Secure Hash Algorithm-3 (SHA-3) family

references:

  1. Bertoni G, Daemen J, Peeters M, et al. Keccak[C]//Advances in Cryptology–EUROCRYPT 2013: 32nd Annual International Conference on the Theory and Applications of Cryptographic Techniques, Athens, Greece, May 26-30, 2013. Proceedings 32. Springer Berlin Heidelberg, 2013: 313-314.
  2. Dworkin M J. SHA-3 standard: Permutation-based hash and extendable-output functions[J]. 2015.


On October 2, 2012, Keccak was selected as the winner of the NIST (National Institute of Standards and Technology) hash function competition. SHA-3 is not intended to replace SHA-2, because SHA-2 does not exhibit significant weaknesses. Because MD5 and SHA-1 had been successfully broken, NIST felt the need for a cryptographic hash algorithm that is an alternative to the previous ones, namely SHA-3.

permutation function

The permutation function is $KECCAK\text{-}p[b,n_r]$, where $n_r$ is the number of rounds and $b \in \{25,50,100,200,400,800,1600\}$ is the width.


The state is a three-dimensional array of size $5 \times 5 \times w$. Its two-dimensional sub-arrays are called sheets, planes, and slices, and its one-dimensional sub-arrays are called rows, columns, and lanes.


$KECCAK\text{-}p[b,n_r]$ consists of $n_r$ iterations; in each iteration the state array $A$ undergoes the $\theta,\rho,\pi,\chi,\iota$ transformations:

$$Rnd(A,i_r) = \iota(\chi(\pi(\rho(\theta(A)))),i_r)$$

I have not explored the specific transformations. Readers who are interested can check the SHA-3 standard document by themselves.

Also define

$$KECCAK\text{-}f[b] = KECCAK\text{-}p[b,12+2l]$$

In particular, $KECCAK\text{-}f[1600] = KECCAK\text{-}p[1600,24]$.

sponge structure

The sponge construction consists of two steps, absorbing and squeezing, and is defined as $SPONGE[f,pad,r](N,d)$, where:

  • Fixed-length permutation function $f$
  • Rate $r < b$; $c = b - r$ is called the capacity
  • Padding rule $pad$
  • Input bit string $N$
  • Output bit length $d$


In the absorbing phase, the input bit string $N$ is padded and divided into several blocks of length $r$; each block is XORed with the chaining variable, and the result is used as the input of the permutation function. In the squeezing phase, the chaining variable is used directly as the input each time, and the first $r$ bits of the output chaining variable are taken as an output block. Finally, a prefix of $d$ bits is taken as the final output.

KECCAK is the family of sponge constructions built on the $KECCAK\text{-}f[b]$ permutation, with the padding rule $pad10^*1$ (i.e., appending a bit string of the form $1\|0\cdots0\|1$). Its $b$ can be any value from $\{25,50,100,200,400,800,1600\}$; if you set $b=1600$, then:

$$KECCAK[c](N,d) = SPONGE[KECCAK\text{-}p[1600,24],\; pad10^*1,\; 1600-c](N,d)$$

Hash & XOF

Cryptographic hash functions: SHA3-224, SHA3-256, SHA3-384, SHA3-512.

Use the KECCAK function with $c=2d$, and set $N=M\|01$ (a two-bit suffix):

  • $\text{SHA3-224}(M) = KECCAK[448](M\|01,224)$, the length of the digest is $224$ bits
  • $\text{SHA3-256}(M) = KECCAK[512](M\|01,256)$, the length of the digest is $256$ bits
  • $\text{SHA3-384}(M) = KECCAK[768](M\|01,384)$, the length of the digest is $384$ bits
  • $\text{SHA3-512}(M) = KECCAK[1024](M\|01,512)$, the length of the digest is $512$ bits

Extendable-output functions (XOF): SHAKE128, SHAKE256.

Use the KECCAK function and set $N=M\|1111$ (a four-bit suffix):

  • $\text{SHAKE128}(M,d) = KECCAK[256](M\|1111,d)$, the parameters are $b=1600, c=256$, and the length of each output block is $r=1344$ bits
  • $\text{SHAKE256}(M,d) = KECCAK[512](M\|1111,d)$, the parameters are $b=1600, c=512$, and the length of each output block is $r=1088$ bits
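
The sponge construction and the SHA3/SHAKE parameter choices above, as an added Python example that is not part of the original post: it implements $SPONGE[KECCAK\text{-}p[1600,24], pad10^*1, 1600-c]$ for byte-aligned messages. It goes beyond the text by spelling out the five round transformations as given in the SHA-3 standard; the names `rol`, `keccak_f1600`, `keccak`, `sha3`, `shake` and `matches_hashlib` are chosen for this example.

```python
import hashlib

def rol(v, n):
    n %= 64
    return ((v << n) | (v >> (64 - n))) & (2**64 - 1)

def keccak_f1600(A):
    """KECCAK-p[1600, 24] on 25 lanes of 64 bits; lane (x, y) is stored at A[x + 5*y]."""
    A, lfsr = list(A), 1
    for _ in range(24):
        C = [A[x] ^ A[x + 5] ^ A[x + 10] ^ A[x + 15] ^ A[x + 20] for x in range(5)]
        D = [C[(x + 4) % 5] ^ rol(C[(x + 1) % 5], 1) for x in range(5)]
        A = [A[i] ^ D[i % 5] for i in range(25)]                       # theta
        x, y, cur = 1, 0, A[1]
        for t in range(24):                                            # rho and pi
            x, y = y, (2 * x + 3 * y) % 5
            cur, A[x + 5 * y] = A[x + 5 * y], rol(cur, (t + 1) * (t + 2) // 2)
        A = [A[i] ^ (~A[(i+1) % 5 + i//5*5] & A[(i+2) % 5 + i//5*5]) for i in range(25)]  # chi
        for j in range(7):                                             # iota (round constant)
            lfsr = ((lfsr << 1) ^ ((lfsr >> 7) * 0x71)) % 256
            if lfsr & 2:
                A[0] ^= 1 << ((1 << j) - 1)
    return A

def keccak(c, msg, suffix, d):
    """KECCAK[c](N, d), c and d in bits; suffix = domain bits plus first pad bit, LSB first."""
    r = (1600 - c) // 8                               # rate in bytes
    padded = bytearray(msg) + bytes([suffix])         # M || suffix || 1
    padded += bytes(-len(padded) % r)                 # 0...0 up to a multiple of r
    padded[-1] ^= 0x80                                # final 1 of pad10*1
    A, out = [0] * 25, b""
    for off in range(0, len(padded), r):              # absorbing: XOR block into state, permute
        blk = padded[off:off + r].ljust(200, b"\0")
        A = keccak_f1600([A[i] ^ int.from_bytes(blk[8*i:8*i+8], "little") for i in range(25)])
    while True:                                       # squeezing: take r bytes per permutation
        out += b"".join(lane.to_bytes(8, "little") for lane in A)[:r]
        if len(out) >= d // 8:
            return out[:d // 8]                       # keep the first d bits
        A = keccak_f1600(A)

def sha3(d, msg):                # SHA3-d(M) = KECCAK[2d](M || 01, d)
    return keccak(2 * d, msg, 0x06, d)

def shake(c, msg, d):            # SHAKE128: c = 256, SHAKE256: c = 512; suffix 1111
    return keccak(c, msg, 0x1F, d)

def matches_hashlib(m):          # cross-check against the standard library
    return (sha3(256, m) == hashlib.sha3_256(m).digest()
            and shake(256, m, 4000) == hashlib.shake_128(m).digest(500))
```

The bytes `0x06` and `0x1F` are the suffixes `01` and `1111` followed by the first `1` of $pad10^*1$, written least-significant bit first. A 4000-bit SHAKE128 output spans more than one 1344-bit block, so the comparison exercises the squeezing loop as well.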


Origin blog.csdn.net/weixin_44885334/article/details/128834007