|
|
The Third SHA-3 Candidate Conference
March 22-23, 2012 Washington Marriott Hotel, Washington, DC
USA West End Ballroom CDE Program
Zip files of the presentations and papers are now available. |
||||
|
First Day Thursday, March 22, 2012 |
||||
| 7:30 am | Registration Opens |
|||
|
9:00 – 9:15 (15 minutes) |
Opening Remarks Donna Dodson, Chief, Computer Security Division, NIST |
|||
|
9:15 – 10:40 (85 minutes) |
Session I:
Security Analysis I (20
minutes each) Session Chair: Morris Dworkin, NIST
1.
A Study of
Practical-time Distinguishing Attacks Against Round-reduced Threefish-256 [paper] Presented by: Aron Gohr, Bundesamt für Sicherheit in der Informationstechnik (BSI) 2.
ARXtools: A Toolkit
for ARX Analysis [paper] Presented by: Pierre-Alain Fouque, ENS 3.
On the
Algebraic Degree of some SHA-3 Candidates [paper] Presented by: Christina Boura, INRIA/Gemalto 4. Side Channel Analysis of the SHA-3 Finalists [paper] Presented by: Michael Zohner, CASED |
|||
|
10:40 – 11:05 (25 minutes) |
Coffee Break |
|||
|
11:05 – 12:30 (85 minutes) |
Session II: Security
Analysis II (20 minutes
each) Session Chair: Rene Peralta, NIST 1.
Provable Security
of BLAKE with Non-Ideal Compression Function [paper] Presented by: Bart Mennink, KULeuven 1.
Security Analysis and Comparison of the SHA-3
Finalists BLAKE, Groestl, JH, Keccak,
and Skein [paper] Presented by: Elena Andreeva, KULeuven 2.
Improved
Indifferentiability Security Bound for the JH Mode [paper]
Presented by: Souradyuti Paul, NIST and KULeuven 3.
A Keyed
Sponge Construction with Pseudorandomness in a Standard Model [paper]
Presented by: Donghoon Chang, NIST
|
|||
|
12:30 – 13:45 (75 minutes) |
Lunch Room: Dupont Salon FG |
|||
|
13:45 – 14:50 (65 minutes) |
Session III: Hardware Implementations I (20 minutes each) Session Chair: Bill Burr, NIST 1.
Lessons Learned
from Designing a 65nm ASIC for Evaluating Third Round SHA-3 Candidates [paper] Presented by: Frank Gurkaynak, Microelectronics Design Center, ETH Zurich, Switzerland 2.
Comprehensive
Evaluation of High-Speed and Medium-Speed Implementations of Five SHA-3
Finalists Using Xilinx and Altera FPGAs [paper] Presented by: Kris Gaj, George Mason University 3.
Efficient
Hardware Implementations and Hardware Performance Evaluation of SHA-3
Finalists [paper] Presented by: Athar Mahboob, National University of Sciences and Technology, Islamabad, Pakistan |
|||
|
14:50 – 15:15 (25 minutes) |
Coffee Break |
|||
|
15:15 – 16:20 (65 minutes) |
Session IV: Hardware Implementations II (20 minutes each) Session Chair: Andy Regenscheid, NIST 1.
On the
Suitability of SHA-3 Finalists for Lightweight Applications [paper] Presented by: Elif Bilge Kavun, Horst Görtz Institute, Ruhr University - Bochum 2.
Lightweight
Implementations of SHA-3 Finalists on FPGAs
[paper] Presented by: Jens-Peter Kaps, George Mason University 3.
Evaluation
Of Compact FPGA Implementations For All SHA-3 Finalists [paper*]
Presented by: Bernhard Jungk, University of Applied Sciences Wiesbaden
|
|||
|
16:20 – 17:10 (50 minutes) |
Session V: Algorithm Specific Implementations (15 minutes each) Session Chair: Meltem Sonmez Turan, NIST 1.
BLAKE and
256-bit advanced vector extensions [paper*]
Presented by: Samuel Neves, Universidade de Coimbra 2. Grøstl Implementation Guide [paper] Presented by: Martin Schläffer, IAIK, Graz University of Technology 3. 1001 ways to implement Keccak [paper] Presented by: Guido Bertoni, STMicroelectronics |
|||
|
17:10 |
Adjourn for Day |
|||
|
|
||||
|
Second Day Friday, March 23, 2012 |
||||
| 8:00 | Registration Opens |
|||
|
9:00 – 10:25 (85 minutes) |
Session VI: Software Implementations (20 minutes
each) Session Chair: Larry Bassham, NIST 1.
The New
SHA-3 Software Shootout [paper] Presented by: Dan Bernstein, University of Illinois and Tanja Lange, Technische Universiteit Eindhoven 2.
XBX
Benchmarking Results January 2012 [paper] Presented by: Christian Wenzel-Benner, ITK Engineering AG 3. SHA-3
on ARM11 Processors [paper] Presented by: Bo-Yin Yang, Academia Sinica, Taiwan 4. Performance
of the SHA-3 Candidates in Java [paper*]
Presented by: Christian Hanser, Institute for Applied Information Processing and Communications, Graz University of Technology |
|||
|
10:25 – 10:50 (25 minutes) |
Coffee Break |
|||
|
10:50 – 12:05 (75 minutes) |
Session VII: Open Discussion I - Performance Session Chair: Bill Burr, NIST *Please see discussion questions at end of program |
|||
|
12:05 – 13:20 (75 minutes) |
Lunch Room : Dupont Salon FG |
|||
|
13:20 – 15:05 (105 minutes) |
Session VIII: Round 3 Candidates Presentation (20 minutes each) Session Chair: Lily Chen, NIST 1.
BLAKE
Presented by: Jean-Philippe Aumasson, Nagravision
SA 2. Grøstl Presented by: Christian Rechberger, DTU 3.
JH
Presented by: Honjun Wu, Institute for Infocomm
Research 4.
Keccak
Presented by: Gilles Van Assche, STMicroelectronics 5.
Skein
Presented by: Bruce Schneier, BT |
|||
|
15:05 – 15:30 (25 minutes) |
Coffee
Break |
|||
|
15:30 – 16:55 (85 minutes) |
Session IX: Open Discussion II Session Chair: John Kelsey, NIST 1. Batteries Included- Features and Modes for Next Generation Hash Functions [paper] (20 minutes) Presented by: Stefan
Lucks, Bauhaus-Universität Weimar *Please see discussion questions at end of program |
|||
|
16:55 – 17:10 (15 minutes) |
Closing Remarks Bill Burr, NIST |
|||
|
17:10 |
Adjourn |
|||
*These papers were updated after the February 17 final paper deadline, but not posted until after the Third SHA-3 Candidate Conference.
The Third SHA-3 Candidate Conference Open Discussion Questions
Session VII: Open
Discussion I - Performance
1) What algorithms give us the best
coverage in places where SHA-256 and SHA-512 perform badly? Where does SHA-2
performance seem weakest?
a)
Should
we think about this in our selection?
2)
NIST
is interested in figuring out what performance differences among SHA-3
finalists will have a practical impact on real-world applications, specifically
whether there are current or near-future applications where these differences
will determine whether the application can use SHA-3 or not. Identify
specific applications and candidate algorithm that are unlikely to use SHA-3 if
that candidate is chosen to be SHA-3.
3)
Should
parallelizability matter in our selection, assuming that we will produce a
tree-mode hashing document sometime after the SHA-3 competition completes?
4)
What
performance issues haven’t we considered in this conference that we should
consider?
5)
How
much weight should we give to 512-bit hash versions vs. 256-bit hash versions?
a)
Are
there some SHA-3 versions where the 512 bit hash is generally a better
performer, and should be compared with the 256-bit versions of other
candidates?
6)
Dividing
the world into unconstrained and constrained implementations and into hardware
and software implementations:
a)
Which
quadrant is the most important? Which is the least important?
b)
What
criteria would you use to define a “constrained” implementation?
c)
Where
does an ARM with the NEON SIMD instructions fall on the above scale?
d)
Can
you assign a weight to each of these categories for performance ranking
purpose, and explain why?
e)
Which
finalist seems to have the best performance in each of the categories mentioned
above, and in overall performance?
f)
We
don’t seem to have many implementations that took advantage of the NEON SIMD
extension. Is it fair to assume that such extension will boost the
performance of all (or at least most) SHA-3 finalists? If not, why not?
g)
It
seems that adding 64-bit rotations to vector instruction sets might speed up
Skein, Keccak and BLAKE. Is that so?
Are there other simple extensions to vector instruction sets that might
speed up particular candidates?
h)
Mbits/Joule
seems a natural metric for measuring power consumption, but we don’t have much
power consumption data. Throughput seems a reasonable power consumption
proxy for software. Is throughput/area a reasonable proxy for hardware?
7)
What
new and upcoming applications and environments could use SHA-3 without having
to transition from SHA-1 or SHA-2? In these cases, there would be no transition
required.
Session IX: Open
Discussion II
1)
Do
any of the published analyses give much insight into which algorithm is more
likely to fall to a real attack (academic or practical) in its lifetime?
a)
What
are the most damaging or worrisome attacks to each of the SHA-3 finalists so
far?
b)
Are
there any results on these candidates that, right now, should call them into
question?
c)
If
so, what are they, and how can we better understand what we should learn from
these results?
2)
How
important is side channel resistance in hashing applications?
a)
Are
there important differences in candidates’ resistance to side channel attacks,
or ease of securing them against side-channel attacks?
i)
Groestl
and S-boxes?
ii)
Skein/BLAKE
and additions?
3)
Which
candidate would you say is the best understood, in security terms, at this
point?
a)
Are
there candidates you think are still poorly understood in security terms?
b)
Are
some candidates’ designs inherently harder to understand well in that sense
than others?
SHA-3 Selection
1)
Should
we try to find a SHA-3 candidate with a large design difference from SHA-2 or
from AES?
2)
Should
we care about “extras” like the Keccak authenticated
encryption mode or the Threefish wide tweakable block cipher?
3)
Individual
SHA-3 Designers: If you couldn’t pick your candidate, which one would you pick?
4) Non-Designer, Non-NIST Audience: Which candidate would you pick, if it were your decision?
5) Everyone: Are there any candidates that you think explicitly should not be picked? If so, why?