Inside SHA-3
William Stallings
SHA-3 origins
0278-6648/13/$31.00 © 2013 IEEE
IEEE POTENTIALS
NOVEMBER/DECEMBER 2013
Fig. 3 The SHA-3 state matrix. (a) State variable as 5×5 matrix A of 64-b words and (b) bit labeling of 64-b words.
[Figure: panel (a) is the 5×5 grid of lanes L[x, y] for x = 0..4 and y = 0..4; panel (b) labels the bits a[x, y, z].]
[Figure: s enters Round 0 and passes through to Round 23; each round consists of the Theta (θ), Rho (ρ), Pi (π), Chi (χ) and Iota (ι) steps, with ROT(x, y) shown at the Rho step and RC[0] through RC[23] at the Iota step.]
retained as block $Z_0$. Then, the value of s is updated with repeated executions of f, and at each iteration, the first $\ell$ bits of s are retained as block $Z_i$ and concatenated with previously generated blocks. The process continues through $(j - 1)$ iterations until we have $(j - 1) \times r < \ell \le j \times r$. At this point the first $\ell$ bits of the concatenated block Y are returned.

Note that the absorbing phase has the structure of a typical hash function. A common case will be one in which the desired hash length is less than or equal to the input block length; that is, $\ell \le r$. In that case, the sponge construction terminates after the absorbing phase. If a longer output than b bits is required, then the squeezing phase is employed. Thus the sponge construction is quite flexible. For example, a short message with a length r could be used as a seed and the sponge construction would function as a pseudorandom number generator.

To summarize, the sponge construction is a simple iterated construction for building a function F with variable-length
$$\cdots \oplus \sum_{y'=0}^{4} a[(x-1), y', z] \oplus \sum_{y'=0}^{4} a[(x+1), y', (z-1)], \tag{1}$$

where the summations are iterated bitwise XOR operations. We can see more clearly what this operation accomplishes with reference to Figure 5a. First, define the bitwise XOR of the lanes in column x as:

$$C[x] = L[x, 0] \oplus L[x, 1] \oplus L[x, 2] \oplus L[x, 3] \oplus L[x, 4].$$

$$L[x, y] \leftarrow L[x, y] \oplus C[x-1] \oplus \mathrm{ROT}(C[x+1], 1).$$
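if $x = y = 0$

otherwise,

$$\rho:\ a[x, y, z] \leftarrow a\left[x,\ y,\ \left(z - \frac{(t+1)(t+2)}{2}\right)\right] \tag{2}$$

with

$$\begin{pmatrix} 0 & 1 \\ 2 & 3 \end{pmatrix}^{t} \begin{pmatrix} 1 \\ 0 \end{pmatrix} = \begin{pmatrix} x \\ y \end{pmatrix} \quad \text{in } GF(5)^{2 \times 2},$$

$$\begin{pmatrix} x \\ y \end{pmatrix} = \begin{pmatrix} 0 & 1 \\ 2 & 3 \end{pmatrix}^{t} \begin{pmatrix} 1 \\ 0 \end{pmatrix}.$$

For example, for $t = 3$, we have:

$$\begin{aligned}
\begin{pmatrix} x \\ y \end{pmatrix}
&= \begin{pmatrix} 0 & 1 \\ 2 & 3 \end{pmatrix}^{3} \begin{pmatrix} 1 \\ 0 \end{pmatrix} \bmod 5
 = \begin{pmatrix} 0 & 1 \\ 2 & 3 \end{pmatrix} \begin{pmatrix} 0 & 1 \\ 2 & 3 \end{pmatrix} \begin{pmatrix} 0 & 1 \\ 2 & 3 \end{pmatrix} \begin{pmatrix} 1 \\ 0 \end{pmatrix} \bmod 5 \\
&= \begin{pmatrix} 0 & 1 \\ 2 & 3 \end{pmatrix} \begin{pmatrix} 0 & 1 \\ 2 & 3 \end{pmatrix} \begin{pmatrix} 0 \\ 2 \end{pmatrix} \bmod 5
 = \begin{pmatrix} 0 & 1 \\ 2 & 3 \end{pmatrix} \begin{pmatrix} 2 \\ 6 \end{pmatrix} \bmod 5 \\
&= \begin{pmatrix} 0 & 1 \\ 2 & 3 \end{pmatrix} \begin{pmatrix} 2 \\ 1 \end{pmatrix} \bmod 5
 = \begin{pmatrix} 1 \\ 7 \end{pmatrix} \bmod 5
 = \begin{pmatrix} 1 \\ 2 \end{pmatrix}.
\end{aligned}$$

$$\pi:\ a[x, y] \leftarrow a[x', y'], \qquad \begin{pmatrix} x \\ y \end{pmatrix} = \begin{pmatrix} 0 & 1 \\ 2 & 3 \end{pmatrix} \begin{pmatrix} x' \\ y' \end{pmatrix}. \tag{3}$$

$$\chi:\ a[x] \leftarrow a[x] \oplus \big( (a[x+1] \oplus 1)\ \mathrm{AND}\ a[x+2] \big). \tag{4}$$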
Fig. 5 Theta and chi step functions. (a) θ step function and (b) χ step function.
[Figure: both panels show the 5×5 grid of lanes L[x, y]. Panel (a) highlights lane L[2, 3] being updated with C[1] and ROT(C[3], 1); panel (b) highlights lane L[2, 3] being updated from L[3, 3] and L[4, 3] through an AND.]
NIST published SHA-3 as a draft standard for public comment in the latter part
of 2013. As of this writing, it is expected
that the final standard will be published by
the middle of 2014. It may be some time
before we see commercially available
implementations in cryptographic algorithms and protocols. And because SHA-2
continues to be viewed as secure, it is
unlikely that SHA-3 will completely supplant SHA-2. But, with its high level of
security, its implementation efficiency, and
the prestige of having prevailed in a competition, SHA-3 is likely to become a widely
used hash function. An additional advantage of having both SHA-2 and SHA-3 as
standard hash functions is that the two
hash functions have fundamentally different structures and use quite different mathematical operations. Thus, any cryptanalytic
attack that is developed that tends to
weaken one of the two hash functions is
unlikely to be useful against the other.
Acknowledgment
I would like to thank the designers of Keccak, who reviewed a draft of this article.
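| t | g(t) | g(t) mod 64 | x, y |
|---|------|-------------|------|
| 0 |  |  | 1, 0 |
| 1 |  |  | 0, 2 |
| 2 |  |  | 2, 1 |
| 3 | 10 | 10 | 1, 2 |
| 4 | 15 | 15 | 2, 3 |
| 5 | 21 | 21 | 3, 3 |
| 6 | 28 | 28 | 3, 0 |
| 7 | 36 | 36 | 0, 1 |
| 8 | 45 | 45 | 1, 3 |
| 9 | 55 | 55 | 3, 1 |
| 10 | 66 |  | 1, 4 |
| 11 | 78 | 14 | 4, 4 |
| 12 | 91 | 27 | 4, 0 |
| 13 | 105 | 41 | 0, 3 |
| 14 | 120 | 56 | 3, 4 |
| 15 | 136 |  | 4, 3 |
| 16 | 153 | 25 | 3, 2 |
| 17 | 171 | 43 | 2, 2 |
| 18 | 190 | 62 | 2, 0 |
| 19 | 210 | 18 | 0, 4 |
| 20 | 231 | 39 |  |
| 21 | 253 | 61 |  |
| 22 | 276 | 20 |  |
| 23 | 300 | 44 |  |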
$$a[x, y, z] \leftarrow a[x, y, z] \oplus \big(\mathrm{NOT}(a[x+1, y, z])\big)\ \mathrm{AND}\ \big(a[x+2, y, z]\big).$$

$$L[0, 0] \leftarrow L[0, 0] \oplus RC[i_r], \qquad 0 \le i_r \le 24.$$
[Figure: panel (a) is the 5×5 grid with lane L[x, y] at column x, row y (rows labeled Row 0 to Row 4). Panel (b), the lane positions after the permutation:]

|     | x=0 | x=1 | x=2 | x=3 | x=4 |
|-----|-----|-----|-----|-----|-----|
| y=4 | L[2, 0] | L[3, 1] | L[4, 2] | L[0, 3] | L[1, 4] |
| y=3 | L[4, 0] | L[0, 1] | L[1, 2] | L[2, 3] | L[3, 4] |
| y=2 | L[1, 0] | L[2, 1] | L[3, 2] | L[4, 3] | L[0, 4] |
| y=1 | L[3, 0] | L[4, 1] | L[0, 2] | L[1, 3] | L[2, 4] |
| y=0 | L[0, 0] | L[1, 1] | L[2, 2] | L[3, 3] | L[4, 4] |

Fig. 6 Pi step function. (a) Lane position at the start of step and (b) lane position after the permutation.
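
An added example, not code from the article or from the Keccak designers: the round function f written in the lane notation used above (theta, rho, pi, chi, iota), wrapped in the sponge's absorbing and squeezing phases. The padding suffix byte, the little-endian lane layout and the LFSR that generates the round constants RC are not given on this page and follow the final FIPS 202 specification (assumptions); each squeezed block Z_i is taken as r bytes of the state.

```python
def rot(v, n):  # ROT(v, n): rotate the 64-bit lane v left by n bits
    return ((v << (n % 64)) | (v >> (64 - n % 64))) & (2**64 - 1)

def keccak_f(L):
    """Round function f: 24 rounds over the lanes L[x][y]."""
    R = 1  # LFSR state producing the iota constants RC (assumed, FIPS 202)
    for _ in range(24):
        # theta: C[x] is the XOR of the five lanes in column x
        C = [L[x][0] ^ L[x][1] ^ L[x][2] ^ L[x][3] ^ L[x][4] for x in range(5)]
        L = [[L[x][y] ^ C[(x - 1) % 5] ^ rot(C[(x + 1) % 5], 1)
              for y in range(5)] for x in range(5)]
        # rho: walk (x, y) = M^t (1, 0) mod 5, rotating by (t+1)(t+2)/2
        x, y = 1, 0
        for t in range(24):
            L[x][y] = rot(L[x][y], (t + 1) * (t + 2) // 2)
            x, y = y, (2 * x + 3 * y) % 5
        # pi: position (x, y) receives the lane from (x', y') = (x + 3y, x)
        B = [[L[(x + 3 * y) % 5][x] for y in range(5)] for x in range(5)]
        # chi: a[x] ^= (NOT a[x+1]) AND a[x+2] along each row y
        L = [[B[x][y] ^ (~B[(x + 1) % 5][y] & B[(x + 2) % 5][y])
              for y in range(5)] for x in range(5)]
        # iota: XOR the round constant into L[0][0], one LFSR bit at a time
        for j in range(7):
            R = ((R << 1) ^ ((R >> 7) * 0x71)) % 256
            if R & 2:
                L[0][0] ^= 1 << ((1 << j) - 1)
    return L

def permute(s):
    """Apply f to the 200-byte state; lane (x, y) sits at byte 8*(x + 5y)."""
    L = keccak_f([[int.from_bytes(s[8 * (x + 5 * y):][:8], "little")
                   for y in range(5)] for x in range(5)])
    return bytearray(b"".join(L[x][y].to_bytes(8, "little")
                              for y in range(5) for x in range(5)))

def sponge(msg, r, suffix, out_len):
    """Absorb msg at rate r bytes, then squeeze out_len bytes (FIPS 202 pad)."""
    p = bytearray(msg) + bytes([suffix])
    p += bytes(-len(p) % r)
    p[-1] ^= 0x80
    s = bytearray(200)
    for i in range(0, len(p), r):  # absorbing phase
        block = p[i:i + r] + bytes(200 - r)
        s = permute(bytearray(a ^ b for a, b in zip(s, block)))
    Y = bytes(s[:r])               # Z_0
    while len(Y) < out_len:        # squeezing phase: Z_1, Z_2, ...
        s = permute(s)
        Y += bytes(s[:r])
    return Y[:out_len]
```

With r = 136 bytes and suffix 0x06 the output equals SHA3-256; with r = 168 and suffix 0x1F it equals SHAKE128, where requesting more than r bytes exercises the squeezing loop.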