充值面额：
充值类型：
请先输入充值号码
0分钟前he**在【流放之路】出售了
魔侠传直充
流放之路按元充
冒险岛2按元充
御龙在天经典版
天涯明月刀
DNF点券按元
洛奇英雄传
征途2经典版
无货、超时赔付 资金保障
防盗措施 保障交易安全
7×24小时 1对1专属客服> &>&&>&&>&正文
　　【安卓中文网】来自国家质量认证中心公布的信息显示，一款魅族尚未发布的新机有两个型号M576和M576U已经通过了3C认证，魅族Pro5型号是M576和M576U。
　　在这次国家3C质量认证中心公布的认证信息显示，魅族有一款尚未发布的新机已经获得了3C认证，其型号分别为M576和M576U，由魅族在珠海的工厂生产，均支持快速充电功能。尽管该机的真实身份仍然是个谜，但由于魅族已经确定会在本月底发布高端新机PRO 5，所以不出意外的话，此次获得认证的M576和M576U应该便是传说中魅族PRO 5两个版本。
　　魅族PRO 5的硬件配置，配置来看，魅族PRO 5采用了一块2.5D的5.7英寸的1080p屏幕，分辨率达到了像素，算是魅族产品中最大的一款，处理器方面，魅族Pro 5搭载了一颗三星Exynos 7420处理器，八核1.5GHz主频，并辅以3GB/4GB运行内存，32GB/64GB的存储空间。其他方面，PRO 5采用了一块3050mAh的不可拆卸电池。
提示：支持键盘“← →”键翻页魅族高端机Pro 5获3C认证 将于23日发布
稿源：手机中国
凤凰数码讯 9月18日消息，据手机中国报道自魅族PRO 5曝光之日起，该机就有着颇高的关注度。据悉，魅族PRO 5定位高端，售价在3000元以上，即将在本月23日正式发布。现如今，魅族有新机获得3C认证，应该就是即将到来的PRO 5。
魅族PRO 5获3C认证 国家3C质量认证中心信息显示，魅族新机型号为M576和M576U，应该是一款机器的两个版本，这和之前魅族Pro 5的传闻一致。同时，魅族M576/M576U发证日期是9月16日，考虑到魅族现有产品线2015年度该有的新机已全部到位，魅族M576/M576U应该就是魅族PRO 5无疑了。从图中我们了解到，魅族PRO 5支持快速充电（USB电源适配器: UP1220 输出: 5V或9V或12VDC，2A）。
魅族PRO 5包装盒 综合以往信息来看，魅族PRO 5将采用5.7英寸1080p弧面屏，搭载联发科Helio X20/Exynos 7420处理器，内置4GB内存，在拍照方面大有看头，运行Flyme 4.5系统。不过，关于魅族PRO 5的谜题仍然有许多，就等23日魅族官方为我们揭晓了。
有好的文章希望站长之家帮助分享推广，猛戳这里
本网页浏览已超过3分钟，点击关闭或灰色背景，即可回到网页From Wikipedia, the free encyclopedia
SHA-3 (Secure Hash Algorithm 3) is the latest member of the
family of standards, released by
on August 5, 2015. The
was dedicated to
. Although part of the same series of standards, SHA-3 is internally quite different from the -like
SHA-3 is a subset of the broader cryptographic primitive family Keccak (), designed by Guido Bertoni, , Micha?l Peeters, and , building upon . Keccak's authors have proposed additional uses for the function, not (yet) standardized by NIST, including a , an
system, a "tree" hashing scheme for faster hashing on certain architectures, and
ciphers Keyak and Ketje.
Keccak is based on a novel approach called . Sponge construction is based on a wide random function or random , and allows inputting ("absorbing" in sponge terminology) any amount of data, and outputting ("squeezing") any amount of data, while acting as a pseudorandom function with regard to all previous inputs. This leads to great flexibility.
NIST does not currently plan to withdraw SHA-2 or remove it from the revised Secure Hash Standard. The purpose of SHA-3 is that it can be directly substituted for SHA-2 in current applications if necessary, and to significantly improve the robustness of NIST's overall hash algorithm toolkit.
The Keccak algorithm is the work of Guido Bertoni,
(who also co-designed the
cipher with ), Michael Peeters, and . It is based on earlier hash function designs
and . PANAMA was designed by Daemen and Craig Clapp in 1998. RadioGatún, a successor of PANAMA, was designed by Daemen, Peeters, and Van Assche, and was presented at the NIST Hash Workshop in 2006.
started to organize the
to create a new hash standard, SHA-3. SHA-3 is not meant to replace , as no significant attack on SHA-2 has been demonstrated. Because of the successful attacks on ,
and , NIST perceived a need for an alternative, dissimilar cryptographic hash, which became SHA-3.
After a setup period, admissions were to be submitted by the end of 2008. Keccak was accepted as one of the 51 candidates. In July 2009, 14 algorithms were selected for the second round. Keccak advanced to the last round in December 2010.
During the competition, entrants were permitted to "tweak" their algorithms to address issues that were discovered. Changes that have been made to Keccak are:
The number of rounds was increased from 12 + l to 12 + 2l to be more conservative about security.
The message padding was changed from a more complex scheme to the simple 10*1 pattern described below.
The rate r was increased to the security limit, rather than rounding down to the nearest power of 2.
On October 2, 2012, Keccak was selected as the winner of the competition.
In 2014, the NIST published a draft
202 "SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions". FIPS 202 was approved on August 5, 2015.
On August 5, 2015 NIST announced that SHA-3 had become a hashing standard.
The sponge construction for hash functions. Pi are input, Zi are hashed output. The unused "capacity" c should be twice the desired resistance to
SHA-3 uses the , in which data is "absorbed" into the sponge, then the result is "squeezed" out. In the absorbing phase, message blocks are
into a subset of the state, which is then transformed as a whole using a permutation function f. In the "squeeze" phase, output blocks are read from the same subset of the state, alternated with the state transformation function f. The size of the part of the state that is written and read is called the "rate" (denoted r), and the size of the part that is untouched by input/output is called the "capacity" (denoted c). The capacity determines the security of the scheme. The maximum
is half the capacity.
Given an input bit string N, a padding function pad, a permutation function f that operates on bit blocks of width b, a rate r and an output length d, we have capacity c = b - r and the sponge construction Z = sponge[f,pad,r](N,d), yielding a bit string Z of length d, works as follows::18
pad the input N using the pad function, yielding a padded bit string P with a length divisible by r (such that n = len(P)/r is integer),
break P into n consecutive r-bit pieces P0, ..., Pn-1
initialize the state S to a string of b 0 bits.
absorb the input into the state: For each block Pi,
extend Pi at the end by a string of c 0 bits, yielding one of length b,
XOR that with S and
apply the block permutation f to the result, yielding a new state S
initialize Z to be the empty string
while the length of Z is less than d:
append the first r bits of S to Z
if Z is still less than d bits long, apply f to S, yielding a new state S.
truncate Z to d bits
The fact that the internal state S contains c additional bits of information in addition to what is output to Z prevents the
that SHA-2, SHA-1, MD5 and other hashes based on the
are susceptible to.
In SHA-3, the state S consists of a 5 × 5 array of w = 64-bit words, b = 5 × 5 × w = 5 × 5 × 64 = 1600 bits total. Keccak is also defined for smaller power-of-2 word sizes w down to 1 bit (25 bits total state). Small state sizes can be used to test cryptanalytic attacks, and intermediate state sizes (from w = 8, 200 bits, to w = 32, 800 bits) can be used in practical, lightweight applications.
For SHA-3-224, SHA-3-256, SHA-3-384, and SHA-3-512 instances, r is greater than d, so there is no need for additional block permutations in the leading d bits of the state are the desired hash. However, SHAKE-128 and SHAKE-256 allow an arbitrary output length, which is useful in applications such as .
To ensure the message can be evenly divided into r-bit blocks, padding is required. SHA-3 uses the pattern 101 in its padding function: a 1 bit, followed by zero or more 0 bits (maximum r - 1) and a final 1 bit.
The maximum of r - 1 0 bits occurs when the last message block is r - 1 bits long. Then another block is added after the initial 1 bit, containing r - 1 0 bits before the final 1 bit.
The two 1 bits will be added even if the length of the message is already divisible by r.:5.1 In this case, another block is added to the message, containing a 1 bit, followed by a block of r - 2 0 bits and another 1 bit. This is necessary so that a message with length divisible by r ending in something that looks like padding does not produce the same hash as the message with those bits removed.
The initial 1 bit is required so messages differing only in a few additional 0 bits at the end do not produce the same hash.
The position of the final 1 bit indicates which rate r was used (multi-rate padding), which is required for the security proof to work for different hash variants. Without it, different hash variants of the same short message would be the same up to truncation.
The block transformation f, which is Keccak-f[1600] for SHA-3, is a permutation that uses ,
operations, and is designed for easy implementation in both software and hardware.
It is defined for any power-of-two
size, w = 2l bits. The main SHA-3 submission uses 64-bit words, l = 6.
The state can be considered to be a 5 × 5 × w array of bits. Let a[i][ j][k] be bit (5i + j) × w + k of the input, using a
bit numbering convention and
indexing. I.e. i selects the row, j the column, and k the bit.
Index arithmetic is performed modulo 5 for the first two dimensions and modulo w for the third.
The basic block permutation function consists of 12 + 2l rounds of five steps, each individually very simple:
Compute the
of each of the 5w (320, when w = 64) 5-bit columns, and exclusive-or that into two nearby columns in a regular pattern. To be precise, a[i][ j][k] ← a[i][ j][k] ⊕ parity(a[0...4][ j-1][k]) ⊕ parity(a[0...4][ j+1][k-1])
each of the 25 words by a different
0, 1, 3, 6, 10, 15, .... To be precise, a[0][0] is not rotated, and for all 0 ≤ t & 24, a[i][ j][k] ← a[i][ j][k-(t+1)(t+2)/2], where
{\displaystyle {\begin{pmatrix}i\\j\end{pmatrix}}={\begin{pmatrix}3&2\\1&0\end{pmatrix}}^{t}{\begin{pmatrix}0\\1\end{pmatrix}}}
Permute the 25 words in a fixed pattern. a[j][2i+3j] ← a[ i][j].
Bitwise combine along rows, using x ← x ⊕ (?y & z). To be precise, a[i][ j][k] ← a[i][ j][k] ⊕ (?a[i][ j+1][k] & a[i][ j+2][k]). This is the only non-linear operation in SHA-3.
Exclusive-or a round constant into one word of the state. To be precise, in round n, for 0 ≤ m ≤ l, a[0][0][2m-1] is exclusive-ORed with bit m + 7n of a degree-8
sequence. This breaks the symmetry that is preserved by the other steps.
The speed of SHA-3 hashing of long messages is dominated by the computation of f = Keccak-f[1600] and XORing S with the extended Pi, an operation on b = 1600 bits. However, since the last c bits of the extended Pi are 0 anyway, and XOR with 0 is a noop, it is sufficient to perform XOR operations only for r bits (r = 1600 - 2 × 224 = 1152 bits for SHA3-224, 1088 bits for SHA3-256, 832 bits for SHA3-384 and 576 bits for SHA3-512). The lower r is (and, conversely, the higher c = b - r = 1600 - r), the less efficient but more secure the hashing becomes since fewer bits of the message can be XORed into the state (a quick operation) before each application of the computationally expensive f. The authors report the following speeds for software implementations of Keccak-f[1600] plus XORing 1024 bits, which roughly corresponds to SHA3-256:
on IA-32, Intel Pentium 3
41 cpb on IA-32+MMX, Intel Pentium 3
20 cpb on IA-32+SSE, Intel Core 2 Duo or AMD Athlon 64
12.6 cpb on a typical x86-64-based machine
6–7 cpb on []
For the exact SHA3-256 on x86-64, Bernstein measures 11.7–12.25 cpb depending on the CPU.:7 SHA-3 has been criticized for being slow in software – SHA2-512 is more than twice as fast as SHA3-512 and SHA-1 is more than three times as fast on an Intel Skylake processor clocked at 3.2 GHz. The authors have reacted to this criticism by suggesting to use SHAKE128 and SHAKE256 instead of SHA3-256 and SHA3-512, at the expense of cutting the preimage resistance in half (but while keeping the collision resistance). With this, performance is on par with SHA2-256 and SHA2-512. To further increase speed, the authors suggest using KangarooTwelve, a variant of Keccak with half the number of rounds (trading safety margin for speed) and using parallelizable tree hashing to exploit the availability of parallelism in the processor.
However, in , SHA-3 is notably faster than all other finalists, and also faster than SHA-2 and SHA-1.
The NIST standard defines the following instances, for message M and output length d::20,23
= block size
capacity c
Definition
Security Strengths in Bits
2nd Preimage
SHA3-224(M)
Keccak[448](M || 01, 224)
SHA3-256(M)
Keccak[512](M || 01, 256)
SHA3-384(M)
Keccak[768](M || 01, 384)
SHA3-512(M)
Keccak[1024](M || 01, 512)
SHAKE128(M, d)
Keccak[256](M || 1111, d)
min(d/2,128)
≥min(d,128)
min(d,128)
SHAKE256(M, d)
Keccak[512](M || 1111, d)
min(d/2,256)
≥min(d,256)
min(d,256)
With the following definitions
Keccak[c](N, d) = sponge[Keccak-f[1600], pad10*1, r](N, d):20
Keccak-f[1600] = Keccak-p[1600, 24]:17
c is the capacity
r is the rate = 1600 - c
N is the input bit string
Note that the appended postfixes are written as bit strings, not hexadecimal digits.
The SHA-3 instances are the drop-in replacements for SHA-2, with identical security claims. SHAKE instances are so called XOF's, Extendable Output Functions. For example, SHAKE128(M, 256) can be used as a hash function with a 256 bit length and 128 bit overall security.
Note that all instances append some bits to the message, the rightmost of which represent the domain separation suffix. The purpose of this is to ensure that it is not possible to construct messages that produce the same hash output for different applications of the Keccak hash function. The following domain separation suffixes exist:
reserved for future use
RawSHAKE is the basis for the Sakura coding for tree hashing, which has not been standardized yet. However, the SHAKE suffix has been carefully chosen so that it is
with Sakura. Sakura appends 0 for a chaining hop or 1 for a message, then 100 for a non-final (inner) node or 1 for a final node, before it applies RawSHAKE. Sequential hashing corresponds to a hop tree with a single message node, which means that 11 is appended to the message before RawSHAKE is applied. Thus, the SHAKE XOFs append 1111 to the message, i.e., 1 for message, 1 for final node, and 11 for the RawSHAKE domain separation suffix.:16
Since 10*1 padding always adds at least two bits, in byte aligned libraries there are always six unused zero bits. Therefore, these appended extra bits never make the padded message longer.
There is a general result () that quantum computers can perform a structured preimage attack in √2d = 2d/2, while a classical brute-force attack needs 2d. A structured preimage attack implies a second preimage attack and thus a collision attack. A quantum computer can also perform a birthday attack, thus break collision resistance, in 3√2d = 2d/3 (although that is disputed). Noting that the maximum strength can be c/2, this gives the following upper bounds on the quantum security of SHA-3:
Security Strengths in Bits
(Brassard et al.)
(Bernstein)
2nd Preimage
SHA3-224(M)
SHA3-256(M)
SHA3-384(M)
SHA3-512(M)
SHAKE128(M, d)
min(d/3,128)
min(d/2,128)
≥min(d/2,128)
min(d/2,128)
SHAKE256(M, d)
min(d/3,256)
min(d/2,256)
≥min(d/2,256)
min(d/2,256)
It has been shown that the Merkle–Damg?rd construction, as used by SHA-2, is collapsing and, by consequence, quantum collision-resistant, but for the sponge construction used by SHA-3, the authors provide proofs only for the case that the block function f is not ef Keccak-f[1600], however, is efficiently invertible, and so their proof does not apply.
In February 2013 at the RSA Conference, and then in August 2013 at CHES, NIST announced they would select different values for the capacity, i.e. the security parameter, for the SHA-3 standard, compared to the submission. The changes caused some turmoil.
The hash function competition called for hash functions at least as secure as the SHA-2 instances. It means that a d-bit output should have d/2-bit resistance to
and d-bit resistance to , the maximum achievable for d bits of output. Keccak's security proof allows an adjustable level of security based on a "capacity" c, providing c/2-bit resistance to both collision and preimage attacks. To meet the original competition rules, Keccak's authors proposed c=2d. The announced change was to accept the same d/2-bit security for all forms of attack and standardize c=d. This would have sped up Keccak by allowing an additional d bits of input to be hashed each iteration. However, the hash functions would not have been drop-in replacements with the same preimage resistance as SHA-2 it would have been cut in half, making it vulnerable to advances in quantum computing, which effectively would cut it in half once more.
In September 2013,
suggested on the
hash-forum mailing list to strengthen the security to the 576-bit capacity that was originally proposed as the default Keccak, in addition to and not included in the SHA-3 specifications. This would have provided at least a SHA3-224 and SHA3-256 with the same preimage resistance as their SHA-2 predecessors, but SHA3-384 and SHA3-512 would have had significantly less preimage resistance than theirs. In late September, the Keccak team responded by stating that they had proposed 128-bit security by setting c = 256 as an option already in their SHA-3 proposal. Although the reduced capacity was justifiable in their opinion, in the light of the negative response, they proposed raising the capacity to c = 512 bits for all instances. This would be as much as any previous standard up to the 256-bit security level, while providing reasonable efficiency, but not the 384/512 bit preimage resistance offered by SHA2-384/512. The authors tried to justify that with the claim that "claiming or relying on security strength levels above 256 bits is meaningless."
In early October 2013,
criticized NIST's decision on the basis of its possible detrimental effects on the acceptance of the algorithm, saying:
There is too much mistrust in the air. NIST risks publishing an algorithm that no one will trust and no one (except those forced) will use.
Paul Crowley, a cryptographer and senior developer at an independent software development company, expressed his support of the decision, saying that Keccak is supposed to be tunable and there is no reason for different security levels within one primitive. He also added:
Yes, it's a bit of a shame for the competition that they demanded a certain security level for entrants, then went to publish a standard with a different one. But there's nothing that can be done to fix that now, except re-opening the competition. Demanding that they stick to their mistake doesn't improve things for anyone.
There was also some confusion that internal changes were made to Keccak. The Keccak team clarified this, stating that NIST's proposal for SHA-3 is a subset of the Keccak family, for which one can generate test vectors using their reference code submitted to the contest, and that this proposal was the result of a series of discussions between them and the NIST hash team. Also,
corrected his earlier statement, saying:
I misspoke when I wrote that NIST made "internal changes" to the algorithm. That was sloppy of me. The Keccak permutation remains unchanged. What NIST proposed was reducing the hash function's capacity in the name of performance. One of Keccak's nice features is that it's highly tunable.
In response to the controversy, in November 2013 John Kelsey of NIST proposed to go back to the original c = 2d proposal for all SHA-2 drop-in replacement instances. These changes were confirmed in the April 2014 draft. This proposal was implemented in the final release standard in August 2015.
The reduced-capacity forms were published as SHAKE128 and SHAKE256, where the number indicates the security level and the number of bits of output is variable, but should be twice as large as the required collision resistance.
The following hash values are from NIST.gov:
SHA3-224("")
6b4edbb73b6eabdb078e3f5b5a6bc7
SHA3-256("")
a7ffc6f8bf1eda061d662f580ff4de43b49fa82d80a4b80f8434a
SHA3-384("")
0c63a75b845e4f7dcaaaa94fc61995e71bbee983a2acadb47fb6bd1e058d5f004
SHA3-512("")
a69f73cca23a9ac5c8b567dc185a756e97c859e0d1dccbf94c11e3e8fb6d3edcd26
SHAKE128("", 256)
7f9c2ba4e88f827d853ed73b8093f6efbc88eb1a6eacfa66ef26
SHAKE256("", 512)
46b9dd2b0ba88d13233b3feb743eeb243fcd52ea62b81b82b50c2fd75dc4ddd8c0f200cbf6fc821c492eacb3b7c4be
Changing a single bit causes each bit in the output to change with 50% probability, demonstrating an :
SHAKE128("The quick brown fox jumps over the lazy dog", 256)
f2ffdb95e7417ecae17db0f8cfeed0e3e66e
SHAKE128("The quick brown fox jumps over the lazy dof", 256)
853f21a6cea659a06cf02b13d11cf10c
In the table below, internal state means the number of bits that are carried over to the next block.
Comparison of SHA functions
Algorithm and variant
Output size
Internal state size
Block size
Max message size
Operations
Security bits
Performance on
First Published
long messages
(as reference)
And, Xor, Rot, Add (mod 232), Or
(collisions found)
And, Xor, Rot, Add (mod 232), Or
(collisions found)
(collisions found)
And, Xor, Rot, Add (mod 232), Or, Shr
And, Xor, Rot, Add (mod 264), Or, Shr
128 (≤ 384)
SHA-512/224
SHA-512/256
≈ SHA-384
≈ SHA-384
(5 × 5 × 64)
And, Xor, Rot, Not
d (arbitrary)
d (arbitrary)
min(d/2, 128)
min(d/2, 256)
, section 3.1
mainReference.c "The Keccak sponge function, designed by Guido Bertoni, Joan Daemen, Micha?l Peeters and Gilles Van Assche. For more information, feedback or questions, please refer to our website:
by the designers, hereby denoted as "the implementer". To the extent possible under law, the implementer has waived all copyright and related or neighboring rights to the source code in this file. "
Cruz, José R.C. (7 May 2013). . Dr. Dobbs.
Guido B Joan D Micha?l P Gilles Van Assche. .
NIST, , sections 5.1.2.1 (mentioning "tree mode"), 6.2 ("other features", mentioning authenticated encryption), and 7 (saying "extras" may be standardized in the future)
Daemen, Joan,
Daemen, Joan,
Guido Bertoni, Joan Daemen, Micha?l Peeters and Gilles Van Assche. . Ecrypt Hash Workshop 2007.
Stevens, M Bursztein, E Karpman, P Albertini, A Markov, Yarik.
(PDF) 2017.
National Institute of Standards and Technology (Aug 5, 2015).
Guido Bertoni, Joan Daemen, Micha?l Peeters and Gilles Van Assche. . EuroCrypt 2008.
"about 41 cycles/byte [...] represents a 40% speedup compared to an implementation using only 32-bit instructions". By formula
{\displaystyle {\frac {1}{x}}\times 1.40={\frac {1}{41}}}
{\displaystyle x=57.4}
Guo, Xu; Huang, S Nazhandali, L Schaumont, Patrick (Aug 2010),
(PDF), NIST 2nd SHA-3 Candidate Conference: 12 Keccak is second only to Luffa, which did not advance to the final round.
John Kelsey.
(PDF). RSA Conference 2013.
John Kelsey. . CHES 2013.
. 2 October 2013.
NIST Computer Security Division (CSD).
(PDF). NIST.
. In the unlikely event that b is greater than 2^64, then only the low-order 64 bits of b are used.
: Hidden categories:}