William Stallings
The National Institute of Standards and Technology (NIST) has selected a new cryptographic hash algorithm through a public competition. The new hash algorithm is referred to as the Secure Hash Algorithm 3 (SHA-3) and is intended to complement the SHA-2 hash algorithms currently specified in Federal Information Processing Standard (FIPS) 180-3, Secure Hash Standard. The selected algorithm is intended to be suitable for use by the U.S. government as well as the private sector and is available royalty-free worldwide.

The winning design for SHA-3 was announced by NIST in October 2012. This article examines the internal structure and functions of SHA-3 and talks about its future role in cryptographic and security products.

SHA-3 origins

Throughout the 1990s, first MD5 and then SHA-1 were deployed in a wide variety of cryptographic applications and security protocols. By 2004, however, MD5 had been effectively "broken." In 2005, NIST announced the intention to phase out approval of SHA-1 and move to a reliance on SHA-2 by 2010. Shortly thereafter, a research team described an attack in which two separate messages could be found that deliver the same SHA-1 hash using 2^69 operations, far fewer than the 2^80 operations previously thought needed to find a collision with an SHA-1 hash.

SHA-2, particularly the 512-bit version, would appear to provide unassailable security. However, SHA-2 shares the same structure and mathematical operations as SHA-1 and MD5, and this is a cause for concern. Because it could take years to find a suitable replacement for SHA-2, should it become vulnerable, NIST decided to begin the process of developing a new hash standard. Accordingly, NIST announced in 2007 a competition to produce the next generation NIST hash function, to be called SHA-3. NIST completed its evaluation process and announced a final

NOVEMBER/DECEMBER 2013
input and arbitrary output length based on a fixed-length transformation or permutation f operating on a fixed number b of bits.

SHA-3 makes use of an iteration function f, labeled Keccak-f, which is described in the next section. The overall SHA-3 function is a sponge function expressed as Keccak[r, c] to reflect that SHA-3 has two operational parameters, r, the message block size, and c, the capacity. For SHA-3, the values of c and r determine the hash size n, as follows (in every case r + c = b = 1,600 bits, the width of the state that f operates on):
• n = 224, r = 1152, c = 448
• n = 256, r = 1088, c = 512
• n = 384, r = 832, c = 768
• n = 512, r = 576, c = 1024.
In terms of the sponge algorithm defined above, Keccak[r, c] is defined as

Fig. 3 The SHA-3 state matrix. (a) State variable as a 5 × 5 matrix of 64-bit words, the lanes L[x, y] with x = 0..4 (columns) and y = 0..4 (rows), and (b) bit labeling a[x, y, z], z = 0..63, within each 64-bit word.
[Figure: the Keccak-f round as a sequence of five step functions, θ (theta), ρ (rho, which uses the rotation offsets ROT[x, y]), π (pi), χ (chi), and ι (iota, which injects the round constant RC[i]), applied in each of rounds 0 through 23.]

iterations until we have (j − 1) · r < ℓ ≤ j · r. At this point the first ℓ bits of the concatenated block Y are returned.

Note that the absorbing phase has the structure of a typical hash function. A common case will be one in which the desired hash length is less than or equal to the input block length; that is, ℓ ≤ r. In that case, the sponge construction terminates after the absorbing phase. If a longer output than r bits is required, then the squeezing phase is employed. Thus the

The SHA-3 iteration function f

The iteration function Keccak-f processes each successive block of the input message. Recall that f takes as input a 1,600-bit variable s consisting of r bits, corresponding to the message block size, followed by c bits, referred to as the capacity. For internal processing within f, the input state variable s is organized as a 5 × 5 × 64 array a. The 64-bit units are referred to as lanes. For our purposes, we generally use the notation a[x, y, z] to refer to an individual bit in the state array. When we are more concerned with operations that affect entire lanes, we designate the 5 × 5 matrix as L[x, y], where each entry in L is a 64-bit lane. The use of indices within this matrix is shown in Fig. 3. Thus, the columns are labeled x = 0 through x = 4,

$$
\begin{pmatrix} x \\ y \end{pmatrix} = \begin{pmatrix} 0 & 1 \\ 2 & 3 \end{pmatrix}^{t} \begin{pmatrix} 1 \\ 0 \end{pmatrix} \quad \text{in } GF(5)^{2 \times 2}
$$

$$
\bigoplus_{y'=0}^{4} a[(x-1), y', z]
$$

This can be rewritten as (x, y) → (y, (2x + 3y)). Thus, the lanes within the
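The sponge construction and the Keccak-f round described above, carried through in working code: this is an added example in Python, not code from the article or from the Keccak designers. It implements the five step functions on the 5 × 5 lane matrix L[x, y] (θ using column parities, ρ with the standard rotation offsets ROT[x, y], π as the lane move (x, y) → (y, 2x + 3y) mod 5, χ, and ι with the standard round constants RC[i]), wraps them in Keccak[r, c] with the r values from the table in the text and c = 1600 − r, and checks its output against Python's hashlib. It assumes the FIPS 202 conventions for padding and domain separation (suffix byte 0x06 for SHA-3, 0x1F for SHAKE, then pad10*1); the names keccak_f1600, sponge, sha3, shake128, matches_hashlib, RHO and RC are this example's own, and the sample inputs are constructed.

```python
"""Keccak[r, c] sponge and Keccak-f[1600], written from scratch as an added example.

Not code from the article or from the Keccak team.  Uses the FIPS 202 conventions
(SHA-3 suffix 0x06, SHAKE suffix 0x1F, then pad10*1) so results can be checked
against hashlib.  Function and table names are this example's own.
"""
import hashlib

# rho step: rotation offsets ROT[x, y] from the Keccak specification, indexed RHO[x][y]
RHO = [
    [0, 36, 3, 41, 18],
    [1, 44, 10, 45, 2],
    [62, 6, 43, 15, 61],
    [28, 55, 25, 21, 56],
    [27, 20, 39, 8, 14],
]
# iota step: round constants RC[i] for rounds 0..23
RC = [
    0x0000000000000001, 0x0000000000008082, 0x800000000000808A, 0x8000000080008000,
    0x000000000000808B, 0x0000000080000001, 0x8000000080008081, 0x8000000000008009,
    0x000000000000008A, 0x0000000000000088, 0x0000000080008009, 0x000000008000000A,
    0x000000008000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003,
    0x8000000000008002, 0x8000000000000080, 0x000000000000800A, 0x800000008000000A,
    0x8000000080008081, 0x8000000000008080, 0x0000000080000001, 0x8000000080008008,
]
B_BITS = 1600                      # width b of the permutation: 25 lanes of 64 bits
MASK64 = (1 << 64) - 1
SHA3_RATE = {224: 1152, 256: 1088, 384: 832, 512: 576}   # r for each n; c = 1600 - r


def rot(lane, n):
    """Rotate a 64-bit lane left by n bits: bit z moves to bit (z + n) mod 64."""
    return ((lane << n) | (lane >> (64 - n))) & MASK64 if n else lane


def keccak_f1600(L):
    """One Keccak-f[1600] permutation of the 5 x 5 lane matrix L[x][y]; returns a new matrix."""
    for rnd in range(24):
        # theta: XOR into each lane the parity of column x-1 and the rotated parity of column x+1
        C = [L[x][0] ^ L[x][1] ^ L[x][2] ^ L[x][3] ^ L[x][4] for x in range(5)]
        D = [C[(x - 1) % 5] ^ rot(C[(x + 1) % 5], 1) for x in range(5)]
        L = [[L[x][y] ^ D[x] for y in range(5)] for x in range(5)]
        # rho then pi: rotate each lane by ROT[x, y], then move it from (x, y) to (y, 2x + 3y) mod 5
        B = [[0] * 5 for _ in range(5)]
        for x in range(5):
            for y in range(5):
                B[y][(2 * x + 3 * y) % 5] = rot(L[x][y], RHO[x][y])
        # chi: the only nonlinear step; each lane is combined with the next two lanes in its row
        L = [[B[x][y] ^ (~B[(x + 1) % 5][y] & B[(x + 2) % 5][y]) for y in range(5)]
             for x in range(5)]
        # iota: XOR the round constant into lane [0, 0] so rounds are not identical
        L[0][0] ^= RC[rnd]
    return L


def sponge(msg, r, out_bytes, suffix):
    """Keccak[r, c]: absorb r-bit blocks into the 1600-bit state, then squeeze out_bytes."""
    c = B_BITS - r
    assert c > 0 and r % 64 == 0, "r must leave a positive capacity and be a whole number of lanes"
    rate = r // 8
    # multi-rate padding: domain-separation suffix bits, then 10*1 up to the block boundary
    padded = bytearray(msg) + bytes([suffix])
    padded += b"\x00" * (-len(padded) % rate)
    padded[-1] |= 0x80
    L = [[0] * 5 for _ in range(5)]
    # absorbing phase: XOR each block into the first r bits only (lane i = x + 5y, little-endian)
    for off in range(0, len(padded), rate):
        for i in range(rate // 8):
            L[i % 5][i // 5] ^= int.from_bytes(padded[off + 8 * i:off + 8 * i + 8], "little")
        L = keccak_f1600(L)
    # squeezing phase: emit r bits; permute again only if more output is wanted. The c
    # capacity bits are never read out, which is what the security argument rests on.
    out = bytearray()
    while True:
        for i in range(rate // 8):
            out += L[i % 5][i // 5].to_bytes(8, "little")
        if len(out) >= out_bytes:
            return bytes(out[:out_bytes])
        L = keccak_f1600(L)


def sha3(n, msg):
    """SHA3-n: r from the table in the text, c = 1600 - r; n <= r, so one squeeze suffices."""
    return sponge(msg, SHA3_RATE[n], n // 8, 0x06)


def shake128(msg, out_bytes):
    """SHAKE128 (r = 1344, c = 256): outputs longer than r bits exercise the squeezing phase."""
    return sponge(msg, 1344, out_bytes, 0x1F)


def matches_hashlib():
    """Cross-check every SHA-3 size and a long SHAKE output against Python's hashlib."""
    samples = [b"", b"abc", bytes(range(256)) * 3]   # constructed inputs; the last spans many blocks
    for m in samples:
        for n in SHA3_RATE:
            if sha3(n, m) != getattr(hashlib, "sha3_%d" % n)(m).digest():
                return False
        if shake128(m, 300) != hashlib.shake_128(m).digest(300):   # 300 > 168-byte rate
            return False
    return True


if __name__ == "__main__":
    print("SHA3-256(abc) =", sha3(256, b"abc").hex())
    print("hashlib agrees:", matches_hashlib())
```

For the four SHA-3 sizes the requested length ℓ = n never exceeds r, so the construction ends after the absorbing phase, exactly as the text says; the shake128(m, 300) call asks for 300 bytes from a 168-byte rate and so runs keccak_f1600 once more inside the squeezing loop. Nothing in either phase reads the c capacity bits out of the state, which is what separates a sponge from the SHA-2 style chaining the article contrasts it with.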
The future of SHA-3

NIST published SHA-3 as a draft standard for public comment in the latter part of 2013. As of this writing, it is expected that the final standard will be published by the middle of 2014. It may be some time before we see commercially available implementations in cryptographic algorithms and protocols. And because SHA-2 continues to be viewed as secure, it is unlikely that SHA-3 will completely supplant SHA-2. But, with its high level of security, its implementation efficiency, and the prestige of having prevailed in a competition, SHA-3 is likely to become a widely used hash function. An additional advantage of having both SHA-2 and SHA-3 as standard hash functions is that the two hash functions have fundamentally different structures and use quite different mathematical operations. Thus, any cryptanalytic attack that is developed that tends to weaken one of the two hash functions is unlikely to be useful against the other.

Acknowledgment

I would like to thank the designers of Keccak, who reviewed a draft of this article.

Fig. 5 Theta and chi step functions, shown on the 5 × 5 lane matrix L[x, y] for the lane L[2, 3]. (a) θ step function: L[2, 3] becomes L[2, 3] ⊕ C[1] ⊕ ROT(C[3], 1), where C[x] is the parity (XOR) of the five lanes in column x. (b) χ step function: L[2, 3] becomes L[2, 3] ⊕ (¬L[3, 3] AND L[4, 3]).

Fig. 6 Pi step function. (a) Lane position at the start of step and (b) lane position after the permutation.
About the author

William Stallings (wllmst@me.com) is a consultant, lecturer, and author of numerous computer science textbooks on cryptography, computer organization, operating systems, and computer networking. His latest book is Cryptography and Network Security (Pearson, 2013). He created and maintains the Computer Science Student Resource Site at ComputerScienceStudent.com. This site provides documents and links on a variety of subjects of general interest to computer science students (and professionals). He is a member of the editorial board of Cryptologia, a scholarly journal devoted to all aspects of cryptology.
with SB Chapters and Chapters within your Section that align with the technical interests of IEEE, offers you, and your IEEE SB, maximum support and maximum exposure to the larger IEEE.

As a student, have you ever attended a Section meeting or any Section event? Do you invite your Section leaders to your IEEE SB events? The benefits of interaction between an IEEE Section and an IEEE SB include:
• increased number of successful Section and SB events and meetings with increased attendance
• open doors for meetings, networking opportunities, and other events held jointly between Sections and SBs
• future skilled volunteers for the Section as students graduate and elevate to higher grade membership
• potential increase in the number of active Chapters in SBs and Sections.

Some ideas for IEEE Section and IEEE SB engagement include:
• holding Section Executive Committee meetings at universities
• having a student serve on the Section ExCom as a voting member
• the Section providing a mentor for the SB
• planning and holding joint Section and SB technical activities and professional awareness activities, such as a Student Professional Awareness Conference
• SBs can request modest funding support from Sections for specific campus events.

I encourage you, as an IEEE SB, to reach out to your local Section and build a relationship with them. The potential benefits are worth the effort to engage.

IEEE SB AWARDS: The Student Activities Committee (SAC) is pleased to announce this year's recipients of the SAC Awards. There were a total of five awards for which students were eligible to submit nominations. Each award recognizes a different area of student leadership and success. The SAC is also pleased to report that there was a 200% increase in nominations received for this year's award cycle compared to the previous year. Please check the Student Activities Web site (www.ieee.org/students) for a list of all recipients of the following awards:
• IEEE Student Enterprise Award
• Larry K. Wilson Regional Student Activities Award
• IEEE Regional Exemplary Student Branch Award
• IEEE Outstanding Branch Counselor and Advisor Award Recognition Program
• The Darrel Chong Student Activity Award.

The nomination process for the upcoming year will begin in November 2013 with all nominations due by February 2014. Please check https://ieee-student-awards.myreviewroom.com for more details and specific deadlines. If you have questions regarding the awards program, please contact student-services@ieee.org.

I like to close out each of my columns in the same manner—with a request to please drop me a note at any time to share your thoughts on the value of your IEEE student membership and to share a story or example of what your IEEE membership engagement means to you. I would also like to hear about how your IEEE SB has successfully interacted with your IEEE Section.

John Paserba
IEEE MGA Chair—Student Activities
(j.paserba@ieee.org)