COSIC · Design and Analysis of Cryptographic Hash Functions Özgül KÜÇÜK Jury: Dissertation presented in partial Prof. dr. Adhemar Bultheel, chairman fulfillment of the requirements


Arenberg Doctoral School of Science, Engineering & Technology

Faculty of Engineering Science

Department of Electrical Engineering (ESAT)

Design and Analysis of Cryptographic Hash Functions

Hirotaka YOSHIDA

Dissertation presented in partial fulfillment of the requirements for the degree of Doctor in Engineering

February 2013


Design and Analysis of Cryptographic Hash Functions

Hirotaka YOSHIDA

Jury:
Prof. dr. ir. Hugo Hens, chair
Prof. dr. ir. Bart Preneel, supervisor
Prof. dr. Henri Gilbert (Agence nationale de la sécurité des systèmes d’information)
Prof. dr. ir. Vincent Rijmen, secretary
Dr. Svetla Petkova-Nikova
Prof. dr. ir. Frank Piessens

Dissertation presented in partial fulfillment of the requirements for the degree of Doctor in Engineering

February 2013


© Katholieke Universiteit Leuven – Faculty of Engineering Science
Arenbergkasteel, B-3001 Heverlee (Belgium)

All rights reserved. No part of the publication may be reproduced in any form by print, photoprint, microfilm or any other means without written permission from the publisher.

D/2013/7515/18
ISBN 978-94-6018-631-8


Acknowledgements

I would like to take this opportunity to thank the people who have helped and encouraged me during the past years.

First of all, I would like to thank my promotor, Prof. Bart Preneel, for his guidance and for carefully reading my technical documents including this dissertation.

I would like to express my gratitude to the members of my jury — Prof. Henri Gilbert, dr. Svetla Petkova-Nikova, Prof. Frank Piessens, and Prof. Vincent Rijmen — for reviewing this manuscript and for their valuable feedback, and to Prof. Hugo Hens for chairing the jury.

Special thanks go to Alex Biryukov, Dai Watanabe, and Soichi Furuya, for introducing me to cryptography and cryptanalysis and for providing me with assistance along the way. I have been very fortunate to work with established cryptographers, including my other co-authors Christophe De Cannière, Shoichi Hirose, Kota Ideguchi, Jun Kitahara, Hidenori Kuwakado, Joseph Lano, Florian Mendel, Katsuyuki Okeya, Toru Owada, Özgül Küçük, and Hongjun Wu. Antoon Bosselaers, Orr Dunkelman, Yasuko Fukuzawa, Kunihiko Miyazaki, Kazuo Ohta, Souradyuti Paul, Thomas Peyrin, Bart Van Rompay, Kazuo Sakiyama, and Lei Wang are also thanked for the interesting discussions.

Thank you to all the current and past COSIC members for the nice working atmosphere, including Elena Andreeva, Lejla Batina, Filipe Beato, Danny De Cock, Nele Mentens, Yoni De Mulder, Claudia Diaz, Benedikt Gierlichs, Jens Hermans, Atul Luykx, Bart Mennink, Stefan Schiffner, Taizo Shirai, Elmar Tischhauser, Deniz Toz, Kerem Varici, Ingrid Verbauwhede, Frederik Vercauteren, and Kan Yasuda. I would like to express my gratitude to all the current and past Hitachi crypto team members for the warm working atmosphere, including Eriko Ando, Keisuke Hakuta, Yasuo Hatano, Shugo Mikami, Ken Naganuma, Hisayoshi Sato, and Masayuki Yoshino.

My way of pursuing a Ph.D. at COSIC is a bit different from other COSIC members: I live in Japan and work for Hitachi. I needed to build a bridge between COSIC and Japan. In this sense, a special thank you goes to Péla Noë for her incredibly kind support and a special thank you also goes to Sebastiaan Indesteege and Nicky Mouha for their flexible support. I am grateful for the Hitachi directors who have supported me, including Kazuo Takaragi, Satoru Tezuka, Seichi Susaki, Takahiro Fujishiro, Masahiro Mimura, and Tadashi Kaji.

I am grateful to Prof. Günter Müller for philosophical and enjoyable discussions. Last but not least, I would like to thank my family members Masao, Yoko, Yayoi, Masako, Nobuyoshi, and my friends for their encouragement, and my wife Ruriko for her warm support and my daughter Leyka for being relatively calm during the writing of this thesis.

Hirotaka Yoshida
Yokohama, January 2013


Abstract

In our modern society, information and communication technology (ICT) is the basis for our daily lives. ICT covers anything that stores, retrieves, transmits or receives information electronically in digital form. The Internet, the Global System for Mobile Communications (GSM), fiber-optic cables, wireless networks, supercomputers, and PCs are influential forms of ICT. The power of computers and communications has allowed systems built on ICT to become important. For ICT systems to be reliable, security is an area that management has to get right, and cryptographic applications can be used to address these security concerns.

Another important observation about our society is that ubiquitous networking and computing have become reality in the course of just ten years. Lightweight devices such as mobile phones, IC cards, and RFID tags are being used on a large scale. Many things that one carries can even support a computation and communication function. However, these lightweight devices have to cope with security problems. These problems have recently opened up an active research area called lightweight cryptography. The main challenge in this area is to design cryptographic primitives or protocols that can be implemented under restricted resources.

Cryptographic hash functions play a very important role in the security of a wide variety of cryptographic applications. A cryptographic hash function is an algorithm that takes as input strings of arbitrary (typically very large) length and maps them to short output strings of fixed length. Since 2005, there has been substantial progress in the cryptanalysis of widely used hash functions such as MD5 and SHA-1. The SHA-2 hash function family was standardized by NIST in 2002. However, the SHA-2 design shares the same design principle as SHA-1, which might be considered a security concern. In response to the cryptanalysis of SHA-1, NIST started the SHA-3 competition in 2007. NIST selected 51 candidates to advance to the first round in 2008, and five SHA-3 finalists to advance to the final round in 2010. NIST finally selected Keccak as the winning algorithm in October 2012.

The research presented in this dissertation is closely related to the SHA-3 competition and to lightweight cryptography. Our first contribution is the design of two block cipher-based hash functions: the general-purpose hash function Lesamnta and the lightweight hash function Lesamnta-LW. In the design of Lesamnta, the main question is whether we can design a new hash function that has advantages over SHA-2. We have tried to answer this question by designing Lesamnta to offer clear arguments for a high security level and to achieve high implementation flexibility on a broad range of platforms. Lesamnta was one of the first-round candidates in the SHA-3 competition, but it did not advance to the second round. In the design of Lesamnta-LW, we have tried to create a unique advantage over the previous lightweight primitives. As a result, it is software-oriented and mainly targeted at 8-bit processors, whereas previous proposals are hardware-oriented.

Our second contribution is a security analysis of hash functions. We have contributed actively to the security analysis of block cipher-based hash functions such as HAVAL, MAME, SHA-256, and Tiger. We have also investigated the security of the second-round SHA-3 candidate Luffa. The main questions were how strong the diffusion layer is and how we can exploit the fact that no secret information is involved in the computation of a hash function. We have tried to answer them by applying differential cryptanalysis with advanced optimization techniques to reduce the attack complexity. Our analysis has produced results which can be viewed as evidence for the security margin of these hash functions.


Samenvatting (Summary in Dutch)

In our modern society, information and communication technology (ICT) is the basis of our daily lives. ICT covers anything that stores, retrieves, transmits or receives information electronically in digital form. The Internet, the GSM network, fiber-optic cables, wireless networks, supercomputers and PCs are influential forms of ICT. The power of computers and communication has allowed systems to become important with the help of ICT. For ICT systems to be reliable, getting security right is a very relevant area for management. To resolve security concerns, cryptographic applications can be used.

Another important insight into our society is that ubiquitous networks and computing have become reality in the course of just ten years. Lightweight devices such as mobile phones, IC cards and RFID tags are used on a large scale. Many things that one carries can even support a computation or communication function. However, these lightweight devices have to cope with security problems. These problems in such devices have recently opened up an active research area called lightweight cryptography. The main challenge in this area is to design cryptographic primitives or protocols that must be implemented with limited resources.

Cryptographic hash functions play a very important role in the security of a wide variety of cryptographic applications. A cryptographic hash function is an algorithm that accepts as input strings of arbitrary (usually very large) length and maps them to short strings of a fixed length. Since 2005, considerable progress has been made in the cryptanalysis of commonly used hash functions such as MD5 and SHA-1. The SHA-2 family of hash functions was standardized by NIST in 2002. However, the design of SHA-2 follows the same design principle as SHA-1, which can be considered a security problem. In response to the cryptanalysis of SHA-1, NIST started the SHA-3 competition in 2007. NIST selected 51 candidates to advance to the first round in 2008, and five SHA-3 finalists to advance to the final in 2010. NIST finally selected Keccak as the winning algorithm in October 2012.

The research presented in this dissertation is closely connected to the SHA-3 competition and to lightweight cryptography. Our first contribution is the design of two block-cipher-based hash functions: the hash function Lesamnta for general purposes and the hash function Lesamnta-LW for lightweight applications. In the design of Lesamnta, the main question is whether we can design a new hash function that has advantages over SHA-2. We have tried to answer this question by designing Lesamnta, which aims to offer clear arguments for a high security level and to achieve high implementation flexibility on a wide variety of platforms. Lesamnta was one of the first-round candidates of the SHA-3 competition, but did not advance to the second round. In the design of Lesamnta-LW, we have tried to create a unique advantage over the previous lightweight primitives. As a result, it is mainly software-oriented and targeted at 8-bit processors, whereas earlier proposals are hardware-oriented.

Our second contribution is a security analysis of hash functions. We have contributed actively to the security analysis of block-cipher-based hash functions such as HAVAL, MAME, SHA-256 and Tiger. On the other hand, we have investigated the security of the second-round SHA-3 candidate Luffa. The main questions were how strong the diffusion layer is and how we can make use of the fact that no secret information is involved in the computation of a hash function. We have tried to answer these by applying differential cryptanalysis with advanced optimization techniques to reduce the attack complexity. Our analysis has produced results that can be viewed as evidence for the security margin of these hash functions.


Contents

Acknowledgements i

Abstract iii

Samenvatting v

Contents vii

List of Figures xv

List of Tables xvii

List of Abbreviations xxi

I Design and Analysis of Cryptographic Hash Functions 1

1 Introduction . . . 3
1.1 Motivation . . . 3
1.2 Research Goals . . . 4
1.3 Outline . . . 5

2 Cryptographic Hash Functions . . . 7
2.1 Introduction . . . 7
2.2 Hash Function Requirements . . . 7
2.2.1 Preimage Resistance . . . 8
2.2.2 Second Preimage Resistance . . . 8
2.2.3 Collision Resistance . . . 9
2.3 Iterated Hash Functions . . . 9
2.4 Additional Security Properties . . . 10
2.4.1 Near-Collision Resistance . . . 10
2.4.2 Length-Extension Attack . . . 10
2.4.3 Indifferentiability from a Random Oracle . . . 10

2.4.4 Multicollision Attack . . . 11
2.4.5 Kelsey-Schneier Attack for Second-Preimage-Finding . . . 11
2.5 Applications of Hash Functions . . . 12
2.5.1 Digital Signature Schemes . . . 12
2.5.2 Key Derivation Function . . . 13
2.5.3 Deterministic Random Bit Generators . . . 13
2.5.4 Message Authentication . . . 13
2.6 Conclusion . . . 14

3 Design of Cryptographic Hash Functions . . . 15
3.1 Introduction . . . 15
3.1.1 The NIST SHA-3 Competition . . . 16
3.1.2 Lightweight Cryptography . . . 17
3.2 The Lesamnta Hash Function . . . 18
3.2.1 Independent Cryptanalysis of the Lesamnta Hash Function . . . 19
3.2.2 On Attacks on the Compression Functions . . . 20
3.2.3 Tweaked Lesamnta (Lesamnta v2) . . . 20
3.3 The Lesamnta-LW Hash Function . . . 22
3.4 Conclusion . . . 26

4 Analysis of Cryptographic Hash Functions . . . 29
4.1 Introduction . . . 29
4.2 HAVAL . . . 29
4.3 Luffa . . . 31
4.4 MAME . . . 32
4.5 SHA-256 . . . 34
4.6 Tiger . . . 37
4.7 Conclusion . . . 37

5 Conclusion and Open Problems . . . 39
5.1 Conclusion . . . 39
5.2 Open Problems and Future Research Directions . . . 42
5.2.1 Open Problems . . . 42
5.2.2 Future Research Directions . . . 43

Bibliography . . . 47

II Publications . . . 57

List of Publications . . . 59

Non-randomness of the Full 4 and 5-pass HAVAL . . . 61
1 Introduction . . . 63
2 Description of the HAVAL Hash Function . . . 64
3 Differential Cryptanalysis of the 4-pass HAVAL in Encryption Mode . . . 65
3.1 Cryptanalysis of Hash Functions in Encryption Mode . . . 65
3.2 Known Attacks on the Reduced 2-Pass and the Full 3-Pass HAVAL . . . 65
3.3 Differential Cryptanalysis of the 4-Pass HAVAL . . . 66
3.4 Implementing the Matrices Ms and Their Multiplication . . . 69
4 Experimental Results . . . 70
5 Conclusions . . . 74
References . . . 74

Analysis of a SHA-256 Variant . . . 79
1 Introduction . . . 81
2 Description of the SHA-256 Hash Function and the SHACAL-2 Block Cipher . . . 83
2.1 Our Variant of SHA-256 . . . 84
3 Previous Work . . . 84
3.1 A Study on the Known Attacks on a Reduced Version of SHACAL-2 . . . 84
3.2 A Study on the Known Results on SHA-256 . . . 85
4 Differential Cryptanalysis of SHA-2-XOR and SHACAL-2-XOR . . . 86
4.1 Search for One-round Iterative Differential Characteristics . . . 86
4.2 The Search Algorithm . . . 88
4.3 The Best One-round Iterative Differential Characteristics . . . 89
4.4 Search for 2-round Iterative Differential Characteristics . . . 89
4.5 Pseudo-collision Attack on SHA-2-XOR Using Iterative Differential Characteristic . . . 91
4.6 Differential Attack on 32-round SHACAL-2-XOR . . . 92
4.7 Improvement of the Pseudo-collision Attack . . . 93
4.8 An Example of a 23-round Pseudo-collision for SHA-2-XOR . . . 94
4.9 The Impact on Round-reduced Versions of the Actual SHA-256 . . . 94
5 Conclusions . . . 94
References . . . 95

Update on Tiger . . . 99
1 Introduction . . . 101
2 Description of the Hash Function Tiger . . . 102
2.1 State Update Transformation . . . 103
2.2 Key Schedule . . . 104
3 Previous Attack on Tiger . . . 105
3.1 High Probability Characteristic for the Key Schedule of Tiger . . . 105
3.2 Message Modification by Meeting in the Middle . . . 106

3.3 The Collision Attack on Tiger-16 . . . 107
4 A Collision Attack on Tiger-19 – Method 1 . . . 108
4.1 A Pseudo-Collision for Tiger-19 . . . 108
4.2 From a Pseudo-Collision to a Collision in Tiger-19 . . . 109
5 Collision Attack on Tiger-19 – Method 2 . . . 110
5.1 The Precomputation Phase of the Attack . . . 111
5.2 The Main Phase of the Attack . . . 112
5.3 Complexity Analysis . . . 114
6 A Pseudo-Near-Collision for Tiger-22 . . . 115
7 A Pseudo-Collision for Tiger-23/128 . . . 116
8 Conclusion . . . 116
References . . . 116
9 Appendix . . . 117
9.1 A Pseudo-Near-Collision for Tiger-21 . . . 117
9.2 A Pseudo-Collision for Tiger-21 . . . 118

MAME: A Compression Function with Reduced Hardware Requirements . . . 121
1 Introduction . . . 123
2 Specification . . . 125
2.1 Notation . . . 125
2.2 The Algorithm of MAME . . . 125
2.2.1 Overview of the Block Cipher . . . 125
2.2.2 The Mixing Function . . . 126
2.2.3 The Key Schedule Function . . . 127
2.2.4 The Round Constants Generation . . . 128
3 Design Rationale . . . 128
3.1 Parameter (input/output) . . . 128
3.2 Structure . . . 129
3.3 The Mode to Construct the Compression Function . . . 129
3.4 The F Function . . . 129
3.5 The Key Schedule Function and the Round Constants . . . 129
4 Security Analysis . . . 129
4.1 Differential and Linear Attacks . . . 130
4.2 A Dedicated Differential Attack . . . 132
4.3 Higher Order Differential Attack . . . 133
4.4 Interpolation Attack . . . 134
4.5 Square Attack . . . 134
4.6 Analysis of the Iterated Hash Function Based on MAME with the MD Strengthening . . . 135
4.7 Regularity Analysis of Reduced MAME . . . 135
5 Performance . . . 136
5.1 Hardware Performance . . . 136
5.2 Software Performance . . . 137
6 Conclusion . . . 137

References . . . 137
7 Appendix . . . 140
7.1 Specifications for MAME-32 . . . 140
7.2 Round Constants . . . 140

SHA-3 proposal: Lesamnta . . . 143
1 Introduction . . . 145
2 Definitions . . . 145
2.1 Glossary of Terms and Acronyms . . . 145
2.2 Algorithm Parameters and Symbols . . . 145
2.3 Functions . . . 146
3 Notation and Conventions . . . 150
3.1 Inputs and Outputs . . . 150
3.2 Bytes . . . 150
3.3 Arrays of Bytes . . . 150
3.4 Endian . . . 151
3.5 Bit Strings . . . 151
3.6 Message Block . . . 152
3.7 SubState256 . . . 152
3.8 SubState512 . . . 153
4 Mathematical Preliminaries . . . 153
4.1 Addition . . . 154
4.2 Multiplication . . . 154
5 Specification . . . 154
5.1 Round Constants . . . 154
5.1.1 Lesamnta-224/256 . . . 154
5.1.2 Lesamnta-384/512 . . . 155
5.2 Preprocessing . . . 155
5.2.1 Padding the Message . . . 156
5.2.2 Parsing the Padded Message . . . 156
5.2.3 Setting the Initial Hash Value . . . 157
5.3 Lesamnta-256 Algorithm . . . 159
5.3.1 Lesamnta-256 Preprocessing . . . 159
5.3.2 Lesamnta-256 Computation . . . 159
5.4 Lesamnta-224 Algorithm . . . 167
5.5 Lesamnta-512 Algorithm . . . 168
5.5.1 Lesamnta-512 Preprocessing . . . 168
5.5.2 Lesamnta-512 Computation . . . 168
5.6 Lesamnta-384 Algorithm . . . 175
6 Performance Figures . . . 176
6.1 Software Implementation . . . 176
6.1.1 8-bit Processors . . . 176
6.1.2 32-bit Processors . . . 177
6.1.3 64-bit Processor . . . 180

6.2 Hardware . . . 181
6.2.1 ASIC Implementation . . . 181
7 Tunable Security Parameters . . . 182
8 Design Rationale . . . 182
8.1 Block-Cipher-Based Hash Functions . . . 182
8.2 Domain Extension . . . 183
8.3 Compression Function . . . 183
8.3.1 PGV Mode . . . 183
8.4 Output Function . . . 184
8.5 Block Ciphers . . . 185
9 Motivation for Design Choices . . . 187
9.1 Padding Method . . . 187
9.2 MMO Mode . . . 187
9.3 Output Function . . . 188
9.4 Block Cipher . . . 188
9.4.1 Mixing Function . . . 189
9.4.2 Key Scheduling Function . . . 191
9.4.3 Round Constants . . . 192
10 Expected Strength and Security Goals . . . 193
11 Security Reduction Proof . . . 194
11.1 MMO Mode . . . 194
11.1.1 Collision Resistance . . . 194
11.1.2 Preimage Resistance . . . 194
11.1.3 Pseudorandom Function . . . 195
11.2 MDO Domain Extension with MMO Functions . . . 195
11.2.1 Collision Resistance . . . 195
11.2.2 HMAC . . . 196
11.2.3 Indifferentiability from the Random Oracle . . . 197
12 Preliminary Analysis . . . 197
12.1 Length-Extension Attack . . . 198
12.2 Multicollision Attack . . . 198
12.3 Kelsey-Schneier Attack for Second-Preimage-Finding . . . 198
12.4 Randomized Hashing Mode . . . 198
12.5 Attacks for Collision-Finding and Preimage-Finding . . . 199
12.5.1 Collision Attacks Using the Message Modification . . . 200
12.6 Attacks for Non-Randomness-Finding . . . 201
12.6.1 Differential and Linear Attacks . . . 201
12.6.2 Interpolation Attack . . . 202
12.6.3 Square Attack . . . 202
12.6.4 Attacks Using the Known-Key Distinguisher . . . 203
13 Advantages and Limitations . . . 205
13.1 Advantages . . . 205
13.2 Limitations . . . 206
14 Applications of Hash Functions . . . 206

Page 17: COSIC · Design and Analysis of Cryptographic Hash Functions Özgül KÜÇÜK Jury: Dissertation presented in partial Prof. dr. Adhemar Bultheel, chairman fulfillment of the requirements

CONTENTS xiii

15 Trademarks . . . 207
16 Acknowledgments . . . 207
References . . . 208

Finding Collisions for Reduced Luffa-256 v2 (Poster) . . . 213
1 Introduction . . . 215
2 Specification of Luffa-256 v2 . . . 216
2.1 Chaining and Round Function . . . 216
2.2 Non-Linear Permutation . . . 216
3 The Collision Attack on 4-step Luffa-256 v2 . . . 217
3.1 The Differential Path . . . 217
3.2 Message Modification . . . 218
4 Conclusion . . . 219
References . . . 219

An AES Based 256-bit Hash Function for Lightweight Applications: Lesamnta-LW . . . 221
1 Introduction . . . 223
2 Design Principle . . . 225
2.1 Padding Method . . . 225
2.2 LW1 Mode . . . 225
2.3 Block Cipher . . . 226
3 Specification . . . 226
3.1 Message Padding . . . 226
3.2 Compression Function and Domain Extension . . . 226
3.3 Block Cipher . . . 227
4 Security Reduction . . . 228
4.1 Collision Resistance . . . 229
4.2 (Second-)Preimage Resistance . . . 231
4.3 Keyed Hashing Mode . . . 231
4.3.1 Keyed-via-IV (KIV) Mode . . . 231
4.3.2 Key-Prefix (KP) Mode . . . 232
5 Preliminary Analysis . . . 234
5.1 Differential and Linear Attacks . . . 234
5.2 Higher Order Differential and Interpolation Attack . . . 234
5.3 Impossible Differential Attack . . . 235
5.4 Related-key Attacks . . . 235
5.5 Collision Attacks Using Message Modification . . . 235
5.6 Attacks on the Lesamnta Compression Function Using Self-Duality . . . 236
6 Implementation Results . . . 236
6.1 Low-Area ASIC Implementation Results . . . 236
6.2 Software Implementation Results . . . 237
6.2.1 8-bit CPU . . . 237


6.2.2 32-bit CPU . . . 238
7 Conclusion . . . 238
References . . . 239
8 Appendix . . . 243
8.1 Lesamnta-LW Example . . . 243
8.2 Proof of Lemma 3 . . . 244
8.3 Proof of Lemma 4 . . . 245

Curriculum Vitae . . . 247


List of Figures

I Analysis and Design of Cryptographic Hash Functions 1

3.1 The round function of Lesamnta-256. . . . 19
3.2 The structure of Lesamnta-LW. . . . 23
3.3 The round function in Lesamnta-LW. . . . 24

II Publications 57

Non-randomness of the Full 4 and 5-pass HAVAL . . . 61
1 One step of the compression function of HAVAL. . . . 77

Analysis of a SHA-256 Variant . . . 79
1 Round function for SHA-256. . . . 98

Update on Tiger . . . 99
1 The round function of Tiger. . . . 104
2 Outline of the message modification step in Tiger. . . . 106
3 The information flow from C6 to C9. . . . 113

MAME: A Compression Function with Reduced Hardware Requirements . . . 121
1 The structure of the encryption function. . . . 125
2 The round function fR. . . . 127

SHA-3 proposal: Lesamnta . . . 143
1 Lesamnta algorithm properties. . . . 145
2 Hexadecimal representations of bit patterns. . . . 150
3 Indices for bytes and bits. . . . 151
4 SubState256 array input and output. . . . 152
5 SubState512 array input and output. . . . 153
6 Last two blocks of a padded message for Lesamnta-224/256 (l ≡ 0 (mod 256)). . . . 156


7 Last two blocks of a padded message for Lesamnta-224/256 (l ≢ 0 (mod 256)). . . . 156
8 Last two blocks of a padded message for Lesamnta-384/512 (l ≡ 0 (mod 512)). . . . 157
9 Last two blocks of a padded message for Lesamnta-384/512 (l ≢ 0 (mod 512)). . . . 157
10 Pseudocode for the Lesamnta-256 computation. . . . 159
11 Round function in EncComp256. . . . 161
12 S-box: substitution values for the byte xy (in hexadecimal format). . . . 163
13 Pseudocode for the Lesamnta-512 computation. . . . 168
14 Round function in EncComp512. . . . 170
15 Domain extension scheme MDO. $h$ is the compression function, and $g$ is the output function. $\mathrm{pad}(M) = M^{(1)} \| M^{(2)} \| \cdots \| M^{(N-1)} \| M^{(N)}$, where pad is the padding function and $M$ is a message input. . . . 183
16 Matyas-Meyer-Oseas (MMO) mode. . . . 184
17 Structure of the encryption function for the hash function, E. . . . 185
18 Structure of the encryption function for the output function, L. . . . 186
19 Type 1 4-branch generalized Feistel network. . . . 189
20 Diagram of HMAC using Lesamnta. $E$ and $L$ are underlying $(n, n)$ block ciphers. $K_{ip} = K \oplus \mathrm{ipad}$ and $K_{op} = K \oplus \mathrm{opad}$. For a message input $M$, $\mathrm{pad}(K_{ip} \| M) = K_{ip} \| M^{(1)} \| \cdots \| M^{(N)}$, where pad is the padding function. $\mathrm{bin}(|K_{op} \| V|)$ represents the $(n-1)$-bit binary representation of the length of $K_{op} \| V$. . . . 196
21 Another representation of FM. . . . 197
22 F permutation. . . . 198
23 Algorithm to compute the plaintexts p and p satisfying the equation. . . . 204

Finding Collisions for Reduced Luffa-256 v2 (Poster) . . . 213

An AES Based 256-bit Hash Function for Lightweight Applications: Lesamnta-LW . . . 221
1 The structure of Lesamnta-LW. . . . 227
2 The round function. . . . 227
3 The algorithm for generating the round constants. . . . 229


List of Tables

I Analysis and Design of Cryptographic Hash Functions 1

3.1 Comparison of RAM-optimized implementations on low-end processors. . . . 25
3.2 Our software implementation estimates on an 8-bit CPU Renesas H8. Three type values are shown depending on the implementation policy, namely ROM-optimized, RAM-optimized, and balanced. By short message we mean a message whose length is less than 128 bits. . . . 25
3.3 Our ASIC implementation estimates of Lesamnta-LW, with known results on other hash functions. For Impl. Scope, Full means a fully autonomous implementation including the complete functionality of a hash function while Core means an implementation of the core functionality comprising only important parts of a hash function such as the compression function. The digest size of SHA-3 candidates is omitted. . . . 26
4.1 A table representing the difference propagation through the L-function of MAME. The row corresponds to truncated input differences of L and the column corresponds to truncated output differences of L. We put 0 at the i-th row and the j-th column if the input difference i cannot propagate to the output difference j through L, otherwise we put 1. . . . 34

II Publications . . . 57

Non-randomness of the Full 4 and 5-pass HAVAL . . . 61
1 The best probability for 8 steps in the case of ∆(X, X′) = X ⊕ X′. . . . 71
2 The best probability for 8 and 32 steps in the case of ∆(X, X′) = X ⊕ X′. . . . 71
3 The best probabilities over different keys. . . . 72


4 The high probabilities at the same pair of input difference and output difference for each pass. . . . 73
5 The best probability for 8 and 32 steps in the case of ∆(X, X′) = X − X′. . . . 74

Analysis of a SHA-256 Variant . . . 79
1 The best previous result and our result. . . . 85
2 The search algorithm. . . . 89
3 One round iterative differential characteristic with the best probability $2^{-8}$. . . . 90
4 A differential property on non-linear functions. . . . 91
5 The condition for register values at each time to result in the required difference after 19 rounds. . . . 93
6 The input modification. . . . 94
7 A Message and Register values producing a 23-round pseudo-collision for SHA-2-XOR. . . . 95

Update on Tiger . . . 99
1 Overview of attacks on the Tiger hash function. . . . 102
2 Notation. . . . 103
3 A collision-producing differential characteristic. . . . 111

MAME: A Compression Function with Reduced Hardware Requirements . . . 121
1 Branch table for differential attacks . . . 132
2 Difference propagation for 15 rounds . . . 141
3 µ values for MAME-32 with different diffusion layers . . . 141
4 Comparison of hardware implementation of MAME with SHA-256 . . . 141
5 Comparison of software implementation of MAME with SHA-256 . . . 142
6 Round constants . . . 142

SHA-3 proposal: Lesamnta . . . 143
1 Execution time and memory requirements for Lesamnta on the Atmel® AVR® ATmega8515 in assembly language. . . . 176
2 Execution time and memory requirements for Lesamnta on the Renesas® H8®/300L processor in assembly language. . . . 177
3 Execution time and memory requirements for Lesamnta on the Renesas® H8®/300L processor in C language. . . . 177
4 NIST Reference Platform. . . . 178
5 Performance figure of implementations in ANSI C language with NIST API on the NIST Reference Platform. . . . 178
6 NIST Reference Platform. . . . 179
7 Performance figure of implementations in assembly language on the Intel® Core™ 2 Duo processor. . . . 179


8 Performance figure of implementations in ANSI C language with NIST API on the ARM® ARM926EJ-S™ processor. . . . 180
9 NIST 64-bit Reference Platform. . . . 180
10 Performance figure of implementations in ANSI C language with NIST API on the NIST 64-bit Reference Platform. . . . 181
11 64-bit Platform used for measurement of assembly codes. . . . 181
12 Performance figure of implementations in assembly language on the Intel® Core™ 2 Duo processor. . . . 182
13 ASIC implementation estimates of Lesamnta. . . . 183
14 Expected strength of Lesamnta. . . . 193
15 Characteristic for the collision attack. . . . 204
16 Characteristic for the Square attack. . . . 205

Finding Collisions for Reduced Luffa-256 v2 (Poster) . . . 213
1 The truncated differential path for Qj. . . . 218
2 Position correspondence between active S-boxes and message bundles. . . . 219

An AES Based 256-bit Hash Function for Lightweight Applications: Lesamnta-LW . . . 221
1 Our ASIC implementation estimates of Lesamnta-LW, MAME, and SHA-256 with known results on other hash functions. The digest size of SHA-3 candidates is omitted. . . . 237
2 Our estimates of RAM/ROM requirements on low-cost 8-bit CPUs. . . . 238
3 Our software implementation estimates on an 8-bit CPU Renesas® H8®. Three type values are shown depending on the implementation policy, namely ROM-optimized, RAM-optimized, and balanced. . . . 238
4 Our software implementation estimates on the Intel® Core™ i5 processor where, for our estimate of the speed of SHA-256, we use the code used in OpenSSH. . . . 239


List of Abbreviations

AES Advanced Encryption Standard
API Application Programming Interface
ARX Addition modulo $2^n$, Bit Rotation and XOR
COSIC Computer Security and Industrial Cryptography
CP Chosen Plaintext
CPU Central Processing Unit
DES Data Encryption Standard
DRBG Deterministic Random Bit Generator
ESAT Electronics, Systems, Automation and Technology
FIPS Federal Information Processing Standards
FPGA Field-Programmable Gate Array
FSM Finite State Machine
GB Gigabyte
GHz Gigahertz
IBM International Business Machines Corporation
ISO International Organization for Standardization
IV Initial Value
KDF Key Derivation Function
KP Known Plaintext
LNCS Lecture Notes in Computer Science
LSB Least Significant Bit
MAC Message Authentication Code
MD4 Message Digest Algorithm 4
MD5 Message Digest Algorithm 5
MDS Maximum Distance Separable
MitM Meet-in-the-Middle Attack
MSB Most Significant Bit
NIST National Institute of Standards and Technology
PC Personal Computer
Ph.D. Doctor of Philosophy
PGV Preneel, Govaerts, and Vandewalle
PRF Pseudo-random function


RAM Random Access Memory
RFID Radio Frequency Identification
RIPEMD RACE Integrity Primitives Evaluation Message Digest
RSA Algorithm by Rivest, Shamir and Adleman
S-box Substitution Box
SHA Secure Hash Algorithm
US United States
XOR Exclusive OR

Page 27: COSIC · Design and Analysis of Cryptographic Hash Functions Özgül KÜÇÜK Jury: Dissertation presented in partial Prof. dr. Adhemar Bultheel, chairman fulfillment of the requirements

Part I

Design and Analysis of Cryptographic Hash Functions



Chapter 1

Introduction

1.1 Motivation

In our modern society with advanced information communication technologies, systems dealing with digital documents and contents offer convenient and ubiquitous access to information over networks; this was not possible in the legacy paper-based society. However, a malicious person can typically obtain electronic documents more easily than paper documents. Consequently, the risk of illegal copying or illegal modification is higher. Furthermore, according to the law concerning digital documents issued in Japan and in other countries, long-term protection is needed for digital documents: this is a challenging and difficult problem that requires advanced security techniques that protect information against forgery and manipulation.

Small and smart devices such as smart phones and smart cards are widely used for various kinds of electronic services for payment and information exchange. As a result, our environment has become "ubiquitous": many things that one carries or wears support a communication function. On the other hand, there exists a risk of illegal use of smart devices that have been lost or stolen. Therefore, user authentication has become a necessary function to construct a secure ubiquitous environment.

To meet this demand from society, techniques to achieve data integrity and user authentication in systems using smart devices are increasingly needed. To achieve these security requirements, security mechanisms such as message authentication codes (MACs) and digital signature schemes are used. One reasonable way to construct these mechanisms is to use a hash function as a key component in them. In this way, the security of these methods is based on that of a hash function. In a ubiquitous environment, computers or client terminals range from high-end servers and PCs to micro-controllers and IC cards with limited resources and/or power for computation. However, lightweight devices have to cope


with security problems. These problems in such devices have recently opened up an active research area called lightweight cryptography. The main challenge in this area is to design cryptographic primitives or protocols that meet the system requirements. They should be implemented under restricted resources, such as low-cost, low-energy, or low-power environments.

Cryptographic hash functions are cryptographic primitives that play a very important role in the security of a wide variety of cryptographic applications. A hash function is often designed as a combination of a compression function, which takes input data of a fixed length, and a domain extender, which determines a way of using the compression function to process data of arbitrary length.

However, over the past years researchers have presented serious weaknesses in the most deployed hash functions such as MD5 and SHA-1 [104, 105]. It has been reported that the most popular domain extender, namely the Merkle-Damgård construction, adopted by many hash functions including SHA-1, is not ideally secure against some generic attacks. The SHA-2 hash function family was standardized by NIST in 2002; it aims to replace SHA-1. However, the SHA-2 design shares the same design principle with SHA-1, which might be considered a security concern. In response to the cryptanalysis of SHA-1, NIST started the SHA-3 competition in 2007. NIST selected 51 candidates to advance to the first round in December 2008, and five SHA-3 finalists to advance to the final round in December 2010. NIST finally selected Keccak as the winning algorithm in October 2012.

In view of the above context, we have started our research by analyzing hash functions; subsequently we have designed a family of hash functions that are secure for the next generation and efficient on a wide range of platforms. We believe that our research efforts and results will contribute to a secure ubiquitous society.

1.2 Research Goals

The research presented in this dissertation is closely related to the SHA-3 competition and to lightweight cryptography. Our first research goal is the design of two hash functions: the general-purpose hash function Lesamnta and the lightweight hash function Lesamnta-LW. In both cases, our design philosophy is rather conservative: both hash functions are block cipher-based hash functions. Our motivation to take this philosophy is to benefit from the maturity of block cipher cryptanalysis and from formal security reductions.

In view of the strongest attacks, including the collision attack on SHA-1, we prove a bound related to differential cryptanalysis for the underlying block cipher and then limit the degrees of freedom that the attacker can use.

In the design of Lesamnta, the main question is whether we can design a new hash function that has advantages over SHA-2 in terms of security and performance. We have tried to answer this question by designing Lesamnta, which aims to offer convincing and simple arguments for a high security level and


an excellent performance on a broad range of platforms including low-end 8-bit processors.

Lesamnta was one of the first round candidates in the SHA-3 competition but it did not proceed to the second round.

In the design of Lesamnta-LW, we have tried to create a unique advantage over the previous lightweight primitives in terms of security and performance. As a result, it is mainly targeted at 8-bit processors (software) while previous proposals are hardware-oriented with a small footprint. The distinct features of Lesamnta-LW are compactness, high speed, and a very good tradeoff between speed and cost on 8-bit CPUs as well as a very high security level.

Our second research goal is the security analysis of hash functions. We have contributed actively to the security analysis of block cipher-based hash functions. Since analysis and design are closely related, the methods and the results of our analysis are of independent interest while they are of particular importance in our designs, Lesamnta and Lesamnta-LW.

We have first focused on the most popular block cipher-based designs, which were inspired by MD5 and SHA-1. The use of strong non-linear components seems to have increased the confidence in the security of hash functions such as HAVAL and Tiger. The main questions were how strong the diffusion layer is and how we can exploit the fact that no secret information is involved in the computation of a hash function. We tried to answer them by applying advanced differential cryptanalysis dealing with multiple paths and by applying a meet-in-the-middle attack. Consequently, we have pointed out that the security margin of each of these hash functions is not as large as one could hope for.

On the other hand, for hash functions such as SHA-256, MAME, and Luffa, our analysis has produced results which can be viewed as evidence for a large security margin. As for SHA-256, our differential cryptanalysis reveals how much the combined use of arithmetic additions and exclusive-ors can improve the security. As for MAME, on which our design of Lesamnta and Lesamnta-LW is based, we show that its underlying block cipher has a large security margin against any relevant attack by applying block cipher cryptanalysis techniques with computer-aided experiments. We have also contributed to the SHA-3 competition through the evaluation of the second round candidate Luffa, the design of which is based on a variant of the sponge construction [11]. Our approach optimizes the attack complexity with a sophisticated search algorithm for a differential collision.

1.3 Outline

This dissertation is based on publications and consists of two parts. The first part gives a brief introduction to the area of cryptographic hash functions: it clarifies their importance and explains the relevant concepts. It also summarizes our contributions to the design and analysis of cryptographic hash functions. The


second part consists of a selection of our publications that we reproduced for this dissertation. For a detailed list of publications, see p. 59.

This first part consists of five chapters. Chapter 1 explains why we research the area of cryptographic hash functions. Chapter 2 gives a brief introduction to cryptographic hash functions: their relevant requirements and properties are defined, their applications are explained, and then some key results with respect to design and analysis are discussed. Chapters 3 and 4 summarize our contributions.

It is not our ambition for these chapters to give a complete overview of the literature but rather to clarify how our publications achieve one goal: a deep understanding of the design and analysis of cryptographic hash functions. Finally, Chapter 5 concludes and indicates some possible directions for future work.


Chapter 2

Cryptographic Hash Functions

2.1 Introduction

This chapter presents a brief introduction to cryptographic hash functions, their security properties and applications.

Cryptographic hash functions achieve certain security properties. An attack, consisting of an efficient algorithm, shows that a certain security property is not achieved. The existence of an attack on a hash function means that it is insecure and considered broken. This chapter discusses the most important attacks.

We refer to Preneel's theoretical treatment in [83] for more details and deeper discussions. Note that, in general, hash functions in computer science include those used for database indexing [55] that may not require cryptographic properties. Hereafter, we only consider cryptographic hash functions.

2.2 Hash Function Requirements

A cryptographic hash function is an algorithm that takes input strings of arbitrary (typically very large) length and maps them to short output strings of fixed length of n bits. Many different terms have been used for the output string. Among these are the hash value and the message digest. A hash function returning an n-bit hash value is called an n-bit hash function. The description of a hash function must be publicly known and should not require any secret information for its operation. It is commonly believed that a cryptographic hash function has to satisfy the following requirements [68]:

Preimage resistance. It is computationally infeasible to find any input which hashes to any pre-specified output.

Second preimage resistance. It is computationally infeasible to find any second input which has the same output as any specified input.


Collision resistance. It is computationally infeasible to find a collision, that is, two distinct inputs that hash to the same output.

Intuitively speaking, the first (second) requirement corresponds to the property that it is 'hard' to find a (second) preimage of a given value in the range. Regarding each of these requirements, there exist generic attacks that apply to all hash functions.

The computing power required for such attacks can be estimated as a function of n. The value of n is chosen such that these attacks are not feasible in practice and, consequently, it is typically somewhere between 128 and 512. The cryptanalyst may attempt to attack a hash function in the following sense: for his purpose of showing that one of the requirements is not met for a particular hash function h, he may try to develop an algorithm to find a preimage, a second preimage or a collision. If he succeeds in developing an efficient shortcut attack that requires considerably less computing power than any generic attack does, this clearly indicates that his purpose is achieved and the hash function h is considered broken. Any attack that shows that the hash function does not meet one of these requirements is considered to be a serious attack.

In addition to the specific requirements mentioned above, it is often expected that a hash function is very efficient and "behaves like a random mapping" (cf. Section 2.4.3 for a more formal statement).

2.2.1 Preimage Resistance

A preimage is a message hashed to a given value. In a preimage attack, the adversary is given y = h(M) for some randomly chosen message M which the attacker does not know.

A generic attack for finding preimages for a hash function is exhaustive search. Choose a random message, hash it, and check if the hash value is the given one. If not, continue. For an n-bit hash function, it is expected that $2^{n-1}$ messages are needed to find a preimage under the assumption that the hash function is balanced in the sense that, for any given image y, the size of the corresponding set $h^{-1}(y)$ of preimages hashing to that image is about the same. The complexity of this attack is $2^n$.

In practice, the attacker is frequently given multiple target images and has to solve only a single instance; this makes his task easier. If he is given $2^t$ target images, finding a preimage will take expected time $2^{n-t-1}$.

2.2.2 Second Preimage Resistance

A second preimage is a message (different from the first preimage) hashed to the same value as the one to which the first preimage is hashed. In a second preimage attack, the adversary is given some randomly chosen message M as the first preimage. He also knows its image since the description of the hash function is publicly known.


An exhaustive search can be used as a generic attack to find second preimages. Note that, when randomly selecting messages, the probability that the second preimage is equal to the first one is negligible since the input set of the hash function is much larger than the output set.

2.2.3 Collision Resistance

A generic attack for finding collisions for a hash function is the following. Choose a random message, hash it, and check if that hash has been seen before. If not, continue. With q messages, the number of message pairs is $q(q-1)/2 \approx q^2/2$. For an n-bit hash function, it is expected that about $2^n$ distinct message pairs are needed to find a collision since two random n-bit strings are equal with probability $2^{-n}$. Hence, with $q \approx 2^{(n+1)/2}$ (for large n), the expected number of collisions is one. This complexity is usually simplified to $2^{n/2}$. With $2^{n/2}$ queries, the probability of a collision is about $1 - e^{-1/2} \approx 0.39$. This attack is called the birthday attack. The term comes from the following fact: if there are only 23 people in a room, the probability that two people were born on the same day of the year is larger than 0.5. It is paradoxically surprising that such a low number of people is needed; hence, this fact is known as the birthday paradox. Therefore, the best possible collision resistance that can be achieved for an n-bit hash function is no more than $2^{n/2}$.
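The exhaustive preimage search of Section 2.2.1 (including its multi-target variant) and the birthday attack just described, as an added Python example that is not part of the dissertation; the n-bit hash is SHA-256 truncated to its leading n bits and the candidates are random 8-byte strings, both assumptions made here so that the $2^{n-1}$, $2^{n-t-1}$ and $2^{n/2}$ work factors can be observed for small n.

```python
"""Generic (brute-force) preimage and collision searches on a truncated hash.

Added example, not part of the dissertation: it runs the exhaustive preimage
search of Section 2.2.1 (single target and 2^t targets) and the birthday
attack of Section 2.2.3 against an n-bit hash obtained by truncating SHA-256,
so the 2^(n-1), 2^(n-t-1) and 2^(n/2) work factors can be observed for small n.
Truncating SHA-256 to n bits and drawing 8-byte random candidates are
assumptions made here, not anything the dissertation specifies.
"""
import hashlib
import math
import os
from typing import Dict, Iterable, Optional, Tuple


def truncated_hash(message: bytes, n: int) -> int:
    """An n-bit hash: the leading n bits of SHA-256(message), as an integer."""
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return digest >> (256 - n)


def birthday_probability(q: int, space: int) -> float:
    """Approximate probability that q uniformly random values drawn from a set
    of size `space` contain at least one repeat: 1 - exp(-q(q-1)/(2*space)).
    For an n-bit hash, space = 2**n; for birthdays, space = 365."""
    return 1.0 - math.exp(-q * (q - 1) / (2.0 * space))


def birthday_probability_exact(q: int, space: int) -> float:
    """Exact version of birthday_probability, as a product over the q draws."""
    no_repeat = 1.0
    for i in range(q):
        no_repeat *= 1.0 - i / space
    return 1.0 - no_repeat


def preimage_search(targets: Iterable[int], n: int,
                    max_trials: int) -> Tuple[Optional[bytes], Optional[int], int]:
    """Exhaustive search: hash random messages until one hits any target value.
    With a single target the expected work is 2^(n-1) evaluations; with 2^t
    targets it drops to 2^(n-t-1). Returns (message, target hit, trials)."""
    target_set = set(targets)
    for trials in range(1, max_trials + 1):
        candidate = os.urandom(8)
        value = truncated_hash(candidate, n)
        if value in target_set:
            return candidate, value, trials
    return None, None, max_trials


def collision_search(n: int) -> Tuple[bytes, bytes, int]:
    """Birthday attack: hash random messages, remember every value seen, and
    stop at the first value that repeats for a different message.
    Expected work is about 2^(n/2) evaluations. Returns (m1, m2, trials)."""
    seen: Dict[int, bytes] = {}
    trials = 0
    while True:
        trials += 1
        candidate = os.urandom(8)
        value = truncated_hash(candidate, n)
        earlier = seen.get(value)
        if earlier is not None and earlier != candidate:
            return earlier, candidate, trials
        seen[value] = candidate


if __name__ == "__main__":
    n = 20  # small enough that both searches finish in about a second
    m1, m2, work = collision_search(n)
    print(f"{n}-bit collision after {work} evaluations "
          f"(expected about 2^{n // 2} = {2 ** (n // 2)})")
    target = truncated_hash(b"constructed target message", n)
    _, _, work = preimage_search([target], n, 1 << (n + 4))
    print(f"{n}-bit preimage after {work} evaluations "
          f"(expected about 2^{n - 1} = {2 ** (n - 1)})")
    print(f"P[collision] with 2^{n // 2} queries: "
          f"{birthday_probability(2 ** (n // 2), 2 ** n):.3f}")
    print(f"P[shared birthday] among 23 people: "
          f"{birthday_probability_exact(23, 365):.3f}")
```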

Collision resistance and second preimage resistance each independently imply preimage resistance. Rogaway and Shrimpton [93] give seven different definitions corresponding to these three underlying ideas and then investigate all of the implications and separations among these seven definitions within the provable-security framework. This work was improved and extended by Andreeva and Stam [2].

2.3 Iterated Hash Functions

Most hash functions proposed so far are so-called iterated hash functions, which are constructed from a compression function. They work as follows. Let h be a compression function, that is, a function that compresses a fixed-length input. The message M is padded to a multiple of the block length and subsequently divided into t blocks M_1, . . . , M_t. Then the hash value is taken as H_t, where H_i = h(H_{i−1}, M_i) and H_0 = IV is called an initializing value or initialization vector. The values H_i are called the chaining variables or chaining values.

In order to satisfy the security requirements, most iterated hash functions use Merkle-Damgård (MD) strengthening [30], which fixes the IV, uses an unambiguous padding method, and appends the message length to the message.


2.4 Additional Security Properties

During the last years, new constructions and concepts have been introduced and, consequently, several novel attacks have been proposed. One expects modern hash functions to also satisfy these additional security properties. However, this may have performance implications due to the inherent security/performance trade-offs.

2.4.1 Near-Collision Resistance

It is usually expected that a hash function satisfies near-collision resistance. This property is defined in [68] as follows:

It should be hard to find any two inputs x, x′ such that h(x) and h(x′) differ in only a small number of bits.

For instance, if the subset is of size m bits, then finding a collision in the subset (called a near-collision in h) is expected to require 2^(m/2) queries to h. In [57], a first approach to finding near-collisions is given as a simple extension of the birthday attack, and another approach using coding theory is investigated.

2.4.2 Length-Extension Attack

Consider a string x that is at least n bits long. In a length-extension attack, an attacker who does not know x can predict h(x‖y) from h(x) and y with probability larger than that of guessing the hash value. One method for precluding length-extension attacks is for the hash function to use a preimage resistant output function, that is, a function applied in a final step to map the chaining variable to an n-bit result. The output function used in this method is different from the compression function. In the absence of an output function, the last chaining value is equal to h(x) and thus known. This makes it easy to extend the message.

MAC algorithms are often constructed from hash functions. One example is the secret-prefix method: for a hash function h and a secret key K, the secret-prefix method [101] computes the tag of a message m as h(K‖m). In view of this, the length-extension attack is defined in [95] as follows: the attacker obtains the tag σ for a message m. Without knowing the values of K and m, he can compute a tag σ′ for a message m′ = m‖z for any z by computing σ′ = C(σ, z), where C is the underlying compression function used in h.
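The following Python code is an added illustration, not part of the dissertation or of any standardized hash function. It builds a toy iterated hash with MD strengthening (the construction of Section 2.3, with a compression function made from truncated SHA-256 purely as a random-looking fixed-length function), shows that the secret-prefix tag h(K‖m) exposes the last chaining value so that the iteration can be continued as σ′ = C(σ, z) once the length of K‖m is known, and shows that the same step no longer produces a valid tag when the hash applies a separate output function to the last chaining value, as recommended above. The block length, output length, key and messages are constructed values.

```python
import hashlib
import struct
from typing import Tuple

BLOCK = 32           # block length in bytes (toy parameter)
N_BYTES = 16         # chaining value and output length in bytes (n = 128)
IV = bytes(N_BYTES)  # fixed IV, as MD strengthening requires


def compress(h_prev: bytes, block: bytes) -> bytes:
    """Toy compression function h(H_{i-1}, M_i): fixed-length input, n-bit
    output. Built from SHA-256 here only as a convenient random-looking map."""
    assert len(h_prev) == N_BYTES and len(block) == BLOCK
    return hashlib.sha256(h_prev + block).digest()[:N_BYTES]


def md_pad(msg_len: int) -> bytes:
    """Unambiguous MD-strengthening padding for a message of msg_len bytes:
    a 0x80 byte, zero bytes, then the length in bits as a 64-bit big-endian
    integer, ending on a block boundary."""
    pad = b"\x80"
    while (msg_len + len(pad) + 8) % BLOCK != 0:
        pad += b"\x00"
    return pad + struct.pack(">Q", msg_len * 8)


def md_hash(msg: bytes, h0: bytes = IV) -> bytes:
    """Plain iterated hash: H_i = h(H_{i-1}, M_i); the output is H_t itself."""
    data = msg + md_pad(len(msg))
    h = h0
    for i in range(0, len(data), BLOCK):
        h = compress(h, data[i:i + BLOCK])
    return h


def output_function(h_t: bytes) -> bytes:
    """A separate finalisation g(H_t), different from the compression function,
    so that the last chaining value is never exposed (Section 2.4.2)."""
    return hashlib.sha256(b"finalise" + h_t).digest()[:N_BYTES]


def md_hash_with_output(msg: bytes) -> bytes:
    return output_function(md_hash(msg))


def secret_prefix_mac(key: bytes, msg: bytes, hash_fn=md_hash) -> bytes:
    """Secret-prefix MAC h(K || m)."""
    return hash_fn(key + msg)


def extend_from_tag(tag: bytes, known_len: int, z: bytes) -> Tuple[bytes, bytes]:
    """The extension step sigma' = C(sigma, z): treat the tag as the chaining
    value after K||m||pad and keep iterating over z (plus the new padding).
    Returns the suffix the extended message carries (old padding, then z)
    and the tag this yields for K||m||pad||z. Neither K nor m is used."""
    glue = md_pad(known_len)
    forged_suffix = glue + z
    total_len = known_len + len(forged_suffix)
    data = z + md_pad(total_len)
    h = tag
    for i in range(0, len(data), BLOCK):
        h = compress(h, data[i:i + BLOCK])
    return forged_suffix, h


def check_extension(key: bytes, msg: bytes, z: bytes) -> Tuple[bool, bool]:
    """Does the extended tag verify? Returned for the plain MD hash and for the
    MD hash with an output function; expected (True, False)."""
    known_len = len(key) + len(msg)
    tag = secret_prefix_mac(key, msg)
    suffix, forged = extend_from_tag(tag, known_len, z)
    plain_ok = forged == secret_prefix_mac(key, msg + suffix)
    tag2 = secret_prefix_mac(key, msg, md_hash_with_output)
    suffix2, forged2 = extend_from_tag(tag2, known_len, z)
    with_output_ok = forged2 == secret_prefix_mac(key, msg + suffix2, md_hash_with_output)
    return plain_ok, with_output_ok
```

The plain construction accepts the extended tag because the tag is the chaining value H_t; with the output function the tag is g(H_t), the extension starts from the wrong state, and the recipient rejects it. The same observation is why HMAC, whose outer hash acts as an output function, is preferred over the secret-prefix method.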

2.4.3 Indifferentiability from a Random Oracle

In cryptography, proofs are often relative: a scheme is proven secure under the assumption that some computational problem is difficult to solve. It is common for provably-secure schemes that proofs are conducted in some idealised model. The Random Oracle Model (ROM), proposed by Fiat and Shamir [36] and formalized by Bellare and Rogaway [10], is a model of this kind. In the ROM, we have a public random function (random oracle) which accepts any string. For each element in its domain, the corresponding n-bit output is uniform and independent of all other outputs.

The concept of indifferentiability was introduced by Maurer et al. [64]. Coron et al. [26] applied this concept to the construction of hash functions and showed that indifferentiability from a random oracle partly validates the use of a hash function to instantiate a random oracle. However, since iterated hash functions with MD strengthening such as MD5 and SHA-1 are vulnerable to the length-extension attack, it is easy to differentiate them from a random oracle even if the underlying compression function is truly random. Security against the length-extension attack is thus a necessary condition for indifferentiability from a random oracle. Many cryptographic protocols are proved secure under the assumption that the underlying hash functions are random oracles. However, there are counterexamples: schemes that are proven secure in the ROM but become insecure if they are instantiated with a fixed hash function [23].

2.4.4 Multicollision Attack

Joux [51] studied the generalization of collisions to r-way collisions: for an integer r greater than 1 and a function h, an r-way collision (or r-multicollision) for h is an r-subset {x_0, ..., x_{r−1}} such that h(x_0) = h(x_1) = ... = h(x_{r−1}). A generic attack for r-way collisions on an n-bit hash function has time complexity O(2^(n(r−1)/r)). When r = 2, the time complexity for finding a collision is O(2^(n/2)). An r-way collision or r-multicollision attack consists of an algorithm which finds an r-multicollision set with complexity significantly less than O(2^(n(r−1)/r)).

Joux has shown an r-multicollision attack on classical iterated hash functions such as SHA-1 and SHA-2 with time complexity O(r · 2^(n/2)), which is significantly lower than brute force. Joux also showed how the multicollision attack implies that the concatenation of two iterated hash functions h(x)‖g(x) is only as secure as the stronger of the two.
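As an added example (not from the dissertation), the Python code below carries out Joux's construction on a toy iterated hash with a 16-bit chaining value: k single-block birthday collisions are chained, each starting from the chaining value the previous one produced, and every choice of one block per position gives one of 2^k messages with the same final chaining value. The counted work is compared with the generic bound 2^(n(r−1)/r) quoted above. The compression function (truncated SHA-256), the block length and the starting chaining value are constructed for the illustration.

```python
import hashlib
from itertools import product
from typing import Dict, List, Tuple

N_BITS = 16  # chaining-value size n in bits (toy value so the search runs instantly)
BLOCK = 4    # message block length in bytes


def compress(h: int, block: bytes) -> int:
    """Toy compression function h(H_{i-1}, M_i) with an n-bit chaining value,
    built from truncated SHA-256 as a convenient random-looking function."""
    digest = hashlib.sha256(h.to_bytes(N_BITS // 8, "big") + block).digest()
    return int.from_bytes(digest[:N_BITS // 8], "big")


def iterate(h0: int, blocks: List[bytes]) -> int:
    """H_i = h(H_{i-1}, M_i). Padding is not modelled: all messages of the
    multicollision have the same length, so MD strengthening would append the
    same final blocks to each of them and preserve the collision."""
    h = h0
    for b in blocks:
        h = compress(h, b)
    return h


def single_block_collision(h_prev: int) -> Tuple[bytes, bytes, int, int]:
    """Birthday search for two distinct blocks B != B' with
    h(h_prev, B) == h(h_prev, B'). Returns (B, B', common output, queries);
    the expected cost is about 2^(n/2) compressions."""
    seen: Dict[int, bytes] = {}
    for ctr in range(2 ** (8 * BLOCK)):
        b = ctr.to_bytes(BLOCK, "big")
        out = compress(h_prev, b)
        if out in seen:
            return seen[out], b, out, ctr + 1
        seen[out] = b
    raise RuntimeError("block space exhausted without a collision")


def joux_multicollision(h0: int, k: int) -> Tuple[List[Tuple[bytes, bytes]], int, int]:
    """Joux's construction: chain k single-block collisions. Returns the k block
    pairs, the common final chaining value and the total number of
    compressions, about k * 2^(n/2) instead of the generic 2^(n(r-1)/r)."""
    pairs: List[Tuple[bytes, bytes]] = []
    h, work = h0, 0
    for _ in range(k):
        b1, b2, h, queries = single_block_collision(h)
        pairs.append((b1, b2))
        work += queries
    return pairs, h, work


def expand_messages(pairs: List[Tuple[bytes, bytes]]) -> List[List[bytes]]:
    """Every choice of one block per position is a distinct message: 2^k in total."""
    return [list(choice) for choice in product(*pairs)]


def generic_bound(r: int) -> float:
    """Time complexity 2^(n(r-1)/r) of the generic r-way collision search."""
    return 2 ** (N_BITS * (r - 1) / r)


def verify_multicollision(h0: int, pairs: List[Tuple[bytes, bytes]], final: int) -> bool:
    """All 2^k expanded messages are distinct and iterate to the same value."""
    msgs = expand_messages(pairs)
    distinct = len({b"".join(m) for m in msgs}) == len(msgs)
    same_hash = all(iterate(h0, m) == final for m in msgs)
    return distinct and same_hash and len(msgs) == 2 ** len(pairs)
```

With k = 8 the search produces a 256-way multicollision for roughly 8 · 2^8 compressions, whereas the generic bound for r = 256 is close to 2^16; the gap is what the text calls "significantly less than O(2^(n(r−1)/r))", and it grows with k because the cost is linear in k while the number of colliding messages is 2^k.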

2.4.5 Kelsey-Schneier Attack for Second-Preimage-Finding

Kelsey and Schneier [52] provide a second preimage attack on all iterated hash functions with Damgård-Merkle strengthening under the condition that the target message is very long. For a 2^k-message-block message and an n-bit iterated hash function with n-bit intermediate states, the attack can find a second preimage with complexity k × 2^(n/2+1) + 2^(n−k+1). The key idea in their attack is to use expandable messages. An expandable message is a multicollision that yields colliding messages, all of which result in the same chaining value. Unlike Joux's multicollisions, their colliding messages have different lengths and they collide on an intermediate chaining value. Using SHA-1 as an example, their attack can find a second preimage for a 2^60-byte message with complexity 2^106, which is significantly less than the complexity 2^160 of a brute force preimage attack.

2.5 Applications of Hash Functions

Cryptographic hash functions are used in a wide variety of cryptographic applications, many of which are currently specified in ISO/IEC, FIPS and NIST Special Publications; the latter publications require the use of a NIST-approved hash algorithm. These applications include digital signatures (FIPS 186-2) [77], key derivation (NIST Special Publication 800-56A [79]), hash-based message authentication codes (FIPS 198) [78], and deterministic random bit generators (SP 800-90) [80]. In addition, hash functions are needed in any serious cryptographic software library: they are used in applications such as randomness extraction, public key encryption, and certificates.

2.5.1 Digital Signature Schemes

A digital signature scheme is a mathematical scheme providing the capability to generate and verify signatures. The signer has a private key and the verifier knows the corresponding public key. A digital signature is computed according to specified rules in such a way that the identity of the signatory and the integrity of the message can be verified. A hash function can be used in a digital signature scheme; when this is the case, there shall be a binding between the signature scheme and the hash function in use. We give a brief explanation of how a hash function is used in the simplest digital signature schemes: during the signature generation process, a hash function is used to obtain a fingerprint of the message, which is then input to the digital signature algorithm to generate the digital signature. The signature is sent to the verifier appended to the message. The verifier of the message and signature verifies the signature using the sender's public key. During the signature verification process, the same hash function is used to recompute the fingerprint of the message. Digital signature schemes are currently specified in NIST FIPS 186-2 [77], which requires the use of a NIST-approved hash algorithm.

Halevi and Krawczyk [42] proposed a message randomization algorithm called RMX to enhance the security of the hash functions employed in digital signature schemes: this method randomizes the messages to be signed in order to strengthen the collision resistance of the underlying hash functions without altering the specifications of the hash functions and digital signature schemes. Based on their work, NIST Special Publication 800-106 [81] provides a technique to randomize messages that are input to a hash function during the generation of digital signatures using DSA, ECDSA, and RSA.

In an RMX hash-then-sign signature scheme, a signer computes the signature of a message m as follows: he chooses a random value denoted r, and randomizes m by passing the pair (r, m) as input to the RMX algorithm. The randomized message is given by M = RMX(r, m). The signer processes the message M using an n-bit hash function h and obtains the n-bit hash value h(M). The signer signs the hash value h(M) using a signature algorithm and obtains the signature s. The signer sends the triplet (m, r, s) to the verifier, who computes M = RMX(r, m) and provides the pair (M, s) to the verification procedure to verify s.

In [40], Gauravaram and Knudsen show a forgery attack that is applicable to signature schemes based on the variant of RMX standardized by NIST in Special Publication 800-106.

2.5.2 Key Derivation Function

Information systems need to employ cryptographic schemes to protect the integrity and confidentiality of data. However, the use of cryptographic algorithms requires the establishment of shared secret keying material beforehand. Therefore, it is critical to support the cryptographic algorithms used in key establishment schemes. A hash function can be used to construct a key derivation function or a MAC algorithm in key establishment schemes. A key derivation function (KDF) is used to derive secret keying material from a shared secret. The KDF output is only used as secret keying material, such as a symmetric key or a secret initial vector. Key establishment schemes are currently specified in NIST Special Publication 800-56A [79].

2.5.3 Deterministic Random Bit Generators

Techniques for the generation of random bits are often required by applications using cryptography. There are two techniques for generating random bits. One technique is to produce bits non-deterministically, using a physical process; such methods are known as non-deterministic random bit generators (NRBGs). The other technique is to deterministically compute bits using an algorithm; such methods are known as deterministic random bit generators (DRBGs). A DRBG mechanism may be based on a hash function; it typically requires its preimage resistance and needs the ROM assumption: if the hash function is replaced by a random oracle, the hash-function-based DRBG is secure. The security of each hash-function-based DRBG depends on that of the underlying hash function: the maximum security strength that can be supported by this DRBG is the security strength of the underlying hash function. Deterministic random bit generators are currently specified in NIST SP 800-90 [80].

2.5.4 Message Authentication

Message authentication is a down-scaled form of digital signature, where the recipient of a message can check that the message received is identical to the message that was sent. The idea is the following. The sender and recipient agree on a secret key K. The sender computes the message authentication code (MAC) of the message using the key K, and sends both the message and the MAC to the recipient. The recipient verifies that the MAC of the message is correct, given key K. Since the MAC could have been computed by both parties, it cannot be used to prove the identity of the originator of the message to others. The requirement for a MAC algorithm is that it should not be possible for a third party (not knowing the key) to compute a new message/MAC pair that the recipient will accept. (Note that the attacker may repeat a message/MAC pair already sent; this cannot be prevented, and therefore often a timestamp or a counter is included in the message.) A number of MAC algorithms based on cryptographic hash functions have been proposed: the envelope MAC scheme [9], HMAC (hash-based message authentication code), and MDx-MAC [86] are three examples. HMAC is currently specified in NIST FIPS 198 [78]. HMAC is the most commonly used hash-based MAC algorithm.

For a hash function H and a secret key K, HMAC is specified as follows:

HMAC(K, M) = H((K ⊕ opad) ‖ H((K ⊕ ipad) ‖ M)).

A hash function can be used with HMAC to construct a pseudorandom function (PRF). A PRF is defined in [95] as follows:

Definition 1. A pseudorandom function family {PRF(s, x) | s ∈ S} consists of polynomial-time computable functions with an index (also called a seed) s and input variable x, such that when s is randomly selected from S and not known to observers, PRF(s, x) is computationally indistinguishable from a random function defined on the same domain and with output in the same range as PRF(s, x).

When an n-bit hash function is used with HMAC to construct a PRF, that PRF must resist any distinguishing attack that requires much fewer than 2^(n/2) queries.

2.6 Conclusion

In this chapter, we introduced cryptographic hash functions and their properties. First, their fundamental security requirements were described. Second, a wide variety of applications were explained; they impose a set of old and new security properties that hash functions should meet. It is important that the designers of future-proof cryptographic hash functions consider these security properties to resist state-of-the-art attacks.


Chapter 3

Design of Cryptographic Hash Functions

3.1 Introduction

Historically, most cryptographic hash function designs were based on block ciphers. In 1978, Rabin [89] proposed a hash function based on the DES block cipher. In 1990, Rivest designed the dedicated hash function MD4 [91]. The most widely used hash functions today, such as MD5 [92] and SHA-1 [72], are inspired by MD4; functions of this type are called members of the MD4 family. In 2002, the National Institute of Standards and Technology (NIST) published the U.S. Federal Information Processing Standard (FIPS) 180-2, specifying the existing hash function SHA-1 and the new ones, SHA-256, SHA-384 and SHA-512 [72]. SHA-224 was added one year later. These four hash functions make up the SHA-2 family. In ISO/IEC 10118-3:2004 [49], RIPEMD-128 [84], RIPEMD-160 [84], SHA-1 [72], the SHA-2 family, and Whirlpool [8] are standardized. All of them but Whirlpool belong to the MD4 family.

The designs of block cipher based hash functions are typically based on structured methods. The most famous construction is the Davies-Meyer construction [88]. Another famous construction is the dual of the Davies-Meyer construction, often named the Matyas-Meyer-Oseas (or MMO) construction [63]. A third well-known construction is the Miyaguchi-Preneel construction [70, 83]. The hash function Whirlpool is based on the Miyaguchi-Preneel construction. Preneel et al. [85] investigated in a systematic way how a block cipher can be used to construct a hash function whose output size corresponds to the block size of the cipher.


3.1.1 The NIST SHA-3 Competition

Since 2005, there has been substantial progress in the cryptanalysis [103, 105] of widely-used hash functions such as MD5 [92] and SHA-1 [72]. Consequently, in 2006, NIST published a policy stating that Federal agencies should stop using SHA-1 for certain applications, including digital signatures, and must use the SHA-2 family for them after 2010. NIST recommends replacing SHA-1 by the SHA-2 hash functions. On the other hand, NIST commented on the cryptanalytic attacks on SHA-1 that the SHA-2 hash functions may be vulnerable to similar techniques, although they are much stronger than SHA-1. This can be explained by the similarities in the design principles of SHA-2 and SHA-1. After these considerations, NIST started the SHA-3 competition in 2007 [76], similar to the successful Advanced Encryption Standard (AES) development and selection process from 1997-2001. The winning algorithm SHA-3 will augment the hash algorithms currently specified in FIPS 180-3. NIST does not plan to withdraw SHA-2 or remove it from the revised Secure Hash Standard; however, it is intended that SHA-3 can be directly substituted for SHA-2 in current applications; therefore, the submitted algorithms for SHA-3 must provide message digests of 224, 256, 384 and 512 bits.

The SHA-3 algorithm is expected to be suitable for these applications, hence the following properties of the SHA-2 hash functions must be preserved: the input parameters; the output sizes; the collision resistance, preimage resistance, and second-preimage resistance properties; and the 'one-pass' streaming mode of execution. However, it is also desirable that the selected SHA-3 algorithm offer features or properties that exceed, or improve upon, the SHA-2 hash functions. For example, the selected SHA-3 algorithm may offer efficient integrated options, such as randomized hashing, that fundamentally improve security, or it may be parallelizable, more efficient to implement on some platforms, more suitable for certain applications, or may avoid some of the incidental 'generic' properties (such as length extension) of the Merkle-Damgård construction that sometimes result in insecure applications.

By the submission deadline, October 31, 2008, NIST received 64 candidate algorithms from all over the world. Based on its internal review, NIST selected 51 candidates to advance to the first round in December 2008, 14 to advance to the second round in July 2009, and five SHA-3 finalists (BLAKE [3], Grøstl [39], JH [107], Keccak [12], and Skein [35]) to advance to the third and final round in December 2010. In the spring of 2012, NIST hosted a final SHA-3 Candidate Conference to discuss the public feedback on the finalists, and it finally selected Keccak as the winning algorithm on October 3, 2012. Our design Lesamnta [43] was selected as a first-round candidate but was not selected as a second-round candidate.

We argue that the design strategy of hash functions and security evaluation methods must be revisited. As for security, we may focus on collision resistance, because (second) preimage attacks still require higher complexity than the birthday attack. One way of viewing the recent attacks that find collisions for SHA-1 and many others is that they essentially apply differential cryptanalysis [15] to find collisions. Therefore, we could argue that a new hash function is only taken seriously if it is accompanied by evidence that it resists differential cryptanalysis.

3.1.2 Lightweight Cryptography

The next decade will witness an ever growing demand for a wide variety of applications using smart (small electronic) devices, including low-end micro-controllers and RFID (Radio Frequency IDentification) tags. This can be explained by the report in [99] stating that the passive RFID tag market is expected to hit $486M in 2013. In terms of microprocessors typically embedded in smart devices, 8-bit CPUs have gained increasing attention from both companies and end users. In fact, about 55% of all CPUs sold in the world are 8-bit microcontrollers and microprocessors, and over 4 billion 8-bit controllers were sold in 2006 [96, 106].

These smart devices have to cope with security problems such as confidentiality and, more importantly, authentication and privacy. These problems have recently opened up an active research area called lightweight cryptography. The main challenge in this area is to design cryptographic primitives or protocols that meet the system requirements, which are often very severe in the sense that the resources available for implementing these cryptographic components are quite limited. To meet these requirements, lightweight cryptographic algorithms can be implemented under restricted resources, such as low-cost, low-energy, or low-power environments. To target these environments, lightweight block ciphers such as PRESENT [19] and KATAN [24] and the lightweight MAC algorithm SQUASH [97] have been proposed. These lightweight symmetric-key algorithms attract users by providing very compact authentication using MAC algorithms.

We argue that there is an increasing demand for lightweight hash functions providing a high security level. In fact, it is pointed out in [34] that in the RFID security community, it is commonly assumed that hash functions are a better choice than block ciphers from an implementation perspective. A reasonable application of lightweight hash functions would be code signing for small but highly sensitive devices, which can be targeted at medical applications or car electronics. Code signing requires hashing and public key cryptography (PKC). Some recent works [5, 38] have shown that implementations of elliptic curve cryptography (ECC) can be so compact that they are targeted at wireless sensor networks (WSN). Therefore it would be a nice challenge to fit ECC and hashing in a small area such as 25 Kgates.

As for the choice of algorithm, lightweight software/hardware implementations could use SHA-256 [72] or the SHA-3 Round-3 candidates. However, most of these hash functions could be too expensive for small devices since they are designed for general purpose processors; they are fast on high-end 32/64-bit CPUs and in general have a large internal state to resist multicollision-type attacks [51, 52]. Therefore, lightweight hash functions such as H-PRESENT [20], MAME [110], QUARK [4], and PHOTON [41] hold promise for implementation. However, the hash functions mentioned above are hardware-oriented with very small footprints. Hardware-oriented schemes do not necessarily provide good performance on 8-bit CPUs. We also notice that small portable electronic devices have very limited RAM and ROM.

3.2 The Lesamnta Hash Function

Lesamnta is a new family of hash functions supporting digest sizes ranging from 224 bits to 512 bits; it consists of four algorithms: Lesamnta-224/256/384/512. The goals on which the design rationale of Lesamnta is based are to be efficient on a wide range of platforms and to ensure both attack-based security and proof-based security. Lesamnta achieves competitive speed on modern general purpose processors and on various hardware platforms. Another advantage of Lesamnta is its capability of implementation on embedded processors, such as 8-bit processors, with a small amount of RAM, and on hardware with a small gate count. One of the most important features of Lesamnta is its design simplicity, which simplifies both the security analysis and the implementation. Furthermore, the structure of Lesamnta enables us to provide proofs reducing the security of Lesamnta to that of the underlying block ciphers, which are confirmed to be secure against various known attacks. We refer to [43] for a more comprehensive and extensive treatment of Lesamnta.

The domain extension of Lesamnta is the Merkle-Damgård construction with an output function. Lesamnta is indifferentiable from a random oracle in the ideal cipher model.

The compression function and the output function are the Matyas-Meyer-Oseas (MMO) mode [63] of dedicated block ciphers. To reduce the hardware complexity, these block ciphers share the same mixing function. A main advantage of adopting the MMO mode is that, when we assume that the key (i.e., the previous chaining value) is fixed (not directly controllable) for the attacker, the attack model is similar to the attack model of block-cipher cryptanalysis, which makes cryptanalysis of the underlying block ciphers more relevant to cryptanalysis of the whole hash function than in other PGV modes such as the Davies-Meyer (DM) mode used in the SHA-2 family. Another major advantage of MMO is that the size of the internal buffer is less than that of other secure PGV modes. As a result, we estimate that Lesamnta-256 requires only 64 bytes of RAM on low-cost 8-bit processors; this makes Lesamnta one of the smallest SHA-3 candidates in terms of RAM on these processors.

The structure of the dedicated block ciphers is partially similar to that of AES. More precisely, the round function adopts a well-studied Feistel network; AES components are used for the non-linear component, which is called the F-function.

Figure 3.1 illustrates the round function of the underlying block cipher.


[Figure: diagram of the round function; labels K(round)0, K(round)1, F256 and the 32-bit data path width]

Figure 3.1 – The round function of Lesamnta-256.

Thus, techniques for efficient software/hardware implementation of AES can be applied to the implementation of Lesamnta. In addition, AMD and Intel offer in their latest processors instructions that enable hardware accelerated encryption and decryption of AES. Fast implementations of Lesamnta are made possible by taking advantage of these instructions. For instance, our implementation of Lesamnta-512 achieves 12.8 cycles/byte on the Intel Core i5 processor. In the design of the F-function, the design approach of AES, namely the wide trail strategy, is applied. As a result, the block ciphers provide a bound with respect to differential cryptanalysis. This is particularly useful in ensuring security against differential collision attacks [105].

HMAC using Lesamnta is a pseudorandom function if the underlying block ciphers are independent pseudorandom permutations. A more efficient mode for a pseudorandom function than HMAC is also presented.

3.2.1 Independent Cryptanalysis of the Lesamnta Hash Function

Two independent analyses of the security of Lesamnta have been published. Bouillaguet et al. [21] present attacks on the full Lesamnta compression function. The main idea is to find some structure in the round constants. For Lesamnta, the 32-bit difference of a 64-bit round constant is periodically constant, hence it is easy to find a key such that the round key satisfies special conditions. The block cipher of Lesamnta exhibits a correlation between keys, ciphertexts and plaintexts. This correlation is caused by the self-duality of the key schedule and the mixing function. Note that the concept of self-duality was given as a property of the AES round function [60]. Using the correlation, the block cipher of Lesamnta is easily distinguished from an ideal cipher, and a pseudo-collision for Lesamnta-256 and Lesamnta-512 can be found with a complexity of 2^64 and 2^128 respectively, each of which is less than expected.

In the other independent analysis, Bouillaguet et al. [22] present attacks on the Lesamnta hash function with reduced rounds. The main idea is to apply cancellation cryptanalysis to generalized Feistel schemes. This cryptanalysis imposes constraints on the values of the state in order to limit the diffusion in the Feistel structure. They find a collision for 24 out of 32 rounds of Lesamnta-n (n = 256, 512) with a time complexity of 2^(3n/8) and a memory complexity of 2^(n/4). They find a second preimage for 24 rounds of Lesamnta-n with a time complexity of 2^(3n/4) and a memory complexity of 2^(n/4).

3.2.2 On Attacks on the Compression Functions

In [44], we have discussed the security analysis of the compression function of Lesamnta by Bouillaguet et al. [21]. In general, a collision attack on the compression function cannot be extended to a collision attack on the hash function. Although compression function attacks may be useful to estimate the security margin, they do not necessarily threaten the security of the hash function. After examining several attack scenarios to extend this compression function analysis to the security of the full Lesamnta, we conclude that the expected strength of Lesamnta we claim in the submission document [43] remains the same. We claim that the impact of the analysis of Bouillaguet et al. on the security of Lesamnta is limited to the fact that the assumption made in the reduction proof regarding collision resistance and the one in the reduction proof regarding indifferentiability no longer hold. This is because the above attack means that the Lesamnta block cipher is a poor instantiation of an ideal cipher. It is important to note that the reduction proofs themselves for Lesamnta are still valid, which means that the attacker has to find some weakness in the compression function to mount an attack on the full hash function.

NIST did not provide any information on their decision not to select Lesamnta as a second round SHA-3 candidate. But it is likely that their decision was made because of the compression function attacks of Bouillaguet et al.

3.2.3 Tweaked Lesamnta (Lesamnta v2)

To prevent the attack presented by Bouillaguet et al. [21], we propose to make a minor change to the specification of Lesamnta [45]. The minor change is only the replacement of the 32 round constants. No other part of the specification is changed. We name the resulting algorithm with new round constants Lesamnta v2. For more detailed discussions on the design and analysis of Lesamnta v2, the reader is referred to [45].


For Lesamnta-224/256, we replace the 32 round constants described in Section 5.1.1 (page 14) of [43] with the following constants:

9e754700889cfedb 2db4ad503bbd6f80 02db4ad503bbd6f8 e1a70c522758bc4b

2a4989e511412ba9 1e95cf81bff8729e a8c416470af5c6d6 422bb32416c61cb6

4c85497227052110 04c8549722705211 fdf76aa9eba86421 f264994a0735e742

3744e7ab7dab9e3d 6f80451ae2875955 8b86b7ce8c169407 bda476dc1727489b

2f89be4df246d4e4 723dc79b6495eddc 966c38f97a9bdf6b 2d353aafa49d1d9b

2680aa8ac97d71b4 72ad56d717265789 1b1b82729f9e055c 90fe5ca7e52b61e3

ccd6a4153a051757 b9d177e1ac4670ae a2b05dc10bce26f5 8755b643328203fd

648150046675c089 1a79421fa88b3c2c 90e870a1365a3274 79cbdb75a8d423b5

For Lesamnta-384/512, we replace the 32 round constants described in Section 5.1.2 (page 15) of [43] with the following constants:

f6251864809494cd35cb7fa305acbe7f 78b114d45c0c003757aa6c4b9d98f1bf

b508148e2c0e460802e6cd2af27a24b0 ba220a9a4170d2de29fdd68d717f83f4

fa8e84753153428a0c9d29ba4c07bc9f 97fc92f852b9c3860d30da783d3f6b9d

95b68b70b22784abca19a58a8ca71e4c 48abbc03a30a7ff77422b58cdfd2a9ca

c7c5fa0d1976cfcbbfd178c3b7e94af7 f9c7bdd4fd083fedb7b7be15c8dcc1d3

dfc1d14920cdc088b5635cc6c7e5be34 37dcf3f822ec2133f52f774280cbc7e2

ed519add8adb45eae57e1d138887b7e1 eebfc9e5f47009f492d2f77813921014

159b340651e246363b85e6fe008b602c 2eb05b97b586d5603e4449f6e8e3f514

155b3b9423a3b0eaaf2970408e7011c9 c4acd4dbd5f51d7e0cb6c807b1a503ca

c749fd65c10030a936a9ecbe3c873d5d 58d1aa49ef6ae3f34a0cfccecddc475a

5f343b7343bca903289d46dd90e26da9 a27d71f052fa6d3232a61c086f06e116

17f09d2029b961fe360d4014031eb9db d7b2481063efc7658a41ae3d098b4854

514f4a4a1bc06c61cf87358938b8d9b4 be889af85ebc47add66113773567db05

05e3ea69155b31c85e13ac1129135b54 519d1be862b6d8976253678b149841a7

ac87ca0bc82b2705d736ec2f621c7828 2a47905563e447589bf95efede53f800

002a47905563e447589bf95efede53f8 f6e7f57d574abc562f1ea392b7ffb35b

We describe how to produce the new round constants below. To be free of suspicion of a trapdoor, round constants must be determined in a transparent way. The new round constants for Lesamnta-224/256 were determined by an algorithm based on the linear feedback shift register (LFSR) of the following 33-term primitive polynomial g(x):

g(x) = x^64 + x^61 + x^58 + x^55 + x^47 + x^46 + x^42 + x^41 + x^39 + x^38
     + x^37 + x^35 + x^34 + x^33 + x^31 + x^30 + x^29 + x^28 + x^27 + x^26
     + x^25 + x^24 + x^20 + x^19 + x^18 + x^16 + x^14 + x^12 + x^8 + x^7
     + x^2 + x + 1 .


For Lesamnta-384/512, the new round constants were determined using the following 65-term primitive polynomial g(x):

g(x) = x^128 + x^124 + x^121 + x^120 + x^119 + x^117 + x^116 + x^114 + x^112
     + x^111 + x^110 + x^107 + x^106 + x^105 + x^104 + x^101 + x^100 + x^98
     + x^97 + x^95 + x^94 + x^93 + x^92 + x^91 + x^90 + x^89 + x^87 + x^86
     + x^84 + x^82 + x^81 + x^79 + x^78 + x^76 + x^74 + x^73 + x^70 + x^69
     + x^66 + x^64 + x^63 + x^60 + x^58 + x^54 + x^53 + x^51 + x^48 + x^39
     + x^37 + x^36 + x^35 + x^32 + x^31 + x^30 + x^29 + x^28 + x^26 + x^23
     + x^21 + x^18 + x^17 + x^15 + x^9 + x^8 + 1 .

We have confirmed that the new round constants do not satisfy the condition allowing the attack [21] using self-duality. We expect that this attack no longer applies to Lesamnta with the new round constants, Lesamnta v2. We also expect that the change does not cause any significant impact on resistance against the known attacks and on the performance of Lesamnta.
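An added example, not the thesis' own constant-generation algorithm (whose seed and output schedule are not given on this page): the two ingredients of a transparent, LFSR-based derivation like the one described above. is_primitive checks that a polynomial over GF(2) is primitive by testing that x has multiplicative order exactly 2^n - 1 modulo g(x), using the known prime factorisations of 2^64 - 1 and 2^128 - 1; generate_constants clocks a Galois LFSR with feedback polynomial g(x) and emits its state every n clocks. The seed value and the "one state every n clocks" schedule are assumptions, so the constants it prints do not reproduce the Lesamnta v2 constants listed above; the exponent lists are the two polynomials from the page.

```python
# Added example, not the thesis' own generation algorithm: a primitivity check
# for the feedback polynomial and a Galois LFSR driven by it. Polynomials over
# GF(2) are Python ints, bit k of the int being the coefficient of x^k.

# Exponents of the 33-term and 65-term polynomials g(x) given on the page.
LESAMNTA_256_EXPONENTS = [64, 61, 58, 55, 47, 46, 42, 41, 39, 38, 37, 35, 34, 33, 31,
                          30, 29, 28, 27, 26, 25, 24, 20, 19, 18, 16, 14, 12, 8, 7, 2, 1, 0]
LESAMNTA_512_EXPONENTS = [128, 124, 121, 120, 119, 117, 116, 114, 112, 111, 110, 107,
                          106, 105, 104, 101, 100, 98, 97, 95, 94, 93, 92, 91, 90, 89, 87,
                          86, 84, 82, 81, 79, 78, 76, 74, 73, 70, 69, 66, 64, 63, 60, 58,
                          54, 53, 51, 48, 39, 37, 36, 35, 32, 31, 30, 29, 28, 26, 23, 21,
                          18, 17, 15, 9, 8, 0]

# Prime factors of 2^n - 1 for the two degrees in use:
# 2^64 - 1 = 3*5*17*257*641*65537*6700417, 2^128 - 1 = (2^64 - 1)*274177*67280421310721.
KNOWN_FACTORS = {
    64: [3, 5, 17, 257, 641, 65537, 6700417],
    128: [3, 5, 17, 257, 641, 65537, 6700417, 274177, 67280421310721],
}

def poly_from_exponents(exponents):
    """Sum of x^e over the given exponents, as an int."""
    p = 0
    for e in exponents:
        p |= 1 << e
    return p

def gf2_mulmod(a, b, mod):
    """a * b in GF(2)[x], reduced modulo mod (a and b already reduced)."""
    n = mod.bit_length() - 1
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if (a >> n) & 1:
            a ^= mod
    return r

def gf2_powmod(base, exp, mod):
    """base^exp modulo mod by square-and-multiply."""
    result = 1
    while exp:
        if exp & 1:
            result = gf2_mulmod(result, base, mod)
        base = gf2_mulmod(base, base, mod)
        exp >>= 1
    return result

def prime_factors(m):
    """Trial division, used only for degrees not in KNOWN_FACTORS (small ones)."""
    factors, d = [], 2
    while d * d <= m:
        while m % d == 0:
            if d not in factors:
                factors.append(d)
            m //= d
        d += 1
    return factors + ([m] if m > 1 else [])

def known_factors_ok(n):
    """Sanity check: the hard-coded primes multiply back to 2^n - 1."""
    prod = 1
    for p in KNOWN_FACTORS[n]:
        prod *= p
    return prod == (1 << n) - 1

def is_primitive(g):
    """g is primitive iff x has multiplicative order exactly 2^n - 1 modulo g:
    x^(2^n - 1) = 1 and x^((2^n - 1)/p) != 1 for every prime p dividing 2^n - 1."""
    n = g.bit_length() - 1
    if n < 1 or not g & 1:            # x must be a unit modulo g
        return False
    order = (1 << n) - 1
    if gf2_powmod(2, order, g) != 1:  # the int 2 is the polynomial x
        return False
    primes = KNOWN_FACTORS.get(n) or prime_factors(order)
    return all(gf2_powmod(2, order // p, g) != 1 for p in primes)

def lfsr_clock(state, g):
    """One Galois-LFSR step: multiply the state by x modulo g."""
    n = g.bit_length() - 1
    state <<= 1
    if (state >> n) & 1:
        state ^= g
    return state

def generate_constants(g, seed, count):
    """Assumed schedule: emit the n-bit state after every n clocks. With a
    primitive g and a nonzero seed the state sequence has period 2^n - 1."""
    n = g.bit_length() - 1
    state, out = seed, []
    for _ in range(count):
        for _ in range(n):
            state = lfsr_clock(state, g)
        out.append(state)
    return out

if __name__ == "__main__":
    g = poly_from_exponents(LESAMNTA_256_EXPONENTS)
    print("primitive:", is_primitive(g))
    print([f"{c:016x}" for c in generate_constants(g, seed=1, count=32)])  # seed 1 assumed
```

The order test is the whole check: a reducible or non-primitive g has a unit group whose exponent is smaller than 2^n - 1, so x cannot reach that order. Feeding the printed constants back through a public script of this kind is what lets a reviewer confirm that nothing in the constants was chosen by hand.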

3.3 The Lesamnta-LW Hash Function

Lesamnta-LW is a lightweight variant of the Lesamnta [43] hash function, supporting a digest size of 256 bits. The design rationale of Lesamnta-LW has two goals: to be compact and fast, optimized for lightweight applications on a wide variety of environments ranging from inexpensive devices to high-end servers, and to provide a 2^{120} security level with a high security margin. Lesamnta-LW can take advantage of competitive speed for short messages with a very small amount of RAM on low-cost (8-bit) CPUs. Another advantage of Lesamnta is its capability of hardware implementation with a small gate count. Lesamnta-LW inherits its design principle and design simplicity from Lesamnta. Furthermore, the structure of Lesamnta-LW enables us to provide proofs reducing the security of Lesamnta-LW to that of the underlying block cipher, which has also been designed to offer adequate security against all known attacks including the one on the Lesamnta compression function [21]. We refer to [46] for a more comprehensive treatment of Lesamnta-LW.

Its domain extension is the strengthened Merkle-Damgård construction. The last block does not contain any part of the message input. It only contains the length of the message input. This property is required to guarantee preimage resistance of Lesamnta-LW.

Lesamnta-LW uses the following compression function h on 128-bit words H_0^{(i-1)}, H_1^{(i-1)}, and M^{(i)}:

h(H^{(i-1)}, M^{(i)}) = E_{H_0^{(i-1)}}(M^{(i)} ‖ H_1^{(i-1)}) ,

where H^{(i-1)} = H_0^{(i-1)} ‖ H_1^{(i-1)} and E_K is a 256-bit block cipher with a 128-bit key K. We call this new method to construct a compression function the LW1 mode.

For a padded message input M = M^{(1)} ‖ · · · ‖ M^{(N)}, Lesamnta-LW works as follows: H^{(i)} = h(H^{(i-1)}, M^{(i)}) for 1 ≤ i ≤ N, where H^{(0)} is a fixed initial value and H^{(N)} is the output (see Fig. 3.2).

Figure 3.2 – The structure of Lesamnta-LW. [Diagram not reproduced: a chain of N calls to E, one per message block M^{(1)}, M^{(2)}, ..., M^{(N-1)}, M^{(N)}, starting from H^{(0)} = H_0^{(0)} ‖ H_1^{(0)} and ending in H^{(N)} = H_0^{(N)} ‖ H_1^{(N)}.]

Unlike the popular Davies-Meyer mode [68] and the MMO mode, the LW1 mode does not have the feedforward of inputs, which contributes to reducing the size of the required memory. Furthermore, in order to achieve a compact implementation, the LW1 mode uses a block cipher with a key size smaller than the block size. From the viewpoint of attacks, as in the case of Lesamnta, the LW1 mode does not allow attackers to control the key of the underlying block cipher directly.
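The LW1 compression function, the Merkle-Damgård chaining with a length-only final block, and the contrast with Davies-Meyer, as an added example that is not code from the thesis or from the Lesamnta-LW project. The block cipher E here is a stand-in 4-round Feistel permutation keyed through SHA-256 (an assumption made only so that the example runs offline; it shares nothing with Lesamnta-LW's AES-based cipher), and the initial value, the padding rule and all function names are likewise assumptions. A Davies-Meyer compression function is included beside the LW1 one so that the point of the last paragraph is visible in code: in LW1 the chaining word H0 keys the cipher and nothing is fed forward, whereas in Davies-Meyer the message block is the key and the chaining value is XORed back in.

```python
# Added example (not thesis or Lesamnta-LW code): the LW1 mode
# H(i) = E_{H0(i-1)}(M(i) || H1(i-1)) over a stand-in 256-bit block cipher with
# a 128-bit key, and strengthened Merkle-Damgaard chaining whose final block
# carries only the message length. Cipher, IV and padding are assumptions.
import hashlib
import struct

WORD = 16                  # 128-bit words H0, H1 and M(i)
BLOCK = 2 * WORD           # 256-bit block of E
IV = bytes(range(BLOCK))   # constructed fixed H(0); not Lesamnta-LW's IV

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _round_fn(key, rnd, half):
    # Stand-in Feistel round function: keyed SHA-256 truncated to one 128-bit half.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:WORD]

def toy_encrypt(key, block, rounds=4):
    """Stand-in E_K: a 4-round Feistel permutation on a 256-bit block, 128-bit key."""
    assert len(key) == WORD and len(block) == BLOCK
    left, right = block[:WORD], block[WORD:]
    for r in range(rounds):
        left, right = right, _xor(left, _round_fn(key, r, right))
    return left + right

def toy_decrypt(key, block, rounds=4):
    """Inverse of toy_encrypt, present only to show that E is a permutation."""
    left, right = block[:WORD], block[WORD:]
    for r in reversed(range(rounds)):
        left, right = _xor(right, _round_fn(key, r, left)), left
    return left + right

def pad(msg):
    """Assumed padding: message || 0x80 || zeros up to a 128-bit boundary, then a
    separate final word holding nothing but the 64-bit message length in bits."""
    body = msg + b"\x80"
    body += b"\x00" * (-len(body) % WORD)
    blocks = [body[i:i + WORD] for i in range(0, len(body), WORD)]
    blocks.append(struct.pack(">QQ", 0, 8 * len(msg)))   # length-only last block
    return blocks

def lw1_compress(h_prev, m):
    """LW1 mode: H0 keys E, the plaintext is M(i) || H1, and there is no feedforward,
    so the attacker never chooses E's key directly."""
    h0, h1 = h_prev[:WORD], h_prev[WORD:]
    return toy_encrypt(h0, m + h1)

def davies_meyer_compress(h_prev, m):
    """Davies-Meyer for contrast: the message block is the key and the chaining
    value is fed forward, so the caller controls E's key and a copy of the input
    must be kept in memory until the cipher finishes."""
    return _xor(toy_encrypt(m, h_prev), h_prev)

def lw1_hash(msg):
    """H(i) = h(H(i-1), M(i)) for 1 <= i <= N; the output is H(N) = H0(N) || H1(N)."""
    h = IV
    for block in pad(msg):
        h = lw1_compress(h, block)
    return h

if __name__ == "__main__":
    print(lw1_hash(b"abc").hex())
```

The stand-in cipher keeps the one property the mode depends on, namely that E_K is a permutation of 256-bit blocks for every 128-bit K (toy_decrypt inverts it); everything else about it is arbitrary, so the digests it produces say nothing about Lesamnta-LW itself.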

The block cipher is designed to be easy to analyze, to be compact in software/hardware, and to offer a reasonable speed on high-end/low-end CPUs. For this purpose, the block cipher is an AES-based design such that Lesamnta-LW can gain clear advantages over known block-cipher based designs such as SHA-256 and MAME. One round of the underlying block cipher is illustrated in Fig. 3.3.

The key scheduling function ensures a strong non-linearity and an excellent diffusion property by re-using the 32-bit permutation of the mixing function: this reduces the hardware complexity since a part of the hardware can be reused. As an important application of Lesamnta-LW, we consider a provably secure key-prefix (KP) mode (required in the PPP Challenge Handshake Authentication Protocol [98]). We give a security reduction for this mode and show that this mode of Lesamnta-LW gains a significant advantage over the standard method HMAC-SHA-256.

In contrast to recently proposed lightweight hash functions which are hardware-oriented with very small footprints, Lesamnta-LW is mainly targeted at the 8-bit CPUs employed in smart devices, while achieving implementation flexibility in software and hardware for a wide range of lightweight applications. Hardware-oriented schemes do not necessarily provide good performance on 8-bit CPUs. In low-cost 8-bit CPU applications using small portable electronic devices, hash functions should require limited resources, memory and computation time. We argue that the most important constraint for hash functions is the limited RAM, which could be critical in many cases. It is typical on 8-bit CPUs that the ROM size is large enough for symmetric-key algorithm implementations. In view of this, Lesamnta-LW is targeted at the RAM requirement on an 8-bit CPU employed in smart devices.

Figure 3.3 – The round function in Lesamnta-LW. [Diagram not reproduced. Labels in the figure: the key scheduling function, with inputs k_0^{(r)}, ..., k_3^{(r)}, outputs k_0^{(r+1)}, ..., k_3^{(r+1)} and round constant C^{(r)}; the mixing function, with inputs x_0^{(r)}, ..., x_3^{(r)}, outputs x_0^{(r+1)}, ..., x_3^{(r+1)} and round key K^{(r)}; the function G, built from Q and R on 32-bit and 64-bit words.]

We have estimated the RAM/ROM requirements of the SHA-3 candidates, SHA-256, and Lesamnta-LW. Our results are shown in Table 3.1. As for the RAM requirement, it is clear that Lesamnta-LW achieves a very small implementation that is substantially smaller than most SHA-3 final round candidates. As for the ROM requirement, we estimate the size of constants such as initial vectors, lookup tables, and round constants. It is typical on 8-bit CPUs that the ROM size is large enough for symmetric-key algorithm implementations. We expect that the ROM requirement of Lesamnta-LW is reasonable.

We have estimated the speed and ROM/RAM size of Lesamnta-LW and SHA-256 on an 8-bit CPU, the Renesas H8, in assembly language. The performance results are shown in Table 3.2. It is clear that Lesamnta-LW gains advantages over SHA-256 with respect to speed on short messages and RAM/ROM requirements. Our RAM-optimized implementation comparison on the 8-bit Renesas H8 shows that Lesamnta-LW achieves a very small implementation requiring only 50 bytes of RAM while achieving 3478 cycles/byte for short (128-bit) messages. As for RAM, Lesamnta-LW is 84% smaller than SHA-256, while running 21% faster than SHA-256.

On high-end processors where the AES instruction set can be utilized, Lesamnta-LW is reasonably fast. For instance, our software implementation of Lesamnta-LW achieves 39.2 cycles/byte on the Intel Core i5 processor. For hardware, our size-optimized ASIC implementation estimates of Lesamnta-LW, MAME, and SHA-256 in 90 nm technology show that Lesamnta-LW achieves a very small implementation requiring only 8.24 Kgates, which means that Lesamnta-LW is 36% smaller than MAME and 43% smaller than SHA-256. In Table 3.3 we compare our results to known results on the SHA-3 final round candidates; it is clear that Lesamnta-LW is substantially smaller than most of them.


Table 3.1 – Comparison of RAM-optimized implementations on low-end processors.

Algorithm          RAM (bytes)   ROM (bytes)   Speed (cycles/byte)   CPU             Ref.
BLAKE [3]          267           3434          1617                  atmega 1284p    [6]
BLAKE [3]          193           1166          562                   ATtiny45        [7]
Grøstl [39]        368           3528          20019                 atmega 1284p    [6]
Grøstl [39]        201           1400          686                   ATtiny45        [7]
JH [107]           388           4950          9191                  atmega 1284p    [6]
JH [107]           234           1020          5062                  ATtiny45        [7]
Keccak [12]        276           1848          1115                  atmega 1284p    [6]
Keccak [12]        244           868           1432                  ATtiny45        [7]
Skein [35]         427           2524          1566                  atmega 1284p    [6]
Skein [35]         232           988           4788                  ATtiny45        [7]
SHA-256 [72]       359           77720         2768                  atmega 1284p    [6]
SHA-256 [72]       158           2720          263                   Atmel's AVR     [82]
SHA-256 [72]       143           1090          532                   ATtiny45        [7]
Lesamnta-LW [46]   50            2114          1737                  H8              [46]

Table 3.2 – Our software implementation estimates on an 8-bit CPU, the Renesas H8. Three rows of values are shown for each algorithm depending on the implementation policy, namely ROM-optimized, RAM-optimized, and balanced. By short message we mean a message whose length is less than 128 bits.

Algorithm     Bulk speed      Short message      ROM (CONST. + CODE)   RAM
              (cycles/byte)   (cycles/message)   (byte)                (byte)
SHA-256       1033.3          66434              32 + 37034            330
              1046.9          67308              288 + 5046            330
              1281.1          82296              288 + 948             330
Lesamnta-LW   1650.9          52828              512 + 20006           50
              1736.5          55568              768 + 1346            50
              2055.0          65760              768 + 370             54


Table 3.3 – Our ASIC implementation estimates of Lesamnta-LW, with known results on other hash functions. For Impl. Scope, Full means a fully autonomous implementation including the complete functionality of a hash function, while Core means an implementation of the core functionality comprising only important parts of a hash function such as the compression function. The digest size of SHA-3 candidates is omitted.

Algorithm       Impl. Scope             Logic process   Area (Kgates)   Throughput (Mbit/s)   Clock (MHz)
BLAKE [100]     Full                    0.35 µm         25.57           15.4                  31.25
Keccak [13]     Using external memory   0.13 µm         5               52.9                  200
JH [62]         Full                    90 nm           31.9            4,639                 353.4
Grøstl [100]    Full                    0.35 µm         14.62           145.9                 55.87
Skein [100]     Full                    0.35 µm         12.89           19.8                  80
Lesamnta-LW     Full                    90 nm           8.24            125.55                188.3
SHA-256         Full                    90 nm           14.6            1766                  220.8

3.4 Conclusion

This chapter presents our contribution to the design and implementation results of hash functions: Lesamnta and Lesamnta-LW. The security of Lesamnta has been proved assuming the security of the underlying block ciphers. We have shown that Lesamnta has a large security margin against various kinds of widely known attacks.

Lesamnta is designed as a general purpose hash function and was a first round candidate in the SHA-3 competition. Lesamnta supports the hash lengths 224, 256, 384, and 512. It is efficient on a wide range of platforms. In particular, Lesamnta-256 is one of the smallest in terms of RAM among SHA-3 candidates on low-cost 8-bit processors. Lesamnta-512 can run fast on recent AMD and Intel processors.

Independent analysis of Lesamnta has shown some weaknesses in the compression function. In response, we analyzed their impact on the full hash function and proposed a tweak to mitigate the analysis. Lesamnta did not proceed to the second round of the competition.

Lesamnta-LW is a new lightweight 256-bit hash function. Its distinct features over the existing lightweight primitives are compactness, high speed, and a very good tradeoff between speed and cost on 8-bit CPUs, as well as high security levels with security reductions. We expect that Lesamnta-LW will open up a new set of lightweight applications. Although we believe that the underlying block cipher of Lesamnta-LW withstands a number of recently proposed attacks because of our conservative design, a more extensive analysis would be needed.


Chapter 4

Analysis of Cryptographic Hash Functions

4.1 Introduction

In this chapter, we give a brief survey of our contributions regarding the cryptanalysis of cryptographic hash functions. We have analyzed a second-round hash function candidate in the SHA-3 competition: Luffa. At the time of writing, this is still the best known result for collision attacks on Luffa in the hash function setting.

Outside of the SHA-3 competition, we have shown several attacks on simplified variants of the SHA-2 hash functions, up to 34 out of 64 rounds. We also investigated the security of HAVAL and reduced versions of the Tiger hash function. We have evaluated the security of the compression function of the lightweight hash function MAME.

We give a short summary of each of these analysis results in alphabetical order in the remainder of this chapter. We refer to the publications included in Part II of this dissertation for technical details on each of the attacks.

4.2 HAVAL

HAVAL is a cryptographic hash function proposed in 1992 by Zheng, Pieprzyk and Seberry [112]. Its structure is quite similar to other widely used hash functions such as MD5 and SHA-1. The HAVAL compression function consists of 96, 128 or 160 consecutive steps. Each sequence of 32 steps is grouped together into a pass, so that we say that HAVAL is 3-, 4- or 5-pass. Every pass r has its own Boolean function f_r.


In our analysis [109], we cryptanalyze the compression functions of 4-pass and 5-pass HAVAL using differential cryptanalysis. The technique of differential cryptanalysis was first described by Biham and Shamir in [15]. The aim of the approach is to find differential characteristics for the whole cipher. In [15], a differential characteristic is defined as follows:

Definition 2. Associated with any pair of encryptions are the difference of its two plaintexts, the difference of its ciphertexts, the differences of the inputs of each round in the two executions and the differences of the outputs of each round in the two executions. These differences form an n-round characteristic. A characteristic has a probability, which is the probability that a random pair with the chosen plaintext difference has the round and ciphertext differences specified in the characteristic.

In the above definition, the probability is taken over all plaintexts. A differential attack consists of two parts: in the first part we divide the function into several consecutive sub-functions and try to find differential characteristics with high probability for these sub-functions. In our analysis, each sub-function will consist of several steps in a certain pass. Hence all steps in such a sub-function will use the same non-linear Boolean function. In the second part the differential characteristics for each sub-function are concatenated so that they cover the whole underlying block cipher of the hash function. However, it is difficult to do the second part of the analysis when the characteristics obtained in the first part have complicated forms. For instance, this is the case for SHA-1. In our analysis, we present a method to solve this difficulty by combining these two parts into a single part.

One can construct a hash function from a block cipher using the Davies-Meyer construction. Conversely, one can construct a block cipher which is the HAVAL compression function with the Davies-Meyer chaining peeled off. In the cipher, the message block M_j is viewed as the key, the chaining variable V_j acts as the plaintext block and V_{j+1} = E(V_j, M_j) is the corresponding ciphertext block. The block cipher constructed from a hash function in such a way is called a hash function in encryption mode. We analyze 4-pass HAVAL in encryption mode. Such an analysis provides a better understanding of the strength of the HAVAL compression function.

The theoretical background of our analysis is the theory of Markov ciphers and their connection to differential cryptanalysis introduced by Lai et al. in [58]. For an iterated cipher E with round function Y = T(X, Z), which takes the plaintext input X and the subkey input Z, we denote the conditional probability that β is the difference ∆Y(i) of the ciphertext pair after i steps, given that α is the difference of the plaintext pair, by P(∆Y(i) = β | ∆X = α), where the probability is taken over all plaintexts. In [58], a Markov cipher is defined as follows:

Definition 3. An iterated cipher with round function Y = T(X, Z) is a Markov cipher if there is a group operation ⊗ for defining differences such that, for all choices of non-identity element α and non-identity element β,

P(∆Y = β | ∆X = α, X = γ)

is independent of γ when the subkey is uniformly random.

In the above definition, the probability is taken over all inputs X. In the case of HAVAL, we denote 8 consecutive steps (see footnote 1) of the block cipher E by T. We assume that E, obtained by iterating T, is a Markov cipher. This allows us to search for differentials rather than characteristics. Lai et al. [58] define differentials as follows:

Definition 4. If T ≥ 2 and ∆x, ∆y ∈ {0, 1}^N, then the corresponding differential, denoted DIFF(∆x, ∆y), is the set of all characteristics for rounds 1 . . . T having ∆x as the first difference and ∆y as the last difference, i.e., all characteristics of the form

Ω = ⟨∆x, ∆x_2, . . . , ∆x_T, ∆y⟩ .

The goal of our attack is to find a high probability differential for 4-pass and 5-pass HAVAL.

Our goal is to study differential properties of 4-pass HAVAL. We consider low Hamming weight differentials and their propagation: we study the behavior of the 4-pass HAVAL compression function when we apply input differences of weight 1 and 2. At the output, we only consider output differences of weight 1 and 2. We check whether these observations are in accordance with the randomness criteria we would expect from a cryptographic hash function. With our approach, we identified differentials with probabilities > 2^{-125} for 4-pass HAVAL and > 2^{-168} for 5-pass HAVAL, which is much higher than the probability 2^{-256} we would expect for a random function.
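Definitions 2, 3 and 4 worked through on a toy cipher, as an added example that is not from the thesis or from the HAVAL analysis: two rounds of Y = S(X ⊕ K) on 4-bit values, with the PRESENT S-box standing in as an arbitrary 4-bit permutation and with independent, uniform round keys (both assumptions, and the reason the toy is a Markov cipher). The code checks Definition 3 by computing P(∆Y = β | ∆X = α, X = γ) for every fixed input γ, computes the probability of a single characteristic ⟨α, δ, β⟩ as in Definition 2, and shows Definition 4's differential DIFF(α, β) as the set of all such characteristics, whose probabilities sum to the probability obtained by exhaustive enumeration over plaintexts and keys. Function names are mine.

```python
# Added example (not thesis code): Definitions 2-4 on a toy 2-round cipher
# Y = S(S(X ^ K1) ^ K2) over 4-bit values. S is the PRESENT S-box, used only as
# a concrete 4-bit permutation; K1, K2 are modelled as independent and uniform.
from itertools import product

SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
N = 16  # number of 4-bit values

def ddt():
    """Difference distribution table: ddt[a][b] = #{x : S(x) ^ S(x ^ a) = b}."""
    t = [[0] * N for _ in range(N)]
    for x in range(N):
        for a in range(N):
            t[a][SBOX[x] ^ SBOX[x ^ a]] += 1
    return t

DDT = ddt()

def round_fn(x, k):
    return SBOX[x ^ k]

def encrypt2(x, k1, k2):
    return round_fn(round_fn(x, k1), k2)

def markov_check(alpha, beta):
    """Definition 3 for one round: the number of keys k with
    S(gamma ^ k) ^ S(gamma ^ alpha ^ k) = beta must not depend on gamma.
    Returns the set of counts seen over all gamma; one element means Markov."""
    counts = set()
    for gamma in range(N):
        c = sum(round_fn(gamma, k) ^ round_fn(gamma ^ alpha, k) == beta
                for k in range(N))
        counts.add(c)
    return counts

def characteristic_prob(alpha, delta, beta):
    """Definition 2: probability of the 2-round characteristic <alpha, delta, beta>,
    the product of the per-round probabilities of a Markov cipher."""
    return (DDT[alpha][delta] / N) * (DDT[delta][beta] / N)

def differential_prob(alpha, beta):
    """P(dY2 = beta | dX = alpha) by brute force over all plaintexts and key pairs."""
    hits = sum(encrypt2(x, k1, k2) ^ encrypt2(x ^ alpha, k1, k2) == beta
               for x, k1, k2 in product(range(N), repeat=3))
    return hits / N ** 3

def differential_from_characteristics(alpha, beta):
    """Definition 4: DIFF(alpha, beta) is the set of all characteristics
    <alpha, delta, beta>; for a Markov cipher with independent uniform round keys
    the differential's probability is the sum over its characteristics."""
    return sum(characteristic_prob(alpha, d, beta) for d in range(N))

def best_differential():
    """Highest-probability differential over nonzero input and output differences,
    the quantity the HAVAL analysis above searches for (on a far larger cipher)."""
    return max(((a, b, differential_from_characteristics(a, b))
                for a in range(1, N) for b in range(1, N)), key=lambda t: t[2])

if __name__ == "__main__":
    print("Markov counts for (1, 9):", markov_check(1, 9))
    print("DIFF(1, 9) by enumeration:", differential_prob(1, 9))
    print("DIFF(1, 9) as a sum of characteristics:", differential_from_characteristics(1, 9))
    print("best differential (alpha, beta, p):", best_differential())
```

The comparison matters for the text above: a single characteristic's probability is only a lower bound on the differential's, and for a cipher assumed to be Markov (as the analysis assumes of iterated HAVAL steps) the search can be carried out on differentials directly, which is why the quoted figures are stated for differentials rather than characteristics.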

4.3 Luffa

Luffa [27] is a family of cryptographic hash functions that was selected as one of the 14 second round SHA-3 candidates. The hash function Luffa adopts the structure of a sponge function [11] and a wide-pipe strategy [59]. In the previous results on Luffa, its building blocks have been analyzed extensively: the designers found a differential path for the internal permutation of Luffa.

Footnote 1: A single step of HAVAL is clearly a bad candidate for T since only one 32-bit word changes per step and only one 32-bit word of key material is mixed in.

In [87] we analyze the collision resistance of reduced-round versions of Luffa-256, which is the 256-bit hash function in the Luffa family. Our analysis focuses on the hash function security. We here present a collision attack on Luffa reduced to 4 (out of 8) steps. We outline how the attack works: there are three round function calls, meaning that the attack uses three message blocks which are used in the following manner: the attack uses the first message block M^{(1)} with no difference for finding a good value for the second round function input (H_0^{(1)}, H_1^{(1)}, H_2^{(1)}), the second message block pair (M^{(2)}, M^{(2)} ⊕ ∆) introduces the differences conforming to the differential path for each permutation, and those differences are erased with the third message block pair (M^{(3)}, M^{(3)} ⊕ ∆′). The attack first constructs a differential path producing a collision and then applies the message modification technique of Wang et al. to reduce the complexity. We adopt the cryptanalytic principle of Khovratovich et al. [56] in the following sense:

1. We apply the modification technique at S-box level.

2. We store the degrees of freedom as the information on the set of message inputs which give the right input for the active S-boxes.

We apply the basic modification using a single message bundle for each active S-box and the advanced modification [105] using multiple message bundles for each active S-box, respectively. In order to reduce the attack complexity, we apply the following strategy:

1. Maximize the number of applications of basic message modification.

2. Minimize the number of involved message bundles for advanced message modification.

The optimization was achieved using a heuristic approach where message bundles which have been used before have higher priority to be used in the following step than the others.

As a result, the expected number of collisions for 4-step Luffa is one and the total complexity is 2^{90} ≈ 2^{39} (2^{14} + 2^{16} + 2^{41} + 2^{51}), where 2^{14}, 2^{16}, 2^{41}, and 2^{51} are the complexities for the message modifications at the first, second, third, and fourth steps respectively.

4.4 MAME

We propose a new compression function, MAME [110], designed as a hardware-oriented hash function which can be used in applications with reduced hardware requirements. MAME takes a 256-bit message block and a 256-bit chaining variable as input and produces a 256-bit output. In the light of recent attacks on MD5 and SHA-1, our design strategy is very conservative, and we show that our compression function is secure against various kinds of widely known attacks with very large security margins. Simple logical operations and hardware-efficient S-boxes are used to achieve a hardware implementation of MAME requiring only 8.1 Kgates. As for the S-box, we adopted a function which is affine equivalent to the inversion function in GF(2^4) for security reasons. We imposed the restriction that S has no fixed points. The S-box has the following properties:


• Maximum differential and linear probabilities are 2^{-2}.

• The degree of the Boolean polynomial of every output bit is 3.

• The number of monomials of the polynomial expression over GF(2^4) is 14.

In our analysis of MAME, we estimate lower bounds on the number of active S-boxes by applying the Viterbi algorithm [102]. According to [37], the Viterbi algorithm is a recursive optimal solution to the problem of estimating the state sequence of a discrete-time finite-state Markov process observed in memoryless noise. For MAME, the internal state size is 256 bits, which consists of four 64-bit words. There is a single non-linear function, denoted by F, in the round function. F is a permutation that takes 64-bit inputs. F consists of a non-linear function constructed from 16 4-bit S-boxes and the linear transformation L.

In applying the Viterbi algorithm to MAME, each state might be defined as a 256-bit difference in the internal state. However, in this case, the Viterbi algorithm would have a memory requirement of about 2^{256} bits, which is impractical. To solve this, we first truncate a 64-bit word x_i into a 16-bit value by considering the 4 input bits of an S-box as a single bit. For such a 16-bit word x_i, Ham(x_i) ranges from 0 to 16 and it can be represented as a 5-bit string. In the end, we solved the problem by truncating the 256-bit space into the 20-bit space, which reduces the memory requirement to 2^{20} only.

In applying the Viterbi algorithm to MAME, each state is defined as the number of active S-boxes with respect to F. The distance between a state at round r and a state at round r + 1 is measured by the number of active S-boxes which has been increased through the application of the r-th round.

Carrying out the Viterbi algorithm requires us to construct a table representing the propagation of the truncated differences through F (see Table 4.1). For row i and column j, the element a_{i,j} in Table 4.1 is determined in the following way:

• Case 1 (i ≤ 6): For any 64-bit x with Ham(x) = i, compute Ham(L(x)). If there exists an x such that Ham(L(x)) = j, then let a_{i,j} be 1. Otherwise let a_{i,j} be 0.

• Case 2 (j ≤ 6): For any 64-bit y with Ham(y) = j, compute Ham(L^{-1}(y)). If there exists a y such that Ham(L^{-1}(y)) = i, then let a_{i,j} be 1. Otherwise let a_{i,j} be 0.

• Case 3 (Otherwise): Let a_{i,j} be 1.

It took us several hours on a PC to perform the experiments for each case. We used Table 4.1 when we performed the Viterbi algorithm. In addition, we captured information on how the weights of the differences change through two applications of F. We experimentally obtained information on how Ham(F̃F(x)) behaves. This limits the possibilities for the output difference of the second application of F, compared to what we expect from the case of a single application of F, as in Table 4.1 (see footnote 2). If an output difference of the first application is not influenced at the XOR which is processed just after F, we can use the above information. In this way, the Viterbi algorithm yields a result, namely a lower bound of 130 on the total number of active S-boxes in a differential characteristic for MAME reduced to 58 out of 96 rounds.

Table 4.1 – A table representing the difference propagation through the L-function of MAME. The row corresponds to truncated input differences of L and the column corresponds to truncated output differences of L. We put 0 at the i-th row and the j-th column if the input difference i cannot propagate to the output difference j through L, otherwise we put 1.

Ham(x) \ Ham(L(x))   0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16
 0                   1  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0
 1                   0  0  0  0  0  0  0  0  0  0  1  0  1  0  0  1  1
 2                   0  0  0  0  0  0  0  0  1  1  1  1  1  1  1  1  1
 3                   0  0  0  0  0  1  1  1  1  1  1  1  1  1  1  1  1
 4                   0  0  0  0  0  1  1  1  1  1  1  1  1  1  1  1  1
 5                   0  0  0  1  1  1  1  1  1  1  1  1  1  1  1  1  1
 6                   0  0  0  0  1  1  1  1  1  1  1  1  1  1  1  1  1
 7                   0  0  0  1  1  1  1  1  1  1  1  1  1  1  1  1  1
 8                   0  0  1  1  1  1  1  1  1  1  1  1  1  1  1  1  1
 9                   0  1  1  1  1  1  1  1  1  1  1  1  1  1  1  1  1
10                   0  0  1  1  1  1  1  1  1  1  1  1  1  1  1  1  1
11                   0  0  1  1  1  1  1  1  1  1  1  1  1  1  1  1  1
12                   0  0  1  1  1  1  1  1  1  1  1  1  1  1  1  1  1
13                   0  1  1  1  1  1  1  1  1  1  1  1  1  1  1  1  1
14                   0  0  1  1  1  1  1  1  1  1  1  1  1  1  1  1  1
15                   0  1  1  1  1  1  1  1  1  1  1  1  1  1  1  1  1
16                   0  1  1  1  1  1  1  1  1  1  1  1  1  1  1  1  1
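The table construction and the truncated-difference Viterbi search described in this section, as an added example that is not the thesis' program. It runs on a toy cipher that is not MAME: four 16-bit words of four 4-bit S-box inputs each (MAME's words are 64 bits with 16 S-boxes), a toy linear layer L in which each output nibble is the XOR of the other three input nibbles, and an assumed round (x0, x1, x2, x3) → (x1, x2, x3, x0 ⊕ F(x1)). Because the S-box layer is a nibble-wise bijection it preserves the truncated weight, so, as on the page, the propagation table is built for L alone. Each state is the vector of the four truncated word weights, the small analogue of the thesis' 20-bit space of four 5-bit weights, and the cost of a round is the weight entering F. The toy word is small enough that the table is built by exhaustive enumeration; the page's Case 3, which sets every entry it does not enumerate to 1, only over-approximates the reachable weights and therefore can loosen but never invalidate the resulting lower bound.

```python
# Added example (not thesis code): propagation table plus Viterbi lower bound on
# active S-boxes, on a toy 4-word cipher that is NOT MAME. Linear layer, round
# structure and word size are assumptions made to keep the example small.
from itertools import product

NIBBLES = 4   # S-boxes per word (16 in MAME)

def nibbles(x):
    return [(x >> (4 * i)) & 0xF for i in range(NIBBLES)]

def trunc_weight(x):
    """Truncated weight: number of nonzero nibbles, i.e. active S-boxes in a word."""
    return sum(1 for n in nibbles(x) if n)

def toy_L(x):
    """Toy linear layer: output nibble j is the XOR of the other three input nibbles."""
    ns = nibbles(x)
    total = ns[0] ^ ns[1] ^ ns[2] ^ ns[3]
    y = 0
    for j, n in enumerate(ns):
        y |= (total ^ n) << (4 * j)
    return y

def propagation_table(L):
    """table[i] = set of output weights reachable from input weight i through L,
    i.e. the columns j with a_{i,j} = 1 in the page's Table 4.1. Exhaustive here;
    the S-box layer preceding L is weight-preserving, so L alone is tabulated."""
    table = [set() for _ in range(NIBBLES + 1)]
    for x in range(1 << (4 * NIBBLES)):
        table[trunc_weight(x)].add(trunc_weight(L(x)))
    return table

def xor_weights(a, b):
    """All truncated weights that the XOR of two words of weights a and b can have
    when nibble positions are unknown: from |a - b| up to min(a + b, NIBBLES)."""
    return range(abs(a - b), min(a + b, NIBBLES) + 1)

def min_active_sboxes(rounds, table):
    """Viterbi / dynamic-programming search over truncated states (w0, w1, w2, w3):
    minimum total number of active S-boxes over all nonzero trails of the assumed
    round (x0, x1, x2, x3) -> (x1, x2, x3, x0 ^ F(x1)). The round's cost is the
    weight w1 entering F; the state never exceeds (NIBBLES + 1)^4 entries."""
    best = {s: 0 for s in product(range(NIBBLES + 1), repeat=4) if any(s)}
    for _ in range(rounds):
        nxt = {}
        for (w0, w1, w2, w3), cost in best.items():
            for v in table[w1]:                 # possible weight of F(x1)
                for u in xor_weights(w0, v):    # possible weight of x0 ^ F(x1)
                    s = (w1, w2, w3, u)
                    if any(s) and cost + w1 < nxt.get(s, float("inf")):
                        nxt[s] = cost + w1
        best = nxt
    return min(best.values())

if __name__ == "__main__":
    T = propagation_table(toy_L)
    for i, row in enumerate(T):
        print(f"Ham(x) = {i}: Ham(L(x)) in {sorted(row)}")
    for r in (1, 2, 3, 4, 6, 8):
        print(f"{r} rounds: at least {min_active_sboxes(r, T)} active S-boxes")
```

With the S-box's maximum differential probability p_max, a bound of B active S-boxes over R rounds gives the characteristic-probability bound p_max^B that the next paragraph applies to MAME; the same DP with the linear approximation table in place of the DDT gives the linear counterpart.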

For the linear attack, we take a similar approach. We estimate that the maximum differential/linear characteristic probabilities are upper bounded by 2^{-260} and 2^{-258}, respectively. It follows that there is no effective differential/linear characteristic for MAME reduced to 58 rounds.

4.5 SHA-256

Footnote 2: E.g., if Ham(x) = 3 and Ham(F(x)) = 5, then Ham(F̃F(x)) = 3 is not possible.

SHA-256 is a cryptographic hash function which was proposed in 2000 as a new generation of SHA functions; it was adopted as a FIPS standard in 2002 [72]. In our analysis [108], we consider the pseudo-collision resistance of a SHA-256 variant in which every arithmetic addition is replaced by a XOR operation. We call this SHA-256 variant SHA-2-XOR. In a pseudo-collision on a hash function, an attacker can freely choose both the message input and the initial value; this does not necessarily lead to a collision for the hash function, as most hash functions specify a fixed initial value. The compression function updates the 8 registers A, B, C, D, E, F, G, H. We identified one-round iterative differential characteristics by determining the conditions for the existence of such an iterative characteristic. We are interested in those iterative characteristics that have high probabilities. For an iterative characteristic with differences dA, dE, it turns out that if some register inputs make this condition hold, they also make the other conditions hold. Therefore, we pay a probability penalty only for this condition to hold. We see that we have to pay a probability penalty for this equation at bit position j to hold if and only if dE(j) is equal to 1. In particular, an iterative characteristic where the Hamming weight of dE is the smallest has the best probability. This discussion leads us to the following theorem.

Theorem 4.1. For SHA-2-XOR, a differential characteristic with input differences (dA, dB, dC, dD, dE, dF, dG, dH) is a one-round iterative characteristic if and only if, for some 32-bit value X, the input differences dA, dE satisfy the following conditions:

dA = Σ1(dE) ⊕ (X ∧ dE), (4.1)

dE = Σ0(dA) ⊕ dA . (4.2)

If these conditions hold, the other differences in the characteristic are determined by dA and dE as follows:

dB = dA, dC = dA, dD = dA, dF = dE, dG = dE, dH = dE.

Furthermore, an iterative characteristic where the weight of dE is the smallest hasthe best probability.

We have to design an algorithm to put this theorem into practice. By substituting the second condition into the first one, we obtain the following:

dA = Σ1(Σ0(dA) ⊕ dA) ⊕ (X ∧ (Σ0(dA) ⊕ dA)) .

It is sufficient to search for dA values which make this equation solvable in terms of X. Looking at this equation per bit leads us to consider a 1-bit equation I = X ∧ R. We consider what the condition on I is for this equation to have a solution X = X0, in both cases R = 0 and R = 1. If R is equal to 1, there always exists a solution. If R is equal to 0, there exists a solution if and only if I is equal to 0. Based on this consideration, we present Algorithm 1.


Algorithm 1 The search algorithm. For a bit string V , its value at bit positionj is denoted by V (j).

 1: Choose a 32-bit value dA.
 2: Compute R = Σ0(dA) ⊕ dA.
 3: Set u to 0.
 4: for j from 0 to 31 do
 5:   if R(j) is equal to 0 then
 6:     Compute I(j) = (Σ1(Σ0(dA) ⊕ dA) ⊕ dA)(j).
 7:     if I(j) is equal to 1 then
 8:       increase u by 1.
 9:     end if
10:   end if
11: end for
12: if u is equal to 0 then
13:   output dA.
14: end if
15: if all possible values for dA have been chosen then
16:   end.
17: else
18:   go to step 1.
19: end if

The algorithm we designed has identified all one-round iterative characteristics for SHA-2-XOR. The running time was 30 min on a PC with a Crusoe processor running at 1 GHz. We use the best ones, with probability 2^{-8}. We also show that no 2-round iterative pattern with probability higher than 2^{-16} exists.
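The per-bit argument behind Algorithm 1 collapses into one word operation: with R = Σ0(dA) ⊕ dA and I = Σ1(R) ⊕ dA, a value dA qualifies exactly when I has no 1 bit where R has a 0 bit. The following Python is an added example, not code from the dissertation. It implements that test, the SHA-2-XOR round (SHA-256 with every modular addition replaced by XOR, using the Σ0, Σ1, Ch and Maj of FIPS 180-4), and a check that a qualifying (dA, dE) really survives one round once the Ch-condition bits are fixed by input modification. Two things in it are my own and not stated on the page: the observation that, with E, F, G all carrying dE, the Ch output difference at a bit with dE(j) = 1 is 1 ⊕ F(j) ⊕ G(j) regardless of E(j), which is what the conforming-state step uses; and the sample value dA = 0x55555555, chosen only because Σ0 maps it to its complement, so it gives dE = 0xFFFFFFFF, a valid but weight-32 (probability 2^{-32}) characteristic, not one of the 2^{-8} ones the text uses. The full 2^{32} sweep of Algorithm 1 is left to the reader; in Python it takes hours rather than the 30 minutes reported. All function names are mine.

```python
"""Added example: one-round iterative characteristics of SHA-2-XOR
(Theorem 4.1 and Algorithm 1 of the text), not code from the dissertation."""

MASK = 0xFFFFFFFF

def rotr(x, r):
    """32-bit rotate right."""
    return ((x >> r) | (x << (32 - r))) & MASK

# SHA-256 round functions as in FIPS 180-4.  Sigma0/Sigma1 are GF(2)-linear,
# so they act on XOR differences exactly as on values.
def sigma0(x):
    return rotr(x, 2) ^ rotr(x, 13) ^ rotr(x, 22)

def sigma1(x):
    return rotr(x, 6) ^ rotr(x, 11) ^ rotr(x, 25)

def ch(e, f, g):
    return (e & f) ^ (~e & g & MASK)

def maj(a, b, c):
    return (a & b) ^ (a & c) ^ (b & c)

def iterative_dE(dA):
    """Condition (4.2): dE = Sigma0(dA) XOR dA."""
    return sigma0(dA) ^ dA

def is_one_round_iterative(dA):
    """Algorithm 1 for one dA, bit-parallel.

    With R = dE and I = Sigma1(R) XOR dA, condition (4.1) asks for an X with
    I = X AND R.  A bit with R(j) = 1 always has a solution; a bit with
    R(j) = 0 forces I(j) = 0.  The counter u of Algorithm 1 is the weight of
    I AND NOT R, so dA qualifies iff that word is zero.
    """
    R = iterative_dE(dA)
    I = sigma1(R) ^ dA
    return (I & ~R & MASK) == 0

def search_iterative(candidates):
    """Algorithm 1 over an iterable of dA values; yields (dA, dE, wt(dE)).
    The characteristic holds with probability 2^(-wt(dE)).  range(1 << 32)
    gives the exhaustive sweep the text reports (hours in Python)."""
    for dA in candidates:
        if is_one_round_iterative(dA):
            dE = iterative_dE(dA)
            yield dA, dE, bin(dE).count("1")

def characteristic(dA):
    """Full 8-register difference of Theorem 4.1 for a given dA."""
    dE = iterative_dE(dA)
    return (dA, dA, dA, dA, dE, dE, dE, dE)

def sha2_xor_round(state, k, w):
    """One SHA-256 round with every modular addition replaced by XOR."""
    a, b, c, d, e, f, g, h = state
    t1 = h ^ sigma1(e) ^ ch(e, f, g) ^ k ^ w
    t2 = sigma0(a) ^ maj(a, b, c)
    return (t1 ^ t2, a, b, c, d ^ t1, e, f, g)

def conforming_state(state, dA):
    """Input modification: fix G so the Ch condition holds wherever dE(j) = 1.
    With E, F, G all carrying dE, the Ch output difference at such a bit is
    1 XOR F(j) XOR G(j), whatever E(j) is (my derivation); (4.1) needs it to
    equal X(j) = I(j), so set G(j) = F(j) XOR NOT I(j) there and leave the
    other bits of G untouched."""
    a, b, c, d, e, f, g, h = state
    dE = iterative_dE(dA)
    I = sigma1(dE) ^ dA
    g = (g & ~dE & MASK) | ((f ^ (~I & MASK)) & dE)
    return (a, b, c, d, e, f, g, h)

def follows_characteristic(state, dA, k=0, w=0):
    """Does the Theorem 4.1 difference survive one round on this state (dW = 0)?"""
    diff = characteristic(dA)
    out0 = sha2_xor_round(state, k, w)
    out1 = sha2_xor_round(tuple(s ^ x for s, x in zip(state, diff)), k, w)
    return tuple(x ^ y for x, y in zip(out0, out1)) == diff

if __name__ == "__main__":
    # Constructed sample: dA = 0x55555555 gives Sigma0(dA) = NOT dA, hence
    # dE = 0xFFFFFFFF: valid, but weight 32, i.e. probability 2^-32.
    dA = 0x55555555
    iv = (0x6A09E667, 0xBB67AE85, 0x3C6EF372, 0xA54FF53A,
          0x510E527F, 0x9B05688C, 0x1F83D9AB, 0x5BE0CD19)   # any state works
    print(hex(dA), is_one_round_iterative(dA), hex(iterative_dE(dA)))
    print("survives one round:", follows_characteristic(conforming_state(iv, dA), dA))
    for found in search_iterative(range(1 << 16)):   # a slice of the 2^32 sweep
        print("dA=%08x dE=%08x wt=%d" % found)
```

The `conforming_state` step is where the probability penalty is paid: for the sample state above, `follows_characteristic(iv, 0x55555555)` is false because F ⊕ G = 0x8486B127 does not meet the 32 bit conditions, while the modified state follows the characteristic with probability 1, which is exactly the effect the text obtains for the first rounds of SHA-2-XOR by modifying input bits.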

In the pseudo-collision attack model, the attacker chooses any element from the set I_all = {0,1}^256 × {0,1}^512, which is taken as input to the compression function. The main idea in our improvement is to use a subset of I_all, denoted by I_sub, for which better probabilities for many rounds are obtained. This idea was already indicated by Rijmen and Preneel in [90], where it is pointed out that the attacker can choose the message so that the first several rounds follow the characteristic with probability 1. It is quite natural to consider this idea in the cryptanalysis of hash functions. To realize this idea in practice, the attacker first randomly chooses an input from I_all and then modifies it in such a way that certain conditions on the register values E_t, F_t, G_t, t = 0, 1, ..., 17 in Table 5 are satisfied. Using the resulting set of modified inputs, we do not have to pay any probability penalty for the first 19 rounds. We develop an algorithm for the input modification. The algorithm involves a modification of 152 input bits (= 19 × 8 bits), namely E_0^{(j)}, G_0^{(j)}, H_0^{(j)}, W_0^{(j)}, W_1^{(j)}, ..., W_{15}^{(j)} (j ∈ J). All the modified inputs with the difference δ result in δ again after 19 rounds, which was experimentally confirmed with 2^{20} randomly chosen inputs. We use 120 input bits out of the remaining 616 bits to add 15 rounds. This leads to an attack finding a pseudo-collision with complexity 2^{120} for SHA-2-XOR reduced to 34 (out of 64) rounds.

4.6 Tiger

Tiger is a cryptographic hash function with a 192-bit hash value which was proposed by Anderson and Biham in 1996 [1]. At FSE 2006, Kelsey and Lucks presented a collision attack on Tiger reduced to 16 (out of 24) rounds with a complexity of about 2^{44}. Furthermore, they showed that a pseudo-near-collision can be found for a variant of Tiger with 20 rounds with a complexity of about 2^{48}. In [53], Kelsey and Lucks discussed the possibility of extending their attack to more rounds of Tiger and the applicability of their attack techniques to the full hash function. The attack of Kelsey and Lucks can be summarized as follows.

1. Choose a characteristic for the key schedule of Tiger that holds with high probability (ideally with probability 1).

2. Use a kind of message modification technique [104] developed for Tiger to construct certain differences in the chaining variables for round 7, which can then be canceled by the differences in the message words in the following rounds. This leads to a collision for the Tiger hash function after 16 rounds.

In our analysis [67], we show how this attack method can be extended to construct a collision for the Tiger hash function reduced to 19 rounds. We present two different attack strategies for constructing collisions in Tiger reduced to 19 rounds, with complexities of about 2^{62} and 2^{69}. Furthermore, we present a pseudo-near-collision for a variant of Tiger reduced to 22 rounds with a complexity of about 2^{44}.

After our work, Mendel showed in [66] a pseudo-near-collision for the full Tiger hash function. In [65], Mendel presented a preimage attack on Tiger reduced to 17 rounds.

4.7 Conclusion

• HAVAL.

We have analyzed the compression functions of 4-pass and 5-pass HAVAL. Surprisingly, our result shows that the use of highly non-linear functions, which is the design feature of HAVAL, does not result in a hash function which is very strong against differential cryptanalysis.

• Luffa.

We have shown that collisions for 4 out of 8 steps of Luffa can be found with complexity 2^{90} using sophisticated message modification techniques. To the best of our knowledge, this is the first collision analysis for Luffa with a fixed initial vector.

• MAME.

We have analyzed the compression function of the hash function MAME, which is a hardware-oriented design. We have evaluated its security by applying techniques from block cipher analysis. We show that MAME offers a strong security margin against a broad range of known attacks.

• SHA-256.

We presented a differential attack with message modification on a simplified SHA-256 variant, SHA-2-XOR. Our result shows that SHA-2-XOR with up to 34 rounds has a weakness with respect to pseudo-collision resistance.

• Tiger.

We have presented collision attacks on Tiger reduced to 19 rounds out of 24 and a pseudo-near-collision for Tiger reduced to 22 rounds. Based on this we conclude that the security margin of Tiger is not as large as one could hope for.


Chapter 5

Conclusion and Open Problems

5.1 Conclusion

In our modern society, various kinds of services based on information technology are provided using a wide variety of high-end computers and smart devices. As a result, our ICT systems have become ubiquitous. In such a society, computers and client terminals range from high-end servers, PCs and mobile phones to low-end IC cards and RFID (Radio Frequency IDentification) tags whose resources and/or power for computation are limited. To achieve security, cryptographic applications are required to be supported on a wide variety of platforms. Cryptographic hash functions are used as a key component to achieve security in a large number of cryptographic applications such as digital signatures, certificates, MAC algorithms, randomness extraction, and public key encryption.

At the beginning of our research, an important cryptanalytic method called message modification was proposed by Wang et al. at CRYPTO 2005 [105]. This method breaks the most widely deployed hash function, SHA-1, and many other hash functions, and it is unclear whether SHA-2 will be secure against this technique. It has also been reported that the most popular domain extension, namely the Merkle-Damgård construction used in SHA-1 and many other hash functions, is not ideally secure against a generic attack on second preimage resistance. In response, in 2007, the SHA-3 competition was launched to standardize a hash function to augment the current FIPS standard hash function family SHA-2.

In the history of symmetric-key cryptography, an important open competition was held from 1997 to 2001: the AES competition. The performance requirement on the candidates was to be much faster than the benchmark cipher, triple-DES, while the security strength had to be higher, namely 128 bits. However, from the viewpoint of a competition, SHA-3 is quite different from AES. The SHA-256 design has high-end 32-bit CPUs in mind, hence SHA-256 already runs very fast on these CPUs; SHA-512 is designed for 64-bit CPUs. The required security levels are exactly the same as those of the SHA-2 family, namely 224/256/384/512 bits. Another point is performance on low-end CPUs and hardware efficiency. In October 2012, NIST announced that out of 64 candidates it chose Keccak as the winner. We believe that the winner Keccak has two clear advantages: a significantly improved hardware efficiency and a novel construction, the sponge.

Our research presented in this dissertation is closely related to the SHA-3 competition and to lightweight cryptography. The context is the hash function security crisis and the ubiquitous environment. Our goal is to design and analyze five algorithms: Lesamnta-224/256/384/512 and Lesamnta-LW. Our design philosophy is rather conservative: block cipher-based hash functions. Our motivation for this philosophy is to benefit from provable security reductions and from the maturity of block cipher cryptanalysis. The main question is whether we can design a new hash function which has advantages over SHA-2 in terms of security and performance. We have tried to answer this question by designing Lesamnta, which aims to have clear evidence for its security and to be efficient on a wide range of platforms, especially on low-end 8-bit processors. Our approach is that of block cipher design: we select an appropriate mode of operation with a reduction proof; next we prove a bound related to differential cryptanalysis for the underlying block cipher and we limit the degrees of freedom of the attack. In this way, we can estimate an upper bound on the number of rounds that can be broken with the attack. Proving the bound was challenging; it was achieved using sophisticated computer experiments or by applying the wide trail strategy used in the design of AES. As for performance, we show that Lesamnta achieves the smallest RAM requirement among the candidates in low-end software implementations.

The SHA-3 competition has seen innovative design strategies and novel cryptanalytic methods. One interesting method to optimize the attack complexity, the rebound attack, was presented; it worked very well for several competitive candidates in the sense that it finds weaknesses in the underlying components such as the compression function. Another interesting cryptanalytic method, which uses the self-similarity property of a hash function, was introduced at FSE 2010. This method works for Lesamnta and finds a weakness in the compression function. It is likely that this weakness in the underlying components could result in a small security margin for the hash function, although it does not affect the security of the entire hash function.

We have submitted Lesamnta to the SHA-3 competition. It did not proceed to the second round of the competition. It is likely that, in terms of security, NIST was concerned about this self-similarity property while, for performance, NIST considered high-end software more important than low-end software and hardware in the second-round candidate selection process.

At the beginning of our research presented in this dissertation, another active research area, lightweight cryptography, opened up. The main challenge in this area is to design cryptographic algorithms or protocols that meet system requirements which are often very severe: these algorithms are required to be implemented under restricted resources, such as low-cost, low-energy, or low-power environments. Security problems such as confidentiality and, more importantly, authentication and privacy have to be dealt with.

As for the choice of algorithm, lightweight software/hardware implementations could use the SHA-2 family or SHA-3. However, most of these hash functions could be too expensive for small devices since they are designed for general-purpose processors: they are fast on high-end 32/64-bit CPUs and have in general a large internal state in order to resist multi-collision-type attacks. Therefore, the recent proposals of lightweight cryptographic primitives such as block/stream ciphers and hash functions hold promise for implementation. They are hardware-oriented with very small footprints. However, these schemes do not necessarily provide good performance on 8-bit CPUs. We also notice that there is only very limited RAM/ROM available on small portable electronic devices. In terms of microprocessors typically embedded in smart devices, 8-bit CPUs have gained increased attention from both companies and end users.

We argue that there is an increasing demand for lightweight hash functions providing a high security level. A new lightweight 256-bit hash function, Lesamnta-LW, has been proposed. We claim that its distinct features over the existing lightweight primitives are compactness, high speed, and a very good tradeoff between speed and cost on 8-bit CPUs, as well as high security levels with security reductions. We expect that Lesamnta-LW will open up a new set of lightweight applications such as code signing for small but highly sensitive devices, which can be targeted at medical applications or car electronics. A more extensive third-party analysis in terms of security and performance would be needed to gain more confidence in its usability in these applications.

The second contribution is the security analysis of hash functions. We have contributed actively to the security analysis of block cipher-based hash functions. Since analysis and design are closely related, the methods and the results of our analysis are of independent interest, while they are of particular importance in our block cipher-based designs, the Lesamnta family and Lesamnta-LW.

We have first focused on the block cipher-based designs which were inspired by MD5 and SHA-1 and have been the most popular. Certain hash functions seemed to have based their security on the use of strong non-linear components. Previous analysis of them only investigated the small components taking 8-bit inputs. Our analysis covers larger components such as the underlying block ciphers and compression functions. The main questions were how strong the diffusion layer is and how we can exploit the hash function property that there is no secret information involved. We have tried to answer them by applying advanced differential cryptanalysis dealing with multiple paths and a meet-in-the-middle attack where the backward and forward computation is possible without knowledge of any secret information. Consequently, we have made it clear that the security margin of several hash functions is not as large as one could hope for.

On the other hand, our analysis has produced a result which can be viewed as evidence for a large security margin. Taking as an example SHA-256, on which there had been very little work previously, our differential cryptanalysis reveals how much the combined use of modular additions and exclusive-ors can improve the security of a hash function.

In state-of-the-art hash function cryptanalysis, the key technique is to optimize the attack complexity. The absence of a key in a hash function makes this technique work more efficiently. One example of this technique is the message modification technique developed by Wang et al. [105] to attack MD4, MD5, and SHA-1: the attack first applies differential cryptanalysis to find a differential characteristic producing collisions and then optimizes the attack complexity by modifying the message in an appropriate way.

Apart from the analysis of block cipher-based designs, we have also contributed to the SHA-3 competition through the evaluation of the second-round candidate Luffa, the design of which is based on a variant of the sponge construction.

We believe that our research efforts and results in the design and analysis of hash functions will contribute to establishing a secure ubiquitous society.

5.2 Open Problems and Future Research Directions

5.2.1 Open Problems

• HAVAL.

For HAVAL, we identified differentials with probabilities much higher than the probability we would expect from a random function. Our way of finding differentials is based on matrix multiplications and seems to work well in terms of computation time and memory for hash functions with a weak diffusion layer. It would be interesting to apply it to other hash functions with similar design principles. However, it would be difficult to apply our approach of finding and using differentials to hash functions with a stronger diffusion layer.

• Luffa.

The techniques used in the rebound attack, such as match-in-the-middle and multi-path, are difficult to apply to Luffa because we consider the hash function security setting where the IV is fixed. It remains an open problem whether the rebound attack can be applied effectively to Luffa. For future work, it would be interesting to investigate whether our approach of a simple and effective application of message modification can be applied to other S-box based hash functions such as the SHA-3 finalists JH and Grøstl.

• MAME.

Our implementation shows the compactness of MAME, but it leaves room for further optimizations. Because of the use of the MMO mode, the memory requirement is dominated by the storage for the internal state. In order to improve the MAME design, it would be necessary to investigate a new mode. One of the disadvantages of MAME is its software speed, because of the conservative choice of the number of rounds. Even though our analysis shows that there is no effective differential/linear characteristic for MAME reduced to 58 rounds, it is not known how many rounds a collision-finding differential characteristic can actually reach. It could be 58, but if it is much less, one can reduce the number of rounds in the MAME design, which results in a further speed-up.

• SHA-256.

We applied message modification to analyze the SHA-256 hash function with respect to pseudo-collision resistance. Using our scenario, we presented a pseudo-collision attack on a variant of the SHA-2 hash function called SHA-2-XOR. Our attack uses an iterative differential characteristic. We also studied the properties of multiple rounds of the real SHA-256 function. However, we could not find any iterative differential characteristic with a high probability for SHA-256. It remains a topic for further research to find a differential characteristic suitable for message modification.

• Tiger.

It remains a topic for further research to determine whether the attacks using the meet-in-the-middle approach can be extended to Tiger variants with more than 23 rounds.

5.2.2 Future Research Directions

• Authenticated ciphers.

Users often need to achieve confidentiality and integrity of data in secure systems. An authenticated cipher encrypts and authenticates plaintext, producing a ciphertext together with an authentication code. If an attacker modifies a message, the user detects the modification using the authentication code during the decryption and verification process. NIST specifies two block cipher modes of operation for authenticated encryption, CCM [73] and GCM [74]. It would be interesting to investigate stream cipher modes of operation to achieve authenticated encryption.

In 2012, the DIAC (Directions in Authenticated Ciphers) workshop addressed the shortcomings in terms of security and performance of current approaches to authenticated ciphers. The workshop evaluated the state of the art in authenticated encryption. It would be important to discuss the security/performance requirements on authenticated ciphers, the problems with the existing algorithms and desired future directions, which would shape an open competition similar to the ECRYPT Stream Cipher Project and the SHA-3 competition.


• Cryptography suitable for Industrial control/SCADA systems.

In 2010, a sophisticated computer worm, Stuxnet, was discovered; it initially spread via Microsoft Windows and targeted particular industrial software and equipment. The worm includes a specialized malware payload that targets only particular supervisory control and data acquisition (SCADA) systems. The U.S. National Cyber Security Division (NCSD) operates the Control System Security Program (CSSP) to reduce industrial control system risks by coordinating efforts among federal and local governments as well as industrial control systems.

Before the discovery of the Stuxnet worm, it was common not to apply cryptography in industrial control systems, for several reasons: operating systems are specialized, the network is not connected to the Internet, and the implementation resources are quite limited: there are very tight requirements for cryptographic primitives regarding speed/RAM/ROM compared to typical information systems.

However, in future industrial control systems, cryptography is expected to be an essential component. Applying cryptography to these systems is likely to face the difficult situation that it is very hard to integrate it in systems where reliability and availability are the top priority. This means that cryptographic solutions should not impact the existing application flow, which creates a very challenging problem. In order to address this problem, there is a need for solutions for confidentiality and integrity that are one or perhaps two orders of magnitude more efficient than current standards such as AES and SHA-2. It will become important to reconsider the design and implementation of symmetric primitives.

• SHA-3 implementation.

The SHA-3 hash function will become the de facto standard hash function. This means that SHA-1 will be gradually replaced. Hash functions are deployed in a huge number of applications. Optimal SHA-3 implementations regarding RAM/ROM/speed, or implementations secure against side-channel attacks, would be of great interest. We studied SHA-3 candidate implementations during the competition; now the community can focus on the winner, Keccak. We expect to obtain very good results from this large-scale research effort.

• Design and analysis of symmetric key primitives considering the biclique cryptanalytic approach.

In 2011, there has been significant progress in the analysis of AES [18]. A theoretical attack using a novel technique called biclique analysis has been proposed. The attack successfully exploits the weak diffusion property of the AES key schedule. It is interesting to note that the concept of this technique was developed in hash function analysis but applied to another research area: block cipher analysis. Since the technique is generic and powerful enough to attack AES, which has withstood attacks for the past 10 years since it was standardized in 2001, from an attacker's point of view it would be interesting to investigate the applicability of this technique to other symmetric key primitives such as block ciphers, stream ciphers, and hash functions with a weak diffusion property. From the designer's point of view, he has to clearly explain why a new cipher is secure against all the relevant attacks. However, it is still unclear how to ensure security against the biclique attack. It would be an interesting task for the designer to evaluate his cipher with respect to this attack in a theoretical or quantitative manner.

• Applied cryptography in information systems.

In an information system, there are many computer devices, client PCs and servers, which are distributed over several kinds of networks. The amount of data traffic varies depending on the communication channels in the system, and the sensitivity of the data varies as well. A busy communication channel could be beneficial to the attacker because he could gather a large amount of data that he can analyze.

In general, one can adjust the security levels of the systems by optimizing the key length. However, a straightforward application of cryptographic solutions or frequent key updates could be too expensive and cause a problem for the functionality or availability of the system. In systems, a different approach has to be taken for different security targets even though a single key length is supported in the system. Therefore, optimized applications of cryptography and optimized key management are required within the same system. For instance, it may be that some communication channels need cryptographic protection but others do not. Given the current situation that good cryptographic algorithms such as AES and SHA-3 have been standardized, one of the most important next challenges would be to apply these algorithms to real systems in an optimal way. This could include finding an automated method to determine whether or not to apply cryptography on each channel and finding a systematic method to determine how frequently the keys have to be updated.

There are different requirements imposed on encryption algorithms and hash algorithms, and some requirements are harder to achieve than others (e.g. collision resistance seems harder to achieve than preimage resistance); some recent research considers this and proposes security parameters other than keys, such as a salt. In real-world security, it is important to consider how to generate and use security parameters such as IVs and salts, and also to develop other security parameters so that the security levels can be adjusted or a more realistic security reduction becomes possible.

• Cryptanalysis of bit-slice type ciphers.

For the last several years, CPU designs have changed to employ multi-core architectures. This affects the design of symmetric-key primitives. Many new designs of these ciphers keep this CPU trend in mind during the design process. The advantage is that parallel computations are possible by using SIMD instructions on very long registers. Some fast SHA-3 candidates such as JH and Keccak have this advantage. For future work, it would be interesting to investigate a generic method using message modification to analyse these hash functions.


Bibliography

[1] R. J. Anderson and E. Biham, "TIGER: A Fast New Hash Function," Fast Software Encryption, FSE '96, LNCS, vol. 1039, Springer, pp. 89–97, 1996.

[2] E. Andreeva and M. Stam, "The Symbiosis between Collision and Preimage Resistance," Cryptography and Coding, IMA International Conference, LNCS, vol. 7089, Springer, pp. 152–171, 2011.

[3] J. P. Aumasson, L. Henzen, W. Meier and R. C. W. Phan, "SHA-3 proposal BLAKE". http://131002.net/blake/

[4] J. P. Aumasson, L. Henzen, W. Meier and M. Naya-Plasencia, "QUARK: A Lightweight Hash," Cryptographic Hardware and Embedded Systems, CHES 2010, LNCS, vol. 6225, Springer, pp. 1–15, 2010.

[5] L. Batina, N. Mentens, K. Sakiyama, B. Preneel, and I. Verbauwhede, "Low-Cost Elliptic Curve Cryptography for Wireless Sensor Networks," Security and Privacy in Ad-Hoc and Sensor Networks, ESAS 2006, LNCS, vol. 4357, Springer, pp. 6–17, 2007.

[6] C. W. Benner, J. Graef, J. Pham, and J. P. Kaps, "XBX Benchmarking Results January 2012," Third SHA-3 Candidate Conference.

[7] J. Balasch, B. Ege, T. Eisenbarth, B. Gérard, Z. Gong, T. Güneysu, S. Heyse, S. Kerckhof, F. Koeune, T. Plos, T. Pöppelmann, F. Regazzoni, F.-X. Standaert, G. Van Assche, R. Van Keer, L. van Oldeneel tot Oldenzeel, and I. von Maurich, "Compact Implementation and Performance Evaluation of Hash Functions in ATtiny Devices," http://eprint.iacr.org/2012/507.pdf

[8] P. S. L. M. Barreto and V. Rijmen, "The Whirlpool Hashing Function," submitted to NESSIE, September 2000. Revised May 2003.

[9] M. Bellare, R. Canetti, and H. Krawczyk, "Pseudorandom functions revisited: The cascade construction and its concrete security," Annual Symposium on the Foundations of Computer Science, FOCS 1996, IEEE, pp. 514–523, 1996.


[10] M. Bellare and P. Rogaway, "Random oracles are practical: A paradigm for designing efficient protocols," ACM Conference on Computer and Communications Security, ACM, pp. 62–73, 1993.

[11] G. Bertoni, J. Daemen, M. Peeters and G. Van Assche, "On the Indifferentiability of the Sponge Construction," Advances in Cryptology - EUROCRYPT 2008, LNCS, vol. 4965, Springer, pp. 181–197, 2008.

[12] G. Bertoni, J. Daemen, M. Peeters and G. Van Assche, "Keccak specifications". http://keccak.noekeon.org/

[13] G. Bertoni, J. Daemen, M. Peeters and G. Van Assche, "KECCAK sponge function family main document (Version 1.2, April 23, 2009)". http://keccak.noekeon.org/Keccak-main-1.2.pdf

[14] E. Biham, A. Biryukov and A. Shamir, "Cryptanalysis of Skipjack Reduced to 31 Rounds Using Impossible Differentials," Advances in Cryptology - EUROCRYPT '99, LNCS, vol. 1592, Springer, pp. 12–23, 1999.

[15] E. Biham and A. Shamir, "Differential Cryptanalysis of the Data Encryption Standard," Springer, 1993.

[16] A. Biryukov and D. Wagner, "Advanced slide attacks," Advances in Cryptology - EUROCRYPT 2000, LNCS, vol. 1807, Springer, pp. 589–606, 2000.

[17] J. Black, P. Rogaway, and T. Shrimpton, "Black-box analysis of the block-cipher-based hash-function constructions from PGV," Advances in Cryptology - CRYPTO 2002, LNCS, vol. 2442, Springer, pp. 320–335, 2002.

[18] A. Bogdanov, D. Khovratovich, C. Rechberger, “Biclique Cryptanalysis of theFull AES,” Advances in Cryptology - ASIACRYPT 2011, LNCS, vol. 7073,Springer, pp. 344–371, 2011.

[19] A. Bogdanov, L. R. Knudsen, G. Leander, C. Paar, A. Poschmann,M. J. B. Robshaw, Y. Seurin, and C. Vikkelsoe, “PRESENT: AnUltra-Lightweight Block Cipher,” Cryptographic Hardware and EmbeddedSystems CHES 2007, LNCS, vol. 4727, Springer, pp 450–466, 2007.

[20] A. Bogdanov, G. Leander, C. Paar, A. Poschmann, M. J. B. Robshaw, andY. Seurin, “Hash Functions and RFID Tags: Mind the Gap,” CryptographicHardware and Embedded Systems CHES 2008, LNCS, vol. 5154, Springer,pp 283–299, 2008.

[21] C. Bouillaguet, O. Dunkelman, G. Leurent, and P. A. Fouque, “Another lookat complementation properties,” Fast Software Encryption 2010 Workshop,FSE 2010, LNCS, vol. 6147, Springer, pp 347-364, 2010.


[22] C. Bouillaguet, O. Dunkelman, G. Leurent, and P.-A. Fouque, “Attacks on Hash Functions Based on Generalized Feistel: Application to Reduced-Round Lesamnta and SHAvite-3_512,” Selected Areas in Cryptography, SAC 2010, LNCS, vol. 6544, Springer, pp. 18–35, 2011.

[23] R. Canetti, O. Goldreich, and S. Halevi, “The random oracle methodology, revisited,” ACM Symposium on the Theory of Computing, STOC 1998, ACM Press, pp. 209–218, 1998.

[24] C. De Cannière, O. Dunkelman, and M. Knežević, “KATAN and KTANTAN – a family of small and efficient hardware-oriented block ciphers,” Cryptographic Hardware and Embedded Systems – CHES 2009, LNCS, vol. 5747, Springer, pp. 272–288, 2009.

[25] F. Chabaud and S. Vaudenay, “Links between differential and linear cryptanalysis,” Advances in Cryptology – EUROCRYPT ’94, LNCS, vol. 950, Springer, pp. 356–365, 1995.

[26] J.-S. Coron, Y. Dodis, C. Malinaud, and P. Puniya, “Merkle-Damgård revisited: How to construct a hash function,” Advances in Cryptology – CRYPTO 2005, LNCS, vol. 3621, Springer, pp. 430–448, 2005.

[27] C. De Cannière, H. Sato, and D. Watanabe, “Hash Function Luffa – Specification.” http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/submissions_rnd1.html

[28] J. Daemen, L. R. Knudsen, and V. Rijmen, “The block cipher SQUARE,” Fast Software Encryption, FSE ’97, LNCS, vol. 1267, Springer, pp. 149–165, 1997. http://www.esat.kuleuven.ac.be/~cosicart/pdf/VR-9700.PDF

[29] J. Daemen and V. Rijmen, “The Design of Rijndael: AES – The Advanced Encryption Standard,” Springer, 2002.

[30] I. B. Damgård, “A design principle for hash functions,” Advances in Cryptology – CRYPTO ’89, LNCS, vol. 435, Springer, pp. 416–427, 1990.

[31] DIAC (Directions in Authenticated Ciphers) workshop, July 5–6, 2012, Stockholm, Sweden. http://www.hyperelliptic.org/DIAC/

[32] E. Fleischmann, C. Forler, and M. Gorski, “Classification of the SHA-3 Candidates,” Cryptology ePrint Archive, Report 2008/511. http://eprint.iacr.org/2008/511

[33] M. Feldhofer, S. Dominikus, and J. Wolkerstorfer, “Strong Authentication for RFID Systems using the AES Algorithm,” Cryptographic Hardware and Embedded Systems – CHES 2004, LNCS, vol. 3156, Springer, pp. 357–370, 2004.


[34] M. Feldhofer and C. Rechberger, “A case against currently used hash functions in RFID protocols,” On the Move to Meaningful Internet Systems 2006, OTM 2006 Workshops, LNCS, vol. 4227, Springer, pp. 372–381, 2006.

[35] N. Ferguson, S. Lucks, B. Schneier, D. Whiting, M. Bellare, T. Kohno, J. Callas, and J. Walker, “The Skein Hash Function Family.” http://www.schneier.com/skein.html

[36] A. Fiat and A. Shamir, “How to Prove Yourself: Practical Solutions to Identification and Signature Problems,” Advances in Cryptology – CRYPTO ’86, LNCS, vol. 263, Springer, pp. 186–194, 1987.

[37] G. D. Forney, Jr., “The Viterbi Algorithm,” Proceedings of the IEEE, vol. 61, no. 3, pp. 268–278, 1973.

[38] G. Gaubatz, J.-P. Kaps, E. Öztürk, and B. Sunar, “State of the Art in Ultra-Low Power Public Key Cryptography for Wireless Sensor Networks,” Workshop on Pervasive Computing and Communication Security, PerSec 2005, 2005.

[39] P. Gauravaram, L. R. Knudsen, K. Matusiewicz, F. Mendel, C. Rechberger, M. Schläffer, and S. S. Thomsen, “Grøstl – a SHA-3 candidate.” http://www.groestl.info/

[40] P. Gauravaram and L. R. Knudsen, “Security Analysis of Randomize-Hash-then-Sign Digital Signatures,” Journal of Cryptology, vol. 25, no. 4, pp. 748–779, 2012.

[41] J. Guo, T. Peyrin, and A. Poschmann, “The PHOTON Family of Lightweight Hash Functions,” Advances in Cryptology – CRYPTO 2011, LNCS, vol. 6841, Springer, pp. 222–239, 2011.

[42] S. Halevi and H. Krawczyk, “Strengthening digital signatures via randomized hashing,” Advances in Cryptology – CRYPTO 2006, LNCS, vol. 4117, Springer, pp. 41–59, 2006.

[43] S. Hirose, H. Kuwakado, and H. Yoshida, “SHA-3 proposal: Lesamnta,” http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/Lesamnta.zip, October 2008. Latest version: http://www.hitachi.com/rd/yrl/crypto/lesamnta/

[44] S. Hirose, H. Kuwakado, and H. Yoshida, “Security analysis of the compression function of Lesamnta and its impact.” http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/LESAMNTA_Comments.pdf, June 2009.

[45] S. Hirose, H. Kuwakado, and H. Yoshida, “A Minor Change to Lesamnta – Change of Round Constants.” http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/LESAMNTA_Comments.pdf


[46] S. Hirose, K. Ideguchi, H. Kuwakado, T. Owada, B. Preneel, and H. Yoshida, “An AES Based 256-bit Hash Function for Lightweight Applications: Lesamnta-LW,” IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, vol. E95-A, no. 1, pp. 89–99, 2012.

[47] S. Hirose, K. Ideguchi, H. Kuwakado, T. Owada, B. Preneel, and H. Yoshida, “A Lightweight 256-Bit Hash Function for Hardware and Low-End Devices: Lesamnta-LW,” Information Security and Cryptology, ICISC 2010, LNCS, vol. 6829, Springer, pp. 151–168, 2011.

[48] S. Hirose, H. Kuwakado, and H. Yoshida, “Compression Functions Using a Dedicated Blockcipher for Lightweight Hashing,” Information Security and Cryptology, ICISC 2011, LNCS, vol. 7259, Springer, pp. 346–364, 2012.

[49] ISO/IEC, “ISO/IEC 10118-3:2004: Information technology – Security techniques – Hash-functions – Part 3: Dedicated hash-functions,” 2004.

[50] T. Jakobsen and L. R. Knudsen, “The interpolation attack on block ciphers,” Fast Software Encryption, FSE ’97, LNCS, vol. 1267, Springer, pp. 28–40, 1997.

[51] A. Joux, “Multicollisions in iterated hash functions. Application to cascaded constructions,” Advances in Cryptology – CRYPTO 2004, LNCS, vol. 3152, Springer, pp. 306–316, 2004.

[52] J. Kelsey and B. Schneier, “Second preimages on n-bit hash functions for much less than 2^n work,” Advances in Cryptology – EUROCRYPT 2005, LNCS, vol. 3494, Springer, pp. 474–490, 2005.

[53] J. Kelsey and S. Lucks, “Collisions and Near-Collisions for Reduced-Round Tiger,” Fast Software Encryption, FSE 2006, LNCS, vol. 4047, Springer, pp. 111–125, 2006.

[54] L. R. Knudsen, “Truncated and higher order differentials,” Fast Software Encryption, FSE ’94, LNCS, vol. 1008, Springer, pp. 196–211, 1995.

[55] D. E. Knuth, “The Art of Computer Programming, Volume 3: Sorting and Searching,” Addison-Wesley, second edition, 1998.

[56] D. Khovratovich, M. Naya-Plasencia, A. Röck, and M. Schläffer, “Cryptanalysis of Luffa v2 components,” Selected Areas in Cryptography, SAC 2010, LNCS, vol. 6544, Springer, 2011.

[57] M. Lamberger, F. Mendel, V. Rijmen, and K. Simoens, “Memoryless near-collisions via coding theory,” Designs, Codes and Cryptography, vol. 62, no. 1, pp. 1–18, 2012.


[58] X. Lai, J. L. Massey, and S. Murphy, “Markov Ciphers and Differential Cryptanalysis,” Advances in Cryptology – EUROCRYPT ’91, LNCS, vol. 547, Springer, pp. 17–38, 1991.

[59] S. Lucks, “A Failure-Friendly Design Principle for Hash Functions,” Advances in Cryptology – ASIACRYPT 2005, LNCS, vol. 3788, Springer, pp. 474–494, 2005.

[60] T. V. Le, R. Sparr, R. Wernsdorf, and Y. Desmedt, “Complementation-like and cyclic properties of AES round functions,” Advanced Encryption Standard – AES, 4th International Conference, AES 2004, LNCS, vol. 3373, Springer, pp. 128–141, 2005.

[61] M. Matsui, “Linear cryptanalysis method for DES cipher,” Advances in Cryptology – EUROCRYPT ’93, LNCS, vol. 765, Springer, pp. 386–397, 1994.

[62] SASEBO Hardware Security Project. http://www.morita-tech.co.jp/SASEBO/en/sha3/index.html

[63] S. M. Matyas, C. H. Meyer, and J. Oseas, “Generating strong one-way functions with cryptographic algorithm,” IBM Technical Disclosure Bulletin, vol. 27, no. 10A, pp. 5658–5659, 1985.

[64] U. Maurer, R. Renner, and C. Holenstein, “Indifferentiability, impossibility results on reductions, and applications to the random oracle methodology,” First Theory of Cryptography Conference, TCC 2004, LNCS, vol. 2951, Springer, pp. 21–39, 2004.

[65] F. Mendel, “Two Passes of Tiger Are Not One-Way,” Progress in Cryptology – AFRICACRYPT 2009, LNCS, vol. 5580, Springer, pp. 29–40, 2009.

[66] F. Mendel and V. Rijmen, “Cryptanalysis of the Tiger Hash Function,” Advances in Cryptology – ASIACRYPT 2007, LNCS, vol. 4833, Springer, pp. 536–550, 2007.

[67] F. Mendel, B. Preneel, V. Rijmen, H. Yoshida, and D. Watanabe, “Update on Tiger,” Progress in Cryptology – INDOCRYPT 2006, LNCS, vol. 4329, Springer, pp. 63–79, 2006.

[68] A. J. Menezes, P. C. van Oorschot, and S. A. Vanstone, “Handbook of Applied Cryptography,” CRC Press, 1996.

[69] R. C. Merkle, “One way hash functions and DES,” Advances in Cryptology – CRYPTO ’89, LNCS, vol. 435, Springer, pp. 428–446, 1990.

[70] S. Miyaguchi, K. Ohta, and M. Iwata, “128-bit Hash function (N-Hash),” NTT Review, vol. 2, no. 6, pp. 128–132, November 1990.

[71] R. Motwani and P. Raghavan, “Randomized Algorithms,” Cambridge University Press, 1995.


[72] National Institute of Standards and Technology, “Secure hash standard,” FIPS Publication 180-2, August 2002. http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf

[73] National Institute of Standards and Technology, “Recommendation for Block Cipher Modes of Operation: The CCM Mode for Authentication and Confidentiality,” Special Publication 800-38C. http://csrc.nist.gov/publications/nistpubs/800-38C/SP800-38C_updated-July20_2007.pdf

[74] National Institute of Standards and Technology, “Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC,” Special Publication 800-38D. http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf

[75] NIST, “The keyed-hash message authentication code (HMAC),” FIPS Publication 198.

[76] NIST, “Announcing request for candidate algorithm nominations for a new cryptographic hash algorithm (SHA-3) family,” November 2007. http://csrc.nist.gov/groups/ST/hash/documents/

[77] NIST, “Digital Signature Standard,” FIPS Publication 186-2.

[78] NIST, “The Keyed-Hash Message Authentication Code (HMAC),” FIPS Publication 198.

[79] NIST, “Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography,” Special Publication 800-56A.

[80] NIST, “Recommendation for Random Number Generation Using Deterministic Random Bit Generators (DRBGs),” Special Publication 800-90.

[81] NIST, “Randomized Hashing for Digital Signatures,” Special Publication 800-106.

[82] D. A. Osvik, “Fast Embedded Software Hashing,” Cryptology ePrint Archive, Report 2012/156. http://eprint.iacr.org/2012/156.pdf

[83] B. Preneel, “Analysis and Design of Cryptographic Hash Functions,” PhD thesis, Katholieke Universiteit Leuven, 1993.

[84] B. Preneel, D. Chaum, W. Fumy, C. J. A. Jansen, P. Landrock, and G. Roelofsen, “Race Integrity Primitives Evaluation (RIPE): a status report,” Advances in Cryptology – EUROCRYPT ’91, LNCS, vol. 547, Springer, pp. 547–551, 1991.

[85] B. Preneel, R. Govaerts, and J. Vandewalle, “Hash functions based on block ciphers: A synthetic approach,” Advances in Cryptology – CRYPTO ’93, LNCS, vol. 773, Springer, pp. 368–378, 1994.


[86] B. Preneel and P. C. van Oorschot, “MDx-MAC and Building Fast MACs from Hash Functions,” Advances in Cryptology – CRYPTO ’95, LNCS, vol. 963, Springer, pp. 1–14, 1995.

[87] B. Preneel, H. Yoshida, and D. Watanabe, “Finding Collisions for Reduced Luffa-256 v2 (Poster),” Information Security and Privacy – 16th Australasian Conference, ACISP 2011, LNCS, vol. 6812, Springer, pp. 423–427, 2011.

[88] J.-J. Quisquater and M. Girault, “2n-Bit Hash-Functions Using n-Bit Symmetric Block Cipher Algorithms,” Advances in Cryptology – EUROCRYPT ’89, LNCS, vol. 434, Springer, pp. 102–109, 1990.

[89] M. O. Rabin, “Digitalized signatures,” Foundations of Secure Computation, Academic Press, pp. 155–168, 1978.

[90] V. Rijmen and B. Preneel, “Improved characteristics for differential cryptanalysis of hash functions based on block ciphers,” Fast Software Encryption, FSE ’95, LNCS, vol. 1008, Springer, pp. 242–248, 1995.

[91] R. Rivest, “The MD4 message-digest algorithm,” Request for Comments 1320, Internet Activities Board, Internet Privacy Task Force, April 1992.

[92] R. Rivest, “The MD5 message-digest algorithm,” Request for Comments 1321, April 1992. ftp://ftp.rfc-editor.org/in-notes/rfc1321.txt

[93] P. Rogaway and T. Shrimpton, “Cryptographic Hash-Function Basics: Definitions, Implications, and Separations for Preimage Resistance, Second-Preimage Resistance, and Collision-Resistance,” Fast Software Encryption, FSE 2004, LNCS, vol. 3017, Springer, pp. 371–388, 2004.

[94] Y. Sasaki, G. Yamamoto, and K. Aoki, “Practical Password Recovery on an MD5 Challenge and Response,” Cryptology ePrint Archive, Report 2007/101, 2007.

[95] Y. Sasaki, “Cryptanalysis on a Merkle-Damgård Based MAC – Almost Universal Forgery and Distinguishing-H Attacks,” Advances in Cryptology – EUROCRYPT 2012, LNCS, vol. 7237, Springer, pp. 411–427, 2012.

[96] http://www.semico.com

[97] A. Shamir, “SQUASH – A New MAC with Provable Security Properties for Highly Constrained Devices Such as RFID Tags,” Fast Software Encryption, FSE 2008, LNCS, vol. 5086, Springer, pp. 144–157, 2008.

[98] W. Simpson, “PPP Challenge Handshake Authentication Protocol (CHAP),” Request for Comments 1994, 1996. http://www.ietf.org/rfc/rfc1994.txt


[99] M. L. Songini, “Passive RFID tag market to hit $486M in 2013,” InfoWorld. http://www.infoworld.com/t/networking/passive-rfid-tag-market-hit-486m-in-2013-102

[100] S. Tillich, M. Feldhofer, W. Issovits, T. Kern, H. Kureck, M. Mühlberghuber, G. Neubauer, A. Reiter, A. Köfler, and M. Mayrhofer, “Compact hardware implementations of the SHA-3 candidates ARIRANG, BLAKE, Grøstl, and Skein,” Cryptology ePrint Archive, Report 2009/349. http://eprint.iacr.org/2009/349.pdf

[101] G. Tsudik, “Message authentication with one-way hash functions,” ACM Computer Communication Review, vol. 22, no. 5, pp. 29–38, 1992.

[102] A. J. Viterbi, “Error bounds for convolutional codes and an asymptotically optimal decoding algorithm,” IEEE Transactions on Information Theory, vol. 13, pp. 260–269, 1967.

[103] X. Wang, X. Lai, D. Feng, H. Chen, and X. Yu, “Cryptanalysis of the hash functions MD4 and RIPEMD,” Advances in Cryptology – EUROCRYPT 2005, LNCS, vol. 3494, Springer, pp. 1–18, 2005.

[104] X. Wang and H. Yu, “How to Break MD5 and Other Hash Functions,” Advances in Cryptology – EUROCRYPT 2005, LNCS, vol. 3494, Springer, pp. 19–35, 2005.

[105] X. Wang, Y. L. Yin, and H. Yu, “Finding collisions in the full SHA-1,” Advances in Cryptology – CRYPTO 2005, LNCS, vol. 3621, Springer, pp. 17–36, 2005.

[106] Wikipedia, “Microprocessor,” section “Market statistics.” http://en.wikipedia.org/wiki/Microprocessor

[107] H. Wu, “The Hash Function JH.” http://www3.ntu.edu.sg/home/wuhj/research/jh/

[108] H. Yoshida and A. Biryukov, “Analysis of a SHA-256 Variant,” Selected Areas in Cryptography, SAC 2005, LNCS, vol. 3897, Springer, pp. 245–260, 2006.

[109] H. Yoshida, A. Biryukov, C. De Cannière, J. Lano, and B. Preneel, “Non-randomness of the Full 4 and 5-pass HAVAL,” Security in Communication Networks, SCN 2004, LNCS, vol. 3352, Springer, pp. 324–336, 2005.

[110] H. Yoshida, D. Watanabe, K. Okeya, J. Kitahara, H. Wu, Ö. Küçük, and B. Preneel, “MAME: a compression function with reduced hardware requirements,” Cryptographic Hardware and Embedded Systems – CHES 2007, LNCS, vol. 4727, Springer, pp. 148–165, 2007.


[111] Y. Zheng, T. Matsumoto, and H. Imai, “On the construction of block ciphers provably secure and not relying on any unproved hypotheses,” Advances in Cryptology – CRYPTO ’89, LNCS, vol. 435, Springer, pp. 461–480, 1990.

[112] Y. Zheng, J. Pieprzyk, and J. Seberry, “HAVAL – a one-way hashing algorithm with variable length of output,” Advances in Cryptology – AUSCRYPT ’92, LNCS, vol. 718, Springer, pp. 83–104, 1993.


Part II

Publications


List of Publications

International Journals

1. S. Hirose, K. Ideguchi, H. Kuwakado, T. Owada, B. Preneel, and H. Yoshida, “An AES Based 256-bit Hash Function for Lightweight Applications: Lesamnta-LW,” IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, vol. E95-A, no. 1, pp. 89–99, 2012.

– See p. 221.

Lecture Notes in Computer Science

1. H. Yoshida, A. Biryukov, C. De Cannière, J. Lano, and B. Preneel, “Non-randomness of the Full 4 and 5-pass HAVAL,” Security in Communication Networks, SCN 2004, LNCS, vol. 3352, Springer, pp. 324–336, 2005.

– See p. 61.

2. H. Yoshida and A. Biryukov, “Analysis of a SHA-256 Variant,” Selected Areas in Cryptography, SAC 2005, LNCS, vol. 3897, Springer, pp. 245–260, 2006.

– See p. 79.

3. F. Mendel, B. Preneel, V. Rijmen, H. Yoshida, and D. Watanabe, “Update on Tiger,” Progress in Cryptology – INDOCRYPT 2006, LNCS, vol. 4329, Springer, pp. 63–79, 2006.

– See p. 99.

4. H. Yoshida, D. Watanabe, K. Okeya, J. Kitahara, H. Wu, Ö. Küçük, and B. Preneel, “MAME: a compression function with reduced hardware requirements,” Cryptographic Hardware and Embedded Systems – CHES 2007, LNCS, vol. 4727, Springer, pp. 148–165, 2007.

– See p. 121.


5. S. Hirose, K. Ideguchi, H. Kuwakado, T. Owada, B. Preneel, and H. Yoshida, “A Lightweight 256-Bit Hash Function for Hardware and Low-End Devices: Lesamnta-LW,” Information Security and Cryptology, ICISC 2010, LNCS, vol. 6829, Springer, pp. 151–168, 2011.

6. B. Preneel, H. Yoshida, and D. Watanabe, “Finding Collisions for Reduced Luffa-256 v2 (Poster),” Information Security and Privacy – 16th Australasian Conference, ACISP 2011, LNCS, vol. 6812, Springer, pp. 423–427, 2011.

– See p. 213.

7. S. Hirose, H. Kuwakado, and H. Yoshida, “Compression Functions Using a Dedicated Blockcipher for Lightweight Hashing,” Information Security and Cryptology, ICISC 2011, LNCS, vol. 7259, Springer, pp. 346–364, 2012.

Technical Reports

1. H. Yoshida, A. Biryukov, and B. Preneel, “Some applications of the Biham-Chen attack,” ECRYPT Conference on Hash Functions 2005, 2005.

2. H. Yoshida, A. Biryukov, and B. Preneel, “Some Applications of the Biham-Chen Attack to SHA-like Hash Functions,” Proceedings 2005 NIST Cryptographic Hash Workshop, 12 pages, 2005.

3. H. Yoshida, D. Watanabe, K. Okeya, J. Kitahara, H. Wu, Ö. Küçük, and B. Preneel, “MAME: A compression function with reduced hardware requirements,” ECRYPT Workshop on Hash Functions 2007, 15 pages, 2007.

4. S. Hirose, H. Kuwakado, and H. Yoshida, “SHA-3 proposal: Lesamnta,” http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/Lesamnta.zip, October 2008. Latest version: http://www.hitachi.com/rd/yrl/crypto/lesamnta/

– See p. 143 for the full version of this technical report.

5. S. Hirose, H. Kuwakado, and H. Yoshida, “A Minor Change to Lesamnta – Change of Round Constants.” http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/LESAMNTA_Comments.pdf

6. S. Hirose, H. Kuwakado, and H. Yoshida, “Security analysis of the compression function of Lesamnta and its impact.” http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/LESAMNTA_Comments.pdf, June 2009.


Publication

Non-randomness of the Full 4 and 5-pass HAVAL

Publication Data

H. Yoshida, A. Biryukov, C. De Cannière, J. Lano, and B. Preneel, “Non-randomness of the Full 4 and 5-pass HAVAL,” Security in Communication Networks, SCN 2004, LNCS, vol. 3352, Springer, pp. 324–336, 2005.

Contributions

• Principal author. We devised an attack on the underlying block cipher of the full HAVAL hash function. The theoretical analysis of differentials was suggested by Alex Biryukov.


Non-randomness of the Full 4 and 5-pass HAVAL∗

Hirotaka Yoshida (1,2), Alex Biryukov (2), Christophe De Cannière (2,†), Joseph Lano (2,‡), and Bart Preneel (2)

1 Systems Development Laboratory, Hitachi, Ltd., 292 Yoshida-cho, Totsuka-ku, Yokohama, 244-0817, Japan

2 Katholieke Universiteit Leuven, Dept. ESAT/SCD-COSIC, Kasteelpark Arenberg 10, B-3001 Leuven-Heverlee, Belgium

hyoshida,abiryuko,cdecanni,jlano,[email protected]

Abstract. HAVAL is a cryptographic hash function proposed in 1992 by Zheng, Pieprzyk and Seberry. Its structure is quite similar to other widely used hash functions such as MD5 and SHA-1. The specification of HAVAL includes a security parameter: the number of passes (that is, the number of times that a particular word of the message is used in the computation), which can be chosen equal to 3, 4 or 5. In this paper we cryptanalyze the compression functions of the 4-pass and the 5-pass HAVAL using differential cryptanalysis. We show that each of these two functions can be distinguished from a truly random function.

1 Introduction

A hash function is a cryptographic algorithm that takes input strings of arbitrary (or very large) length and maps them to short, fixed-length output strings. HAVAL is a cryptographic hash function proposed in 1992 by Zheng, Pieprzyk and Seberry [18]. Its structure is quite similar to other widely used hash functions such as MD5 [14] and SHA-1 [16]. It uses rotations, modular additions, and highly non-linear Boolean functions. HAVAL operates in so-called passes, where each pass consists of 32 steps. The recommended numbers of passes are 3, 4 and 5. Thus 3, 4 and 5-pass HAVAL have 96, 128 and 160 steps (or rounds in block-cipher terminology) respectively. The hash value calculated by HAVAL is 256 bits long.

In the case of HAVAL, several articles demonstrated collisions for the reduced 2-pass variants [8, 10, 13]. Recently, an efficient algorithm constructing collisions for the full 3-pass HAVAL has been described in [15]. The attack has a complexity of $2^{29}$ steps and requires a negligible amount of memory. However, no weaknesses in the 4 and 5-pass HAVAL have been demonstrated so far.

∗ This work was supported in part by the Concerted Research Action (GOA) Mefisto-2000/06 of the Flemish Government.

† F.W.O. Research Assistant, the Fund for Scientific Research – Flanders (Belgium).

‡ Research financed by a Ph.D. grant of the Institute for the Promotion of Innovation through Science and Technology in Flanders (IWT-Vlaanderen).


In this paper we present a cryptanalysis of HAVAL in the cases where the number of passes equals the maximal security values: 4 and 5. Our analysis leads to an attack that detects the non-randomness of the 4-pass and the 5-pass HAVAL in encryption mode. We show how to distinguish the compression function of the 4 and 5-pass HAVAL from a random permutation. For convenience, we discuss the security of HAVAL focusing on the 4-pass version; our discussion is easily extended to the 5-pass version. The security of the 4 and 5-pass HAVAL in hash mode remains an open problem.

The outline of this paper is as follows. In Section 2, we give a brief description of the HAVAL algorithm published in [18]. In Section 3, we present our differential attack on the HAVAL compression function used in encryption mode; we also discuss the practical implementation issues of our attack. In Section 4 we give experimental results. We conclude in Section 5.

2 Description of the HAVAL Hash Function

In this section, we give a brief description of the HAVAL hash function, which is sufficient to understand the concepts introduced in this paper. For a full description of HAVAL we refer to [18].

HAVAL is a hash function that is based on the well-known Davies-Meyer construction of hash functions ([12], p. 341). The variable-length message $M$ is divided into 1024-bit blocks $M_0, M_1, \ldots, M_{n-1}$. The 256-bit hash value $V_n$ is then computed as follows:

$V_0 = IV;\quad V_{j+1} = \mathrm{compress}(V_j, M_j) = E(V_j, M_j) + V_j \quad \text{for } 0 \le j < n,$

where compress is the compression function, $IV$ is a fixed initial value and $E$ is a block cipher. As a block cipher $E$, one could choose either a known block cipher or a dedicated design. HAVAL chooses the latter option. The function $E$ is an iterated design that only uses simple operations on 32-bit words. The 256-bit input $V_j$ is loaded into 8 registers $(A, B, C, D, E, F, G, H)$ and the 1024-bit message block is divided into 32 words of 32 bits $(X_0, \ldots, X_{31})$.

The 8 registers are updated through a number of steps. One step of the compression function is depicted in Fig. 1. The HAVAL compression function consists of 96, 128 or 160 consecutive steps. Each sequence of 32 steps is grouped together into a pass, so that we say that HAVAL is 3, 4 or 5-pass. In each pass, every word $X_i$ is used exactly once. Every pass $r$ has its own Boolean function $f_r$, 32 constants $K_i$, and a specified order in which the 32 words $X_i$ are processed.


3 Differential Cryptanalysis of the 4-pass HAVAL inEncryption Mode

In this section, we explain the HAVAL hash function in encryption mode in Section 3.1 and review known attacks on the reduced 2-pass and the full 3-pass HAVAL in Section 3.2. We present a differential cryptanalysis that finds a weakness in the 4-pass HAVAL in Section 3.3 and provide solutions to the problems arising in its implementation in Section 3.4.

3.1 Cryptanalysis of Hash Functions in Encryption Mode

As mentioned above, one can construct a hash function from a block cipher using the Davies-Meyer construction. Conversely, one can construct a block cipher from the HAVAL compression function by peeling off the Davies-Meyer feed-forward. In this cipher, the message block $M_j$ is viewed as the key, the chaining variable $V_j$ acts as the plaintext block, and $V_{j+1} = E(V_j, M_j)$ is the corresponding ciphertext block. In general, a block cipher constructed from a hash function in this way is called a hash function in encryption mode.

We will analyze the 4-pass HAVAL in encryption mode. Such an analysis provides a better understanding of the strength of the HAVAL compression function. Our method can be easily extended to the 5-pass version.

Several cryptanalytic techniques, ranging from differential cryptanalysis [1] to slide attacks [2], have been applied to study the security of well-known hash functions in encryption mode. For example, differential cryptanalysis of SHA-1 has been shown in [7]. A slide attack on SHA-1 and an attack on MD5 which finds one high-probability differential characteristic were given in [17].

Throughout this paper we will use the notion of a “step”, as defined in the specification of HAVAL, instead of the block-cipher notion of a “round”. We will also use the notion of a “pass”, which stands for 32 steps as explained above.
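The following Python program is an added example, not code from the paper: it makes the Davies-Meyer relation of Section 2 and the "encryption mode" view of Section 3.1 concrete on a HAVAL-shaped toy. The step function (8 × 32-bit registers, 32 message words, 32 steps per pass, one register replaced per step) is hypothetical and only shares HAVAL's shape; its Boolean function `f_bool`, word order `ORDER` and constants `K` are chosen here and are not HAVAL's. It shows (a) that peeling off the feed-forward leaves an invertible block cipher keyed by the message block, (b) that the feed-forward `compress(V, M) = E(V, M) + V` is what turns that permutation into a one-way compression function, and (c) the kind of sampling harness used to test whether a differential holds more often than it would for a random permutation. The inverse `decrypt` also yields a fixed point of the compression function for free, which illustrates why properties of `E` in encryption mode matter for the hash.

```python
"""Davies-Meyer chaining and the "encryption mode" view of a compression
function.  Added example, not code from the paper: the step function below
is a HAVAL-shaped toy (8 x 32-bit registers, 32 message words, 32 steps per
pass) chosen only to be invertible.  Its Boolean function, word order and
constants are hypothetical and are NOT HAVAL's."""
import random

MASK = 0xFFFFFFFF
WORDS = 8        # 256-bit chaining value V as 8 x 32-bit words
MSG_WORDS = 32   # 1024-bit message block M as 32 x 32-bit words
PASSES = 3       # toy: 3 passes x 32 steps = 96 steps
STEPS = PASSES * MSG_WORDS


def rotr(x, n):
    return ((x >> n) | (x << (32 - n))) & MASK


def rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def f_bool(b, c, d, e, f, g, h):
    # Hypothetical non-linear Boolean function (stands in for HAVAL's f_r).
    return ((b & c) ^ (d & e) ^ (f & g) ^ h) & MASK


# Hypothetical per-pass word order (each pass uses every X_i exactly once,
# since 5 is coprime to 32) and hypothetical step constants K_s.
ORDER = [[(5 * i + 7 * r) % MSG_WORDS for i in range(MSG_WORDS)]
         for r in range(PASSES)]
K = [(s * 0x9E3779B9) & MASK for s in range(STEPS)]


def encrypt(v, m):
    """E(V, M): the compression function with the feed-forward peeled off.
    The message block M is the key, the chaining value V the plaintext."""
    a, b, c, d, e, f, g, h = v
    for s in range(STEPS):
        x = m[ORDER[s // MSG_WORDS][s % MSG_WORDS]]
        t = (rotr(f_bool(b, c, d, e, f, g, h), 7) + rotr(a, 11) + x + K[s]) & MASK
        a, b, c, d, e, f, g, h = b, c, d, e, f, g, h, t   # shift in the new word
    return [a, b, c, d, e, f, g, h]


def decrypt(w, m):
    """E^{-1}(W, M): each step replaced only one register, so it is undone
    by solving the step equation for the register that was shifted out."""
    st = list(w)
    for s in reversed(range(STEPS)):
        x = m[ORDER[s // MSG_WORDS][s % MSG_WORDS]]
        b, c, d, e, f, g, h, t = st
        a = rotl((t - rotr(f_bool(b, c, d, e, f, g, h), 7) - x - K[s]) & MASK, 11)
        st = [a, b, c, d, e, f, g, h]
    return st


def compress(v, m):
    """Davies-Meyer: V_{j+1} = E(V_j, M_j) + V_j, word-wise modulo 2^32."""
    return [(y + x) & MASK for x, y in zip(v, encrypt(v, m))]


def hash_blocks(iv, blocks):
    """Iterate compress over the message blocks M_0 ... M_{n-1}."""
    v = list(iv)
    for m in blocks:
        v = compress(v, m)
    return v


def fixed_point(m):
    """Because E is invertible in encryption mode, h = E^{-1}(0, M) satisfies
    compress(h, M) == h: the feed-forward adds zero to every word."""
    return decrypt([0] * WORDS, m)


def differential_fraction(din, dout, trials, seed=1):
    """Estimate Pr[E(V xor din, M) xor E(V, M) == dout] over random (V, M).
    For a random permutation on 256 bits this is about 2^-256 for any
    non-zero (din, dout); a differential holding far more often is the
    kind of distinguisher the paper builds for HAVAL in encryption mode."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        v = [rng.getrandbits(32) for _ in range(WORDS)]
        m = [rng.getrandbits(32) for _ in range(MSG_WORDS)]
        out0 = encrypt(v, m)
        out1 = encrypt([p ^ q for p, q in zip(v, din)], m)
        if [p ^ q for p, q in zip(out0, out1)] == list(dout):
            hits += 1
    return hits / trials


if __name__ == "__main__":
    iv = [0x243F6A88 ^ i for i in range(WORDS)]                      # constructed IV
    blocks = [[(i * 0x12345678 + j) & MASK for i in range(MSG_WORDS)]  # constructed M_0, M_1
              for j in range(2)]
    print("hash:", ["%08x" % w for w in hash_blocks(iv, blocks)])
    h = fixed_point(blocks[0])
    print("fixed point holds:", compress(h, blocks[0]) == h)
    print("Pr[dout = 0 | din != 0] =", differential_fraction([1] + [0] * 7, [0] * 8, 50))
```

Two checks in the harness hold for any permutation and are useful sanity tests before measuring a real characteristic: a zero input difference always gives a zero output difference, and a non-zero input difference can never give a zero output difference under the same key, because `encrypt(·, m)` is a bijection. The fixed point is the flip side of the same invertibility: in hash mode the attacker cannot choose `V` freely, which is why the paper keeps the distinction between encryption-mode and hash-mode results.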

3.2 Known Attacks on the Reduced 2-Pass and the Full 3-PassHAVAL

In this section we review the previously known attacks that find collisions for the reduced 2-pass and the full 3-pass HAVAL and explain why the techniques used in these attacks are not applicable to the 4-pass HAVAL.

The main idea in all of the collision-finding attacks is that the attacker exploits the simplicity of the message schedule, which allows him to control the differences in the 8 registers. The attacker uses a pair of messages that differ in exactly one message word, by a difference of Hamming weight one. The difference in that message word is injected into the registers at exactly one step in each pass.

In the attacks on the reduced 2-pass HAVAL, which has two passes out of three, the difference injections explained above happen at two steps [10, 13]. In between the two steps the difference propagates through the registers. A differential propagation is found by an algebraic technique: building a system of equations and solving it. The difference becomes zero at the last step of the propagation, which means that a collision is found. When building the system, it is important to choose which message word carries the difference. A good choice allows the difference in the registers to propagate for only a small number of steps (e.g. 10), which keeps the number of equations in the system small.

In the attack on the full 3-pass HAVAL, the algebraic technique as above is alsoapplied [15]. The problem with this case is that the difference in the message wordis injected into registers at three steps, such as 28, 38, and 69. The attack solvesthis problem by combining the algebraic technique and differential cryptanalysis.From step 28 to 38 the algebraic technique is applied to find an inner almostcollision, which means a pair of values in registers which differs only in the smallnumber of bit positions and then from step 39 to 69 a differential cryptanalysis is tofind a differential propagation with a high probability, 2−29 such that the differenceis zero at the last step of the propagation. The attack indicates a weakness in thecompression function against differential cryptanalysis.

In the case of the full 4-pass HAVAL, we tried to apply the same strategy as for the full 3-pass, but it turned out to be difficult to find an inner almost-collision with the algebraic technique. This is because the message words are processed in a different order than in the 3-pass case, which makes the system of equations more difficult to solve. Even if an inner almost-collision were constructed, differential cryptanalysis would then have to find a differential propagation over many steps (typically 65) with three difference injections into the registers due to the message schedule, and it is very difficult for the attacker to control the differences with high probability in that setting. The reason is that the registers into which the message schedule injects the differences are not always the ones the attacker wants. We consider it easier to analyze the cipher in encryption mode, where the differences in the registers can be controlled directly, than in hash mode, where they can be controlled only through the message schedule. This observation leads us to enhance differential cryptanalysis, instead of applying the algebraic technique, to find a weakness in the cipher in encryption mode.

3.3 Differential Cryptanalysis of the 4-Pass HAVAL

The technique of differential cryptanalysis was first described in [1]. The aim of the approach is to find differential characteristics for the whole cipher. In [1], a differential characteristic is defined as follows:

Definition 1. Associated with any pair of encryptions are the difference of its two plaintexts, the difference of its ciphertexts, the differences of the inputs of each round in the two executions and the differences of the outputs of each round in the two executions. These differences form an n-round characteristic. A characteristic has a probability, which is the probability that a random pair with the chosen plaintext difference has the round and ciphertext differences specified in the characteristic.

In differential cryptanalysis, two difference operations are often used: ∆(X, X′) = X ⊕ X′ and ∆(X, X′) = X − X′. We will consider both cases in our cryptanalysis.

The strategy for performing the differential cryptanalysis can be divided into two parts. In the first part we divide the function into several consecutive sub-functions and try to find differential characteristics with high probability for these sub-functions. In our analysis, each sub-function consists of several steps within one pass, so all steps in a sub-function use the same non-linear Boolean function. In the second part the differential characteristics of the sub-functions are concatenated so that they cover the whole cipher. However, the second part is difficult when the characteristics obtained in the first part have complicated forms; this is the case for SHA-1, for instance. In this paper, we present a method that avoids this difficulty by merging the two parts into a single one.

The theoretical background of this method is the theory of Markov ciphers and their connection to differential cryptanalysis, introduced by Lai et al. in [11]. For an iterated cipher E with round function Y = T(X, Z), which takes the plaintext as input X and the subkey as input Z, we denote by $P(\Delta Y(i) = \beta \mid \Delta X = \alpha)$ the conditional probability that β is the difference ∆Y(i) of the ciphertext pair after i steps of S, given that α is the difference of the plaintext pair.

Recall that a sequence of discrete random variables $v_0, v_1, \ldots, v_r$ is a Markov chain if, for $0 \le i \le r$,

$$P(v_{i+1} = \beta_{i+1} \mid v_i = \beta_i, v_{i-1} = \beta_{i-1}, \ldots, v_0 = \beta_0) = P(v_{i+1} = \beta_{i+1} \mid v_i = \beta_i).$$

A Markov chain is called homogeneous if $P(v_{i+1} = \beta \mid v_i = \alpha)$ is independent of i for all α and β. A Markov cipher is defined as follows:

Definition 2. An iterated cipher with round function T is a Markov cipher if, for all choices of α and β,

$$P(\Delta Y = \beta \mid \Delta X = \alpha, X = \gamma)$$

is independent of γ when the subkey is uniformly random.

We now state the following theorem using our notation.

Theorem .1. If an r-step iterated cipher is a Markov cipher and the r step keys are independent and uniformly random, then the sequence of differences $\Delta X = \Delta Y(0), \ldots, \Delta Y(r) = \Delta Y$ is a homogeneous Markov chain.

In the case of HAVAL, we denote 8 consecutive steps³ of E by T. We assume that the cipher E, obtained by iterating T, is a Markov cipher. This allows us to search for differentials rather than characteristics. The goal of our attack is to find a high probability differential for the 4-pass and the 5-pass HAVAL.

³ A single step of HAVAL is clearly a bad candidate for T since only one 32-bit word changes per step and only one 32-bit word of key material is mixed in.

Our goal is to study differential properties of the 4-pass HAVAL. We consider low Hamming weight differentials and their propagation: we study the behavior of the 4-pass HAVAL compression function when we apply input differences of weight 1 and 2. At the output, we only observe output differences of weight 1 and 2. We then check whether these observations are in accordance with the randomness criteria we would expect from a cryptographic hash function.

Let A be the set of all bit strings of length 256:

$$A = \{0, 1\}^{256}.$$

Let B be the subset of A whose elements have Hamming weight equal to 1:

$$B = \{\Delta \in A \mid \mathrm{Ham}(\Delta) = 1\}.$$

Let C be the subset of A whose elements have Hamming weight equal to 2:

$$C = \{\Delta \in A \mid \mathrm{Ham}(\Delta) = 2\}.$$

Let D be the union of B and C:

$$D = B \cup C.$$

Let E be the set of integers greater than 0 and less than or equal to the size of D:

$$E = \left\{1, 2, \ldots, 2^8 + \frac{2^8 \cdot (2^8 - 1)}{2}\right\}.$$

Using the first 8 consecutive steps in the s-th pass, we build a matrix $M_s$. To do so, we first define a function g mapping D to E as follows. If ∆ ∈ B, let k be the position of the 1 in ∆. Otherwise, let h be the higher position of a 1 in ∆ and let l be the lower one. The function g is defined by

$$g(\Delta) = \begin{cases} k - 1 & \Delta \in B \\[4pt] h - l - 1 + \sum_{i=0}^{l-1} (256 - i) & \Delta \in C. \end{cases}$$

It is easy to see that g is bijective. The purpose of g is to establish an ordering of the elements of D.

Now let us denote by $T_s$ the function consisting of the first 8 consecutive steps in the s-th pass. To construct the matrix $M_s$, we randomly choose a (sufficiently large) subset R of A, whose cardinality we denote by #R = r. For i and j in E, we define each entry $a^{(s)}_{ij}$ of the matrix $M_s$ as follows:

$$a^{(s)}_{ij} = \frac{\#\{p \in R \mid g^{-1}(j) = \Delta(T_s(p),\, T_s(\Delta(p, g^{-1}(i))))\}}{r}.$$

Page 95: COSIC · Design and Analysis of Cryptographic Hash Functions Özgül KÜÇÜK Jury: Dissertation presented in partial Prof. dr. Adhemar Bultheel, chairman fulfillment of the requirements

DIFFERENTIAL CRYPTANALYSIS OF THE 4-PASS HAVAL IN ENCRYPTION MODE 69

The entry $a^{(s)}_{ij}$ estimates the probability of the differential with input difference $g^{-1}(i)$ and output difference $g^{-1}(j)$. We assume that one pass of HAVAL behaves as a 4-round Markov cipher with $T_s$ as the round transformation⁴. Thus the matrix $M_s$ is the transition matrix of the corresponding Markov chain. Raising this matrix to the fourth power, $M_s^4$, gives the probabilities of 32-step differentials for the s-th pass. Computing the composition $\mu = \mu_4^4 \circ \mu_3^4 \circ \mu_2^4 \circ \mu_1^4$, where the function $\mu_s$ is defined by the matrix multiplication $\mu_s(X) = X \cdot M_s$, reveals the differential structure of the 4-pass HAVAL: for example, we can see high probability differentials for the whole cipher. What is of most interest now is the highest value in the matrix $M = \mu(I)$. This highest value corresponds to a particular low-weight differential with high probability.
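The ordering function g and the sampled estimate of $M_s$ can be exercised directly. The following Python is an added example, not the thesis's own code: it implements g for an arbitrary word width n (the thesis fixes n = 256), builds the table for $g^{-1}$ to verify that g is a bijection (indices are taken to start at 0, matching the value k − 1 of the formula, which is an assumption about the intended range), and estimates a sparse transition matrix from a random sample R with the XOR difference. The function toy_T is a constructed 16-bit stand-in for $T_s$ so that the estimation runs in seconds; it is not HAVAL and its transition probabilities say nothing about HAVAL.

```python
"""Ordering function g on the low-weight differences D = B ∪ C and a sampled
estimate of the 8-step transition matrix M_s.  Added example, not the thesis
code.  toy_T is a CONSTRUCTED 16-bit stand-in for T_s (it is not HAVAL)."""
import random
from itertools import combinations


def weight(x):
    """Hamming weight Ham(x)."""
    return bin(x).count("1")


def low_weight_differences(n=256):
    """The set D: all n-bit values of Hamming weight 1 (B) or 2 (C)."""
    singles = [1 << i for i in range(n)]
    pairs = [(1 << a) | (1 << b) for a, b in combinations(range(n), 2)]
    return singles + pairs


def g(delta, n=256):
    """Index of a weight-1 or weight-2 difference, following the thesis formula
    with bit positions numbered 1..n from the least significant bit:
        g(Δ) = k - 1                                 for Δ ∈ B
        g(Δ) = h - l - 1 + sum_{i=0}^{l-1} (n - i)   for Δ ∈ C
    The sum is evaluated in closed form as n*l - l*(l-1)/2.  Indices start at 0
    (assumption: the range is taken to be 0 .. |D|-1 so that k-1 fits)."""
    if delta == 0:
        raise ValueError("difference must have Hamming weight 1 or 2")
    lowest = delta & -delta                 # isolate the lowest set bit
    l = lowest.bit_length()                 # its 1-based position
    rest = delta ^ lowest
    if rest == 0:                           # Δ ∈ B: single bit at position k = l
        return l - 1
    if rest & (rest - 1):                   # more than two bits set
        raise ValueError("difference must have Hamming weight 1 or 2")
    h = rest.bit_length()                   # the higher position
    return h - l - 1 + n * l - l * (l - 1) // 2


def inverse_table(n=256):
    """Table for g^{-1}: slot idx holds the unique Δ ∈ D with g(Δ) == idx.
    Raises if g is not injective or leaves the range 0 .. |D|-1."""
    D = low_weight_differences(n)
    table = [None] * len(D)
    for d in D:
        idx = g(d, n)
        if not 0 <= idx < len(D) or table[idx] is not None:
            raise ValueError("g is not a bijection onto 0 .. |D|-1")
        table[idx] = d
    return table


def check_bijective(n=256):
    """True iff g maps D one-to-one onto {0, ..., |D|-1}."""
    try:
        return all(d is not None for d in inverse_table(n))
    except ValueError:
        return False


WIDTH = 16            # constructed toy width; the thesis works on 256-bit states
MASK = (1 << WIDTH) - 1


def toy_T(x, key=0x5A3C):
    """CONSTRUCTED stand-in for T_s: one rotation, one shift-XOR and one modular
    addition on a WIDTH-bit word.  Deliberately weakly diffusing so that
    low-weight output differences are common; it is NOT HAVAL."""
    x = ((x << 3) | (x >> (WIDTH - 3))) & MASK    # rotate left by 3
    x ^= x >> 5                                   # linear mixing
    return (x + key) & MASK                       # the only non-linear operation


def estimate_transition_matrix(T, n, r, seed=1):
    """a^{(s)}_{ij} = #{p ∈ R | g^{-1}(j) = T(p) ⊕ T(p ⊕ g^{-1}(i))} / r for every
    input difference in D, keeping only output differences that lie in D.
    Returns the sparse matrix as {(i, j): probability}; each row sums to at
    most 1 because outputs of weight > 2 are discarded."""
    rng = random.Random(seed)
    R = [rng.getrandbits(n) for _ in range(r)]
    images = [T(p) for p in R]                    # T(p) is shared by all rows
    counts = {}
    for delta_in in low_weight_differences(n):
        i = g(delta_in, n)
        for p, tp in zip(R, images):
            delta_out = tp ^ T(p ^ delta_in)      # XOR difference Δ(X, X') = X ⊕ X'
            if 0 < weight(delta_out) <= 2:
                j = g(delta_out, n)
                counts[(i, j)] = counts.get((i, j), 0) + 1
    return {ij: c / r for ij, c in counts.items()}


if __name__ == "__main__":
    print("g bijective for n=256:", check_bijective(256),
          "|D| =", len(low_weight_differences()))
    M = estimate_transition_matrix(toy_T, WIDTH, 1 << 10)
    best = max(M.items(), key=lambda kv: kv[1])
    print("nonzero entries:", len(M), "best one-step transition:", best)
```

For the toy function the input difference at bit 1 (index 0) is rotated to bit 4 and then passes the addition unchanged exactly when the incoming carry equals the key bit, so the entry (0, 3) sits near 1/2; the rows of the estimated matrix sum to less than 1, which is the discarding of heavier output differences that the thesis relies on for sparsity.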

The approach described here has several complications with respect to a memory-efficient and fast implementation, which we now explain in more detail.

3.4 Implementing the Matrices Ms and Their Multiplication

We had to resolve some implementation issues for the N × N matrix $M_s$. The value of N is quite large:

$$N = 2^8 + \frac{2^8 \cdot (2^8 - 1)}{2} \approx 2^{15}.$$

If we implement the matrix $M_s$ as such, the required memory size is $8 \cdot 2^{30} \approx 8$ GB when using 64-bit variables to represent each element of $M_s$. This is quite large and not efficient at all. Simulations show that the matrix $M_s$ is very sparse: because of the diffusion of $T_s$, the Hamming weight of the output differences is very likely to be more than 2, and thus most output differences will be discarded in our approach. Those that do have a Hamming weight of at most 2 occur only in a limited number of places in the matrix. This helps us towards an efficient implementation. The number of nonzero entries in a row of the matrix is typically 100, but we make this number a parameter, d, which is useful as will be shown. For each row, we now only store the nonzero entries, together with the column in which each nonzero entry occurs. Furthermore, we also store the row index itself with each entry. This is useful to reduce the time complexity, as will be explained later. Every nonzero $a^{(s)}_{ij}$ in $M_s$ is stored as a triplet $(i, j, a^{(s)}_{ij})$ in the implementation. In that case, the memory complexity is only $2^{15} \cdot d \cdot (2 + 2 + 8) \approx 5$ MB when using 16-bit variables to represent the row i and the column j.

In order to implement the multiplication of two matrices $M_s$, we have to implement one matrix $M_s$ as a list of rows and the other as a list of columns. The representation of M as a list of columns can easily be obtained from the representation as a list of rows by a straightforward and efficient transposition algorithm. In addition to the memory for the two lists, memory for the product matrix is allocated. However, there is a problem with the memory for the product matrix after one multiplication. A theoretical estimate shows that about 26% of the entries in the product matrix will be nonzero, which was confirmed by our experiments. This means that the product matrix is not sparse any more. This motivates the following idea of pruning the matrix. After each generation or multiplication of the matrix $M_s$, we only keep the high-value entries, cutting away the entries below a fixed low value q. To obtain a high probability for the whole cipher, it is sufficient to obtain high probabilities after every 8 steps; this also motivates the idea of pruning. We now keep the matrix sparse at all steps. Taking into account that the multiplications can be done on the fly, the memory complexity of computing the matrix M for the whole cipher is 15 MB.

⁴ Our experiments indicate that this assumption is reasonable. The ten best differentials for 16 steps produced by experiment and the ten best differentials computed via $M_s^2$ were at most a factor 1.28 apart. Also some variation across the different keys has been observed.

The time complexity of generating the matrix $M_s$ can be shown to be $r \cdot 2^{16}$ computations of $T_s$. When we take r equal to $2^{20}$ (which seems to be enough to obtain a matrix with sufficient statistical significance), this results in a time complexity of $2^{36}$ computations of $T_s$. As for the multiplication of the matrices, we can find a fast implementation. As mentioned above, the matrix $M_s$ is implemented as a two-dimensional array where each element is a triplet $(i, j, a^{(s)}_{ij})$. If the matrix is sorted by the first element and then by the second element of the triplets, it can be implemented as a one-dimensional array. Now all we have to do is multiply two sorted one-dimensional arrays. In this case, the multiplication of the matrices has a time complexity of $N \cdot d = 2^{15} \cdot 100 \approx 2^{21.6}$ computations, each of which is a few multiplications and additions of two 64-bit variables. Note that this significantly reduces the number of entry computations during the multiplication of the matrices and hence is much faster than the straightforward implementation, which has time complexity $N^2 \cdot d^2 \approx 2^{43.3}$. Computing the matrix M for the whole cipher requires generating the matrix $M_s$ 5 times and multiplying matrices 15 times. Taking into account their time complexities and what is done during one computation in each case, the total time complexity is dominated by the former, which is $2^{38}$ computations of T.
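To make the storage and pruning scheme concrete, here is an added Python example (not the thesis implementation). It keeps a matrix as entries sorted by (i, j), multiplies two sparse matrices by accumulating over their nonzero entries only, drops every product entry below the cut-away value q, raises each pass matrix to the fourth power and composes the passes as $M = M_1^4 \cdot M_2^4 \cdots$ (the row-vector convention $\mu_s(X) = X \cdot M_s$ of Section 3.3), and reads off the highest entry. Next to each probability it also carries the number of trails that were summed into it, which is the multi-path count discussed in Section 4. The two 3 × 3 pass matrices in main() are constructed toy data, not HAVAL transition probabilities.

```python
"""Sparse transition matrices as sorted (i, j, a_ij) triplets: product of two
sparse matrices with pruning below q, the fourth power M_s^4, the composition
over passes and the best differential.  Added example, not the thesis
implementation; the pass matrices in main() are CONSTRUCTED toy data."""


def from_triplets(triplets):
    """Build the row representation {i: [(j, a, paths), ...]} from (i, j, a)
    triplets.  Entries are kept sorted by (i, j), the one-dimensional layout
    described in the text; 'paths' counts the trails summed into a (1 for
    freshly estimated data)."""
    rows = {}
    for i, j, a in sorted(triplets):
        rows.setdefault(i, []).append((j, float(a), 1))
    return rows


def to_entries(rows):
    """Flatten back to the sorted array of (i, j, a, paths)."""
    return [(i, j, a, p) for i in sorted(rows) for j, a, p in rows[i]]


def multiply(rows_a, rows_b, q=0.0):
    """Product A·B touching only nonzero entries: for every nonzero A[i][k] the
    nonzero row k of B is scanned, so the cost grows with the number of
    nonzero entries rather than with N^2.  Every product entry below the
    cut-away value q is discarded; that is what keeps the matrix sparse."""
    product = {}
    for i, row in rows_a.items():
        acc = {}                                   # j -> (probability, paths)
        for k, a, pa in row:
            for j, b, pb in rows_b.get(k, ()):
                prob, paths = acc.get(j, (0.0, 0))
                acc[j] = (prob + a * b, paths + pa * pb)   # sum over trails i->k->j
        kept = sorted((j, s, p) for j, (s, p) in acc.items() if s >= q)
        if kept:
            product[i] = kept
    return product


def matrix_power(rows, e, q=0.0):
    """M^e by repeated multiplication, pruning after every step."""
    result = rows
    for _ in range(e - 1):
        result = multiply(result, rows, q)
    return result


def compose_passes(pass_matrices, rounds_per_pass=4, q=0.0):
    """M = M_1^4 · M_2^4 · ... · M_k^4, i.e. μ(I) for μ = μ_k^4 ∘ ... ∘ μ_1^4 with
    the row-vector convention μ_s(X) = X · M_s.  Intermediate products are
    pruned with q so the full-cipher matrix never becomes dense."""
    M = None
    for rows in pass_matrices:
        p = matrix_power(rows, rounds_per_pass, q)
        M = p if M is None else multiply(M, p, q)
    return M


def best_differential(rows):
    """The highest entry of M as (probability, i, j, paths): the most likely
    low-weight differential for the whole cipher and how many trails it sums."""
    return max((a, i, j, p) for i, row in rows.items() for j, a, p in row)


if __name__ == "__main__":
    # CONSTRUCTED 3x3 toy pass matrices (indices 0..2 stand for low-weight
    # differences); not HAVAL transition probabilities.
    pass1 = from_triplets([(0, 1, 0.5), (1, 0, 0.5), (2, 2, 0.25)])
    pass2 = from_triplets([(0, 2, 0.5), (2, 0, 0.5), (1, 1, 0.75)])
    for q in (0.0, 2 ** -10):
        M = compose_passes([pass1, pass2], q=q)
        print(f"q={q}: entries={to_entries(M)} best={best_differential(M)}")
```

With q = 0 the composed toy matrix keeps the entry (2, 2) at $2^{-12}$; with q = $2^{-10}$ that entry is cut away at the last multiplication while the best differential is unchanged, which is the trade-off the pruning makes. A two-state matrix whose square merges two trails into each entry shows the path counter at work.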

4 Experimental Results

We report some experimental results obtained with the techniques described above. In our experiments we used the reference implementation of HAVAL available at [9], and the cut-away value q of Section 3.4 is set to $2^{-12}$. Since different passes use different non-linear functions, it is interesting to see the differential structure of each of the 4 passes. Therefore we search for the best probability over 8 and 32 steps in the s-th pass.

Before doing that, we need some preparation. We focus on the observation of 8 steps to see whether the experimental results are stable. This is very important: if the results were not yet stable, the error would be amplified by the multiplication of matrices. Our simulations convincingly showed that increasing the number of plaintexts r to $2^{20}$ is sufficient to obtain precise experimental results.

Table 1 – The best probability for 8 steps in the case of ∆(X, X′) = X ⊕ X′.

        r = 2^{16}       r = 2^{20}       r = 2^{24}
s = 1   2^{-5.916521}    2^{-5.992885}    2^{-5.996883}
s = 2   2^{-6.947432}    2^{-7.023257}    2^{-7.009951}
s = 3   2^{-6.969333}    2^{-6.996482}    2^{-6.992622}
s = 4   2^{-6.594859}    2^{-6.660011}    2^{-6.677051}

Table 2 – The best probability for 8 and 32 steps in the case of ∆(X, X′) = X ⊕ X′.

        8 steps          32 steps
s = 1   2^{-5.992885}    2^{-26.670829}
s = 2   2^{-7.023257}    2^{-30.992364}
s = 3   2^{-6.996482}    2^{-30.908851}
s = 4   2^{-6.660011}    2^{-29.360996}

Table 1 presents typical experimental results that we observed for the 4-pass HAVAL. It shows the measured probability for 8 steps in each of the 4 passes, for increasing sample sizes r. As difference function we used ∆(X, X′) = X ⊕ X′. Note that in this experiment we restrict the input difference to $\Delta_{in} \in B$, to make it feasible in terms of time complexity to obtain the result for r equal to $2^{24}$. In all the following experiments, however, we use the entire set D.

Table 2 shows the best probability of a differential characteristic for all 4 passes (s = 1, 2, 3, 4), both for 8 steps and for 32 steps. In these experiments we used $2^{20}$ as the value of r, and again the difference function ∆(X, X′) = X ⊕ X′.

For both the 4-pass and the 5-pass HAVAL, we can now calculate the best probability among all the differentials we consider by computing the matrix M of Section 4, whose highest entry is the best probability. We learn from Section 4 that computing the matrix M is practical, because the time complexity is $2^{38}$ computations of 8 steps and the memory complexity is 15 MB.

The result is that the best probability is $2^{-125}$ for the 4-pass HAVAL and $2^{-168}$ for the 5-pass HAVAL. Each of these two probabilities is much greater than the probability $2^{-256}$ that we would expect from a truly random hash function. This means that both the 4-pass and the 5-pass HAVAL have a significant weakness of randomness.

Table 3 – The best probabilities over different keys.

Key   1st pass        2nd pass        3rd pass        4th pass
K1    2^{-5.992885}   2^{-7.012381}   2^{-6.972267}   2^{-6.647129}
K2    2^{-5.979194}   2^{-6.977285}   2^{-6.997537}   2^{-6.651963}
K3    2^{-5.974168}   2^{-6.980409}   2^{-7.007947}   2^{-6.668383}
K4    2^{-5.984237}   2^{-6.979541}   2^{-7.005823}   2^{-6.676664}
K5    2^{-5.990521}   2^{-6.983540}   2^{-6.972958}   2^{-6.682163}

Taking into account that each of our results has been obtained with a fixed, randomly chosen key, there could be an occupancy problem if our results are affected by the choice of the key. There are two points to be stressed:

For the full 4- and 5-pass HAVAL we fix both the input and the output differences. Thus occupancy is not a problem there. On the other hand, we gather the probabilities for the matrix M by experiment, so we could potentially experience an occupancy problem, which would result in slightly higher, key-dependent probabilities.

We carried out some experiments on the 8 steps of each pass which show that the probabilities collected for the matrix M are not key-dependent and hold on average. We encrypted $2^{20}$ plaintext pairs to check that the results of Table 2 for 8 steps remain the same for 5 different keys $K_1, K_2, \ldots, K_5$. Table 3 shows the best probabilities over these different keys. It shows that the results of Table 2 for 8 steps remain the same for these keys, which means the best probabilities are not affected by the choice of the key.

Next we consider not only the probabilities but also their pairs of input difference and output difference, to see whether the differential structure of 8 steps is affected by the choice of the key. In the case of the 2nd pass, the best probabilities in Table 3 are achieved at exactly the same pair of input and output difference for all keys. In the case of the other passes, the best probabilities in Table 3 are achieved at several different pairs of input and output differences. Therefore we present, for each pass, the probabilities over the different keys at the same pair of input and output difference in Table 4, in which each entry whose probability is not the best is marked with #. Fortunately, the probabilities for each pass are very close, which means that the differential structure of 8 steps is not affected by the choice of the key.

These discussions show that our results hold on average for any key and are not affected by the occupancy problem.

Table 4 – The high probabilities at the same pair of input difference and output difference for each pass.

Key   1st pass         2nd pass        3rd pass         4th pass
K1    2^{-5.992885}    2^{-7.012381}   2^{-6.972267}    2^{-6.647129}
K2    #2^{-5.997537}   2^{-6.977285}   #2^{-7.010606}   2^{-6.651963}
K3    2^{-5.974168}    2^{-6.980409}   #2^{-7.009896}   #2^{-6.687684}
K4    #2^{-5.988511}   2^{-6.979541}   2^{-7.005823}    #2^{-6.686834}
K5    #2^{-6.000352}   2^{-6.983540}   #2^{-7.015938}   #2^{-6.684284}

Our method accounts for multi-paths. This means that various trails exist that go from one input difference to one output difference. An interesting question is therefore how many multi-paths are included in the best probability. We carried out some experiments with $2^{20}$ plaintexts and found an answer to this question. The best probability, $2^{-124.6}$, with which the input difference $e_{160}$ goes to the output difference $e_{176}$, includes 12 multi-paths. On the other hand, the probability $2^{-125.9}$ with which the input difference $e_{139}$ goes to the output difference $e_{155}$ includes the maximum number of multi-paths observed, 42. For both probabilities above, the input and output differences have Hamming weight 1.

Another point we need to check is which difference notion is most effective in our attack: ∆(X, X′) = X − X′ or ∆(X, X′) = X ⊕ X′. In Table 5, we present the results for the difference operation ∆(X, X′) = X − X′, where the number of samples r equals $2^{16}$. The table shows the best probability over 8 and 32 steps in the s-th pass for the 4-pass HAVAL. By comparing this table with Table 2, we can see that the difference operation ∆(X, X′) = X ⊕ X′ is more effective. One possible reason is that, due to the non-linear function, each step of the 4-pass HAVAL uses the XOR operation 4 to 8 times while it uses arithmetic additions only 3 times. This makes the step function XOR-friendly, which means that differences can go through paths paying relatively small probabilities when the operation ∆(X, X′) = X ⊕ X′ is used.

Note that these results cannot be used immediately to distinguish outputs of the 4-pass or the 5-pass HAVAL in hash mode from truly random outputs, though they show a surprising property.

We now explain in detail what we have done and what remains for future research. We limited ourselves to searching all the paths where the differences have a Hamming weight less than 3, not only at the input and output but also after every 8 steps, which is a strong condition on the paths. It is surprising to find a path with a very good probability under this restriction. This means that the probability we found is a lower bound for the best differential. It would be interesting to see how high the best probability becomes when the condition is relaxed. In order to do this, a more efficient algorithm has to be found.

We describe what would be necessary for a hash function to be secure against our attack. One of the necessary conditions for applying our attack is that the weight of a low-weight difference is likely to remain low after 8 steps. This is the case for the 4-pass and the 5-pass HAVAL. For a hash function with good diffusion, this is not the case even after a small number of consecutive steps. Our attack is not applicable to such a function.

Table 5 – The best probability for 8 and 32 steps in the case of ∆(X, X′) = X − X′.

        8 steps          32 steps
s = 1   2^{-6.860449}    2^{-27.638838}
s = 2   2^{-7.426353}    2^{-34.011164}
s = 3   2^{-7.642448}    2^{-34.337646}
s = 4   2^{-7.536476}    2^{-30.437003}

5 Conclusions

We have analyzed the compression functions of the 4-pass and the 5-pass HAVAL. Surprisingly, our result shows that the use of highly non-linear functions, which is the main focus of the design of HAVAL, does not result in a hash function that is significantly strong against differential cryptanalysis. With our approach, we identified differentials with probabilities $> 2^{-125}$ for the 4-pass HAVAL and $> 2^{-168}$ for the 5-pass HAVAL, which is much higher than the probability $2^{-256}$ we would expect from a random function.

It is difficult to see if and how the weakness of randomness in the compression function can be exploited to find collisions for the HAVAL hash function. This remains an open problem. The strategy of our attack is quite general, so that the compression functions of other hash functions can be analyzed with the approach described in this paper.

Acknowledgements

The authors wish to thank Bart Van Rompay, Antoon Bosselaers, Soichi Furuya, Souradyuti Paul, and several anonymous reviewers for helpful comments and useful discussions.

References

[1] E. Biham, A. Shamir, Differential Cryptanalysis of the Data Encryption Standard, Springer-Verlag, 1993.

[2] A. Biryukov, D. Wagner, Advanced slide attacks, Eurocrypt 2000, LNCS 1807, B. Preneel, Ed., Springer-Verlag, pp. 589–606, 2000.

[3] B. den Boer, A. Bosselaers, Collisions for the compression function of MD5, Eurocrypt 1993, LNCS 765, T. Helleseth, Ed., Springer-Verlag, pp. 293–304, 1993.

[4] I. Damgård, A design principle for hash functions, Crypto 1989, LNCS 435, G. Brassard, Ed., Springer-Verlag, pp. 416–427, 1990.

[5] H. Dobbertin, The status of MD5 after a recent attack, Cryptobytes, Vol. 2, No. 2, pp. 1–6, Summer 1996.

[6] H. Gilbert, H. Handschuh, Security Analysis of SHA-256 and Sisters, SAC 2003, LNCS 3006, M. Matsui, R. Zuccherato, Eds., Springer-Verlag, pp. 175–193, 2004.

[7] H. Handschuh, D. Naccache, SHACAL, Submission to the NESSIE project, 2000. Available from http://www.gemplus.com/smart/r_d/publications/pdf/HN00shac.pdf.

[8] Y.-S. Her, K. Sakurai, S.-H. Kim, Attacks for finding collision in reduced versions of 3-pass and 4-pass HAVAL, International Conference on Computers, Communications and Systems, CE-15, pp. 75–78, 2003.

[9] Calyptix Security, HAVAL source code (reference implementation), available at http://www.calyptix.com/downloads.html.

[10] P. Kasselman, W. Penzhorn, Cryptanalysis of reduced version of HAVAL, Electronics Letters, Vol. 36, No. 1, pp. 30–31, January 2000.

[11] X. Lai, J. Massey, Markov Ciphers and Differential Cryptanalysis, Eurocrypt 1991, LNCS 547, D. Davies, Ed., Springer-Verlag, pp. 17–38, 1991.

[12] A. Menezes, P. van Oorschot and S. Vanstone, Handbook of Applied Cryptography, CRC Press, 1997.

[13] S. Park, S. H. Sung, S. Chee, J. Lim, On the security of reduced versions of 3-pass HAVAL, ACISP 2002, LNCS 2384, J. Seberry, L. Batten, Eds., pp. 406–419, 2002.

[14] R. Rivest, The MD5 message-digest algorithm, Request for Comments (RFC) 1321, Internet Activities Board, Internet Privacy Task Force, April 1992.

[15] B. van Rompay, A. Biryukov, B. Preneel, J. Vandewalle, Cryptanalysis of 3-Pass HAVAL, Asiacrypt 2003, LNCS 2894, C. Laih, Ed., Springer-Verlag, pp. 228–245, 2003.

[16] National Institute of Standards and Technology, FIPS-180-2: Secure Hash Standard (SHS), August 2002.

[17] M. Saarinen, Cryptanalysis of Block Ciphers Based on SHA-1 and MD5, FSE 2003, LNCS 2887, T. Johansson, Ed., Springer-Verlag, pp. 36–44, 2003.

[18] Y. Zheng, J. Pieprzyk, J. Seberry, HAVAL – a one-way hashing algorithm with variable length of output, Auscrypt 1992, LNCS 718, J. Seberry, Y. Zheng, Eds., Springer-Verlag, pp. 83–104, 1992.

[Figure 1 – One step of the compression function of HAVAL. Recovered from the figure: the input registers A, B, C, D, E, F, G, H; the non-linear function $f_r$ with seven register inputs; rotations ≫ 7 and ≫ 11; the message word $X_i$ and the constant $K_i$; the output register order B, C, D, E, F, G, H, A.]


Publication

Analysis of a SHA-256 Variant

Publication Data

H. Yoshida, A. Biryukov, “Analysis of a SHA-256 Variant,” Selected Areas in Cryptography, SAC 2005, LNCS, vol. 3897, Springer, pp. 245–260, 2005.

Contributions

• Principal author. We devised a pseudo-collision attack on a simplified variant of the SHA-256 hash function, up to 34 out of 64 rounds. The attack strategy of searching for iterative characteristics was suggested by Alex Biryukov.


Analysis of a SHA-256 Variant ∗

Hirotaka Yoshida¹ and Alex Biryukov²

¹ Systems Development Laboratory, Hitachi, Ltd., 1099 Ohzenji, Asao-ku, Kawasaki-shi, Kanagawa-ken, 215-0013 Japan

² Katholieke Universiteit Leuven, Dept. ESAT/SCD-COSIC, Kasteelpark Arenberg 10, B-3001 Leuven-Heverlee, Belgium

Abstract. SHA-256 is a cryptographic hash function which was proposed in 2000 as a new generation of SHA functions and was adopted as a FIPS standard in 2002. In this paper we consider a SHA-256 variant and a SHACAL-2 variant in which every arithmetic addition is replaced by an XOR operation. We call the SHA-256 variant SHA-2-XOR and the SHACAL-2 variant SHACAL-2-XOR, respectively. We present a differential attack on these constructions using one-round iterative differential characteristics with probability $2^{-8}$ that we identified. Our result shows that SHACAL-2-XOR with up to 31 rounds out of 64 has a weakness of randomness and that SHA-2-XOR with up to 34 rounds has a weakness of pseudo-collision resistance. Using the 31-round distinguisher, we present an attack on SHACAL-2-XOR with up to 32 rounds. We also show that no 2-round iterative patterns with probability higher than $2^{-16}$ exist.

Keywords: SHA-256, SHA-2-XOR, SHACAL-2-XOR, Differential cryptanalysis, Pseudo-collision resistance, Iterative patterns.

1 Introduction

A cryptographic hash function is an algorithm that takes input strings of arbitrary (typically very large) length and maps them to short fixed-length output strings. Progress in the cryptanalysis of cryptographic hash functions was quite slow until very recently, when the cryptographic community was surprised by the progress in the cryptanalysis of hash functions, such as an attack on MD5 [23] for finding collisions, an attack with a new strategy on SHA-0 [2, 3], and an attack for finding multi-collisions. However, these techniques are not applicable to SHA-256 due to its more complex message schedule and round function.

∗ This work was supported in part by the Concerted Research Action (GOA) Ambiorics 2005/11 of the Flemish Government.


SHA-256 is a cryptographic hash function which was proposed in 2000 as a new generation of SHA functions and was adopted as a FIPS standard in 2002 [18]. SHA-256 is built from the MD (Merkle-Damgård) construction and the Davies-Meyer mode. The compression function of SHA-256 has 64 rounds, two kinds of non-linear functions, cyclic rotations, and round-dependent constants. The hash value computed by SHA-256 is 256 bits long.

The function obtained from the compression function of SHA-256 by removing the feed-forward operation of the Davies-Meyer mode is invertible. It was proposed for use as a block cipher by Handschuh and Naccache and named SHACAL-2 [12]. The block cipher was selected as one of the NESSIE finalists. In the cryptanalysis of SHACAL-2, there have been several attacks on reduced versions [14, 22], but with time complexities around $2^{500}$ for 32 or fewer rounds.

Although several works have discussed the security of SHA-256 [11] and reported interesting differential properties of several consecutive round functions [13], no weakness has been demonstrated for SHA-256 or any SHA-256 variant so far. In this paper we consider a SHA-256 variant and a SHACAL-2 variant in both of which the ADD operations are replaced by XOR operations. We call the SHA-256 variant SHA-2-XOR and the SHACAL-2 variant SHACAL-2-XOR, respectively. We present a differential attack [5] on these ciphers by identifying iterative differential characteristics. We show how to distinguish SHACAL-2-XOR from a random permutation. Our result shows that SHACAL-2-XOR with up to 31 rounds has a weakness of randomness and that SHA-2-XOR with up to 34 rounds has a weakness of pseudo-collision resistance. In addition, it shows that SHA-2-XOR with up to 31 rounds has a weakness with respect to a certain notion of collision resistance that we will define.

Hereafter we introduce three kinds of resistance of hash functions to motivate our approach in the cryptanalysis of SHA-256: near-collision resistance, pseudo-collision resistance, and randomness.

The importance of the first two requirements is related to collision resistance. Near-collision resistance is resistance against attacks finding a pair of hash values which differ in only a small number of bit positions. Near-collisions of the SHA-0 hash function have been found [2], which is an undesirable property for a hash function. In fact, a strategy to convert near-collisions into full collisions has been presented [1]. Therefore near-collision resistance is crucial for collision resistance. Pseudo-collision resistance is resistance against finding a collision under the more relaxed condition that different initial vectors can be chosen. Pseudo-collision resistance has a particular importance for a hash function built from the MD-construction, because in this case pseudo-collision resistance for the hash function translates into collision resistance for its compression function. The theory of the MD-construction, on which the security of many popular hash functions relies, does not guarantee collision resistance for a hash function without pseudo-collision resistance for its compression function [10]. Recently, a situation where pseudo-collisions could become practical has been considered [16].



Pseudo-randomness of a function is its indistinguishability from a random function. This property has a particular importance in some existing applications where one of the requirements for the hash function is randomness. Recently, the strongest version of the HAVAL hash function (in encryption mode) was shown to be non-random [24].

Although in the past these three types of resistance have received less attention than collision resistance, we expect that this situation will change in the near future.

The outline of this paper is as follows. In Section 2, we give a brief description of the SHA-2 algorithm published in [18]. In Section 3 we study the known results on the cryptanalysis of the SHA-256 algorithm and the SHACAL-2 algorithm. In Section 4, we present our differential attack on SHA-2-XOR and SHACAL-2-XOR, identifying iterative characteristics. Our conclusions are given in Section 5.

2 Description of the SHA-256 Hash Function and the SHACAL-2 Block Cipher

In this section, we give a brief description of the SHA-256 hash function and the SHACAL-2 block cipher, which is sufficient to understand the concepts introduced in this paper. For a full description of SHA-256 we refer to [18].

SHA-256 is a hash function that is based on the well-known Davies-Meyer construction of hash functions ([17], p. 341). The variable-length message M is divided into 512-bit blocks M_0, M_1, ..., M_{n-1}. The 256-bit hash value V_n is then computed as follows:

V_0 = IV;   V_{s+1} = compress(V_s, M_s) = E_{M_s}(V_s) + V_s   for 0 ≤ s < n,

where compress is the compression function, IV is a fixed initial value and E_K(X) is the block cipher SHACAL-2. The function E_K(X) is an iterated design that only uses simple operations on 32-bit words. The 256-bit input V_s is loaded into 8 registers (A, B, C, D, E, F, G, H), and the 512-bit message block is divided into 16 words of 32 bits (W_0, ..., W_15), which are expanded to a sequence of 64 words through the message schedule:

σ_0(X) = ROTR^7(X) ⊕ ROTR^18(X) ⊕ SHR^3(X);
σ_1(X) = ROTR^17(X) ⊕ ROTR^19(X) ⊕ SHR^10(X);
W_t = σ_1(W_{t-2}) + W_{t-7} + σ_0(W_{t-15}) + W_{t-16}   for 16 ≤ t < 64,

where ROTR^n is right rotation by n bits and SHR^n is right shift by n bits. SHACAL-2 encrypts the initial value using this sequence as a key.

The 8 registers are updated through a number of rounds. One round of the compression function is depicted in Fig. 1. The SHA-256 compression function consists of 64 rounds. Every round function uses arithmetic addition, a round-dependent constant K_t, two linear functions Σ_0, Σ_1, and two non-linear functions CH, MJ:

CH(X, Y, Z) = (X ∧ Y) ⊕ (¬X ∧ Z);
MJ(X, Y, Z) = (X ∧ Y) ⊕ (Y ∧ Z) ⊕ (Z ∧ X);
Σ_0(X) = ROTR^2(X) ⊕ ROTR^13(X) ⊕ ROTR^22(X);
Σ_1(X) = ROTR^6(X) ⊕ ROTR^11(X) ⊕ ROTR^25(X),

where ¬X is the bitwise complement of X. The t-th round of the compression function updates the 8 registers using the word W_t and the constant K_t as input, according to the following algorithm:

T1_t(E_t, F_t, G_t, H_t, K_t, W_t) = H_t + Σ_1(E_t) + CH(E_t, F_t, G_t) + K_t + W_t;
T2_t(A_t, B_t, C_t) = Σ_0(A_t) + MJ(A_t, B_t, C_t);
H_{t+1} = G_t;  G_{t+1} = F_t;  F_{t+1} = E_t;  E_{t+1} = D_t + T1_t;
D_{t+1} = C_t;  C_{t+1} = B_t;  B_{t+1} = A_t;  A_{t+1} = T1_t + T2_t.

2.1 Our Variant of SHA-256

In our analysis, we simplify SHA-256 and SHACAL-2 by replacing all the arithmetic additions with XOR operations. This analysis tells us how much the carry propagation caused by arithmetic addition affects the security of the cipher. It is also interesting for designers to investigate the security of an addition-free hash function, because such a hash function has an advantage in hardware implementation due to a lower gate count.

3 Previous Work

3.1 A Study on the Known Attacks on Reduced Versions of SHACAL-2

In the literature, two kinds of attacks on SHACAL-2 have been demonstrated. In [14], it was shown that the impossible differential attack [4] is applicable to the reduced 30-round SHACAL-2 with a time complexity of 2^{495.1} and a memory complexity of 2^{14.5}. In [22] it has been shown that the differential-linear attack is applicable to the reduced 32-round SHACAL-2 with a time complexity of 2^{504.2} and a memory complexity of 2^{48.4}, which is the best attack so far. In Table 1, we list the best previous results and our results.³

³ This distinguisher uses a differential characteristic for 31 rounds; it can be made more efficient by relaxing the conditions of the final rounds. This is done for the differential attack, which improves the complexity of the attack and allows recovery of secret key bits.



Table 1 – The best previous results and our results.

Attack type                                          #R   Data              Time        Memory
Impossible differential attack on SHACAL-2 [14]      30   744 CP            2^{495.1}   2^{14.5}
Differential-linear attack on SHACAL-2 [22]          32   2^{43.4} CP       2^{504.2}   2^{48.4}
Related-key rectangle attack on SHACAL-2 [15]        37   2^{43.2} RK-CP    2^{484.95}  2^{238.16}
Distinguisher on SHACAL-2-XOR (this paper)           31   2^{248} CP        2^{248}     -
Differential attack on SHACAL-2-XOR (this paper)     32   2^{243.3} CP      2^{246.3}   2^{22}

#R: number of rounds, CP: chosen plaintexts, RK-CP: related-key chosen plaintexts, Time: encryption units, Memory: bytes of memory.

3.2 A Study on the Known Results on SHA-256

The known results on the cryptanalysis of the SHA-256 algorithm so far are several properties related to the resistance of the function against known attacks [11, 13]; none of these attacks has demonstrated any weakness in SHA-256 or any SHA-256 variant.

Hereafter we study the known results on the resistance of SHA-256 against a theoretical attack on SHA-0 [8], which has been a very important result in the following sense: some strong attacks on the SHA algorithms have been developed by improving this attack. Two interesting strategies that significantly reduce the complexity of the attack found collisions or near-collisions for the SHA-0 hash function [2, 3].

We explain the procedure of the attack, which is divided into two steps. The attack first finds a sequence of differences with high probability, which is called a local collision. An attacker introduces a 1-bit difference into one message word and then, in the following rounds, also introduces differences into the following message words so that the differences in the registers are cancelled out, which results in a local collision spanning several rounds. Recent works have given high probabilities for the local collisions they identified: a probability of 2^{-66} in [11], and a better probability of 2^{-39} in [13]. What we need to take into account in this step is that the attacker can choose the differences he injects as he likes, which means that he does not yet care about the message schedule.

Secondly, the attack analyzes the message schedule in an attempt to find two messages such that the message schedule produces the differences of the local collision obtained in the first step. However, it has been difficult to carry out this step for all the SHA algorithms except SHA-0 because of the large influence of the message schedule on difference propagation.



4 Differential Cryptanalysis of SHA-2-XOR and SHACAL-2-XOR

4.1 Search for One-round Iterative Differential Characteristics

We search for one-round iterative differential characteristics for SHA-2-XOR. We first determine the constraints which an iterative characteristic should satisfy. Then we develop an efficient algorithm to find all the differential characteristics satisfying the constraints and find the one with the highest probability.

Let us denote the value in register A at time t by A_t and the difference in this register at time t by dA_t. The t-th round changes the value A_t to A_{t+1} in register A. The one-round iterative property translates into the conditions that in each register the differences at time t and at time t+1 are the same: dA_{t+1} = dA_t, dB_{t+1} = dB_t, dC_{t+1} = dC_t, dD_{t+1} = dD_t, dE_{t+1} = dE_t, dF_{t+1} = dF_t, dG_{t+1} = dG_t, dH_{t+1} = dH_t.

Our purpose here is to translate the constraints into conditions on differences at time t only. There are 6 registers in each of which the value at time t+1 is determined by only one register value at time t. This gives the following simple relations between the differences at time t and the differences at time t+1: dB_{t+1} = dA_t, dC_{t+1} = dB_t, dD_{t+1} = dC_t, dF_{t+1} = dE_t, dG_{t+1} = dF_t, dH_{t+1} = dG_t. From these relations, the 6 constraints dB_{t+1} = dB_t, dC_{t+1} = dC_t, dD_{t+1} = dD_t, dF_{t+1} = dF_t, dG_{t+1} = dG_t, dH_{t+1} = dH_t are equivalent to the following conditions: dA_t = dB_t = dC_t = dD_t, dE_t = dF_t = dG_t = dH_t.

Now we have two remaining constraints, dA_{t+1} = dA_t and dE_{t+1} = dE_t, to transform. We introduce several functions dCH, dMJ, dT1_t, dT2_t, each of which is the output difference of a sub-function used in the round function. These functions are defined as follows:

dCH = CH(X, Y, Z) ⊕ CH(X', Y', Z'),
dMJ = MJ(X, Y, Z) ⊕ MJ(X', Y', Z'),
dT1_t = T1_t(E_t, F_t, G_t, H_t, K_t, W_t) ⊕ T1_t(E'_t, F'_t, G'_t, H'_t, K_t, W_t),
dT2_t = T2_t(A_t, B_t, C_t) ⊕ T2_t(A'_t, B'_t, C'_t).

We rewrite the non-linear functions CH, MJ in terms of their input values and input differences. Let us denote the input difference to a non-linear function by dX_t = X_t ⊕ X'_t for two input values X_t, X'_t. dCH is calculated as follows:

dCH = ((Y ⊕ Z) ∧ dX) ⊕ (X ∧ dY) ⊕ (¬X ∧ dZ) ⊕ (dX ∧ dY) ⊕ (dX ∧ dZ).   (1)

In particular, if all the differences at the input of CH are equal, dX = dY = dZ, then

dCH = ¬(Y ⊕ Z) ∧ dX.   (2)



dMJ is calculated as follows:

dMJ = MJ(dX, dY, dZ) ⊕ ((Y ⊕ Z) ∧ dX) ⊕ ((Z ⊕ X) ∧ dY) ⊕ ((X ⊕ Y) ∧ dZ).   (3)

In particular, if all the differences at the input of MJ are equal, dX = dY = dZ, then

dMJ = dX.   (4)

This shows an important property of MJ: this function behaves linearly if all the input differences are equal.⁴

By using formulas (2), (4) and the constraints obtained so far, dT1_t, dT2_t, dA_{t+1}, dE_{t+1} are calculated as follows:

dT1_t = dE_t ⊕ Σ_1(dE_t) ⊕ (¬(F_t ⊕ G_t) ∧ dE_t),   (5)
dT2_t = Σ_0(dA_t) ⊕ dMJ(A_t, B_t, C_t) = Σ_0(dA_t) ⊕ dA_t,   (6)
dA_{t+1} = dT1_t ⊕ dT2_t,
dE_{t+1} = dD_t ⊕ dT1_t = dA_t ⊕ dT1_t.

Therefore, the remaining constraints dA_{t+1} = dA_t, dE_{t+1} = dE_t are equivalent to the following two conditions:

dA_t = dT1_t ⊕ dT2_t,
dE_t = dA_t ⊕ dT1_t.

From now on we omit the time indices of differences, e.g. dA_t = dA. Then these two conditions are equivalent to the following conditions:

dA = dT1_t ⊕ dE,   (7)
dE = dT2_t.   (8)

By formula (6), condition (8) becomes:

dE = Σ_0(dA) ⊕ dA.

By formula (5), condition (7) becomes:

dA = dE ⊕ Σ_1(dE) ⊕ (¬(F ⊕ G) ∧ dE) ⊕ dE.

The value ¬(F ⊕ G) can be considered to be some random value X. This condition is therefore equivalent to the following condition:

dA = Σ_1(dE) ⊕ (X ∧ dE).

⁴ This property has been noticed previously, for example see [11].

We have determined the conditions for the existence of one-round iterative characteristics. We are now interested in those iterative characteristics that have high probabilities. For an iterative characteristic with differences dA, dE, if some register inputs make this last condition hold, they also make the other conditions hold. Therefore, we pay probability only for this condition to hold. At bit position j, the condition fixes X(j) (and thus costs a factor 1/2 over random register values) if and only if dE(j) is equal to 1; where dE(j) = 0 it is a condition on dA alone, so the characteristic holds with probability 2^{-Ham(dE)}. In particular, an iterative characteristic in which the Hamming weight of dE is smallest has the best probability. This discussion leads us to the following theorem.

Theorem 1. For SHA-2-XOR, a differential characteristic with input differences (dA, dB, dC, dD, dE, dF, dG, dH) is a one-round iterative characteristic if and only if, for some 32-bit value X, the input differences dA, dE satisfy the following:

dA = Σ_1(dE) ⊕ (X ∧ dE),   (9)
dE = Σ_0(dA) ⊕ dA.   (10)

If this condition holds, the other differences in the characteristic are determined by dA and dE as follows:

dB = dA, dC = dA, dD = dA, dF = dE, dG = dE, dH = dE.

Furthermore, the iterative characteristic for which the weight of dE is smallest has the best probability.

4.2 The Search Algorithm

We have to design an algorithm for practical use of the theorem. By substituting the second condition into the first one, we obtain the following:

dA = Σ_1(Σ_0(dA) ⊕ dA) ⊕ (X ∧ (Σ_0(dA) ⊕ dA)).

It is sufficient for us to search for those dA which make this equation solvable in terms of X. Looking at this equation per bit leads us to consider a 1-bit equation I = X ∧ R, where R = Σ_0(dA) ⊕ dA and I = Σ_1(R) ⊕ dA. We consider the condition on I under which the equation has a solution X = X_0 in each of the two cases R = 0 and R = 1. In the case R = 1, there always exists a solution. In the case R = 0, there exists a solution if and only if I is equal to 0. Based on this consideration, we can now develop the algorithm shown in Table 2, where for a bit string V its value at bit position j is denoted by V(j).



Table 2 – The search algorithm.

Step 1: Choose a 32-bit value dA.
Step 2: Compute R = Σ_0(dA) ⊕ dA.
Step 3: Set u to 0.
Step 4: For j = 0 to 31 do:
        If R(j) is equal to 0, compute I(j) = (Σ_1(Σ_0(dA) ⊕ dA) ⊕ dA)(j);
            if I(j) is equal to 1, increase u by 1.
        Otherwise, do nothing.
Step 5: If u is equal to 0, then output dA.
Step 6: If all possible values of dA have been chosen, then end;
        otherwise go to Step 1.

4.3 The Best One-round Iterative Differential Characteristics

The algorithm we designed has identified all one-round iterative characteristics for SHA-2-XOR. The running time was 30 min. Table 3 shows all the one-round iterative differential characteristics with the best probability 2^{-8}.

It was confirmed that one of the best iterative characteristics, dA = b3b3b3b3, dE = 0c0c0c0c, has an experimental probability of 259/2^{16}, which is around 2^{-8}. We can tell exactly what happens in one round. The only place where probability is paid is where the CH function is applied. The difference 0c0c0c0c at the input of CH has to become dA ⊕ Σ_1(dE) = 04040404 at the output, and this happens with probability 2^{-8}, which follows from the following differential property of CH per bit (input differences → output difference):

dCH(0, 0, 0) = 0;   dCH(1, 1, 1) = 0 or 1, each with probability 1/2.

Note that the eight iterative patterns given in Table 3 are cyclic rotations of the same pattern. In the following section, we show that no 2-round iterative patterns better than a concatenation of two best one-round iterative characteristics exist.
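The following Python program is an added worked example and is not code from the paper. It implements the SHA-256 round function, message schedule and Davies-Meyer feed-forward of Section 2 with the word combination switchable between addition modulo 2^32 (the real SHA-256, checked against the standard library) and XOR (SHA-2-XOR / SHACAL-2-XOR of Section 2.1). On top of that it runs the test of Table 2 over the byte-periodic candidates dA = bbbbbbbb (where all entries of Table 3 lie; the paper searches all 2^32 values) and repeats the experiment of this section, estimating the one-round probability of a characteristic by counting random register pairs. All function and variable names are the example's own.

```python
# Added example, not code from the paper: SHA-256 / SHACAL-2 with the word
# combination switchable between modular addition (real SHA-256) and XOR
# (SHA-2-XOR / SHACAL-2-XOR of Section 2.1), plus the Table 2 test and the
# one-round experiment of Section 4.3.  Constants are the public FIPS 180-2 values.
import hashlib
import random
import struct

MASK = 0xFFFFFFFF
K = [  # FIPS 180-2 round constants K_t
    0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
    0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
    0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
    0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
    0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
    0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
    0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
    0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2]
IV = [0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a,
      0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19]

def rotr(x, n): return ((x >> n) | (x << (32 - n))) & MASK
def CH(x, y, z): return (x & y) ^ (~x & z)
def MJ(x, y, z): return (x & y) ^ (y & z) ^ (z & x)
def Sigma0(x): return rotr(x, 2) ^ rotr(x, 13) ^ rotr(x, 22)
def Sigma1(x): return rotr(x, 6) ^ rotr(x, 11) ^ rotr(x, 25)
def sigma0(x): return rotr(x, 7) ^ rotr(x, 18) ^ (x >> 3)
def sigma1(x): return rotr(x, 17) ^ rotr(x, 19) ^ (x >> 10)

def word_op(xor):
    """The '+' of Section 2: addition mod 2^32, or XOR for the variant of Section 2.1."""
    return (lambda a, b: a ^ b) if xor else (lambda a, b: (a + b) & MASK)

def schedule(block, xor=False):
    """Expand one 512-bit block into W_0..W_63 (message schedule of Section 2)."""
    op = word_op(xor)
    w = list(struct.unpack(">16I", block))
    for t in range(16, 64):
        w.append(op(op(sigma1(w[t - 2]), w[t - 7]), op(sigma0(w[t - 15]), w[t - 16])))
    return w

def round_fn(state, k, w, xor=False):
    """One round: T1, T2 and the register update of Section 2."""
    op = word_op(xor)
    a, b, c, d, e, f, g, h = state
    t1 = op(op(op(op(h, Sigma1(e)), CH(e, f, g)), k), w)
    t2 = op(Sigma0(a), MJ(a, b, c))
    return [op(t1, t2), a, b, c, op(d, t1), e, f, g]

def shacal2(state, block, rounds=64, xor=False):
    """SHACAL-2 (xor=True: SHACAL-2-XOR): encrypt the 256-bit state under the 512-bit key block."""
    w = schedule(block, xor)
    for t in range(rounds):
        state = round_fn(state, K[t], w[t], xor)
    return state

def compress(state, block, rounds=64, xor=False):
    """Davies-Meyer feed-forward: compress(V, M) = E_M(V) + V (XOR in the variant)."""
    op = word_op(xor)
    return [op(x, v) for x, v in zip(shacal2(state, block, rounds, xor), state)]

def sha256_short(msg):
    """SHA-256 of a message of at most 55 bytes (one padded block)."""
    block = msg + b"\x80" + b"\x00" * (55 - len(msg)) + struct.pack(">Q", 8 * len(msg))
    return b"".join(struct.pack(">I", v) for v in compress(list(IV), block))

def matches_hashlib(msg):
    """Sanity check of the implementation above against the standard library."""
    return sha256_short(msg) == hashlib.sha256(msg).digest()

def one_round_iterative(dA):
    """Table 2 test for a candidate dA. Returns (passes, dE, required CH output difference)."""
    dE = Sigma0(dA) ^ dA                 # condition (10)
    need = Sigma1(dE) ^ dA               # dCH must equal dA ^ Sigma1(dE), see (5) and (7)
    return (need & ~dE & MASK) == 0, dE, need   # (9) is solvable iff need lies inside dE

def byte_periodic_iteratives():
    """Table 2 search restricted to the 255 non-zero byte-periodic dA (the paper runs all 2^32)."""
    found = {}
    for b in range(1, 256):
        ok, dE, _ = one_round_iterative(b * 0x01010101)
        if ok:
            found[b * 0x01010101] = dE
    return found

def one_round_probability(dA, dE, trials=1 << 14, seed=2005):
    """Section 4.3 experiment: fraction of random register pairs with input difference
    (dA,dA,dA,dA,dE,dE,dE,dE) that keep that difference after one SHA-2-XOR round."""
    rng, diff, hits = random.Random(seed), [dA] * 4 + [dE] * 4, 0
    for _ in range(trials):
        s = [rng.getrandbits(32) for _ in range(8)]
        k, w = rng.getrandbits(32), rng.getrandbits(32)
        out = round_fn(s, k, w, xor=True)
        out2 = round_fn([x ^ y for x, y in zip(s, diff)], k, w, xor=True)
        if [x ^ y for x, y in zip(out, out2)] == diff:
            hits += 1
    return hits / trials
```

For dA = b3b3b3b3 the test returns dE = 0c0c0c0c and a required CH output difference of 04040404, and the measured one-round probability is close to 1/256. A candidate such as dA = 4c4c4c4c gives the same dE (b3 and 4c differ by the all-ones byte, which Σ_0 ⊕ id maps to zero) but fails condition (9), so it never survives a round. The same compress(..., rounds, xor=True) can be applied to the Table 7 input with and without one of the Table 3 differences XORed into the registers to check a reduced-round pseudo-collision.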

4.4 Search for 2-round Iterative Differential Characteristics

We search for two-round iterative differential characteristics for SHA-2-XOR, and show that no 2-round iterative pattern with probability higher than 2^{-16} exists. We first determine the constraints which an iterative pattern should satisfy. Let us denote the value (the difference) in register A at time t by A_t (dA_t). The t-th and (t+1)-th rounds change the value A_t to A_{t+2} in register A. The constraints are translated into the conditions that in each register the difference at time t and the difference at time t+2 are the same: dA_{t+2} = dA_t, dB_{t+2} = dB_t, dC_{t+2} = dC_t, dD_{t+2} = dD_t, dE_{t+2} = dE_t, dF_{t+2} = dF_t, dG_{t+2} = dG_t, dH_{t+2} = dH_t.



Table 3 – One-round iterative differential characteristics with the best probability 2^{-8}.

dA = dB = dC = dD    dE = dF = dG = dH
3b3b3b3b             c0c0c0c0
67676767             18181818
76767676             81818181
9d9d9d9d             60606060
b3b3b3b3             0c0c0c0c
cececece             30303030
d9d9d9d9             06060606
ecececec             03030303

Our purpose here is to translate the constraints into conditions on differences at time t only. There are 4 registers in each of which the value at time t+2 is determined by only one register value at time t. This gives the following simple relations between the differences at time t and the differences at time t+2: dC_{t+2} = dA_t, dD_{t+2} = dB_t, dG_{t+2} = dE_t, dH_{t+2} = dF_t. From these relations, the 4 constraints dC_{t+2} = dC_t, dD_{t+2} = dD_t, dG_{t+2} = dG_t, dH_{t+2} = dH_t are equivalent to the following conditions: dC_t = dA_t, dD_t = dB_t, dG_t = dE_t, dH_t = dF_t.

Now we have 4 remaining constraints dF_{t+2} = dF_t, dE_{t+2} = dE_t, dA_{t+2} = dA_t, dB_{t+2} = dB_t, from which we derive the following four conditions:

dB_t ⊕ Σ_1(dE_t) = dCH(E_t, F_t, G_t),   (11)
dA_t ⊕ Σ_1(dF_t) = dCH(E_{t+1}, E_t, F_t),   (12)
dF_t ⊕ Σ_0(dA_t) = dMJ(A_t, B_t, C_t),   (13)
dE_t ⊕ Σ_0(dB_t) = dMJ(A_{t+1}, A_t, B_t).   (14)

In our case, the conditions dA_{t+1} = dB_t, dE_{t+1} = dF_t hold. Therefore we need to know the differential properties of the non-linear functions under certain conditions on their input differences, which are given in Table 4.

We assume that there is an iterative characteristic with differences (dA, dB, dC, dD, dE, dF, dG, dH) that has a probability of at least 2^{-16}. Let us define α, β as follows:

α = dCH(E_t, F_t, G_t) ⊕ dCH(E_{t+1}, E_t, F_t),
β = dMJ(A_t, B_t, C_t) ⊕ dMJ(A_{t+1}, A_t, B_t).

We know Ham(α) ≤ 8 by studying (11), (12) and Table 4. We can assume Ham(α) is more than 0, since otherwise the search is reduced to the search for one-round iterative patterns. We also know the following condition on dE_t ⊕ dF_t, which holds for any bit position j:

α(j) = 0 ⟹ (dE_t ⊕ dF_t)(j) = 0.



Table 4 – A differential property of the non-linear functions.

dX = dZ    dY    dCH    dMJ
0          0     0      0
0          1     0/1    0/1
1          0     0/1    0/1
1          1     0/1    1

Hence, the number of possible values for dE_t ⊕ dF_t is 2^{Ham(α)}. By adding (11) and (12) we have the following:

dA_t ⊕ dB_t = Σ_1(dE_t ⊕ dF_t) ⊕ α.   (15)

On the other hand, we have the following condition by adding (13) and (14):

dF_t ⊕ dE_t ⊕ Σ_0(dA_t ⊕ dB_t) = β.

Finally we obtain the following condition:

dF_t ⊕ dE_t ⊕ Σ_0(Σ_1(dE_t ⊕ dF_t) ⊕ α) = β.   (16)

Now we can compute dA_t ⊕ dB_t and β from α and dE_t ⊕ dF_t. From the discussion above, we also obtain the following property, which holds for any bit position j:

(dA_t ⊕ dB_t)(j) = 0 ⟹ β(j) = 0.

However, it was confirmed that none of the computed values of dA_t ⊕ dB_t and β satisfy this property. This was done for all 2^{32} possible values of α. The total complexity is 2^{32+Ham(α)} ≤ 2^{40} elementary computations.

4.5 Pseudo-collision Attack on SHA-2-XOR Using Iterative Differential Characteristics

We present attacks on SHA-2-XOR and SHACAL-2-XOR using the iterative differential characteristics we identified. We present two kinds of attacks on SHA-2-XOR.

By definition, to find a pseudo-collision, an attacker can inject differences both into the message schedule and into the registers. The attacker would require a complexity of 2^{128} to find a pseudo-collision for an ideal hash function. We obtain a 15-round iterative characteristic with probability 2^{-120} by concatenating one of the best one-round iterative characteristics we identified. This leads to an attack finding a pseudo-collision with complexity 2^{120} for 15-round SHA-2-XOR.

Our attack suggests a security model where an attacker can inject differences only into the registers. Taking into account the feed-forward operation of the Davies-Meyer mode, finding a collision means finding a differential characteristic for the underlying block cipher whose input difference and output difference are the same. In the ideal case, if both the input difference and the output difference are fixed, then the probability that a plaintext pair with the input difference results in the output difference is 2^{-256}. However, for SHA-2-XOR with 31 rounds this probability is 2^{-248}, which means that 31 rounds of this hash function do not behave as a random hash function.

4.6 Differential Attack on 32-round SHACAL-2-XOR

As for SHACAL-2-XOR, we can build a 31-round characteristic with probability 2^{-248} by concatenating one of the best iterative differential characteristics we identified. This shows that SHACAL-2-XOR with 31 rounds can be distinguished from a random permutation. We now attack SHACAL-2-XOR with 32 rounds by using the 30-round differential characteristic. Our goal here is to find the 32-bit key word W_31. Let δ be the input difference of the 30-round characteristic (e.g. dA_0 = dB_0 = dC_0 = dD_0 = 3b3b3b3b, dE_0 = dF_0 = dG_0 = dH_0 = c0c0c0c0). We denote a plaintext P at time t by P_t and the value of P_t in register A by A_t. We denote the difference between a pair of plaintexts (P, P*) at time t by ∆_t and the part of ∆_t in register A by dA_t. Let (P, P*) be a pair of plaintexts with the difference δ: ∆_0 = δ. The pair of corresponding ciphertexts is (P_32, P*_32). There are two steps in our attack, a data collection step and a data analysis step. In the data collection step, we encrypt 2^{240} · 10 plaintext pairs. Then we collect only the 2^{16} · 10 pairs needed for the next step by checking whether the corresponding ciphertext pairs satisfy certain conditions. Let us see what this condition looks like. For the right pairs, the condition ∆_30 = δ holds. For the last 2 rounds, we observe how this difference behaves in the case that no probability is paid. Even in this case, in 4 registers the differences at time 32 are determined uniquely by the differences at time 30: dC_32 = dA_30, dD_32 = dB_30, dG_32 = dE_30, dH_32 = dF_30. By studying how the non-linear functions increase the uncertainty of the differences, we can see that there are 2^{16} candidates for the differences in the other 4 registers at time 32: (dA_32, dB_32, dE_32, dF_32).

In the data analysis step, we find 8 bits of the 32-bit key word W_31 using 2^8 counters. Each pair suggests one key, therefore a counter holds 2^8 on average, while the counter for the correct key bits holds 2^8 · 10. This enables us to detect the correct key bits. Using another three of the iterative characteristics we identified, we can find another 24 bits of W_31.

The time complexity of this attack is 2^{246.3} (= 2^{240} · 10 · 2 · 4) 32-round SHACAL-2-XOR encryptions and the data complexity of this attack is 2^{243.3} chosen plaintexts, which are immediately discarded, leaving only 2^{17} for the analysis step.



Table 5 – The conditions on register values at each time which result in the required difference after 19 rounds.

(F_0 ⊕ G_0)(j) = L(j)   (j ∈ J)
(E_0 ⊕ F_0)(j) = L(j)   (j ∈ J)
(E_t ⊕ E_{t+1})(j) = L(j)   (j ∈ J, t = 1, 2, ..., 17)

4.7 Improvement of the Pseudo-collision Attack

In the previous section, we identified one-round iterative differential characteristics. Using the best ones, with probability 2^{-8}, we attacked 15 rounds of SHA-2-XOR with respect to pseudo-collision resistance. Here we improve this result and add more rounds.

In the pseudo-collision attack model, the attacker chooses any element from the set I_all = {0,1}^256 × {0,1}^512, which is taken as input to the compression function. The main idea of our improvement is to use a subset of I_all, denoted by I_sub, for which better probabilities over many rounds are obtained. This idea was already indicated in [19], where it is pointed out that the attacker can choose the message so that the first several rounds follow the characteristic with probability 1. It is quite natural to consider this idea in the cryptanalysis of hash functions. Recently, this idea was used effectively in the attacks of [23].

To realize this idea in practice, the attacker first randomly chooses an input from I_all and then modifies it in such a way that certain conditions on the register values E_t, F_t, G_t, t = 0, 1, ..., 17, given in Table 5, are satisfied. Using the resulting set of modified inputs, we do not have to pay probability for the first 19 rounds.

Now we develop an algorithm for the input modification. First, we fix one of the iterative characteristics as δ, as in the previous section. Let L be the constant value 0x08080808 and J the set of bit positions {2, 3, 10, 11, 18, 19, 26, 27}. Studying the proof of the above theorem tells us the conditions on the register values at each time which result in the required difference after 19 rounds: the only probabilistic step in each round is the CH function, whose output difference is fixed by formula (2) once the value of F_t ⊕ G_t is fixed at the bit positions in J, and it takes the required value exactly when (F_t ⊕ G_t)(j) = L(j) for all j ∈ J.

Taking this condition into account, we develop the algorithm shown in Table 6, where for a bit string V its value at bit position j is denoted by V(j).

The algorithm involves a modification of 152 input bits (= 19 × 8 bits), that is, E_0(j), G_0(j), H_0(j), W_0(j), W_1(j), ..., W_15(j) (j ∈ J). All the modified inputs with the difference δ result in δ again after 19 rounds, which was experimentally confirmed with 2^{20} randomly chosen inputs. We use 120 input bits out of the remaining 616 bits to add 15 rounds. This leads to an attack finding a pseudo-collision with complexity 2^{120} for 34-round SHA-2-XOR.



Table 6 – The input modification.

Step 1: Choose random initial register values A_0, B_0, C_0, D_0, E_0, F_0, G_0, H_0.
Step 2: Choose a random message block of 16 words W_0, W_1, ..., W_15.
Step 3: Replace the 8 bits G_0(j) and the 8 bits E_0(j) by the 8 bits (F_0 ⊕ L)(j)  (j ∈ J).
Step 4: For t = 0 to 15 do:
        Compute the value α = E_{t+1} ⊕ E_t ⊕ L;
        replace the 8 bits W_t(j) by the 8 bits α(j)  (j ∈ J);
        apply the t-th round function with the resulting W_t.
Step 5: Copy the value of W_0 to the variable W_0^old.
Step 6: Compute the value β = D_16 ⊕ H_16 ⊕ Σ_1(E_16) ⊕ CH(E_16, F_16, G_16) ⊕ K_16 ⊕ L ⊕ E_16.
Step 7: Compute W_16 = σ_1(W_14) ⊕ W_9 ⊕ σ_0(W_1) ⊕ W_0.
Step 8: Replace the 8 bits W_16(j) by the 8 bits β(j)  (j ∈ J).
Step 9: Replace W_0(j) by the value (W_16 ⊕ σ_1(W_14) ⊕ W_9 ⊕ σ_0(W_1))(j)  (j ∈ J).
Step 10: Replace H_0(j) by the value (H_0 ⊕ W_0 ⊕ W_0^old)(j)  (j ∈ J).

4.8 An Example of a 23-round Pseudo-collision for SHA-2-XOR

In Table 7 we list an example of an input producing a pseudo-collision for SHA-2-XOR with reduced rounds. Our approach found a 23-round pseudo-collision for SHA-2-XOR with a complexity of 2^{32}.

4.9 The Impact on Round-reduced Versions of the ActualSHA-256

Since our attack on SHA-2-XOR is based on a one-round iterative characteristic whose Hamming weight is relatively high, it is unlikely that the same characteristic has a high probability for the actual SHA-256 hash function, where the carries of the modular additions would have to be controlled as well. Therefore it is not possible to apply our attack to the actual SHA-256 in a straightforward way.

5 Conclusions

We considered a SHA-256 variant and a SHACAL-2 variant. We presented a differential attack on these ciphers. Our results show that SHACAL-2-XOR with up to 31 rounds has a weakness of randomness and that SHA-2-XOR with up to 34 rounds has a weakness of pseudo-collision resistance. We also presented a key-recovery attack on SHACAL-2-XOR with 32 rounds by using the 31-round distinguisher.



Table 7 – A message and register values producing a 23-round pseudo-collision for SHA-2-XOR.

Message words W_0, W_1, ..., W_15:
0xe97ae8e7 0x695655dd 0x57e9383b 0x8c916172
0x68e61dd1 0x2bc71033 0x081dae0f 0x5546e057
0xfd1450ef 0xcb398b6a 0xa16bf40c 0xfc7bb645
0x14b17c9c 0x1b2a8265 0xa17f20c4 0xe8f96137

Register values (A_0, B_0, C_0, D_0, E_0, F_0, G_0, H_0):
0x4939a45a 0x79ec4172 0xf0ef5249 0x29b5bb6f
0xd92f76e4 0x21962dfe 0xd88e64f6 0x7b624d63

Acknowledgements

The authors would like to thank Bart Preneel for his suggestions towards this analysis. We also would like to thank Joseph Lano and Souradyuti Paul for helpful comments and useful discussions. We are also grateful to the anonymous referees for their valuable remarks.

References

[1] E. Biham, “New Results on SHA-0 and SHA-1,” invited talk presented at SAC 2004.

[2] E. Biham, R. Chen, “Near-Collisions of SHA-0,” in Proceedings of CRYPTO 2004, LNCS 3152, M. Franklin, Ed., Springer-Verlag, pp. 290–305, 2004.

[3] E. Biham, R. Chen, A. Joux, P. Carribault, C. Lemuet, and W. Jalby, “Collisions of SHA-0 and Reduced SHA-1,” in Proceedings of Eurocrypt 2005, LNCS 3494, R. Cramer, Ed., Springer-Verlag, pp. 36–57, 2005.

[4] E. Biham, A. Biryukov, A. Shamir, “Cryptanalysis of Skipjack Reduced to 31 Rounds Using Impossible Differentials,” in Proceedings of Eurocrypt’99, LNCS 1592, Springer-Verlag, pp. 12–23, 1999.

[5] E. Biham, A. Shamir, Differential Cryptanalysis of the Data Encryption Standard, Springer-Verlag, 1993.

[6] A. Biryukov, D. Wagner, “Advanced slide attacks,” in Proceedings of Eurocrypt 2000, LNCS 1807, B. Preneel, Ed., Springer-Verlag, pp. 589–606, 2000.



[7] B. den Boer, A. Bosselaers, “Collisions for the compression function of MD5,” in Proceedings of Eurocrypt 1993, LNCS 765, T. Helleseth, Ed., Springer-Verlag, pp. 293–304, 1993.

[8] F. Chabaud and A. Joux, “Differential Collisions in SHA-0,” in Proceedings of CRYPTO’98, LNCS 1462, H. Krawczyk, Ed., Springer-Verlag, pp. 56–71, 1998.

[9] I. Damgård, “A design principle for hash functions,” in Proceedings of Crypto’89, LNCS 435, G. Brassard, Ed., Springer-Verlag, pp. 416–427, 1990.

[10] H. Dobbertin, “The status of MD5 after a recent attack,” CryptoBytes, Vol. 2, No. 2, pp. 1–6, Summer 1996.

[11] H. Gilbert, H. Handschuh, “Security Analysis of SHA-256 and Sisters,” in Proceedings of SAC 2003, LNCS 3006, M. Matsui and R. Zuccherato, Eds., Springer-Verlag, pp. 175–193, 2004.

[12] H. Handschuh, D. Naccache, “SHACAL,” submission to the NESSIE project, 2000. Available from http://www.gemplus.com/smart/r_d/publications/pdf/HN00shac.pdf.

[13] P. Hawkes, M. Paddon, and G. G. Rose, “On Corrective Patterns for the SHA-2 Family,” Cryptology ePrint Archive, August 2004. Available from http://eprint.iacr.org/.

[14] S. Hong, J. Kim, G. Kim, J. Sung, C. Lee, and S. Lee, “Impossible Differential Attack on 30-Round SHACAL-2,” in Proceedings of INDOCRYPT 2003, LNCS 2904, T. Johansson and S. Maitra, Eds., Springer-Verlag, pp. 97–106, 2003.

[15] J. Kim, G. Kim, S. Lee, J. Lim, and J. Song, “Related-Key Attacks on Reduced Rounds of SHACAL-2,” in Proceedings of INDOCRYPT 2004, LNCS 3348, A. Canteaut and K. Viswanathan, Eds., Springer-Verlag, pp. 175–189, 2004.

[16] L. R. Knudsen and J. E. Mathiassen, “Preimage and collision attacks on MD2,” in Proceedings of FSE 2005, LNCS 3557, H. Gilbert and H. Handschuh, Eds., Springer-Verlag, pp. 255–267, 2005.

[17] A. Menezes, P. van Oorschot and S. Vanstone, Handbook of Applied Cryptography, CRC Press, 1997.

[18] National Institute of Standards and Technology, FIPS 180-2: “Secure Hash Standard (SHS),” August 2002.

Page 123: COSIC · Design and Analysis of Cryptographic Hash Functions Özgül KÜÇÜK Jury: Dissertation presented in partial Prof. dr. Adhemar Bultheel, chairman fulfillment of the requirements

REFERENCES 97

[19] V. Rijmen, B. Preneel, “Improved characteristics for differential cryptanalysisof hash functions based on block ciphers,” Fast Software Encryption, LectureNotes in Computer Science 1008, B. Preneel, Ed., Springer-Verlag, 1995,pp. 242-248.

[20] R. Rivest, “The MD5 message-digest algorithm,” Request for Comments(RFC) 1321, Internet Activities Board, Internet Privacy Task Force, April1992.

[21] M. Saarinen, “Cryptanalysis of Block Ciphers Based on SHA-1 and MD5,”in Proceedings of FSE 2003, LNCS 2887, T. Johansson, Ed., Springer-Verlag,pp. 36–44, 2003.

[22] Y. Shin, J. Kim, G. Kim, S. Hong, and S. Lee, “Differential-Linear TypeAttacks on Reduced Rounds of SHACAL-2,” in Proceedings of ACISP2004, LNCS 3108, H. Wang, J. Pieprzyk, and V. Varadharajan, Ed.,Springer-Verlag, pp. 110–122, 2004.

[23] X. Wang, X. Lai, D. Feng, H. Chen, and X. Yu, “Cryptanalysis of the HashFunctions MD4 and RIPEMD,” in Proceedings of Eurocrypt 2005, LNCS 3494,R. Cramer, Ed., Springer-Verlag, pp. 1–18, 2005.

[24] H. Yoshida, A. Biryukov, C. De Cannière, J. Lano, and B. Preneel,“Non-randomness of the Full 4 and 5-pass HAVAL,” in Proceedings ofSCN 2004, LNCS 3352, C. Blundo and S. Climato, Ed., Springer-Verlag,pp. 324–336, 2005.

Page 124: COSIC · Design and Analysis of Cryptographic Hash Functions Özgül KÜÇÜK Jury: Dissertation presented in partial Prof. dr. Adhemar Bultheel, chairman fulfillment of the requirements

98 ANALYSIS OF A SHA-256 VARIANT

Figure 1 – Round function for SHA-256. (Figure not reproduced: registers A, B, C, D, E, F, G, H in and out, the functions MJ, CH, Σ0 and Σ1, and the round inputs Wt and Kt.)


Publication

Update on Tiger

Publication Data

F. Mendel, B. Preneel, V. Rijmen, H. Yoshida, and D. Watanabe,“Update on Tiger,” INDOCRYPT 2006, LNCS, vol. 4329, Springer,pp. 63–79, 2006.

Contributions

• Principal author together with Florian Mendel. We devised a collision attack on Tiger, up to 19 out of 24 rounds.


Update on Tiger ∗

Florian Mendel (1), Bart Preneel (2), Vincent Rijmen (1), Hirotaka Yoshida (3), and Dai Watanabe (3)

(1) Graz University of Technology, Institute for Applied Information Processing and Communications, Inffeldgasse 16a, A–8010 Graz, Austria

(2) Katholieke Universiteit Leuven, Dept. ESAT/SCD-COSIC, Kasteelpark Arenberg 10, B–3001 Heverlee, Belgium

(3) Systems Development Laboratory, Hitachi, Ltd., 1099 Ohzenji, Asao-ku, Kawasaki-shi, Kanagawa-ken, 215-0013 Japan

Abstract. Tiger is a cryptographic hash function with a 192-bit hash value which was proposed by Anderson and Biham in 1996. At FSE 2006, Kelsey and Lucks presented a collision attack on Tiger reduced to 16 (out of 24) rounds with complexity of about 2^44. Furthermore, they showed that a pseudo-near-collision can be found for a variant of Tiger with 20 rounds with complexity of about 2^48.

In this article, we show how their attack method can be extended to construct a collision in the Tiger hash function reduced to 19 rounds. We present two different attack strategies for constructing collisions in Tiger-19 with complexity of about 2^62 and 2^69. Furthermore, we present a pseudo-near-collision for a variant of Tiger with 22 rounds with complexity of about 2^44.

Keywords: cryptanalysis, hash functions, differential attack, collision, near-collision, pseudo-collision, pseudo-near-collision

1 Introduction

Recent results in cryptanalysis of hash functions show weaknesses in many commonly used hash functions, such as SHA-1 and MD5 [4, 5]. Therefore, the cryptanalysis of alternative hash functions, such as Tiger, is of great interest.

In [2], Kelsey and Lucks presented a collision attack on Tiger-16, a round reduced variant of Tiger (only 16 out of 24 rounds), with complexity of about 2^44. In the attack they used a kind of message modification technique developed for Tiger to force a differential pattern in the chaining variables after round 7, which can then be canceled by the differences in the expanded message words in the following rounds. This led to a collision in the Tiger hash function after 16 rounds. Furthermore, they showed that a pseudo-near-collision can be found in a variant of Tiger with 20 rounds in about 2^48 applications of the compression function.

∗ This work was supported in part by the Austrian Science Fund (FWF), project P18138. This work was supported in part by a consignment research from the National Institute on Information and Communications Technology (NiCT), Japan. This work was supported in part by the Concerted Research Action (GOA) Ambiorics 2005/11 of the Flemish Government.

In this article, we extend the attack to construct a collision in Tiger-19. We present two different collision attacks on Tiger-19 with complexity of 2^62 and 2^69. Furthermore, we present a pseudo-near-collision attack for a variant of Tiger with 22 rounds with complexity of about 2^44 and a pseudo-collision attack for Tiger-23/128, a version of Tiger reduced to 23 rounds with truncated output, with complexity 2^44. A summary of our results is given in Table 1.

Table 1 – Overview of attacks on the Tiger hash function.

number of rounds   type                    complexity       source
Tiger-16           collision               2^44             in [2]
Tiger-19           collision               2^62 and 2^69    in this article
Tiger-19           pseudo-collision        2^44             in this article
Tiger-21           pseudo-collision        2^66             in this article
Tiger-23/128       pseudo-collision        2^44             in this article
Tiger-20 (4)       pseudo-near-collision   2^48             in [2]
Tiger-21           pseudo-near-collision   2^44             in this article
Tiger-22           pseudo-near-collision   2^44             in this article

The remainder of this article is structured as follows. A description of the Tiger hash function is given in Section 2. The attack of Kelsey and Lucks on Tiger-16 is described in Section 3. In Section 4, we describe a method to construct collisions in Tiger-19. Another method for constructing collisions in Tiger-19 is described in Section 5. Furthermore, we present a pseudo-near-collision for Tiger-22 in Section 6 and a pseudo-collision for Tiger-23/128 in Section 7. Finally, we present conclusions in Section 7.

2 Description of the Hash Function Tiger

Tiger is a cryptographic hash function that was designed by Ross Anderson and Eli Biham in 1996 [1]. It is an iterative hash function that processes 512-bit input message blocks and produces a 192-bit hash value. In the following, we briefly describe the hash function. It basically consists of two parts: the key-schedule and the state update transformation. A detailed description of the hash function is given in [1]. For the remainder of this article we use the same notation as is used in [2]. The notation is given in Table 2.

(4) Kelsey and Lucks show a pseudo-near-collision for the last 20 rounds of Tiger.

Table 2 – Notation.

Notation     Meaning
A + B        addition of A and B modulo 2^64
A − B        subtraction of A and B modulo 2^64
A ∗ B        multiplication of A and B modulo 2^64
A ⊕ B        bit-wise XOR-operation of A and B
¬A           bit-wise NOT-operation of A
A ≪ n        bit-shift of A by n positions to the left
A ≫ n        bit-shift of A by n positions to the right
Xi           message word i (64 bits)
Xi[even]     the even bytes of message word Xi (32 bits)
Xi[odd]      the odd bytes of message word Xi (32 bits)

2.1 State Update Transformation

The state update transformation starts from a (fixed) initial value IV of three 64-bit registers and updates them in three passes of eight rounds each. In each round one 64-bit word X is used to update the three chaining variables A, B and C as follows.

C = C ⊕ X

A = A − even(C)

B = B + odd(C)

B = B × mult

The results are then shifted such that A, B, C become B, C, A. Fig. 1 shows one round of the state update transformation of Tiger. The non-linear functions even and odd used in each round are defined as follows.

even(C) = T1[c0] ⊕ T2[c2] ⊕ T3[c4] ⊕ T4[c6]

odd(C) = T4[c1] ⊕ T3[c3] ⊕ T2[c5] ⊕ T1[c7]

where C is split into eight bytes c0, . . . , c7 where c0 is the most significant byte. The four S-boxes T1, . . . , T4 : {0, 1}^8 → {0, 1}^64 are used to compute the output of the non-linear functions even and odd. For the definition of the four S-boxes we refer to [1]. Note that chaining variable B is multiplied with the constant mult ∈ {5, 7, 9} at the end of each round. The value of the constant is different in each pass of the Tiger hash function.

Figure 1 – The round function of Tiger. (Figure not reproduced: round input Xi, the functions even and odd, chaining variables Ai−1, Bi−1, Ci−1 in and Ai, Bi, Ci out.)

After the last round of the state update transformation, the chaining variables A−1, B−1, C−1 and the output values of the last pass A23, B23, C23 are combined, resulting in the final value of one iteration (feed forward). The result is the final hash value or the initial value for the next message block.

A′23 = A−1 ⊕ A23

B′23 = B−1 − B23

C′23 = C−1 + C23

2.2 Key Schedule

Between two passes of Tiger, there is one key schedule. The key schedule is an invertible function which ensures that changing a small number of bits in the message will affect a lot of bits in the next pass. While the message words X0, . . . , X7 are used in the first pass to update the chaining variables, the remaining 16 message words, 8 for the second pass and 8 for the third pass, are generated by applying the key schedule as shown below.

(X8, . . . , X15) = KeySchedule(X0, . . . , X7)

(X16, . . . , X23) = KeySchedule(X8, . . . , X15)

The key schedule modifies the inputs (Y0, . . . , Y7) in two steps, as shown below.

first step                              second step
Y0 = Y0 − (Y7 ⊕ A5A5A5A5A5A5A5A5)       Y0 = Y0 + Y7
Y1 = Y1 ⊕ Y0                            Y1 = Y1 − (Y0 ⊕ ((¬Y7) ≪ 19))
Y2 = Y2 + Y1                            Y2 = Y2 ⊕ Y1
Y3 = Y3 − (Y2 ⊕ ((¬Y1) ≪ 19))           Y3 = Y3 + Y2
Y4 = Y4 ⊕ Y3                            Y4 = Y4 − (Y3 ⊕ ((¬Y2) ≫ 23))
Y5 = Y5 + Y4                            Y5 = Y5 ⊕ Y4
Y6 = Y6 − (Y5 ⊕ ((¬Y4) ≫ 23))           Y6 = Y6 + Y5
Y7 = Y7 ⊕ Y6                            Y7 = Y7 − (Y6 ⊕ 0123456789ABCDEF)


The final values (Y0, . . . , Y7) are the output of the key schedule and the message words for the next pass.

3 Previous Attack on Tiger

In this section, we will briefly describe the attack of Kelsey and Lucks on Tiger-16. A detailed description of the attack is given in [2]. For a good understanding of our results, it is recommended to study it very carefully. Space restrictions do not permit us to copy all the important details of the original attack. The attack on Tiger-16 can be summarized as follows.

1. Choose a characteristic for the key schedule of Tiger that holds with high probability (ideally with probability 1).

2. Use a kind of message modification technique [5] developed for Tiger to construct certain differences in the chaining variables for round 7, which can then be canceled by the differences in the message words in the following rounds. This leads to a collision in the Tiger hash function after 16 rounds.

In the following we will describe both parts of the attack in detail.

3.1 High Probability Characteristic for the Key Schedule of Tiger

For the attack Kelsey and Lucks used the key schedule difference given in (1). It has probability 1 to hold in the key schedule of Tiger. This facilitates the attack.

(I, I, I, I, 0, 0, 0, 0) → (I, I, 0, 0, 0, 0, 0, 0) (1)

Note that I denotes a difference in the MSB of the message word. Hence, the XOR difference (denoted by ∆⊕) and the additive difference (denoted by ∆+) are the same in this particular case.

To have a collision after 16 rounds, there has to be a collision after round 9 as well. Hence, the following differences are needed in the chaining variables for round 7 of Tiger.

∆⊕(A6) = I, ∆⊕(B6) = I, ∆⊕(C6) = 0 (2)

Constructing these differences in the chaining variables after round 6 is the most difficult part of the attack. Therefore, Kelsey and Lucks adapted the idea of message modification from the MD-family to Tiger. The main idea of message modification is to use the degrees of freedom we have in the choice of the message words to control the differences in the chaining variables. In the case of Tiger, the differential pattern given in (2) has to be met in order to have a collision after 16 rounds of Tiger.


3.2 Message modification by Meeting in the Middle

Figure 2 – Outline of the message modification step in Tiger. (Figure not reproduced: two consecutive rounds with inputs Xi and Xi+1, the functions even and odd, chaining variables Ai−1, Bi−1, Ci−1 through Ai+1, Bi+1, Ci+1, and the target difference ∆+(Ci+1) = δ∗.)

In this section, we explain the idea of message modification in Tiger according to Fig. 2. Assume that the values of (Ai−1, Bi−1, Ci−1) and the additive differences ∆+(Ai−1), ∆+(Bi−1), ∆+(Ci−1) are known as well as the additive differences in the message words Xi and Xi+1. Then the additive difference ∆+(Ci+1) can be forced to be any difference δ∗ with probability 1/2 by applying the birthday attack. As depicted in Fig. 2, the additive difference ∆+(Ci+1) depends on the additive differences ∆+(Bi−1), ∆+(odd(Bi)), and ∆+(even(Bi+1)).

For any nonzero XOR difference ∆⊕(Bi+1[even]), one expects about 2^32 different corresponding additive output differences ∆+(even(Bi+1)). Similarly, for any nonzero XOR difference ∆⊕(odd(Bi)), one expects close to 2^32 corresponding different additive output differences ∆+(odd(Bi)).

Thus, if the XOR differences ∆⊕(Bi+1[even]) and ∆⊕(Bi[odd]) both are nonzero, a meet-in-the-middle (MITM) approach can be applied to solve the following equation:

mult × (∆+(Bi−1) + ∆+(odd(Bi))) − ∆+(even(Bi+1)) = δ∗ .

This is done by performing the following two steps:

1. Store the 2^32 candidates for ∆+(odd(Bi)) in a table.

2. For all 2^32 candidates for ∆+(even(Bi+1)), test if some ∆+(odd(Bi)) exists with ∆+(odd(Bi)) = (∆+(even(Bi+1)) + δ∗)/(mult) − ∆+(Bi−1).


This technique takes 2^33 evaluations of each of the functions odd and even, which is equivalent to about 2^29 evaluations of the compression function of Tiger reduced to 16 rounds and some 2^33 64-bit word units of storage space.

Note that if the choice of the values of the message words Xi and Xi+1 is constrained by k bits then the success probability of the message modification step is reduced by a factor of 2^k. This is referred to as a constrained message modification step.

3.3 The collision attack on Tiger-16

With the key schedule difference given in Section 3.1 and the newly developed message modification technique for Tiger described in Section 3.2, Kelsey and Lucks show a collision attack on Tiger reduced to 16 rounds. The method can be summarized as follows (see [2]).

0. Precomputation: Find an additive difference L+ with a low Hamming weight XOR difference L⊕ which can be canceled out by a suitable choice for X6[even]. In the analysis Kelsey and Lucks assume that an additive difference L can be found which is consistent with an 8-bit XOR difference Lxor. This step of the attack has a complexity of about 2^27.

1. Choose suitable values for X0, X1, X2[even] such that ∆⊕(A2), ∆⊕(B2), ∆⊕(C2) are useful. A difference is called useful if there are differences in the even and odd bytes of the word. This step adds negligible cost to the attack complexity.

2. Do a message modification step to get a suitable XOR-difference Lxor in C3 which is consistent with the additive difference L of the precomputation step. This step has complexity of about 2^36 and determines the message words X2[odd] and X3[even].

3. Do a constrained message modification step to get ∆⊕(C4) = I. This determines X3[odd] and X4[even]. Completing this step has complexity of about 2^40. This is due to the fact that 8 bits of X4 (4 bits in X4[even] and 4 bits in X4[odd]) are constrained by the transition of the XOR difference Lxor in C3 to the additive difference L in B4.

4. Do a constrained message modification step to get ∆⊕(C5) = I. This determines X4[odd] and X5[even]. Completing this step has complexity of about 2^44.

5. Determine X6[even] by using C5 and the results of the precomputation step. This adds no additional cost to the attack complexity.

Hence, a collision in Tiger-16 can be found with a complexity of about 2^44 applications of the compression function. In the attack a characteristic for the key schedule differences is used which has probability 1 as well as a message modification technique developed for Tiger to force certain differences in the chaining variables after round 6 which can then be canceled by the differences in the expanded message words X8 and X9. For a detailed description of the attack we refer to [2].

4 A Collision Attack on Tiger-19 – Method 1

In this section we present a collision attack on Tiger-19 with complexity of about 2^62 hash computations. First, we show how the attack of Kelsey and Lucks can be extended to construct a pseudo-collision in Tiger-19 with complexity of about 2^44 hash computations. Second, we show how this pseudo-collision can be turned into a collision for Tiger-19 by using a kind of neutral bit technique. The collision attack on Tiger-19 has a complexity of 2^62 hash computations.

4.1 A Pseudo-Collision for Tiger-19

In this section we will show how to construct a pseudo-collision for Tiger-19 with a complexity of about 2^44. The attack is an extension of the attack of Kelsey and Lucks on Tiger-16.

To construct a pseudo-collision in Tiger-19 we use the key schedule difference given in (3). It has probability 1 to hold in the key schedule of Tiger which facilitates the attack.

(0, 0, 0, I, I, I, I, 0) → (0, 0, 0, I, I, 0, 0, 0) → (0, 0, 0, I, I, I, I, I) (3)

Note that the key schedule difference from round 3 to 18 is the 16-round difference used by Kelsey and Lucks in the attack on Tiger-16. Hence, we can use the same attack strategy which was used to break Tiger-16 in the attack on Tiger-19 as well. The attack works as follows:

1. Choose arbitrary values for the chaining variables A2, B2, C2 for round 3.

2. Employ the attack on 16 rounds, to find message words X3, . . . , X7 and X8[even], X9[even] such that the output after round 18 collides.

3. To compute the real message words X0, . . . , X7, we have to choose suitable values for X8[odd], X9[odd] and X10, . . . , X15 such that X4, X5, X6 and X7 are correct after computing the key schedule backward. Note that X3 can be chosen freely, because we can modify C2 such that C2 ⊕ X3 stays constant. In detail, we choose arbitrary values for X8[odd], X9[odd], X10, X11 and calculate X12, . . . , X15 as follows.

X12 = (X4 ⊕ (X11 − X10)) − (X11 ⊕ (¬X10 ≫ 23))

X13 = (X5 + (X12 + (X11 ⊕ (¬X10 ≫ 23)))) ⊕ X12

X14 = (X6 − (X13 ⊕ X12 ⊕ (¬(X12 + (X11 ⊕ (¬X10 ≫ 23))) ≫ 23))) + X13

X15 = (X7 ⊕ (X14 − X13)) − (X14 ⊕ 0123456789ABCDEF)

This adds negligible cost to the attack complexity and guarantees that X4, X5, X6 and X7 are always correct after computing the key schedule backward.

4. To compute the initial chaining values A−1, B−1 and C−1 run the rounds 2, 1 and 0 backwards.

Hence, we can construct a pseudo-collision for Tiger-19 with a complexity of about 2^44 applications of the compression function. We can turn this pseudo-collision into a collision for Tiger-19. This is described in detail in the next section.
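The key schedule of Section 2.2 and the backward construction of X12, . . . , X15 from step 3 above, as one added Python example that is not code from the paper or from the Tiger designers. The function and helper names (key_schedule, key_schedule_inverse, complete_x12_to_x15, not64, shl19, shr23) and the sample words are my own; the constants and formulas are those stated on the page. It checks that the schedule is invertible and that the four formulas always yield the wanted X4, . . . , X7 when the schedule is run backwards.

```python
# Added example (not code from the paper or the Tiger designers): the Tiger
# key schedule of Section 2.2, its inverse, and the Section 4.1 construction
# of X12..X15.  Function names are my own; all sample words are constructed.
import random

MASK = (1 << 64) - 1
KS_CONST_1 = 0xA5A5A5A5A5A5A5A5   # constant of the first step
KS_CONST_2 = 0x0123456789ABCDEF   # constant of the second step


def not64(x): return x ^ MASK              # bit-wise NOT of a 64-bit word
def shl19(x): return (x << 19) & MASK      # (¬Y) ≪ 19, truncated to 64 bits
def shr23(x): return x >> 23               # (¬Y) ≫ 23


def key_schedule(words):
    """(X8..X15) = KeySchedule(X0..X7): both steps exactly as tabulated."""
    y = list(words)
    # first step
    y[0] = (y[0] - (y[7] ^ KS_CONST_1)) & MASK
    y[1] ^= y[0]
    y[2] = (y[2] + y[1]) & MASK
    y[3] = (y[3] - (y[2] ^ shl19(not64(y[1])))) & MASK
    y[4] ^= y[3]
    y[5] = (y[5] + y[4]) & MASK
    y[6] = (y[6] - (y[5] ^ shr23(not64(y[4])))) & MASK
    y[7] ^= y[6]
    # second step
    y[0] = (y[0] + y[7]) & MASK
    y[1] = (y[1] - (y[0] ^ shl19(not64(y[7])))) & MASK
    y[2] ^= y[1]
    y[3] = (y[3] + y[2]) & MASK
    y[4] = (y[4] - (y[3] ^ shr23(not64(y[2])))) & MASK
    y[5] ^= y[4]
    y[6] = (y[6] + y[5]) & MASK
    y[7] = (y[7] - (y[6] ^ KS_CONST_2)) & MASK
    return y


def key_schedule_inverse(words):
    """Undo both steps, last assignment first: the 'key schedule backward'."""
    y = list(words)
    # undo second step (each line reads only values not yet restored)
    y[7] = (y[7] + (y[6] ^ KS_CONST_2)) & MASK
    y[6] = (y[6] - y[5]) & MASK
    y[5] ^= y[4]
    y[4] = (y[4] + (y[3] ^ shr23(not64(y[2])))) & MASK
    y[3] = (y[3] - y[2]) & MASK
    y[2] ^= y[1]
    y[1] = (y[1] + (y[0] ^ shl19(not64(y[7])))) & MASK
    y[0] = (y[0] - y[7]) & MASK
    # undo first step
    y[7] ^= y[6]
    y[6] = (y[6] + (y[5] ^ shr23(not64(y[4])))) & MASK
    y[5] = (y[5] - y[4]) & MASK
    y[4] ^= y[3]
    y[3] = (y[3] + (y[2] ^ shl19(not64(y[1])))) & MASK
    y[2] = (y[2] - y[1]) & MASK
    y[1] ^= y[0]
    y[0] = (y[0] + (y[7] ^ KS_CONST_1)) & MASK
    return y


def complete_x12_to_x15(x4, x5, x6, x7, x8, x9, x10, x11):
    """Step 3 of Section 4.1: the four formulas (X8, X9 do not enter them)."""
    t = x11 ^ shr23(not64(x10))                       # X11 ⊕ (¬X10 ≫ 23)
    x12 = ((x4 ^ ((x11 - x10) & MASK)) - t) & MASK
    z4 = (x12 + t) & MASK                             # X12 + (X11 ⊕ (¬X10 ≫ 23))
    x13 = ((x5 + z4) & MASK) ^ x12
    x14 = (((x6 - (x13 ^ x12 ^ shr23(not64(z4)))) & MASK) + x13) & MASK
    x15 = ((x7 ^ ((x14 - x13) & MASK)) - (x14 ^ KS_CONST_2)) & MASK
    return x12, x13, x14, x15


def backward_construction_ok(x4_to_x7, x8_to_x11):
    """True iff running the schedule backwards from (X8..X15) returns the
    wanted X4..X7 in positions 4..7, as the text claims it always does."""
    x12_to_x15 = complete_x12_to_x15(*x4_to_x7, *x8_to_x11)
    recovered = key_schedule_inverse(list(x8_to_x11) + list(x12_to_x15))
    return recovered[4:] == list(x4_to_x7)


def round_trip_ok(seed=2006, trials=200):
    """Invertibility and the backward construction on constructed random words."""
    rng = random.Random(seed)
    for _ in range(trials):
        x = [rng.getrandbits(64) for _ in range(8)]
        if key_schedule_inverse(key_schedule(x)) != x:
            return False
        if not backward_construction_ok(x[4:], x[:4]):
            return False
    return True
```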

4.2 From a Pseudo-Collision to a Collision in Tiger-19

Constructing a collision in Tiger-19 works quite similarly to constructing the pseudo-collision. Again we use the key schedule difference given in (3) and employ the attack on 16 rounds of Tiger. The attack can be summarized as follows.

1. Choose arbitrary values for X0, X1 and X2 and compute the chaining variables A2, B2, C2 for round 3.

2. Employ the attack on 16 rounds, to find the message words X3, . . . , X7 and X8[even], X9[even] such that the output after round 18 collides.

3. To guarantee that X8[even], X9[even] are correct after applying the key schedule, we use the degrees of freedom we have in the choice of X0, X1, X2, X3. Note that for any difference we introduce into X0, one can introduce canceling differences into X1, X2, X3 such that A2, B2 and B3 = C2 ⊕ X3 stay constant. This is a kind of local collision for the first 4 rounds of Tiger.

X0^new = arbitrary
X1^new = C0^new ⊕ C0 ⊕ X1
X2^new = C1^new ⊕ C1 ⊕ X2
X3^new = C2^new ⊕ C2 ⊕ X3

After testing all 2^64 possible choices for X0 and changing X1, X2, and X3 accordingly such that A2, B2 and B3 stay constant, we expect to get the correct values for X8[even], X9[even] after applying the key schedule of Tiger. Hence, this step of the attack has a complexity of about 2^64 key schedule computations and 3 × 2^64 round computations. This is equivalent to about 2^62 applications of the compression function of Tiger-19.

Thus, we can construct a collision in Tiger-19 with complexity of about 2^62 + 2^44 ≈ 2^62 applications of the compression function. We are not aware of any other collision attack on Tiger which works for so many rounds. The best collision attack on Tiger so far was for 16 rounds by Kelsey and Lucks described in [2].

5 Collision Attack on Tiger-19 – Method 2

We now present another method to find collisions for the 19-round Tiger. The attack complexity of this attack method is slightly higher than the one in the previous attack method. One difference from the previous method is that the first method uses a larger message space than the second one. This can be seen where X0 is used in each attack. The first method uses the whole 64 bits of X0 and the second one uses fewer bits of X0.

The attack described here is also an extension of the attack by Kelsey and Lucks. However, our attack is in a different situation from their attack. Their attack precomputes the additive difference L and then uses X6 to cancel it out in the main phase. Similarly, our attack precomputes the additive difference α and then uses X9 to cancel it out in the main phase. The key difference is that their attack controls X6 in a deterministic way but our attack has to do so in a probabilistic way due to the key schedule. This causes the main difficulty we have to solve here.

The outline of the attack is as follows:

1. Search for a good differential characteristic of the message words for 19 rounds.

2. Construct a good differential characteristic for 19 rounds by considering the message word differences expected from the characteristic in Step 1.

3. Divide this characteristic for rounds 3-9 into two consecutive characteristics (characteristic for rounds 3-7 and characteristic for rounds 8-9) so that we can work on them independently.

4. Do the MITM step for the characteristic for rounds 3-7. Determine the chaining values A3, B3, C3 and the message words X4, X5, X6, X7[even].

5. Do the MITM step for the characteristic for rounds 8-9 by varying the message words X0, X1, X2, X3, X7[odd] while keeping the previously determined values unchanged. Determine all of the values.

In the attack, we use the same characteristic for the key schedule as in Section 4 and then construct a differential characteristic as shown in Table 3, where α and γ are some useful values in our attack. We will explain how these values are chosen in the next section.


Table 3 – A collision-producing differential characteristic.

i     ∆(Ai)   ∆(Bi)   ∆(Ci)   ∆(Xi)
3     0       I       *       I
4     *       *       *       I
5     *       *       *       I
6     *       *       γ       I
7     *       γ       I       0
8     α       *       I       0
9     I       I       0       0
10    I       0       I       0
11    0       0       I       I
12    0       0       0       I

5.1 The Precomputation Phase of the Attack

Before performing our attack, we need an algorithm to find a good differential characteristic starting with ∆+(C6) and ending with ∆+(C9) as shown in Table 3. We need the additive difference ∆+(even(B9)) to be equal to ∆+(A8). The question we have here is what difference we want in C6 for obtaining a high probability. A solution to this is to compute the differences backward starting from the additive difference ∆+(B9) = I. By performing experiments, we searched for α and γ such that the corresponding differential probabilities p1, p2 are high (5). As a result, we found a high probability differential characteristic which is shown in the following:

∆+(B9) = I   →[even]   ∆+(even(B9)) = ∆+(A8) = α   with probability p2 ,

∆+(A8) = α   →[÷, +]   ∆+(B7) = γ   with probability 1 ,

∆+(B7) = γ   →[⊕]   ∆+(C6) = ∆+(B7 ⊕ X7) = γ   with probability p1 .

Here the additive differences are

α = 0x80c02103d43214d6 ,

γ = α/7 mod 2^64 = 0xedd24ddbf9be02fa ,

and probabilities are p1 = 2^−26 and p2 = 2^−28. We here study the above characteristic with probability p1 in detail.

In general, for a pair of data (J, J′) and some constant value Q, if we assume the Hamming weight of ∆⊕(J, J′) to be k, then the probability that ∆+(J, J′) = ∆+(J ⊕ Q, J′ ⊕ Q) is 2^−k. This means that k bits of Q are constrained (6) to hold the above equation. Therefore, in the case of the characteristic with probability p1 = 2^−26, we expect α to have 26 active bits as a XOR difference, which imposes a 26-bit condition on X7.

(5) We have searched some sub space for the values α and γ so far. Searching the whole space could give us better values for both of them.

Because of the large number of active bits, it seems plausible to assume that there is a 13-bit condition on X7[even] and a 13-bit condition on X7[odd]. We denote the probabilities that these two conditions hold by p1,even = p1,odd = 2^−13 respectively.
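The counting argument above, as an added Python example that is not from the paper: it enumerates every constant Q for constructed 8-bit words, confirms the 2^−k fraction for a weight-k XOR difference, and shows that the constrained bits of Q are exactly the active positions of ∆⊕(J, J′). It goes one step beyond the page in handling the MSB, which costs no bit because +2^(w−1) and −2^(w−1) coincide modulo 2^w; function names are my own.

```python
# Added example (not from the paper): the Section 5.1 counting argument.
# For J' = J ⊕ D with D of Hamming weight k, J − J' = Σ_{i active} (2·J_i − 1)·2^i
# mod 2^w.  XORing both words with Q flips the sign of term i iff Q_i = 1, so
# the additive difference survives exactly when Q is 0 at every active
# position: a k-bit condition on Q.  Exception (beyond the page's statement):
# an active MSB costs nothing, because +2^(w−1) ≡ −2^(w−1) mod 2^w.
# All sample values below are constructed.
import random


def additive_diff(j, jp, width):
    """∆+(J, J') = J − J' mod 2^width."""
    return (j - jp) % (1 << width)


def preserves(j, d, q, width):
    """True iff ∆+(J ⊕ Q, J' ⊕ Q) == ∆+(J, J') for J' = J ⊕ D."""
    jp = j ^ d
    return additive_diff(j ^ q, jp ^ q, width) == additive_diff(j, jp, width)


def constraint_mask(d, width):
    """Bits of D that constrain Q: every active bit except the MSB."""
    return d & ((1 << (width - 1)) - 1)


def preserving_fraction(j, d, width):
    """Fraction of all 2^width constants Q that preserve ∆+(J, J');
    expected 2^-(number of bits set in constraint_mask(D))."""
    hits = sum(1 for q in range(1 << width) if preserves(j, d, q, width))
    return hits / (1 << width)


def condition_characterisation_holds(j, d, width):
    """True iff for every Q: preserved  <=>  Q & constraint_mask(D) == 0,
    i.e. the probability 2^-k really is a fixed-bit condition on Q."""
    m = constraint_mask(d, width)
    return all(preserves(j, d, q, width) == ((q & m) == 0)
               for q in range(1 << width))


def sampled_fraction(j, d, width=64, samples=1 << 16, seed=1):
    """Monte-Carlo estimate for widths where enumeration is out of reach
    (e.g. Tiger's 64-bit words); expected value is again 2^-k."""
    rng = random.Random(seed)
    hits = sum(1 for _ in range(samples)
               if preserves(j, d, rng.getrandbits(width), width))
    return hits / samples
```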

5.2 The Main Phase of the Attack

We here describe how the main attack phase is performed. As a preparation we present the following lemma explaining the generic birthday attack which will be used for the MITM technique to work.

Lemma 1. Consider two functions f and g having the same output space of n bit length. If we assume that f and g are random and we have r1 inputs for f and r2 inputs for g, the probability of having a pair of inputs (x, y) producing a collision f(x) = g(y) is given by p = 1 − exp(−r1 r2 / 2^n) [3].

This tells us that the MITM step works with some probability even if the number of output differences of the odd or even function is less than 2^32. The main attack phase is performed as follows.

1. Arbitrarily choose the chaining values A3, B3, C3 for round 4.

2. Choose X4[even] and ensure that the difference ∆⊕(C4) is useful. By useful we mean that the corresponding XOR difference has at least 1 active bit in each odd byte, in order to have the 2^32 values for the additive difference ∆+(odd(B5)). The work here is negligible.

3. Choose X4[odd] and X5[even] to ensure that the difference ∆⊕(C5) is useful.

4. Perform a MITM step by choosing X5[odd] and X6[even] to get an additive difference γ in C6. The expected work here is approximately 2^33 evaluations of both the odd function and the even function, and we determine X5[odd] and X6[even]. Each failure requires that we go back to Step 3.

5. Set 13 bits of X7[even] to hold the 13-bit condition on X7[even] derived in the precomputation phase in Sect. 5.1 and then perform a MITM step using the generic birthday attack of Lemma 1. This is performed by choosing X6[odd] and the remaining bits of X7[even] to get additive difference I in C7. Each failure requires that we go back to Step 3. The expected work here is about 2^13 computations, each of which consists of two kinds of evaluations: 2^33 evaluations of the odd function and 2^19 evaluations of the even function. We determine X6[odd] and X7[even] at the end of this step.

(6) For example, an XOR difference of 1 is consistent with an additive difference of either −1 or +1. If the low bit in J is 0, the low bit in J′ will be 1, and reaching an additive difference of −1 will require fixing the low bit of Q to 1.

Figure 3 – The information flow from C6 to C9. (Figure not reproduced: rounds 4 to 9 with chaining variables A3, B3, C3 through A9, B9, C9, message words X4 to X9, the functions even and odd, and the additive differences ∆+ = γ, α, I and 0 along the path.)

6. Set 13 bits of X7[odd] to hold the 13-bit condition on X7[odd] derived in the precomputation phase in Sect. 5.1 and then perform a MITM step to get the additive difference I in C8. This is done by randomly choosing the remaining bits of X7[odd] and randomly generating X8[even].

The message word X8[even] is generated in the following way: randomly choose the message word X0 and determine X1, X2, and X3 so that the resulting A3, B3, C3 are consistent with the A3, B3, C3 chosen in Step 1. We then determine X8[even] from the key schedule.

The above MITM step is performed with 2^19 values for ∆+(A7) and 2^28 values for ∆+(even(B8)) (see footnote 7). According to Lemma 1, the success probability of this attack is 2^−17. Therefore the expected work here is about 2^18 computations, each of which consists of two kinds of evaluations: 2^19 evaluations of the odd function and 2^28 evaluations of the even function.

7. Compute X9[even] by processing the key schedule and check whether ∆+even(B9) = ∆+(A8), which means ∆+(C9) = 0. Each failure requires that we go back to Step 6.

5.3 Complexity Analysis

We now discuss the complexity of the attack in Sect. 5.2. The important point when estimating the complexity is that the task of Steps 1-5 can be performed independently of the task of Steps 6-7. We first perform Steps 1-5 and then perform Steps 6-7 without changing the values that have been determined in Steps 1-5.

In order to determine X4, X5, X6, X7[even] by performing Step 1 to Step 5, the required time complexity is equivalent to $p_{1,\mathrm{even}}^{-1} \cdot 2^{33}$ evaluations of the odd function. In order to determine X0, X1, X2, X3, X7[odd] by performing Step 6 to Step 7, the required time complexity is equivalent to $p_2^{-1} \cdot 2^{18} \cdot 2^{28} = 2^{28} \cdot 2^{46} = 2^{74}$ evaluations of the odd function.

The time complexity required by this attack is dominated by the latter part, which is equivalent to 2^69 computations of the compression function of Tiger reduced to 19 rounds.

7 Because of the XOR difference ∆⊕(B8) = I, there is only one active S-box at the input of even(B8). This makes the number of additive differences smaller than 2^32.


6 A Pseudo-Near-Collision for Tiger-22

In this section we present a pseudo-near-collision for Tiger-22 with complexity of about 2^44. In the same way as we construct a pseudo-collision in Tiger-19, we can construct a pseudo-near-collision in Tiger-22. Again we use a key schedule difference that holds with probability 1 in the key schedule of Tiger and employ the attack on 16 rounds of Tiger. The key-schedule difference used in the attack is given in (4).

(0, 0, I, 0, 0, 0, I, I) → (I, 0, 0, 0, 0, 0, I, I) → (0, 0, 0, 0, 0, 0, I, I) (4)

The attack works as follows:

1. Choose arbitrary values for the chaining variables A5, B5, C5 for round 6.

2. Employ the attack on 16 rounds to find message words X6, . . . , X10 and X11[even], X12[even] such that the output after round 21 collides.

3. To compute the real message words X0, . . . , X7, we have to choose suitable values for X11[odd], X12[odd] and X13, . . . , X15 to guarantee that X7 is correct after computing the key schedule backward. Therefore, we choose arbitrary values for X11[odd], X12[odd], X13, X14 and calculate X15 as follows:

X15 = (X7 ⊕ (X14 − X13)) − (X14 ⊕ 0123456789ABCDEF)

This adds negligible cost to the attack complexity and guarantees that X7 is correct after computing the key schedule backward. Note that X6 can be chosen freely, because we can modify C5 such that C5 ⊕ X6 stays constant.

4. Run the rounds 5, 4, 3, 2, 1 and 0 backwards to compute the initial values A−1, B−1 and C−1. Since there is a difference in the message word X2 in the MSB, we have to introduce the same difference in the initial value to cancel it out, namely

∆⊕(B−1) = I .

Since the difference is in the MSB this happens with probability 1.

5. Of course, the feed forward destroys the pseudo-collision. After the feed forward we get the same output differences as in the initial values. Since the difference is in the MSB, this has probability 1.

∆⊕(B′21) = ∆⊕(B−1 − B21) = I

Hence, we can construct a pseudo-near-collision for Tiger-22 with complexity of about 2^44. For an ideal hash function with a 192-bit hash value we would expect a complexity of about 2^90 to construct a pseudo-near-collision with a one-bit difference. Note that a pseudo-near-collision for Tiger-21 with a one-bit difference can be found with the same complexity. A detailed description of the attack is given in the appendix.


7 A Pseudo-Collision for Tiger-23/128

Tiger/128 is a variant of Tiger where the final hash value is truncated to 128 bits. This variant was specified in [1] to make Tiger compatible with MD5. In this section, we present a pseudo-collision for 23 rounds of Tiger/128. In detail, we can turn the pseudo-near-collision for Tiger-22 into a pseudo-collision for Tiger-23/128 by adding one additional round. If we add one round then the output after 23 rounds has the following differences in the chaining variables:

∆⊕(A22) = 0, ∆⊕(B22) = I, ∆⊕(C22) ≠ 0 (arbitrary) .

Due to the feed-forward the difference in B22 cancels out with probability 1. Hence, we have a pseudo-collision in Tiger-23/128, since only registers A and B are used for the final hash value of Tiger-128. The attack has a complexity of about 2^44 applications of the compression function.

8 Conclusion

In [2], Kelsey and Lucks discussed the possibility of extending their attack to more rounds of Tiger and the applicability of their attack techniques to the full hash function.

In this article, we presented two strategies for constructing collisions in the Tiger-19 hash function. The first has a complexity of about 2^62 hash computations and the second has a slightly higher complexity of about 2^69 hash computations.

The best attack on a reduced variant of Tiger so far was proposed by Kelsey and Lucks in [2]. They showed a collision attack on Tiger-16 with a complexity of about 2^44 and a pseudo-near-collision for a variant of Tiger with 20 rounds with a complexity of about 2^48. We have extended their approach to show collision attacks on Tiger-19 and presented a pseudo-near-collision for Tiger-22 and a pseudo-collision for Tiger-23/128. Based on this we conclude that the security margin of Tiger is not as large as one could hope for. It remains a topic of further research to determine whether the attacks can be extended to Tiger variants with more than 23 rounds.

Acknowledgement

The authors wish to thank Antoine Joux, Elisabeth Oswald, and the anonymousreferees for useful comments and discussions.

References

[1] Ross J. Anderson and Eli Biham. TIGER: A Fast New Hash Function. In Dieter Gollmann, editor, Fast Software Encryption, Third International Workshop, Cambridge, UK, February 21-23, 1996, Proceedings, volume 1039 of LNCS, pages 89–97. Springer, 1996.

[2] John Kelsey and Stefan Lucks. Collisions and Near-Collisions for Reduced-Round Tiger. In Matt Robshaw, editor, Fast Software Encryption, 13th International Workshop, FSE 2006, Graz, Austria, March 15-17, 2006, volume 4047 of LNCS, pages 111–125. Springer, 2006.

[3] Alfred J. Menezes, Paul C. van Oorschot, and Scott A. Vanstone. Handbook of Applied Cryptography. CRC Press, 1997. Available online at http://www.cacr.math.uwaterloo.ca/hac/.

[4] Xiaoyun Wang, Yiqun Lisa Yin, and Hongbo Yu. Finding Collisions in the Full SHA-1. In Victor Shoup, editor, Advances in Cryptology - CRYPTO 2005, 25th Annual International Cryptology Conference, Santa Barbara, California, USA, August 14-18, 2005, Proceedings, volume 3621 of LNCS, pages 17–36. Springer, 2005.

[5] Xiaoyun Wang and Hongbo Yu. How to Break MD5 and Other Hash Functions. In Ronald Cramer, editor, Advances in Cryptology - EUROCRYPT 2005, 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Aarhus, Denmark, May 22-26, 2005, Proceedings, volume 3494 of LNCS, pages 19–35. Springer, 2005.

9 Appendix

9.1 A Pseudo-Near-Collision for Tiger-21

In a similar way as we construct a pseudo-near-collision in Tiger-22, we can construct a pseudo-near-collision for Tiger-21. For the attack we use the key-schedule difference given in (5). It holds with probability 1 in the key schedule of Tiger.

(0, I, 0, 0, 0, I, I, I) → (0, 0, 0, 0, 0, I, I, 0) → (0, 0, 0, 0, 0, I, I, I) (5)

Again we use the attack on 16 rounds of Tiger (described in Section 3) to construct a pseudo-near-collision in Tiger-21. The attack works as follows:

1. Choose arbitrary values for the chaining variables A4, B4, C4 for round 5.

2. Employ the attack on 16 rounds to find message words X5, . . . , X9 and X10[even], X11[even] such that the output after round 20 collides.

3. To compute the real message words X0, . . . , X7, we have to choose suitable values for X10[odd], X11[odd] and X12, . . . , X15 such that X6 and X7 are correct after computing the key schedule backward. Therefore, we choose arbitrary values for X10[odd], X11[odd] and X12, X13 and calculate X14, X15 as follows:

X14 = (X6 − (X13 ⊕ X12 ⊕ (¬(X12 + (X11 ⊕ (¬X10 ≫ 23))) ≫ 23))) + X13

X15 = (X7 ⊕ (X14 − X13)) − (X14 ⊕ 0123456789ABCDEF)

This adds negligible cost to the attack complexity, and X6, X7 are always correct after computing the key schedule backward. Note that X5 can be chosen freely, because we can modify C4 such that C4 ⊕ X5 stays constant.

4. Run the rounds 4, 3, 2, 1 and 0 backwards to compute the initial values A−1, B−1 and C−1. Since there is a difference in the message word X1 in the MSB, we introduce the same difference in the initial value to cancel it out. Since the difference is in the MSB, this happens with probability 1.

∆⊕(A−1) = I

5. Of course, the feed forward destroys the pseudo-collision. After the feed forward we get the same output differences as in the initial values:

∆⊕(A′20) = ∆⊕(A−1 ⊕ A20) = I .

Hence, we can construct a pseudo-near-collision for Tiger-21 with complexity of about 2^44 applications of the compression function. For an ideal hash function with a 192-bit hash value we would expect a complexity of about 2^90 applications of the compression function instead of 2^44.
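As an added example that is not part of the paper, the following Python code implements the Tiger key schedule of [1] forward and backward and uses it to check two things stated above: that the key-schedule differences (4) and (5) hold with probability 1 for an MSB difference I, and that choosing X15 as in Sect. 6 step 3 (respectively X14 and X15 as in step 3 above) makes the backward key schedule return the intended X7 (respectively X6 and X7). The sample words and the target values are constructed for the demonstration and are not values from the attack.

```python
"""Tiger key schedule, forward and backward, used to check the probability-1 key-schedule
differences (4) and (5) and the backward computation of X15 (Sect. 6) and X14, X15
(Sect. 9.1). Added example following the Tiger specification [1]; not code from the paper."""
import random
from typing import List, Sequence

MASK = (1 << 64) - 1
I_DIFF = 1 << 63             # the MSB difference "I" used throughout the attacks
C1 = 0xA5A5A5A5A5A5A5A5      # first key-schedule constant of Tiger
C2 = 0x0123456789ABCDEF      # second key-schedule constant (the one in the X15 equation)


def _not(v: int) -> int:
    return v ^ MASK


def key_schedule(x: Sequence[int]) -> List[int]:
    """One Tiger key-schedule pass: (X_i, ..., X_{i+7}) -> (X_{i+8}, ..., X_{i+15})."""
    x0, x1, x2, x3, x4, x5, x6, x7 = x
    x0 = (x0 - (x7 ^ C1)) & MASK
    x1 ^= x0
    x2 = (x2 + x1) & MASK
    x3 = (x3 - (x2 ^ ((_not(x1) << 19) & MASK))) & MASK
    x4 ^= x3
    x5 = (x5 + x4) & MASK
    x6 = (x6 - (x5 ^ (_not(x4) >> 23))) & MASK
    x7 ^= x6
    x0 = (x0 + x7) & MASK
    x1 = (x1 - (x0 ^ ((_not(x7) << 19) & MASK))) & MASK
    x2 ^= x1
    x3 = (x3 + x2) & MASK
    x4 = (x4 - (x3 ^ (_not(x2) >> 23))) & MASK
    x5 ^= x4
    x6 = (x6 + x5) & MASK
    x7 = (x7 - (x6 ^ C2)) & MASK
    return [x0, x1, x2, x3, x4, x5, x6, x7]


def key_schedule_inverse(y: Sequence[int]) -> List[int]:
    """The same pass run backwards: (X_{i+8}, ..., X_{i+15}) -> (X_i, ..., X_{i+7})."""
    x0, x1, x2, x3, x4, x5, x6, x7 = y
    x7 = (x7 + (x6 ^ C2)) & MASK
    x6 = (x6 - x5) & MASK
    x5 ^= x4
    x4 = (x4 + (x3 ^ (_not(x2) >> 23))) & MASK
    x3 = (x3 - x2) & MASK
    x2 ^= x1
    x1 = (x1 + (x0 ^ ((_not(x7) << 19) & MASK))) & MASK
    x0 = (x0 - x7) & MASK
    x7 ^= x6
    x6 = (x6 + (x5 ^ (_not(x4) >> 23))) & MASK
    x5 = (x5 - x4) & MASK
    x4 ^= x3
    x3 = (x3 + (x2 ^ ((_not(x1) << 19) & MASK))) & MASK
    x2 = (x2 - x1) & MASK
    x1 ^= x0
    x0 = (x0 + (x7 ^ C1)) & MASK
    return [x0, x1, x2, x3, x4, x5, x6, x7]


def difference_pattern_holds(pattern_in: Sequence[int], pattern_out: Sequence[int],
                             trials: int = 256, seed: int = 1) -> bool:
    """XOR I into the words flagged in pattern_in for random inputs and check that the
    output XOR difference is exactly I in the words flagged in pattern_out, every time."""
    rng = random.Random(seed)                       # constructed sample inputs
    for _ in range(trials):
        x = [rng.getrandbits(64) for _ in range(8)]
        x_prime = [w ^ (I_DIFF if p else 0) for w, p in zip(x, pattern_in)]
        diff = [a ^ b for a, b in zip(key_schedule(x), key_schedule(x_prime))]
        if diff != [I_DIFF if p else 0 for p in pattern_out]:
            return False
    return True


def x15_for_target_x7(x7: int, x13: int, x14: int) -> int:
    """Sect. 6 step 3: X15 = (X7 xor (X14 - X13)) - (X14 xor 0123456789ABCDEF)."""
    return ((x7 ^ ((x14 - x13) & MASK)) - (x14 ^ C2)) & MASK


def tiger22_backward(x8_to_x14: Sequence[int], x7: int) -> List[int]:
    """With X8..X14 fixed, choose X15 by the equation above and run the schedule backwards;
    the returned words X0..X7 have X7 equal to the target."""
    x15 = x15_for_target_x7(x7, x8_to_x14[5], x8_to_x14[6])
    return key_schedule_inverse(list(x8_to_x14) + [x15])


def tiger21_backward(x8_to_x13: Sequence[int], x6: int, x7: int) -> List[int]:
    """Sect. 9.1 step 3: with X8..X13 fixed, derive X14 and then X15 so that both X6 and X7
    come out right after the backward key schedule."""
    x10, x11, x12, x13 = x8_to_x13[2:6]
    inner = (x12 + (x11 ^ (_not(x10) >> 23))) & MASK
    x14 = (((x6 - (x13 ^ x12 ^ (_not(inner) >> 23))) & MASK) + x13) & MASK
    x15 = x15_for_target_x7(x7, x13, x14)
    return key_schedule_inverse(list(x8_to_x13) + [x14, x15])


# Constructed sample words (not from the paper) for the checks.
SAMPLE_WORDS = [0x0123456789ABCDEF, 0xFEDCBA9876543210, 0xF096A5B4C3D2E1F0,
                0xE7E6E5E4E3E2E1E0, 0x8899AABBCCDDEEFF, 0x0011223344556677,
                0xA5A5A5A5A5A5A5A5, 0x5A5A5A5A5A5A5A5A]

if __name__ == "__main__":
    print("(4):", difference_pattern_holds((0, 0, 1, 0, 0, 0, 1, 1), (1, 0, 0, 0, 0, 0, 1, 1)),
          difference_pattern_holds((1, 0, 0, 0, 0, 0, 1, 1), (0, 0, 0, 0, 0, 0, 1, 1)))
    print("(5):", difference_pattern_holds((0, 1, 0, 0, 0, 1, 1, 1), (0, 0, 0, 0, 0, 1, 1, 0)),
          difference_pattern_holds((0, 0, 0, 0, 0, 1, 1, 0), (0, 0, 0, 0, 0, 1, 1, 1)))
    print("X7 recovered:", tiger22_backward(SAMPLE_WORDS[:7], 0x1122334455667788)[7] == 0x1122334455667788)
```

The difference checks pass for every input because an MSB XOR difference and an additive difference of 2^63 coincide modulo 2^64, and the shifts by 19 and 23 in the schedule discard the MSB before it can spread; the backward computations are exact inversions of the schedule, so no probabilistic step is involved, which is why the text can call their cost negligible.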

9.2 A Pseudo-Collision for Tiger-21

In a similar way as we construct a pseudo-near-collision in Tiger-21, we can construct a pseudo-collision in Tiger-21. For the attack we again use the key-schedule difference given in (5). The attack can be summarized as follows:

1. Choose arbitrary values for the chaining variables A0, B0, C0 for round 1.

2. Choose random values for X1, X2, X3, X4 and calculate A4, B4, C4.

3. Employ the attack on 16 rounds of Tiger to find message words X5, . . . , X9 and X10[even], X11[even] such that the output after round 20 collides.

4. To compute the real message words X0, . . . , X7, we have to choose suitable values for X0, X1 and X2 such that X8, X9 and X10[even], X11[even] are correct after computing the key schedule. Note that X0 and X1 can be chosen freely, because we can modify C0 and C1 such that C−1 ⊕ X0 and C0 ⊕ X1 stay constant. Since a difference is introduced by X1, we have after round 1 that ∆⊕(C1) ≠ 0. Hence, X2 cannot be chosen freely.


However, since we can choose the value of C0 ⊕ X1 at the beginning of the attack, we can guarantee that the Hamming weight of ∆⊕(C1) is small. Computer experiments show that the smallest weight we can get is 22. Consequently there are 2^(64−22) = 2^42 possible choices for C1 and X2 such that ∆⊕(C1 ⊕ X2) and C1 ⊕ X2 stay constant. Hence, we have 2^(64+64+42) = 2^170 degrees of freedom in the key schedule of Tiger. Therefore, we have to repeat the attack at most 2^22 times to guarantee that X8, X9 and X10[even], X11[even] are correct after applying the key schedule.

Hence, we can find a pseudo-collision in Tiger-21 with a complexity of about 2^(44+22) = 2^66 applications of the compression function. Note that we assume in the analysis that it is computationally easy to find suitable values for X0, X1, X2.


Publication

MAME: A Compression Function with Reduced Hardware Requirements

Publication Data

H. Yoshida, D. Watanabe, K. Okeya, J. Kitahara, H. Wu, Ö. Küçük, and B. Preneel, “MAME: a compression function with reduced hardware requirements,” Cryptographic Hardware and Embedded Systems, CHES 2007, LNCS, vol. 4727, Springer, pp. 148–165, 2007.

Contributions

• Principal author. We performed a security analysis of the MAME compression function. The design of MAME was performed by Dai Watanabe. A hardware implementation of MAME was performed by Jun Kitahara.


MAME: A Compression Function with Reduced Hardware Requirements ∗

Hirotaka Yoshida1, Dai Watanabe1, Katsuyuki Okeya1, Jun Kitahara1, Hongjun Wu2, Özgül Küçük2, and Bart Preneel2

1 Systems Development Laboratory, Hitachi, Ltd., 1099 Ohzenji, Asao-ku, Kawasaki-shi, Kanagawa-ken, 215-0013 Japan

2 Katholieke Universiteit Leuven, Dept. ESAT/SCD-COSIC, Kasteelpark Arenberg 10, B–3001 Heverlee, Belgium

Abstract. This paper describes a new compression function, MAME, designed for hardware-oriented hash functions which can be used in applications with reduced hardware requirements. MAME takes a 256-bit message block and a 256-bit chaining variable as input and produces a 256-bit output. In the light of recent attacks on MD5 and SHA-1, our design strategy is very conservative, and we show that our compression function is secure against various kinds of widely known attacks with very large security margins. Simple logical operations and hardware-efficient S-boxes are used to achieve a hardware implementation of MAME requiring only 8.1 Kgates in 0.18 µm technology.

Keywords: hash functions, compression functions, low-resource implementation

1 Introduction

Ubiquitous systems are becoming popular in a wide variety of applications such as secure supply-chain automation, proving the genuineness of goods, etc. These applications have to deal with security problems such as confidentiality and, more importantly, authentication and privacy. Thus, the importance of secure cryptographic techniques in ubiquitous systems has increased significantly. However, in order to develop secure ubiquitous systems, cryptographic algorithms must be implemented in resource-restricted environments, such as low-cost or low-power environments. For authentication, what has been commonly used is cryptographic hash functions and their applications.

A cryptographic hash function is an algorithm that takes input strings of arbitrary (typically very large) length and maps these to short fixed-length output strings. Most hash functions proposed so far are called iterated hash functions, which are constructed from a compression function. They work as follows. Let h be a compression function. The message m is padded to a multiple of the block length and subsequently divided into t blocks M1, . . . , Mt. Then the hash value is taken as Ht, where Hi = h(Hi−1, Mi) and H0 = IV is called an initial value. The values Hi are called the chaining variables.

∗This work was supported in part by a consignment research from the National Institute on Information and Communications Technology (NiCT), Japan. This work was supported in part by the Concerted Research Action (GOA) Ambiorics 2005/11 of the Flemish Government.

A secure cryptographic hash function has to satisfy the following requirements:

• preimage resistance: it is computationally infeasible to find any input which hashes to any pre-specified output.

• second preimage resistance: it is computationally infeasible to find any second input which has the same output as any specified input.

• collision resistance: it is computationally infeasible to find a collision, i.e. two distinct inputs that hash to the same result.

For an ideal hash function with an m-bit output, finding a preimage or a second preimage requires about 2^m operations, and the fastest way to find a collision is the birthday attack, which needs approximately 2^(m/2) operations.

In order to satisfy those security requirements, most iterated hash functions use the Merkle-Damgård (MD) strengthening, which fixes the IV and appends the message length to the message (to prevent extension attacks).

In recent years, there has been much progress in the cryptanalysis of iterated hash functions. Attacks on collision resistance have been reported for the most widely used iterated hash functions such as MD5 [26] and SHA-1 [22]. Meanwhile, iterated hash functions with the MD strengthening were shown to be susceptible to several generic kinds of attacks (independent of the specific compression function), such as the long-message second preimage attack [11, 14, 15] and the attack for finding multi-collisions [13].

We argue that the design strategy of hash functions and security evaluation methods must be revisited. As for security, we limit ourselves to collision resistance because the above second preimage attack still requires a higher complexity than the birthday attack does. One way of viewing the collision attacks mentioned above is that these attacks essentially apply differential cryptanalysis [5] to find collisions. One could claim that a new hash function is only taken seriously if it is accompanied with evidence that it resists differential cryptanalysis.

In order to have a secure implementation, it is highly recommended to have a chaining value of 256 bits. Thus, an implementor could use SHA-256 [22]. However, SHA-256 has a large footprint, as it was designed for 32-bit processors using XORs, shifts, and modular addition.

This motivates us to develop a new compression function, MAME, to be used with any domain extension algorithm in order to build a lightweight hash function. MAME accepts a chaining value of 256 bits and message blocks of 256 bits. The output size is 256 bits as well.


The outline of this paper is as follows. In Sect. 2, we give the specification of the MAME compression function. In Sect. 3, we explain our design strategy. In Sect. 4, we evaluate the security of MAME. We then discuss the performance issues in Sect. 5. Our conclusions are given in Sect. 7.

2 Specification

2.1 Notation

The specification uses the following notation:

⊕   bit-wise exclusive-or
||   concatenation
≫ n   n-bit rotation to the right (32-bit words)
≪ n   n-bit rotation to the left (32-bit words)

In the remainder of this paper, we denote the message block by M and the chaining variable by H for simplicity.

2.2 The Algorithm of MAME

The MAME compression function, denoted by h, is constructed from the block cipher fE defined below in the manner known as the Matyas-Meyer-Oseas (MMO) mode ([19], p. 340): h(H, M) = fE(H, M) ⊕ M.

2.2.1 Overview of the Block Cipher

The structure of the block cipher fE(·, ·) is shown in Figure 1. The block size and the key size of the block cipher fE are both 256 bits. The cipher is a type-1 4-branch generalized Feistel network (GFN) [29] with 96 rounds. For implementation reasons, each of the branches is stored in two 32-bit words.

Figure 1 – The structure of the encryption function. (Figure not reproduced: it shows the constant generator, initialized with c(0) and iterating fC, feeding the key scheduling function, which iterates fK on the key input; the resulting round keys drive the message mixing function, which iterates fR on the message input to produce the output.)

The cipher is broken down into three parts: the constant generation function, the key schedule function and the mixing function, each of which uses a sub-function iteratively. We denote the corresponding sub-functions by fC, fK, and fR respectively.

The constant generator is initialized with the initial constant value c(0) and generates a round constant C(r) by iteratively applying the round constant generation function fC. Together with the key, these round constants are used as input parameters to the key schedule function.

The round keys K(r) are calculated from the key by iteratively applying the round key generation function fK. Each round of the key schedule function generates the round key K(r), which becomes the sub-key to the round function fR. Finally, the mixing function uses the round function fR iteratively to transform a message block into a ciphertext.

2.2.2 The Mixing Function

The mixing function is defined by iterating the round function fR. The input variables of fR are x0, x1, . . . , x7, each a 32-bit word. The 256-bit plaintext is denoted by P = (p0, p1, . . . , p7) and the 256-bit ciphertext by E = (e0, e1, . . . , e7); the mixing function is defined as follows:

$$(x^{(0)}_0, x^{(0)}_1, \ldots, x^{(0)}_7) = (p_0, p_1, \ldots, p_7),$$

$$(x^{(r)}_0, x^{(r)}_1, \ldots, x^{(r)}_7) = f_R(x^{(r-1)}_0, x^{(r-1)}_1, \ldots, x^{(r-1)}_7), \quad 1 \le r \le 96,$$

$$(e_0, e_1, \ldots, e_7) = (x^{(96)}_0, x^{(96)}_1, \ldots, x^{(96)}_7).$$

The round function fR consists of a key addition, a non-linear function F , anda word-wise permutation.

In the key addition operation, the round subkey K(r) from the key schedule is XORed with x4. The F function is a non-linear transformation with 2-word input and 2-word output. The inputs of the F function are x4 ⊕ K(r) and x5. The output of the F function is XORed with x6, x7. We denote the most significant word of the output of the F function by FH, and the least significant word by FL. Figure 2 describes the round function fR, which is defined as follows:

$$x^{(r)}_0 = x^{(r-1)}_6 \oplus F(x^{(r-1)}_4 \oplus K^{(r)}, x^{(r-1)}_5)_H,$$

$$x^{(r)}_1 = x^{(r-1)}_7 \oplus F(x^{(r-1)}_4 \oplus K^{(r)}, x^{(r-1)}_5)_L,$$

$$x^{(r)}_2 = x^{(r-1)}_0, \quad x^{(r)}_3 = x^{(r-1)}_1, \quad x^{(r)}_4 = x^{(r-1)}_2,$$

$$x^{(r)}_5 = x^{(r-1)}_3, \quad x^{(r)}_6 = x^{(r-1)}_4, \quad x^{(r)}_7 = x^{(r-1)}_5.$$

Figure 2 – The round function fR. (Figure not reproduced: it shows the eight input words x0^(r−1), . . . , x7^(r−1), the XOR of K(r) into x4, the F function acting on two words, its output XORed into x6 and x7, and the eight output words x0^(r), . . . , x7^(r).)

We now describe how the F function works. We denote the input words to the F function by aH, aL. The F function consists of two layers, the S-box layer S and the linear diffusion layer L. Each of the two layers is a transformation with a 64-bit input and a 64-bit output. The F function is the composition of these two transformations: F = L ∘ S.

The S-box layer was designed for bit-slice implementations. It uses a substitution table S with a 4-bit input and a 4-bit output, which is defined as follows:

S[16] = 4, 14, 15, 1, 13, 9, 10, 0, 11, 2, 7, 12, 3, 6, 8, 5.

Denoting the output words by bH, bL, the S-box layer S is defined as follows:

$$b_{H,i+16} \,||\, b_{H,i} \,||\, b_{L,i+16} \,||\, b_{L,i} = S[\,a_{H,i+16} \,||\, a_{H,i} \,||\, a_{L,i+16} \,||\, a_{L,i}\,], \quad 0 \le i < 16.$$

The linear diffusion layer L consists of cyclic rotations and XOR operations and is defined as follows:

bL = bL ⊕ (bH ≪ 1), bH = bH ⊕ (bL ≪ 3), bL = bL ⊕ (bH ≪ 4),

bH = bH ⊕ (bL ≪ 7), bL = bL ⊕ (bH ≪ 8), bH = bH ⊕ (bL ≪ 14).

2.2.3 The Key Schedule Function

The round-key generation function fK has the same structure as fR. The difference is that fK takes the key as input instead of the plaintext, and the subkeys are generated by the constant generation function (rather than the key schedule function).

$$k^{(r)}_0 = k^{(r-1)}_6 \oplus F(k^{(r-1)}_4 \oplus C^{(r)}, k^{(r-1)}_5)_H,$$

$$k^{(r)}_1 = k^{(r-1)}_7 \oplus F(k^{(r-1)}_4 \oplus C^{(r)}, k^{(r-1)}_5)_L,$$

$$k^{(r)}_2 = k^{(r-1)}_0, \quad k^{(r)}_3 = k^{(r-1)}_1, \quad k^{(r)}_4 = k^{(r-1)}_2,$$

$$k^{(r)}_5 = k^{(r-1)}_3, \quad k^{(r)}_6 = k^{(r-1)}_4, \quad k^{(r)}_7 = k^{(r-1)}_5.$$

The r-th round key K(r) is defined by $K^{(r)} = k^{(r)}_3$.


2.2.4 The Round Constants Generation

The input C(r) to the round-key generation function fK is generated sequentially from a fixed initial value c(0) by means of a simple linear transformation fC. Starting from the fixed initial value c(0) = 0xcae1ac3f55054a96, the round-constant generation function fC generates 64-bit variables c(r) in the following manner:

$$t_H \,||\, t_L = f_L(c^{(r-1)}), \qquad c^{(r)} = t_L \,||\, t_H,$$

where fL is a linear feedback shift register (LFSR) defined by the polynomial g(x) over GF(2) described in the Annex. The r-th round constant C(r) uses the 32 least significant bits of c(r).

3 Design Rationale

In our design of MAME, we aim to satisfy the following requirements:

• The security analysis should be simple in order to have confidence in the design.

• The security margins should be large enough to ensure long-term security as a 256-bit hash function.

• It should be possible to achieve compact implementations in hardware.

• The software performance on general purpose machines should be good.

To meet these goals, we use the following design principles:

• Minimize the input/output length while achieving the required security.

• Use only known and understood building blocks such as XORs, which makes security assessment less complicated than with most previous hash functions, which use building blocks like arithmetic operations for which the full analysis is hard.

• Use a conservative estimate for the number of rounds, the choice of which takes into account attacks applying input/output whitening techniques.

3.1 Parameter (input/output)

Since the output length of MAME is 256 bits, the message block length has to be at least the same size. From the hardware implementation point of view, a shorter input length implies that the number of required registers is smaller. Therefore we determined that the length of the message block is 256 bits.


3.2 Structure

We note that the SP structure is considered to be more hardware-consuming than the Feistel structure. Thus, we have chosen to use a Feistel network over an SP network. We have decided to use the unbalanced Feistel construction, which allows for a more compact implementation without losing security (given sufficiently many rounds).

3.3 The Mode to Construct the Compression Function

The use of the MMO mode allows the use of block cipher theory in understanding the security of MAME. The MMO mode is also more likely to withstand side-channel attacks (e.g., when the hash function is used for key derivation) than the common Davies-Meyer mode [23].

3.4 The F Function

The function F is the most significant component of MAME. To reduce the area requirements, 16 small 4-bit-to-4-bit S-boxes are used in parallel. To increase the software performance, those 16 small S-boxes are identical to enable bit-slice implementation. The linear diffusion layer uses simple rotations and XORs to reduce hardware and software complexity. Security-wise, we have chosen the diffusion layer to have a branch number of 8.

As for the S-box, we adopted a function which is affine equivalent to the inversion function in GF(2^4) for security reasons. We imposed the restriction that S has no fixed points. The S-box has the following properties:

• Maximum differential and linear probabilities are 2^−2.

• The degree of the Boolean polynomial of every output bit is 3.

• The number of monomials of the polynomial expression over GF(2^4) is 14.
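The following Python code is an added example, not the designers' implementation. It assembles the components specified in Sect. 2 (the bit-sliced S-box layer, the diffusion layer L, F, fR, fK and the MMO wrapper) and checks the S-box properties claimed above by exhaustive computation over the 16 inputs. Two assumptions are made: the concatenation in the S-box layer definition is read with its left-most bit as the most significant bit of the index, and, because the round-constant LFSR is only given in the paper's Annex, the 96 round constants are passed in by the caller. The code also shows that fR is invertible without inverting F, which is what the generalized Feistel structure buys.

```python
"""Building blocks of MAME as given in Sect. 2 (S-box layer, diffusion layer L, F, the round
function f_R, the key-schedule step f_K and the MMO wrapper) plus a check of the S-box claims
of Sect. 3.4. Added example, not the designers' reference code. The round-constant LFSR is
in the paper's Annex and is not reproduced here, so the 96 constants C(1..96) are supplied
by the caller (an assumption of this example)."""
from typing import Dict, List, Sequence, Tuple

MASK32 = 0xFFFFFFFF
SBOX = [4, 14, 15, 1, 13, 9, 10, 0, 11, 2, 7, 12, 3, 6, 8, 5]   # S[16] of Sect. 2.2.2


def rotl32(x: int, n: int) -> int:
    """n-bit left rotation of a 32-bit word (the <<< n of the specification)."""
    n %= 32
    return ((x << n) | (x >> (32 - n))) & MASK32


def sbox_layer(aH: int, aL: int) -> Tuple[int, int]:
    """Bit-sliced S layer: S-box i reads (aH[i+16], aH[i], aL[i+16], aL[i]), assumed MSB
    first, and writes its 4 output bits back to the same positions of (bH, bL)."""
    bH = bL = 0
    for i in range(16):
        nib = (((aH >> (i + 16)) & 1) << 3) | (((aH >> i) & 1) << 2) \
            | (((aL >> (i + 16)) & 1) << 1) | ((aL >> i) & 1)
        out = SBOX[nib]
        bH |= (((out >> 3) & 1) << (i + 16)) | (((out >> 2) & 1) << i)
        bL |= (((out >> 1) & 1) << (i + 16)) | ((out & 1) << i)
    return bH, bL


def linear_layer(bH: int, bL: int) -> Tuple[int, int]:
    """Diffusion layer L: the six rotate-and-XOR steps of Sect. 2.2.2, in the given order."""
    bL ^= rotl32(bH, 1)
    bH ^= rotl32(bL, 3)
    bL ^= rotl32(bH, 4)
    bH ^= rotl32(bL, 7)
    bL ^= rotl32(bH, 8)
    bH ^= rotl32(bL, 14)
    return bH, bL


def F(aH: int, aL: int) -> Tuple[int, int]:
    """F = L o S, returning (F_H, F_L)."""
    return linear_layer(*sbox_layer(aH, aL))


def round_function(x: Sequence[int], K: int) -> List[int]:
    """f_R: F acts on (x4 xor K, x5), is XORed into (x6, x7), and the branches shift."""
    fH, fL = F(x[4] ^ K, x[5])
    return [x[6] ^ fH, x[7] ^ fL, x[0], x[1], x[2], x[3], x[4], x[5]]


def round_function_inverse(y: Sequence[int], K: int) -> List[int]:
    """Undo f_R; the Feistel structure makes this possible without inverting F."""
    fH, fL = F(y[6] ^ K, y[7])
    return [y[2], y[3], y[4], y[5], y[6], y[7], y[0] ^ fH, y[1] ^ fL]


def mame_encrypt(key: Sequence[int], pt: Sequence[int], constants: Sequence[int]) -> List[int]:
    """f_E: 96 rounds. f_K has the structure of f_R with C(r) as subkey, and K(r) = k3^(r)."""
    assert len(key) == 8 and len(pt) == 8 and len(constants) == 96
    k, x = list(key), list(pt)
    for C in constants:
        k = round_function(k, C)           # this is f_K
        x = round_function(x, k[3])        # K(r) = k_3^(r)
    return x


def mame_compress(H: Sequence[int], M: Sequence[int], constants: Sequence[int]) -> List[int]:
    """MMO mode of Sect. 2.2: h(H, M) = f_E(H, M) xor M, chaining value used as the key."""
    return [e ^ m for e, m in zip(mame_encrypt(H, M, constants), M)]


def sbox_properties() -> Dict[str, object]:
    """Checks the S-box claims of Sect. 3.4 by exhaustive computation over the 16 inputs."""
    ddt_max = max(sum(1 for x in range(16) if SBOX[x] ^ SBOX[x ^ dx] == dy)
                  for dx in range(1, 16) for dy in range(16))
    parity = lambda v: bin(v).count("1") & 1
    lat_max = max(abs(sum(1 for x in range(16) if parity(x & a) == parity(SBOX[x] & b)) - 8)
                  for a in range(16) for b in range(1, 16))
    degrees = []
    for j in range(4):                     # algebraic degree of output bit j via its ANF
        anf = [(SBOX[x] >> j) & 1 for x in range(16)]
        for i in range(4):                 # Moebius transform, one variable at a time
            for x in range(16):
                if x & (1 << i):
                    anf[x] ^= anf[x ^ (1 << i)]
        degrees.append(max(bin(m).count("1") for m in range(16) if anf[m]))
    return {"bijective": sorted(SBOX) == list(range(16)),
            "fixed_points": [x for x in range(16) if SBOX[x] == x],
            "max_diff_prob": ddt_max / 16,          # p_s as defined in Sect. 4.1
            "max_lin_prob": (lat_max / 8) ** 2,     # q_s as defined in Sect. 4.1
            "degrees": degrees}
```

The two probability values are exactly the ps and qs of Sect. 4.1 computed on the 16-entry table, so a practitioner can plug them into the bound on characteristic probabilities once a count of active S-boxes is known; the branch number of L is not checked here because that requires a search over 64-bit inputs rather than a 16-entry table.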

3.5 The Key Schedule Function and the Round Constants

We use the encryption function to derive the subkeys from the key, thus allowing for a large diffusion in the key schedule algorithm. We re-use the F function for the key schedule such that there are no extra hardware/memory requirements. The round constants introduce randomness, non-regularity, and asymmetry into the key schedule function. Thus, attacks which are based on the similarity of the rounds are easily prevented.

4 Security Analysis

Despite the fact that the most threatening attacks on hash functions at this moment are differential attacks, we evaluate the security of MAME with respect to various kinds of widely known attacks on block ciphers. These include not only differential attacks, but also linear attacks, higher-order differential attacks, interpolation attacks and Square attacks.

The methods used to evaluate the compression function’s resistance against these attacks are described below. In general, our analysis indicates that MAME has a large security margin against all of these attacks.

The motivation to analyze the MAME compression function with respect to attacks which do not immediately apply to hash functions as such is that we want to ensure its security against future attacks which might borrow techniques from the field of block cipher cryptanalysis. Another motivation is that a number of block cipher based constructions, including the MMO mode, can be proved to be collision resistant if the underlying block cipher behaves as a pseudo-random function (see [3, 25]). The best way to verify this pseudo-randomness is to apply block cipher analysis techniques to the core function fE, and to see if this reveals any weakness or non-random behavior.

4.1 Differential and Linear Attacks

Considering the fact that the most successful attacks on hash functions are of a differential nature, and that differential [5] and linear cryptanalysis [20] are two of the most powerful tools in block cipher cryptanalysis, we start our evaluation with an analysis of the resistance of $f_E$ against differential and linear attacks.

In order to estimate the strength of $f_E$ with respect to differential and linear attacks, we will try to compute upper bounds on the probabilities of differential and linear characteristics. As is commonly done in block cipher cryptanalysis, we will abstract away the exact differences or masks used in these characteristics, and just consider patterns of active S-boxes. More precisely, instead of analyzing how a full 256-bit difference (or mask) at the input of $f_E$ propagates over different rounds, we only consider a 4 × 16-bit pattern whose bits indicate which of the 64 S-boxes in the first four rounds are active, and analyze to which patterns it can possibly propagate in all subsequent sequences of four consecutive rounds. In order to simplify notation in the remainder of this section, we will denote by $x$ the 16-bit pattern of active S-boxes that corresponds with a 64-bit difference or mask $x$ at the input of the function $F$. Once we have found a bound on the total number of active S-boxes in a characteristic, we can apply the following theorem:

Theorem 1. Let $D_{\min}$ and $L_{\min}$ be lower bounds on the total number of active S-boxes in a differential/linear characteristic. Then, the maximum probabilities of the differential/linear characteristics are upper bounded by $p_s^{D_{\min}}$ and $q_s^{L_{\min}}$, respectively, where $p_s$ and $q_s$ denote the maximum differential/linear probabilities of the S-box, and are defined as follows:

$$p_s = \max_{\Delta x \neq 0,\, \Delta y} \Pr[S(x) \oplus S(x \oplus \Delta x) = \Delta y]$$

$$q_s = \max_{\Gamma y \neq 0,\, \Gamma x} \bigl(2 \Pr[x \cdot \Gamma x = S(x) \cdot \Gamma y] - 1\bigr)^2$$


Hereafter, we only explain our method of evaluating the security against differential cryptanalysis, as a similar method applies to linear cryptanalysis because of its duality to differential cryptanalysis [6].

In the case of MAME, we estimate the lower bounds on the number of active S-boxes by applying the Viterbi algorithm often used in error correcting codes. This algorithm considers a set of states, where each pair of states has a distance, and then exhaustively searches for paths with minimum distance. In our case, each state is defined as the intermediate state of $f_E$ after a certain round, and the distance between a state at round $r$ and a state at round $r+1$ is measured by the number of active S-boxes added by an application of the $r$-th round.

However, we had a problem of a too large memory requirement of $2^{64}$ in the Viterbi algorithm.

To solve this, we consider the Hamming weight of a 64-bit difference rather than the 64-bit difference itself. For each 16-bit word $x_i$, $\mathrm{Ham}(x_i)$ ranges from 0 to 16 and can be represented as a 5-bit string. In the end, we manage to truncate the 64-bit space into a 20-bit space, which results in a practical memory usage of $2^{20}$ in carrying out the Viterbi algorithm.

Carrying out the Viterbi algorithm requires us to construct a table representing the propagation of the weight of the differences through $F$, which is shown in Table 1, where 0 indicates that the corresponding transition of the Hamming weight of a difference is not possible, and 1 otherwise. For row $i$ and column $j$, the element $a_{i,j}$ in Table 1 is determined in the following way:

• Case 1 ($i \le 6$): For every 64-bit $x$ such that $\mathrm{Ham}(x) = i$, compute $\mathrm{Ham}(L(x))$. If there exists $x$ such that $\mathrm{Ham}(L(x)) = j$, then let $a_{i,j}$ be 1. Otherwise let $a_{i,j}$ be 0.

• Case 2 ($j \le 6$): For every 64-bit $y$ such that $\mathrm{Ham}(y) = j$, compute $\mathrm{Ham}(L^{-1}(y))$. If there exists $y$ such that $\mathrm{Ham}(L^{-1}(y)) = i$, then let $a_{i,j}$ be 1. Otherwise let $a_{i,j}$ be 0.

• Case 3 (otherwise): Let $a_{i,j}$ be 1.

It took us several hours on a PC to perform the experiments for each case. Table 1 tells us that the branch number of $L$ is equal to 8, which is defined as follows:

Definition 1. The branch number $B_L$ of a linear transformation $L$ is defined by

$$B_L = \min_{x \neq 0} \bigl(\mathrm{Ham}(x) + \mathrm{Ham}(L(x))\bigr),$$

where we denote the Hamming weight of $y$ by $\mathrm{Ham}(y)$.

In the Viterbi algorithm, for an input difference, one standard way of computing the Hamming weight of the output difference is to use the branch number. In this way, we estimate that the value $D_{\min}$ is more than the required number 131 for MAME reduced to 80 rounds.


Table 1 – Branch table for differential attacks (rows: $\mathrm{Ham}(x)$, columns: $\mathrm{Ham}(L(x))$)

Ham(x)\Ham(L(x))   0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16
 0                 1  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0
 1                 0  0  0  0  0  0  0  0  0  0  1  0  1  0  0  1  1
 2                 0  0  0  0  0  0  0  0  1  1  1  1  1  1  1  1  1
 3                 0  0  0  0  0  1  1  1  1  1  1  1  1  1  1  1  1
 4                 0  0  0  0  0  1  1  1  1  1  1  1  1  1  1  1  1
 5                 0  0  0  1  1  1  1  1  1  1  1  1  1  1  1  1  1
 6                 0  0  0  0  1  1  1  1  1  1  1  1  1  1  1  1  1
 7                 0  0  0  1  1  1  1  1  1  1  1  1  1  1  1  1  1
 8                 0  0  1  1  1  1  1  1  1  1  1  1  1  1  1  1  1
 9                 0  1  1  1  1  1  1  1  1  1  1  1  1  1  1  1  1
10                 0  0  1  1  1  1  1  1  1  1  1  1  1  1  1  1  1
11                 0  0  1  1  1  1  1  1  1  1  1  1  1  1  1  1  1
12                 0  0  1  1  1  1  1  1  1  1  1  1  1  1  1  1  1
13                 0  1  1  1  1  1  1  1  1  1  1  1  1  1  1  1  1
14                 0  0  1  1  1  1  1  1  1  1  1  1  1  1  1  1  1
15                 0  1  1  1  1  1  1  1  1  1  1  1  1  1  1  1  1
16                 0  1  1  1  1  1  1  1  1  1  1  1  1  1  1  1  1
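As an added example (not code from the paper), the branch-table construction of Cases 1 to 3 and the branch number of Definition 1 applied to the MAME-32 linear layer of Appendix 7.1 ($b_L = b_L \oplus (b_H \lll 3)$, $b_H = b_H \oplus (b_L \lll 2)$ on 4-bit words); the 8-bit input space is enumerated completely, so no Hamming-weight truncation or Viterbi search is needed, and the packing order $x = (b_H \ll 4) \mid b_L$ is an assumption.

```python
# Added example, not from the paper: exhaustive branch table and branch
# number (Definition 1) for the MAME-32 linear layer of Appendix 7.1,
#     bL = bL ^ (bH <<< 3);  bH = bH ^ (bL <<< 2)     on 4-bit words.
# The 8-bit input space is enumerated completely, so the paper's
# Hamming-weight truncation (2^64 -> 2^20 states) and the Viterbi search
# are not needed here. Packing x = (bH << 4) | bL is an assumption.
from typing import Callable, List

WORD_BITS = 4            # MAME-32 word size (Section 4.7)
F_BITS = 2 * WORD_BITS   # F in MAME-32 maps 8 bits to 8 bits


def rotl4(v: int, n: int) -> int:
    """Rotate a 4-bit word left by n positions (the <<< operator)."""
    n %= WORD_BITS
    return ((v << n) | (v >> (WORD_BITS - n))) & 0xF


def mame32_linear(x: int) -> int:
    """MAME-32 linear layer L on the 8-bit value x = (bH << 4) | bL."""
    b_h, b_l = (x >> 4) & 0xF, x & 0xF
    b_l ^= rotl4(b_h, 3)
    b_h ^= rotl4(b_l, 2)
    return (b_h << 4) | b_l


def ham(v: int) -> int:
    """Hamming weight Ham(v)."""
    return bin(v).count("1")


def branch_table(linear: Callable[[int], int], n_bits: int = F_BITS) -> List[List[int]]:
    """a[i][j] = 1 iff some x with Ham(x) = i satisfies Ham(L(x)) = j.

    This is Case 1 of the paper's table construction; because every x is
    visited, Case 2 (via L^-1) and Case 3 (assume 1) are unnecessary."""
    table = [[0] * (n_bits + 1) for _ in range(n_bits + 1)]
    for x in range(1 << n_bits):
        table[ham(x)][ham(linear(x))] = 1
    return table


def min_output_weight(table: List[List[int]]) -> List[int]:
    """For each input weight i, the smallest reachable output weight; this is
    what a Viterbi step charges when it advances a weight-i difference."""
    return [next(j for j, reachable in enumerate(row) if reachable) for row in table]


def branch_number(linear: Callable[[int], int], n_bits: int = F_BITS) -> int:
    """B_L = min over x != 0 of Ham(x) + Ham(L(x))  (Definition 1)."""
    return min(ham(x) + ham(linear(x)) for x in range(1, 1 << n_bits))


def is_bijection(linear: Callable[[int], int], n_bits: int = F_BITS) -> bool:
    """Sanity check: a linear layer must be invertible, so row 0 and column 0
    of the table contain a single 1, at a[0][0]."""
    return len({linear(x) for x in range(1 << n_bits)}) == (1 << n_bits)


if __name__ == "__main__":
    tab = branch_table(mame32_linear)
    print("invertible:", is_bijection(mame32_linear))
    print("branch number B_L =", branch_number(mame32_linear))
    print("Ham(x)\\Ham(L(x))", *range(F_BITS + 1))
    for i, row in enumerate(tab):
        print(f"{i:>16}", *row)
```

For this 8-bit toy layer the branch number comes out as 3, well below the 8 measured for MAME's 64-bit $L$ in Table 1; the point is the table construction, which is the same at either size.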

In order to improve the precision of the estimation, we next used Table 1 instead of the branch number when we performed the Viterbi algorithm. In addition, we captured information on how the weights of the differences change through two applications of $F$. We experimentally obtained information on how $\mathrm{Ham}(\tilde{F}F(x))$ behaves. This limits the possibilities for the output difference of the second application of $F$, compared to what we expect from Table 1 for the case of a single application of $F$ (see footnote 3). While performing the Viterbi algorithm, if an output difference of the first application is not influenced at the XOR which is processed just after $F$, we can use the above information. In this way, the Viterbi algorithm found us a better result: the value $D_{\min}$ is 130 for MAME reduced to 58 rounds.

As for the linear attack, we obtain the same value for the branch number, 8. We follow a similar approach to the case of differential cryptanalysis and estimate that the value $L_{\min}$ is 129 for MAME reduced to 53 rounds.

From the above theorem, we estimate that the maximum differential/linear characteristic probabilities are upper bounded by $2^{-260}$ and $2^{-258}$, respectively. It follows that there is no effective differential/linear characteristic for MAME reduced to 58 rounds.

4.2 A Dedicated Differential Attack

We give an alternative description of the Feistel structure for ease of analysis. Denote the four 64-bit words of the internal state at round $r$ as $y^r_0$, $y^r_1$, $y^r_2$ and $y^r_3$; then the round function is given as follows:

$$y^r_0 = y^{r-1}_3 \oplus F(y^{r-1}_2 \oplus K_r);$$

$$y^r_1 = y^{r-1}_0;$$

$$y^r_2 = y^{r-1}_1;$$

$$y^r_3 = y^{r-1}_2.$$

Footnote 3: e.g., if $\mathrm{Ham}(x) = 3$ and $\mathrm{Ham}(F(x)) = 5$, then $\mathrm{Ham}(\tilde{F}F(x)) = 3$ is not possible.

Suppose that $F(\Delta_0) = \Delta_1$, $F(\Delta_1) = \Delta_2$, $F(\Delta_2) = \Delta_3$ and $F(\Delta_3) = \Delta_0$ with probability $p_0$, $p_1$, $p_2$ and $p_3$, respectively. We obtain the 15-round difference propagation shown in Table 2.

The probability of the 15-round differential path is $p_0^3 \times p_1^2 \times p_2^2 \times p_3$. The probability of the next 15-round differential is $p_1^3 \times p_2^2 \times p_3^2 \times p_0$. For 60 rounds, the differential probability is $p_0^8 \times p_1^8 \times p_2^8 \times p_3^8$.

We search for the differences with at most 7 active S-boxes for each difference. There are $2^{41.5}$ such differences. We searched through all these differences, but there are no differential relations $F(\Delta_0) = \Delta_1$, $F(\Delta_1) = \Delta_2$, $F(\Delta_2) = \Delta_3$ and $F(\Delta_3) = \Delta_0$. This shows clearly that there is no differential path with a small number of active S-boxes.

Then we increase the number of active S-boxes to search for differential paths. Let the number of active S-boxes in $\Delta_0$ and $\Delta_2$ both be 3. We allow the number of active S-boxes in $\Delta_1$ and $\Delta_3$ to be as large as 15. We searched all these differences, and found that there are 14,045 differential paths, and that the maximum number of differential paths that start from the same difference is only 6. Each set $(\Delta_0, \Delta_1, \Delta_2, \Delta_3)$ involves at least 34 active S-boxes. The probability of a 60-round differential path is less than $2^{-700}$, which shows that MAME has a large security margin against this kind of attack.

4.3 Higher Order Differential Attack

In the higher order differential attacks [16], the attacker constructs a Boolean polynomial expression for the cipher to be attacked. In the encryption process, each bit of each intermediate state can be expressed as a Boolean polynomial in terms of the bits of the plaintext.

The idea of the attack is that if the intermediate bits are expressed by Boolean polynomials of degree at least $d$, the $(d+1)$-th order differential, in the polynomial sense, of the Boolean polynomial would be 0. Therefore, if the value $d$ is small enough, the attack would be feasible.

In the case of MAME, we found that every output bit of the S-box $S$ can be expressed as a Boolean polynomial of degree 3 in terms of the input bits. One naive approach for a higher order differential attack is to construct a Boolean polynomial of degree 256 for the 256-bit block cipher in MAME by assigning one variable per bit. However, the attacker could construct a simpler expression of smaller degree by substituting 0 into certain variables, which leads to various possibilities for the variables in the polynomial expression.

We performed experiments dealing with all of these possibilities in order to observe how the S-box applications increase the degree of the Boolean functions as the number of rounds is increased. We confirmed that the degree of such polynomials for MAME with 21 rounds reaches the required degree, which depends on how many variables the polynomial has. This prohibits higher order differential attacks on the full rounds of MAME.
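As an added example (not code from the paper) serving both Theorem 1 in Section 4.1 and the degree-3 statement in Section 4.3: the S-box quantities $p_s$ and $q_s$ computed from a lookup table, the Theorem 1 bounds $p_s^{D_{\min}}$ and $q_s^{L_{\min}}$ in the $\log_2$ domain, and the algebraic degree of the S-box output bits. MAME's own S-box table is not reproduced on this page, so the PRESENT S-box, another 4-bit bijection, stands in for it; that substitution is an assumption.

```python
# Added example, not from the paper: the S-box quantities that Sections 4.1
# and 4.3 rely on, computed from a lookup table:
#   p_s, q_s           of Theorem 1 (max differential / linear probability),
#   the Theorem 1 bounds p_s^D_min and q_s^L_min (in the log2 domain), and
#   the algebraic degree of the output bits (Section 4.3 reports 3 for MAME).
# MAME's S-box table is not on this page, so the PRESENT S-box (another
# 4-bit bijection) stands in for it here; this is an assumption.
import math
from typing import List

SBOX: List[int] = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                   0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]   # PRESENT S-box


def parity(v: int) -> int:
    """Parity of the bits of v, i.e. the inner product x . mask taken mod 2."""
    return bin(v).count("1") & 1


def max_differential_probability(sbox: List[int]) -> float:
    """p_s = max_{dx != 0, dy} Pr[S(x) ^ S(x ^ dx) = dy], read off the DDT."""
    n = len(sbox)
    best = 0
    for dx in range(1, n):
        row = [0] * n
        for x in range(n):
            row[sbox[x] ^ sbox[x ^ dx]] += 1
        best = max(best, max(row))
    return best / n


def max_linear_probability(sbox: List[int]) -> float:
    """q_s = max_{gy != 0, gx} (2 Pr[x.gx = S(x).gy] - 1)^2, read off the LAT."""
    n = len(sbox)
    best = 0.0
    for gy in range(1, n):
        for gx in range(n):
            agree = sum(parity(x & gx) == parity(sbox[x] & gy) for x in range(n))
            best = max(best, (2 * agree / n - 1) ** 2)
    return best


def log2_characteristic_bound(p: float, min_active: int) -> float:
    """log2 of the Theorem 1 bound p^min_active; kept as a logarithm because
    values such as 2^-260 underflow a double."""
    return min_active * math.log2(p)


def algebraic_degree(sbox: List[int], bits: int = 4) -> int:
    """Largest degree among the output-bit Boolean polynomials (their ANF),
    obtained with the Moebius transform of each output bit's truth table."""
    degree = 0
    for bit in range(bits):
        anf = [(sbox[x] >> bit) & 1 for x in range(1 << bits)]
        for i in range(bits):
            for x in range(1 << bits):
                if x & (1 << i):
                    anf[x] ^= anf[x ^ (1 << i)]
        monomials = [bin(x).count("1") for x in range(1 << bits) if anf[x]]
        degree = max(degree, max(monomials, default=0))
    return degree


if __name__ == "__main__":
    p_s, q_s = max_differential_probability(SBOX), max_linear_probability(SBOX)
    print(f"p_s = {p_s}, q_s = {q_s}, degree = {algebraic_degree(SBOX)}")
    # With the paper's D_min = 130 and L_min = 129, a 4-bit S-box with
    # p_s = q_s = 2^-2 gives exactly the 2^-260 and 2^-258 of Section 4.1.
    print("log2 bound, D_min = 130:", log2_characteristic_bound(p_s, 130))
    print("log2 bound, L_min = 129:", log2_characteristic_bound(q_s, 129))
```

With $p_s = q_s = 2^{-2}$, the $D_{\min} = 130$ and $L_{\min} = 129$ of Section 4.1 reproduce exactly the $2^{-260}$ and $2^{-258}$ quoted there.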

4.4 Interpolation Attack

In the interpolation attacks [12], the attacker constructs polynomials (typically over some finite field) expressing the cipher to be attacked by using pairs of plaintext and ciphertext. The idea of the attack is that if the degree of the constructed polynomial is small, only a few plaintexts and ciphertexts are required in order to solve for the key-dependent coefficients of the polynomial.

In the case of MAME, the S-box $S$ can be expressed as a polynomial over $\mathrm{GF}(2^4)$. By applying the Lagrange interpolation technique, we found such a polynomial expression of degree 14 for $S$.

If we assign one variable for each 4 bits of MAME, we could construct a polynomial expression with 64 variables over $\mathrm{GF}(2^4)$. The attacker could construct a simpler expression by substituting 0 into certain variables.

We performed experiments dealing with such attack scenarios and confirmed that the degree of such polynomials increases to more than 255. This prohibits interpolation attacks on more than 18 rounds of MAME.

4.5 Square Attack

The Square attack has been developed to evaluate the security of byte-oriented ciphers such as Square and AES [7]. Here we analyse the block cipher in MAME by applying this technique. The attack introduces the following terms. The $i$th byte is passive if and only if the values of all $i$th bytes in the collection of texts are equal. The $i$th byte is active if and only if the values of all $i$th bytes in the collection of texts are different. The $i$th byte is balanced if and only if the sum of all $i$th bytes is 0. A byte which is not categorized as any of these is called unbalanced. In the attack on reduced-round AES, starting from a collection of texts with one active byte, the attacker obtains balanced bytes after several rounds, which results in constructing a distinguisher leading to a successful attack.

In the case of MAME, we make 64-bit words play the same role as bytes do in the Square attacks on reduced AES. In this way, we have 4 different word positions in each intermediate state, hence we have $2^4$ states for the plaintext, depending on the positions where words are active or passive. We confirmed that starting from any of those states, every word becomes unbalanced after 17 rounds of MAME. Therefore we consider that the Square attack is very unlikely to be feasible on the full-round MAME.


4.6 Analysis of the Iterated Hash Function Based on MAME with the MD Strengthening

In order to use MAME in practice, we specify a certain iterated hash function based on MAME with the MD strengthening with the 256-bit initial vector $H_0 = (H_{0,0}, H_{0,1}, \ldots, H_{0,7})$ given in the following:

$H_{0,0}$ = 0xbc18bf6d, $H_{0,1}$ = 0x369c955b, $H_{0,2}$ = 0xbb271cbc, $H_{0,3}$ = 0xdd66c368,
$H_{0,4}$ = 0x356dba5b, $H_{0,5}$ = 0x33c00055, $H_{0,6}$ = 0x50d2320b, $H_{0,7}$ = 0x1c617e21.

We investigate the security of the hash function against the collision attacks by Wang et al. In the collision attacks on MAME, choosing the message input to MAME corresponds to choosing the plaintext of the underlying block cipher. For any differential characteristic the attacker finds, its differential probability is upper bounded by $2^{-256}$. The attacker next tries to build a system of equations for this characteristic, called sufficient conditions, and then tries to satisfy them by controlling the chaining variable input and the message block input. However, direct control over the chaining variable input should be very difficult because the key schedule input is the output of the previous application of MAME. Therefore, all the attacker can control should be the 256 bits of plaintext, with which we consider it very difficult to fulfill the conditions. Therefore, we consider that the attacks by Wang et al. are very unlikely to be feasible against the MAME-based hash function specified here.

4.7 Regularity Analysis of Reduced MAME

The simple design of MAME enables us to develop reduced versions keeping almost all of the design principles and primitives unchanged. We used this property to launch some experiments which are not possible to do on the real size. We believe that this analysis could help us to have a better understanding of hash functions based on this kind of construction.

There are two aims in this approach. The first one is to detect possible irregularities or differential anomalies in the reduced version which may indicate a security flaw in the design approach. The second one is to parameterize the security (against differential kinds of attacks, for example) by some properties of the primitives and by some parameters such as the number of rounds.

MAME has a 4×4-bit S-box and uses an unbalanced Feistel network. We can form 32-, 64- and 128-bit block size versions without changing those structures but reducing the word size and replacing the linear transformation. Our preliminary analysis focuses on the 32-bit block size, but it would also be interesting to analyze other sizes and the correlations among them. From now on we will call the reduced version of MAME which uses a 32-bit block size MAME-32. A detailed specification of MAME-32 is given in Appendix 7.1.

The most basic collision-finding attack we might mount on a hash function is the so-called birthday attack. In a birthday attack we choose inputs to the hash function until we find two inputs that produce the same output. If the points are chosen independently at random, a birthday attack on a hash function $h$ with range size $r$ requires about $r^{1/2}$ trials to find a collision. But as is pointed out in [2], the range points computed in the attack are uniformly distributed over $R$ if and only if $h$ is regular, meaning every range point has the same number of pre-images under $h$. We will use the balance measure for a hash function introduced in [2] for our regularity analysis of MAME-32.

Let $h : D \to R$ be a hash function where the range $R$ contains $r \ge 2$ points $R_1, \ldots, R_r$. For $i = 1, \ldots, r$ let $h^{-1}(R_i) = \{x \in D \mid h(x) = R_i\}$ be the pre-image of $R_i$ under $h$. Let $d_i = |h^{-1}(R_i)|$ and $d = |D|$ be the cardinality of this pre-image set and of the domain, respectively. The balance of $h$ is defined as

$$\mu(h) = \log_r \left[ \frac{d^2}{d_1^2 + \cdots + d_r^2} \right],$$

where $\log_r()$ denotes the logarithm in base $r$. This is a real number between 0 and 1. Balance 1 indicates that the hash function is regular and balance 0 that it is a constant function, meaning as irregular as it can be. Let $C_h(q)$ be the probability that the birthday attack on hash function $h$ succeeds in finding a collision in $q$ trials. Then by [2]:

$$C_h(q) = \binom{q}{2} \frac{1}{r^{\mu(h)}},$$

i.e., a collision is expected in about $r^{\mu(h)/2}$ trials. With this equation, the performance of the birthday attack can be characterized in terms of the balance of the hash function $h$.

As we have pointed out before, the main difference between MAME and the reduced versions is the word size and the diffusion layer. Therefore we calculated $\mu$ values for three different reduced versions: with a linear transformation consisting of shifts and XOR (as in MAME), without a linear transformation, and finally with an MDS matrix.

MAME-32 without a diffusion layer has lower balance. Note that for the 32-bit block size the word size is 4 bits and the F function inputs and outputs 8 bits. Half of the bits are input to the S-boxes. Unlike the real size, any weak diffusion has a greater impact on the following rounds. As we can observe from Table 3, the regularity with a diffusion layer consisting of shifts and XORs does not differ from the one with an MDS matrix, and it is reasonably high. MAME-32 has a block cipher structure for the first layer and uses the Matyas-Meyer-Oseas mode for the second layer. Since the underlying block cipher is, as it should be, one-to-one and onto, one might think that the balancedness is mainly due to the second layer; however, as can be seen from Table 3, it is affected by the diffusion layer.
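As an added example (not code from the paper), the balance measure $\mu(h)$ of [2] used above, evaluated exactly from pre-image counts over a small domain, together with the expected birthday cost $r^{\mu(h)/2}$; the toy hash functions are constructed here, and only the $\mu$ values fed to the log2 helper are taken from Table 3.

```python
# Added example, not from the paper: the balance measure of Section 4.7,
#     mu(h) = log_r( d^2 / (d_1^2 + ... + d_r^2) ),
# evaluated exactly from pre-image counts over a small domain, and the
# resulting expected birthday cost r^(mu(h)/2). The toy hash functions are
# constructed here; only the mu values passed to log2_expected_trials are
# taken from Table 3 (MAME-32, r = 2^32).
import math
from collections import Counter
from typing import Callable, Dict, Hashable, Iterable, List


def preimage_counts(h: Callable[[int], Hashable], domain: Iterable[int],
                    rng: Iterable[Hashable]) -> Dict[Hashable, int]:
    """d_i = |h^{-1}(R_i)| for each range point R_i (0 if R_i is never hit)."""
    hits = Counter(h(x) for x in domain)
    return {y: hits.get(y, 0) for y in rng}


def balance(h: Callable[[int], Hashable], domain: List[int],
            rng: List[Hashable]) -> float:
    """mu(h) as defined above: 1 for a regular h, 0 for a constant h."""
    d, r = len(domain), len(rng)
    if r < 2:
        raise ValueError("balance needs a range with r >= 2 points")
    sum_sq = sum(c * c for c in preimage_counts(h, domain, rng).values())
    return math.log(d * d / sum_sq, r)


def expected_birthday_trials(mu: float, r: int) -> float:
    """About r^(mu/2) trials are needed for a collision (Bellare-Kohno [2])."""
    return r ** (mu / 2)


def log2_expected_trials(mu: float, log2_r: int) -> float:
    """The same quantity on a log2 scale, so that a Table 3 value for
    r = 2^32 can be compared with the ideal log2_r / 2 = 16 directly."""
    return log2_r * mu / 2


# Constructed toy hashes on D = {0, ..., 7}, R = {0, ..., 3}.
DOMAIN: List[int] = list(range(8))
RANGE: List[int] = list(range(4))


def regular_h(x: int) -> int:
    """Pre-image counts 2, 2, 2, 2: regular, so mu = 1."""
    return x % 4


def constant_h(x: int) -> int:
    """Pre-image counts 8, 0, 0, 0: constant, so mu = 0."""
    return 0


def skewed_h(x: int) -> int:
    """Pre-image counts 4, 2, 1, 1: mu = log_4(64 / 22), about 0.770."""
    return {0: 0, 1: 0, 2: 0, 3: 0, 4: 1, 5: 1, 6: 2, 7: 3}[x]


if __name__ == "__main__":
    for name, h in (("regular", regular_h), ("constant", constant_h),
                    ("skewed", skewed_h)):
        mu = balance(h, DOMAIN, RANGE)
        print(f"{name:>8}: mu = {mu:.4f}, expected trials = "
              f"{expected_birthday_trials(mu, len(RANGE)):.3f}")
    # Table 3: MAME-32 with the shift/XOR diffusion layer after 16+ rounds.
    print("MAME-32, mu = 0.968750: log2 trials =",
          log2_expected_trials(0.968750, 32), "(ideal 16.0)")
```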

5 Performance

5.1 Hardware Performance

The use of logical operations in most of the design allows us to achieve a hardware implementation of MAME requiring 8.1 Kgates on 0.18 µm technology. In our implementation, $f_K$ and $f_R$ share the same circuit and processing one round takes one cycle. We also implemented SHA-256 in the same environment as we did in the case of MAME. We here present our hardware implementation comparison of MAME with SHA-256 [22], as shown in Table 4.

We note that the relatively slower throughput is not a real barrier in the case of a hash function aimed at low-end devices, as they are not expected to handle large amounts of data in any case.

5.2 Software Performance

We present our software implementations of MAME and SHA-256 on a microcomputer made by Renesas for smart cards. In the software implementation, we partially unroll the round function code to increase the speed and we take the approach described in [24] to achieve a bit-slice implementation where the S-box is transformed into 20 logical operations. We also implemented SHA-256 in the same environment as we did in the case of MAME. We present our software implementation comparison of MAME with SHA-256 in Table 5.

Acknowledgements

The authors would like to thank Christophe De Cannière, Orr Dunkelman, Sebastiaan Indesteege, Joseph Lano, and Souradyuti Paul for useful discussions on this work and for improving the editorial quality of this paper. We are also grateful to the anonymous referees for their valuable remarks.

6 Conclusion

We presented a new compression function, MAME, designed for a hardware-oriented hash function. We made clear the design rationale we adopted, evaluated its security by applying techniques from block cipher analysis, and confirmed that there is no weakness in MAME. Our implementation shows a certain compactness of MAME, but this leaves room for further optimizations.

References

[1] M. Bellare, R. Canetti, H. Krawczyk, “Keying Hash Functions for Message Authentication,” Advances in Cryptology - CRYPTO 96, LNCS 1109, (1996), 1-15.

[2] M. Bellare, T. Kohno, “Hash Function Balance and Its Impact on Birthday Attacks,” Advances in Cryptology - Eurocrypt 2004, Springer-Verlag, LNCS 3027, (2004).


[3] J. Black, P. Rogaway, and T. Shrimpton, “Black-box analysis of the block cipher-based hash-function constructions from PGV,” Advances in Cryptology - CRYPTO 2002, Springer-Verlag, LNCS 2442, (2002), 320-335.

[4] A. Biryukov, D. Wagner, “Advanced slide attacks,” in Proceedings of Eurocrypt 2000, LNCS 1807, B. Preneel, Ed., Springer-Verlag, pp. 589–606, 2000.

[5] E. Biham, A. Shamir, Differential Cryptanalysis of the Data Encryption Standard, Springer-Verlag, 1993.

[6] F. Chabaud and S. Vaudenay, “Links between Differential and Linear Cryptanalysis,” in Proceedings of Eurocrypt ’94, LNCS 950, Springer-Verlag, pp. 356–365, 1995.

[7] J. Daemen, L.R. Knudsen and V. Rijmen, “The block cipher Square,” Fast Software Encryption, LNCS 1267, E. Biham, Ed., Springer-Verlag, 1997, pp. 149-165. Also available as http://www.esat.kuleuven.ac.be/rijmen/square/fse.ps.gz.

[8] I. Damgård, “A design principle for hash functions,” in Proceedings of Crypto’89, LNCS 435, G. Brassard, Ed., Springer-Verlag, pp. 416–427, 1990.

[9] B. R. Gladman, http://fp.gladman.plus.com/cryptography_technology/

[10] M. Feldhofer, C. Rechberger, “A Case Against Currently Used Hash Functions in RFID Protocols,” proceedings of On the Move to Meaningful Internet Systems 2006: OTM 2006 Workshops, LNCS 4227, pp. 372–381, Springer-Verlag, 2006.

[11] J. J. Hoch, A. Shamir, “Breaking the ICE – Finding Multicollisions in Iterated Concatenated and Expanded (ICE) Hash Functions,” Proceedings of Fast Software Encryption 2006, LNCS 4047, pp. 179–194, 2006.

[12] T. Jakobsen, L. R. Knudsen, “The interpolation attack on block ciphers,” in Fast Software Encryption, Israel, LNCS 1267, pp. 28–40, Springer-Verlag, 1997.

[13] A. Joux, “Multicollisions in Iterated Hash Functions,” Advances in Cryptology, Proceedings of CRYPTO 2004, LNCS 3152, pp. 306–316, Springer-Verlag, 2004.

[14] J. Kelsey, B. Schneier, “Second Preimages on n-Bit Hash Functions for Much Less than $2^n$ Work,” in Advances in Cryptology - Eurocrypt 2005, volume 3494 of Lecture Notes in Computer Science, pages 474–490, Springer-Verlag, 2005.


[15] J. Kelsey and T. Kohno, “Herding hash functions and the Nostradamus attack,” in Advances in Cryptology - EUROCRYPT 2006, volume 4004 of LNCS, pages 183–200, S. Vaudenay, Ed., Springer-Verlag, 2006.

[16] L.R. Knudsen, “Truncated and Higher Order Differentials,” Proceedings of the Second International Workshop on Fast Software Encryption, Leuven, Belgium, 1995, LNCS 1008, Springer, pp. 196-211.

[17] C. Kocher, J. Jaffe, B. Jun, “Differential Power Analysis,” Advances in Cryptology - CRYPTO 99, LNCS 1666, (1999), 388-397.

[18] K. Lemke, K. Schramm, C. Paar, “DPA on n-Bit Sized Boolean and Arithmetic Operations and Its Application to IDEA, RC6, and the HMAC Construction,” Cryptographic Hardware and Embedded Systems (CHES 2004), LNCS 3156, (2004), 205-219.

[19] A. J. Menezes, P. C. van Oorschot, and S. A. Vanstone, Handbook of Applied Cryptography, CRC Press, 1997.

[20] M. Matsui, “Linear Cryptanalysis Method for DES Cipher,” in Proceedings of EUROCRYPT’93, LNCS 765, pp. 386-397, 1994.

[21] T.S. Messerges, E.A. Dabbish, R.H. Sloan, “Investigations of Power Analysis Attacks on Smartcards,” USENIX Workshop on Smartcard Technology (1999).

[22] National Institute of Standards and Technology, FIPS-180-2: “Secure Hash Standard (SHS),” August 2002.

[23] K. Okeya, “Side Channel Attacks against HMACs based on Block-Cipher based Hash Functions,” ACISP 2006 Conference, Proceedings, pp. 317–329, 2006.

[24] D. A. Osvik, “Speeding up Serpent,” The 3rd AES Conference, Proceedings, pp. 317–329, 2000.

[25] B. Preneel, R. Govaerts, and J. Vandewalle, “Hash functions based on block ciphers: A synthetic approach,” Advances in Cryptology, CRYPTO 93, Springer-Verlag, LNCS 773, (1994), 368-378.

[26] R. Rivest, “The MD5 message-digest algorithm,” Request for Comments (RFC) 1321, Internet Activities Board, Internet Privacy Task Force, April 1992.

[27] X. Wang, Y. L. Yin, H. Yu, “Finding collisions in the full SHA-1,” in Proceedings of CRYPTO 2005, LNCS 3621, V. Shoup, Ed., Springer-Verlag, pp. 17–36, 2005.


[28] X. Wang, X. Lai, D. Feng, H. Chen, and X. Yu, “Cryptanalysis of the Hash Functions MD4 and RIPEMD,” in Proceedings of Eurocrypt 2005, LNCS 3494, R. Cramer, Ed., Springer-Verlag, pp. 1–18, 2005.

[29] Y. Zheng, T. Matsumoto, H. Imai, “On the Construction of Block Ciphers Provably Secure and Not Relying on Any Unproved Hypotheses,” Advances in Cryptology, proceedings of CRYPTO 1989, LNCS 435, pp. 461–480, Springer-Verlag, 1989.

7 Appendix

7.1 Specifications for MAME-32

A detailed specification of MAME-32 is given as follows:

1. MDS matrix over $\mathrm{GF}(2)[x]/(x^4 + x + 1)$:

$$\begin{pmatrix} x + 1 & x^2 \\ x^2 + x & x^2 + x + 1 \end{pmatrix}$$

2. Initial value = 0x1b5b8cbd.

3. The constants are the 4 LSBs of the corresponding MAME constants.

4. The linear transformation layer:

$b_L = b_L \oplus (b_H \lll 3)$; $b_H = b_H \oplus (b_L \lll 2)$

7.2 Round constants

For the constant generation function, the following polynomial $g(x)$ over $\mathrm{GF}(2)$ defining the linear feedback shift register (LFSR) $f_L$ is given:

$$g(x) = x^{63} + x^{62} + x^{58} + x^{55} + x^{54} + x^{52} + x^{50} + x^{49} + x^{46} + x^{43} + x^{40} + x^{38} + x^{37} + x^{35} + x^{34} + x^{30} + x^{28} + x^{26} + x^{24} + x^{23} + x^{22} + x^{18} + x^{17} + x^{12} + x^{11} + x^{10} + x^7 + x^3 + x^2 + 1$$

The round constants $C(0), \ldots, C(95)$ are listed in Table 6.


Table 2 – Difference propagation for 15 rounds

round    y0  y1  y2  y3
r + 0     0   0   0   0
r + 1     0   0   0   0
r + 2     0   0   0   0
r + 3     0   0   0   0
r + 4     1   0   0   0
r + 5     0   1   0   0
r + 6     0   0   1   0
r + 7     2   0   0   1
r + 8     0   2   0   0
r + 9     0   0   2   0
r + 10    3   0   0   2
r + 11    2   3   0   0
r + 12    1   2   3   0
r + 13    0   1   2   3
r + 14    0   0   1   2
r + 15    0   0   0   1

Table 3 – µ values for MAME-32 with different diffusion layers

Rounds   with no diffusion   similar diffusion   with MDS matrix
8        0.962917            0.972480            0.972037
16       0.937925            0.968750            0.968750
32       0.937983            0.968750            0.968751
64       0.937815            0.968750            0.968750
96       0.938165            0.968750            0.968751

Table 4 – Comparison of hardware implementation of MAME with SHA-256

Algorithm      Area (KGates)   Throughput (Mbps)   Max Frequency (MHz)
MAME           8.1             440                 333
SHA-256        18.0            2600                333
SHA-256 [10]   10.9            22.5                50


Table 5 – Comparison of software implementation of MAME with SHA-256

Algorithm   Time (ms)   RAM (Bytes)
MAME        49.4        96
SHA-256     31.4        128

Table 6 – Round constants

C(0) = 0x51151113, C(1) = 0x3b4f5a2f, C(2) = 0x2b0e343a, C(3) = 0x46b151a6,
C(4) = 0xac38d0e9, C(5) = 0xde130ff4, C(6) = 0x1b6f7abf, C(7) = 0xbc9a76bc,
C(8) = 0xc631d3e6, C(9) = 0xf269daf1, C(10) = 0xdc1106f5, C(11) = 0xa6fd1bb3,
C(12) = 0x1f1e6ba2, C(13) = 0x307857d6, C(14) = 0x7c79ae88, C(15) = 0xc1e15f59,
C(16) = 0x3530f34d, C(17) = 0x68df0d12, C(18) = 0x7f4ff42f, C(19) = 0x67aa7d25,
C(20) = 0x9265a0cb, C(21) = 0xf1f384e2, C(22) = 0xe21aba37, C(23) = 0x03185ae5,
C(24) = 0xe73098aa, C(25) = 0xa7ed528f, C(26) = 0x58142bc4, C(27) = 0x34397327,
C(28) = 0xa486e67c, C(29) = 0x7b69f586, C(30) = 0x921b99f1, C(31) = 0x29719f74,
C(32) = 0xe3e25ede, C(33) = 0xa5c67dd1, C(34) = 0x4b5f3214, C(35) = 0x3c95ce5f,
C(36) = 0xe9aa813c, C(37) = 0x59db0067, C(38) = 0x627c4d9d, C(39) = 0x083671eb,
C(40) = 0xe6ab4602, C(41) = 0x8b55feb7, C(42) = 0x5e7b5164, C(43) = 0x86dbc3c7,
C(44) = 0xbd3b0cfc, C(45) = 0xb0e33606, C(46) = 0xf4ec33f0, C(47) = 0xc38cd819,
C(48) = 0x176686ad, C(49) = 0x61691012, C(50) = 0xf61623af, C(51) = 0x41720925,
C(52) = 0xb702fecb, C(53) = 0x6a9254e2, C(54) = 0x7787c237, C(55) = 0x6e9f1ae5,
C(56) = 0xb14578ab, C(57) = 0xd5261be2, C(58) = 0x6e99dbb7, C(59) = 0x904e26e5,
C(60) = 0xd53d1eaa, C(61) = 0xeab4a28f, C(62) = 0x902233c5, C(63) = 0xc588fa4a,
C(64) = 0xeb04f60f, C(65) = 0xd2f5a045, C(66) = 0xc349a84b, C(67) = 0x248cf163,
C(68) = 0x627cd15a, C(69) = 0x39bffc97, C(70) = 0x4d250c04, C(71) = 0x4d73cb47,
C(72) = 0xf042797d, C(73) = 0x5a955d6b, C(74) = 0xae539583, C(75) = 0x050f05da,
C(76) = 0x12c26f16, C(77) = 0x143c1768, C(78) = 0x4b09bc58, C(79) = 0x50f05da1,
C(80) = 0xe8f0b80d, C(81) = 0x2c9b06f3, C(82) = 0xcc989042, C(83) = 0x19e022d7,
C(84) = 0xf6b40864, C(85) = 0xcc0cb247, C(86) = 0x1e0668fd, C(87) = 0x5f68b96a,
C(88) = 0xd3959aef, C(89) = 0xb974acc5, C(90) = 0x210c1bca, C(91) = 0x4e5e8a0e,
C(92) = 0x84306f29, C(93) = 0xfdac6154, C(94) = 0xbb4d85bf, C(95) = 0x3267cc3c.


Publication

SHA-3 proposal: Lesamnta

Publication Data

S. Hirose, H. Kuwakado, and H. Yoshida, “SHA-3 proposal: Lesamnta,” http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/Lesamnta.zip, October 2008. Latest version: http://www.hitachi.com/rd/yrl/crypto/lesamnta/.

Contributions

• Principal author. We designed the underlying block cipher of the Lesamnta hash function and performed a security analysis of Lesamnta with respect to known attacks. The design of the mode of operation and the security reduction proofs were performed by Shoichi Hirose and Hidenori Kuwakado. Software implementations of Lesamnta were provided by Kota Ideguchi. A security analysis of Lesamnta using the known key distinguisher was performed by Florian Mendel and Vincent Rijmen.

• Due to page restrictions, test vectors and some descriptions of the security reduction proofs are omitted. For more details, the reader can refer to the above SHA-3 submission document.


SHA-3 Proposal: Lesamnta

Shoichi Hirose², Hidenori Kuwakado³ and Hirotaka Yoshida¹

¹ Systems Development Laboratory, Hitachi, [email protected]
² University of Fukui, [email protected]
³ Kobe University, [email protected]

1 Introduction

This document specifies a family of hash functions, Lesamnta¹, which consists of four algorithms: Lesamnta-224, Lesamnta-256, Lesamnta-384, and Lesamnta-512. The four algorithms differ in terms of the sizes of the blocks and words of data that are used during hashing. Figure 1 summarizes the basic properties of all four Lesamnta algorithms.

Algorithm      Message length  Block size  Word size  Message digest size  Security²
               (bits)          (bits)      (bits)     (bits)               (bits)
Lesamnta-224   < 2^64          256         32         224                  112
Lesamnta-256   < 2^64          256         32         256                  128
Lesamnta-384   < 2^128         512         64         384                  192
Lesamnta-512   < 2^128         512         64         512                  256

Figure 1 – Lesamnta algorithm properties.

¹ Lesamnta is pronounced like "Lezanta".
² In this context, "security" refers to the fact that a birthday attack on a message digest of size n produces a collision with a workfactor of approximately 2^(n/2).

2 Definitions

2.1 Glossary of Terms and Acronyms

The following definitions are used throughout this specification.

Bit: A binary digit having a value of 0 or 1.
Byte: A group of eight bits.
Block Cipher Key: A cryptographic key used by the Key Expansion routine to generate a set of Round Keys.
Compression function: A function mapping the (i − 1)th hash value H^(i−1) and the ith message block M^(i) to the ith hash value H^(i).
Key Expansion: A routine used to generate a series of Round Keys from the Block Cipher Key.
Output function: A function mapping the (N − 1)th hash value H^(N−1) and the Nth message block M^(N) to the final hash value H^(N).
Round Key: Values derived from the Block Cipher Key by the Key Expansion routine; they are applied to the SubState256 and SubState512 data in the Compression and Output functions.
State: An intermediate hash value.
SubState256: A 64-bit unit of data used in Lesamnta-256; it can be pictured as a rectangular array of bytes with two rows and four columns.
SubState512: A 128-bit unit of data used in Lesamnta-512; it can be pictured as a rectangular array of bytes with four rows and four columns.
S-box: A non-linear substitution table used in several byte substitution transformations and in the Key Expansion routine to perform one-for-one substitution of a byte value.
Word: A group of either 32 bits (4 bytes) or 64 bits (8 bytes), depending on the Lesamnta algorithm.

2.2 Algorithm Parameters and Symbols

The specification uses the following parameters and symbols.

C(round): The round-th round constant.
H^(i): The ith hash value. H^(0) is the initial hash value; H^(N) is the final hash value and is used to determine the message digest.
H^(i)_j: The jth word of the ith hash value, where H^(i)_0 is the leftmost word of hash value i.
K(round): The round-th Round Key.
l: The length of the message M in bits.
m: The number of bits in a message block M^(i).
M: The message to be hashed.
M^(i): The message block i, with a size of m bits.
M^(i)_j: The jth word of the ith message block, where M^(i)_0 is the leftmost word of message block i.
N: The number of blocks in the padded message.
Nr_comp256: The number of rounds for the Compression256() function. For this document, Nr_comp256 is 32.
Nr_comp512: The number of rounds for the Compression512() function. For this document, Nr_comp512 is 32.
Nr_out256: The number of rounds for the Output256() function. For this document, Nr_out256 is 32.
Nr_out512: The number of rounds for the Output512() function. For this document, Nr_out512 is 32.
w: The number of bits in a word.
x_j: The jth w-bit word of the State.
XOR: The exclusive OR operation.
⊕: The exclusive OR operation.
∨: The OR operation.
•: Finite field multiplication.
||: Concatenation.

2.3 Functions

The specification uses the following functions.

AddRoundKey256(): A transformation used in Compression256() and Output256(), in which a Round Key is added to a SubState256 by using an XOR operation. The length of the Round Key equals the size of the SubState256.
AddRoundKey512(): A transformation used in Compression512() and Output512(), in which a Round Key is added to a SubState512 by using an XOR operation. The length of the Round Key equals the size of the SubState512.
ByteTranspos256(): A function used in the Key Expansion routines, which takes an 8-byte word and performs a bytewise transposition.
ByteTranspos512(): A function used in the Key Expansion routines, which takes a 16-byte word and performs a bytewise transposition.
Compression256(): The Compression function of Lesamnta-256.
Compression512(): The Compression function of Lesamnta-512.
EncComp256: The encryption function of the block cipher used in the Compression function of Lesamnta-256.
EncComp512: The encryption function of the block cipher used in the Compression function of Lesamnta-512.
EncOut256: The encryption function of the block cipher used in the Output function of Lesamnta-256.
EncOut512: The encryption function of the block cipher used in the Output function of Lesamnta-512.
F256: A non-linear transformation used in a round, consisting of AddRoundKey256(), SubBytes256(), ShiftRows256(), and MixColumns256().
F512: A non-linear transformation used in a round, consisting of AddRoundKey512(), SubBytes512(), ShiftRows512(), and MixColumns512().
FK: The round function of the key scheduling function.
FM: The round function of the mixing function.
KeyExpComp256(): The Key Expansion routine used in EncComp256.
KeyExpComp512(): The Key Expansion routine used in EncComp512.
KeyExpOut256(): The Key Expansion routine used in EncOut256.
KeyExpOut512(): The Key Expansion routine used in EncOut512.
KeyLinear256(): A linear function used in the Key Expansion routine KeyExpComp256().
KeyLinear512(): A linear function used in the Key Expansion routine KeyExpComp512().
MixColumns256(): A transformation used in Compression256() and Output256(), which takes all of the columns of a SubState256 and mixes their data (independently of one another) to produce new columns.
MixColumns512(): A transformation used in Compression512() and Output512(), which takes all of the columns of a SubState512 and mixes their data (independently of one another) to produce new columns.
Output256(): The Output function used in Lesamnta-256.
Output512(): The Output function used in Lesamnta-512.
ShiftRows256(): A transformation used in Compression256() and Output256(), which processes a SubState256 by cyclically shifting the second row of the SubState256 by one byte.
ShiftRows512(): A transformation used in Compression512() and Output512(), which processes a SubState512 by cyclically shifting the last three rows of the SubState512 by different offsets.
SubBytes256(): A transformation used in Compression256() and Output256(), which processes a SubState256 by using a non-linear byte substitution table (i.e., the S-box) that operates independently on each of the SubState256 bytes.
SubBytes512(): A transformation used in Compression512() and Output512(), which processes a SubState512 by using a non-linear byte substitution table (i.e., the S-box) that operates independently on each of the SubState512 bytes.
SubWords256(): A function used in the Key Expansion routines KeyExpComp256() and KeyExpOut256(), which takes 8 bytes from two input words and applies a non-linear byte substitution table (i.e., the S-box) to each of the 8 bytes to produce two output words.
SubWords512(): A function used in the Key Expansion routines KeyExpComp512() and KeyExpOut512(), which takes 16 bytes from two input words and applies a non-linear byte substitution table (i.e., the S-box) to each of the 16 bytes to produce two output words.
WordRotation256(): A function used in Compression256(), Output256(), and the Key Expansion routines, which takes eight 32-bit words and performs a cyclic permutation.
WordRotation512(): A function used in Compression512(), Output512(), and the Key Expansion routines, which takes eight 64-bit words and performs a cyclic permutation.


3 Notation and Conventions

3.1 Inputs and Outputs

Lesamnta takes a message with less than 2^64 bits (for Lesamnta-224 and Lesamnta-256) or 2^128 bits (for Lesamnta-384 and Lesamnta-512) and outputs a message digest. The message digest ranges in length from 224 to 512 bits, depending on the algorithm.

3.2 Bytes

All byte values in the Lesamnta algorithm are presented as a concatenation of the individual bit values (0 or 1) between braces, in the order b0, b1, b2, b3, b4, b5, b6, b7. These bytes are interpreted as finite field elements by using a polynomial representation:

b0 x^7 + b1 x^6 + b2 x^5 + b3 x^4 + b4 x^3 + b5 x^2 + b6 x + b7 = Σ_{i=0}^{7} b_{7−i} x^i.

For example, 01100011 identifies the specific finite field element x^6 + x^5 + x + 1. It is also convenient to denote byte values by hexadecimal notation, with each of two groups of four bits being denoted by a single character, as illustrated in Fig. 2.

Bit pattern  Character    Bit pattern  Character    Bit pattern  Character    Bit pattern  Character
0000         0            0100         4            1000         8            1100         c
0001         1            0101         5            1001         9            1101         d
0010         2            0110         6            1010         a            1110         e
0011         3            0111         7            1011         b            1111         f

Figure 2 – Hexadecimal representations of bit patterns.

Hence, the element 01100011 can be represented as 63, where the character denoting the four-bit group b0, b1, b2, b3 (the coefficients of the higher-degree terms) is to the left.

Some finite field operations involve one additional bit (b−1) to the left of an 8-bit byte. Where this extra bit is present, it appears as '01' immediately preceding the 8-bit byte; for example, a 9-bit sequence is presented as 011b.

3.3 Arrays of Bytes

Arrays of bytes are represented in the following form:

a_0, a_1, ..., a_7.

The bytes and the bit ordering within bytes are derived from a 64-bit input sequence

input_0, input_1, ..., input_63,

as follows:

a_0 = input_0, input_1, ..., input_7,
a_1 = input_8, input_9, ..., input_15,
...
a_7 = input_56, input_57, ..., input_63.

The pattern can be extended to longer sequences (i.e., for Lesamnta-384/512), so that, in general,

a_n = input_{8n}, input_{8n+1}, ..., input_{8n+7}.

Taking the notation of Secs. 3.2 and 3.3 together, Fig. 3 shows how the bits within each byte are numbered.

Input bit sequence    0 1 2 3 4 5 6 7   8 9 10 11 12 13 14 15  ...
Byte number           0                 1                      ...
Bit number in byte    0 1 2 3 4 5 6 7   0 1  2  3  4  5  6  7  ...
Bit number in word    0 1 2 3 4 5 6 7   8 9 10 11 12 13 14 15  ...

Figure 3 – Indices for bytes and bits.

3.4 Endian

Throughout this document, the big-endian convention is followed in expressing both 32- and 64-bit words, so that within each word, the most significant bit is stored in the leftmost bit position.

3.5 Bit Strings

A word is a w-bit string that can be represented as a sequence of hexadecimal, or hex, digits. To convert a word to hex digits, each 4-bit string is converted to its hex digit equivalent, as shown in Fig. 2. For example, the 32-bit string

1010 0001 0000 0011 1111 1110 0010 0011

can be expressed as a103fe23, and the 64-bit string

1010 0001 0000 0011 1111 1110 0010 0011 0011 0010 1110 1111 0011 0000 0001 1010

can be expressed as a103fe2332ef301a.


3.6 Message Block

For the Lesamnta algorithms, the size of the message block, m bits, depends on the algorithm.

1. For Lesamnta-224 and Lesamnta-256, each message block has 256 bits, which are represented as a sequence of eight 32-bit words.

2. For Lesamnta-384 and Lesamnta-512, each message block has 512 bits, which are represented as a sequence of eight 64-bit words.

3.7 SubState256

For a 64-bit part of a state, the Lesamnta-224 and Lesamnta-256 algorithms' operations are performed on a two-dimensional array of bytes called a SubState256. The SubState256 consists of two rows of bytes, each containing four bytes. In a SubState256 array, denoted by the symbol s, each individual byte has two indices, with its row number r in the range 0 ≤ r < 2 and its column number c in the range 0 ≤ c < 4. This allows an individual byte of the SubState256 to be referred to as either s_{r,c} or s[r, c].

At the start of the F256 function in each round of Compression256() and Output256(), as described in Sec. 5.3, the input, the array of bytes in_0, in_1, ..., in_7, is copied into the SubState256 array, as illustrated in Fig. 4. The F256 transformations of Compression256() or Output256() are then applied to this SubState256 array, after which the array's final set of values is copied to the output: an array of bytes out_0, out_1, ..., out_7.

Input bytes            SubState256                    Output bytes
in_0 in_2 in_4 in_6    s_0,0 s_0,1 s_0,2 s_0,3        out_0 out_2 out_4 out_6
in_1 in_3 in_5 in_7    s_1,0 s_1,1 s_1,2 s_1,3        out_1 out_3 out_5 out_7

Figure 4 – SubState256 array input and output.

Hence, at the beginning of the F256 function, the input array in is copied to the SubState256 array, according to this scheme:

s[r, c] = in[r + 2c], for 0 ≤ r < 2 and 0 ≤ c < 4,

and at the end of the F256 function, the SubState256 array is copied to the output array out as follows:

out[r + 2c] = s[r, c], for 0 ≤ r < 2 and 0 ≤ c < 4.


3.8 SubState512

For a 128-bit part of a state, the Lesamnta-384 and Lesamnta-512 algorithms' operations are performed on a two-dimensional array of bytes called a SubState512. The SubState512 consists of four rows of bytes, each containing four bytes. In a SubState512 array, denoted by the symbol s, each individual byte has two indices, with its row number r in the range 0 ≤ r < 4 and its column number c in the range 0 ≤ c < 4. This allows an individual byte of the SubState512 to be referred to as either s_{r,c} or s[r, c].

At the start of the F512 function in each round of Compression512() and Output512(), as described in Sec. 5.5, the input, the array of bytes in_0, in_1, ..., in_15, is copied into the SubState512 array, as illustrated in Fig. 5. The F512 transformations of Compression512() or Output512() are then applied to this SubState512 array, after which the array's final set of values is copied to the output: an array of bytes out_0, out_1, ..., out_15.

Input bytes                SubState512                    Output bytes
in_0 in_4 in_8  in_12      s_0,0 s_0,1 s_0,2 s_0,3        out_0 out_4 out_8  out_12
in_1 in_5 in_9  in_13      s_1,0 s_1,1 s_1,2 s_1,3        out_1 out_5 out_9  out_13
in_2 in_6 in_10 in_14      s_2,0 s_2,1 s_2,2 s_2,3        out_2 out_6 out_10 out_14
in_3 in_7 in_11 in_15      s_3,0 s_3,1 s_3,2 s_3,3        out_3 out_7 out_11 out_15

Figure 5 – SubState512 array input and output.

Hence, at the beginning of the F512 function, the input array in is copied to the SubState512 array, according to this scheme:

s[r, c] = in[r + 4c], for 0 ≤ r < 4 and 0 ≤ c < 4,

and at the end of the F512 function, the SubState512 array is copied to the output array out as follows:

out[r + 4c] = s[r, c], for 0 ≤ r < 4 and 0 ≤ c < 4.

4 Mathematical Preliminaries

Lesamnta uses certain operations in the finite field GF(2^8). Such a finite field has many different representations. We fix an irreducible polynomial ϕ(x) and represent an element of GF(2^8) by a polynomial of degree below 8.

First, we define the finite field GF(2^8) as GF(2^8) = GF(2)[x]/(ϕ(x)), where the polynomial ϕ(x) is given as follows:

ϕ(x) = x^8 + x^4 + x^3 + x + 1 = 011b.


4.1 Addition

The sum of two elements of GF(2^8) is the polynomial whose coefficients are given by the sums modulo 2 of the corresponding coefficients. In other words, addition is calculated by a bitwise XOR. For example, the sum of 57 and a3 is calculated as follows:

57 + a3 = (x^6 + x^4 + x^2 + x + 1) + (x^7 + x^5 + x + 1)
        = x^7 + x^6 + x^5 + x^4 + x^2
        = f4.

4.2 Multiplication

Multiplication in GF(2^8) (denoted by •) can be divided into two steps. First, we define the multiplication of any element f(x) = Σ_{i=0}^{7} a_{7−i} x^i by x, reducing by ϕ(x), as follows:

x · f(x) = Σ_{i=0}^{7} a_{7−i} x^{i+1} mod ϕ(x).

For example, the multiplication of 02 and 87 is calculated as follows:

02 • 87 = x · (x^7 + x^2 + x + 1)
        = x^8 + x^3 + x^2 + x
        = (x^4 + x^3 + x + 1) + x^3 + x^2 + x
        = x^4 + x^2 + 1
        = 15.

Second, we calculate x^i · f(x) for any i by iterative application of the above definition. The product of f(x) by an arbitrary element g(x) is then the sum (XOR) of those x^i · f(x) for which the coefficient of x^i in g(x) is 1.
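The field arithmetic of Secs. 4.1 and 4.2 in working code, as an added example that is not part of the Lesamnta submission. A byte is held as a Python int whose most significant bit is b0 (the x^7 coefficient, Sec. 3.2), ϕ(x) is the 9-bit value 011b, `xtime` is the first step (multiplication by x), and `gf_mul` carries out the second step for an arbitrary multiplier. The function names are the example's own; `gf_inv` and `is_field` go beyond the text to show that the reduction polynomial really defines a field.

```python
# Added example, not part of the Lesamnta submission: GF(2^8) arithmetic of Sec. 4
# on Python ints. Bit b0 of Sec. 3.2 is the most significant bit (coefficient of
# x^7); phi(x) = x^8 + x^4 + x^3 + x + 1 is the 9-bit value 011b.

PHI = 0x11b  # x^8 + x^4 + x^3 + x + 1


def gf_add(a: int, b: int) -> int:
    """Sec. 4.1: coefficient-wise addition mod 2, i.e. bitwise XOR."""
    return a ^ b


def xtime(a: int) -> int:
    """Sec. 4.2, first step: x * f(x) mod phi(x). If the shift produces an x^8
    term, replace it by x^4 + x^3 + x + 1, i.e. XOR the 9-bit value with 0x11b."""
    a <<= 1
    return a ^ PHI if a & 0x100 else a


def gf_mul(a: int, b: int) -> int:
    """Sec. 4.2, second step, for an arbitrary multiplier b: a * b is the XOR of
    a * x^i over the set bits i of b, each a * x^i obtained by iterating xtime."""
    product = 0
    while b:
        if b & 1:
            product ^= a
        a = xtime(a)
        b >>= 1
    return product


def gf_pow(a: int, e: int) -> int:
    """Square-and-multiply exponentiation in GF(2^8)."""
    result = 1
    while e:
        if e & 1:
            result = gf_mul(result, a)
        a = gf_mul(a, a)
        e >>= 1
    return result


def gf_inv(a: int) -> int:
    """Multiplicative inverse of a non-zero element: a^(2^8 - 2) = a^254."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in GF(2^8)")
    return gf_pow(a, 254)


def poly_str(a: int) -> str:
    """Render a byte in the polynomial notation of Sec. 3.2,
    e.g. 0x57 -> 'x^6 + x^4 + x^2 + x + 1'."""
    terms = []
    for i in range(7, -1, -1):
        if (a >> i) & 1:
            terms.append({0: "1", 1: "x"}.get(i, f"x^{i}"))
    return " + ".join(terms) if terms else "0"


def is_field() -> bool:
    """Every non-zero byte must have a multiplicative inverse. In the ring
    GF(2)[x]/(phi) a zero divisor has no inverse, so this check would fail
    if phi(x) were reducible."""
    return all(gf_mul(a, gf_inv(a)) == 1 for a in range(1, 256))
```

`gf_add(0x57, 0xa3)` gives `0xf4` and `gf_mul(0x02, 0x87)` gives `0x15`, matching the two worked examples above; `gf_mul(0x02, s)` is exactly the `02 • s` that MixColumns256() needs in Sec. 5.3.2.3, and `gf_mul` with `0x03` is what the KeyLinear256() matrix of Sec. 5.3.2.6 requires.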

5 Specification

This chapter describes the Lesamnta algorithms.

5.1 Round Constants

5.1.1 Lesamnta-224/256

Lesamnta-224 and Lesamnta-256 use the same sequence of Nr_comp256 (= Nr_out256) constant 64-bit words, C(round). These words are defined by the following equation:

C(round) = 000000XY000000ZW,


where XY is 2 ∗ round + 1 in hex, and ZW is 2 ∗ round in hex. The round constantsC(0), C(1), . . . , C(31) are the following (from left to right, in hex):

0000000100000000, 0000000300000002, 0000000500000004, 0000000700000006,

0000000900000008, 0000000b0000000a, 0000000d0000000c, 0000000f0000000e,

0000001100000010, 0000001300000012, 0000001500000014, 0000001700000016,

0000001900000018, 0000001b0000001a, 0000001d0000001c, 0000001f0000001e,

0000002100000020, 0000002300000022, 0000002500000024, 0000002700000026,

0000002900000028, 0000002b0000002a, 0000002d0000002c, 0000002f0000002e,

0000003100000030, 0000003300000032, 0000003500000034, 0000003700000036,

0000003900000038, 0000003b0000003a, 0000003d0000003c, 0000003f0000003e.

5.1.2 Lesamnta-384/512

Lesamnta-384 and Lesamnta-512 use the same sequence of Nr_comp512 (= Nr_out512) constant 128-bit words, C(round). These words are defined by the following equation:

C(round) = 00000000000000XY00000000000000ZW,

where XY is 2 ∗ round + 1 in hex, and ZW is 2 ∗ round in hex. The round constantsC(0), C(1), . . . , C(31) are the following (from left to right, in hex):

00000000000000010000000000000000, 00000000000000030000000000000002,

00000000000000050000000000000004, 00000000000000070000000000000006,

00000000000000090000000000000008, 000000000000000b000000000000000a,

000000000000000d000000000000000c, 000000000000000f000000000000000e,

00000000000000110000000000000010, 00000000000000130000000000000012,

00000000000000150000000000000014, 00000000000000170000000000000016,

00000000000000190000000000000018, 000000000000001b000000000000001a,

000000000000001d000000000000001c, 000000000000001f000000000000001e,

00000000000000210000000000000020, 00000000000000230000000000000022,

00000000000000250000000000000024, 00000000000000270000000000000026,

00000000000000290000000000000028, 000000000000002b000000000000002a,

000000000000002d000000000000002c, 000000000000002f000000000000002e,

00000000000000310000000000000030, 00000000000000330000000000000032,

00000000000000350000000000000034, 00000000000000370000000000000036,

00000000000000390000000000000038, 000000000000003b000000000000003a,

000000000000003d000000000000003c, 000000000000003f000000000000003e.

5.2 Preprocessing

Preprocessing takes place before hash computation begins. This preprocessing consists of three steps: padding the message M (Sec. 5.2.1), parsing the padded message into message blocks (Sec. 5.2.2), and setting the initial hash value H^(0) (Sec. 5.2.3).


5.2.1 Padding the Message

The message M is padded before hash computation begins. The purpose of this padding is to ensure that the padded message consists of a multiple of 256 or 512 bits, depending on the algorithm.

5.2.1.1 Lesamnta-224/256

Suppose that the length of message M is l bits. Append the bit "1" to the end of the message, followed by k + 191 zero bits, where k is the minimum non-negative integer such that l + 1 + k + 191 ≡ 192 (mod 256), that is, M || 1 || 0^(k+191) ends exactly 64 bits before a block boundary. Then, append a 64-bit block equal to the number l as expressed in binary representation. The length of the padded message should now be a multiple of 256 bits.

Tail of M | 1 | 0...0 (191 bits) | l (64 bits)

Figure 6 – Last two blocks of a padded message for Lesamnta-224/256 (l ≡ 0 (mod 256)).

Tail of M | 1 | 0...0 (k bits) | 0...0 (191 bits) | l (64 bits)

Figure 7 – Last two blocks of a padded message for Lesamnta-224/256 (l ≢ 0 (mod 256)).

5.2.1.2 Lesamnta-384/512

Suppose that the length of message M is l bits. Append the bit "1" to the end of the message, followed by k + 383 zero bits, where k is the minimum non-negative integer such that l + 1 + k + 383 ≡ 384 (mod 512). Then, append a 128-bit block equal to the number l as expressed in binary representation. The length of the padded message should now be a multiple of 512 bits.

Tail of M | 1 | 0...0 (383 bits) | l (128 bits)

Figure 8 – Last two blocks of a padded message for Lesamnta-384/512 (l ≡ 0 (mod 512)).

Tail of M | 1 | 0...0 (k bits) | 0...0 (383 bits) | l (128 bits)

Figure 9 – Last two blocks of a padded message for Lesamnta-384/512 (l ≢ 0 (mod 512)).

5.2.2 Parsing the Padded Message

After a message has been padded, it must be parsed into N m-bit blocks before the hash computation can begin.

5.2.2.1 Lesamnta-224/256

For Lesamnta-224 and Lesamnta-256, the padded message is parsed into N 256-bit blocks: M^(1), M^(2), ..., M^(N). Since the 256 bits of the input block can be expressed as eight 32-bit words, the first 32 bits of message block M^(i) are denoted as M^(i)_0; the next 32 bits, as M^(i)_1; and so on up to M^(i)_7.

5.2.2.2 Lesamnta-384/512

For Lesamnta-384 and Lesamnta-512, the padded message is parsed into N 512-bit blocks: M^(1), M^(2), ..., M^(N). Since the 512 bits of the input block can be expressed as eight 64-bit words, the first 64 bits of message block M^(i) are denoted as M^(i)_0; the next 64 bits, as M^(i)_1; and so on up to M^(i)_7.

5.2.3 Setting the Initial Hash Value

Before hash computation begins for each of the Lesamnta algorithms, the initial hash value H^(0) must be set. The size of the words in H^(0) depends on the message digest size.

5.2.3.1 Lesamnta-224

For Lesamnta-224, the initial hash value H^(0) consists of the following eight 32-bit words, in hex:

H^(0)_j = 00000224, for 0 ≤ j < 8.

5.2.3.2 Lesamnta-256

For Lesamnta-256, the initial hash value H^(0) consists of the following eight 32-bit words, in hex:

H^(0)_j = 00000256, for 0 ≤ j < 8.

5.2.3.3 Lesamnta-384

For Lesamnta-384, the initial hash value H^(0) consists of the following eight 64-bit words, in hex:

H^(0)_j = 0000000000000384, for 0 ≤ j < 8.

5.2.3.4 Lesamnta-512

For Lesamnta-512, the initial hash value H^(0) consists of the following eight 64-bit words, in hex:

H^(0)_j = 0000000000000512, for 0 ≤ j < 8.
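The three preprocessing steps of Sec. 5.2 for byte-aligned messages, as an added example that is not part of the Lesamnta submission: padding per Secs. 5.2.1.1 and 5.2.1.2, parsing into blocks of eight big-endian words per Sec. 5.2.2 and Sec. 3.4, and the initial hash values of Sec. 5.2.3. The function names and the `PARAMS` table are the example's own. `final_block_is_padding_only` checks a consequence of the padding rule that the text does not state: because at least 191 (resp. 383) zero bits follow the "1", the last block is always 1 || 0^191 || l or 0^192 || l, so the block handed to the Output function never carries message bits.

```python
# Added example, not part of the Lesamnta submission: preprocessing of Sec. 5.2
# for byte-aligned messages. digest bits -> (block bytes, word bytes,
# length-field bytes, IV word), taken from Figure 1 and Secs. 5.2.1 and 5.2.3.
PARAMS = {
    224: (32, 4, 8, 0x00000224),
    256: (32, 4, 8, 0x00000256),
    384: (64, 8, 16, 0x0000000000000384),
    512: (64, 8, 16, 0x0000000000000512),
}


def lesamnta_pad(msg: bytes, digest_bits: int) -> bytes:
    """Sec. 5.2.1: M || 1 || 0^(k+191) || l (or k+383 and a 128-bit l)."""
    block, _, lenfield, _ = PARAMS[digest_bits]
    l = 8 * len(msg)
    if l >= 1 << (8 * lenfield):
        raise ValueError("message too long for the length field")
    # k is the smallest non-negative value such that M || 1 || 0^(k+191) ends
    # exactly one length field before a block boundary. For byte-aligned input
    # k is a multiple of 8, so the '1' bit and the first seven zeros form 0x80.
    min_run = block - lenfield            # 24 bytes (192 bits) or 48 bytes (384 bits)
    k_bytes = (-len(msg)) % block
    return msg + b"\x80" + b"\x00" * (k_bytes + min_run - 1) + l.to_bytes(lenfield, "big")


def parse_blocks(padded: bytes, digest_bits: int) -> list:
    """Sec. 5.2.2: split into N blocks M^(1..N), each a list of eight words
    M^(i)_0 .. M^(i)_7 read big-endian (Sec. 3.4)."""
    block, wsize, _, _ = PARAMS[digest_bits]
    if len(padded) % block:
        raise ValueError("padded message is not a multiple of the block size")
    return [
        [int.from_bytes(padded[i + j * wsize: i + (j + 1) * wsize], "big") for j in range(8)]
        for i in range(0, len(padded), block)
    ]


def initial_hash(digest_bits: int) -> list:
    """Sec. 5.2.3: H^(0) is the IV word repeated in all eight positions."""
    return [PARAMS[digest_bits][3]] * 8


def preprocess(msg: bytes, digest_bits: int) -> tuple:
    """Returns (H^(0), [M^(1), ..., M^(N)]), the inputs of the loop in Figure 10."""
    return initial_hash(digest_bits), parse_blocks(lesamnta_pad(msg, digest_bits), digest_bits)


def final_block_is_padding_only(msg: bytes, digest_bits: int) -> bool:
    """True when the last block is 1 || 0^(block-len-1) || l or 0^(block-len) || l,
    i.e. contains no message bits. The padding rule guarantees this for every
    message length, because the run of zeros after the '1' is at least 191
    (383) bits long."""
    block, _, lenfield, _ = PARAMS[digest_bits]
    head = lesamnta_pad(msg, digest_bits)[-block:-lenfield]
    return head in (b"\x80" + b"\x00" * (len(head) - 1), b"\x00" * len(head))
```

For `b"abc"` and Lesamnta-256 the padded message is two blocks: the first starts with the word `61626380` and the second is seven zero words followed by the length `24`. A message of exactly 32 bytes also needs a second block, because the 192-bit minimum run of padding does not fit beside the 64-bit length field in the same block.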

5.3 Lesamnta-256 Algorithm

Lesamnta-256 can be used to hash a message M having a length of l bits, where 0 ≤ l < 2^64. The final result of Lesamnta-256 is a 256-bit message digest.

5.3.1 Lesamnta-256 Preprocessing

1. Pad the message M , according to Sec. 5.2.1.1.

2. Parse the padded message into N 256-bit message blocks M^(1), M^(2), ..., M^(N), according to Sec. 5.2.2.1.

3. Set the initial hash value H(0), as specified in Sec. 5.2.3.2.

5.3.2 Lesamnta-256 Computation

The Lesamnta-256 hash computation uses the round constants defined in Sec. 5.1.1. After preprocessing is completed, each message block M^(1), M^(2), ..., M^(N) is processed in order, as follows:

for i = 1 to N - 1
    H^(i) = Compression256(H^(i−1), M^(i))
end for
H^(N) = Output256(H^(N−1), M^(N))

Figure 10 – Pseudocode for the Lesamnta-256 computation.


The resulting 256-bit message digest of the message M is

H^(N)_0 || H^(N)_1 || H^(N)_2 || H^(N)_3 || H^(N)_4 || H^(N)_5 || H^(N)_6 || H^(N)_7.

Algorithm 1 Pseudocode for Compression256().

Compression256(word chain[8], word mb[8])
    word K[Nr_comp256][2]
    word x[8]
    word substate256[2]

    1. Prepare the key schedule of the block cipher EncComp256:
    KeyExpComp256(chain, K)

    2. Compute the encryption function of the block cipher EncComp256:
    for j = 0 to 7 do
        x[j] = mb[j]
    end for
    for round = 0 to Nr_comp256 - 1 do
        substate256[0] = x[4]
        substate256[1] = x[5]
        AddRoundKey256(substate256, K[round])
        for iteration = 0 to 3 do
            SubBytes256(substate256)
            ShiftRows256(substate256)
            MixColumns256(substate256)
        end for
        x[6] = x[6] ⊕ substate256[0]
        x[7] = x[7] ⊕ substate256[1]
        WordRotation256(x)
    end for

    3. Compute the intermediate hash value H^(i):
    for j = 0 to 7 do
        chain[j] = x[j] ⊕ mb[j]
    end for

At the end of Compression256(), H^(i) is given by chain[0] || chain[1] || ... || chain[7].


Figure 11 illustrates the round function of the block cipher EncComp256.

[Figure: F256 keyed by the two Round Key words K(round)_0 and K(round)_1, operating on 32-bit words; see the round loop of Algorithm 1.]

Figure 11 – Round function in EncComp256.


The Output function Output256() is shown in the following pseudocode:

Algorithm 2 Pseudocode for Output256().

Output256(word chain[8], word mb[8])
    word K[Nr_out256][2]
    word x[8]
    word substate256[2]

    1. Prepare the key schedule of the block cipher EncOut256:
    KeyExpOut256(chain, K)

    2. Compute the encryption function of the block cipher EncOut256:
    for j = 0 to 7 do
        x[j] = mb[j]
    end for
    for round = 0 to Nr_out256 - 1 do
        substate256[0] = x[4]
        substate256[1] = x[5]
        AddRoundKey256(substate256, K[round])
        for iteration = 0 to 3 do
            SubBytes256(substate256)
            ShiftRows256(substate256)
            MixColumns256(substate256)
        end for
        x[6] = x[6] ⊕ substate256[0]
        x[7] = x[7] ⊕ substate256[1]
        WordRotation256(x)
    end for

    3. Compute the final hash value H^(N):
    for j = 0 to 7 do
        chain[j] = x[j] ⊕ mb[j]
    end for

5.3.2.1 SubBytes256() Transformation

The SubBytes256() transformation is a non-linear byte substitution that operates independently on each byte of the SubState256 by using the substitution table S-box, defined in Fig. 12. The SubBytes256() transformation proceeds as follows:

s'_{r,c} = S-box(s_{r,c}), for 0 ≤ r < 2 and 0 ≤ c < 4.


x\y   0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f
 0   63 7c 77 7b f2 6b 6f c5 30 01 67 2b fe d7 ab 76
 1   ca 82 c9 7d fa 59 47 f0 ad d4 a2 af 9c a4 72 c0
 2   b7 fd 93 26 36 3f f7 cc 34 a5 e5 f1 71 d8 31 15
 3   04 c7 23 c3 18 96 05 9a 07 12 80 e2 eb 27 b2 75
 4   09 83 2c 1a 1b 6e 5a a0 52 3b d6 b3 29 e3 2f 84
 5   53 d1 00 ed 20 fc b1 5b 6a cb be 39 4a 4c 58 cf
 6   d0 ef aa fb 43 4d 33 85 45 f9 02 7f 50 3c 9f a8
 7   51 a3 40 8f 92 9d 38 f5 bc b6 da 21 10 ff f3 d2
 8   cd 0c 13 ec 5f 97 44 17 c4 a7 7e 3d 64 5d 19 73
 9   60 81 4f dc 22 2a 90 88 46 ee b8 14 de 5e 0b db
 a   e0 32 3a 0a 49 06 24 5c c2 d3 ac 62 91 95 e4 79
 b   e7 c8 37 6d 8d d5 4e a9 6c 56 f4 ea 65 7a ae 08
 c   ba 78 25 2e 1c a6 b4 c6 e8 dd 74 1f 4b bd 8b 8a
 d   70 3e b5 66 48 03 f6 0e 61 35 57 b9 86 c1 1d 9e
 e   e1 f8 98 11 69 d9 8e 94 9b 1e 87 e9 ce 55 28 df
 f   8c a1 89 0d bf e6 42 68 41 99 2d 0f b0 54 bb 16

Figure 12 – S-box: substitution values for the byte xy (in hexadecimal format; x selects the row, y the column).

5.3.2.2 ShiftRows256() Transformation

In the ShiftRows256() transformation, the bytes in the second row of the SubState256 are cyclically shifted over one byte (offset). The first row is not shifted. Specifically, the ShiftRows256() transformation proceeds as follows:

s'_{1,c} = s_{1,(c+1) mod 4}, for 0 ≤ c < 4.

5.3.2.3 MixColumns256() Transformation

The MixColumns256() transformation uses multiplication over a finite field, as defined in Sec. 4.2, in the following manner:

[ s'_{0,c} ]   [ 02  01 ] [ s_{0,c} ]
[ s'_{1,c} ] = [ 01  02 ] [ s_{1,c} ],  for 0 ≤ c < 4.

As a result of this multiplication, the two bytes in a column are replaced by the following:

s'_{0,c} = (02 • s_{0,c}) ⊕ s_{1,c},
s'_{1,c} = s_{0,c} ⊕ (02 • s_{1,c}).

5.3.2.4 AddRoundKey256() Transformation

In the AddRoundKey256() transformation, the two-word Round Key K(round) = K(round)_0 || K(round)_1 from the key schedule, as described in Secs. 5.3.2.6 and 5.3.2.7, is added to the SubState256 by a simple bitwise XOR operation. The two words are each added into the SubState256, such that

[s'_{0,0}, s'_{1,0}, s'_{0,1}, s'_{1,1}] = [s_{0,0}, s_{1,0}, s_{0,1}, s_{1,1}] ⊕ K(round)_0,
[s'_{0,2}, s'_{1,2}, s'_{0,3}, s'_{1,3}] = [s_{0,2}, s_{1,2}, s_{0,3}, s_{1,3}] ⊕ K(round)_1.


5.3.2.5 WordRotation256()

WordRotation256() takes eight 32-bit words x_0, x_1, ..., x_7 as input and performs a cyclic permutation. The function proceeds as follows:

x'_{(j+2) mod 8} = x_j, for 0 ≤ j < 8.

5.3.2.6 KeyExpComp256()

During the process of Compression256(H(i−1), M(i)), the EncComp256 block cipher takes the intermediate hash value H(i−1) as the Block Cipher Key and performs the Key Expansion routine KeyExpComp256() to generate a key schedule.

KeyExpComp256() generates a total of 2 ∗ Nr_comp256 words: the algorithm requires an initial set of eight words, and each of the Nr_comp256 rounds requires eight words of key data. The resulting key schedule consists of a linear array of words, with i in the range of 0 ≤ i < 2 ∗ Nr_comp256. The round constant word array $C^{(round)} = C_0^{(round)} \,\|\, C_1^{(round)}$ is defined in Sec. 5.1.1. Expansion of the input key into the key schedule proceeds according to the pseudocode shown in Fig. 3.

SubWords256() is a function that takes 8-byte input words and applies the S-box (Fig. 12) to each of the 8 bytes to produce output words. WordRotation256() is defined in Sec. 5.3.2.5.

Algorithm 3 Pseudocode for KeyExpComp256().

  KeyExpComp256(word chain[8], word K[Nr_comp256][2])
    word K[Nr_comp256][2]
    word t[2]                      /* The structure is not a SubState256 */

    for round = 0 to Nr_comp256 - 1 do
      t[0] = chain[4] ⊕ C[round][0]
      t[1] = chain[5] ⊕ C[round][1]

      SubWords256(t)
      KeyLinear256(t)
      ByteTranspos256(t)

      chain[6] = chain[6] ⊕ t[0]
      chain[7] = chain[7] ⊕ t[1]

      WordRotation256(chain)
      K[round][0] = chain[2]
      K[round][1] = chain[3]
    end for


Each of the functions KeyLinear256() and ByteTranspos256() takes 8 bytes a0, a1, . . . , a7 as input and performs a bytewise permutation. KeyLinear256() is a bytewise operation given by the following equation, where multiplication over GF(2^8) is defined in Sec. 4.2:

$$\begin{bmatrix} a'_{i} \\ a'_{i+1} \\ a'_{i+2} \\ a'_{i+3} \end{bmatrix} = \begin{bmatrix} 02 & 03 & 01 & 01 \\ 01 & 02 & 03 & 01 \\ 01 & 01 & 02 & 03 \\ 03 & 01 & 01 & 02 \end{bmatrix} \begin{bmatrix} a_{i} \\ a_{i+1} \\ a_{i+2} \\ a_{i+3} \end{bmatrix}, \quad i = 0, 4.$$

a′i = (02 • ai) ⊕ (03 • ai+1) ⊕ ai+2 ⊕ ai+3,

a′i+1 = ai ⊕ (02 • ai+1) ⊕ (03 • ai+2) ⊕ ai+3,

a′i+2 = ai ⊕ ai+1 ⊕ (02 • ai+2) ⊕ (03 • ai+3),

a′i+3 = (03 • ai) ⊕ ai+1 ⊕ ai+2 ⊕ (02 • ai+3).


ByteTranspos256() performs bytewise transposition in the following manner:

a′0 = a4, a′1 = a5, a′2 = a2, a′3 = a3,

a′4 = a0, a′5 = a1, a′6 = a6, a′7 = a7.

5.3.2.7 KeyExpOut256()

During the process of Output256(H(N−1), M(N)), the EncOut256 block cipher takes the intermediate hash value H(N−1) as the Block Cipher Key and performs the Key Expansion routine KeyExpOut256() to generate a key schedule.

KeyExpOut256() generates a total of 2 ∗ Nr_out256 words: the algorithm requires an initial set of eight words, and each of the Nr_out256 rounds requires eight words of key data. The resulting key schedule consists of a linear array of words, with i in the range of 0 ≤ i < 2 ∗ Nr_out256. The round constant word array $C^{(round)} = C_0^{(round)} \,\|\, C_1^{(round)}$ is defined in Sec. 5.1.1. Expansion of the input key into the key schedule proceeds according to the pseudocode shown in Fig. 4.

The functions SubBytes256(), ShiftRows256(), MixColumns256(), and WordRotation256() are defined in Secs. 5.3.2.1, 5.3.2.2, 5.3.2.3, and 5.3.2.5, respectively.

Algorithm 4 Pseudocode for KeyExpOut256().

  KeyExpOut256(word chain[8], word K[Nr_out256][2])
    word K[Nr_out256][2]
    word substate256[2]

    for round = 0 to Nr_out256 - 1 do
      substate256[0] = chain[4] ⊕ C[round][0]
      substate256[1] = chain[5] ⊕ C[round][1]

      for iteration = 0 to 3 do
        SubBytes256(substate256)
        ShiftRows256(substate256)
        MixColumns256(substate256)
      end for

      chain[6] = chain[6] ⊕ substate256[0]
      chain[7] = chain[7] ⊕ substate256[1]

      WordRotation256(chain)
      K[round][0] = chain[2]
      K[round][1] = chain[3]
    end for


5.4 Lesamnta-224 Algorithm

Lesamnta-224 can be used to hash a message M having a length of l bits, where 0 ≤ l < 2^64. The algorithm is defined in exactly the same manner as for Lesamnta-256 (Sec. 5.3), with the following two exceptions:

1. The initial hash value H(0) is set as specified in Sec. 5.2.3.1.

2. The 224-bit message digest is obtained by truncating the final hash value H(N) to its leftmost 224 bits:

$$H_0^{(N)} \,\|\, H_1^{(N)} \,\|\, H_2^{(N)} \,\|\, H_3^{(N)} \,\|\, H_4^{(N)} \,\|\, H_5^{(N)} \,\|\, H_6^{(N)}.$$


5.5 Lesamnta-512 Algorithm

Lesamnta-512 can be used to hash a message M having a length of l bits, where 0 ≤ l < 2^128. The final result of Lesamnta-512 is a 512-bit message digest.

5.5.1 Lesamnta-512 Preprocessing

1. Pad the message M , according to Sec. 5.2.1.2.

2. Parse the padded message into N 512-bit message blocks M(1), M(2), . . . , M(N), according to Sec. 5.2.2.2.

3. Set the initial hash value H(0), as specified in Sec. 5.2.3.4.

5.5.2 Lesamnta-512 Computation

The Lesamnta-512 hash computation uses the round constants defined in Sec. 5.1.2. After preprocessing is completed, each message block M(1), M(2), . . . , M(N) is processed in order, as follows:

  for i = 1 to N - 1
    Compression512(H(i−1), M(i))
  end for
  Output512(H(N−1), M(N))

Figure 13 – Pseudocode for the Lesamnta-512 computation.

The resulting 512-bit message digest of the message M is

$$H_0^{(N)} \,\|\, H_1^{(N)} \,\|\, H_2^{(N)} \,\|\, H_3^{(N)} \,\|\, H_4^{(N)} \,\|\, H_5^{(N)} \,\|\, H_6^{(N)} \,\|\, H_7^{(N)}.$$


The Compression function Compression512() is shown in the following pseudocode:

Algorithm 5 Lesamnta-512 computation.

  Compression512(word chain[8], word mb[8])
    word K[Nr_comp512][2]
    word x[8]
    word substate512[2]

    1. Prepare the key schedule of the block cipher EncComp512:
    KeyExpComp512(chain, K)

    2. Compute the encryption function of the block cipher EncComp512:
    for j = 0 to 7 do
      x[j] = mb[j]
    end for
    for round = 0 to Nr_comp512 - 1 do
      substate512[0] = x[4]
      substate512[1] = x[5]
      AddRoundKey512(substate512, K[round])
      for iteration = 0 to 3 do
        SubBytes512(substate512)
        ShiftRows512(substate512)
        MixColumns512(substate512)
      end for
      x[6] = x[6] ⊕ substate512[0]
      x[7] = x[7] ⊕ substate512[1]
      WordRotation512(x)
    end for

    3. Compute the intermediate hash value H(i):
    for j = 0 to 7 do
      chain[j] = x[j] ⊕ mb[j]
    end for

At the end of Compression512(), H(i) is given by chain[0]||chain[1]||. . . ||chain[7]. Figure 14 illustrates the round function of the block cipher EncComp512.


[Figure 14: diagram omitted; labels in the figure: K_0^(round), K_1^(round), F512, 64]

Figure 14 – Round function in EncComp512.


The Output function Output512() is shown in the following pseudocode:

Algorithm 6 Pseudocode for Output512().

  Output512(word chain[8], word mb[8])
    word K[Nr_out512][2]
    word x[8]
    word substate512[2]

    1. Prepare the key schedule of the block cipher EncOut512:
    KeyExpOut512(chain, K)

    2. Compute the encryption function of the block cipher EncOut512:
    for j = 0 to 7 do
      x[j] = mb[j]
    end for
    for round = 0 to Nr_out512 - 1 do
      substate512[0] = x[4]
      substate512[1] = x[5]
      AddRoundKey512(substate512, K[round])
      for iteration = 0 to 3 do
        SubBytes512(substate512)
        ShiftRows512(substate512)
        MixColumns512(substate512)
      end for
      x[6] = x[6] ⊕ substate512[0]
      x[7] = x[7] ⊕ substate512[1]
      WordRotation512(x)
    end for

    3. Compute the final hash value H(N):
    for j = 0 to 7 do
      chain[j] = x[j] ⊕ mb[j]
    end for

At the end of Output512(), H(N) is given by chain[0]||chain[1]||. . . ||chain[7].

5.5.2.1 SubBytes512() Transformation

The SubBytes512() transformation is a non-linear byte substitution that operates independently on each byte of the SubState512 by using the substitution table S-box, defined in Fig. 12. The SubBytes512() transformation proceeds as follows:

s′r,c = S-box(sr,c), for 0 ≤ r < 4 and 0 ≤ c < 4.

5.5.2.2 ShiftRows512() Transformation

In the ShiftRows512() transformation, the bytes in the last three rows of the SubState512 are cyclically shifted over different numbers of bytes (offsets). The first row is not shifted. Specifically, the ShiftRows512() transformation proceeds as follows:

s′r,c = sr,(c+r) mod 4, for 0 < r < 4 and 0 ≤ c < 4.

5.5.2.3 MixColumns512() Transformation

The MixColumns512() transformation uses multiplication over a finite field, as defined in Sec. 4.2, in the following manner:

$$\begin{bmatrix} s'_{0,c} \\ s'_{1,c} \\ s'_{2,c} \\ s'_{3,c} \end{bmatrix} = \begin{bmatrix} 02 & 03 & 01 & 01 \\ 01 & 02 & 03 & 01 \\ 01 & 01 & 02 & 03 \\ 03 & 01 & 01 & 02 \end{bmatrix} \begin{bmatrix} s_{0,c} \\ s_{1,c} \\ s_{2,c} \\ s_{3,c} \end{bmatrix}, \quad \text{for } 0 \le c < 4.$$

As a result of this multiplication, the bytes in a column are replaced by the following:

s′0,c = (02 • s0,c) ⊕ (03 • s1,c) ⊕ s2,c ⊕ s3,c,

s′1,c = s0,c ⊕ (02 • s1,c) ⊕ (03 • s2,c) ⊕ s3,c,

s′2,c = s0,c ⊕ s1,c ⊕ (02 • s2,c) ⊕ (03 • s3,c),

s′3,c = (03 • s0,c) ⊕ s1,c ⊕ s2,c ⊕ (02 • s3,c).

5.5.2.4 AddRoundKey512() Transformation

In the AddRoundKey512() transformation, the two-word Round Key $K^{(round)} = K_0^{(round)} \,\|\, K_1^{(round)}$ from the key schedule, as described in Secs. 5.5.2.6 and 5.5.2.7, is added to the SubState512 by a simple bitwise XOR operation. The two words are each added into the SubState512, such that

$$[s'_{0,0}, s'_{1,0}, s'_{2,0}, s'_{3,0}, s'_{0,1}, s'_{1,1}, s'_{2,1}, s'_{3,1}] = [s_{0,0}, s_{1,0}, s_{2,0}, s_{3,0}, s_{0,1}, s_{1,1}, s_{2,1}, s_{3,1}] \oplus K_0^{(round)},$$

$$[s'_{0,2}, s'_{1,2}, s'_{2,2}, s'_{3,2}, s'_{0,3}, s'_{1,3}, s'_{2,3}, s'_{3,3}] = [s_{0,2}, s_{1,2}, s_{2,2}, s_{3,2}, s_{0,3}, s_{1,3}, s_{2,3}, s_{3,3}] \oplus K_1^{(round)}.$$


5.5.2.5 WordRotation512()

WordRotation512() takes eight 64-bit words x0, x1, . . . , x7 as input and performs a cyclic permutation. The function proceeds as follows:

$$x'_{(j+2) \bmod 8} = x_j, \quad \text{for } 0 \le j < 8.$$

5.5.2.6 KeyExpComp512()

During the process of Compression512(H(i−1), M(i)), the EncComp512 block cipher takes the intermediate hash value H(i−1) as the Block Cipher Key and performs the Key Expansion routine KeyExpComp512() to generate a key schedule.

KeyExpComp512() generates a total of 2 ∗ Nr_comp512 words: the algorithm requires an initial set of eight words, and each of the Nr_comp512 rounds requires eight words of key data. The resulting key schedule consists of a linear array of words, with i in the range of 0 ≤ i < 2 ∗ Nr_comp512. The round constant word array $C^{(round)} = C_0^{(round)} \,\|\, C_1^{(round)}$ is defined in Sec. 5.1.2. Expansion of the input key into the key schedule proceeds according to the pseudocode shown in Fig. 7.

SubWords512() is a function that takes 16-byte input words and applies the S-box (Fig. 12) to each of the 16 bytes to produce output words. WordRotation512() is defined in Sec. 5.5.2.5.

Algorithm 7 Pseudocode for KeyExpComp512().

  KeyExpComp512(word chain[8], word K[Nr_comp512][2])
    word K[Nr_comp512][2]
    word t[2]                      /* The structure is not a SubState512 */

    for round = 0 to Nr_comp512 - 1 do
      t[0] = chain[4] ⊕ C[round][0]
      t[1] = chain[5] ⊕ C[round][1]

      SubWords512(t)
      KeyLinear512(t)
      ByteTranspos512(t)

      chain[6] = chain[6] ⊕ t[0]
      chain[7] = chain[7] ⊕ t[1]

      WordRotation512(chain)
      K[round][0] = chain[2]
      K[round][1] = chain[3]
    end for


Each of the functions KeyLinear512() and ByteTranspos512() takes 16 bytes a0, a1, . . . , a15 as input and performs a bytewise permutation. KeyLinear512() is a bytewise operation given by the following equation, where multiplication over GF(2^8) is defined in Sec. 4.2:

$$\begin{bmatrix} a'_{i} \\ a'_{i+1} \\ a'_{i+2} \\ a'_{i+3} \\ a'_{i+4} \\ a'_{i+5} \\ a'_{i+6} \\ a'_{i+7} \end{bmatrix} = \begin{bmatrix} 01 & 01 & 02 & 0a & 09 & 08 & 01 & 04 \\ 04 & 01 & 01 & 02 & 0a & 09 & 08 & 01 \\ 01 & 04 & 01 & 01 & 02 & 0a & 09 & 08 \\ 08 & 01 & 04 & 01 & 01 & 02 & 0a & 09 \\ 09 & 08 & 01 & 04 & 01 & 01 & 02 & 0a \\ 0a & 09 & 08 & 01 & 04 & 01 & 01 & 02 \\ 02 & 0a & 09 & 08 & 01 & 04 & 01 & 01 \\ 01 & 02 & 0a & 09 & 08 & 01 & 04 & 01 \end{bmatrix} \begin{bmatrix} a_{i} \\ a_{i+1} \\ a_{i+2} \\ a_{i+3} \\ a_{i+4} \\ a_{i+5} \\ a_{i+6} \\ a_{i+7} \end{bmatrix}, \quad i = 0, 8.$$

a′i = ai ⊕ ai+1 ⊕ (02 • ai+2) ⊕ . . . ⊕ (08 • ai+5) ⊕ ai+6 ⊕ (04 • ai+7),

a′i+1 = (04 • ai) ⊕ ai+1 ⊕ ai+2 ⊕ . . . ⊕ (09 • ai+5) ⊕ (08 • ai+6) ⊕ ai+7,

a′i+2 = ai ⊕ (04 • ai+1) ⊕ ai+2 ⊕ . . . ⊕ (09 • ai+6) ⊕ (08 • ai+7),

a′i+3 = (08 • ai) ⊕ ai+1 ⊕ . . . ⊕ (02 • ai+5) ⊕ (0a • ai+6) ⊕ (09 • ai+7),

a′i+4 = (09 • ai) ⊕ (08 • ai+1) ⊕ . . . . . . ⊕ (02 • ai+6) ⊕ (0a • ai+7),

a′i+5 = (0a • ai) ⊕ (09 • ai+1) ⊕ . . . ⊕ (04 • ai+4) ⊕ ai+5 ⊕ ai+6 ⊕ (02 • ai+7),

a′i+6 = (02 • ai) ⊕ (0a • ai+1) ⊕ . . . ⊕ ai+4 ⊕ (04 • ai+5) ⊕ ai+6 ⊕ ai+7,

a′i+7 = ai ⊕ (02 • ai+1) ⊕ (0a • ai+2) . . . ⊕ (04 • ai+6) ⊕ ai+7.

ByteTranspos512() performs bytewise transposition in the following manner:

a′0 = a8, a′1 = a9, a′2 = a10, a′3 = a11, a′4 = a4, a′5 = a5, a′6 = a6, a′7 = a7,

a′8 = a0, a′9 = a1, a′10 = a2, a′11 = a3, a′12 = a12, a′13 = a13, a′14 = a14, a′15 = a15.

5.5.2.7 KeyExpOut512()

During the process of Output512(H(N−1), M(N)), the EncOut512 block cipher takes the intermediate hash value H(N−1) as the Block Cipher Key and performs the Key Expansion routine KeyExpOut512() to generate a key schedule.

KeyExpOut512() generates a total of 2 ∗ Nr_out512 words: the algorithm requires an initial set of eight words, and each of the Nr_out512 rounds requires eight words of key data. The resulting key schedule consists of a linear array of words, with i in the range of 0 ≤ i < 2 ∗ Nr_out512. The round constant word array $C^{(round)} = C_0^{(round)} \,\|\, C_1^{(round)}$ is defined in Sec. 5.1.2. Expansion of the input key into the key schedule proceeds according to the pseudocode shown in Fig. 8.


The functions SubBytes512(), ShiftRows512(), MixColumns512(), and WordRotation512() are defined in Secs. 5.5.2.1, 5.5.2.2, 5.5.2.3, and 5.5.2.5, respectively.

Algorithm 8 Pseudocode for KeyExpOut512().

  KeyExpOut512(word chain[8], word K[Nr_out512][2])
    word K[Nr_out512][2]
    word substate512[2]

    for round = 0 to Nr_out512 - 1 do
      substate512[0] = chain[4] ⊕ C[round][0]
      substate512[1] = chain[5] ⊕ C[round][1]

      for iteration = 0 to 3 do
        SubBytes512(substate512)
        ShiftRows512(substate512)
        MixColumns512(substate512)
      end for

      chain[6] = chain[6] ⊕ substate512[0]
      chain[7] = chain[7] ⊕ substate512[1]

      WordRotation512(chain)
      K[round][0] = chain[2]
      K[round][1] = chain[3]
    end for
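The Lesamnta-512 pieces specified in Secs. 5.5.2.1 to 5.5.2.7 assembled into Compression512() and Output512() (Algorithms 5 to 8), as an added Python example that is not the designers' reference code; the 256-bit variant of Sec. 5.3 follows the same skeleton with a two-row state. The GF(2^8) polynomial, the construction of the S-box and the round constants are assumptions or placeholders, as noted in the module docstring.

```python
"""Lesamnta-512 compression and output functions, written from Secs. 5.5.2.1-5.5.2.7
and Algorithms 5-8 (added example, not the designers' reference code).
A 64-bit word is a bytes object of length 8; the SubState512 (4 rows x 4 columns) is
16 bytes in column-major order s[4*c + r], the order used in the AddRoundKey512 equation.
Assumed (not on this page): the GF(2^8) polynomial of Sec. 4.2 is x^8+x^4+x^3+x+1, the
S-box is inverse + AES affine map (matching the Fig. 12 rows visible here), and the
round constants of Sec. 5.1.2 are replaced by labelled placeholders."""

def gf_mul(a, b):  # product in GF(2^8) modulo x^8+x^4+x^3+x+1 (assumed polynomial)
    p = 0
    while b:
        if b & 1:
            p ^= a
        a = ((a << 1) ^ 0x1B) & 0xFF if a & 0x80 else a << 1
        b >>= 1
    return p

def _build_sbox():  # multiplicative inverse followed by the AES affine map (assumption)
    box = []
    for x in range(256):
        inv = next((y for y in range(1, 256) if gf_mul(x, y) == 1), 0)
        s = inv
        for i in range(1, 5):  # s = inv ^ rotl(inv,1) ^ ... ^ rotl(inv,4) ^ 0x63
            s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
        box.append(s ^ 0x63)
    return bytes(box)

SBOX = _build_sbox()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def sub_bytes512(s):  # Sec. 5.5.2.1; SubWords512 applies the same byte map
    return bytes(SBOX[b] for b in s)

def shift_rows512(s):  # Sec. 5.5.2.2: s'[r,c] = s[r,(c+r) mod 4]
    return bytes(s[4 * ((c + r) % 4) + r] for c in range(4) for r in range(4))

def mix_columns512(s):  # Sec. 5.5.2.3: circulant (02 03 01 01) applied to each column
    out = bytearray(16)
    for c in range(4):
        col = s[4 * c:4 * c + 4]
        for r in range(4):
            out[4 * c + r] = (gf_mul(2, col[r]) ^ gf_mul(3, col[(r + 1) % 4])
                              ^ col[(r + 2) % 4] ^ col[(r + 3) % 4])
    return bytes(out)

def word_rotation512(x):  # Sec. 5.5.2.5: x'[(j+2) mod 8] = x[j]
    return [x[(m - 2) % 8] for m in range(8)]

_KL_ROW0 = (0x01, 0x01, 0x02, 0x0A, 0x09, 0x08, 0x01, 0x04)  # row 0 of the 8x8 matrix

def key_linear512(a):  # Sec. 5.5.2.6: row i of the circulant is row 0 rotated right by i
    out = bytearray(16)
    for base in (0, 8):  # i = 0, 8 in the spec's notation
        for i in range(8):
            for k in range(8):
                out[base + i] ^= gf_mul(_KL_ROW0[(k - i) % 8], a[base + k])
    return bytes(out)

def byte_transpos512(a):  # bytes 0..3 and 8..11 swap places, the rest stay put
    return a[8:12] + a[4:8] + a[0:4] + a[12:16]

def f512(s):  # four SubBytes/ShiftRows/MixColumns iterations (Algorithms 5, 6 and 8)
    for _ in range(4):
        s = mix_columns512(shift_rows512(sub_bytes512(s)))
    return s

def g512(t):  # SubWords/KeyLinear/ByteTranspos (Algorithm 7)
    return byte_transpos512(key_linear512(sub_bytes512(t)))

def placeholder_constant(r):  # stand-in for C^(round) of Sec. 5.1.2: NOT the real values
    return bytes([r & 0xFF, (r * 0x5B) & 0xFF] * 8)

def key_expansion512(chain, mix, nr):  # shared skeleton of Algorithms 7 and 8
    chain = list(chain)
    keys = []
    for r in range(nr):
        t = mix(xor(chain[4] + chain[5], placeholder_constant(r)))
        chain[6], chain[7] = xor(chain[6], t[:8]), xor(chain[7], t[8:])
        chain = word_rotation512(chain)
        keys.append(chain[2] + chain[3])  # K[round] = K0 || K1
    return keys

def _encrypt_feed_forward(mb, keys):  # steps 2 and 3 of Algorithms 5 and 6
    x = list(mb)
    for rk in keys:
        s = f512(xor(x[4] + x[5], rk))  # AddRoundKey512, then the four iterations
        x[6], x[7] = xor(x[6], s[:8]), xor(x[7], s[8:])
        x = word_rotation512(x)
    return [xor(a, b) for a, b in zip(x, mb)]  # chain[j] = x[j] xor mb[j]

def compression512(chain, mb, nr=32):  # Algorithm 5; nr = Nr_comp512 (32 recommended)
    return _encrypt_feed_forward(mb, key_expansion512(chain, g512, nr))

def output512(chain, mb, nr=32):  # Algorithm 6; nr = Nr_out512
    return _encrypt_feed_forward(mb, key_expansion512(chain, f512, nr))
```

Calling compression512() with nr=0 returns eight all-zero words, because the feed-forward then XORs the message block with itself; that is a useful sanity check of the wiring before the real constants of Sec. 5.1.2 are plugged in.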

5.6 Lesamnta-384 Algorithm

Lesamnta-384 can be used to hash a message M having a length of l bits, where 0 ≤ l < 2^128. The algorithm is defined in exactly the same manner as for Lesamnta-512 (Sec. 5.5), with the following two exceptions:

1. The initial hash value H(0) is set as specified in Sec. 5.2.3.3.

2. The 384-bit message digest is obtained by truncating the final hash value H(N) to its leftmost 384 bits:

$$H_0^{(N)} \,\|\, H_1^{(N)} \,\|\, H_2^{(N)} \,\|\, H_3^{(N)} \,\|\, H_4^{(N)} \,\|\, H_5^{(N)}.$$


6 Performance Figures

We present some performance figures for the Lesamnta algorithms here.

6.1 Software Implementation

6.1.1 8-bit Processors

Lesamnta has been implemented in C and assembly languages for 8-bit processors.

6.1.1.1 Implementation on Atmel® AVR® ATmega8515 Processor

Lesamnta was implemented on the Atmel® AVR® ATmega8515 processor in the assembly language, using Atmel®'s AVR Studio® as a development environment and simulator. The performance results are shown in Table 1.

Table 1 – Execution time and memory requirements for Lesamnta on the Atmel® AVR® ATmega8515 in assembly language.

Message digest   Execution time                      Memory requirements
size             Bulk speed      One-block message   Constant data   Code length   RAM
                 (cycles/byte)   (cycles/message)    (bytes)         (bytes)       (bytes)
224              631             47312               256             1118          66
                 901             69678               256             456           68
256              631             47312               256             1118          66
                 901             69678               256             456           68
384              783             114031              256             2604          132
                 988             147088              256             928           135
512              783             114031              256             2604          132
                 988             147088              256             928           135

The second and third columns list the execution time for hashing. The former corresponds to bulk speed, that is, throughput when hashing a long message. The latter is the execution time to hash a 256-bit message with Lesamnta-224 or Lesamnta-256 and a 512-bit message with Lesamnta-384 or Lesamnta-512. The fourth, fifth and sixth columns list memory requirements. The fourth lists the size of constant data and the fifth lists the code length of instructions. The sixth column lists the RAM size. Since Lesamnta does not have any other algorithm than the main algorithm, which processes messages and chaining values, the algorithm setup takes no time.

Time-Memory Trade-Off All the implementations above have only an S-box table of 256 bytes. The difference in code length between the implementations comes from whether internal functions are inlined or not. The resulting time-memory trade-off can be seen in Table 1.


6.1.1.2 Renesas® H8®/300L Processor

Lesamnta was implemented on the Renesas® H8®/300L processor in assembly and C languages, using Renesas®'s High-performance Embedded Workshop as a development environment and simulator. The performance results are shown in Tables 2 and 3.

Table 2 – Execution time and memory requirements for Lesamnta on the Renesas® H8®/300L processor in assembly language.

Message digest   Execution time                      Memory requirements
size             Bulk speed      One-block message   Constant data   Code length   RAM
                 (cycles/byte)   (cycles/message)    (bytes)         (bytes)       (bytes)
224              1526            114660              512             904           80
256              1526            114660              512             904           80

Table 3 – Execution time and memory requirements for Lesamnta on the Renesas® H8®/300L processor in C language.

Message digest   Execution time                      Memory requirements
size             Bulk speed      One-block message   Constant data   Code length   RAM
                 (cycles/byte)   (cycles/message)    (bytes)         (bytes)       (bytes)
224              5442            429232              256             1140          62
256              5442            429232              256             1140          62
384              7551            1012408             256             1712          123
512              7551            1012408             256             1712          123

In the tables, the second and third columns list the execution time for hashing. The former corresponds to bulk speed, that is, throughput when hashing a long message. The latter is the execution time to hash a 256-bit message with Lesamnta-224 or Lesamnta-256 and a 512-bit message with Lesamnta-384 or Lesamnta-512. The fourth, fifth and sixth columns list memory requirements. The fourth lists the size of constant data and the fifth lists the code length of instructions. The sixth column lists the stack size. Since Lesamnta does not have any other algorithm than the main algorithm, which processes messages and chaining values, the algorithm setup takes no time.

6.1.2 32-bit Processors

Here, we show some performance figures for Lesamnta on 32-bit processors.

6.1.2.1 ANSI C Implementation on NIST Reference Platform

We implemented Lesamnta in ANSI C language on the NIST Reference Platform. The NIST Reference Platform contains the Intel® Core™ 2 Duo E6600 processor, Microsoft®'s VisualStudio® 2005 C++ compiler and Windows Vista® Ultimate 32-bit Edition. The platform is shown in Table 4. This implementation follows the NIST API format.

Table 4 – NIST Reference Platform.

Language   CPU                           Memory     OS                                        Compiler
ANSI C     Core™ 2 Duo E6600 (2.4GHz)    2 GBytes   Windows Vista® Ultimate 32-bit Edition    VisualStudio® 2005

Table 5 shows performance figures of the implementation. The second column lists the execution time to hash a long message, which corresponds to bulk speed. The third column lists the execution time to hash a 256-bit message for Lesamnta-224 or Lesamnta-256 and a 512-bit message for Lesamnta-384 or Lesamnta-512. The fourth column shows the size of constant data, which are look-up tables, round constants and initial vectors. The size of the look-up tables dominates the value. Since Lesamnta does not have any other algorithm than the main algorithm, which processes messages and chaining values, the algorithm setup takes no time.

Note that the result for the implementation includes overhead coming from the NIST API format.

Table 5 – Performance figure of implementations in ANSI C language with NIST API on the NIST Reference Platform.

Message digest   Execution time                      Memory requirement
size             Bulk speed      One-block message   Constant data
                 (cycles/byte)   (cycles/message)    (bytes)
224              68.9            5709                8288
256              68.9            5709                8288
384              97.7            14320               12416
512              97.7            14320               12416

6.1.2.2 Assembly Implementation on Intel® Core™ 2 Duo E6600 Processor

Here, we show performance figures of assembly implementations of Lesamnta on the Intel® Core™ 2 Duo processor. The platform used is shown in Table 6. Table 7 shows performance figures of the implementations. The second column lists the execution time to hash a long message, which corresponds to bulk speed. The third column lists the execution time to hash a 256-bit message for Lesamnta-224 or Lesamnta-256 and a 512-bit message for Lesamnta-384 or Lesamnta-512. The fourth column shows the size of constant data, which are look-up tables, round constants and initial vectors. The size of the look-up tables dominates the value. The fifth column lists the code length of the instructions.


Table 6 – NIST Reference Platform.

Language   CPU                           Memory     OS                                         Compiler
Assembly   Core™ 2 Duo E6600 (2.4GHz)    2 GBytes   Ubuntu® Linux® 8.04 32-bit distribution    gnu as

The sixth column lists the size of stack. Since Lesamnta does not have any other algorithm than the main algorithm, which processes messages and chaining values, the algorithm setup takes no time.

Table 7 – Performance figure of implementations in assembly language on the Intel® Core™ 2 Duo processor.

Message digest   Execution time                      Memory requirements
size             Bulk speed      One-block message   Constant data   Code length   Stack
                 (cycles/byte)   (cycles/message)    (bytes)         (bytes)       (bytes)
224              59.2            4750                8288            5705          84
                 100.2           8383                1632            7463          84
256              59.2            4750                8288            5705          84
                 100.2           8383                1632            7463          84
384              54.5            8827                20608           10944         148
                 71.5            10968               9344            13549         148
512              54.5            8827                20608           10944         148
                 71.5            10968               9344            13549         148

Time-Memory Tradeoff As is seen from Table 7, there is a tradeoff between the speed of hashing and the size of look-up tables.

6.1.2.3 ANSI C Implementation on ARM® ARM926EJ-S™ Processor

Lesamnta was implemented on the ARM® ARM926EJ-S™ processor in ANSI C language, using ARM®'s RealView® Development Suite as a development environment and simulator. The performance results are shown in Table 8.

Table 8 shows performance figures of the implementation. The second column lists the execution time to hash a long message, which corresponds to bulk speed. The third column lists the execution time to hash a 256-bit message for Lesamnta-224 or Lesamnta-256 and a 512-bit message for Lesamnta-384 or Lesamnta-512. The fourth column shows the size of constant data, which are look-up tables, round constants and initial vectors. The size of the look-up tables dominates the value. Since Lesamnta does not have any other algorithm than the main algorithm, which processes messages and chaining values, the algorithm setup takes no time.


Table 8 – Performance figure of implementations in ANSI C language with NIST API on the ARM® ARM926EJ-S™ processor.

Message digest   Execution time                      Memory requirement
size             Bulk speed      One-block message   Constant data
                 (cycles/byte)   (cycles/message)    (bytes)
224              204.1           15978               8288
256              204.1           15978               8288
384              244.0           34020               12416
512              244.0           34020               12416

6.1.3 64-bit Processor

Here, we show some performance figures for Lesamnta on a 64-bit processor.

6.1.3.1 ANSI C Implementation on NIST Reference Platform

We implemented Lesamnta in ANSI C language on the NIST Reference Platform. The NIST Reference Platform contains the Intel® Core™ 2 Duo 2.4GHz processor, Microsoft®'s VisualStudio® 2005 C++ compiler and Windows Vista® Ultimate 64-bit Edition. The platform is shown in Table 9. Moreover, the implementation follows the NIST API format.

Table 9 – NIST 64-bit Reference Platform.

Language   CPU                           Memory     OS                               Compiler
ANSI C     Core™ 2 Duo E6600 (2.4GHz)    2 GBytes   Windows Vista® 64-bit Edition    VisualStudio® 2005

Table 10 shows performance figures of the implementation. The second column lists the execution time to hash a long message, which corresponds to bulk speed. The third column lists the execution time to hash a 256-bit message for Lesamnta-224 or Lesamnta-256 and a 512-bit message for Lesamnta-384 or Lesamnta-512. The fourth column shows the size of constant data, which are look-up tables, round constants and initial vectors. The size of the look-up tables dominates the value. Since Lesamnta does not have any other algorithm than the main algorithm, which processes messages and chaining values, the algorithm setup takes no time.

Note that the result for the implementation includes overhead coming from the NIST API format.

6.1.3.2 Assembly Implementation on Intel® Core™ 2 Duo Processor

Here, we show performance figures of assembly implementations of Lesamnta on the Intel® Core™ 2 Duo processor. The platform used is shown in Table 11.


Table 10 – Performance figure of implementations in ANSI C language with NIST API on the NIST 64-bit Reference Platform.

Message digest   Execution time                      Memory requirement
size             Bulk speed      One-block message   Constant data
                 (cycles/byte)   (cycles/message)    (bytes)
224              78.4            6581                8288
256              78.4            6581                8288
384              65.4            10962               24704
512              65.4            10962               24704

Table 11 – 64-bit Platform used for measurement of assembly codes.

Language   CPU                           Memory     OS                                         Compiler
Assembly   Core™ 2 Duo E6600 (2.4GHz)    2 GBytes   Ubuntu® Linux® 8.04 64-bit distribution    gnu as

Table 12 shows performance figures of the implementations. The second column lists the execution time to hash a long message, which corresponds to bulk speed. The third column lists the execution time to hash a 256-bit message for Lesamnta-224 or Lesamnta-256 and a 512-bit message for Lesamnta-384 or Lesamnta-512. The fourth, fifth and sixth columns list memory requirements. The fourth column shows the size of constant data, which are look-up tables, round constants and initial vectors. The size of the look-up tables dominates the value. The fifth column lists the code length of the instructions. The sixth column lists the size of stack. Since Lesamnta does not have any other algorithm than the main algorithm, which processes messages and chaining values, the algorithm setup takes no time.

Time-Memory Tradeoff As is seen from Table 12, there is a tradeoff between the speed of hashing and the size of look-up tables.

6.2 Hardware

6.2.1 ASIC Implementation

We made estimations for speed and gate count of several different hardware architectures of Lesamnta. These estimates are based on an existing 90 nm CMOS standard cell library. A gate is a two-input NAND equivalent. The results are shown in Table 13.


Table 12 – Performance figure of implementations in assembly language on the Intel® Core™ 2 Duo processor.

Message digest   Execution time                      Memory requirements
size             Bulk speed      One-block message   Constant data   Code length   Stack
                 (cycles/byte)   (cycles/message)    (bytes)         (bytes)       (bytes)
224              52.7            4318                16672           5921          88
                 93.8            8151                1824            7817          80
256              52.7            4318                16672           5921          88
                 93.8            8151                1824            7817          80
384              51.2            8373                24704           12326         200
                 70.8            10752               9344            13948         208
512              51.2            8373                24704           12326         200
                 70.8            10752               9344            13948         208

7 Tunable Security Parameters

Lesamnta provides the following tunable security parameters.

1. The number of rounds for EncComp256: Nr_comp256;

2. The number of rounds for EncOut256: Nr_out256;

3. The number of rounds for EncComp512: Nr_comp512; and

4. The number of rounds for EncOut512: Nr_out512.

Choosing the values for these parameters enables selection of a range of possiblesecurity/performance tradeoffs. Considering the security analysis results describedin Sec. 5, however, we recommend a value of 32 for each of these parameters, asspecified in Sec. 3. Hereafter, we denote this recommended value of 32 by nR.

8 Design Rationale

8.1 Block-Cipher-Based Hash Functions

The design rationale of Lesamnta is based on achieving the following goals:

• To provide the same application program interface as that of the SHA-2 family;

• To ensure both attack-based security and proof-based security; and

• To be efficient on a wide range of platforms.

To achieve these goals, we adopted an iterative hash function based on the block cipher as the basic design. Since the idea of building hash functions from block ciphers goes back more than 30 years, the enormous volume of research on this idea helped us to design Lesamnta.


Table 13 – ASIC implementation estimates of Lesamnta.

Message digest   Architecture        Gate count   Max. frequency   Throughput
size                                 (k gates)    (MHz)            (Mbps)
256              Speed Optimized     190.1        282.5            6026.4
                 Balance Optimized   68.0         636.9            3623.5
                 Area Optimized      20.7         169.8            336.9
512              Speed Optimized     393.0        234.2            9992.2
                 Balance Optimized   144.9        571.4            6501.6
                 Area Optimized      44.3         144.1            571.9

Hence, Lesamnta basically follows a traditional design but incorporates new methods to resist recent attacks and provide security proof.

8.2 Domain Extension

The domain extension scheme of Lesamnta is designed to achieve the following goals: efficiency comparable to that of the Merkle-Damgård iteration, and security against the length-extension attack. The scheme consists of the Merkle-Damgård iteration of the compression function, enveloped with the output function. We call this MDO, and it is illustrated in Figure 15. Unlike the NMAC-like domain extension in [9], the output function g takes the last block of the padded message input as a part of its input. The output function avoids the length-extension attack. The overhead of the output function is small, since it shares components with the compression function.

[Figure 15: starting from H(0), the compression function h is applied to M(1), M(2), ..., M(N−1) in turn, and the output function g is applied to the last block M(N).]

Figure 15 – Domain extension scheme MDO. h is the compression function, and g is the output function. pad(M) = M(1)‖M(2)‖···‖M(N−1)‖M(N), where pad is the padding function and M is a message input.

8.3 Compression Function

8.3.1 PGV Mode

The criteria taken into account in designing the compression function are the following:

• Efficiency equal to that of the underlying block cipher;


• Provable security in theoretical models; and

• Security evaluation using attacks against block ciphers.

The first criterion implies that the compression function should be as efficient as the underlying block cipher in terms of any computational resource. The second and third criteria imply that the security of the compression function can be reduced to that of the block cipher.

The PGV modes [7] meet the first criterion, because they use the block cipher exactly once. Not all PGV modes, however, meet the second criterion. It has been shown that twelve PGV modes are secure in the ideal cipher model in terms of collision resistance and preimage resistance [7].

Lesamnta uses the Matyas-Meyer-Oseas (MMO) mode, which is one of the secure PGV modes in terms of collision resistance and preimage resistance. The MMO mode is defined as follows:

h(H(i−1), M (i)) = E(H(i−1), M (i)) ⊕ M (i) ,

where E is an encryption function and H(i−1) works as the key, as illustrated in Figure 16 [24].

[Figure 16: M(i) is the plaintext input to E, H(i−1) is the key, and the ciphertext is XORed with M(i) to give H(i).]

Figure 16 – Matyas-Meyer-Oseas (MMO) mode.

The MMO mode has no feedforward of the key, but only feedforward of the message. Compared with the other eleven secure PGV modes, it is easier to analyze the security of the MMO mode with block-cipher attacks. Thus, the security of the MMO mode can be reduced to the security of the underlying block cipher, in the senses of both proof-based security and attack-based security.

8.4 Output Function

To increase the security margin in terms of pseudo-randomness and to offer a tradeoff between security and efficiency, Lesamnta uses an output function g, constructed from an encryption function L in the following manner:

g(H(N−1), M (N)) = L(H(N−1), M (N)) ⊕ M (N) .


8.5 Block Ciphers

Each of the four Lesamnta algorithms uses two block ciphers, E and L. We set the following requirements as goals for our design of these underlying block ciphers.

• 256-bit block ciphers for Lesamnta-224/256 and 512-bit block ciphers for Lesamnta-384/512.

• Key lengths of 256 bits for the 256-bit block ciphers and 512 bits for the 512-bit block ciphers.

• Resistance against known attacks.

• Design simplicity:

  – To facilitate ease of security analysis;

  – To facilitate ease of implementation.

• Speed on general-purpose processors, on server processors, on future processors, and on various hardware platforms.

• Capable of implementation on an 8-bit processor with a small amount of RAM.

• Capable of implementation in hardware with a small gate count.

Figure 17 shows an overview of the encryption function E.

[Figure 17: the key input enters the key scheduling function, which iterates fK with the round constants C(0), C(1), ..., C(nR−1); the plaintext input enters the mixing function, which iterates fM with the round keys produced by the key scheduling function; the output is the final state of the mixing function.]

Figure 17 – Structure of the encryption function for the hash function, E.

The encryption function E is broken into two parts to process data: the key scheduling function and the mixing function. Each of these iteratively uses a sub-function. Therefore, we denote the corresponding sub-functions for the key scheduling function and the mixing function by fK and fM, respectively.

Figure 18 shows an overview of the encryption function L.

[Figure 18: the same layout as Figure 17, with the round constants C(0), C(1), ..., C(nR−1) entering the key scheduling function, but with fM used as the round function in both the key scheduling function and the mixing function.]

Figure 18 – Structure of the encryption function for the output function, L.

The structure of L is similar to that of E. In L, both the key scheduling function and the mixing function use fM as the round function.


9 Motivation for Design Choices

9.1 Padding Method

The padding method of Lesamnta adopts Merkle-Damgård strengthening. Thus, the last block of a padded message includes the binary representation of the length of the message input.

In the padding method of Lesamnta, the last block does not contain any part of the message input. It only contains the length of the message input. As shown in Figs. 6 and 7 or Figs. 8 and 9, there are at most two possibilities for the last block corresponding to the remaining blocks. This property is necessary to prove that Lesamnta is indifferentiable from a random oracle in the ideal cipher model.

9.2 MMO Mode

We have four motivations for choosing the MMO mode.

1. Attack-based security
From the viewpoint of attacks on a block cipher, recent collision-finding attacks use the fact that an attacker can directly control the key of the block cipher. This is because popular hash functions such as the SHA-2 family use the Davies-Meyer (DM) mode with a poor key scheduling function. In contrast, the MMO mode does not allow the attacker to control the key of the block cipher. Rather, since the key corresponds to the previous chaining value, the attacker must control the chaining values by varying the message block. When we assume that the key (i.e., the previous chaining value) is fixed for the attacker, the attack model is similar to the attack model of block-cipher cryptanalysis. Then, known countermeasures against block-cipher cryptanalysis can be applied to design a secure MMO mode.

2. Proof-based security
The MMO mode enables us to reduce the security of Lesamnta to that of the underlying block ciphers to a greater extent than with the DM mode used by the SHA family. In particular, the PRF property of HMAC is almost reduced to the PRP property of the underlying block ciphers. Furthermore, Lesamnta can be shown indifferentiable from a random oracle in the ideal cipher model.

3. Efficiency of implementation
The computational resources required by the MMO mode are almost the same as those required by the block cipher. In particular, the following properties contribute to performance:

• The number of invocations of the block cipher is exactly one.

• The size of the internal buffer is less than that of other secure PGV modes such as the Miyaguchi-Preneel mode.


• The output length is equal to that of the block cipher.

4. Resistance against side-channel attacks
Side-channel attacks should be taken into account in hardware implementations. It has been pointed out that one can perform side-channel attacks on HMAC with hash functions using the DM mode, such as the SHA family [27]. We thus adopt the MMO mode, with which HMAC remains secure against such side-channel attacks.

9.3 Output Function

The primary purpose of the output function is to make length-extension attacks impossible. Resisting length-extension attacks requires that the following tasks be infeasible, where h and g are the compression function and the output function, respectively.

• To find H(k−1), M (k) satisfying h(H(k−1), M (k)) = g(H(k−1), M (k)); and

• To find H(N−1) satisfying y = g(H(N−1), M (N)) for given y and M (N).

In Lesamnta, h and g are both in the MMO mode, but the underlying block ciphers are different. The use of different block ciphers is effective in making the first task infeasible. To make the second task infeasible, Lesamnta uses a well-designed underlying block cipher for g. Additionally, to keep the implementation cost low, the block cipher of g consists of only the mixing function of h.

9.4 Block Cipher

Each algorithm of Lesamnta uses two block ciphers, E and L. E is used in the compression function and L is used in the output function. To reduce the hardware complexity, E shares the mixing function with L. In addition, the mixing function is identical to the key scheduling function in L except that the additional input parameter changes from the round key to the round constant.

The block size and key size of the block ciphers are both 256 (512) bits for Lesamnta-256 (Lesamnta-512). The block cipher plays an important role in both ensuring resistance against cryptanalytic attacks and achieving high performance. To meet these requirements, for the round function, we adopt a well-studied Feistel network and apply the design approach of AES in designing the F function, which is the most significant component of the underlying block ciphers. As a result, we can show that 12 rounds are secure against differential cryptanalysis in the sense that the maximum differential characteristic probability is less than 2^{-256} (2^{-512}).


9.4.1 Mixing Function

The plaintext is denoted by P = (p0, p1, ..., p7), and the ciphertext by C = (c0, c1, ..., c7). The mixing function is defined as follows:

$$(x_0^{(0)}, x_1^{(0)}, \ldots, x_7^{(0)}) = (p_0, p_1, \ldots, p_7),$$

$$(x_0^{(r)}, x_1^{(r)}, \ldots, x_7^{(r)}) = f_M(x_0^{(r-1)}, x_1^{(r-1)}, \ldots, x_7^{(r-1)}), \qquad 1 \le r \le n_R,$$

$$(c_0, c_1, \ldots, c_7) = (x_0^{(n_R)}, x_1^{(n_R)}, \ldots, x_7^{(n_R)}).$$

9.4.1.1 Network in the Round Function

Our strategy for designing the mixing function of Lesamnta is to construct it from block cipher components whose security and efficiency have been well studied. This is because techniques to design and analyze block ciphers have become well understood through the AES competition. By now, we know a lot about both how to design 64-bit or 128-bit block ciphers and how to evaluate these ciphers.

Our design approach is to construct a 256-bit (512-bit) hash function from a 64-bit (128-bit) block-cipher-like permutation. In this respect, the Feistel network is more suitable than the SP network, since using the SP network would require designing 256-bit and 512-bit block ciphers, which we think are less mature in terms of design, analysis, and implementation.

[Figure 19: four branches, one of which passes through F together with a round key before being XORed into another branch; the branches then rotate.]

Figure 19 – Type 1 4-branch generalized Feistel network.

The mixing function of the block cipher of Lesamnta uses a type 1 4-branch generalized Feistel network (GFN) [36] for simplicity and hardware flexibility. It is illustrated in Fig. 2. For implementation reasons, each of the branches is stored in two 32-bit (64-bit) words for Lesamnta-256 (Lesamnta-512).

The round function fM consists of XOR operations, a nonlinear function F, and a wordwise permutation. The F function is a non-linear transformation with a two-word input, a two-word round key input K(r) taken from the key schedule, and a two-word output. The round function fM is defined as follows:

$$x_0^{(r)} \| x_1^{(r)} = (x_6^{(r-1)} \| x_7^{(r-1)}) \oplus F(K^{(r)}, x_4^{(r-1)} \| x_5^{(r-1)}),$$

$$x_2^{(r)} = x_0^{(r-1)}, \quad x_3^{(r)} = x_1^{(r-1)}, \quad x_4^{(r)} = x_2^{(r-1)},$$

$$x_5^{(r)} = x_3^{(r-1)}, \quad x_6^{(r)} = x_4^{(r-1)}, \quad x_7^{(r)} = x_5^{(r-1)}.$$


9.4.1.2 F Function

The functions F256 and F512 are the most significant components of the underlying block ciphers. Note that we denote F256 and F512 by F when the message digest size is not relevant. Our requirements on the F functions are both efficiency and resistance against known attacks such as differential cryptanalysis. Another requirement on the F functions is invertibility for a given round key, to make the analysis of collision attacks easy. To design the F functions, we applied one of the most successful approaches, known as the wide trail strategy [10], which is used in the design of AES. We can show that the maximum differential characteristic probability for Lesamnta-256 (Lesamnta-512) is less than 2^{-54} (2^{-150}) by applying the Four-Round Propagation Theorem of the wide trail strategy to the F functions.

Hereafter, we explain each step used in the F functions. In Lesamnta-224/256 and Lesamnta-384/512, operations are performed on SubState256 and SubState512, respectively.

The functions F256 and F512 are composite mappings parameterized by the round key:

F256 = F̄256 ∘ AddRoundKey256(), where F̄256 = (ShiftRows256() ∘ ByteTranspos256() ∘ SubBytes256())^4,

F512 = F̄512 ∘ AddRoundKey512(), where F̄512 = (ShiftRows512() ∘ ByteTranspos512() ∘ SubBytes512())^4.

The function F is a sequence of transformations called steps, as in AES. The steps used in the full Lesamnta are the round key addition step, the non-linear step, the byte transposition step, and the linear diffusion step. For Lesamnta-384/512, each step in F512 is the same as the corresponding step in AES.

9.4.1.3 Round Key Addition Step

The round key addition steps AddRoundKey256() and AddRoundKey512() simply combine the SubState with the round key by means of a bitwise XOR operation, to facilitate ease of security analysis and of implementation.

9.4.1.4 Non-Linear Step

The non-linear steps SubBytes256() and SubBytes512() consist of parallel applications of a non-linear substitution box. As the S-box, we apply the S-box used in AES, for both security and implementation reasons. This S-box has the following properties:

• The maximum differential probability is 2^{-6}.

• The S-box has no fixed points.


9.4.1.5 Byte Transposition Step

The byte transposition steps ByteTranspos256() and ByteTranspos512() cyclically shift rows over different numbers of bytes (offsets). These offsets are selected in such a way that ByteTranspos256() and ByteTranspos512() are diffusion optimal [10], which means that the different bytes in each column are distributed over all different columns.

9.4.1.6 Linear Diffusion Step

The linear diffusion steps ShiftRows256() and ShiftRows512() are linear mappings based on an MDS code. An important diffusion measure introduced in [10] is the branch number. The branch numbers of ShiftRows256() and ShiftRows512() are 3 and 5, respectively. ShiftRows256() and ShiftRows512() mix the bytes in each SubState256 column and in each SubState512 column, respectively.

9.4.2 Key Scheduling Function

Since the structure of the key scheduling function is similar to that of the mixing function, strong non-linearity is ensured, as compared with the key scheduling functions of the SHA-2 family.

We designed the key scheduling function in E for the following purposes:

1. It introduces asymmetry, which prevents symmetry between rounds from leading to attacks such as slide attacks.

2. It provides the resistance against pseudo-collision attacks.

Note that in the collision attack model, the attacker cannot control the input to the key scheduling function in a direct way, due to the MMO mode, while in the pseudo-collision attack model, he can.

3. It should be efficient on a wide range of platforms.

For the security purposes, the key scheduling function uses the type 1 generalized Feistel network, where the non-linear function uses the composition of a non-linear step and a linear diffusion step, as is commonly done in block ciphers. For the performance purposes, the linear diffusion step is composed of a linear mapping based on an MDS code and a bytewise permutation, because linear diffusion steps consisting of a single linear mapping based on an MDS code would be expensive. The branch numbers of the linear mappings for E256 and E512 are 5 and 9, respectively. Since the key scheduling function shares most of its components with the mixing function, an efficient hardware implementation is possible.


9.4.3 Round Constants

The round constants introduce randomness, non-regularity, and asymmetry into the key scheduling function. The round constants of Lesamnta are generated by a counter-like function (Sec. 5.1). Each of the two words of a round constant changes its value over the rounds. This is because the linear mapping used in the key schedule operates on one word rather than two.

In contrast, the round constants of popular hash functions are often generated from real numbers such as √2. Hence, they are usually implemented via a large lookup table. Round constant generation by a counter-like function is more suitable for a hardware-efficient implementation on resource-poor devices such as RFID tags than is generation by a large lookup table.


10 Expected Strength and Security Goals

Table 14 shows the expected strength of Lesamnta for each of the security requirements (i.e., the expected complexity of attacks). The meaning of the values in Table 14 is explained below. The row labelled "HMAC" lists the approximate number of queries required by any distinguishing attack against HMAC using Lesamnta. The row labelled "PRF" lists the approximate number of queries required by any distinguishing attack against the additional PRF modes. The row labelled "Randomized hashing" lists the approximate complexity of finding another pair of a message and a random value for a given pair of a 2^k-bit message and a random value. The fourth row lists the approximate complexity of any collision attack. The fifth row lists the approximate complexity of any preimage attack. The sixth row lists the approximate complexity of the Kelsey-Schneier second-preimage attack with any first preimage shorter than 2^k bits. The seventh row lists the approximate number of queries required by any length-extension attack against Lesamnta. A cryptanalytic attack may be a profound threat to Lesamnta if its complexity is much less than the complexity in Table 14.

Table 14 – Expected strength of Lesamnta.

Requirement                  Lesamnta-224   Lesamnta-256   Lesamnta-384   Lesamnta-512
HMAC                         2^112          2^128          2^192          2^256
PRF                          2^112          2^128          2^192          2^256
Randomized hashing           2^(256−k)      2^(256−k)      2^(512−k)      2^(512−k)
Collision resistance         2^112          2^128          2^192          2^256
Preimage resistance          2^224          2^256          2^384          2^512
Second-preimage resistance   2^(256−k)      2^(256−k)      2^(512−k)      2^(512−k)
Length-extension attacks     2^112          2^128          2^192          2^256

Table 14 includes both proof-based strength and attack-based strength. The security proofs of Lesamnta are as follows:

Proved security 1: Lesamnta is indifferentiable from a random oracle under the assumption that the block ciphers E and L are independent ideal ciphers.

This proof partially ensures the security of randomized hashing, collision resistance, preimage resistance, second-preimage resistance, and resistance against length-extension attacks.

Proved security 2: Lesamnta is collision resistant under the assumption that the compression function h and the output function g are collision resistant.


This proof ensures collision resistance and, in part, preimage resistance and second-preimage resistance.

Proved security 3: Lesamnta is a pseudorandom function under the assumption that the block ciphers E and L are independent pseudorandom permutations.

This proof ensures the security of HMAC and PRF.

The attack-based strength is estimated in security analysis against known attacksdescribed in Sec. 5.

11 Security Reduction Proof

11.1 MMO Mode

11.1.1 Collision Resistance

The collision resistance of the MMO mode is proved in the ideal cipher model. The MMO mode is given by h(H, M) = E(H, M) ⊕ M, where E is an ideal cipher. Consider an infinitely powerful adversary A that makes q queries to E and E^{-1}. Then, the col-advantage of A is defined as

$$\mathrm{Adv}^{\mathrm{col}}_h(A) = \Pr\Big[\big((H,M) \ne (H',M') \wedge h(H,M) = h(H',M')\big) \vee h(H,M) = H^{(-1)} \;\Big|\; A^{E,E^{-1}} = ((H,M),(H',M'))\Big],$$

where n is the block length of E. According to Black et al.'s analysis [7], the col-advantage is bounded by

$$\frac{0.039\,(q-1)(q-2)}{2^n} \le \mathrm{Adv}^{\mathrm{col}}_h(A) \le \frac{q(q+1)}{2^n}.$$

The above inequality means that any adversary must make about 2^{n/2} queries to find a collision.

In Lesamnta, the dedicated block cipher is in place of the ideal cipher E. Although it is not an ideal cipher, the above inequality suggests that the MMO mode is a good choice for designing a compression function.

11.1.2 Preimage Resistance

The preimage resistance of the MMO mode is proved in the ideal cipher model. The pre-advantage of A is defined as, for any public constant K,

$$\mathrm{Adv}^{\mathrm{pre}}_h(A) = \Pr\Big[M \notin Q \wedge h(K,M) = H \;\Big|\; A^{E,E^{-1}} = (M,H)\Big],$$

where Q is the set of messages that A sends to E or receives from E^{-1} [7]. Since h(K, M) = E(K, M) ⊕ M, the pre-advantage is transformed into

$$\mathrm{Adv}^{\mathrm{pre}}_h(A) = \Pr\Big[M \notin Q \wedge E(K,M) = H \oplus M \;\Big|\; A^{E,E^{-1}} = (M,H)\Big].$$


Denoting by q the number of queries, we have

$$\mathrm{Adv}^{\mathrm{pre}}_h(A) = \frac{1}{2^n - q}.$$

In Lesamnta, the dedicated block cipher is in place of the ideal cipher E. Although it is not an ideal cipher, the preimage resistance of the MMO mode is reduced to the correlation between a plaintext and a ciphertext for a known key.

11.1.3 Pseudorandom Function

Consider an adversary A that outputs a bit after making queries to an oracle. Suppose that K is randomly chosen from a key space, ρ is a random function, and π is a random permutation. Then, the prf-advantage and the prp-advantage of A are defined as

$$\mathrm{Adv}^{\mathrm{prf}}_E(A) = \Big|\Pr\big[A^{E(K,\cdot)} = 1\big] - \Pr\big[A^{\rho} = 1\big]\Big|,$$

$$\mathrm{Adv}^{\mathrm{prp}}_E(A) = \Big|\Pr\big[A^{E(K,\cdot)} = 1\big] - \Pr\big[A^{\pi} = 1\big]\Big|,$$

where E is the underlying block cipher of the MMO mode. For any adversary A that makes q queries to the oracle, where q < 2^{n/2}, the PRP/PRF switching lemma yields

$$\mathrm{Adv}^{\mathrm{prp}}_E(A) - \frac{q(q-1)}{2^{n+1}} \le \mathrm{Adv}^{\mathrm{prf}}_E(A) \le \mathrm{Adv}^{\mathrm{prp}}_E(A) + \frac{q(q-1)}{2^{n+1}}.$$

Since the MMO mode h is given by h(K, M) = E(K, M) ⊕ M, for any adversary A against E there is an adversary B against h that makes the same number of queries as A and has the same prf-advantage:

$$\mathrm{Adv}^{\mathrm{prf}}_h(B) = \mathrm{Adv}^{\mathrm{prf}}_E(A).$$

Hence, we have

$$\mathrm{Adv}^{\mathrm{prp}}_E(A) - \frac{q(q-1)}{2^{n+1}} \le \mathrm{Adv}^{\mathrm{prf}}_h(B) \le \mathrm{Adv}^{\mathrm{prp}}_E(A) + \frac{q(q-1)}{2^{n+1}}.$$

The above inequality roughly means that if E is a secure block cipher, then h is a pseudorandom function.

11.2 MDO Domain Extension with MMO Functions

11.2.1 Collision Resistance

It is easy to see that Lesamnta is collision-resistant (CR) if its compression function and output function are CR, that is, if it is difficult to compute a pair of distinct (S, X) and (S′, X′) such that

ES(X) ⊕ X = ES′(X ′) ⊕ X ′ or LS(X) ⊕ X = LS′(X ′) ⊕ X ′


for the underlying block ciphers E and L. Unfortunately, the pseudorandomness of a block cipher does not imply this property; it is easy to find a counterexample. However, it is still reasonable to assume that well-designed block ciphers have this property.

The CR of Lesamnta can also be proved in the ideal cipher model using the technique of Black et al. in [7].

11.2.2 HMAC

Lesamnta supports HMAC specified in FIPS 198:

HMAC(K, M) = H((K ⊕ opad)‖H((K ⊕ ipad)‖M)) ,

where H represents Lesamnta and K is a secret key. A diagram of HMAC using Lesamnta is given in Figure 20.

[Figure 20: inner hashing starts from IV, applies E to Kip and to M(1), ..., M(N−1), and applies L to M(N), giving V; outer hashing starts from IV, applies E to Kop and to V, and applies L to the length-only block 1‖bin(|Kop‖V|).]

Figure 20 – Diagram of HMAC using Lesamnta. E and L are the underlying (n, n) block ciphers. Kip = K ⊕ ipad and Kop = K ⊕ opad. For a message input M, pad(Kip‖M) = Kip‖M(1)‖···‖M(N), where pad is the padding function. bin(|Kop‖V|) represents the (n−1)-bit binary representation of the length of Kop‖V.

The security of HMAC using Lesamnta is reduced to the security of the underlying block ciphers. HMAC using Lesamnta resists any distinguishing attack that requires much fewer than 2^{n/2} queries if the underlying block ciphers are independent pseudorandom permutations and the following function is a pseudorandom bit generator:

µE(K) = (EIV (Kop) ⊕ Kop)‖(EIV (Kip) ⊕ Kip) ,

where Kop = K ⊕ opad and Kip = K ⊕ ipad.


11.2.3 Indifferentiability from the Random Oracle

Many cryptographic protocols are proved to be secure on the assumption that the underlying hash functions are random oracles. Thus, it is important to support this kind of result by validating the ideal assumption in the manner of [9].

Lesamnta is shown to resist any attack that differentiates it from a random oracle with much fewer than 2^{n/2} queries in the ideal cipher model.

12 Preliminary Analysis

In our preliminary analysis, we analyzed the resistance of Lesamnta against various kinds of known attacks, such as collision-finding, first-preimage-finding, second-preimage-finding, length-extension and multicollision attacks. The best results on attacks on Lesamnta-256 are a collision-finding attack on 16 rounds with complexity 2^97, a first-preimage-finding attack on 16 rounds with complexity 2^193, and a second-preimage-finding attack on 16 rounds with complexity 2^193. These attacks are easily repeated in the case of Lesamnta-512. The best results on attacks on Lesamnta-512 are a collision-finding attack on 16 rounds with complexity 2^193, a first-preimage-finding attack on 16 rounds with complexity 2^385, and a second-preimage-finding attack on 16 rounds with complexity 2^385.

In this section, we view the 256-bit internal state of Lesamnta-256 as four 64-bit words, instead of eight 32-bit words, in order to make the analysis easier. Similarly, we view the 512-bit internal state of Lesamnta-512 as four 128-bit words, instead of eight 64-bit words. We denote F256 and F512 by F. Furthermore, we decompose F as F = F̄ ∘ AddRoundKey. Note that F̄ is a permutation.

Figures 21 and 22 illustrate another representation of fM and of the F̄ permutation, respectively.

[Figure 21: the four words y0, y1, y2, y3 enter the round, F with the round key is applied to one of them and XORed into another, and the words y′0, y′1, y′2, y′3 leave.]

Figure 21 – Another representation of fM.


[Figure 22: F is AddRoundKey followed by the permutation F̄.]

Figure 22 – F̄ permutation.

12.1 Length-Extension Attack

As the actual method for making the length-extension attack impossible, Lesamnta uses an output function different from the compression function. Furthermore, Lesamnta is proved to be indifferentiable from a random oracle in the ideal cipher model. Security against the length-extension attack is a necessary condition for being indifferentiable from a random oracle.

12.2 Multicollision Attack

Joux's multicollision attack [17] can be applied to Lesamnta. It is easy to see that the complexity of finding 2^t collisions of Lesamnta is O(t · 2^{n/2}) if the birthday attack is used to find collisions of its compression function or output function.

12.3 Kelsey-Schneier Attack for Second-Preimage-Finding

The Kelsey-Schneier second-preimage attack [18] can be applied to Lesamnta. Against this attack, it has second-preimage resistance of approximately n − k bits for any message shorter than 2^k bits.

12.4 Randomized Hashing Mode

The randomized hashing mode in NIST SP 800-106 [12] can be applied to Lesamnta. However, the more general mode called RMX [14] is suitable for iterated hash functions. The following function rmx specifies a version of RMX optimized for Lesamnta: it maximizes the number of random bits applied to the padded message. rmx takes two inputs: a message M and a random salt r. For simplicity, the length of r is assumed to be n, the output length of Lesamnta.

1. Let t be the minimum non-negative integer such that |M| + t + 16 ≡ 0 (mod n).

2. M′ = M‖0^t‖(16-bit binary representation of t).

3. R = r‖r‖···‖r, with |M′|/n copies of r.

4. rmx(M, r) := r‖(M′ ⊕ R).
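The four rmx steps above, as an added worked example in Python (not part of the Lesamnta submission). It works at byte granularity, so it assumes that |M| and n are multiples of 8, which holds for n = 256 and 512 and for byte-string messages; the zero padding 0^t and the 16-bit encoding of t then fall on byte boundaries. An inverse, unrmx, is included to check that the padded encoding is unambiguous.

```python
"""Added example: the rmx randomization of Sec. 12.4 at byte granularity.
Assumption: |M| and n are multiples of 8 (true for n = 256, 512 and for
byte-string messages), so 0^t and the 16-bit encoding of t are whole bytes."""


def rmx(message: bytes, salt: bytes, n_bits: int = 256) -> bytes:
    """rmx(M, r) = r || (M' xor R), M' = M || 0^t || bin16(t), R = r||...||r."""
    if n_bits % 8 or len(salt) * 8 != n_bits:
        raise ValueError("salt must be exactly n bits long and n a multiple of 8")
    m_len = len(message) * 8
    # Step 1: smallest t >= 0 with |M| + t + 16 == 0 (mod n).
    # t < n <= 512, so it always fits in the 16-bit field of step 2.
    t = (-(m_len + 16)) % n_bits
    # Step 2: M' = M || 0^t || 16-bit big-endian t (t is a multiple of 8 here).
    padded = message + b"\x00" * (t // 8) + t.to_bytes(2, "big")
    # Step 3: R = r repeated |M'|/n times, so every block of M' is masked with
    # all n random bits (this is what "maximizes the number of random bits" means).
    mask = salt * ((len(padded) * 8) // n_bits)
    # Step 4: prepend the salt; the randomized hash is H(rmx(M, r)).
    return salt + bytes(a ^ b for a, b in zip(padded, mask))


def unrmx(randomized: bytes, n_bits: int = 256) -> tuple:
    """Inverse of rmx, recovering (M, r); rejects malformed padding.  Included
    only to show the encoding is unambiguous; a verifier of a randomized hash
    is normally given M and r directly."""
    n = n_bits // 8
    salt, body = randomized[:n], randomized[n:]
    if len(salt) != n or len(body) == 0 or len(body) % n:
        raise ValueError("malformed rmx output")
    padded = bytes(a ^ b for a, b in zip(body, salt * (len(body) // n)))
    t = int.from_bytes(padded[-2:], "big")
    zeros = padded[len(padded) - 2 - t // 8:-2]
    if t % 8 or t >= n_bits or len(zeros) != t // 8 or any(zeros):
        raise ValueError("padding check failed")
    return padded[:len(padded) - 2 - t // 8], salt


if __name__ == "__main__":
    # Constructed inputs: a fixed 256-bit salt and a 100-byte message.
    salt = bytes(range(32))
    msg = bytes(range(100))
    out = rmx(msg, salt)
    print(len(out), "bytes;", "round trip ok:", unrmx(out) == (msg, salt))
```

Two edge cases worth running: an empty message needs t = n − 16 zero bits (one full block of padding), and a message whose length is already n − 16 bits modulo n gets t = 0, so the 16-bit length field is all that is appended.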

The Kelsey-Schneier second-preimage attack can be applied to Lesamnta with rmx. Thus, it provides approximately n − k bits of security against the following attack:

The attacker chooses a message M of 2^k bits. Then, given a random r, the attacker attempts to find a second message M′ and a randomization value r′ that yield the same randomized hash value.

12.5 Attacks for Collision-Finding and Preimage-Finding

In this section, we present a collision and second-preimage attack on 16 rounds of Lesamnta-256. The analysis can easily be repeated for the case of 16 rounds of Lesamnta-512. This attack is based on our preliminary analysis and on the analysis of a previous version of Lesamnta by Florian Mendel.

First, we show how to construct collisions for the compression function. Let H = H0‖H1‖H2‖H3 denote the output of the compression function. Now assume that we can find 2^96 message blocks m*, such that all message blocks produce the same value H3. Then we know that, due to the birthday paradox, two of these message blocks also lead to the same values H0, H1, and H2. In other words, we have constructed a collision for the compression function. Based on this short description, we will now show how to construct message blocks m* which all produce the same value H3. We get the following characteristic:

where the symbol ? denotes an arbitrary difference and ∆ denotes a message block difference. The differences have to be selected such that they can be transformed by F̄^{-1} in the following way:

δ → ∆2

∆2 → ∆1

∆1 → ∆0

∆0 → ∆3.

It is easy to see that this characteristic for 16 rounds can be used to fix 64 bits of the output of the compression function. It can be summarized as follows.

1. Choose a random message block m = M0‖M1‖M2‖M3, compute H = H0‖H1‖H2‖H3 and check if H3 = d for a predefined value d.

2. If H3 ≠ d then adjust δ = H3 ⊕ d accordingly and compute

   ∆2 = M2 ⊕ (F^{-1}(F(M2 ⊕ K(0)) ⊕ δ) ⊕ K(0)),
   ∆1 = M1 ⊕ (F^{-1}(F(M1 ⊕ K(1)) ⊕ ∆2) ⊕ K(1)),
   ∆0 = M0 ⊕ (F^{-1}(F(M0 ⊕ K(2)) ⊕ ∆1) ⊕ K(2)),
   ∆3 = (M3 ⊕ δ) ⊕ (F^{-1}(F(M3 ⊕ K(3) ⊕ δ) ⊕ ∆0) ⊕ K(3)),

where K(r)’s are round keys.

3. Now we have to construct m∗ by adjusting m such that H3 = d, as follows: m∗ = M0 ⊕ ∆0 ‖ M1 ⊕ ∆1 ‖ M2 ⊕ ∆2 ‖ M3 ⊕ (∆3 ⊕ δ).

Hence, we can find a message block m∗ such that H3 = d for an arbitrary value of d with a complexity of about 2 compression function evaluations. Therefore, we can find a collision for the compression function (and the hash function) with a complexity of about 2^97 compression function evaluations.

In a similar way as we can construct a collision for the compression function, we can construct a preimage for the compression function. In the attack, we have to find a message m∗ such that h(K, m∗) = H for the given values of H and K. Since we can find a message block m∗ where H3 is correct (note that the value of d can be chosen freely) with a complexity of about 2 compression function evaluations, we can construct a preimage for the compression function with a complexity of 2^193: by repeating the attack 2^192 times we will find a message block m∗ such that H0, H1, and H2 are correct as well.

Due to the final output transformation of the hash function we cannot extend the attack to a preimage attack on the hash function. However, we can use it to construct second preimages for the hash function with a complexity of about 2^193 compression function evaluations.

12.5.1 Collision Attacks Using the Message Modification

Wang et al. showed methods for finding collisions for widely used hash functions including MD5 and SHA-1. Their approach is based on differential cryptanalysis and the message modification technique. As for Lesamnta-256, the maximum differential characteristic probability for 12 rounds is less than 2^{-256} and the message block space is a 256-bit space. Their methods for finding collisions require a differential characteristic with a large probability and a large degree of freedom in the message block space. Considering the limited size of the message block space and the very small maximum differential characteristic probability, it is very unlikely that their collision-finding methods can be applied to Lesamnta-256. The analysis can easily be repeated for the case of Lesamnta-512.

12.6 Attacks for Non-Randomness-Finding

Despite the fact that the most threatening attacks on hash functions at this moment are differential attacks, we evaluate the security of Lesamnta with respect to various kinds of widely known attacks on block ciphers. These include not only differential attacks, but also linear attacks, interpolation attacks, and Square attacks.

The methods used to evaluate the compression function's resistance against these attacks are described below. In general, our analysis indicates that Lesamnta has large security margins against all of these attacks.

The motivation to analyze the Lesamnta compression function with respect to attacks which do not immediately apply to hash functions is that we want to ensure its security against future attacks which might borrow techniques from the field of block cipher cryptanalysis. Another motivation is that a number of block-cipher-based constructions, including the MMO mode, can be proved to be collision resistant if the underlying block cipher behaves as an ideal cipher (see [7, 30]). An ideal cipher has the true-randomness property.

The best way to ensure this randomness is to apply block cipher analysis techniques to the core function E, and to see if this reveals any weakness or non-random behavior. So far, we have not found any weakness in the full block cipher.

12.6.1 Differential and Linear Attacks

Considering the fact that the most successful attacks on hash functions are of differential nature, and that differential [5] and linear cryptanalysis [22] are two of the most powerful tools in block cipher cryptanalysis, we examined the resistance of E and L against differential and linear attacks.

In order to estimate the strength of E with respect to differential and linear attacks, we compute upper bounds on the probabilities of differential and linear characteristics. As is commonly done in block cipher cryptanalysis, we will make abstraction of the exact differences or masks used in these characteristics, and just consider patterns of active S-boxes. Hereafter, we only explain our method of evaluating the security against differential cryptanalysis, as we can apply a similar method regarding linear cryptanalysis because of its duality to differential cryptanalysis [8].

By applying the wide trail strategy, we can prove that the upper bounds on the probabilities of differential characteristics of F_256 and F_512 are 2^{-54} and 2^{-150} respectively. On the other hand, it is easy to prove that four consecutive rounds have at least one active F function. As a result, it is provable that the probabilities of differential characteristics of 20 rounds of Lesamnta-256 and Lesamnta-512 are upper bounded by 2^{-256} and 2^{-512}. Furthermore, by making experiments with the Viterbi algorithm, we observed that 12 rounds of Lesamnta-256 and Lesamnta-512 have at least five active F functions, which means that 12 rounds of them achieve the above bounds as well. As a result, it is very unlikely that differential/linear attacks can be applied to the full Lesamnta.

12.6.2 Interpolation Attack

In the interpolation attack [16], an attacker constructs a polynomial using cipher input/output pairs and then aims to determine the key-dependent coefficients of a polynomial expression of the cipher. If the number of terms in the polynomial expression is reasonably small, the interpolation attack can be mounted.

Lesamnta-256 uses the AES S-box, which can be expressed as a polynomial of degree 254 over GF(2^8). Lesamnta uses a fixed characteristic polynomial to represent an element over GF(2^8). Our analysis only considers polynomial expressions based on this characteristic polynomial.

A few rounds of Lesamnta-256 can be expressed as a polynomial with 32 variables over GF(2^8). We have confirmed that after the 10th round, an input to the F function depends on all the 32 variables. Then, due to the high degree of the S-box, we expect that the number of coefficients reaches the maximum some rounds after the 10th round. This analysis is easily repeated in the case of Lesamnta-512. Thus we believe that the full 32-round Lesamnta is secure against interpolation attacks.

12.6.3 Square Attack

We analyze the resistance of Lesamnta against the Square attack [10]. (This attack is sometimes referred to as the Saturation attack.) It is a chosen-plaintext attack, relevant to the security requirements for block ciphers. An important characteristic of this attack is that it does not depend on the specific structure of the function F. The only requirement for this analysis to be valid is that F is an invertible transformation. This attack is based on our preliminary analysis and the analysis of a previous version of Lesamnta by Vincent Rijmen. We present the attack for the case of Lesamnta-256. The analysis can easily be repeated for the case of Lesamnta-512.

In Table 16 we present a characteristic over 19 rounds. Here we start with a set of 2^192 blocks such that the first 64 bits are constant and the remaining 192 bits take all values. We denote this by using the symbols b1, b2, b3. Here a denotes that the input takes all possible values over the set, − denotes that the input is constant, s denotes that the sum of the values over the set equals −, and ‘?’ denotes that we cannot predict this input. Some explanation of this characteristic is as follows:


Round 1: Consider only the last two lines of the input. This Feistel construction is invertible, hence we can write the symbols b1, b2, b3 at the output. (Even if the values in the line marked by ‘b3’ have changed.)

Round 4: At the output of round 4, we have the property that the 192 bits from the second, third and fourth lines take all possible values. Also the 192 bits from the first, second and third lines take all possible values. Note however that the values in the first and the fourth lines have no special relation among one another. This will cause a deterioration of the property in round 8.

Round 16: The output s is the sum of 3 balanced words.

Suppose now that we would be studying a block cipher. Then, an attacker can use this characteristic to attack a 20-round version of the block ciphers E, L by guessing the last round key, partially decrypting the ciphertexts and checking whether the s property would hold. This would eliminate false guesses for the last round key.

The attacker would first construct 4 sets of 2^192 texts with the right structure for the characteristic. Then, for each guess of the round keys of the last round (64 bits), the attacker would partially decrypt and verify whether he obtains an s. For a wrong guess of the round keys, this will happen with probability 2^{-64}. Hence after verifying against the 4 sets, all wrong guesses will have been eliminated. For most of the round keys, only one check needs to be done. The complexity of the attack can be roughly estimated as follows:

4 × (2^64 round key guesses) × (2^192 partial decryptions/guess) × (complexity of one partial decryption)

Estimating the complexity of one partial decryption at 1/20 ≈ 2^{-4.3} of a full decryption, we obtain for the total complexity the figure of 2^{253.7} full decryptions.

12.6.4 Attacks Using the Known-Key Distinguisher

Recently, a new method for attacking block ciphers has been proposed [31]. This attack is a distinguishing attack where the attacker knows the key. Therefore the distinguisher is called a known-key distinguisher. We examined the resistance of Lesamnta-256 against this kind of attack. As a result, we can construct a known-key distinguisher for Lesamnta-256 reduced to 12 rounds. The distinguisher computes two plaintexts denoted by p and p̄ which have a special property. Let the corresponding ciphertexts be denoted by c = (z0, z1, z2, z3) and c̄ = (z̄0, z̄1, z̄2, z̄3); then the following equation will hold with probability 1.

z3 = z̄3.

Figure 23 shows the algorithm to compute the plaintexts p and p̄ satisfying the equation.


Table 15 – Characteristic for the collision attack.

Round          Inputs (64-bit words)
message block  ∆0    ∆1    ∆2    ∆3 ⊕ δ
0              ∆3    ∆0    ∆1    ∆2
1              −     ∆3    ∆0    ∆1
2              −     −     ∆3    ∆0
3              −     −     −     ∆3
4              ∆3    −     −     −
5              −     ∆3    −     −
6              −     −     ∆3    −
7              ?     −     −     ∆3
8              ∆3    ?     −     −
9              −     ∆3    ?     −
10             ?     −     ∆3    ?
11             ?     ?     −     ∆3
12             ∆3    ?     ?     −
13             ?     ∆3    ?     ?
14             ?     ?     ∆3    ?
15             ?     ?     ?     ∆3
feedforward    ?     ?     ?     δ

Input: The 12 subkeys K(0), ..., K(11), with K(2) ≠ K(0).

Algorithm:
1. Choose an arbitrary value for x.
2. Define the values γ, α as
   γ = K(2) ⊕ K(0),
   α = F^{-1}(F(x) ⊕ K(0) ⊕ K(8)) ⊕ x ⊕ K(1) ⊕ K(5).
3. Compute
   p = (y0, y1, y2, y3),
   p̄ = (y0, F^{-1}(y2) ⊕ K(3), F(y1 ⊕ K(3)), y3),
   where y0 = K(2) ⊕ F^{-1}(α).

It follows that y3 ⊕ z3 = F(y2 ⊕ F(y1 ⊕ K(3)) ⊕ K(8)) = y3 ⊕ z̄3. Consequently, z3 = z̄3.

Figure 23 – Algorithm to compute the plaintexts p and p̄ satisfying the equation.


Table 16 – Characteristic for the Square attack.

Round   Inputs
0       −    b1   b2   b3
1       b3   −    b1   b2
2       b2   b3   −    b1
3       b1   b2   b3   −
4       b3   b1   b2   b3
5       b3   b3   b1   b2
6       b2   b3   b3   b1
7       b1   b2   b3   b3
8       s    b1   b2   b3
9       b3   s    b1   b2
10      b2   b3   s    b1
11      ?    b2   b3   s
12      s    ?    b2   b3
13      b3   s    ?    b2
14      ?    b3   s    ?
15      ?    ?    b3   s
16      s    ?    ?    b3
17      ?    s    ?    ?
18      ?    ?    s    ?
19      ?    ?    ?    s

13 Advantages and Limitations

13.1 Advantages

Flexibility

• The number of rounds of the underlying block ciphers is a tunable parameter. It allows the selection of a range of possible security/performance tradeoffs.

• Lesamnta can be implemented securely and efficiently on a wide variety of platforms, including constrained environments such as smart cards.

Simplicity

• We take a rather conservative and simple approach to design Lesamnta. It is a Merkle-Damgård iterated hash function of a compression function enveloped by an output function. Furthermore, both the compression function and the output function are MMO modes using distinct block ciphers.


• The underlying block ciphers do not base their security, or part of it, on obscure and not well understood interactions between arithmetic operations.

• The tight design of Lesamnta does not leave enough room to hide a trapdoor.

Hardware Design Scalability

• Lesamnta is suited to be implemented in dedicated hardware. Hardware architectures of Lesamnta can be designed to meet high-speed processing demands because of its highly parallelizable structure.

• The type-1 general Feistel network used in Lesamnta allows processing three F functions in parallel without additional delay. As for designing size-optimized architectures, Lesamnta has the nice feature that the F function is parallel and consists of four iterations of the same function. The gate count of the Lesamnta hardware can be reduced by using a shared function module.

13.2 Limitations

• The design of the Lesamnta domain extension is performance-oriented, and it makes only a small change to the Merkle-Damgård iteration. It does not increase the resistance against Joux's multicollision attack and the Kelsey-Schneier second-preimage attack in comparison with the SHA-2 family.

14 Applications of Hash Functions

Lesamnta has the same application program interface as the SHA-2 family. Therefore, Lesamnta supports all applications that are supported by the SHA-2 family, such as:

• digital signatures (FIPS 186-2);

• key derivation (NIST Special Publication 800-56A);

• hash-based message authentication codes (FIPS 198); and

• deterministic random bit generators (SP 800-90).

The proof-based and attack-based security analyses show that the security provided by Lesamnta against known attacks is not less than that provided by the SHA-2 family.


15 Trademarks

• ARM® and RealView® are registered trademarks and ARM926EJ-S™ is a trademark of ARM Limited in the United States and/or other countries.

• Atmel®, AVR® and AVR Studio® are registered trademarks of Atmel Corporation in the United States and/or other countries.

• Intel® is a registered trademark and Core™ is a trademark of Intel Corporation in the United States and/or other countries.

• Microsoft®, Visual Studio® and Windows Vista® are registered trademarks of Microsoft Corporation in the United States and/or other countries.

• Renesas® and H8® are registered trademarks of Renesas Technology Corporation in the United States and/or other countries.

16 Acknowledgments

In the first place we would like to thank Kota Ideguchi for his efficient ANSI-C and assembly implementations. Many people have been extremely helpful during the design of Lesamnta. In particular we would like to thank Kazuo Ota, Kazuo Sakiyama, Lei Wang, Yasuko Fukuzawa, and Toru Owada. We would like to thank Florian Mendel, Vincent Rijmen, Orr Dunkelman, Sebastiaan Indesteege, Özgül Küçük, Bart Preneel, and Hongjun Wu for their cryptanalysis of preliminary versions. We would like to thank Masahiro Ito, Satoshi Kawanami, and Yuji Matsuo, who helped us with the proposal of Lesamnta from an implementation perspective. This work was partially supported by the National Institute on Information and Communications Technology, Japan. Finally we would also like to thank the NIST SHA-3 team for initiating the SHA-3 process.


References

[1] M. Bellare, “New proofs for NMAC and HMAC: Security without collision-resistance,” Advances in Cryptology - CRYPTO 2006, Lecture Notes in Computer Science, vol. 4117, pp. 602–619, 2006. http://eprint.iacr.org/2006/043.pdf.

[2] M. Bellare, R. Canetti, and H. Krawczyk, “Keying hash functions for message authentication,” Advances in Cryptology - CRYPTO ’96, Lecture Notes in Computer Science, vol. 1109, pp. 1–15, 1996. http://www-cse.ucsd.edu/~mihir/papers/kmd5.pdf.

[3] M. Bellare and T. Kohno, “Hash function balance and its impact on birthday attacks,” Advances in Cryptology - EUROCRYPT 2004, Lecture Notes in Computer Science, vol. 3027, pp. 401–418, 2004. http://www-cse.ucsd.edu/users/mihir/papers/balance.pdf.

[4] E. Biham and O. Dunkelman, “A framework for iterative hash functions — HAIFA,” The Second Cryptographic Hash Workshop, 2006. http://csrc.nist.gov/groups/ST/hash/documents/DUNKELMAN_NIST3.pdf.

[5] E. Biham and A. Shamir, Differential Cryptanalysis of the Data Encryption Standard, Springer, 1993.

[6] A. Biryukov and D. Wagner, “Advanced slide attacks,” Advances in Cryptology - EUROCRYPT 2000, Lecture Notes in Computer Science, vol. 1807, pp. 589–606, 2000. http://www.iacr.org/archive/eurocrypt2000/1807/18070595-new.pdf.

[7] J. Black, P. Rogaway, and T. Shrimpton, “Black-box analysis of the block-cipher-based hash-function constructions from PGV,” Advances in Cryptology - CRYPTO 2002, Lecture Notes in Computer Science, vol. 2442, pp. 320–335, 2002.

[8] F. Chabaud and S. Vaudenay, “Links between differential and linear cryptanalysis,” Advances in Cryptology - EUROCRYPT ’94, Lecture Notes in Computer Science, vol. 950, pp. 356–365, 1995.

[9] J.-S. Coron, Y. Dodis, C. Malinaud, and P. Puniya, “Merkle-Damgård revisited: How to construct a hash function,” Advances in Cryptology - CRYPTO 2005, Lecture Notes in Computer Science, vol. 3621, pp. 430–448, 2005.

[10] J. Daemen, L. R. Knudsen, and V. Rijmen, “The block cipher SQUARE,” Fast Software Encryption, FSE ’97, Lecture Notes in Computer Science, vol. 1267, pp. 149–165, 1997. http://www.esat.kuleuven.ac.be/~cosicart/pdf/VR-9700.PDF.


[11] I. B. Damgård, “A design principle for hash functions,” Advances in Cryptology - CRYPTO ’89, Lecture Notes in Computer Science, vol. 435, pp. 416–427, 1990.

[12] Q. Dang, “Randomized hashing digital signatures (2nd draft),” Draft NIST Special Publication 800-106, 2008. http://csrc.nist.gov/publications/drafts/800-106/2nd-Draft_SP800-106_July2008.pdf.

[13] B. Gladman, http://fp.gladman.plus.com/cryptography_technology/.

[14] S. Halevi and H. Krawczyk, “Strengthening digital signatures via randomized hashing,” Advances in Cryptology - CRYPTO 2006, Lecture Notes in Computer Science, vol. 4117, pp. 41–59, 2006. http://www.ee.technion.ac.il/~hugo/rhash/rhash.pdf, http://tools.ietf.org/html/draft-irtf-cfrg-rhash-01.

[15] S. Hirose, J. H. Park, and A. Yun, “A simple variant of the Merkle-Damgård scheme with a permutation,” Advances in Cryptology - ASIACRYPT 2007, Lecture Notes in Computer Science, vol. 4833, pp. 113–129, 2007.

[16] T. Jakobsen and L. R. Knudsen, “The interpolation attack on block ciphers,” Fast Software Encryption, FSE ’97, Lecture Notes in Computer Science, vol. 1267, pp. 28–40, 1997. http://homes.esat.kuleuven.be/~cosicart/ps/LRK-9700.ps.gz.

[17] A. Joux, “Multicollisions in iterated hash functions. Application to cascaded constructions,” Advances in Cryptology - CRYPTO 2004, Lecture Notes in Computer Science, vol. 3152, pp. 306–316, 2004.

[18] J. Kelsey and B. Schneier, “Second preimages on n-bit hash functions for much less than 2^n work,” Advances in Cryptology - EUROCRYPT 2005, Lecture Notes in Computer Science, vol. 3494, pp. 474–490, 2005. http://www.schneier.com/paper-preimages.pdf.

[19] L. R. Knudsen, “Truncated and higher order differentials,” Fast Software Encryption – Second International Workshop, Lecture Notes in Computer Science, pp. 196–211, 1995. ftp://ftp.esat.kuleuven.ac.be/cosic/knudsen/trunc.ps.Z.

[20] P. Kocher, J. Jaffe, and B. Jun, “Differential power analysis,” Advances in Cryptology - CRYPTO ’99, Lecture Notes in Computer Science, vol. 1666, pp. 388–397, 1999.

[21] K. Lemke, K. Schramm, and C. Paar, “DPA on n-bit sized boolean and arithmetic operations and its application to IDEA, RC6, and the HMAC-construction,” Cryptographic Hardware and Embedded Systems - CHES 2004, Lecture Notes in Computer Science, vol. 3156, pp. 205–219, 2004.


[22] M. Matsui, “Linear cryptanalysis method for DES cipher,” Advances in Cryptology - EUROCRYPT ’93, Lecture Notes in Computer Science, vol. 765, pp. 386–397, 1994.

[23] U. Maurer, R. Renner, and C. Holenstein, “Indifferentiability, impossibility results on reductions, and applications to the random oracle methodology,” First Theory of Cryptography Conference, TCC 2004, Lecture Notes in Computer Science, vol. 2951, pp. 21–39, 2004.

[24] A. J. Menezes, P. C. van Oorschot, and S. A. Vanstone, Handbook of Applied Cryptography, CRC Press, 1996.

[25] T. S. Messerges, E. A. Dabbish, and R. H. Sloan, “Investigations of power analysis attacks on smartcards,” Proceedings of the USENIX Workshop on Smartcard Technology, 1999. http://www.usenix.org/events/smartcard99/full_papers/messerges/messerges.pdf.

[26] National Institute of Standards and Technology, “Secure hash standard,” Federal Information Processing Standards Publication 180-2, August 2002. http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf.

[27] K. Okeya, “Side channel attacks against HMACs based on block-cipher based hash functions,” Information Security and Privacy, 11th Australasian Conference, ACISP 2006, Lecture Notes in Computer Science, vol. 4058, pp. 432–443, 2006.

[28] D. A. Osvik, “Speeding up Serpent,” AES Candidate Conference, pp. 317–329, 2000. http://www.ii.uib.no/~osvik/pub/aes3.pdf.

[29] W. W. Peterson and E. J. Weldon, Jr., Error-Correcting Codes, The MIT Press, 1972.

[30] B. Preneel, R. Govaerts, and J. Vandewalle, “Hash functions based on block ciphers: a synthetic approach,” Advances in Cryptology - CRYPTO ’93, Lecture Notes in Computer Science, vol. 773, pp. 368–378, 1994.

[31] L. R. Knudsen and V. Rijmen, “Known-key distinguishers for some block ciphers,” Advances in Cryptology - ASIACRYPT 2007, Lecture Notes in Computer Science, vol. 1267, pp. 149–165, 2007.

[32] R. Rivest, “The MD5 message-digest algorithm,” Request for Comments,no. 1321, April 1992. ftp://ftp.rfc-editor.org/in-notes/rfc1321.txt.

[33] R. L. Rivest, “Abelian square-free dithering and recoding for iterated hash functions,” First Cryptographic Hash Workshop, 2005. http://csrc.nist.gov/groups/ST/hash/documents/rivest-asf-paper.pdf.


[34] X. Wang, X. Lai, D. Feng, H. Chen, and X. Yu, “Cryptanalysis of the hash functions MD4 and RIPEMD,” Advances in Cryptology - EUROCRYPT 2005, Lecture Notes in Computer Science, vol. 3494, pp. 1–18, 2005.

[35] X. Wang, Y. L. Yin, and H. Yu, “Finding collisions in the full SHA-1,” Advances in Cryptology - CRYPTO 2005, Lecture Notes in Computer Science, vol. 3621, pp. 17–36, 2005.

[36] Y. Zheng, T. Matsumoto, and H. Imai, “On the construction of block ciphers provably secure and not relying on any unproved hypotheses,” Advances in Cryptology - CRYPTO ’89, Lecture Notes in Computer Science, vol. 435, pp. 461–480, 1990.


Publication

Finding Collisions for Reduced Luffa-256 v2 (Poster)

Publication Data

B. Preneel, H. Yoshida, and D. Watanabe, “Finding Collisions for Reduced Luffa-256 v2 (Poster),” Information Security and Privacy - 16th Australasian Conference, ACISP 2011, LNCS, vol. 6812, Springer, pp. 423–427, 2011.

Contributions

• Principal author. We devised a collision attack on the Luffa hash function, up to 4 out of steps. The attack strategy to apply message modification techniques was suggested by Dai Watanabe.



Finding Collisions for Reduced Luffa-256 v2 (Poster)

Bart Preneel^{2,3}, Hirotaka Yoshida^{1,2,3} and Dai Watanabe^{1}

1 Yokohama Research Laboratory, Hitachi, Ltd., 292 Yoshida-cho, Totsuka-ku, Yokohama-shi, Kanagawa-ken, 244-0817 Japan

2 Katholieke Universiteit Leuven, Dept. ESAT/SCD-COSIC, Kasteelpark Arenberg 10, B–3001 Heverlee, Belgium

3 Interdisciplinary Institute for BroadBand Technology (IBBT), Belgium

Abstract. Luffa is a family of cryptographic hash functions that has been selected as a second round SHA-3 candidate. This article analyses the collision resistance of reduced-round versions of Luffa-256 v2, which is the 256-bit hash function in the Luffa family. This paper focuses on the hash function security. To the best of our knowledge, this is the first collision analysis for a fixed initial vector of Luffa. We show that collisions for 4 out of 8 steps of Luffa-256 v2 can be found with complexity 2^90 using sophisticated message modification techniques.

Keywords: Hash functions, collision attack, message modification

1 Introduction

Recent cryptanalytic results focus on the collision resistance of hash functions. In response to the collision attack [9] on SHA-1 [6], NIST launched the SHA-3 competition [7] to find an alternative to the SHA-2 family. NIST received more than 60 candidate hash functions and it currently focuses on the 5 final round candidates.

Luffa is a family of cryptographic hash functions that has been selected as one of the 14 second round SHA-3 candidates. The hash function Luffa adopts the structure of a sponge function and a wide-pipe strategy. In the previous results on Luffa, its building blocks have been extensively analyzed: the designers found a differential path for the internal permutation of Luffa. Aumasson and Meier [1] constructed an algebraic zero-sum distinguisher for the same component. Watanabe et al. [8] constructed a higher order distinguisher for 7 steps of the compression function of Luffa v1. Khovratovich et al. [5] found a semi-free-start collision for 7 steps of the compression function of Luffa-256 v2.

This article analyses the collision resistance of reduced-round versions of Luffa-256 v2, which is the 256-bit hash function in the Luffa family. We show how collision attacks, using sophisticated message modification techniques, can be mounted on reduced variants of Luffa-256 v2. We present an attack on Luffa-256 v2 reduced from 8 to 4 steps with a complexity of 2^90.


The outline of this paper is as follows. In Sect. 3, we give a short description of Luffa-256 v2. In Sect. 3, the results of the collision attacks on the 4-step variant of Luffa-256 v2 are presented. Section 7 concludes the paper.

2 Specification of Luffa-256 v2

In this section, we introduce the part of the specification of Luffa needed to describe the attack. The reader is referred to [4] for the details of the specification.

2.1 Chaining and Round Function

The chaining of Luffa is a variant of a sponge function [2] that processes 256 message bits in each iteration. The message is padded with 10...0 to ensure that the padded message has a length divisible by 256.

The round function is a composition of a message injection function MI and three permutations Q_j with 256-bit input. Let the input of the i-th round be (H_0^{(i−1)}, H_1^{(i−1)}, H_2^{(i−1)}); then the output of the i-th round is given by

H_j^{(i)} = Q_j(X_j), 0 ≤ j < 3,

X_0||X_1||X_2 = MI(H_0^{(i−1)}, H_1^{(i−1)}, H_2^{(i−1)}, M^{(i)}),

where H_j^{(0)} = V_j. The MI function is linear over GF(2^8) and can be represented by a matrix over the ring GF(2^8)^{32}. The map from an 8-word value (a_0, ..., a_7) to an element of the ring is defined by (∑_{0≤k<8} a_{k,l} x^k)_{0≤l<32}.

2.2 Non-Linear Permutation

At the beginning of the step function process in the permutation Q_j, 256 bits of data are stored in 8 32-bit registers denoted by a_k^{(r)} for 0 ≤ k < 8. The permutation Q_j is defined as the composition of an input tweak and iterations of a step function Step, which consists of the following three functions: SubCrumb, MixWord, AddConstant. The number of iterations of the step function is 8.

In permutation Q_j, the input tweak rotates the least significant four words to the left by j bits. SubCrumb substitutes the bits of a_0, a_1, a_2, a_3 (or a_4, a_5, a_6, a_7) by a 4-bit S-box S. Let the output of SubCrumb be x_0, x_1, x_2, x_3 (or x_4, x_5, x_6, x_7). Then SubCrumb is given by

x_{3,l}||x_{2,l}||x_{1,l}||x_{0,l} = S[a_{3,l}||a_{2,l}||a_{1,l}||a_{0,l}] and
x_{4,l}||x_{7,l}||x_{6,l}||x_{5,l} = S[a_{4,l}||a_{7,l}||a_{6,l}||a_{5,l}], (0 ≤ l < 32).

MixWord is a linear permutation of two words. Let the output words be y_k and y_{k+4} where 0 ≤ k < 4. Then MixWord is given by the following equations, applied in order:

y_{k+4} = x_{k+4} ⊕ x_k, y_k = x_k ≪ 2, y_k = y_k ⊕ y_{k+4}, y_{k+4} = y_{k+4} ≪ 14,
y_{k+4} = y_{k+4} ⊕ y_k, y_k = y_k ≪ 10, y_k = y_k ⊕ y_{k+4}, y_{k+4} = y_{k+4} ≪ 1.


3 The Collision Attack on 4-step Luffa-256 v2

We here present a collision attack on 4-step Luffa-256 v2. We give a general idea of how the attack works: there are three round function calls, meaning that the attack uses three message blocks, which are used in the following manner. The attack uses the first message block M^{(1)} with no difference for finding a good value for the second round function input (H_0^{(1)}, H_1^{(1)}, H_2^{(1)}); the second message block pair (M^{(2)}, M^{(2)} ⊕ ∆) introduces the differences conforming to the differential path for each permutation; and those differences are erased with the third message block pair (M^{(3)}, M^{(3)} ⊕ ∆′). The attack first constructs a differential path producing a collision and then applies the message modification [9] to reduce the complexity. We adopt the attacking principle in [5] in the following sense:

1. We apply the modification technique on S-box level.

2. We store the degrees of freedom as the information on the set of messageinputs which give the right input for the active S-boxes.

On the other hand, the techniques used in the rebound attack, such as match-in-the-middle and multi-path, are difficult to apply in our attack because we consider the hash function security where the IV is fixed. We apply the basic modification, using a single message bundle for each active S-box, and the advanced modification [9], using multiple message bundles for each active S-box, respectively. In order to reduce the attack complexity, we pursue the following two ideas:

1. Maximize the number of applications of basic modification.

2. Minimize the number of involved message bundles for advanced modification.

For this optimization purpose, we took a heuristic approach in which message bundles that have already been used in earlier steps are given higher priority for use in the following step than the others.

As a preliminary, we view the 256-bit message block as 32 8-bit bundles and consider their positions $t$ ($0 \le t < 32$), to which we refer as message bundles and message bundle positions respectively. In other words, we handle the message at 8-bit granularity. Each of these bundles is obtained in a bit-sliced manner, as adopted in Luffa-256 v2: each bit of a bundle is taken from a different 32-bit word of the message block. For the same reason, we view the 256-bit chaining variable input of the permutation $Q_j$ as 64 4-bit bundles, each of which is taken as the input to one S-box, and consider their positions $u$ ($0 \le u < 64$), to which we refer as S-box positions.

3.1 The Differential Path

Our attack first constructs a good differential path for the second round. We derive our differential path in two stages: first, we find a good truncated differential path on the permutation $Q_j$ by considering the linear function MixWord and the Tweak function; then, we determine the best input/output differences of the active S-boxes when the constraint due to the message injection function MI is taken into account. We performed experiments to find a good truncated differential path for the permutation $Q_j$. The best one we found has 49 active S-boxes and is shown in Table 1. From this truncated path, we derive our differential path, where the differential probabilities are $2^{-7}$, $2^{-7}$, and $2^{-6}$ for the first step, the second step, and the third step, respectively.

Table 1 – The truncated differential path for $Q_j$. Each row gives, for S-box positions 0 to 63 (in groups of ten), whether the S-box is active (1) or not (0); Weight is the number of active S-boxes in that step.

Step  Weight  0-9        10-19      20-29      30-39      40-49      50-59      60-63
0     07      0000000100 0100000001 0101010000 0100000000 0000000000 0000000000 0000
1     08      0100000100 0000010001 0100000101 0000000000 0000000000 0000000000 0010
2     19      0001010100 0100011100 1001000100 1100000000 0000000110 1010000000 1110
3     15      0000010000 0001010100 0101000100 0010110010 0010000000 0000000010 1010
4     (42)    0011011000 1110110001 0110011010 1111101110 1111110111 1110011110 0111

3.2 Message Modification

As for the first step, after applying the basic message modification to 7 active S-boxes, the remaining degrees of freedom in the second message block are 221 bits out of 256 bits. We face a more difficult situation at the second and third steps due to the effect of MixWord, which ensures that the input to an S-box depends on multiple message bundles and that one message bundle may affect multiple active S-boxes. It follows that, even if a condition on the input of an active S-box is fulfilled by means of a modification with some message bundle at some step, this fulfillment can afterwards be destroyed by a modification with the same message bundle at the following step. Hence the important problem we have to solve is:

For each active S-box, from which message bundles do we assign degrees of freedom to it in order to optimize the attack complexity?

Our strategy to find an optimal (or nearly optimal) solution to this problem is, instead of exhaustively searching for correspondences, to search for correspondences between active S-boxes and message bundles such that each modification performed per active S-box uses message bundles in a way that keeps the total number of used message bundles, including the ones which previous modifications have already used, as small as possible. Our search considers not only the degrees of freedom left step by step but also the order in which active S-boxes are dealt with: the earlier modifications deal with the active S-boxes which are more restricted than the others in terms of the total degrees of freedom of the corresponding message bundles. Our strategy allows us to perform some message modifications independently of the others. This helps to optimize the total complexity of the message modification. After applying the message modification to 8 active S-boxes and 19 active S-boxes, the degrees of freedom in the second message block are 165 bits (out of 256 bits) remaining after the second step and 51 bits remaining after the third step. Table 2 indicates the position correspondence between the active S-boxes and the message bundles.

Table 2 – Position correspondence between active S-boxes and message bundles.

Second step:
  S-box pos.         27       7        62   21    29    1      15    19
  Mes. bundle pos.   7,19,21  1,19,31  15   1,15  9,23  25,27  9,27  11,13

Third step:
  S-box pos.         27  62    3     30       5   17  52     20    7   11
  Mes. bundle pos.   2   2,13  9,24  3,24,26  26  29  29,30  3,30  10  10,12

  S-box pos.         47    31   15  16    23   61  48  50  60
  Mes. bundle pos.   5,12  3,5  28  0,28  0,4  4   6   8   14

As for the fourth step, there are 15 active S-boxes and the product of the differential probabilities for the S-boxes in the same (S-box) position over $Q_j$ is $2^{-6}$. Hence, in this step, we would need to control 90 bits in the message block. Since the degrees of freedom in the second message block are 51 bits at this step, our random attempt uses the first message block with a complexity of $2^{90-51}$. As a result, we expect to find a collision for 4-step Luffa-256 v2 with a total complexity of

$$2^{90} \approx 2^{39}\,(2^{14} + 2^{16} + 2^{41} + 2^{51}),$$

where $2^{14}$, $2^{16}$, $2^{41}$, and $2^{51}$ are the complexities of the message modifications at the first, second, third, and fourth steps, respectively.

4 Conclusion

By taking a simple and effective approach of applying message modification, we show that collisions for 4 steps of Luffa-256 v2 can be found with complexity $2^{90}$. This is the first analysis of Luffa regarding the hash function security.

References

[1] J.-P. Aumasson and W. Meier, "Zero-sum distinguishers for reduced Keccak-f and for the core functions of Luffa and Hamsi," 2009.

[2] G. Bertoni, J. Daemen, M. Peeters and G. Van Assche, "On the Indifferentiability of the Sponge Construction," Eurocrypt 2008, pp. 181–197, 2008.

[3] C. De Cannière, H. Sato, D. Watanabe, "Hash Function Luffa: Supporting Document," Submission to NIST SHA-3 Competition, 2008.

[4] C. De Cannière, H. Sato, D. Watanabe, "Hash Function Luffa: Specification," Submission to NIST SHA-3 Competition, 2008.

[5] D. Khovratovich, M. N. Plasencia, A. Roeck, M. Schlaeffer, "Cryptanalysis of Luffa v2 components," Selected Areas in Cryptography, SAC 2010, August 2010.

[6] National Institute of Standards and Technology, "Secure hash standard," Federal Information Processing Standards Publication 180-2, August 2002. http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf.

[7] National Institute of Standards and Technology, "Announcing request for candidate algorithm nominations for a new cryptographic hash algorithm (SHA-3) family," http://csrc.nist.gov/groups/ST/hash/documents/, November 2007.

[8] D. Watanabe, Y. Hatano, T. Yamada and T. Kaneko, "Higher Order Differential Attack on Step-Reduced Variants of Luffa v1," FSE 2010, LNCS 6147, pp. 270–285, 2010.

[9] X. Wang, Y. L. Yin, and H. Yu, "Finding collisions in the full SHA-1," CRYPTO 2005, LNCS 3621, pp. 17–36, 2005.


Publication

An AES Based 256-bit Hash Function for Lightweight Applications: Lesamnta-LW

Publication Data

S. Hirose, K. Ideguchi, H. Kuwakado, T. Owada, B. Preneel and H. Yoshida, "An AES Based 256-bit Hash Function for Lightweight Applications: Lesamnta-LW," IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, vol. E95-A, no. 1, pp. 89–99, 2012.

Contributions

• Principal author. We designed the underlying block cipher of theLesamnta-LW hash function and performed a security analysis of Lesamntawith respect to known attacks. The design of mode of operation and thesecurity reduction proofs are due to Shoichi Hirose and Hidenori Kuwakado.Software implementations were provided by Kota Ideguchi. Hardwareimplementations were provided by Toru Owada.



A Lightweight 256-bit Hash Function for Hardware and Low-end Devices: Lesamnta-LW

Shoichi Hirose^1, Kota Ideguchi^2, Hidenori Kuwakado^3, Toru Owada^2, Bart Preneel^4, and Hirotaka Yoshida^{2,4}

1 Graduate School of Engineering, University of Fukui3-9-1, Bunkyo, Fukui 910-8507, Japan

2 Systems Development Laboratory, Hitachi, Ltd.292 Yoshida-cho, Totsuka-ku, Yokohama, Kanagawa 244-0817, Japan

3 Graduate School of Engineering, Kobe University, 1-1 Rokkodai, Nada, Kobe 657-8501, Japan

4 Department of Electrical Engineering ESAT/SCD-COSIC,Katholieke Universiteit Leuven

Kasteelpark Arenberg 10, B–3001 Heverlee, Belgium

Abstract. This paper^5 proposes a new lightweight 256-bit hash function, Lesamnta-LW. The security of Lesamnta-LW is reduced to that of the underlying AES-based block cipher, and it is theoretically analyzed for an important application, namely the key-prefix mode. While most recently proposed lightweight primitives are hardware-oriented with very small footprints, our main target with Lesamnta-LW is to achieve compact and fast hashing for lightweight applications on a wider variety of environments, ranging from inexpensive devices to high-end servers, at the $2^{120}$ security level. As for performance, our primary target CPUs are 8-bit, and it is shown that, for short message hashing, Lesamnta-LW offers better tradeoffs between speed and cost on an 8-bit CPU than SHA-256.

Keywords: Hash functions, lightweight cryptography, securityreduction proofs

1 Introduction

Systems and solutions using small portable electronic devices employing low-cost 8-bit CPUs have gained increasing attention from both companies and end users. About 55% of all CPUs sold in the world are 8-bit microcontrollers and microprocessors, and over 4 billion 8-bit controllers were sold in 2006 [37, 46]. These devices include low-end smart cards and RFID (radio frequency identification) tags. Based on the report in [40] stating that the passive RFID tag market is expected to hit $486M in 2013, it is expected that, in the near future, we will see a wide variety of applications for mobile phones, wireless sensor networks, etc.

^5 An earlier version of this paper appeared in the pre-proceedings of the ICISC 2010 conference.

Security and privacy in such devices have recently opened up an active research area called lightweight cryptography. The main challenge in this area is to design cryptographic primitives or protocols that meet the system requirements, which are often very severe in the sense that the resources available for implementing these cryptographic components are quite limited. Lightweight ciphers such as PRESENT [9] and KATAN [12] have been proposed. On the other hand, it is pointed out in [18] that in the RFID security community it is commonly assumed that hash functions are a better choice than block ciphers from an implementation perspective, even though RFID tags supporting AES are already available [17]. In this sense, lightweight hash functions such as H-PRESENT [10], MAME [43], SQUASH [38] and QUARK [2] hold promise for implementation. However, the hash functions mentioned above are hardware-oriented with very small footprints, and hardware-oriented schemes do not necessarily provide good performance on 8-bit CPUs. We also note that small portable electronic devices do not have large amounts of RAM/ROM available.

This paper proposes a 256-bit hash function, Lesamnta-LW, that provides goodperformance on memory-constrained devices employing 8-bit CPUs. Its domainextension is the strengthened Merkle-Damgård construction and its underlyingcomponent is an AES-based block cipher taking a 256-bit plaintext and a 128-bitkey. As for choice of algorithms, block cipher technology appears to be moremature than hash function technology due to the AES competition organized byNIST. Note that Lesamnta-LW is a lightweight variant of Lesamnta [22] thatwas submitted to the SHA-3 competition. The design goals of Lesamnta-LW aresummarized below.

1. Compact and fast, optimized for lightweight applications on a wider variety of environments ranging from cheap devices to high-end servers:

Our primary target CPUs are 8-bit and it is shown that, for shortmessage hashing, Lesamnta-LW offers better tradeoffs between speed andcost on an 8-bit CPU than SHA-256. Our software implementation ofLesamnta-LW requires only 50 bytes of RAM. On high-end processors whereAES instruction set can be utilized, Lesamnta-LW is reasonably fast.

A provably secure key-prefix (KP) mode of Lesamnta-LW (the mode required in the PPP Challenge Handshake Authentication Protocol [39]) gains a significant advantage over the standard method HMAC-SHA-256.

2. The $2^{120}$ security level, achieved with a high security margin:

The compression function is a new mode of a block cipher, called theLW1 mode, which enables us to provide proofs reducing the security ofLesamnta-LW to that of the underlying block cipher. The block cipher isbased on AES in order to gain confidence in its security.

As for the security levels, an ideal 256-bit hash function would provide the $2^{256}$ security level against preimage attacks. However, the $2^{120}$ security level is sufficient for most applications, especially on small devices. We give preference to cost over preimage resistance in the design of Lesamnta-LW; there is always a tradeoff between security and cost, and the two do not generally go together.

The outline of this paper is as follows. In Sect. 2, we explain our designstrategy. In Sect. 3, we give the specification of the Lesamnta-LW hash function.In Sect. 4, we discuss the security reduction of Lesamnta-LW. In Sect. 5, weevaluate the security of Lesamnta-LW against all relevant attacks. Section 6presents implementation results. Section 7 concludes the paper.

2 Design Principle

While recent symmetric-key primitive proposals provide relatively low security levels, such as the 64-bit and 80-bit levels, we argue that there is an increasing demand for lightweight hash functions providing a high security level. A reasonable application would be code signing for small but highly sensitive devices, such as those used in medical applications or car electronics. Our main design goal to satisfy these application requirements is to develop a secure 256-bit hash function which achieves small hardware/software implementations. More specifically, the most important aspects are to have security reductions, a small hardware footprint, and a low working memory (RAM) requirement for software. Our next target is to achieve fairly fast speed when taking into account the context, including the length of the input message and the modes of operation. This is because the required efficiency could include good performance for very short messages such as IDs, or for the pseudorandom function derived from the hash function with constructions such as HMAC or the Key-Prefix (KP) mode discussed in this paper. A speedup can be obtained with the KP mode, compared to the standard solution HMAC with SHA-256.

2.1 Padding Method

For the padding method of Lesamnta-LW, the last block does not contain anypart of the message input. It only contains the length of the message input. Thisproperty is required to guarantee preimage resistance of Lesamnta-LW.

2.2 LW1 Mode

Sophisticated designs and attacks on block ciphers were presented in the AES competition, and knowledge of block ciphers is useful in designing secure hash functions. This is why Lesamnta-LW is designed as a block-cipher-based hash function. A few reasons for choosing the LW1 mode are also listed below. First, from the viewpoint of attacks on a block cipher, recent collision attacks use the fact that an attacker can directly control the key of the block cipher. In contrast, the LW1 mode does not allow attackers to control the key of the block cipher directly. Second, the LW1 mode is theoretically analyzed. It enables us to reduce the security of Lesamnta-LW to that of the underlying block cipher to a greater extent than the popular Davies-Meyer mode [30] used by the SHA family.

2.3 Block Cipher

The block cipher is designed to meet the following requirements:

• The security analysis should be simple to have confidence in the design.

• It should be compact in software/hardware.

• It should offer a reasonable speed on high-end/low-end CPUs.

For this purpose, the block cipher is an AES-based design such that Lesamnta-LWcan gain clear advantages over known block-cipher based designs such as SHA-256and MAME. The key scheduling function ensures a strong non-linearity and anexcellent diffusion property by re-using the 32-bit permutation of the mixingfunction; this reduces the hardware complexity since a part of the hardware canbe reused. The round constants sequentially generated from a linear feedback shiftregister introduce randomness and asymmetry into the key scheduling function.

3 Specification

3.1 Message Padding

The first step of the hash computation is the padding of the message. The purpose of the padding is to ensure that the input consists of a multiple of 128 bits. Suppose that the length of a message $M$ is $l$ bits. Append the bit "1" to the end of the message, followed by $k + 63$ zero bits, where $k$ is the smallest non-negative integer such that $l + k \equiv 0 \pmod{128}$. Then, append a 64-bit block equal to the number $l$ in binary representation. The padded length is $l + k + 128$ bits, a multiple of 128, and the maximum length of the message is $2^{64} - 1$ bits.

3.2 Compression Function and Domain Extension

Lesamnta-LW is a Merkle-Damgård iterated hash function [15, 31] using the following compression function on 128-bit words $H^{(i-1)}_0$, $H^{(i-1)}_1$, and $M^{(i)}$:

$$h(H^{(i-1)}, M^{(i)}) = E_{H^{(i-1)}_0}\bigl(M^{(i)} \| H^{(i-1)}_1\bigr),$$

where $H^{(i-1)} = H^{(i-1)}_0 \| H^{(i-1)}_1$ and $E_K$ is a 256-bit block cipher with a 128-bit key $K$. We call this method of constructing a compression function the LW1 mode. For a padded message input $M = M^{(1)} \| \cdots \| M^{(N)}$, Lesamnta-LW works as follows: $H^{(i)} = h(H^{(i-1)}, M^{(i)})$ for $1 \le i \le N$, where $H^{(0)}$ is a fixed initial value and $H^{(N)}$ is the output. It is illustrated in Fig. 1. This structure is referred to as $\mathrm{LW}^E(H^{(0)}, M)$ later in Sect. 4.

Figure 1 – The structure of Lesamnta-LW: a chain of $N$ calls to $E$, the $i$-th keyed by $H^{(i-1)}_0$ and encrypting $M^{(i)} \| H^{(i-1)}_1$, starting from $H^{(0)} = H^{(0)}_0 \| H^{(0)}_1$ and ending with the output $H^{(N)} = H^{(N)}_0 \| H^{(N)}_1$.

3.3 Block Cipher

Lesamnta-LW uses a 64-round block cipher $E$ that takes as input a 128-bit key and a 256-bit plaintext. The block cipher consists of two parts: the key scheduling function, mapping the key to the round keys, and the mixing function, taking as input a plaintext and the round keys to produce a ciphertext. Both of them use a type-1 4-branch generalized Feistel network (GFN) (cf. Zheng et al. [48]). One round of the block cipher is illustrated in Fig. 2. The input variables to round $r$ for the mixing function and the key scheduling function are denoted by $(x^{(r)}_0, x^{(r)}_1, x^{(r)}_2, x^{(r)}_3)$ and $(k^{(r)}_0, k^{(r)}_1, k^{(r)}_2, k^{(r)}_3)$ respectively. Each $x^{(r)}_i$ is a 64-bit word and each $k^{(r)}_i$ is a 32-bit word.

Figure 2 – The round function. Left: the key scheduling function on the four 32-bit words $k^{(r)}_0, \ldots, k^{(r)}_3$, using $Q$ and the round constant $C^{(r)}$ and emitting the round key $K^{(r)}$. Right: the mixing function on the four 64-bit words $x^{(r)}_0, \ldots, x^{(r)}_3$, using the function $G$ under $K^{(r)}$; $G$ itself consists of two copies of $Q$ followed by $R$.

The mixing function consists of XORs, a wordwise permutation, and a non-linear function $G$. Taking as input a 32-bit round key $K^{(r)}$, the mixing function updates its intermediate state in the following manner:

$$x^{(r+1)}_0 = x^{(r)}_3 \oplus G(x^{(r)}_2, K^{(r)}),\quad x^{(r+1)}_1 = x^{(r)}_0,\quad x^{(r+1)}_2 = x^{(r)}_1,\quad x^{(r+1)}_3 = x^{(r)}_2.$$

The function $G$ consists of XOR operations, a 32-bit non-linear permutation $Q$, and a function $R$. For a 64-bit input $y = y_0 \| y_1$ and a 32-bit round key $K^{(r)}$, $G(y, K^{(r)})$ is defined as follows:

$$G(y, K^{(r)}) = R\bigl(Q(y_0 \oplus K^{(r)}) \,\|\, Q(y_1)\bigr).$$

Using the AES components [14], the function $Q$ is defined as follows:

$$Q = \mathrm{MixColumns} \circ \mathrm{SubBytes}.$$

The SubBytes transformation is a non-linear byte substitution that takes 4 bytes $s_0, s_1, s_2, s_3$ as input and operates independently on each byte using the AES S-box:

$$s'_i = \text{S-box}(s_i) \quad\text{for } 0 \le i < 4.$$

The MixColumns step is a bytewise operation that takes 4 bytes $s_0, s_1, s_2, s_3$ as input. It is given by the AES MDS matrix multiplication defined over $\mathrm{GF}(2^8)$ as follows:

$$\begin{pmatrix} s'_0 \\ s'_1 \\ s'_2 \\ s'_3 \end{pmatrix} = \begin{pmatrix} 02 & 03 & 01 & 01 \\ 01 & 02 & 03 & 01 \\ 01 & 01 & 02 & 03 \\ 03 & 01 & 01 & 02 \end{pmatrix} \begin{pmatrix} s_0 \\ s_1 \\ s_2 \\ s_3 \end{pmatrix}.$$

For a 64-bit input $s = s_0 \| s_1 \| s_2 \| s_3 \| s_4 \| s_5 \| s_6 \| s_7$, the function $R(s)$ is defined as follows: $R(s) = s_4 \| s_5 \| s_2 \| s_3 \| s_0 \| s_1 \| s_6 \| s_7$.

One round of the key scheduling function consists of the following two steps. Firstly, it generates the $r$-th round key $K^{(r)} = k^{(r)}_0$. Secondly, it updates the intermediate state in the following manner:

$$k^{(r+1)}_0 = k^{(r)}_3 \oplus Q\bigl(C^{(r)} \oplus k^{(r)}_2\bigr),\quad k^{(r+1)}_1 = k^{(r)}_0,\quad k^{(r+1)}_2 = k^{(r)}_1,\quad k^{(r+1)}_3 = k^{(r)}_2,$$

where the 32-bit round constants $C^{(r)}$ are generated using the algorithm presented in Fig. 3. The algorithm is based on the linear feedback shift register (LFSR) of the following primitive polynomial:

$$g(x) = x^{32} + x^{31} + x^{29} + x^{28} + x^{26} + x^{25} + x^{24} + x^{23} + x^{20} + x^{19} + x^{17} + x^{16} + x^{15} + x^{12} + x^{11} + x^{8} + 1.$$

4 Security Reduction

In this section, it is assumed that $E$ is a block cipher with key length $n/2$ and block length $n$ for even $n$. For Lesamnta-LW, $n = 256$.


    ConstantGenerator(word C[64])
    begin
        word c;
        c = 0xffffffff;
        for i = 0 to (64 * 3) - 1
            /* one step of the Galois LFSR */
            if (c & 0x00000001) == 0x00000001
                c = (c >> 1) ^ 0xdbcdcc80;
            else
                c = c >> 1;
            end if
            /* keep every third state as a round constant */
            if i mod 3 == 0
                C[i/3] = c;
            end if
        end for
    end

Figure 3 – The algorithm for generating the round constants.
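The padding (Sect. 3.1), the LW1 mode (Sect. 3.2), the block cipher (Sect. 3.3) and the constant generator (Fig. 3) assembled into one runnable Python implementation. This is an added example written from the specification above, not the designers' reference code, and it rests on two assumptions the page does not fix: the byte order inside a 32-bit word ($s_0$ is taken as the most significant byte) and the initial value $H^{(0)}$, which `lesamnta_lw()` takes as a parameter rather than hard-coding. The AES S-box is generated from its definition (GF($2^8$) inverse followed by the affine map) instead of being typed in.

```python
# Added example, written from Sect. 3 and Fig. 3 above; not the designers'
# reference implementation.  Assumptions: s0 is the most significant byte of
# a 32-bit word, and the initial value H^(0) is supplied by the caller.
MASK32 = 0xFFFFFFFF
MASK64 = 0xFFFFFFFFFFFFFFFF


def gf_mul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        a = ((a << 1) ^ 0x11B) if a & 0x80 else a << 1
        b >>= 1
    return r


def make_sbox():
    """AES S-box from its definition: GF(2^8) inverse, then the affine map."""
    sbox = []
    for x in range(256):
        inv = 0 if x == 0 else next(y for y in range(1, 256) if gf_mul(x, y) == 1)
        s = inv
        for i in range(1, 5):                      # inv ^ rotl(inv, 1..4)
            s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
        sbox.append(s ^ 0x63)
    return sbox


SBOX = make_sbox()
MDS = ((2, 3, 1, 1), (1, 2, 3, 1), (1, 1, 2, 3), (3, 1, 1, 2))


def Q(w):
    """Q = MixColumns o SubBytes on one 32-bit word (bytes s0..s3, s0 first)."""
    s = [SBOX[(w >> (24 - 8 * i)) & 0xFF] for i in range(4)]
    out = 0
    for row in MDS:
        v = 0
        for c, si in zip(row, s):
            v ^= gf_mul(c, si)
        out = (out << 8) | v
    return out


def R(s):
    """Byte permutation s0..s7 -> s4 s5 s2 s3 s0 s1 s6 s7 on a 64-bit value."""
    b = s.to_bytes(8, "big")
    return int.from_bytes(bytes(b[i] for i in (4, 5, 2, 3, 0, 1, 6, 7)), "big")


def G(y, K):
    """G(y, K) = R(Q(y0 ^ K) || Q(y1)) for y = y0 || y1."""
    return R((Q((y >> 32) ^ K) << 32) | Q(y & MASK32))


def round_constants():
    """Fig. 3: clock the Galois LFSR 192 times, keeping every third state."""
    C, c = [], 0xFFFFFFFF
    for i in range(64 * 3):
        c = (c >> 1) ^ (0xDBCDCC80 if c & 1 else 0)
        if i % 3 == 0:
            C.append(c)
    return C


CONST = round_constants()


def encrypt(key, pt):
    """E: 128-bit key, 256-bit block, 64 rounds of the type-1 GFN of Sect. 3.3."""
    k = [(key >> (96 - 32 * i)) & MASK32 for i in range(4)]
    x = [(pt >> (192 - 64 * i)) & MASK64 for i in range(4)]
    for r in range(64):
        K = k[0]                                           # round key K^(r)
        k = [k[3] ^ Q(CONST[r] ^ k[2]), k[0], k[1], k[2]]  # key schedule step
        x = [x[3] ^ G(x[2], K), x[0], x[1], x[2]]          # mixing step
    return (x[0] << 192) | (x[1] << 128) | (x[2] << 64) | x[3]


def pad(msg):
    """Sect. 3.1: append '1', k+63 zero bits, then the 64-bit length."""
    l = 8 * len(msg)
    k = (-l) % 128
    bits = "1" + "0" * (k + 63) + format(l, "064b")
    return msg + int(bits, 2).to_bytes(len(bits) // 8, "big")


def last_block(msg):
    """Final 128-bit block of the padded message; it never holds message bits."""
    return pad(msg)[-16:]


def compress(h, m):
    """LW1 mode: h(H, M) = E_{H0}(M || H1), with H = H0 || H1."""
    return encrypt(h >> 128, (m << 128) | (h & ((1 << 128) - 1)))


def lesamnta_lw(msg, iv):
    """Merkle-Damgard iteration; iv plays the role of H^(0) (not fixed here)."""
    p, h = pad(msg), iv
    for i in range(0, len(p), 16):
        h = compress(h, int.from_bytes(p[i:i + 16], "big"))
    return h
```

Passing a secret key as `iv` is exactly the KIV mode of Sect. 4.3.1, and hashing `key + message` under the fixed IV is the KP mode of Sect. 4.3.2. Note also that `compress()` is invertible once $H_0$ is known (decrypt under that key), which is the reason Sect. 4.2 caps (second-)preimage security at $2^{128}$ rather than $2^{256}$.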

4.1 Collision Resistance

The collision resistance of $\mathrm{LW}^E$ can be proved in the ideal cipher model using the technique of Black et al. [8].

Let $\mathrm{BC}(\kappa, \nu)$ be the set of all block ciphers with key size $\kappa$ and block size $\nu$. Let $H^E$ be a hash function using a block cipher $E$. Let $A$ be an adversary trying to find a collision for $H^E$. The col-advantage of $A$ against $H^E$, $\mathrm{Adv}^{\mathrm{col}}_{H^E}(A)$, is given by

$$\Pr\bigl[A^E = (M, M') \;\wedge\; M \ne M' \;\wedge\; H^E(M) = H^E(M')\bigr],$$

where $E$ is chosen uniformly at random from $\mathrm{BC}(\kappa, \nu)$. The following theorem gives an upper bound on the probability of finding a collision of $\mathrm{LW}^E$ in the ideal cipher model. It implies that Lesamnta-LW has a claimed security level of at least $2^{120}$ block-cipher operations against collision attacks.

Theorem 1. For any collision-finding adversary $A$ against $\mathrm{LW}^E$ asking at most $q$ queries to $E$,

$$\mathrm{Adv}^{\mathrm{col}}_{\mathrm{LW}^E}(A) \le \frac{(\gamma(n) + 3)\, q}{2^{n/2} - 1}$$

in the ideal cipher model, where $\gamma(n) = (e/2)\, n \,/\, (\log_2 n - \log_2 \log_2 e - 1)$.
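Instantiating the theorem at Lesamnta-LW's own parameters is a quick sanity check on the $2^{120}$ claim; this worked evaluation is added here and is not part of the original paper. With $n = 256$, $\log_2 n = 8$ and $\log_2 \log_2 e \approx 0.529$:

$$\gamma(256) = \frac{(e/2) \cdot 256}{8 - 0.529 - 1} \approx \frac{347.9}{6.471} \approx 53.8,$$

$$\mathrm{Adv}^{\mathrm{col}}_{\mathrm{LW}^E}(A) \le \frac{(53.8 + 3)\, q}{2^{128} - 1} \approx 2^{5.8} \cdot \frac{q}{2^{128}} = \frac{q}{2^{122.2}}.$$

The bound therefore reaches 1 only at $q \approx 2^{122}$, about two bits above the claimed $2^{120}$ and about six bits below $2^{n/2} = 2^{128}$. The gap is entirely the factor $\gamma(n)$, which is the multicollision allowance of Lemma 2 with $t = 2^{n/2}$ balls: $e \ln t / \ln \ln t$ with $t = 2^{n/2}$ expands to exactly the expression for $\gamma(n)$ in the theorem.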

The following lemma is used for the analysis of multi-collision, which should betaken into consideration to evaluate the success probability of meet-in-the-middleattacks.


Lemma 2 (Theorem 3.1 in [32]). Suppose that there are $t$ balls and $t$ bins and that each ball is placed in a bin chosen independently and uniformly at random. Then, with probability at least $1 - 1/t$, no bin has more than $e \ln t / \ln \ln t$ balls in it.

Proof of Theorem 1: For $1 \le i \le q$, let $(t_i, k_i, w_i \| x_i, y_i \| z_i)$ be the tuple such that $E(k_i, w_i \| x_i) = y_i \| z_i$ and $t_i \in \{e, d\}$, obtained by the $i$-th query. $t_i$ represents the type of the $i$-th query: encryption (e) or decryption (d). Let $G_1, G_2, \ldots, G_q$ be a sequence of directed graphs such that $G_i = (V_i, L_i)$, where

• $V_1 = \{k_1 \| x_1,\; y_1 \| z_1\}$, $L_1 = \{(k_1 \| x_1,\; y_1 \| z_1)\}$, and

• $V_i = V_{i-1} \cup \{k_i \| x_i,\; y_i \| z_i\}$, $L_i = L_{i-1} \cup \{(k_i \| x_i,\; y_i \| z_i)\}$ for $2 \le i \le q$.

Each edge $(k_i \| x_i, y_i \| z_i)$ is labeled by $(t_i, w_i)$. Notice that $y_i \| z_i = h(k_i \| x_i, w_i)$, where $h$ is the compression function of $\mathrm{LW}^E$.

Suppose that the adversary $A$ finds a collision of $\mathrm{LW}^E$ with the $i$-th query for the first time. Then, there must be a path in $G_i$ from the initial value $IV$ to some colliding output which does not exist in $G_1, \ldots, G_{i-1}$. This path contains the nodes $k_i \| x_i$ and $y_i \| z_i$ and the edge labeled $(t_i, w_i)$.

If $t_i = e$, that is, the $i$-th query is an encryption query, then there must be an event such that $y_i \| z_i \in \{y_j \| z_j \mid 1 \le j \le i-1\} \cup \{k_j \| x_j \mid 1 \le j \le i-1\} \cup \{IV\}$. If $t_i = d$, then there must be an event such that $k_i \| x_i \in \{y_j \| z_j \mid 1 \le j \le i-1\} \cup \{IV\}$.

For the case where $t_i = d$ and $k_i \| x_i \in \{y_j \| z_j \mid 1 \le j \le i-1\}$, let us look into the new path in $G_i$ mentioned above. Let

$$IV \xrightarrow{(t_{j_1}, M_{j_1})} v_{j_1} \xrightarrow{(t_{j_2}, M_{j_2})} \cdots \xrightarrow{(t_{j_{l-1}}, M_{j_{l-1}})} v_{j_{l-1}} \xrightarrow{(t_{j_l}, M_{j_l})} v_{j_l}$$

be the prefix of the path, where $v_{j_{l-1}} = k_i \| x_i$, $(t_{j_l}, M_{j_l}) = (d, w_i)$ and $v_{j_l} = y_i \| z_i$. We start from $v_{j_l}$ and go back toward $IV$ until we first find an edge $(e, M_{j_k})$ or reach the node $IV$ without finding such an edge. Suppose that we reach $IV$. Then, it implies that there is an event such that $t_{i'} = d$ and $k_{i'} \| x_{i'} = IV$ for some $i'$ such that $1 \le i' < i$. On the other hand, suppose that we find an edge $(e, M_{j_k})$. Then, it implies that there is an event such that $t_{i'} = e$ and $y_{i'} \| z_{i'} \in \{k_j \| x_j \mid 1 \le j < i'\}$ for some $i'$ such that $1 < i' < i$, or an event such that $t_{i'} = d$ and $k_{i'} \| x_{i'} \in \{y_j \| z_j \mid 1 \le j < i' \wedge t_j = e\}$ for some $i'$ such that $1 < i' \le i$.

From the discussion above, if $A$ finds a collision with at most $q$ queries, then at least one of the following events must occur for some $i$ such that $1 \le i \le q$:

$A_i$: $t_i = e$ and $y_i \| z_i = IV$,

$B_i$: $t_i = e$ and $y_i \| z_i \in \{y_j \| z_j \mid 1 \le j \le i-1\} \cup \{k_j \| x_j \mid 1 \le j \le i-1\}$,

$C_i$: $t_i = d$ and $k_i \| x_i = IV$,

$D_i$: $t_i = d$ and $k_i \| x_i \in \{y_j \| z_j \mid 1 \le j < i \wedge t_j = e\}$.


It is easy to see that

$$\Pr[A_i] \le \frac{1}{2^n - (i-1)},\qquad \Pr[B_i] \le \frac{2(i-1)}{2^n - (i-1)},\qquad \Pr[C_i] \le \frac{2^{n/2}}{2^n - (i-1)}.$$

For $D_i$, the probability of a multicollision on $y_j$ should be taken into consideration. From Lemma 2, for $1 \le q \le 2^n$,

$$\Pr[D_i] \le \frac{\gamma(n)\, 2^{n/2}}{2^n - (i-1)} + \frac{1}{2^{n/2}}.$$

Precisely speaking, the distribution of $y_j \| z_j$ is not uniform on $\{0,1\}^n$ since $E$ is a keyed permutation. However, since $\Pr[y_j \in \{y_1, \ldots, y_{j-1}\}] \le \Pr[y_j \notin \{y_1, \ldots, y_{j-1}\}]$, the probability of a multicollision is smaller in this case.

Thus, for $1 \le q \le 2^n$,

$$\mathrm{Adv}^{\mathrm{col}}_{\mathrm{LW}^E}(A) \le \sum_{i=1}^{q} \bigl(\Pr[A_i] + \Pr[B_i] + \Pr[C_i] + \Pr[D_i]\bigr) \le \frac{(\gamma(n) + 3)\, q}{2^{n/2} - 1}.$$

The upper bound exceeds 1 for $q > 2^{n/2}$.

4.2 (Second-)Preimage Resistance

The preimage resistance of $\mathrm{LW}^E$ can also be proved in the ideal cipher model using the same technique. It is at the same level as its collision resistance. It implies that Lesamnta-LW also has a claimed security level of at least $2^{120}$ block-cipher operations against (second-)preimage attacks. Lesamnta-LW cannot provide security larger than $2^{128}$ since its compression function is invertible.

4.3 Keyed Hashing Mode

4.3.1 Keyed-via-IV (KIV) Mode.

The KIV mode is a method to construct a PRF from a given hash function. Itsimply replaces the initial value IV with a secret key.

The KIV mode of Lesamnta-LW with the first half of the output chopped offresists any distinguishing attack that requires much fewer than 2128 queries if theunderlying block cipher is a pseudorandom permutation (PRP).

Let $\mathcal{F}(\mathcal{X}, \mathcal{Y})$ be the set of all functions from $\mathcal{X}$ to $\mathcal{Y}$. Let $F : \mathcal{K} \times \mathcal{X} \to \mathcal{Y}$ be a keyed function from $\mathcal{X}$ to $\mathcal{Y}$, where $\mathcal{K}$ is its key space. Let $A$ be an adversary which has oracle access to functions from $\mathcal{X}$ to $\mathcal{Y}$ and outputs 0 or 1. The prf-advantage of $A$ against $F$, $\mathrm{Adv}^{m\text{-prf}}_F(A)$, is given by

$$\Bigl|\Pr\bigl[A^{F_{K_1}, \ldots, F_{K_m}} = 1\bigr] - \Pr\bigl[A^{\rho_1, \ldots, \rho_m} = 1\bigr]\Bigr|,$$

where the $K_j$'s and $\rho_j$'s are chosen uniformly and independently at random from $\mathcal{K}$ and $\mathcal{F}(\mathcal{X}, \mathcal{Y})$, respectively. $\mathrm{Adv}^{1\text{-prf}}_F(A)$ is simply denoted by $\mathrm{Adv}^{\mathrm{prf}}_F(A)$. $F$ is called a PRF if $\mathrm{Adv}^{\mathrm{prf}}_F(A)$ is negligible for any efficient $A$.

Let $\mathcal{P}(\mathcal{X})$ be the set of all permutations on $\mathcal{X}$. If $F$ is a keyed permutation on $\mathcal{X}$ and $A$ has oracle access to permutations in $\mathcal{P}(\mathcal{X})$, then the advantage of $A$ is called the prp-advantage and denoted by $\mathrm{Adv}^{m\text{-prp}}_F(A)$.

In the remaining part, the KIV mode of $\mathrm{LW}^E$ with the first half of the output chopped off is denoted by $\text{kiv-}\mathrm{LW}^E$.

Theorem 2. Let $A$ be a prf-adversary against kiv-LWE. Suppose that $A$ runs in time at most $t$, and makes at most $q$ queries, and each query has at most $\ell$ message blocks. Then, there exists a prp-adversary $B$ against $E$ such that

$$\mathrm{Adv}^{\mathrm{prf}}_{\text{kiv-LWE}}(A) \le \ell q \cdot \mathrm{Adv}^{\mathrm{prp}}_E(B) + \frac{\ell q (q-1)}{2^{2n+1}} .$$

$B$ makes at most $q$ queries and runs in time at most $t + O(\ell q T_E)$, where $T_E$ represents the time required to compute $E$.

Theorem 2 follows from Lemmas 3 and 4 shown below. Proofs are given in Sections 8.2 and 8.3, respectively.

Lemma 3. Let $A$ be a prf-adversary against kiv-LWE. Suppose that $A$ runs in time at most $t$, and makes at most $q$ queries, and each query has at most $\ell$ message blocks. Then, there exists a prf-adversary $B$ against $E$ with access to $q$ oracles such that

$$\mathrm{Adv}^{\mathrm{prf}}_{\text{kiv-LWE}}(A) = \ell \cdot \mathrm{Adv}^{q\text{-}\mathrm{prf}}_E(B) .$$

$B$ makes at most $q$ queries and runs in time at most $t + O(\ell q T_E)$, where $T_E$ represents the time required to compute $E$.

Lemma 4. Let $A$ be a prf-adversary against $E$ with $m$ oracles. Suppose that $A$ runs in time at most $t$, and makes at most $q$ queries. Then, there exists a prp-adversary $B$ against $E$ such that

$$\mathrm{Adv}^{m\text{-}\mathrm{prf}}_E(A) \le m \cdot \mathrm{Adv}^{\mathrm{prp}}_E(B) + \frac{q(q-1)}{2^{2n+1}} .$$

$B$ makes at most $q$ queries and runs in time at most $t + O(q T_E)$, where $T_E$ represents the time required to compute $E$.
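Added worked step (not part of the original text): Theorem 2 is obtained by chaining the two lemmas. Lemma 3 turns $A$ into a $q$-oracle prf-adversary $B$ against $E$; applying Lemma 4 to $B$ with $m = q$ yields a prp-adversary $B'$ against $E$ making at most $q$ queries, and

$$\mathrm{Adv}^{\mathrm{prf}}_{\text{kiv-LWE}}(A) = \ell \cdot \mathrm{Adv}^{q\text{-}\mathrm{prf}}_E(B) \le \ell \left( q \cdot \mathrm{Adv}^{\mathrm{prp}}_E(B') + \frac{q(q-1)}{2^{2n+1}} \right) = \ell q \cdot \mathrm{Adv}^{\mathrm{prp}}_E(B') + \frac{\ell q (q-1)}{2^{2n+1}} ,$$

which is the bound of Theorem 2. The running time of $B'$ is that of $B$, $t + O(\ell q T_E)$, plus the $O(q T_E)$ overhead of Lemma 4, which is still $t + O(\ell q T_E)$ since $\ell \ge 1$.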

4.3.2 Key-Prefix (KP) Mode.

The KP mode is a method to construct a PRF from a given hash function [42]. It simply feeds $K \| M$ to the hash function as an input, where $K$ is a secret key and $M$ is a given message. This mode uses a hash function as a black box. In this sense, it is similar to HMAC [34].


The KP mode of Lesamnta-LW with the first half of the output chopped off resists any distinguishing attack that requires much fewer than $2^{128}$ queries if the underlying block cipher is a pseudorandom permutation (PRP) and it also has a mild security property given later.

Let $h$ be the compression function of LWE and $\mathcal{B} = \{0,1\}^{n/2}$. Let $G^E_1 : \mathcal{B} \times \mathcal{B} \to \mathcal{B}^2$ be a keyed function such that $G^E_1(K, M) = h(h(IV, K), M)$, where $K \in \mathcal{B}$ and $M \in \mathcal{B}$. Let $G^E_2 : \mathcal{B}^2 \times \mathcal{B} \to \mathcal{B}^2$ be a keyed function such that $G^E_2(K', M) = h(K', M)$, where $K' \in \mathcal{B}^2$ and $M \in \mathcal{B}$.

In the remaining part, the KP mode of LWE with the first half of the output chopped off is denoted by kp-LWE.

Theorem 3. Let $A$ be a prf-adversary against kp-LWE. Suppose that $A$ runs in time at most $t$, and makes at most $q$ queries, and each query has at most $\ell$ message blocks. Then, there exists an adversary $B$ against $G^E_1$ such that

$$\mathrm{Adv}^{\mathrm{prf}}_{\text{kp-LWE}}(A) \le \mathrm{Adv}^{\mathrm{prf}}_{\text{kiv-LWE}}(A) + \mathrm{Adv}^{G^E_2}_{G^E_1}(B) ,$$

where

$$\mathrm{Adv}^{G^E_2}_{G^E_1}(B) = \left| \Pr[B^{G^E_1(K,\cdot)} = 1] - \Pr[B^{G^E_2(K',\cdot)} = 1] \right|$$

and $K$ and $K'$ are random variables uniformly distributed over $\mathcal{B}$ and $\mathcal{B}^2$, respectively. $B$ makes at most $q$ queries and runs in time at most $t + O(\ell q T_E)$, where $T_E$ represents the time required to compute $E$.

Proof. Let $\rho$ be a random function uniformly distributed over $\mathcal{F}(\mathcal{B}^{\le \ell}, \mathcal{B})$, where $\mathcal{B}^{\le \ell} = \bigcup_{i=0}^{\ell} \mathcal{B}^i$. Let $K$ and $K'$ be random variables uniformly distributed over $\mathcal{B}$ and $\mathcal{B}^2$, respectively. Then,

$$\begin{aligned}
\mathrm{Adv}^{\mathrm{prf}}_{\text{kp-LWE}}(A) &= \left| \Pr[A^{\text{kp-LWE}_K} = 1] - \Pr[A^{\rho} = 1] \right| \\
&\le \left| \Pr[A^{\text{kp-LWE}_K} = 1] - \Pr[A^{\text{kiv-LWE}_{K'}} = 1] \right| + \left| \Pr[A^{\text{kiv-LWE}_{K'}} = 1] - \Pr[A^{\rho} = 1] \right| .
\end{aligned}$$

It is easy to see that

$$\left| \Pr[A^{\text{kiv-LWE}_{K'}} = 1] - \Pr[A^{\rho} = 1] \right| = \mathrm{Adv}^{\mathrm{prf}}_{\text{kiv-LWE}}(A) .$$

Let us consider the following adversary $B$ against $G^E_1$. $B$ first runs $A$. For each query $M = M_1 \| M_{\mathrm{tail}}$ from $A$, $B$ asks the first block $M_1$ to its oracle and receives the reply $H$. Then, $B$ returns the second half of $H$ if $M_{\mathrm{tail}}$ is empty and $\text{LWE}(H, M_{\mathrm{tail}})$ otherwise. Finally, $B$ outputs $A$'s output. Then,

$$\begin{aligned}
\mathrm{Adv}^{G^E_2}_{G^E_1}(B) &= \left| \Pr[B^{G^E_1(K,\cdot)} = 1] - \Pr[B^{G^E_2(K',\cdot)} = 1] \right| \\
&= \left| \Pr[A^{\text{kp-LWE}_K} = 1] - \Pr[A^{\text{kiv-LWE}_{K'}} = 1] \right| .
\end{aligned}$$

This completes the proof.


$G^E_2$ is a PRF if $E$ is a PRP. Thus, $\mathrm{Adv}^{G^E_2}_{G^E_1}(B)$ is negligible for any efficient $B$ if $E$ is a PRP and $G^E_1$ is a PRF.
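An added example, not code from the Lesamnta-LW paper or its authors, showing the relation the proof of Theorem 3 relies on: kp-LWE keyed with $K$ equals kiv-LWE keyed with the derived chaining value $K' = h(IV, K)$, and the reduction $B$ answers $A$'s queries with a single oracle call on the first block. It uses stand-ins that are assumptions, not the real primitives: a toy 256-bit keyed permutation `E` (a 4-round Feistel with SHA-256 round functions), a compression function `h(H0||H1, M) = E_{H0}(M||H1)` following the `u(M_i || β)` shape used in the proof of Lemma 3, a constructed all-zero IV, and zero padding in place of Lesamnta-LW's padding.

```python
# Added example (not the paper's code). Shows, for a Merkle-Damgaard-style
# iteration over a block-cipher-based compression function, why the KP mode
# is the KIV mode under a derived key: kp_K(M) == kiv_{h(IV,K)}(M).
# Stand-ins (assumptions, not the real Lesamnta-LW primitives):
#   E  : toy 256-bit keyed permutation, 128-bit key, 4-round Feistel with
#        SHA-256-based round functions (Luby-Rackoff style construction)
#   h  : h(H0||H1, M) = E_{H0}(M||H1), the u(M_i || beta) shape of Lemma 3's proof
#   IV : constructed all-zero value; padding: zero-fill the last 16-byte block
import hashlib

HALF = 16                # n/2 = 128 bits; B = {0,1}^128 as 16 bytes
IV = bytes(2 * HALF)     # constructed placeholder, not Lesamnta-LW's H^(0)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def E(key: bytes, block: bytes) -> bytes:
    """Toy keyed permutation on B^2 (32 bytes) with key in B (16 bytes)."""
    assert len(key) == HALF and len(block) == 2 * HALF
    left, right = block[:HALF], block[HALF:]
    for rnd in range(4):          # balanced Feistel: invertible by construction
        f = hashlib.sha256(key + bytes([rnd]) + right).digest()[:HALF]
        left, right = right, _xor(left, f)
    return left + right


def h(H: bytes, M: bytes) -> bytes:
    """Compression function: first half of H keys E; M and the second half form the plaintext."""
    return E(H[:HALF], M + H[HALF:])


def blocks(msg: bytes) -> list:
    """Split msg into 16-byte blocks, zero-padding the last one (simplified padding)."""
    if not msg:
        return []
    msg += bytes((-len(msg)) % HALF)
    return [msg[i:i + HALF] for i in range(0, len(msg), HALF)]


def lwe(H: bytes, msg: bytes) -> bytes:
    """Iterate h from chaining value H over all blocks; returns the 256-bit state."""
    for blk in blocks(msg):
        H = h(H, blk)
    return H


def chop(H: bytes) -> bytes:
    """'First half chopped off': only the second half of the state is output."""
    return H[HALF:]


def kiv(K_prime: bytes, msg: bytes) -> bytes:
    """kiv-LWE: a secret 256-bit K' replaces the IV."""
    return chop(lwe(K_prime, msg))


def kp(K: bytes, msg: bytes) -> bytes:
    """kp-LWE: the 128-bit secret K is prepended to the message; the IV stays public."""
    return chop(lwe(IV, K + msg))


def kp_equals_kiv_with_derived_key(K: bytes, msg: bytes) -> bool:
    """The identity behind Theorem 3: kp_K(M) == kiv_{K'}(M) with K' = h(IV, K)."""
    return kp(K, msg) == kiv(h(IV, K), msg)


# The two keyed functions of Theorem 3 and the reduction B from its proof.
def G1(K: bytes, M1: bytes) -> bytes:
    return h(h(IV, K), M1)


def G2(K_prime: bytes, M1: bytes) -> bytes:
    return h(K_prime, M1)


def simulate_B(oracle, msg: bytes) -> bytes:
    """B answers A's query M = M1||Mtail with one oracle call on M1, then finishes locally."""
    first = blocks(msg)
    assert first, "the reduction handles non-empty queries"
    H = oracle(first[0])
    tail = msg[HALF:]
    return chop(H) if not tail else chop(lwe(H, tail))


if __name__ == "__main__":
    K = bytes(range(HALF))                                   # constructed sample key
    msg = b"constructed sample message spanning several blocks"
    print("kp == kiv(h(IV,K)):", kp_equals_kiv_with_derived_key(K, msg))
    print("B with G1 oracle reproduces kp :",
          simulate_B(lambda m1: G1(K, m1), msg) == kp(K, msg))
    K_prime = h(IV, bytes(HALF))
    print("B with G2 oracle reproduces kiv:",
          simulate_B(lambda m1: G2(K_prime, m1), msg) == kiv(K_prime, msg))
```

With the $G^E_1$ oracle, `simulate_B` reproduces exactly kp-LWE; with the $G^E_2$ oracle it reproduces exactly kiv-LWE, which is why the distinguishing advantage of $A$ between the two modes is the advantage of $B$ against $G^E_1$ versus $G^E_2$.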

5 Preliminary Analysis

In our preliminary analysis, we evaluate the security of Lesamnta-LW and the underlying block cipher against all relevant attacks. In the analysis of the block cipher, the attacker can have at most $2^{128}$ complexity because of the key length (128 bits) of the cipher rather than the plaintext length (256 bits).

5.1 Differential and Linear Attacks

We examined resistance of the block cipher against differential [6] and linear attacks [29], which are two of the most powerful tools in block cipher cryptanalysis. Hereafter, we only explain our method of evaluating the security against differential cryptanalysis as we can apply a similar method regarding linear cryptanalysis because of its duality to differential cryptanalysis [13]. For this purpose, we compute upper bounds on the probabilities of differential and linear characteristics. Our method is as follows:

• Make abstraction of the exact differences used in these characteristics and then just consider patterns of active S-boxes.

• Perform experiments with the Viterbi algorithm to compute lower bounds on the minimum number of active S-boxes. These experiments consider the MDS matrix property whose branch number is 5.

With this method, we can observe that the minimum number of active S-boxes for 24 rounds is 24. Therefore the probabilities of differential characteristics of 24 rounds of Lesamnta-LW are upper bounded by $2^{-144}$ because the maximum differential probability of the AES S-box is $2^{-6}$. As a result, it is very unlikely that differential/linear attacks can be applied successfully to the full Lesamnta-LW.

5.2 Higher Order Differential and Interpolation Attack

In the higher order differential attacks [27], the attacker constructs Boolean polynomial expressions for a cipher. The idea of the attack is that if the bits in the intermediate state are expressed by Boolean polynomials of degree at most $d$, the $(d+1)$-th order differential in the polynomial sense of the Boolean polynomial would be 0. Therefore if the value $d$ is reasonably small, the attack can be mounted. In the case of Lesamnta-LW, we found that every output bit of the S-box can be expressed as a Boolean polynomial of degree 7 in terms of input bits. Our experiments confirmed that the degree of such polynomials for Lesamnta-LW with 19 rounds reaches the required degree 256. Therefore, we expect that the full Lesamnta-LW is secure against higher order differential attacks.

In the interpolation attack [24], an attacker constructs a polynomial expression for a cipher over some field using cipher input/output pairs and then he aims to determine its key-dependent coefficients. If the number of terms in the polynomial expression is reasonably small, the attack can be mounted. Lesamnta-LW uses the AES S-box which can be expressed as a polynomial of degree 254 over $\mathrm{GF}(2^8)$. Our experiments have confirmed that after the 16th round, each byte in the intermediate state of the mixing function depends on all the 32 variables while this is not the case just after the 15th round. We expect that the number of coefficients grows fast after the 16th round due to the high degree of the S-box and deduce that the full Lesamnta-LW is secure against interpolation attacks.

5.3 Impossible Differential Attack

In the impossible differential attack [5], an attacker exploits differences that are impossible at some intermediate state of the cipher. The best impossible difference we have found is the difference of the form $(0, \Delta, 0, 0)$ at the input $\to (?, ?, ?, 0)$ after the 11th round. Note that the symbol $?$ denotes an arbitrary difference and $\Delta$ denotes a non-zero difference. However, we expect that it is unlikely that impossible differential attacks can be successful against the full Lesamnta-LW.

5.4 Related-key Attacks

In the related-key setting model, the attacker chooses the relation between the keys, which typically is a difference between the keys. We can show that the maximum differential characteristic probabilities for 24 rounds of the key scheduling function are less than $2^{-128}$ in the same way we did in Sect. 5.1. Hence, we expect that it is unlikely that related-key attacks can be successful against Lesamnta-LW because it is very difficult to find a high probability related-key differential.

5.5 Collision Attacks Using Message Modification

Wang et al. [44, 45] showed methods for finding collisions for widely used hash functions such as SHA-1. Their approach is based on differential cryptanalysis and the message modification technique, which can be used to reduce the attack complexity by exploiting degrees of freedom in the input message.

For differential collision attacks on Lesamnta-LW, the attacker has to use messages of at least two blocks because the message block is shorter than the chaining variable. Using a multiple-block message, he has some control over 384 bits of the input to the compression function. However, out of these 384 bits, the only input bits over which he can have control in a deterministic way are 128 bits, which correspond to the message block input. He can have control over the remaining 256 bits corresponding to the chaining variable input only in a probabilistic way. On the other hand, we can show that the maximum differential characteristic probabilities for 44 rounds of the mixing function and for 24 rounds of the key scheduling function are less than $2^{-256}$ and $2^{-128}$ in the same way we did in Sect. 5.1. Their methods for finding collisions require a differential characteristic with a large probability and a large degree of freedom in the message block space. Thus, we expect that it is very unlikely that differential attacks with message modification are effective against Lesamnta-LW.

5.6 Attacks on the Lesamnta Compression Function Using Self-Duality

Recently, attacks [11] on the compression function of the SHA-3 Round-1 candidate Lesamnta [22] have been reported. The main idea is to find some structure in round constants. The block cipher of Lesamnta exhibits a correlation between keys, ciphertexts and plaintexts. This correlation is caused by the self-duality of the key schedule and the mixing function. Using the correlation, the block cipher of Lesamnta is easily distinguished from an ideal cipher, and a pseudo-collision for Lesamnta can be found with less complexity than expected. Note that the concept of self-duality was given as the property of the AES round function [28].

Since Lesamnta-LW has been designed in such a way that it does not have the self-duality property, similar attacks are not applicable to Lesamnta-LW. It is easy to destroy the self-duality, that is, it is sufficient that the round key looks random. In the case of Lesamnta, since the 32-bit difference of a 64-bit round constant is periodically constant, it is easy to find a key such that the round key satisfies special conditions. In the case of Lesamnta-LW, round constants are generated with a linear feedback shift register that is based on a primitive polynomial of degree 32. Since the primitive polynomial has 17 non-zero coefficients, almost half of the bits of the internal state may be changed by one operation. In addition, the mixing function of Lesamnta-LW was designed in such a way that the size of a round key is half the size of G. This guarantees that the mixing function does not have the self-duality property independent of the value of a round key.

6 Implementation Results

We present software and hardware implementation results to show the flexibility of Lesamnta-LW for lightweight applications.

6.1 Low-Area ASIC Implementation Results

We have estimated speed and gate count of a hardware architecture of Lesamnta-LW, MAME, and SHA-256. In Table 1, our results are compared to known results on the SHA-3 final round candidates such as BLAKE-32 [1], Grøstl-224/256 [21], and Skein [19]. It is clear that Lesamnta-LW achieves a very small implementation and it is substantially smaller than most of them.

Table 1 – Our ASIC implementation estimates of Lesamnta-LW, MAME, and SHA-256 with known results on other hash functions. The digest size of SHA-3 candidates is omitted.

  Algorithm      Logic Process   Area (kGates)   Throughput (Mbit/s)   Clock (MHz)
  BLAKE [41]     0.35 µm         25.57           15.4                  31.25
  Grøstl [41]    0.35 µm         14.62           145.9                 55.87
  Skein [41]     0.35 µm         12.89           19.8                  80
  SHA-256 [18]   0.35 µm         10.9            22.5                  50
  Lesamnta-LW    90 nm           8.24            125.55                188.3
  MAME           90 nm           12.95           1164.48               436.68
  SHA-256        90 nm           14.6            1766                  220.8

6.2 Software Implementation Results

For software, Lesamnta-LW is targeted at the RAM requirement on an 8-bit CPU employed in smart devices. In low-cost 8-bit CPU applications, hash functions should require limited resources, memory and computation time. We argue that the most important constraint for hash functions is the limited RAM, which could be critical in many cases.

6.2.1 8-bit CPU

We have estimated RAM/ROM requirements of SHA-3 candidates, SHA-256, and Lesamnta-LW. Our results are shown in Table 2. As for the RAM requirement, it is clear that Lesamnta-LW achieves a very small implementation that is substantially smaller than most SHA-3 final round candidates. As for the ROM requirement, we estimate the size of constants such as initial vectors, lookup tables, and round constants. Lesamnta-LW is larger than the other algorithms shown in Table 2. However, it is typical on 8-bit CPUs that the ROM size is large enough for symmetric-key algorithm implementations. We expect that the ROM requirement of Lesamnta-LW is reasonable.

We have estimated speed and ROM/RAM size of Lesamnta-LW and SHA-256 on an 8-bit CPU Renesas® H8® in assembly language. The performance results are shown in Table 3, where by short message we mean a message whose length is less than 128 bits.

As for the RAM requirement, it is clear that Lesamnta-LW gains advantages over SHA-256 with respect to speed on short messages and RAM/ROM requirements.


Table 2 – Our estimates of RAM/ROM requirements on low-cost 8-bit CPUs.

  Algorithm      RAM (bytes)   ROM (CONST.) (bytes)
  BLAKE [1]      96            172
  Grøstl [21]    128           288
  JH [47]        128           144
  Keccak [4]     200           144
  Skein [19]     96            46
  SHA-256 [33]   128           288
  MAME [43]      64            40
  Lesamnta-LW    50            768

Table 3 – Our software implementation estimates on an 8-bit CPU Renesas® H8®. Three types of values are shown depending on the implementation policy, namely ROM-optimized, RAM-optimized, and balanced.

  Algorithm     Bulk Speed      Short Message      ROM (CONST. + CODE)   RAM
                (cycles/byte)   (cycles/message)   (bytes)               (bytes)
  SHA-256       1033.3          66434              32 + 37034            330
                1046.9          67308              288 + 5046            330
                1281.1          82296              288 + 948             330
  Lesamnta-LW   1650.9          52828              512 + 20006           50
                1736.5          55568              768 + 1346            50
                2055.0          65760              768 + 370             54

6.2.2 32-bit CPU

We have estimated the speed of Lesamnta-LW and SHA-256 on the Intel Core i5 processor, which offers instructions for fast encryption of AES. Our results are shown in Table 4. Lesamnta-LW is reasonably fast on this platform.

Table 4 – Our software implementation estimates on the Intel® Core™ i5 processor where, for our estimate of the speed of SHA-256, we use the code used in OpenSSH.

  Algorithm     Language   cycles/byte (32-bit mode)   cycles/byte (64-bit mode)
  SHA-256       ANSI C     26.9                        30.4
  Lesamnta-LW   assembly   43.4                        39.2

7 Conclusion

A new lightweight 256-bit hash function Lesamnta-LW has been proposed. We claim that its distinct features over the existing lightweight primitives are compactness, high speed, and a very good tradeoff between speed and cost on 8-bit CPUs as well as the high security levels with security reductions. We expect that Lesamnta-LW will open up a new set of lightweight applications.

Although we believe that the underlying block cipher of Lesamnta-LW withstands a number of recently proposed attacks because of our conservative design, more extensive analysis such as evaluation of security against rebound attacks would be needed.

Acknowledgments

We would like to mention the people who gave us valuable feedback and important comments on this work: Yasuko Fukuzawa, Kazuo Ota, and Kazuo Sakiyama.

References

[1] J. P. Aumasson, L. Henzen, W. Meier and R. C.-W. Phan, “SHA-3 proposal BLAKE”. http://131002.net/blake/

[2] J. P. Aumasson, L. Henzen, W. Meier and M. Naya-Plasencia, “QUARK: A Lightweight Hash,” Cryptographic Hardware and Embedded Systems CHES 2010, LNCS, vol. 6225, pp. 1–15, 2010.

[3] L. Batina, N. Mentens, K. Sakiyama, B. Preneel, and I. Verbauwhede, “Low-Cost Elliptic Curve Cryptography for Wireless Sensor Networks,” Security and Privacy in Ad-Hoc and Sensor Networks, ESAS 2006, LNCS, vol. 4357, pp. 6–17, 2007.

[4] G. Bertoni, J. Daemen, M. Peeters and G. V. Assche, “Keccak specifications”. http://keccak.noekeon.org/

[5] E. Biham, A. Biryukov and A. Shamir, “Cryptanalysis of Skipjack Reduced to 31 Rounds Using Impossible Differentials,” Advances in Cryptology - EUROCRYPT ’99, LNCS, vol. 1807, pp. 12–23, 1999.


[6] E. Biham and A. Shamir, Differential Cryptanalysis of the Data Encryption Standard, Springer, 1993.

[7] A. Biryukov and D. Wagner, “Advanced slide attacks,” Advances in Cryptology - EUROCRYPT 2000, LNCS, vol. 1807, pp. 589–606, 2000.

[8] J. Black, P. Rogaway, and T. Shrimpton, “Black-box analysis of the block-cipher-based hash-function constructions from PGV,” Advances in Cryptology - CRYPTO 2002, LNCS, vol. 2442, pp. 320–335, 2002.

[9] A. Bogdanov, L. R. Knudsen, G. Leander, C. Paar, A. Poschmann, M. J. B. Robshaw, Y. Seurin, and C. Vikkelsoe, “PRESENT: An Ultra-Lightweight Block Cipher,” Cryptographic Hardware and Embedded Systems CHES 2007, LNCS, vol. 4727, pp. 450–466, 2007.

[10] A. Bogdanov, G. Leander, C. Paar, A. Poschmann, M. J. B. Robshaw, and Y. Seurin, “Hash Functions and RFID Tags: Mind the Gap,” Cryptographic Hardware and Embedded Systems CHES 2008, LNCS, vol. 5154, pp. 283–299, 2008.

[11] C. Bouillaguet, O. Dunkelman, G. Leurent, and P. A. Fouque, “Another look at complementation properties,” Fast Software Encryption 2010 Workshop FSE 2010, LNCS, vol. 6147, pp. 347–364, 2010.

[12] C. De Cannière, O. Dunkelman, and M. Knezevic, “KATAN and KTANTAN a family of small and efficient hardware-oriented block ciphers,” Cryptographic Hardware and Embedded Systems CHES 2009, LNCS, vol. 5747, pp. 272–288, 2009.

[13] F. Chabaud and S. Vaudenay, “Links between differential and linear cryptanalysis,” Advances in Cryptology - EUROCRYPT ’94, LNCS, vol. 950, pp. 356–365, 1995.

[14] J. Daemen and V. Rijmen, The Design of Rijndael: AES - Advanced Encryption Standard, Springer-Verlag, 2002.

[15] I. B. Damgård, “A design principle for hash functions,” Advances in Cryptology - CRYPTO ’89, LNCS, vol. 435, pp. 416–427, 1990.

[16] E. Fleischmann, C. Forler, and M. Gorski, “Classification of the SHA-3 Candidates”, eprint archive: http://eprint.iacr.org/2008/511

[17] M. Feldhofer, S. Dominikus, J. Wolkerstorfer, “Strong Authentication for RFID Systems using the AES Algorithm”, In Proceedings of Workshop of Cryptographic Hardware and Embedded Systems - CHES 2004, Volume 3156 of LNCS, Springer, pp. 357–370, 2004.


[18] M. Feldhofer and C. Rechberger, “A case against currently used hash functions in RFID protocols,” Proceedings of On the Move to Meaningful Internet Systems 2006: OTM 2006 Workshops, LNCS, vol. 4227, pp. 372–381, 2006.

[19] N. Ferguson, S. Lucks, B. Schneier, D. Whiting, M. Bellare, T. Kohno, J. Callas, and J. Walker, “The Skein Hash Function Family”. http://www.schneier.com/skein.html

[20] G. Gaubatz, J. P. Kaps, E. Ozturk, and B. Sunar, “State of the Art in Ultra-Low Power Public Key Cryptography for Wireless Sensor Networks,” Workshop on Pervasive Computing and Communication Security PerSec 2005.

[21] P. Gauravaram, L. R. Knudsen, K. Matusiewicz, F. Mendel, C. Rechberger, M. Schläffer, and S. S. Thomsen, “Grøstl – a SHA-3 candidate”. http://www.groestl.info/

[22] S. Hirose, H. Kuwakado, and H. Yoshida, “SHA-3 proposal: Lesamnta,” http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/Lesamnta.zip, October 2008. Latest version: http://www.sdl.hitachi.co.jp/crypto/lesamnta/.

[23] S. Hirose, H. Kuwakado, and H. Yoshida, “Security analysis of the compression function of Lesamnta and its impact,” http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/LESAMNTA_Comments.pdf, June 2009.

[24] T. Jakobsen and L. R. Knudsen, “The interpolation attack on block ciphers,” Fast Software Encryption, FSE ’97, LNCS, vol. 1267, pp. 28–40, 1997.

[25] A. Joux, “Multicollisions in iterated hash functions. Application to cascaded construction,” Advances in Cryptology - CRYPTO 2004, Lecture Notes in Computer Science, vol. 3152, pp. 306–316, 2004.

[26] J. Kelsey and B. Schneier, “Second preimages on $n$-bit hash functions for much less than $2^n$ work,” Advances in Cryptology - EUROCRYPT 2005, LNCS, vol. 3494, pp. 474–490, 2005.

[27] L. R. Knudsen, “Truncated and higher order differentials,” Fast Software Encryption, FSE ’94, LNCS, pp. 196–211, 1995.

[28] T. V. Le, R. Sparr, R. Wernsdorf, and Y. Desmedt, “Complementation-like and cyclic properties of AES round functions,” Advanced Encryption Standard – AES, 4th International Conference, AES 2004, Lecture Notes in Computer Science, vol. 3373, pp. 128–141, 2005.

[29] M. Matsui, “Linear cryptanalysis method for DES cipher,” Advances in Cryptology - EUROCRYPT ’93, LNCS, vol. 765, pp. 386–397, 1994.


[30] A. J. Menezes, P. C. van Oorschot, and S. A. Vanstone, Handbook of Applied Cryptography, CRC Press, 1996.

[31] R. C. Merkle, “One way hash functions and DES,” CRYPTO ’89, LNCS, vol. 435, pp. 428–446, 1990.

[32] R. Motwani and P. Raghavan, Randomized Algorithms, Cambridge University Press, 1995.

[33] National Institute of Standards and Technology, “Secure hash standard,” Federal Information Processing Standards Publication 180-2, August 2002. http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf.

[34] National Institute of Standards and Technology, “The keyed-hash message authentication code (HMAC),” Federal Information Processing Standards Publication 198, March 2002.

[35] National Institute of Standards and Technology, “Announcing request for candidate algorithm nominations for a new cryptographic hash algorithm (SHA-3) family,” http://csrc.nist.gov/groups/ST/hash/documents/, November 2007.

[36] R. Rivest, “The MD5 message-digest algorithm,” Request for Comments,no. 1321, April 1992. ftp://ftp.rfc-editor.org/in-notes/rfc1321.txt.

[37] http://www.semico.com.

[38] A. Shamir, “SQUASH - A New MAC with Provable Security Properties for Highly Constrained Devices Such as RFID Tags,” Fast Software Encryption, FSE 2008, Lecture Notes in Computer Science, vol. 5086, pp. 144–157, 2008.

[39] W. Simpson, “PPP Challenge Handshake Authentication Protocol (CHAP),” Request for Comments, no. 1994, 1996. http://www.ietf.org/rfc/rfc1994.txt

[40] M. L. Songini, “Passive RFID tag market to hit $486M in 2013,” InfoWorld, http://www.infoworld.com/t/networking/passive-rfid-tag-market-hit-486m-in-2013-102.

[41] S. Tillich, M. Feldhofer, W. Issovits, T. Kern, H. Kureck, M. Muhlberghuber, G. Neubauer, A. Reiter, A. Kofler, and M. Mayrhofer, “Compact hardware implementations of the SHA-3 candidates ARIRANG, BLAKE, Grøstl, and Skein,” eprint archive: http://eprint.iacr.org/2009/349.pdf.

[42] G. Tsudik, “Message authentication with one-way hash functions,” ACM Computer Communications Review, Vol. 22, No. 5, 1992, pp. 29–38.


[43] H. Yoshida, D. Watanabe, K. Okeya, J. Kitahara, H. Wu, Ö. Küçük, and B. Preneel, “MAME: a compression function with reduced hardware requirements,” Cryptographic Hardware and Embedded Systems CHES 2009, LNCS, vol. 4727, pp. 148–165, 2007.

[44] X. Wang, X. Lai, D. Feng, H. Chen, and X. Yu, “Cryptanalysis of the hash functions MD4 and RIPEMD,” Advances in Cryptology - EUROCRYPT 2005, LNCS, vol. 3494, pp. 1–18, 2005.

[45] X. Wang, Y. L. Yin, and H. Yu, “Finding collisions in the full SHA-1,” Advances in Cryptology - CRYPTO 2005, LNCS, vol. 3621, pp. 17–36, 2005.

[46] Wikipedia, “Microprocessor”, ch. Market statistics, http://en.wikipedia.org/wiki/Microprocessor.

[47] H. Wu, “The Hash Function JH”. http://www3.ntu.edu.sg/home/wuhj/research/jh/

[48] Y. Zheng, T. Matsumoto, and H. Imai, “On the construction of block ciphers provably secure and not relying on any unproved hypotheses,” Advances in Cryptology - CRYPTO ’89, LNCS, vol. 435, pp. 461–480, 1990.

8 Appendix

8.1 Lesamnta-LW Example

The 32-bit round constants $C^{(r)}$ are

a432337f 945e1f8f 92539a11 24b90062

6971c64c d6e3f449 2c2f0da9 33769295

eb506df2 708cebfe b83ab7bf 97df0f17

9223b802 7fa29140 0ff45228 01fe8a45

ed016ee8 1da02ddd ee8aba1b 46c4c223

53cd0d24 d1b46d24 c1fb4124 c3f2a4a4

c3b39814 c3bbbf82 759191b0 0eb23236

b7fd6c86 a0d48750 141a90ea 6f65b45d

e0d2092b 470fd445 e5df4528 1cbbe8a5

eea9c2b4 c618f4d6 aee8345a 783be0cb

5412e979 3c712e0f 87567c21 2619bca4

df0efb14 c02c13e2 75e3643c d571a007

9a766de0 134ecdbc d9a41537 9becdb46

a556b1a8 14aad635 efabe566 abde566c

ceb6064d f4e87f69 286e7ccd e8337039

2bf51d27 85a6fa44 cb7913c8 196f2279


For Lesamnta-LW, the initial hash value $H^{(0)}$ is

$$H^{(0)}_0 \| H^{(0)}_1 \| H^{(0)}_2 \| H^{(0)}_3 \| H^{(0)}_4 \| H^{(0)}_5 \| H^{(0)}_6 \| H^{(0)}_7 ,$$

where each $H^{(0)}_i$ is the 32-bit word 00000256 in hex.

Let the message $M$ be the 24-bit ($l = 24$) ASCII string “abc”, which is equivalent to the following binary string: 01100001 01100010 01100011. Then the resulting 256-bit message digest is

2558c1d3 7f9f307b e3cddad4 a23c8654

518f6079 7eb491e7 3758727d fc83de65 .

8.2 Proof of Lemma 3

Let $\mathcal{B} = \{0,1\}^{n/2}$. Let $\mathcal{B}^{\le i} = \bigcup_{d=0}^{i} \mathcal{B}^d$. Let $M_{[1,l]} = M_1 \| M_2 \| \cdots \| M_l$ for $1 \le l \le \ell$. For $i \in \{0, 1, \ldots, \ell\}$ ($\ell \ge 1$), let $I_i : \mathcal{B}^{\le \ell} \to \mathcal{B}$ be a random function such that $I_i(M_{[1,l]})$ equals

$$\begin{cases} \alpha_1(M_{[1,l]}) & \text{if } l \le i, \\ \text{kiv-LWE}\big(\alpha_0(M_{[1,i]}) \| \alpha_1(M_{[1,i]}),\, M_{[i+1,l]}\big) & \text{otherwise}, \end{cases}$$

where $\alpha_0$ and $\alpha_1$ are random functions uniformly distributed over $\mathcal{F}(\mathcal{B}^i, \mathcal{B})$ and $\mathcal{F}(\mathcal{B}^{\le i}, \mathcal{B})$, respectively. Notice that $\alpha_0$ and $\alpha_1$ are just random elements from $\mathcal{B}$ if $i = 0$. Let $P_i = \Pr[A^{I_i} = 1]$. Then,

$$\mathrm{Adv}^{\mathrm{prf}}_{\text{kiv-LWE}}(A) = \left| P_0 - P_\ell \right| .$$

Let us consider the following prf-adversary $B$ with $q$ oracles $u_1, \ldots, u_q$ using $A$ as a subroutine.

$B$ first selects $i$ from $\{1, \ldots, \ell\}$ uniformly at random. Then, $B$ runs $A$. $B$ simulates a random function $\beta$ uniformly distributed over $\mathcal{F}(\mathcal{B}^{\le i-1}, \mathcal{B})$ via lazy sampling. When $B$ receives the $k$-th query $M^{(k)} = M^{(k)}_{[1,l]}$ of $A$, $B$ returns

$$\begin{cases} \beta(M^{(k)}_{[1,l]}) & \text{if } l \le i-1, \\ \omega\big(u_{\mathrm{idx}(k)}(M^{(k)}_i \| \beta(M^{(k)}_{[1,i-1]}))\big) & \text{if } l = i, \\ \text{kiv-LWE}\big(\upsilon(M^{(k)}_{[1,i]}),\, M^{(k)}_{[i+1,l]}\big) & \text{if } l \ge i+1, \end{cases}$$

where $\omega$ is a function which outputs the second half of its input, and $\upsilon(M^{(k)}_{[1,i]}) = u_{\mathrm{idx}(k)}(M^{(k)}_i \| \beta(M^{(k)}_{[1,i-1]}))$. $\mathrm{idx}(k)$ is a unique integer in $\{1, \ldots, q\}$. If there is a previous query $M^{(p)}$ ($p < k$) such that $M^{(p)}_{[1,i-1]} = M^{(k)}_{[1,i-1]}$, then $\mathrm{idx}(k) = \mathrm{idx}(p)$. Otherwise, $\mathrm{idx}(k) = k$.


Now, suppose that $B$ has oracle access to $E_{K_1}, E_{K_2}, \ldots, E_{K_q}$, where the $K_j$'s are independent random variables uniformly distributed over $\mathcal{B}$. Then, in response to $M^{(k)}_{[1,l]}$, $B$ returns

$$\begin{cases} \beta(M^{(k)}_{[1,l]}) & \text{if } l \le i-1, \\ \text{kiv-LWE}\big(K_{\mathrm{idx}(k)} \| \beta(M^{(k)}_{[1,i-1]}),\, M^{(k)}_{[i,l]}\big) & \text{if } l \ge i. \end{cases}$$

Since $K_{\mathrm{idx}(k)}$ can be regarded as a random function of $M^{(k)}_{[1,i-1]}$, we can say that $A$ has oracle access to $I_{i-1}$. Therefore,

$$\Pr[B^{E_{K_1},\ldots,E_{K_q}} = 1] = \frac{1}{\ell} \sum_{i=1}^{\ell} P_{i-1} .$$

Next, suppose that $B$ has oracle access to $\rho_1, \ldots, \rho_q$, where the $\rho_j$'s are independent random functions uniformly distributed over $\mathcal{F}(\mathcal{B}^2, \mathcal{B}^2)$. Since the first half and the second half of $\rho_{\mathrm{idx}(k)}(M^{(k)}_i \| \beta(M^{(k)}_{[1,i-1]}))$ are independent random functions of $M^{(k)}_{[1,i]}$, we can say that $A$ has oracle access to $I_i$. Therefore,

$$\Pr[B^{\rho_1,\ldots,\rho_q} = 1] = \frac{1}{\ell} \sum_{i=1}^{\ell} P_i .$$

From the discussions above,

$$\mathrm{Adv}^{q\text{-}\mathrm{prf}}_E(B) = \left| \Pr[B^{E_{K_1},\ldots,E_{K_q}} = 1] - \Pr[B^{\rho_1,\ldots,\rho_q} = 1] \right| = \frac{1}{\ell}\, \mathrm{Adv}^{\mathrm{prf}}_{\text{kiv-LWE}}(A) .$$

$B$ makes at most $q$ queries and runs in time at most $t + O(\ell q T_E)$.

8.3 Proof of Lemma 4

Let $\mathcal{B} = \{0,1\}^{n/2}$. Let $K_1, \ldots, K_m$ be independent random variables uniformly distributed over $\mathcal{B}$. Let $\rho_1, \ldots, \rho_m$ be independent random functions uniformly distributed over $\mathcal{F}(\mathcal{B}^2, \mathcal{B}^2)$. Let $\pi_1, \ldots, \pi_m$ be independent random permutations uniformly distributed over $\mathcal{P}(\mathcal{B}^2)$. Then,

$$\begin{aligned}
\mathrm{Adv}^{m\text{-}\mathrm{prf}}_E(A) &= \left| \Pr[A^{E_{K_1},\ldots,E_{K_m}} = 1] - \Pr[A^{\rho_1,\ldots,\rho_m} = 1] \right| \\
&\le \left| \Pr[A^{E_{K_1},\ldots,E_{K_m}} = 1] - \Pr[A^{\pi_1,\ldots,\pi_m} = 1] \right| + \left| \Pr[A^{\pi_1,\ldots,\pi_m} = 1] - \Pr[A^{\rho_1,\ldots,\rho_m} = 1] \right| .
\end{aligned}$$

For $0 \le i \le m$, let $\mathcal{O}_i$ be the $m$ oracles $E_{K_1}, \ldots, E_{K_i}, \pi_{i+1}, \ldots, \pi_m$.


A prp-adversary $B$ is constructed using $A$ as a subroutine. $B$ has an oracle $u$, which is either $E_K$ or $\pi$, where $K$ is a random variable uniformly distributed over $\mathcal{B}$ and $\pi$ is a random permutation uniformly distributed over $\mathcal{P}(\mathcal{B}^2)$. $B$ first selects $i$ uniformly at random from $\{1, 2, \ldots, m\}$. Then, $B$ runs $A$ with oracles $E_{K_1}, \ldots, E_{K_{i-1}}, u, \pi_{i+1}, \ldots, \pi_m$, and outputs $A$'s output. Then,

$$\mathrm{Adv}^{\mathrm{prp}}_E(B) = \left| \Pr[B^{E_K} = 1] - \Pr[B^{\pi} = 1] \right| = \frac{1}{m} \left| \Pr[A^{\mathcal{O}_m} = 1] - \Pr[A^{\mathcal{O}_0} = 1] \right| .$$

$B$ makes at most $q$ queries and runs in time at most $t + O(q T_E)$. It is possible to distinguish $\pi_1, \ldots, \pi_m$ and $\rho_1, \ldots, \rho_m$ only by the fact that there may be a collision for the $\rho_i$'s. Thus, since $A$ makes at most $q$ queries,

$$\left| \Pr[A^{\pi_1,\ldots,\pi_m} = 1] - \Pr[A^{\rho_1,\ldots,\rho_m} = 1] \right| \le \frac{q(q-1)}{2^{2n+1}} .$$

Trademarks

• Renesas® and H8® are registered trademarks of Renesas Technology Corporation.

• Intel® is a registered trademark of Intel Corporation in the United States and/or other countries.

• Intel® Core™ i5 is a trademark of Intel Corporation in the U.S. and/or other countries.

• Lesamnta is a registered trademark of Hitachi, Ltd. in Japan.


Curriculum Vitae

Hirotaka Yoshida was born on 19th June, 1974 in Chiba, Japan. He received the B.S. degree from Meiji University (Japan) in 1999 and the M.S. degree from Tokyo Institute of Technology (Japan) in 2001. In 2001, he joined the department of information security at the Systems Development Laboratory of Hitachi, Ltd. (Japan). From November 2003 to December 2004, he visited the research group COSIC (COmputer Security and Industrial Cryptography) at the Department of Electrical Engineering (ESAT) of the KU Leuven in Belgium. Since 2006, he has been a Japanese expert in working group ISO/IEC JTC1/SC27/WG2 (Security Techniques and Mechanisms), where he has been editor of the international standards ISO/IEC 10118-2 and 29192-3. In January 2009, he joined the research group COSIC at the Department of Electrical Engineering (ESAT) of the KU Leuven. He is a member of the IACR (International Association for Cryptologic Research).


Arenberg Doctoral School of Science, Engineering & Technology

Faculty of Engineering Science

Department of Electrical Engineering (ESAT)

COmputer Security and Industrial Cryptography (COSIC)

Kasteelpark Arenberg 10

B-3001 Heverlee