak_sha-3.html}}</ref>}}

Paul Crowley, on the other hand, explained why he supports such a decision, summarizing it as
{{quote|
* Keccak is designed to be varied in this way. The proposal document puts very little weight on their specific SHA-3 proposals; it’s clear that the capacity and output size can be independently varied to meet specific security needs.
* There is no reason to ask for a hash function with vastly greater second preimage security than collision security. […]
* If for some reason you’re nervous about the “less secure” Keccak, then what you should be demanding is more rounds in the Keccak-f function, not a larger capacity in the sponge construction. […]
* Yes, it’s a bit of a shame for the competition that they demanded a certain security level for entrants, then went to publish a standard with a different one. But there’s nothing that can be done to fix that now, except re-opening the competition. Demanding that they stick to their mistake doesn’t improve things for anyone.<ref>{{cite web|title=LShift: Why I support the US Government making a cryptography standard weaker |url=http://www.lshift.net/blog/2013/10/01/why-i-support-the-us-government-making-a-cryptography-standard-weaker}}</ref>}}

There was also some confusion that internal changes were made to Keccak. The Keccak team clarified this, stating that NIST's proposal for SHA-3 is a subset of the Keccak family, for which one can generate test vectors using their reference code submitted to the contest, and that this proposal was the result of a series of discussions between them and the NIST hash team.<ref>{{cite web|title=Yes, this is Keccak! |url=http://keccak.noekeon.org/yes_this_is_keccak.html}}</ref> [[Bruce Schneier]] also corrected this, saying
{{quote|I misspoke when I wrote that NIST made "internal changes" to the algorithm. That was sloppy of me. The Keccak permutation remains unchanged. What NIST proposed was reducing the hash function's capacity in the name of performance. One of Keccak's nice features is that it's highly tunable.<ref name="schneier" />}}

In November 2013, in the light of the uproar in the cryptographic community, John Kelsey of NIST proposed to go back to the original c=2n proposal for all SHA-2 drop-in replacement instances.<ref>{{cite web|title=Moving Forward with SHA-3|url=http://csrc.nist.gov/groups/ST/hash/sha-3/documents/kelsey-email-moving-forward-110113.pdf}}</ref>

==Examples of SHA-3 (Keccak) variants==

{{notice|Pending the standardization of SHA-3, there is no specification of particular SHA-3 functions yet. The values provided reflect the NIST submission parameters, and are likely to change.}}

Hash values of the empty string. The parameters to be passed to the Keccak function of the reference Python implementation (which expects 5 parameters<ref>http://keccak.noekeon.org/KeccakInPython-3.0.zip</ref>) in order to obtain these outputs are as follows:
* For Keccak-''n'', where ''n'' is 224, 256, 384, or 512, ''n'' is the output length in bits.
* As mentioned above, the capacity is set to double the output length, per the submission to NIST.
* Since the submission was based on a state size of 1600 bits, the rate is set to 1600 minus the capacity (rate plus capacity must always equal the state size, so specifying any two implies the third).
* The message is encoded as a hexadecimal string.
* The message length in bits is four times the length of the hexadecimal string.

<span style="color: green;">Keccak-224("")
0x f71837502ba8e10837bdd8d365adb85591895602fc552b48b7390abd</span>
<span style="color: green;">Keccak-256("")
0x c5d2460186f7233c927e7db2dcc703c0e500b653ca82273b7bfad8045d85a470</span>
<span style="color: green;">Keccak-384("")
0x 2c23146a63a29acf99e73b88f8c24eaa7dc60aa771780ccc006afbfa8fe2479b2dd2b21362337441ac12b515911957ff</span>
<span style="color: green;">Keccak-512("")
0x 0eab42de4c3ceb9235fc91acffe746b29c29a8c366b7c60e4e67c466f36a4304c00fa9caf9d87976ba469bcbe06713b435f091ef2769fb160cdab33d3670680e</span>

Even a small change in the message will (with overwhelming probability) result in a mostly different hash, owing to the [[avalanche effect]]. For example, adding a period to the end of the sentence:

<span style="color: green;">Keccak-224("The quick brown fox jumps over the lazy dog")
0x 310aee6b30c47350576ac2873fa89fd190cdc488442f3ef654cf23fe</span>
<span style="color: green;">Keccak-224("The quick brown fox jumps over the lazy dog.")
0x c59d4eaeac728671c635ff645014e2afa935bebffdb5fbd207ffdeab</span>

<span style="color: green;">Keccak-256("The quick brown fox jumps over the lazy dog")
0x 4d741b6f1eb29cb2a9b9911c82f56fa8d73b04959d3d9d222895df6c0b28aa15</span>
<span style="color: green;">Keccak-256("The quick brown fox jumps over the lazy dog.")
0x 578951e24efd62a3d63a86f7cd19aaa53c898fe287d2552133220370240b572d</span>

<span style="color: green;">Keccak-384("The quick brown fox jumps over the lazy dog")
0x 283990fa9d5fb731d786c5bbee94ea4db4910f18c62c03d173fc0a5e494422e8a0b3da7574dae7fa0baf005e504063b3</span>
<span style="color: green;">Keccak-384("The quick brown fox jumps over the lazy dog.")
0x 9ad8e17325408eddb6edee6147f13856ad819bb7532668b605a24a2d958f88bd5c169e56dc4b2f89ffd325f6006d820b</span>

<span style="color: green;">Keccak-512("The quick brown fox jumps over the lazy dog")
0x d135bb84d0439dbac432247ee573a23ea7d3c9deb2a968eb31d47c4fb45f1ef4422d6c531b5b9bd6f449ebcc449ea94d0a8f05f62130fda612da53c79659f609</span>
<span style="color: green;">Keccak-512("The quick brown fox jumps over the lazy dog.")
0x ab7192d2b11f51c7dd744e7b3441febf397ca07bf812cceae122ca4ded6387889064f8db9230f173f6d1ab6e24b6e50f065b039f799f5592360a6558eb52d760</span>

==References==
{{reflist|30em}}

==External links==
* [http://keccak.noekeon.org/ The Keccak web site]
* [https://github.com/kocakosm/pitaya/blob/master/src/org/pitaya/security/Keccak.java A Java implementation of Keccak]
* [http://plaintext.crypto.lo.gy/article/495/untwisted-a-cryptol-implementation-of-keccak-part-1 A Cryptol implementation of Keccak]
* [http://cryptography.gmu.edu/athena/index.php?id=source_codes VHDL source code developed by the Cryptographic Engineering Research Group (CERG) at George Mason University]
* [https://github.com/b/sha3 Erlang NIF implementation based on the NIST reference code]
* [http://www.purebasic.fr/english/viewtopic.php?p=423810#p423810 Keccak implemented in PureBasic]

{{Cryptography navbox | hash}}

[[Category:NIST hash function competition]]