Section: New Results
High-assurance and high-speed SHA-3
Participants: Cécile Baritel-Ruet, Benjamin Grégoire, José Bacelar Almeida [INESC TEC], Manuel Barbosa [INESC TEC], Gilles Barthe [IMDEA], François Dupressoir [University of Surrey], Vincent Laporte [Inria], Tiago Oliveira [INESC TEC], Alley Stoughton [Boston University], Pierre-Yves Strub [Ecole Polytechnique].
We have developed a high-assurance and high-speed implementation of the SHA-3 hash function. Our implementation is written in the Jasmin programming language, and is formally verified for functional correctness, provable security and timing-attack resistance in the EasyCrypt proof assistant. Our implementation is the first to achieve simultaneously the four desirable properties (efficiency, correctness, provable security, and side-channel protection) for a non-trivial cryptographic primitive. Concretely, our mechanized proofs show that:

The SHA-3 hash function is indifferentiable from a random oracle, and thus is resistant against collision, first-preimage and second-preimage attacks;

The SHA-3 hash function is correctly implemented by a vectorized x86 implementation.
Furthermore, the implementation is provably protected against timing attacks in an idealized model of timing leaks. The proofs include new EasyCrypt libraries of independent interest for programmable random oracles and modular indifferentiability proofs. This work has been published at an international conference [4].
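The functional-correctness result above relates the vectorized Jasmin code to the SHA-3 specification, i.e. to the Keccak-f[1600] permutation wrapped in the sponge construction with SHA-3's domain-separation padding. To make that specification concrete, the following is an added Python reference of exactly that computation (written for this page; it is not code from the report, from Jasmin, or from the EasyCrypt development). The names keccak_f1600, sponge, sha3_256 and shake_128 are this example's own. It cross-checks itself against Python's hashlib on constructed inputs whose lengths straddle the 136-byte rate boundary and that force a multi-block squeeze, which is the testing counterpart of the proof the report describes. A reference like this is useful as a specification and a test oracle only: Python big-integer arithmetic and table indexing give no timing guarantees, which is why the report treats timing-attack resistance as a separate property proved in an idealized leakage model.

```python
import hashlib

MASK = (1 << 64) - 1

# Round constants for iota (24 rounds of Keccak-f[1600]).
RC = [
    0x0000000000000001, 0x0000000000008082, 0x800000000000808A, 0x8000000080008000,
    0x000000000000808B, 0x0000000080000001, 0x8000000080008081, 0x8000000000008009,
    0x000000000000008A, 0x0000000000000088, 0x0000000080008009, 0x000000008000000A,
    0x000000008000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003,
    0x8000000000008002, 0x8000000000000080, 0x000000000000800A, 0x800000008000000A,
    0x8000000080008081, 0x8000000000008080, 0x0000000080000001, 0x8000000080008008,
]

# Rotation offsets for rho, indexed ROT[x][y] for lane A[x][y].
ROT = [
    [0, 36, 3, 41, 18],
    [1, 44, 10, 45, 2],
    [62, 6, 43, 15, 61],
    [28, 55, 25, 21, 56],
    [27, 20, 39, 8, 14],
]


def rol(v, n):
    """Rotate a 64-bit lane left by n bits."""
    n %= 64
    return ((v << n) | (v >> (64 - n))) & MASK if n else v


def keccak_f1600(A):
    """Keccak-f[1600] on a state of 25 lanes, lane (x, y) stored at A[x + 5*y]."""
    for rnd in range(24):
        # theta: column parities, then XOR of neighbouring columns into every lane
        C = [A[x] ^ A[x + 5] ^ A[x + 10] ^ A[x + 15] ^ A[x + 20] for x in range(5)]
        D = [C[(x - 1) % 5] ^ rol(C[(x + 1) % 5], 1) for x in range(5)]
        A = [A[i] ^ D[i % 5] for i in range(25)]
        # rho (lane rotation) and pi (lane permutation): B[y, 2x+3y] = rot(A[x, y])
        B = [0] * 25
        for x in range(5):
            for y in range(5):
                B[y + 5 * ((2 * x + 3 * y) % 5)] = rol(A[x + 5 * y], ROT[x][y])
        # chi: the only non-linear step, row-wise a ^= ~b & c
        A = [
            B[i] ^ ((~B[(i % 5 + 1) % 5 + 5 * (i // 5)] & MASK) & B[(i % 5 + 2) % 5 + 5 * (i // 5)])
            for i in range(25)
        ]
        # iota: break symmetry between rounds
        A[0] ^= RC[rnd]
    return A


def sponge(rate_bytes, data, suffix, out_len):
    """Sponge over Keccak-f[1600]: pad10*1 with a domain suffix, absorb, squeeze."""
    padded = bytearray(data)
    padded.append(suffix)            # 0x06 for SHA-3, 0x1F for SHAKE
    while len(padded) % rate_bytes:  # zero-fill to a whole block
        padded.append(0)
    padded[-1] |= 0x80               # final 1 bit of pad10*1
    A = [0] * 25
    lanes = rate_bytes // 8
    for off in range(0, len(padded), rate_bytes):
        block = padded[off:off + rate_bytes]
        for i in range(lanes):
            A[i] ^= int.from_bytes(block[8 * i:8 * i + 8], "little")
        A = keccak_f1600(A)
    out = bytearray()
    while True:
        out += b"".join(A[i].to_bytes(8, "little") for i in range(lanes))
        if len(out) >= out_len:
            return bytes(out[:out_len])
        A = keccak_f1600(A)  # further squeeze blocks (only SHAKE needs this)


def sha3_256(data):
    return sponge(136, data, 0x06, 32)


def shake_128(data, out_len):
    return sponge(168, data, 0x1F, out_len)


def matches_hashlib():
    """Cross-check the reference against hashlib on constructed inputs.

    Lengths 0, 135, 136, 137 and 300 exercise the padding at and around the
    SHA3-256 rate boundary; the 400-byte SHAKE output forces a second squeeze.
    """
    for n in (0, 1, 135, 136, 137, 300):
        msg = bytes((i * 7 + 3) & 0xFF for i in range(n))  # constructed, deterministic
        if sha3_256(msg) != hashlib.sha3_256(msg).digest():
            return False
        if shake_128(msg, 400) != hashlib.shake_128(msg).digest(400):
            return False
    return True


if __name__ == "__main__":
    print(sha3_256(b"").hex())
    print("agrees with hashlib:", matches_hashlib())
```

The check compares whole digests against an independent implementation; a proof, as in the report, instead establishes equality for all inputs, which no finite set of test vectors can do.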