Are you over 18 and want to see adult content?
More Annotations
A complete backup of stadler-markus.de
Are you over 18 and want to see adult content?
A complete backup of buscandoseguro.com
Are you over 18 and want to see adult content?
A complete backup of holaspanishcentre.com
Are you over 18 and want to see adult content?
A complete backup of drachenbootrennen.ch
Are you over 18 and want to see adult content?
A complete backup of rabbitfileloveav.blogspot.com
Are you over 18 and want to see adult content?
Favourite Annotations
A complete backup of cosmetixclub.com
Are you over 18 and want to see adult content?
A complete backup of rbglobalchallenge.com
Are you over 18 and want to see adult content?
A complete backup of lindastgcaptions.blogspot.com
Are you over 18 and want to see adult content?
A complete backup of school-proxy.net
Are you over 18 and want to see adult content?
A complete backup of clere.hants.sch.uk
Are you over 18 and want to see adult content?
A complete backup of sportevent.com.ua
Are you over 18 and want to see adult content?
A complete backup of saintsbaseball.com
Are you over 18 and want to see adult content?
Text
KECCAK TEAM
In this post, we highlight another argument why Keccak /SHA-3 is a better choice than SHA-2, namely openness, in analogy with open-source versus closed-source in software development and deployment. Software has two sides: its executable and its source code.KECCAK TEAM
Keccak Team. Keccak is a versatile cryptographic function. Best known as a hash function, it nevertheless can also be used for authentication, (authenticated) encryption and pseudo-random number generation. Its structure is the extremely simple sponge construction and internally it uses the innovative Keccak -f cryptographicpermutation.
KECCAK TEAM
About us. The Keccak team. From left to right: Michaël Peeters, Guido Bertoni, Joan Daemen, Ronny Van Keer, Gilles Van Assche (at CHES 2015) and Seth Hoffert. We can beKECCAK TEAM
Keccak Team. Different software implementations of Keccak, the standard SHA-3 and SHAKE functions, Ketje, Keyak and Kravatte are available. The first place to look for an implementation is the Keccak Code Package. For reference implementations and tools for cryptanalysis, we propose KeccakTools. There are also plenty ofthird-party
KECCAK TEAMSEE MORE ON KECCAK.TEAMKECCAK TEAM
Keccak Team. Xoodyak is a lightweight, versatile, cryptographic scheme suitable in constrained environments. It can be used for hashing, encryption, MAC computation and authenticated encryption. Xoodyak builds upon the Xoodoo permutations and the duplex construction. KECCAK TEAMSEE MORE ON KECCAK.TEAMKECCAK TEAM
The Keccak - p permutations. Designed by. Guido Bertoni, Joan Daemen, Michaël Peeters and Gilles Van Assche. Parameterized by. The width b and the number of rounds nr. Instances. The instances are denoted Keccak - p . The width b must be 25, 50, 100, 200, 400, 800 or 1600 bits. Some instances can also be equivalently denoted KeccakKECCAK TEAM
The figures above are available under the Creative Commons Attribution 4.0 International License.In short, they can be freely used, but we kindly ask to do the attribution in the figure caption, either by linking to this webpage or by citing the article where the particular figure first appeared. KIMPLEMENTATION OVERVIEW 1.Generalaspects K implementationoverview WeobtaintheK spongefunction,withparameterscapacityc andbitrater,ifweapplythespongeconstructiontoK -f[r +cKECCAK TEAM
In this post, we highlight another argument why Keccak /SHA-3 is a better choice than SHA-2, namely openness, in analogy with open-source versus closed-source in software development and deployment. Software has two sides: its executable and its source code.KECCAK TEAM
Keccak Team. Keccak is a versatile cryptographic function. Best known as a hash function, it nevertheless can also be used for authentication, (authenticated) encryption and pseudo-random number generation. Its structure is the extremely simple sponge construction and internally it uses the innovative Keccak -f cryptographicpermutation.
KECCAK TEAM
About us. The Keccak team. From left to right: Michaël Peeters, Guido Bertoni, Joan Daemen, Ronny Van Keer, Gilles Van Assche (at CHES 2015) and Seth Hoffert. We can beKECCAK TEAM
Keccak Team. Different software implementations of Keccak, the standard SHA-3 and SHAKE functions, Ketje, Keyak and Kravatte are available. The first place to look for an implementation is the Keccak Code Package. For reference implementations and tools for cryptanalysis, we propose KeccakTools. There are also plenty ofthird-party
KECCAK TEAMSEE MORE ON KECCAK.TEAMKECCAK TEAM
Keccak Team. Xoodyak is a lightweight, versatile, cryptographic scheme suitable in constrained environments. It can be used for hashing, encryption, MAC computation and authenticated encryption. Xoodyak builds upon the Xoodoo permutations and the duplex construction. KECCAK TEAMSEE MORE ON KECCAK.TEAMKECCAK TEAM
The Keccak - p permutations. Designed by. Guido Bertoni, Joan Daemen, Michaël Peeters and Gilles Van Assche. Parameterized by. The width b and the number of rounds nr. Instances. The instances are denoted Keccak - p . The width b must be 25, 50, 100, 200, 400, 800 or 1600 bits. Some instances can also be equivalently denoted KeccakKECCAK TEAM
The figures above are available under the Creative Commons Attribution 4.0 International License.In short, they can be freely used, but we kindly ask to do the attribution in the figure caption, either by linking to this webpage or by citing the article where the particular figure first appeared. KIMPLEMENTATION OVERVIEW 1.Generalaspects K implementationoverview WeobtaintheK spongefunction,withparameterscapacityc andbitrater,ifweapplythespongeconstructiontoK -f[r +cKECCAK TEAM
Keccak (pronounced , like “ketchak”) is a family of sponge functions that has been standardized in the form of SHAKE128 and SHAKE256 extendable output functions and of SHA3-224 to SHA3-512 hash functions in FIPS 202, as well as cSHAKE128, cSHAKE256 and other functions in NIST SP 800-185.The text below is a quick description of Keccak using pseudo-code.KECCAK TEAM
Keccak follows an open design approach. Keccak comes with a clear design rationale and has been extensively scrutinized by third-party cryptanalysis. For more details, we refer to the cryptanalysis page. Unlike the previous hashing standards, the SHA-3, SHAKE, cSHAKE and other SHA-3-related functions are the outcome of an open competition.KECCAK TEAM
Synopsis The Keccak-p permutations; Designed by: Guido Bertoni, Joan Daemen, Michaël Peeters and Gilles Van Assche: Parameterized by: The width b and the number of rounds n r: Instances: The instances are denoted Keccak-p.The width b must be 25, 50, 100, 200, 400, 800 or 1600 bits. Some instances can also be equivalently denoted Keccak-f, as listed in the table below.KECCAK TEAM
Keccak is defined solely of operations on bits. When implemented on a typical computer, the input and output bits must be packed in bytes following a well-defined convention. In the case of Keccak, the convention is the little-endian convention, i.e., the first bit goes to the least significant bit position of a byte.. In more details, a n-bit string consists of a sequence of bits numberedKECCAK TEAM
The figures above are available under the Creative Commons Attribution 4.0 International License.In short, they can be freely used, but we kindly ask to do the attribution in the figure caption, either by linking to this webpage or by citing the article where the particular figure first appeared.KECCAK TEAM
3GPP TS 35.231 - Specification of the TUAK algorithm set: A second example algorithm set for the 3GPP authentication and key generation functions f1, f1*, f2, f3, f4, f5 and f5*. October 2014 - The 3GPP TS 35.231 standard defines: TUAK, an authentication and key generation algorithm for mobile telephony, based on Keccak.KECCAK TEAM
Keccak Team. Xoodoo is a set of 384-bit cryptographic permutations parameterized by their round count. The round function works on 12 words of 32 bits, which makes it efficient even on low-end processors. At the core of Xoodyak and of Xoofff, it has excellent propagationproperties.
KECCAK TEAM
Keccak Team. Keyak is an authenticated encryption scheme based on Keccak - p. It takes as input a *secret and unique value* (SUV), then some associated data (or metadata) that are authenticated but not encrypted and finally some plaintext. It produces a cryptogram comprising the ciphertext and a tag authenticating both the metadataand the
KECCAK TEAM
Keccak Team. KangarooTwelve is a fast and secure extendable-output function (XOF), the generalization of hash functions to arbitrary output lengths. Derived from Keccak, it aims at higher speeds than FIPS 202's SHA-3 and SHAKE functions, while retaining their flexibility and basis of security. On high-end platforms, it can exploit a high degreeKECCAK TEAM
Keccak Team. If SHA-2 is not broken, why would one switch to SHA-3 and not just stay with SHA-2? In this post, we highlight another argument why Keccak /SHA-3 is a better choice than SHA-2, namely openness, in analogy with open-source versus closed-source in software development and deployment. Software has two sides: its executable and itsKECCAK TEAM
In this post, we highlight another argument why Keccak /SHA-3 is a better choice than SHA-2, namely openness, in analogy with open-source versus closed-source in software development and deployment. Software has two sides: its executable and its source code.KECCAK TEAM
Keccak Team. Keccak is a versatile cryptographic function. Best known as a hash function, it nevertheless can also be used for authentication, (authenticated) encryption and pseudo-random number generation. Its structure is the extremely simple sponge construction and internally it uses the innovative Keccak -f cryptographicpermutation.
KECCAK TEAM
Keccak Team. Different software implementations of Keccak, the standard SHA-3 and SHAKE functions, Ketje, Keyak and Kravatte are available. The first place to look for an implementation is the Keccak Code Package. For reference implementations and tools for cryptanalysis, we propose KeccakTools. There are also plenty ofthird-party
KECCAK TEAM
About us. The Keccak team. From left to right: Michaël Peeters, Guido Bertoni, Joan Daemen, Ronny Van Keer, Gilles Van Assche (at CHES 2015) and Seth Hoffert. We can be KECCAK TEAMSEE MORE ON KECCAK.TEAMKECCAK TEAM
Keccak Team. Xoodyak is a lightweight, versatile, cryptographic scheme suitable in constrained environments. It can be used for hashing, encryption, MAC computation and authenticated encryption. Xoodyak builds upon the Xoodoo permutations and the duplex construction.KECCAK TEAM
The Keccak - p permutations. Designed by. Guido Bertoni, Joan Daemen, Michaël Peeters and Gilles Van Assche. Parameterized by. The width b and the number of rounds nr. Instances. The instances are denoted Keccak - p . The width b must be 25, 50, 100, 200, 400, 800 or 1600 bits. Some instances can also be equivalently denoted KeccakKECCAK TEAM
The figures above are available under the Creative Commons Attribution 4.0 International License.In short, they can be freely used, but we kindly ask to do the attribution in the figure caption, either by linking to this webpage or by citing the article where the particular figure first appeared. KIMPLEMENTATION OVERVIEW 1.Generalaspects K implementationoverview WeobtaintheK spongefunction,withparameterscapacityc andbitrater,ifweapplythespongeconstructiontoK -f[r +cSPONGE FUNCTIONS
Sponge Functions Guido Bertoni1, Joan Daemen1, Micha¨el Peeters2, and Gilles Van Assche1 gro.noekeon@noekeon.org 1 STMicroelectronics 2 NXP Semiconductors Abstract. A good cryptographic hash function should behave like a random oracle: it shouldKECCAK TEAM
In this post, we highlight another argument why Keccak /SHA-3 is a better choice than SHA-2, namely openness, in analogy with open-source versus closed-source in software development and deployment. Software has two sides: its executable and its source code.KECCAK TEAM
Keccak Team. Keccak is a versatile cryptographic function. Best known as a hash function, it nevertheless can also be used for authentication, (authenticated) encryption and pseudo-random number generation. Its structure is the extremely simple sponge construction and internally it uses the innovative Keccak -f cryptographicpermutation.
KECCAK TEAM
Keccak Team. Different software implementations of Keccak, the standard SHA-3 and SHAKE functions, Ketje, Keyak and Kravatte are available. The first place to look for an implementation is the Keccak Code Package. For reference implementations and tools for cryptanalysis, we propose KeccakTools. There are also plenty ofthird-party
KECCAK TEAM
About us. The Keccak team. From left to right: Michaël Peeters, Guido Bertoni, Joan Daemen, Ronny Van Keer, Gilles Van Assche (at CHES 2015) and Seth Hoffert. We can be KECCAK TEAMSEE MORE ON KECCAK.TEAMKECCAK TEAM
Keccak Team. Xoodyak is a lightweight, versatile, cryptographic scheme suitable in constrained environments. It can be used for hashing, encryption, MAC computation and authenticated encryption. Xoodyak builds upon the Xoodoo permutations and the duplex construction.KECCAK TEAM
The Keccak - p permutations. Designed by. Guido Bertoni, Joan Daemen, Michaël Peeters and Gilles Van Assche. Parameterized by. The width b and the number of rounds nr. Instances. The instances are denoted Keccak - p . The width b must be 25, 50, 100, 200, 400, 800 or 1600 bits. Some instances can also be equivalently denoted KeccakKECCAK TEAM
The figures above are available under the Creative Commons Attribution 4.0 International License.In short, they can be freely used, but we kindly ask to do the attribution in the figure caption, either by linking to this webpage or by citing the article where the particular figure first appeared. KIMPLEMENTATION OVERVIEW 1.Generalaspects K implementationoverview WeobtaintheK spongefunction,withparameterscapacityc andbitrater,ifweapplythespongeconstructiontoK -f[r +cSPONGE FUNCTIONS
Sponge Functions Guido Bertoni1, Joan Daemen1, Micha¨el Peeters2, and Gilles Van Assche1 gro.noekeon@noekeon.org 1 STMicroelectronics 2 NXP Semiconductors Abstract. A good cryptographic hash function should behave like a random oracle: it shouldKECCAK TEAM
Keccak (pronounced , like “ketchak”) is a family of sponge functions that has been standardized in the form of SHAKE128 and SHAKE256 extendable output functions and of SHA3-224 to SHA3-512 hash functions in FIPS 202, as well as cSHAKE128, cSHAKE256 and other functions in NIST SP 800-185.The text below is a quick description of Keccak using pseudo-code.KECCAK TEAM
Keccak Team. This page lists the scientific papers we wrote and briefly describes what they are about. J. Daemen, S. Hoffert, M. Peeters, G. Van Assche and R. Van Keer, Xoodyak, a lightweight cryptographic scheme, Submission to the NIST Lightweight Cryptography Standardization Process, 2019. In this document, we define the Cyclistmode of
KECCAK TEAM
The Keccak - p permutations. Designed by. Guido Bertoni, Joan Daemen, Michaël Peeters and Gilles Van Assche. Parameterized by. The width b and the number of rounds nr. Instances. The instances are denoted Keccak - p . The width b must be 25, 50, 100, 200, 400, 800 or 1600 bits. Some instances can also be equivalently denoted KeccakKECCAK TEAM
3GPP TS 35.231 - Specification of the TUAK algorithm set: A second example algorithm set for the 3GPP authentication and key generation functions f1, f1*, f2, f3, f4, f5 and f5*. October 2014 - The 3GPP TS 35.231 standard defines: TUAK, an authentication and key generation algorithm for mobile telephony, based on Keccak.KECCAK TEAM
The figures above are available under the Creative Commons Attribution 4.0 International License.In short, they can be freely used, but we kindly ask to do the attribution in the figure caption, either by linking to this webpage or by citing the article where the particular figure first appeared.KECCAK TEAM
Keccak Team. KangarooTwelve is a fast and secure extendable-output function (XOF), the generalization of hash functions to arbitrary output lengths. Derived from Keccak, it aims at higher speeds than FIPS 202's SHA-3 and SHAKE functions, while retaining their flexibility and basis of security. On high-end platforms, it can exploit a high degreeKECCAK TEAM
Keccak Team. Keyak is an authenticated encryption scheme based on Keccak - p. It takes as input a *secret and unique value* (SUV), then some associated data (or metadata) that are authenticated but not encrypted and finally some plaintext. It produces a cryptogram comprising the ciphertext and a tag authenticating both the metadataand the
KECCAK TEAM
Keccak Team. Kravatte is a deck function, on top of which we define simple modes: Kravatte -SANE, an authenticated encryption scheme supporting sessions, like Ketje and Keyak; Kravatte -SANSE, an authenticated encryption scheme supporting sessions and using the synthetic initial value (SIV) technique, robust under nonce repetitions; KravatteKECCAK TEAM
Keccak Team. Xoodoo is a set of 384-bit cryptographic permutations parameterized by their round count. The round function works on 12 words of 32 bits, which makes it efficient even on low-end processors. At the core of Xoodyak and of Xoofff, it has excellent propagationproperties.
KIMPLEMENTATION OVERVIEW 1.Generalaspects K implementationoverview WeobtaintheK spongefunction,withparameterscapacityc andbitrater,ifweapplythespongeconstructiontoK -f[r +cKECCAK TEAM
In this post, we highlight another argument why Keccak /SHA-3 is a better choice than SHA-2, namely openness, in analogy with open-source versus closed-source in software development and deployment. Software has two sides: its executable and its source code.KECCAK TEAM
Keccak Team. Keccak is a versatile cryptographic function. Best known as a hash function, it nevertheless can also be used for authentication, (authenticated) encryption and pseudo-random number generation. Its structure is the extremely simple sponge construction and internally it uses the innovative Keccak -f cryptographicpermutation.
KECCAK TEAM
Keccak Team. Different software implementations of Keccak, the standard SHA-3 and SHAKE functions, Ketje, Keyak and Kravatte are available. The first place to look for an implementation is the Keccak Code Package. For reference implementations and tools for cryptanalysis, we propose KeccakTools. There are also plenty ofthird-party
KECCAK TEAM
About us. The Keccak team. From left to right: Michaël Peeters, Guido Bertoni, Joan Daemen, Ronny Van Keer, Gilles Van Assche (at CHES 2015) and Seth Hoffert. We can be KECCAK TEAMSEE MORE ON KECCAK.TEAMKECCAK TEAM
Keccak Team. Xoodyak is a lightweight, versatile, cryptographic scheme suitable in constrained environments. It can be used for hashing, encryption, MAC computation and authenticated encryption. Xoodyak builds upon the Xoodoo permutations and the duplex construction.KECCAK TEAM
The Keccak - p permutations. Designed by. Guido Bertoni, Joan Daemen, Michaël Peeters and Gilles Van Assche. Parameterized by. The width b and the number of rounds nr. Instances. The instances are denoted Keccak - p . The width b must be 25, 50, 100, 200, 400, 800 or 1600 bits. Some instances can also be equivalently denoted KeccakKECCAK TEAM
The figures above are available under the Creative Commons Attribution 4.0 International License.In short, they can be freely used, but we kindly ask to do the attribution in the figure caption, either by linking to this webpage or by citing the article where the particular figure first appeared. KIMPLEMENTATION OVERVIEW 1.Generalaspects K implementationoverview WeobtaintheK spongefunction,withparameterscapacityc andbitrater,ifweapplythespongeconstructiontoK -f[r +cSPONGE FUNCTIONS
Sponge Functions Guido Bertoni1, Joan Daemen1, Micha¨el Peeters2, and Gilles Van Assche1 gro.noekeon@noekeon.org 1 STMicroelectronics 2 NXP Semiconductors Abstract. A good cryptographic hash function should behave like a random oracle: it shouldKECCAK TEAM
In this post, we highlight another argument why Keccak /SHA-3 is a better choice than SHA-2, namely openness, in analogy with open-source versus closed-source in software development and deployment. Software has two sides: its executable and its source code.KECCAK TEAM
Keccak Team. Keccak is a versatile cryptographic function. Best known as a hash function, it nevertheless can also be used for authentication, (authenticated) encryption and pseudo-random number generation. Its structure is the extremely simple sponge construction and internally it uses the innovative Keccak -f cryptographicpermutation.
KECCAK TEAM
Keccak Team. Different software implementations of Keccak, the standard SHA-3 and SHAKE functions, Ketje, Keyak and Kravatte are available. The first place to look for an implementation is the Keccak Code Package. For reference implementations and tools for cryptanalysis, we propose KeccakTools. There are also plenty ofthird-party
KECCAK TEAM
About us. The Keccak team. From left to right: Michaël Peeters, Guido Bertoni, Joan Daemen, Ronny Van Keer, Gilles Van Assche (at CHES 2015) and Seth Hoffert. We can be KECCAK TEAMSEE MORE ON KECCAK.TEAMKECCAK TEAM
Keccak Team. Xoodyak is a lightweight, versatile, cryptographic scheme suitable in constrained environments. It can be used for hashing, encryption, MAC computation and authenticated encryption. Xoodyak builds upon the Xoodoo permutations and the duplex construction.KECCAK TEAM
The Keccak - p permutations. Designed by. Guido Bertoni, Joan Daemen, Michaël Peeters and Gilles Van Assche. Parameterized by. The width b and the number of rounds nr. Instances. The instances are denoted Keccak - p . The width b must be 25, 50, 100, 200, 400, 800 or 1600 bits. Some instances can also be equivalently denoted KeccakKECCAK TEAM
The figures above are available under the Creative Commons Attribution 4.0 International License.In short, they can be freely used, but we kindly ask to do the attribution in the figure caption, either by linking to this webpage or by citing the article where the particular figure first appeared. KIMPLEMENTATION OVERVIEW 1.Generalaspects K implementationoverview WeobtaintheK spongefunction,withparameterscapacityc andbitrater,ifweapplythespongeconstructiontoK -f[r +cSPONGE FUNCTIONS
Sponge Functions Guido Bertoni1, Joan Daemen1, Micha¨el Peeters2, and Gilles Van Assche1 gro.noekeon@noekeon.org 1 STMicroelectronics 2 NXP Semiconductors Abstract. A good cryptographic hash function should behave like a random oracle: it shouldKECCAK TEAM
Keccak (pronounced , like “ketchak”) is a family of sponge functions that has been standardized in the form of SHAKE128 and SHAKE256 extendable output functions and of SHA3-224 to SHA3-512 hash functions in FIPS 202, as well as cSHAKE128, cSHAKE256 and other functions in NIST SP 800-185.The text below is a quick description of Keccak using pseudo-code.KECCAK TEAM
Keccak Team. This page lists the scientific papers we wrote and briefly describes what they are about. J. Daemen, S. Hoffert, M. Peeters, G. Van Assche and R. Van Keer, Xoodyak, a lightweight cryptographic scheme, Submission to the NIST Lightweight Cryptography Standardization Process, 2019. In this document, we define the Cyclistmode of
KECCAK TEAM
The Keccak - p permutations. Designed by. Guido Bertoni, Joan Daemen, Michaël Peeters and Gilles Van Assche. Parameterized by. The width b and the number of rounds nr. Instances. The instances are denoted Keccak - p . The width b must be 25, 50, 100, 200, 400, 800 or 1600 bits. Some instances can also be equivalently denoted KeccakKECCAK TEAM
3GPP TS 35.231 - Specification of the TUAK algorithm set: A second example algorithm set for the 3GPP authentication and key generation functions f1, f1*, f2, f3, f4, f5 and f5*. October 2014 - The 3GPP TS 35.231 standard defines: TUAK, an authentication and key generation algorithm for mobile telephony, based on Keccak.KECCAK TEAM
The figures above are available under the Creative Commons Attribution 4.0 International License.In short, they can be freely used, but we kindly ask to do the attribution in the figure caption, either by linking to this webpage or by citing the article where the particular figure first appeared.KECCAK TEAM
Keccak Team. KangarooTwelve is a fast and secure extendable-output function (XOF), the generalization of hash functions to arbitrary output lengths. Derived from Keccak, it aims at higher speeds than FIPS 202's SHA-3 and SHAKE functions, while retaining their flexibility and basis of security. On high-end platforms, it can exploit a high degreeKECCAK TEAM
Keccak Team. Keyak is an authenticated encryption scheme based on Keccak - p. It takes as input a *secret and unique value* (SUV), then some associated data (or metadata) that are authenticated but not encrypted and finally some plaintext. It produces a cryptogram comprising the ciphertext and a tag authenticating both the metadataand the
KECCAK TEAM
Keccak Team. Kravatte is a deck function, on top of which we define simple modes: Kravatte -SANE, an authenticated encryption scheme supporting sessions, like Ketje and Keyak; Kravatte -SANSE, an authenticated encryption scheme supporting sessions and using the synthetic initial value (SIV) technique, robust under nonce repetitions; KravatteKECCAK TEAM
Keccak Team. Xoodoo is a set of 384-bit cryptographic permutations parameterized by their round count. The round function works on 12 words of 32 bits, which makes it efficient even on low-end processors. At the core of Xoodyak and of Xoofff, it has excellent propagationproperties.
KIMPLEMENTATION OVERVIEW 1.Generalaspects K implementationoverview WeobtaintheK spongefunction,withparameterscapacityc andbitrater,ifweapplythespongeconstructiontoK -f[r +cKECCAK TEAM
In this post, we highlight another argument why Keccak /SHA-3 is a better choice than SHA-2, namely openness, in analogy with open-source versus closed-source in software development and deployment. Software has two sides: its executable and its source code.KECCAK TEAM
Keccak Team. Keccak is a versatile cryptographic function. Best known as a hash function, it nevertheless can also be used for authentication, (authenticated) encryption and pseudo-random number generation. Its structure is the extremely simple sponge construction and internally it uses the innovative Keccak -f cryptographicpermutation.
KECCAK TEAM
Keccak Team. Different software implementations of Keccak, the standard SHA-3 and SHAKE functions, Ketje, Keyak and Kravatte are available. The first place to look for an implementation is the Keccak Code Package. For reference implementations and tools for cryptanalysis, we propose KeccakTools. There are also plenty ofthird-party
KECCAK TEAM
About us. The Keccak team. From left to right: Michaël Peeters, Guido Bertoni, Joan Daemen, Ronny Van Keer, Gilles Van Assche (at CHES 2015) and Seth Hoffert. We can be KECCAK TEAMSEE MORE ON KECCAK.TEAMKECCAK TEAM
Keccak Team. Xoodyak is a lightweight, versatile, cryptographic scheme suitable in constrained environments. It can be used for hashing, encryption, MAC computation and authenticated encryption. Xoodyak builds upon the Xoodoo permutations and the duplex construction.KECCAK TEAM
The Keccak - p permutations. Designed by. Guido Bertoni, Joan Daemen, Michaël Peeters and Gilles Van Assche. Parameterized by. The width b and the number of rounds nr. Instances. The instances are denoted Keccak - p . The width b must be 25, 50, 100, 200, 400, 800 or 1600 bits. Some instances can also be equivalently denoted KeccakKECCAK TEAM
The figures above are available under the Creative Commons Attribution 4.0 International License.In short, they can be freely used, but we kindly ask to do the attribution in the figure caption, either by linking to this webpage or by citing the article where the particular figure first appeared. KIMPLEMENTATION OVERVIEW 1.Generalaspects K implementationoverview WeobtaintheK spongefunction,withparameterscapacityc andbitrater,ifweapplythespongeconstructiontoK -f[r +cSPONGE FUNCTIONS
Sponge Functions Guido Bertoni1, Joan Daemen1, Micha¨el Peeters2, and Gilles Van Assche1 gro.noekeon@noekeon.org 1 STMicroelectronics 2 NXP Semiconductors Abstract. A good cryptographic hash function should behave like a random oracle: it shouldKECCAK TEAM
In this post, we highlight another argument why Keccak /SHA-3 is a better choice than SHA-2, namely openness, in analogy with open-source versus closed-source in software development and deployment. Software has two sides: its executable and its source code.KECCAK TEAM
Keccak Team. Keccak is a versatile cryptographic function. Best known as a hash function, it nevertheless can also be used for authentication, (authenticated) encryption and pseudo-random number generation. Its structure is the extremely simple sponge construction and internally it uses the innovative Keccak -f cryptographicpermutation.
KECCAK TEAM
Keccak Team. Different software implementations of Keccak, the standard SHA-3 and SHAKE functions, Ketje, Keyak and Kravatte are available. The first place to look for an implementation is the Keccak Code Package. For reference implementations and tools for cryptanalysis, we propose KeccakTools. There are also plenty ofthird-party
KECCAK TEAM
About us. The Keccak team. From left to right: Michaël Peeters, Guido Bertoni, Joan Daemen, Ronny Van Keer, Gilles Van Assche (at CHES 2015) and Seth Hoffert. We can be KECCAK TEAMSEE MORE ON KECCAK.TEAMKECCAK TEAM
Keccak Team. Xoodyak is a lightweight, versatile, cryptographic scheme suitable in constrained environments. It can be used for hashing, encryption, MAC computation and authenticated encryption. Xoodyak builds upon the Xoodoo permutations and the duplex construction.KECCAK TEAM
The Keccak - p permutations. Designed by. Guido Bertoni, Joan Daemen, Michaël Peeters and Gilles Van Assche. Parameterized by. The width b and the number of rounds nr. Instances. The instances are denoted Keccak - p . The width b must be 25, 50, 100, 200, 400, 800 or 1600 bits. Some instances can also be equivalently denoted KeccakKECCAK TEAM
The figures above are available under the Creative Commons Attribution 4.0 International License.In short, they can be freely used, but we kindly ask to do the attribution in the figure caption, either by linking to this webpage or by citing the article where the particular figure first appeared. KIMPLEMENTATION OVERVIEW 1.Generalaspects K implementationoverview WeobtaintheK spongefunction,withparameterscapacityc andbitrater,ifweapplythespongeconstructiontoK -f[r +cSPONGE FUNCTIONS
Sponge Functions Guido Bertoni1, Joan Daemen1, Micha¨el Peeters2, and Gilles Van Assche1 gro.noekeon@noekeon.org 1 STMicroelectronics 2 NXP Semiconductors Abstract. A good cryptographic hash function should behave like a random oracle: it shouldKECCAK TEAM
Keccak (pronounced , like “ketchak”) is a family of sponge functions that has been standardized in the form of SHAKE128 and SHAKE256 extendable output functions and of SHA3-224 to SHA3-512 hash functions in FIPS 202, as well as cSHAKE128, cSHAKE256 and other functions in NIST SP 800-185.The text below is a quick description of Keccak using pseudo-code.KECCAK TEAM
Keccak Team. This page lists the scientific papers we wrote and briefly describes what they are about. J. Daemen, S. Hoffert, M. Peeters, G. Van Assche and R. Van Keer, Xoodyak, a lightweight cryptographic scheme, Submission to the NIST Lightweight Cryptography Standardization Process, 2019. In this document, we define the Cyclistmode of
KECCAK TEAM
The Keccak - p permutations. Designed by. Guido Bertoni, Joan Daemen, Michaël Peeters and Gilles Van Assche. Parameterized by. The width b and the number of rounds nr. Instances. The instances are denoted Keccak - p . The width b must be 25, 50, 100, 200, 400, 800 or 1600 bits. Some instances can also be equivalently denoted KeccakKECCAK TEAM
3GPP TS 35.231 - Specification of the TUAK algorithm set: A second example algorithm set for the 3GPP authentication and key generation functions f1, f1*, f2, f3, f4, f5 and f5*. October 2014 - The 3GPP TS 35.231 standard defines: TUAK, an authentication and key generation algorithm for mobile telephony, based on Keccak.KECCAK TEAM
The figures above are available under the Creative Commons Attribution 4.0 International License.In short, they can be freely used, but we kindly ask to do the attribution in the figure caption, either by linking to this webpage or by citing the article where the particular figure first appeared.KECCAK TEAM
Keccak Team. KangarooTwelve is a fast and secure extendable-output function (XOF), the generalization of hash functions to arbitrary output lengths. Derived from Keccak, it aims at higher speeds than FIPS 202's SHA-3 and SHAKE functions, while retaining their flexibility and basis of security. On high-end platforms, it can exploit a high degreeKECCAK TEAM
Keccak Team. Keyak is an authenticated encryption scheme based on Keccak - p. It takes as input a *secret and unique value* (SUV), then some associated data (or metadata) that are authenticated but not encrypted and finally some plaintext. It produces a cryptogram comprising the ciphertext and a tag authenticating both the metadataand the
KECCAK TEAM
Keccak Team. Kravatte is a deck function, on top of which we define simple modes: Kravatte -SANE, an authenticated encryption scheme supporting sessions, like Ketje and Keyak; Kravatte -SANSE, an authenticated encryption scheme supporting sessions and using the synthetic initial value (SIV) technique, robust under nonce repetitions; KravatteKECCAK TEAM
Keccak Team. Xoodoo is a set of 384-bit cryptographic permutations parameterized by their round count. The round function works on 12 words of 32 bits, which makes it efficient even on low-end processors. At the core of Xoodyak and of Xoofff, it has excellent propagationproperties.
KIMPLEMENTATION OVERVIEW 1.Generalaspects K implementationoverview WeobtaintheK spongefunction,withparameterscapacityc andbitrater,ifweapplythespongeconstructiontoK -f[r +c KECCAK TEAMKECCAK 256KECCAK COINKECCAK HASHKECCAK MINING In this post, we highlight another argument why Keccak /SHA-3 is a better choice than SHA-2, namely openness, in analogy with open-source versus closed-source in software development and deployment. Software has two sides: its executable and its source code.KECCAK TEAM
Keccak Team. Keccak is a versatile cryptographic function. Best known as a hash function, it nevertheless can also be used for authentication, (authenticated) encryption and pseudo-random number generation. Its structure is the extremely simple sponge construction and internally it uses the innovative Keccak -f cryptographicpermutation.
KECCAK TEAM
Keccak Team. Different software implementations of Keccak, the standard SHA-3 and SHAKE functions, Ketje, Keyak and Kravatte are available. The first place to look for an implementation is the Keccak Code Package. For reference implementations and tools for cryptanalysis, we propose KeccakTools. There are also plenty ofthird-party
KECCAK TEAM
About us. The Keccak team. From left to right: Michaël Peeters, Guido Bertoni, Joan Daemen, Ronny Van Keer, Gilles Van Assche (at CHES 2015) and Seth Hoffert. We can be KECCAK TEAMSEE MORE ON KECCAK.TEAMKECCAK TEAM
Keccak Team. Xoodyak is a lightweight, versatile, cryptographic scheme suitable in constrained environments. It can be used for hashing, encryption, MAC computation and authenticated encryption. Xoodyak builds upon the Xoodoo permutations and the duplex construction. KECCAK TEAMKECCAK ALGORITHMKECCAK COINSKECCAK HASHKECCAK SHA3 The Keccak - p permutations. Designed by. Guido Bertoni, Joan Daemen, Michaël Peeters and Gilles Van Assche. Parameterized by. The width b and the number of rounds nr. Instances. The instances are denoted Keccak - p . The width b must be 25, 50, 100, 200, 400, 800 or 1600 bits. Some instances can also be equivalently denoted KeccakKECCAK TEAM
The figures above are available under the Creative Commons Attribution 4.0 International License.In short, they can be freely used, but we kindly ask to do the attribution in the figure caption, either by linking to this webpage or by citing the article where the particular figure first appeared. KIMPLEMENTATION OVERVIEW 1.Generalaspects K implementationoverview WeobtaintheK spongefunction,withparameterscapacityc andbitrater,ifweapplythespongeconstructiontoK -f[r +cSPONGE FUNCTIONS
Sponge Functions Guido Bertoni1, Joan Daemen1, Micha¨el Peeters2, and Gilles Van Assche1 gro.noekeon@noekeon.org 1 STMicroelectronics 2 NXP Semiconductors Abstract. A good cryptographic hash function should behave like a random oracle: it should KECCAK TEAMKECCAK 256KECCAK COINKECCAK HASHKECCAK MINING In this post, we highlight another argument why Keccak /SHA-3 is a better choice than SHA-2, namely openness, in analogy with open-source versus closed-source in software development and deployment. Software has two sides: its executable and its source code.KECCAK TEAM
Keccak Team. Keccak is a versatile cryptographic function. Best known as a hash function, it nevertheless can also be used for authentication, (authenticated) encryption and pseudo-random number generation. Its structure is the extremely simple sponge construction and internally it uses the innovative Keccak -f cryptographicpermutation.
KECCAK TEAM
Keccak Team. Different software implementations of Keccak, the standard SHA-3 and SHAKE functions, Ketje, Keyak and Kravatte are available. The first place to look for an implementation is the Keccak Code Package. For reference implementations and tools for cryptanalysis, we propose KeccakTools. There are also plenty ofthird-party
KECCAK TEAM
About us. The Keccak team. From left to right: Michaël Peeters, Guido Bertoni, Joan Daemen, Ronny Van Keer, Gilles Van Assche (at CHES 2015) and Seth Hoffert. We can be KECCAK TEAMSEE MORE ON KECCAK.TEAMKECCAK TEAM
Keccak Team. Xoodyak is a lightweight, versatile, cryptographic scheme suitable in constrained environments. It can be used for hashing, encryption, MAC computation and authenticated encryption. Xoodyak builds upon the Xoodoo permutations and the duplex construction. KECCAK TEAMKECCAK ALGORITHMKECCAK COINSKECCAK HASHKECCAK SHA3 The Keccak - p permutations. Designed by. Guido Bertoni, Joan Daemen, Michaël Peeters and Gilles Van Assche. Parameterized by. The width b and the number of rounds nr. Instances. The instances are denoted Keccak - p . The width b must be 25, 50, 100, 200, 400, 800 or 1600 bits. Some instances can also be equivalently denoted KeccakKECCAK TEAM
The figures above are available under the Creative Commons Attribution 4.0 International License.In short, they can be freely used, but we kindly ask to do the attribution in the figure caption, either by linking to this webpage or by citing the article where the particular figure first appeared. KIMPLEMENTATION OVERVIEW 1.Generalaspects K implementationoverview WeobtaintheK spongefunction,withparameterscapacityc andbitrater,ifweapplythespongeconstructiontoK -f[r +cSPONGE FUNCTIONS
Sponge Functions Guido Bertoni1, Joan Daemen1, Micha¨el Peeters2, and Gilles Van Assche1 gro.noekeon@noekeon.org 1 STMicroelectronics 2 NXP Semiconductors Abstract. A good cryptographic hash function should behave like a random oracle: it shouldKECCAK TEAM
Keccak (pronounced , like “ketchak”) is a family of sponge functions that has been standardized in the form of SHAKE128 and SHAKE256 extendable output functions and of SHA3-224 to SHA3-512 hash functions in FIPS 202, as well as cSHAKE128, cSHAKE256 and other functions in NIST SP 800-185.The text below is a quick description of Keccak using pseudo-code.KECCAK TEAM
Keccak Team. This page lists the scientific papers we wrote and briefly describes what they are about. J. Daemen, S. Hoffert, M. Peeters, G. Van Assche and R. Van Keer, Xoodyak, a lightweight cryptographic scheme, Submission to the NIST Lightweight Cryptography Standardization Process, 2019. In this document, we define the Cyclistmode of
KECCAK TEAM
Synopsis The Keccak-p permutations; Designed by: Guido Bertoni, Joan Daemen, Michaël Peeters and Gilles Van Assche: Parameterized by: The width b and the number of rounds n r: Instances: The instances are denoted Keccak-p.The width b must be 25, 50, 100, 200, 400, 800 or 1600 bits. Some instances can also be equivalently denoted Keccak-f, as listed in the table below.KECCAK TEAM
3GPP TS 35.231 - Specification of the TUAK algorithm set: A second example algorithm set for the 3GPP authentication and key generation functions f1, f1*, f2, f3, f4, f5 and f5*. October 2014 - The 3GPP TS 35.231 standard defines: TUAK, an authentication and key generation algorithm for mobile telephony, based on Keccak.KECCAK TEAM
The figures above are available under the Creative Commons Attribution 4.0 International License.In short, they can be freely used, but we kindly ask to do the attribution in the figure caption, either by linking to this webpage or by citing the article where the particular figure first appeared.KECCAK TEAM
Keccak Team. Xoodoo is a set of 384-bit cryptographic permutations parameterized by their round count. The round function works on 12 words of 32 bits, which makes it efficient even on low-end processors. At the core of Xoodyak and of Xoofff, it has excellent propagationproperties.
KECCAK TEAM
Keccak Team. Keyak is an authenticated encryption scheme based on Keccak - p. It takes as input a *secret and unique value* (SUV), then some associated data (or metadata) that are authenticated but not encrypted and finally some plaintext. It produces a cryptogram comprising the ciphertext and a tag authenticating both the metadataand the
KECCAK TEAM
Keccak Team. KangarooTwelve is a fast and secure extendable-output function (XOF), the generalization of hash functions to arbitrary output lengths. Derived from Keccak, it aims at higher speeds than FIPS 202's SHA-3 and SHAKE functions, while retaining their flexibility and basis of security. On high-end platforms, it can exploit a high degreeKECCAK TEAM
Keccak Team. Kravatte is a deck function, on top of which we define simple modes: Kravatte -SANE, an authenticated encryption scheme supporting sessions, like Ketje and Keyak; Kravatte -SANSE, an authenticated encryption scheme supporting sessions and using the synthetic initial value (SIV) technique, robust under nonce repetitions; Kravatte CRYPTOGRAPHICSPONGEFUNCTIONS Cryptographicspongefunctions 1.Introduction deeplyintothissubject.Ourgoalwastospecifyafunctionthatbehaveslikearandomora-cle* __
* __
* __
TEAM KECCAK
Guido Bertoni3, Joan Daemen2, Seth Hoffert, Michaël Peeters1, Gilles Van Assche1 and Ronny Van Keer1 1STMicroelectronics - 2Radboud University- 3Security Pattern
Toggle navigation __ Team Keccak* Home
* Design
* Schemes
* Keccak
* Ketje
* Keyak
* KangarooTwelve
* Kravatte
*
* Xoofff
* Xoodyak
* Constructions
* Sponge, duplex and variants* Farfalle
* Permutations
* Keccak-_p_
* Xoodoo
* Analysis
* Crunchy contest
* Ketje contest
* Third-party cryptanalysis* Implementation
* Software
* Implementations
* Performance figures* Hardware
* Documentation
* Specifications
* Our papers
* Third-party cryptanalysis*
* Figures
* Glossary
*
* Archives
* About us
HOME
Welcome to the web pages of the Keccak Team! In these pages, you can find information about our different cryptographic schemes and constructions, their specifications, cryptanalysis on them, the ongoing contests and the related scientificpapers.
LATEST NEWS
* 09/03/2020March __ Stateless deck-based modes We often receive questions as to whether DECK-SANSE can be used IN A STATELESS WAY; that is, _for a single message_. A common use case for this is a UDP-based VPN. In such an application, sessions are not feasible due to the lossy/unordered nature of UDP. Thanks to its versatility, Deck-SANSE can be used in such applications with virtually no overhead. Deck-SANSE provides the following features: * Nonce reuse resistance. * If a nonce is present in the associated data, then a t-bit tag gives t-bit security. * Thanks to frame bits, it collapses to a simple MAC if plaintext isnot present.
* Thanks to frame bits, the associated data string is also optional (so for e.g. key wrapping, the mode is efficient). * Both the key schedule and static associated data contribution can be precomputed and reused across multiple messages. * Fully parallelizable in absorption of associated data and plaintext, expansion of keystream and encryption of plaintext. Deck-SANSE wrap function, taking associated data _A_ and plaintext _P_, and returning ciphertext _C_ and tag _T_: IF |_A_| > 0 AND |_P_| > 0 THEN _T_ ← 0^t + F(_P_||010 ∘ _A_||00) _C_ ← _P_ + F(_T_||110 ∘ _A_||00) ELSE IF |_P_| > 0 THEN _T_ ← 0^t + F(_P_||010) _C_ ← _P_ + F(_T_||110)ELSE
_T_ ← 0^t + F(_A_||00)RETURN (_C_,_T_)
* 25/10/2018October __ Kravatte-SANE and -SANSE We released the specifications of two authenticated encryption schemes built on top of Kravatte , namely KRAVATTE-SANE and KRAVATTE-SANSE, replacing Kravatte-SAE and Kravatte-SIV, respectively. The Kravatte-SANE and Kravatte-SANSE schemes both support SESSIONS. Often, one does not only want to protect a single message, but rather a session where multiple messages are exchanged, such as in the Transport Layer Security (TLS) or the Secure Shell (SSH) protocols. Each tag authenticates all messages already sent so far in the session. Examples of session-supporting authenticated encryption schemes include Ketje and Keyak. The SANE and SANSE variants differ in their ROBUSTNESS with respect to nonce misuse. The former relies on user-provided nonces (one per session) for confidentiality, while the latter is more robust against nonce misuse and realizes this by using the SIV MECHANISM. Note that we also specify a tweakable block cipher on top of Kravatte in the original article on Farfalle.
Kravatte-SANE and Kravatte-SANSE fix and obsolete Kravatte-SAE and Kravatte-SIV, respectively. Ted Krovetz pointed out a flaw in the Farfalle-SIV mode and we subsequently found one in Farfalle-SAE. The flaw in Farfalle-SAE is related to sequences of messages with empty plaintexts and/or metadata, while that of Farfalle-SIV follows from the lack of separation between the tag and the keystream generation. (More details can be found in the Xoodoo cookbook , Sections 4.1 and 5.1.) The PERFORMANCE of the new schemes is identical to that of their obsoleted counterparts. Thanks to the high level of parallelism of Kravatte, the SANE and SANSE schemes have excellent software speeds . Optimized code can be found in the extended Keccak code package . * 15/03/2018March __ Results of the Ketje cryptanalysis prize At the rump session of FSE 2018 that took place last week in Brugge, Belgium, we announced the outcome of the KETJE CRYPTANALYSIS PRIZE . There were three submissions: * _Cube-like Attack on Round-Reduced Initialization of Ketje Sr_, by Xiaoyang Dong, Zheng Li, Xiaoyun Wang and Ling Qin, presented at FSE 2017 and published in Volume 2017, Issue 1 of ToSC.
* _New MILP Modeling: Improved Conditional Cube Attacks to Keccak-based Constructions_, by Ling Song, Jian Guo and Danping Shi, available as Cryptology ePrint Archive Report 2017/1030.
* _State-recovery attacks on Modified Ketje Jr_, by Thomas Fuhr, Maria Naya-Plasencia and Yann Rotella, presented at FSE 2018 and published in Volume 2018, Issue 1 of ToSC.
The first two submissions push the boundaries of cube attacks, or more generally, higher-order differential cryptanalysis of round-reduced Keccak-_f_. In Ketje, these attacks always target the initialization phase that applies Keccak-_p_ to the concatenation of a key and a nonce. The algebraic degree of Keccak-_p_, for a small number of rounds, is _d_=2_n_r, so a straightforward higher-order differential attack would require a data complexity of 2_d_ chosen input blocks (e.g., for _n_r=6 rounds, the degree is _d_=64 and the straightforward data complexity is 264). By applying some sophisticated tricks, one can peel off one or two rounds resulting in much lower data complexities. The first two submissions achieve this by exploiting specific propagation properties of the round function. The third submission is the first to attack the encryption/decryption phase of Ketje Jr. In this phase, a known-plaintext attacker gets the value of the first _r_=16 bits of the state for every round of Keccak-_f_. Information-theoretically _n_=200/16=12.5 such blocks would be sufficient to break Ketje by state recovery, but the computational difficulty increases quickly with _n_. This submission investigates weakened versions of Ketje Jr with increased rates: _r_=32 and _r_=40 bits and break the security claim. The attacks confirm that the tweak between Ketje v1 and Ketje v2 results in an increase in safety margin. These three attacks add to the already substantial amount of cryptanalysis of the Keccak-_f_ permutation in a keyed setting. They enforce the positions of Ketje (and Keyak) as being among the most cryptanalyzed authenticated ciphers. Given these nice results, we decided to award all three submissions. For practical reasons, the contestants of the first two entries got Belgian chocolates, while those of the latter received Belgian beer. Everyone's a winner in this contest. CONGRATULATIONS TO ALL! * 06/12/2017December __ Farfalle construction and Kravatte pseudo-random function We are glad to announce the final version of the Farfalle construction and of the Kravatte pseudo-random function and encryption schemes. First published in late 2016 on IACR ePrint, an update of our paper _Farfalle: parallel permutation-based cryptography_ was accepted at the journal Transactions on Symmetric Cryptography (ToSC) . We will present it at the yearly Fast Software Encryption (FSE) conference in Brugge, Belgium, in March2018.
* FARFALLE is a new generic construction for building a pseudo-random function (PRF) exploiting the parallel evaluation of a cryptographic permutation. The PRF takes as input a key and a sequence of arbitrary-length data strings, and returns an arbitrary-length output. To an adversary not knowing the key, these output bits look like independent uniformly-drawn random bits. Farfalle can readily be used for stream encryption and MAC computation, and we define several modes for authenticated encryptionon top of it.
* KRAVATTE is a high-speed instance of Farfalle based on Keccak-_p_ permutations, claimed to resist against classical and quantum adversaries. Modes for authentication, encryption and authenticated encryption are defined accordingly. In the last couple of months, we applied some changes to both Farfalle and Kravatte1. This was due to prompt third-party cryptanalysis by different researchers. First Ling Song and Jian Guo contacted us with a key recovery cube attack on the (full) previous version of Kravatte. Then a second team of cryptanalysts (who wish to stay anonymous at this point, as their paper is under submission) sent us the description of even more powerful attacks targeting the expansion layer specifically. Consequently, we modified Kravatte by taking 6 rounds for all four permutation instances. And to counteract the attacks of the second team, we made a more fundamental change by adopting a non-linear rolling function in the expansion layer. We realize that switching from a linear rolling function to a non-linear one is a change in philosophy, and we discuss it in the paper. The optimized code in the KCPand the reference
implementation in KeccakToolsare in sync.
1To distinguish the latest version of Kravatte from the previous one, we call it Kravatte Achouffe. * 26/09/2017September __ Keccak: open-source cryptography If SHA-2 is not broken, why would one switch to SHA-3 and not just stay with SHA-2? In this post, we highlight another argument why Keccak/SHA-3 is a better choice than SHA-2, namely OPENNESS, IN ANALOGY WITH OPEN-SOURCE versus closed-source in software developmentand deployment.
Software has two sides: its executable and its source code. The former is used as a black box by the users, while the latter is of interest to developers who want to extend it, to understand its inner workings or to make sure there is no obvious malicious code. As an analogy, we see the specification of the cryptographic primitive, mode or algorithm in a (proposed) cryptographic standard as the counterpart of the software executable: It allows everyone to include the cryptographic object, as is, in his/her project. The counterpart of the source code in cryptography would be the design rationale, preliminary cryptanalysis and evidence of extensive third-party cryptanalysis: These are THE ELEMENTS THAT GIVE INSIGHT INTO THE INNER WORKINGS AND ULTIMATELY TRUST. The transition of cryptography from a proprietary activity to a scientific one in the last 50 years can be seen as a move from closed-source to open-source in this analogy. Surprisingly, there are exceptions and we still see closed-source cryptography today. The SHA-1 and SHA-2 NIST standard hash functions were designed behind closed doors at NSA. The standards were put forward in 1995 and 2001 respectively, without public scrutiny of any significance, despite the fact that at time of publication there was already a considerable cryptographic community doing active research on this subject. Even the 2015 update of FIPS 180, the
standard that specifies SHA-2, does not contain, nor refer to, adesign rationale.
In contrast, SHA-3 is the result of AN OPEN CALL OF NIST TO THE CRYPTOGRAPHIC COMMUNITY for hash function proposals. There was no restriction on who could participate, so submissions were open in the broadest possible sense. Every submitted candidate algorithm had to contain a description, a design rationale and preliminary cryptanalysis. The authors of the 64 submissions included the majority of people active in open symmetric crypto research at the time. NIST solicited the symmetric crypto community for performing and publishing research in cryptanalysis, implementations, proofs and comparisons of the candidates and based its decision on the results. After a three-round process involving hundreds of people in the community for several years, NIST finally announced that Keccak was selected to become the SHA-3 standard. The open effort of the symmetric crypto community did not stop there. Since then, Keccak has remained under public scrutiny and new papers appear regularly . Paper after paper confirms the large safety margin of Keccak. What is important, is that these papers reach a high degree of sophistication as research can start from the preliminary cryptanalysis that we provided in our SHA-3 submissiondocument .
It is true that cryptanalysis of MD5, SHA-1 and SHA-2 has also reached a high degree of sophistication. However, this took longer to develop due to the absence of rationale and preliminary cryptanalysis, but also due to the adoption of the ARX design methodology.
SHA-2 is essentially a security patch of SHA-1 while SHA-3 is its open-source alternative, much in the same way that Triple-DES is a security patch for DES and AES the open-source alternative. IN RETROSPECT, EVEN IF TRIPLE-DES IS NOT BROKEN, WOULD YOU STILL RECOMMEND NOT TO SWITCH TO AES?NEWS ARCHIVES
* 2020
* 2018
* 2017
* 2016
* 2015
* 2014
* 2013
* 2012
* 2011
* 2010
* 2009
* 2008
Unless otherwise specified, the contents and files within the domain keccak.team are © 2008-2020 Guido Bertoni, Joan Daemen, Seth Hoffert, Michaël Peeters, Gilles Van Assche and Ronny Van Keer . Webmaster: Benoit Viguier .__
Details
Copyright © 2024 ArchiveBay.com. All rights reserved. Terms of Use | Privacy Policy | DMCA | 2021 | Feedback | Advertising | RSS 2.0