Portfolio of optimized cryptographic functions based on Keccak
- Track: Security and Encryption
- Room: Janson
- Day: Sunday
- Start: 10:00
- End: 10:50
Since its adoption as the SHA-3 standard, Keccak has grown out of the mere hashing functionality. We present a consistent set of cryptographic functions, for fast hashing, pseudo-random bit generation, authentication or authenticated encryption, that enjoy very competitive safety margin vs speed ratios. We highlight the bases for the security of these functions and dive into their software implementations.
Beyond the FIPS 202 standard functions derived from Keccak (i.e., SHA-3 hash functions and SHAKE{128,256} extendable output functions), we present several interesting proposals, consistently based on the same permutation or its round function. Among others:
- For authenticated encryption, Ketje and Keyak are schemes that were selected for the third round of the CAESAR competition. In particular, Keyak proposes interesting features when protecting a stream of data flowing on a network. It exploits the parallelism in modern processors to achieve a high throughput.
- KangarooTwelve is a recently published arbitrary-output-length hash function. We designed it so that the implementation can automatically adapt to the available degree of parallelism. On Intel's Haswell and Skylake architectures, it achieves a speed below 1.5 cycles/byte for long inputs.
Two key aspects will be covered.
First, the essential goal of these functions is to remain secure despite advances in cryptanalysis. We will explain explain how we base the security on two strong pillars: the track record of third-party cryptanalysis and the generic security of the underlying construction.
Second, we will explore the Keccak Code Package and its two-level structure. The high-level cryptographic services are implemented in plain C, without any specific optimizations. The low-level services implement the permutations and the state input/output functions, for which we provide optimized code for different platforms. Another interesting topic to discuss is how the parallelism is exploited on modern processors with SIMD units.
Speakers
Gilles Van Assche |