Shabal

The Third SHA-3 Candidate Conference

Jeff — Thu, 07 Apr 2011 08:18:13 +0000

The Third SHA-3 Candidate Conference will be held in the Metropolitan Washington Area on March 22-23, 2012, following FSE 2012. The purpose of the conference is to discuss the SHA-3 finalist algorithms, and to solicit public feedback before NIST selects a winning algorithm for standardization later in 2012.

Call for Papers

And the finalists are…

Jeff — Mon, 13 Dec 2010 09:31:58 +0000

NIST announced the name of the SHA-3 candidates accepted for the final round. Shabal is not selected… We wait for the NIST report on the selection of the SHA-3 finalists.
Thanks to our supporters and congratulations to the finalists!

De : hash-forum@nist.gov [mailto:hash-forum@nist.gov] De la part de Burr, William E.
Envoyé : jeudi 9 décembre 2010 23:25
À : Multiple recipients of list
Objet : The SHA-3 Finalists

NIST has selected five SHA-3 candidate algorithms to advance to the third (and final) round:

BLAKE
Grøstl
JH
Keccak
Skein

The selection was challenging, because we had a strong field of fourteen hash algorithms remaining in the SHA-3 competition that were very strong contenders for the hash function standard. Security was our greatest concern, and we took this very seriously, but none of these candidates was clearly broken. However, it is meaningless to discuss the security of a hash function without relating security to performance, so in reality, NIST wanted highly secure algorithms that also performed well. We preferred to be conservative about security, and in some cases did not select algorithms with exceptional performance, largely because something about them made us “nervous,” even though we knew of no clear attack against the full algorithm.

Performance is multidimensional: no algorithm excelled in every dimension. Every second-round candidate achieved at least tolerable performance on mainstream desktop or server systems, although the performance range was significant. There were bigger differences on constrained platforms and in hardware, where area is as much a performance factor as speed. A couple of algorithms were wounded or eliminated by very large area requirements – it seemed that the area they required precluded their use in too much of the potential application space. Some algorithms allowed very high levels of fine-grain parallelism that could be realized well with hardware, some exploited parallelism with vector units, and some seemed to fully exploit the considerable parallelism that can be achieved by conventional superscalar arithmetic logic units (ALUs) that can simultaneously launch several instructions per clock cycle. Several algorithms also exploited the power of 64-bit-wide ALUs.

No algorithm survived to become a finalist that did not have a clear round structure that could be readily adjusted to trade security for performance. NIST eliminated several algorithms because of the extent of their second-round tweaks or because of a relative lack of reported cryptanalysis – either tended to create the suspicion that the design might not yet be fully tested and mature. NIST was generally comfortable with tweaks to the number of rounds or to constants, but more suspicious of changes that seemed to affect the structure of the compression functions.

Some teams announced the tweaks that they would make if they were selected for the final round. NIST evaluated the second-round submissions, but not the proposed tweaks. However, we did consider whether the best attacks on some of the candidates seemed amenable to mitigation by a simple modification.

NIST also considered diversity in the selection of the finalists. The selected five finalists incorporated a number of new design ideas that have arisen in the last few years, such as the HAIFA and sponge hash constructions. The finalists include designs whose nonlinearity is based on the AES S-box, on a smaller (4- or 5-bit wide) S-box efficiently implemented as a sequence of basic logical instructions, and on the interaction between addition and XOR operations.

NIST thanks the submitters of all fourteen second-round candidates. Every second-round candidate was a very professional effort, and every candidate had strong features to recommend it. We also thank the many individuals and organizations who helped with the cryptanalysis of the candidates, or who provided performance data from their own implementations of the candidate algorithms. This selection would not have been possible without their help.

NIST will publish a report on the selection of the SHA-3 finalists in the near future that explains the rationale for the selections on an algorithm-by-algorithm basis.

If tweaks are being considered for the final round, the submissions are due on January 16, 2011. Specific submission requirements will be provided to the designers of the five SHA-3 finalists.

Bill Burr

William E. Burr

Manager, Cryptographic Technology Group

NIST

Phone: 301-975-2914

Fax: 301-975-8670

Compact Implementations of Shabal

Jeff — Tue, 12 Oct 2010 13:50:54 +0000

Compact implementations of hash functions promote performance, by reducing pressure on L1 cache, and allow for easier integration on platforms with stringent constraints on code size. We present here some implementations of the Shabal hash function, optimized for code compactness. Two portable C implementations are provided, as well as specialized implementations in assembly for several architectures (32-bit and 64-bit x86, 32-bit PowerPC, big-endian and little-endian ARM, big-endian and little-endian 32-bit MIPS, and AVR8 microcontrollers).

All specialized implementations fit in less than one kilobyte of code, down to less than half a kilobyte on some platforms (e.g. 404 bytes for ARM-Thumb, 450 bytes on 32-bit x86). They nonetheless provide at least 60% of the speed achieved by optimized, unrolled C code on the same platforms. Moreover, these implementations all follow coding rules which make them immediately applicable to any application: the API is reentrant and thread-safe, it supports streaming operations, and the code is position-independent (it can be used in DLL). Each implementation simultaneously supports Shabal for all the 16 defined output sizes (all multiples of 32, from 32 to 512 bits), which includes the four standard SHA-3 output sizes (224, 256, 384 and 512 bits).

Download: Compact Implementations of Shabal (273)

Compact implementations of hash functions promote performance, by

reducing pressure on L1 cache, and allow for easier integration on

platforms with stringent constraints on code size. We present here some

implementations of the Shabal hash function, optimized for code

compactness. Two portable C implementations are provided, as well as

specialized implementations in assembly for several architectures

(32-bit and 64-bit x86, 32-bit PowerPC, big-endian and little-endian

ARM, big-endian and little-endian 32-bit MIPS, and AVR8

microcontrollers).

All specialized implementations fit in less than one kilobyte of code,

down to less than half a kilobyte on some platforms (e.g. 404 bytes for

ARM-Thumb, 450 bytes on 32-bit x86). They nonetheless provide at least

60% of the speed achieved by optimized, unrolled C code on the same

platforms. Moreover, these implementations all follow coding rules which

make them immediately applicable to any application: the API is

reentrant and thread-safe, it supports streaming operations, and the

code is position-independent (it can be used in DLL). Each

implementation simultaneously supports Shabal for all the 16 defined

output sizes (all multiples of 32, from 32 to 512 bits), which includes

the four standard SHA-3 output sizes (224, 256, 384 and 512 bits).

Two optimized implementations for PowerPC platforms

admin — Mon, 04 Oct 2010 11:58:52 +0000

We present here two optimized implementations for PowerPC platforms, in 32-bit and 64-bit modes. They offer a speed increase of about 30% over the optimized C implementation of Shabal.
These implementations do not use AltiVec. The 32-bit implementation is thus compatible with the oldest PowerPC systems, including the 603e. Hashing speed was measured to be about 9.1 cpb on a PowerPC 750 (aka “G3″).

Download: Optimized implementations for PowerPC platforms (205)

Optimized implementations of Shabal

Jeff — Mon, 04 Oct 2010 08:13:27 +0000

The optimized C implementation of Shabal provides a performance of about 7.5 cpb on an Intel Core2 processor in 64-bit mode, but only 9.3 cpb in 32-bit mode. We present here an implementation in assembly for i386, which achieves 7.5 cpb on an Intel Core2. This implementation is also quite shorter than the compiled C code (4813 bytes, including 2.8 kB for precomputed initial values for all 16 supported output sizes) and compatible with the complete i386 processor family.

We also include two optimized assembly implementations for x86 processor with SSE2 instructions, in 32-bit and 64-bit mode. Shabal was not designed to take advantage of vector instruction sets such as SSE2. But a moderate usage of these instruction can nonetheless help speed up the implementation of Shabal. Achieved bandwidth is around 5.9 cpb in both 32-bit and 64-bit mode. SSE2 instructions are available on all Intel processors from the Pentium 4 onward, and are a standard part of the 64-bit ABI.

Download: Optimized implementations of Shabal (282)

Internal Distinguishers in Indiﬀerentiable Hashing: The Shabal Case

Jeff — Wed, 28 Jul 2010 13:08:50 +0000

We show the ﬁrst indiﬀerentiability proof of a hash construction C ^F which does not make the assumption that the inner primitive F is ideal, but allows the existence (up to certain bounds that we explicit) of statistical distinguishers on F. Our hash construction is a general domain extender that generalizes both Chop-MD and Shabal and we prove that this general mode of operation is indiﬀerentiable from a random oracle by providing tight security bounds when the inner primitive F is either an ideal compression function or a keyed permutation. Our proof provides the tightest possible security bounds on Chop-MD and even improves the original indiﬀerentiability proof of Shabal. We then extend our results to the case where F is not assumed ideal anymore, but presents some (possibly strong) form of statistical bias in its input-output behavior. Our results allow us to derive new indiﬀerentiability bounds for Shabal and show that the series of recently found (order-1, diﬀerential or rotational) distinguishers on its internal keyed permutation leave fully intact its indiﬀerentiability properties.

Authors: Emmanuel Bresson, Anne Canteaut, Thomas Fuhr, Thomas Icart, María Naya-Plasencia, Pascal Paillier, Jean-René Reinhard, Marion Videau

Note: This work was partially supported by the French Agence Nationale de la Recherche through the SAPHIR2 project under Contract ANR-08-VERS-014.

Download:

Internall Distinguishers in Indifferentiable Hashing: The Shabal Case (448)

Unfolding Method for Shabal on Virtex-5 FPGAs: Concrete Results

Jeff — Wed, 28 Jul 2010 13:06:50 +0000

In this paper, we focus on an optimized implementation of the Shabal candidate. We improve the state-of-the-art using the unfolding method. This transformation leads to unroll a part of the Shabal core. More precisely, our design can produce a throughput over 3 Gbps on Virtex-5 FPGAs, with a reasonable area usage.

Authors: Julien Francq and Céline Thuillet

Note: This work was partially supported by the French Agence Nationale de la Recherche through the SAPHIR2 project under Contract ANR-08-VERS-014.

Download PDF: Unfolding Method for Shabal on Virtex-5 FPGAs: Concrete Results (362)

Download implementations (529Mo)

High-Speed Implementation of the SHA-3 Candidate Shabal

Jeff — Wed, 28 Jul 2010 12:27:24 +0000

The presentation of Julien Francq and Céline Thuillet, “High-Speed Implementation of the SHA-3 Candidate Shabal” at CryptArchi 2010 is now available in the Download section.

Download:

High-Speed Implementation of the SHA-3 Candidate Shabal (444)

The list of the accepted papers for the Second SHA-3 Candidate Conference is now available

Jeff — Thu, 01 Jul 2010 09:32:42 +0000

Two papers are about Shabal :

Internal Distinguishers in Indifferentiable Hashing: The Shabal Case
Unfolding Method for Shabal on Virtex-5 FPGAs: Concrete Results

The list of accepted papers is available at

http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/AcceptedPapersListing_SHA3_2010.pdf

SSE2-enhanced parallel implementations of the Shabal hash functions

Jeff — Mon, 17 May 2010 12:54:17 +0000

This SSE2-enhanced parallel implementations of the Shabal hash functions runs up to four parallel instances of Shabal (on four input data messages of identical length).

This code was benched on an Intel x86 Core2 Q6600 system, clocked at 2.4 GHz and running Linux. The compiler is Intel C/C++ compiler version 11.1. Achieved speed (for long messages) is 631 MB/s (in 32-bit mode; 621 MB/s in 64-bit mode); this is the cumulative bandwidth of the four parallel instances (each instance is hashed with a bandwidth of about 158 MB/s). All of this is on a single CPU core.

See the mshabal.h header file for documentation on the API. The code itself should compile properly with GCC, the Intel C/C++ compiler, and Microsoft Visual C (this was tested with GCC 4.4.1 and Visual C 2005).

Download: SSE2-enhanced parallel implementations of the Shabal hash functions (354)

Permission is granted to anyone to use this software for any purpose, including commercial applications, and to alter it and redistribute it freely, subject to no restriction.

Technical remarks and questions can be addressed to: