An AES Based 256-Bit Hash Function for Lightweight Applications: Lesamnta-LW∗

IEICE TRANS. FUNDAMENTALS, VOL.E95–A, NO.1 JANUARY 2012 89

PAPER Special Section on Cryptography and Information Security An AES Based 256-bit Hash Function for Lightweight Applications: Lesamnta-LW∗

Shoichi HIROSE†, Kota IDEGUCHI††, Hidenori KUWAKADO†††, Members,ToruOWADA††, Bart PRENEEL††††, Nonmembers, and Hirotaka YOSHIDA††,††††a), Member

SUMMARY This paper proposes a new lightweight 256-bit hash func- these cryptographic components. Lightweight ciphers such tion Lesamnta-LW. The security of Lesamnta-LW is reduced to that of as PRESENT [9] and KATAN [12] have been proposed. the underlying AES-based block cipher and it is theoretically analyzed On the other hand, it is pointed out [18] that in RFID se- for an important application, namely the key-prefix mode. While most of recently proposed lightweight primitives are hardware-oriented with very curity community, it is commonly assumed that hash func- small footprints, our main target with Lesamnta-LW is to achieve compact tions are the better choice than block ciphers from an imple- and fast hashing for lightweight application on a wider variety of environ- mentation perspective, even though RFID tags supporting 120 ments ranging from inexpensive devices to high-end severs at the 2 se- AES are already available [17]. In this sense, lightweight curity level. As for performance, our primary target CPUs are 8-bit and it is shown that, for short message hashing, Lesamnta-LW offers better tradeoffs hash functions such as H-PRESENT [10], MAME [43], between speed and cost on an 8-bit CPU than SHA-256. SQUASH [38] and QUARK [2] hold promise for implemen- key words: hash functions, lightweight cryptography, security reduction tation. However, these hash functions mentioned above are proofs hardware-oriented with very small footprints. Hardware- oriented schemes do not necessarily provide good perfor- 1. Introduction mance on 8-bit CPUs. We also notice that there are not large RAM/ROM available on small portable electronic devices. Systems and solutions using small portable electronic de- This paper proposes a 256-bit hash function, Lesamnta- vices employing low-cost 8-bit CPUs have gained increas- LW, that provides good performance on memory-constrained ing attention from both companies and end users. About devices employing 8-bit CPUs. Its domain extension is the 55% of all CPUs sold in the world are 8-bit microcon- strengthened Merkle-Damgård construction and its underly- trollers and microprocessors and over 4 billion 8-bit con- ing component is an AES-based block cipher taking a 256- trollers were sold in 2006 [37], [46]. These devices include bit plaintext and a 128-bit key. As for choice of algorithms, low-end smart cards and RFID (Radio frequency identifica- block cipher technology appears to be more mature than tion) tags. Based on the report in [40] stating that the pas- hash function technology due to the AES competition or- sive RFID tag market is expected to hit $486M in 2013, it ganized by NIST. Note that Lesamnta-LW is a lightweight is expected that, in the near future, we will see a wide va- variant of Lesamnta [22] that was submitted to the SHA-3 riety of applications for mobile phones and wireless sensor competition. The design goals of Lesamnta-LW are summa- networks, etc. rized below. Security and privacy in such devices have recently opened up an active research area called lightweight cryp- 1. Compact and fast, optimized for lightweight applica- tography. The main challenge in this area is to design cryp- tions on a wider variety of environments ranging from tographic primitives or protocols that meet the system re- cheap devices to high-end severs: quirements which are often very severe in the sense that Our primary target CPUs are 8-bit and it is shown ff the available resources are quite limited for implementing that, for short message hashing, Lesamnta-LW o ers better tradeoffs between speed and cost on an 8-bit Manuscript received March 31, 2011. CPU than SHA-256. Our software implementation Manuscript revised July 1, 2011. † of Lesamnta-LW requires only 50 bytes of RAM. On The author is with the Graduate School of Engineering, Uni- high-end processors where AES instruction set can be versity of Fukui, Fukui-shi, 910-8507 Japan. †† utilized, Lesamnta-LW is reasonably fast. The authors are with Systems Development Laboratory, Hi- tachi, Ltd. Yokohama-shi, 244-0817 Japan. A provably secure key-prefix (KP) mode (required †††The author is with the Graduate School of Engineering, Kobe in PPP Challenge Handshake Authentication Protocol University, Kobe-shi, 657-8501 Japan. [39]) of Lesamnta-LW gains significant advantage over ††††The authors are with Katholieke Universiteit Leuven, Dept. the standard method HMAC-SHA-256. ESAT/SCD-COSIC, Kasteelpark Arenberg 10, B-3001 Heverlee, 2. 2120 security level achieved with a high security mar- Belgium. ∗ gin: An earlier version of this paper is appeared in the pre- proceedings of the ICISC 2010 conference. The compression function is a new mode of a block ci- a) E-mail: [email protected] pher, called the LW1 mode, which enables us to provide DOI: 10.1587/transfun.E95.A.89 proofs reducing the security of Lesamnta-LW to that of

Copyright c 2012 The Institute of Electronics, Information and Communication Engineers IEICE TRANS. FUNDAMENTALS, VOL.E95–A, NO.1 JANUARY 2012 90

the underlying block cipher. The block cipher is based also listed below. First, from the viewpoint of attacks on on AES in order to gain confidence in its security. a block cipher, recent collision attacks use the fact that an attacker can directly control the key of a block cipher. In For the security levels, an ideal 256-bit hash function would 256 contrast, the LW1 mode does not allow attackers to control provide the 2 security level against preimage attacks. the key of the block cipher directly. Second, the LW1 mode 120 ffi However, the 2 security level is su cient for most ap- is theoretically analyzed. It enables us to reduce the security plications, especially on small devices. We give preference of Lesamnta-LW to that of the underlying block cipher to to cost over preimage resistance in the design of Lesamnta- ff a greater extent than the popular Davies-Meyer mode [30] LW. (There is always a tradeo between security and cost. used by the SHA family. The security and the cost do not go together generally.) The outline of this paper is as follows. In Sect. 2, we 2.3 Block Cipher explain our design strategy. In Sect. 3, we give the specification of the Lesamnta-LW hash function. In Sect. 4, we dis- The block cipher is designed to meet the following require- cuss the security reduction of Lesamnta-LW. In Sect. 5, we ments: evaluate the security of Lesamnta-LW against all relevant attacks. Section 6 presents implementation results. Section 7 • The security analysis should be simple to have confi- concludes the paper. dence in the design. • It should be compact in software/hardware. 2. Design Principle • It should offer a reasonable speed on high-end/low-end CPUs. While recent symmetric-key primitive proposals provide a For this purpose, the block cipher is an AES-based de- relatively low security levels such as 64-bit and 80-bit levels, sign such that Lesamnta-LW can gain clear advantages over we argue that there is an increasing demand for lightweight known block-cipher based designs such as SHA-256 and hash functions providing a high security level. A reason- MAME. The key scheduling function ensures a strong non- able application would be code signing for small but highly linearity and an excellent diffusion property by re-using the sensitive devices which can be targeted at medical applica- 32-bit permutation of the mixing function; this reduces the tions or car electronics. Our main design goal to satisfy hardware complexity since a part of the hardware can be these application requirements is to develop a secure 256- reused. The round constants sequentially generated from / bit hash function which achieves small hardware software a linear feedback shift register introduce randomness and implementations. More specifically, the most important as- asymmetry into the key scheduling function. pects are to have security reductions, to have a small hardware footprint, and to have a low working memory (RAM) 3. Specification requirement for software. Our next target is to achieve fairly fast speed when taking into account the context, including 3.1 Message Padding the length of the input message and the modes of operation. This is because the required efficiency could include good The first step of the hash computation is the padding of the performance for very short messages such as IDs or for the message. The purpose of the padding is to ensure that the pseudorandom function derived from the hash function with input consists of a multiple of 128 bits. Suppose that the constructions such as HMAC or Key-Prefix (KP) mode as length of a message M is l bits. Append the bit “1” to the discussed in this paper. A speedup can be obtained with the end of the message, followed by k + 63 zero bits, where KP mode, compared to the standard solution HMAC with k is the smallest non-negative integer such that l + k ≡ 0 SHA-256. (mod 128). Then, append a 64-bit block equal to the number l as expressed in binary representation. Thus, the maximum 2.1 Padding Method length of the message is 264 − 1.

For the padding method of Lesamnta-LW, the last block 3.2 Compression Function and Domain Extension does not contain any part of the message input. It only contains the length of the message input. This property is re- Lesamnta-LW is a Merkle-Damgård iterated hash function quired to guarantee preimage resistance of Lesamnta-LW. [15], [31] using the following compression function on 128- (i−1) (i−1) (i) bit words H0 , H1 ,andM : 2.2 LW1 Mode (i−1) (i) (i) (i−1) h(H , M ) = E (i−1) (M H ), H0 1 Sophisticated designs and attacks on block ciphers were pre- (i−1) = (i−1) (i−1) sented in the AES competition. Knowledge on block ci- where H H0 H1 and EK is a 256-bit block cipher phers is useful in designing secure hash functions. This is with a 128-bit key K. We call this method to construct a why Lesamnta-LW is designed as a block-cipher-based hash compression function the LW1 mode. For a padded message function. A few reasons for choosing the LW1 mode are input M = M(1)···M(N), Lesamnta-LW works as follows: HIROSE et al.: AN AES BASED 256-BIT HASH FUNCTION FOR LIGHTWEIGHT APPLICATIONS: LESAMNTA-LW 91

ConstantGenerator(word C[64]) begin word c; c = ffffffff; /*in hexadecimal*/ fori=0to(64*3)-1 Fig. 1 The structure of Lesamnta-LW. /* Galois LFSR */ if c & 00000001 == 00000001 c = (c >> 1) ˆ dbcdcc80; else c=c>>1; end if if i mod 3 == 0 C[i/3] = c; end if end for end

Fig. 2 The round function. Fig. 3 The algorithm for generating the round constants.

(i) (i−1) (i) (0) H = h(H , M )for1≤ i ≤ N,whereH is a fixed independently on each byte by using the AES S-box. It pro- (N) initial value and H is the output. It is illustrated in Fig. 1. ceeds as follows: This structure is referred to as LWE(H(0), M) later in Sect. 4. = ≤ si S-box(si)for0 i < 4. 3.3 Block Cipher The MixColumns step is a bytewise operation that takes Lesamnta-LW uses a 64-round block cipher E that takes as 4 bytes s0, s1, s2, s3 as input. The MixColumns step is given 8 input a 128-bit key and a 256-bit plaintext. The block cipher by the AES MDS matrix multiplication defined over GF(2 ) consists of two parts: the key scheduling function mapping as follows: ⎡ ⎤ ⎡ ⎤ ⎡ ⎤ the key to the round keys and the mixing function taking as ⎢ s ⎥ ⎢ 02 03 01 01 ⎥ ⎢ s ⎥ ⎢ 0 ⎥ ⎢ ⎥ ⎢ 0 ⎥ input a plaintext and the round keys to produce a ciphertext. ⎢ ⎥ ⎢ 01 02 03 01 ⎥ ⎢ ⎥ ⎢ s1 ⎥ = ⎢ ⎥ ⎢ s1 ⎥ Both of them use a type-1 4-branch generalized Feistel net- ⎢ ⎥ ⎢ ⎥ ⎢ ⎥ . ⎣⎢ s2 ⎦⎥ ⎣⎢ 01 01 02 03 ⎦⎥ ⎣⎢ s2 ⎦⎥ work (GFN) (cf. Zheng et al. [48]). One round of the block s3 03 01 01 02 s3 cipher is illustrated in Fig. 2. The input variables to round r = for the mixing function and the key scheduling function are For a 64-bit input s s0 s1 s2 s3 s4 s5 s6 s7, (r) (r) (r) (r) (r) (r) (r) (r) the function R(s) is defined as follows: R(s) = s4 s5 s2 denoted by (x0 , x1 , x2 , x3 )and(k0 , k1 , k2 , k3 ) respec- (r) (r) s3 s0 s1 s6 s7. tively. Each xi is a 64-bit word and each ki is a 32-bit word. One round of the key scheduling function consists of The mixing function consists of XORs, a wordwise the following two steps: r K(r) = k(r) . permutation, and a non-linear function G. Taking as input Firstly, it generates the -th round-key 0 a 32-bit round key K(r), the mixing function updates its in- Secondly, it updates the intermediate state in the fol- termediate state in the following manner: lowing manner: (r+1) (r) r (r) (r+1) (r) (r+1) = (r) ⊕ (r) (r) (r+1) = (r) k = k ⊕ Q(C( ) ⊕ k ), k = k , x0 x3 G(x2 , K ), x1 x0 , 0 3 2 1 0 (r+1) (r) (r+1) (r) (r+1) = (r) (r+1) = (r) k = k , k = k , x2 x1 , x3 x2 . 2 1 3 2 The function G consists of XOR operations, a 32-bit where the 32-bit round constants C(r) are generated using non-linear permutation Q, and a function R. For a 64-bit the algorithm presented in Fig. 3. The algorithm is based (r) (r) input y = y0 y1 and a 32-bit round key K , G(y, K )is on the linear feedback shift register (LFSR) of the following defined as follows: primitive polynomial: (r) (r) = 32 + 31 + 29 + 28 + 26 + 25 + 24 G(y, K ) = R(Q(y0 ⊕ K ) Q(y1)). g(x) x x x x x x x + x23 + x20 + x19 + x17 + x16 + x15 + x12 Using the AES components [14], the function Q is de- + 11 + 8 + fined as follows: x x 1. Q = MixColumns ◦ SubBytes. 4. Security Reduction The SubBytes transformation is a non-linear byte sub- stitution that takes 4 bytes s0, s1, s2, s3 as input and operates In this section, it is assumed that E is a block cipher with key IEICE TRANS. FUNDAMENTALS, VOL.E95–A, NO.1 JANUARY 2012 92

length n/2 and block length n for even n.ForLesamnta-LW, i−1}∪{k jx j | 1 ≤ j ≤ i−1}∪{IV}.Ifti = d, then there must n = 256. be an event such that kixi ∈{y jz j | 1 ≤ j ≤ i − 1}∪{IV}. For the case where ti = d and kixi ∈{y jz j | 1 ≤ j ≤ 4.1 Collision Resistance i − 1}, let us look into the new path in Gi mentioned above. (t j ,M j ) (t j ,M j ) (t j − ,M j − ) (t j ,M j ) Let IV −→1 1 v −→2 2 ··· l −→1 l 1 v −→l l v be the The collision resistance of LWE can be proved in the ideal j1 jl−1 jl prefix of the path, where v = k x ,(t , M ) = (d,w)and cipher model using the technique by Black et al. in [8]. jl−1 i i jl jl i v = y z . We start from v and go back toward IV until Let BC(κ, ν) be the set of all block ciphers with key size jl i i jl we first find an edge (e, M ) or reach the node IV without κ and block size ν.LetHE be a hash function using a block jk finding such an edge. Suppose that we reach IV. Then, it cipher E.LetA be an adversary trying to find a collision for = = E E col implies that there is an event such that ti d and ki xi H . The col-advantage of A against H ,Adv (A), is given HE IV for some i such that 1 ≤ i < i. On the other hand, by suppose that we find an edge (e, M ). Then, it implies that jk there is an event such that t = e and y z ∈{k x | 1 ≤ Pr AE = (M, M ) ∧ M M ∧ HE(M) = HE(M ) , i i i j j j < i } for some i such that 1 < i < i, or an event such that

BC ti = d and ki xi ∈{y jz j | 1 ≤ j < i ∧ t j = e} for some i where E is chosen uniformly at random from (κ, ν). The following theorem gives an upper bound on the such that 1 < i ≤ i. probability of finding a collision of LWE in the ideal cipher From the discussions above, if A finds a collision with model. It implies that Lesamnta-LW has a claimed security at most q queries, then it implies that there must be at least levelofatleast2120 block-cipher operations against colli- one of the following events for some i such that 1 ≤ i ≤ q: sion attacks. Ai ti = e and yizi = IV, = ∈{ | ≤ ≤ − }∪{ | ≤ ≤ Theorem 1: For any collision-finding adversary A against Bi ti e and yi zi y j z j 1 j i 1 k j x j 1 j − } LW E asking at most q queries to E, i 1 , Ci ti = d and kixi = IV, (γ(n) + 3)q D t = d and k x ∈{y z | 1 ≤ j < i ∧ t = e}. Advcol (A) ≤ i i i i j j j LW E n/2 − 2 1 It is easy to see that in the ideal cipher model, where γ(n) = (e/2)n/(log n − 2 Pr[A ] ≤ 1/(2n − (i − 1)), log log e − 1). i 2 2 n Pr[Bi] ≤ 2(i − 1)/(2 − (i − 1)), The following lemma is used for the analysis of multi- ≤ n/2 n − − collision, which should be taken into consideration to eval- Pr[Ci] 2 /(2 (i 1)). uate the success probability of meet-in-the-middle attacks. For Di, the probability of multicollision on y j should be Lemma 1 (Theorem 3.1 in [32]): Suppose that there are t taken into consideration. From Lemma 1, for 1 ≤ q ≤ 2n, balls and t bins and that each ball is placed in a bin chosen Pr[D ] ≤ γ(n)2n/2/(2n − (i − 1)) + 1/2n/2. independently and uniformly at random. Then, with proba- i − bility at least 1 1/t, no bin has more than e ln t/ ln ln t balls Precisely speaking, the distribution of y jz j is not uniform in it. on {0, 1}n since E is a keyed permutation. However, since Pr[y j ∈{y1,...,yj−1}] ≤ Pr[y j {y1,...,yj−1}], the proba- Proof of Theorem 1: For 1 ≤ i ≤ q,let(ti, ki,wixi,yizi)be bility of multicollision is smaller in this case. a tuple such that E(ki,wixi) = yizi and ti ∈{e, d} obtained Thus, for 1 ≤ q ≤ 2n, by the i-th query. ti represents the type of the i-th query: encryption (e) or decryption (d). Let G1, G2,...,Gq be a q sequence of directed graphs such that G = (V , L ), where Advcol (A) ≤ (Pr[A ] + Pr[B ] + Pr[C ] + Pr[D ]) i i i kp-LWE i i i i i=1 • V1 = {k1x1,y1z1}, L1 = {(k1x1,y1z1)},and ≤ (γ(n) + 3)q/(2n/2 − 1). • Vi = Vi−1 ∪{kixi,yizi}, Li = Li−1 ∪{(kixi,yizi)} for ≤ ≤ 2 i q. The upper bound exceeds 1 for q > 2n/2. Each edge (kixi,yizi) is labeled by (ti,wi). Notice that yizi = h(kixi,wi), where h is the compression funcuion 4.2 (Second-)Preimage Resistance of LWE. E Suppose that the adversary A finds a collision of LWE The preimage resistance of LW can also be proved in with the i-th query for the first time. Then, there must be a the ideal cipher model using the same technique. It is at path in Gi from the initial value IV to some colliding output, the same level as its collision resistance. It implies that which does not exist in G1,...,Gi−1. This path also contains Lesamnta-LW also has a claimed security level of at least 120 the nodes kixi and yizi, and the edge (ti,wi). 2 block-cipher operations against (second-)preimage at- If ti = e,thatis,thei-th query is an encryption query, tacks. Lesamnta-LW cannot provide security larger than 128 then there must be an event such that yizi ∈{y jz j | 1 ≤ j ≤ 2 since its compression function is invertible. HIROSE et al.: AN AES BASED 256-BIT HASH FUNCTION FOR LIGHTWEIGHT APPLICATIONS: LESAMNTA-LW 93

most q queries. Then, there exists a prp-adversary B against 4.3 Keyed Hashing Mode E such that q(q − 1) 4.3.1 Keyed-via-IV (KIV) Mode Advm-prf(A) ≤ m · Advprp(B) + . E E 22n+1 The KIV mode is a method to construct a PRF from a given B makes at most q queries and runs in time at most t + hash function. It simply replaces the initial value IV with a O(qTE), where TE represents the time required to compute secret key. E. The KIV mode of Lesamnta-LW with the first half ff of the output chopped o resists any distinguishing attack 4.3.2 Key-Prefix (KP) Mode that requires much fewer than 2128 queries if the underlying block cipher is a pseudorandom permutation (PRP). The KP mode is a method to construct a PRF from a given F X Y X Y Let ( , ) be a set of all functions from to .Let hash function [42]. It simply feeds KM to the hash func- K×X→Y X Y F : be a keyed function from to ,where tion as an input, where K is a secret key and M is a given K is its key space. Let A be an adversary which has oracle message. This mode uses a hash function as a black box. In access to functions from X to Y and outputs 0 or 1. The m-prf this sense, it is similar to HMAC [34]. prf-advantage of A against F,AdvF (A), is given by The KP mode of Lesamnta-LW with the first half of the ff F ,...,F ρ ,...,ρ output chopped o resists any distinguishing attack that re- Pr[A K1 Km = 1] − Pr[A 1 m = 1] , quires much fewer than 2128 queries if the underlying block where K j’s and ρ j’s are chosen uniformly and independently cipher is a pseudorandom permutation (PRP) and it also has at random from K and F (X, Y), respectively. Adv1-prf(A)is a mild security property given later. F Let h be the compression function of LWE and B = simply denoted by Advprf(A). F is called a PRF if Advprf(A) F F {0, 1}n/2.LetGE : B×B → B2 be a keyed function such ffi 1 is negligible for any e cient A. that GE(K, M) = h(h(IV, K), M), where K ∈Band M ∈ P X X 1 Let ( ) be a set of all permutations on .IfF is B.LetGE : B2 ×B → B2 be a keyed function such that X 2 a keyed permutation on and A has oracle access to per- GE(K , M) = h(K , M), where K ∈B2 and M ∈B. mutations in P(X), then the advantage of A is called prp- 2 In the remaining part, the KP mode of LWE with the advantage and denoted by Advm-prp(A). F first half of the output chopped off is denoted by kp-LWE. In the remaining part, the KIV mode of LWE with the E first half of the output chopped off is denoted by kiv-LWE. Theorem 3: Let A be a prf-adversary against kp-LW . E Suppose that A runs in time at most t, and makes at most Theorem 2: Let A be a prf-adversary against kiv-LW . q queries, and each query has at most message blocks. Suppose that A runs in time at most t, and makes at most Then, there exist an adversary B against GE such that q queries, and each query has at most message blocks. 1 Then, there exists a prp-adversary B against E such that prf prf GE Adv (A) ≤ Adv (A) + Adv 2 (B), kp-LWE kiv-LWE GE q(q − 1) 1 prf A ≤ q · prp B + Adv E ( ) AdvE ( ) 2n+1 . where kiv-LW 2 GE E · E · + 2 = G1 (K, ) = − G2 (K , ) = B makes at most q queries and runs in time at most t Adv E (B) Pr[B 1] Pr[B 1] G1 O(qTE), where TE represents the time required to compute E. and K and K are random variables uniformly distributed over B and B2, respectively. B makes at most q queries and Theorem 2 follows from Lemmas 2 and 3 shown be- + low. Proofs are given in Appendix B and Appendix C, re- runs in time at most t O(qTE), where TE represents the spectively. time required to compute E. Proof : Let ρ be a random function uniformly distributed Lemma 2: Let A be a prf-adversary against kiv-LWE. Sup- over F (B≤, B), where B≤ = Bi.LetK and K be pose that A runs in time at most t, and makes at most q i=0 B B2 queries, and each query has at most message blocks. Then, random variables uniformly distributed over and ,re- there exists a prf-adversary B against E with access to q or- spectively. Then, acles such that prf kp-LWE ρ Adv (A) = Pr[A K = 1] − Pr[A = 1] kp-LWE prf q-prf = · E E Adv E (A) AdvE (B). kp-LW kiv-LW kiv-LW ≤ Pr[A K = 1] − Pr[A K = 1]

B makes at most q queries and runs in time at most t + E kiv-LW ρ + Pr[A K = 1] − Pr[A = 1] . O(qTE), where TE represents the time required to compute E. It is easy to see that Lemma 3: Let A be a prf-adversary against E with m or- E kiv-LW ρ prf A t Pr[A K = 1] − Pr[A = 1] = Adv (A). acles. Suppose that runs in time at most ,andmakesat kiv-LWE IEICE TRANS. FUNDAMENTALS, VOL.E95–A, NO.1 JANUARY 2012 94

E Let us consider the following adversary B against G1 . B are expressed by Boolean polynomials of degree at most d, first runs A. For each query M = M1Mtail from A, B the (d+1)-th order differential in polynomial sense of the asks the first block M1 to its oracle and receives the reply Boolean polynomial would be 0. Therefore if the value d H. Then, B returns the second half of H if Mtail is empty is reasonably small, the attack can be mounted. In the case E and LW (H, Mtail) otherwise. Finally, B outputs A’s output. of Lesamnta-LW, we found that every output bit of the S- Then, box can be expressed as a Boolean polynomial of degree

E 7 in terms of input bits. Our experiments confirmed that G GE(K,·) GE (K ,·) Adv 2 (B) = Pr[B 1 = 1] − Pr[B 2 = 1] GE the degree of such polynomials for Lesamnta-LW with 19 1 E E rounds reaches to the required degree 256. Therefore, we kp-LW kiv-LW = Pr[A K = 1] − Pr[A K = 1] . expect that the full Lesamnta-LW is secure against higher order differential attacks. This completes the proof. In the interpolation attack [24], an attacker constructs E E G2 a polynomial expression for a cipher over some field using G2 is a PRF if E is a PRP. Thus, Adv E (B) is negligible / G1 cipher input output pairs and then he aims to determine its ffi E ffi for any e cient B if E is a PRP and G1 is a PRF. key-dependent coe cients. If the number of terms in the polynomial expression is reasonably small, the attack can be 5. Preliminary Analysis mounted. Lesamnta-LW uses the AES S-box which can be expressed as a polynomial of degree 254 over GF(28). Our In our preliminary analysis, we evaluate the security of experiments have confirmed that after the 16th round, each Lesamnta-LW and the underlying block cipher against all byte in the intermediate state of the mixing function depends relevant attacks. In the analysis of the block cipher, the at- on all the 32 variables while this is not the case just after the tacker can have at most 2128 complexity because of the key 15th round. We expect that the number of coefficients grows length (128 bits) of the cipher rather than the plaintext length fast after the 16th round due to the high degree of the S- (256 bits). box and deduce that the full Lesamnta-LW is secure against interpolation attacks. 5.1 Differential and Linear Attacks 5.3 Impossible Differential Attack We examined resistance of the block cipher against differential [6] and linear attacks [29] which are two of the most In the impossible differential Attack [5], an attacker exploits powerful tools in block cipher cryptanalysis. Hereafter, we differences that are impossible at some intermediate state of only explain our method of evaluating the security against the cipher. The best impossible difference we have found is differential cryptanalysis as we can apply a similar method the difference of the form (0, Δ, 0, 0 ) at input → (?,?,?,0) regarding linear cryptanalysis because of its duality to dif- after the 11th rounds. Note that the symbol ? denotes an ar- ferential cryptanalysis [13]. For this purpose, we compute bitrary difference and Δ denotes non-zero difference. How- upper bounds on the probabilities of differential and linear ever, we expect that it is unlikely that impossible differential characteristics. Our method is as follows: attacks can be successful against the full Lesamnta-LW. • Make abstraction of the exact differences used in these 5.4 Related-Key Attacks characteristics and then just consider patterns of active S-boxes. In the related-key setting model, the attacker chooses the re- • Perform experiments with the Viterbi algorithm to lation between the keys, which typically is a difference be- compute lower bounds on the minimum number of the tween the keys. We can show that the maximum differential active S-boxes. These experiments consider the MDS characteristic probabilities for 24 rounds of the key schedul- matrix property whose branch number is 5. ing function are less than 2−128 in the same way we did in With this method, we can observe that the minimum Sect. 5.1. Hence, we expect that it is unlikely that related- number of the active S-boxes for 24 rounds is 24. Therefore key attacks can be successful against Lesamnta-LW because the probabilities of differential characteristics of 24 rounds it is very difficult to find a high probability related-key dif- of Lesamnta-LW are upperbounded by 2−144 because the ferentials. maximum differential probability of the AES S-box is 2−6. As a result, it is very unlikely that differential/linear attacks 5.5 Collision Attacks Using Message Modification can be applied successfully to the full Lesamnta-LW. Wang et al. [44], [45] showed methods for finding collisions 5.2 Higher Order Differential and Interpolation Attack for widely used hash functions such as SHA-1. Their ap- proach is based on the differential cryptanalysis and the mes- In the higher order differential attacks [27], the attacker con- sage modification technique which can be used to reduce the structs Boolean polynomial expressions for a cipher. The attack complexity by exploiting degrees of freedom in the idea of the attack is that if the bits in the intermediate state input message. HIROSE et al.: AN AES BASED 256-BIT HASH FUNCTION FOR LIGHTWEIGHT APPLICATIONS: LESAMNTA-LW 95

For differential collision attacks on Lesamnta-LW, the Table 1 Our ASIC implementation estimates of Lesamnta-LW, MAME, and SHA-256 with known results on other hash functions. The digest size attacker has to use messages of at least two blocks because of SHA-3 candidates is omitted. the message block is shorter than the chaining variable. Us- Algorithm Logic Area Throughput Clock ing multiple block message, he has some control over 384 Process (kGates) (Mbit/s) (MHz) bits of the input to the compression function. However, out BLAKE [41] 0.35 μm 25.57 15.4 31.25 of these 384 bits, the only input bits over which he can have Grφstl[41] 0.35 μm 14.62 145.9 55.87 Skein [41] 0.35 μm 12.89 19.8 80 control in a deterministic way are 128 bits, which corre- SHA-256 [18] 0.35 μm 10.9 22.5 50 spond to the message block input. He can have control over Lesamnta-LW 90 nm 8.24 125.55 188.3 the remaining 256 bits corresponding to the chaining vari- MAME 90 nm 12.95 1164.48 436.68 able input only in a probabilistic way. On the other hand, SHA-256 90 nm 14.6 1766 220.8 we can show that the maximum differential characteristic probabilities for 44 rounds of the mixing function and for / −256 Table 2 Our estimates of RAM ROM requirements on low-cost 8-bit 24 rounds of the key scheduling function are less than 2 CPUs −128 and 2 in the same way we did in Sect. 5.1. Their meth- Algorithm RAM(bytes) ROM(CONST.)(bytes) ods for finding collisions require a differential characteristic BLAKE[1] 96 172 with a large probability and a large degree of freedom in Grøstl[21] 128 288 the message block space. Thus, we expect that it is very un- JH[47] 128 144 likely that differential attacks with message modification are Keccak[4] 200 144 ff Skein[19] 96 46 e ective against Lesamnta-LW. SHA-256[33] 128 288 MAME[43] 64 40 5.6 Attacks on the Lesamnta Compression Function Using Lesamnta-LW 50 768 Self-Duality

Recently, attacks [11] on the compression function of the SHA-3 Round-1 candidate Lesamnta [22] have been re- 6.1 Low-Area ASIC Implementation Results ported. The main idea is to find some structure in round constants. The block cipher of Lesamnta exhibits a correla- We have estimated speed and gate count of a hardware ar- tion between keys, ciphertexts and plaintexts. This correla- chitecture of Lesamnta-LW, MAME, and SHA-256. In Ta- tion is caused by the self-duality of the key schedule and the ble 1, our results are compared to known results on the SHA- mixing function. Using the correlation, the block cipher of 3 final round candidates such as BLAKE-32 [1], Grφstl- Lesamnta is easily distinguished from an ideal cipher, and a 224/256 [21], and Skein [19]. It is clear that Lesamnta-LW pseudo-collision for Lesamnta can be found with less com- achieves a very small implementation and it is substantially plexity than expected. Note that the concept of self-duality smaller than most of them. was given as the property of the AES round function [28]. Since Lesamnta-LW has been designed in such a way 6.2 Software Implementation Results that it does not have the self-duality property, similar attacks are not applicable to Lesamnta-LW. It is easy to destroy the For software, Lesamnta-LW is targeted at RAM requirement self-duality, that is, it is sufficient that the round key looks on an 8-bit CPU employed in smart devices. In low-cost 8- like random. In the case of Lesamnta, since the 32-bit dif- bit CPU applications, hash functions should require limited ference of a 64-bit round constant is periodically constant, it resources, memory and computation time. We argue that the is easy to find a key such that the round key satisfies special most important constraint for hash functions is the limited conditions. In the case of Lesamnta-LW, round constants RAM which could be critical in many cases. are generated with the linear feedback shift register that is based on the primitive polynomial with degree 32. Since 6.2.1 8-bit CPU the primitive polynomial has 17 non-zero coefficients, al- most half of bits of the internal state may be changed by one We have estimated RAM/ROM requirements of SHA-3 operation. In addition, the mixing function of Lesamnta-LW candidates, SHA-256, and Lesamnta-LW. Our results are was designed in such a way that the size of a round key is a shown in Table 2. As for RAM requirement, it is clear that half the size of G. This guarantees that the mixing function Lesamnta-LW achieves a very small implementation that is does not have the self-duality property independent of the substantially smaller than most SHA-3 final round candi- value of a round key. dates. As for ROM requirement, we estimate the size of constants such as initial vectors, lookup tables, and round 6. Implementation Results constants. Lesamnta-LW is larger than the other algorithms shown in Table 2. However, it is typical on 8-bit CPUs that We present software and hardware implementation results the ROM size is large enough for symmetric-key algorithm to show the flexibility of Lesamnta-LW for lightweight ap- implementations. We expect that the ROM requirement of plications. Lesamnta-LW is reasonable. IEICE TRANS. FUNDAMENTALS, VOL.E95–A, NO.1 JANUARY 2012 96

Table 3 Our software implementation estimates on an 8-bit CPU RenesasR H8R . Three type values are shown depending on the implemen- References tation policy, namely ROM-optimized, RAM-optimized, and balanced. Algorithm Bulk Short ROM RAM [1] J.P. Aumasson, L. Henzen, W. Meier, and R.C.-W. Phan, “SHA-3 Speed Message (CONST. (byte) proposal BLAKE,” http://131002.net/blake/ / / + (cycles (cycles CODE) [2] J.P. Aumasson, L. Henzen, W. Meier, and M. Naya-Plasencia, byte) message) (byte) “QUARK: A lightweight hash,” Cryptographic Hardwareand Em- SHA-256 1033.3 66434 32 + 37034 330 bedded Systems CHES 2010, LNCS, vol.6225, pp.1–15, 2010. 1046.9 67308 288 + 5046 330 [3] L. Batina, N. Mentens, K. Sakiyama, B. Preneel, and I. Verbauwhede, 1281.1 82296 288 + 948 330 “Low-cost elliptic curve cryptography for wireless sensor networks,” Lesamnta-LW 1650.9 52828 512 + 20006 50 Security and Privacy in Ad-Hoc and Sensor Networks, ESAS 2006, 1736.5 55568 768 + 1346 50 LNCS, vol.4357, pp.6–17, 2007. 2055.0 65760 768 + 370 54 [4] G. Bertoni, J. Daemen, M. Peeters, and G.V. Assche, “Keccak spec- ifications,” http://keccak.noekeon.org/ [5] E. Biham, A. Biryukov, and A. Shamir, “Cryptanalysis of skipjack Table 4 Our software implementation estimates on the Intel R Core TM reduced to 31 rounds using impossible differentials,” Advances in i5 processor where, for our estimate of the speed of SHA-256, we use Cryptology — EUROCRYPT’99, LNCS, vol.1807, pp.12–23, 1999. the code used in OpenSSH. [6] E. Biham and A. Shamir, Differential Cryptanalysis of the Data En- Algorithm Language cycles/byte cycles/byte cryption Standard, Springer, 1993. (32-bit mode) (64-bit mode) [7] A. Biryukov and D. Wagner, “Advanced slide attacks,” Advances in SHA-256 ANSI C 26.9 30.4 Cryptology — EUROCRYPT 2000, LNCS, vol.1807, pp.589–606, Lesamnta-LW assembly 43.4 39.2 2000. [8] J. Black, P. Rogaway, and T. Shrimpton, “Black-box analysis of the block-cipher-based hash-function constructions from PGV,” Ad- We have estimated speed and ROM/RAM size of vances in Cryptology — CRYPTO 2002, LNCS, vol.2442, pp.320– Lesamnta-LW and SHA-256 on an 8-bit CPU RenesasR 335, 2002. H8R in assembly language. The performance results are [9] A. Bogdanov, L.R. Knudsen, G. Leander, C. Paar, A. Poschmann, M.J.B. Robshaw, Y. Seurin, and C. Vikkelsoe, “PRESENT: An ultra- shown in Table 3 where by short message we mean a mes- lightweight block cipher,” Cryptographic Hardware and Embedded sage whose length is less than 128 bits. Systems CHES 2007, LNCS, vol.4727, pp.450–466, 2007. As for RAM requirement, it is clear that Lesamnta-LW [10] A. Bogdanov, G. Leander, C. Paar, A. Poschmann, M.J. B. Robshaw, gains advantages over SHA-256 with respect to speed on and Y. Seurin, “Hash functions and RFID tags: Mind the gap,” Cryp- short messages and RAM/ROM requirements. tographic Hardware and Embedded Systems CHES 2008, LNCS, vol.5154, pp.283–299, 2008. [11] C. Bouillaguet, O. Dunkelman, G. Leurent, and P.A. Fouque, “An- 6.2.2 32-bit CPU other look at complementation properties,” Fast Software Encryp- tion 2010 Workshop FSE 2010, LNCS, vol.6147, pp.347–364, 2010. We have estimated the speed of Lesamnta-LW and SHA- [12] C.D. Canniere,´ O. Dunkelman, and M. Knezevic, “KATAN and 256 on the Intel Core i5 processor which offers instructions KTANTAN a family of small and efficient hardware-oriented block for fast encryption of AES. Our results are shown in Table ciphers,” Cryptographic Hardware and Embedded Systems CHES 2009, LNCS, vol.5747, pp.272–288, 2009. 4. Lesamnta-LW is reasonably fast on this platform. [13] F. Chabaud and S. Vaudenay, “Links between differential and linear cryptanalysis,” Advances in Cryptology — EUROCRYPT’94, 7. Conclusion LNCS, vol.950, pp.356–365, 1995. [14] J. Daemen and V. Rijmen, The Design of Rijndael: AES — A new lightweight 256-bit hash function Lesamnta-LW has Advanced Encryption Standard, Springer-Verlag, 2002. been proposed. We claim that its distinct features over [15] I.B. Damgård, “A design principle for hash functions,” Advances in Cryptology — CRYPTO’89, LNCS, vol.435, pp.416–427, 1990. the existing lightweight primitives are compactness, high- [16] E. Fleischmann, C. Forler, and M. Gorski, “Classification of the speed, and a very good tradeoff between speed and cost on SHA-3 candidates,” eprint archive: http://eprint.iacr.org/2008/511 8-bit CPUs as well as the high security levels with security [17] M. Feldhofer, S. Dominikus, and J. Wolkerstorfer, “Strong authenti- reductions. We expect that Lesamnta-LW will open up a cation for RFID systems using the AES algorithm,” Proc. Workshop new set of lightweight applications. of Cryptographic Hardware and Embedded Systems — CHES 2004, LNCS, vol.3156, pp.357–370, Springer, 2004. Although we believe that the underlying block cipher [18] M. Feldhofer and C. Rechberger, “A case against currently used of Lesamnta-LW withstands a number of recently proposed hash functions in RFID protocols,” Proc. On the Move to Meaning- attacks because of our conservative design, more extensive ful Internet Systems 2006, OTM 2006 Workshops, LNCS, vol.4227, analysis such as evaluation of security against rebound at- pp.372–381, 2006. tacks would be needed. [19] N. Ferguson, S. Lucks, B. Schneier, D. Whiting, M. Bellare, T. Kohno, J. Callas, and J. Walker, “The skein hash function family,” http://www.schneier.com/skein.html Acknowledgments [20] G. Gaubatz, J.P. Kaps, E. Ozturk, and B. Sunar, “State of the art in ultra-low power public key cryptography for wireless sensor net- We would like to mention the people who gave us valuable works,” Workshop on Pervasive Computing and Communication Se- feedback and important comments on this work: Yasuko curity PerSec 2005. Fukuzawa, Kazuo Ota, and Kazuo Sakiyama. [21] P. Gauravaram, L.R. Knudsen, K. Matusiewicz, F. Mendel, C. Rechberger, M. Schla¨ffer, and S.S. Thomsen, “Grøstl — A SHA- HIROSE et al.: AN AES BASED 256-BIT HASH FUNCTION FOR LIGHTWEIGHT APPLICATIONS: LESAMNTA-LW 97

3 candidate,” http://www.groestl.info/ and B. Preneel, “MAME: A compression function with reduced [22] S. Hirose, H. Kuwakado, and H. Yoshida, “SHA-3 proposal: Lesam- hardware requirements,” Cryptographic Hardware and Embedded nta,” http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/ Systems CHES 2009, LNCS, vol.4727, pp.148–165, 2007. Lesamnta.zip, Oct. 2008. latest version: http://www.sdl.hitachi.co.jp/ [44] X. Wang, X. Lai, D. Feng, H. Chen, and X. Yu, “Cryptanalysis of crypto/lesamnta/ the hash functions MD4 and RIPEMD,” Advances in Cryptology — [23] S. Hirose, H. Kuwakado, and H. Yoshida, “Security analy- EUROCRYPT 2005, LNCS, vol.3494, pp.1–18, 2005. sis of the compression function of Lesamnta and its impact,” [45] X. Wang, Y.L. Yin, and H. Yu, “Finding collisions in the full SHA- http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/ 1,” Advances in Cryptology — CRYPTO 2005, LNCS, vol.3621, LESAMNTA Comments.pdf, June 2009. pp.17–36, 2005. [24] T. Jakobsen and L.R. Knudsen, “The interpolation attack on block [46] Wikipedia, “Microprocessor,” ch. Market statistics, http://en. ciphers,” Fast Software Encryption, FSE’97, LNCS, vol.1267, wikipedia.org/wiki/Microprocessor pp.28–40, 1997. [47] H. Wu, “The hash function JH,” http://www3.ntu.edu.sg/home/wuhj/ [25] A. Joux, “Multicollisions in iterated hash functions. Application to research/jh/ cascaded construction,” Advances in Cryptology — CRYPTO 2004, [48] Y. Zheng, T. Matsumoto, and H. Imai, “On the construction of block Lect. Notes Comput. Sci., vol.3152, pp.306–316, 2004. ciphers provably secure and not relying on any unproved hypothe- [26] J. Kelsey and B. Schneier, “Second preimages on n-bit hash func- ses,” Advances in Cryptology — CRYPTO’89, LNCS, vol.435, tions for much less than 2n work,” Advances in Cryptology — pp.461–480, 1990. EUROCRYPT 2005, LNCS, vol.3494, pp.474–490, 2005. [27] L.R. Knudsen, “Truncated and higher order differentials,” Fast Soft- ware Encryption, FSE’94, LNCS, pp.196–211, 1995. Appendix A: Lesamnta-LW Example [28] T.V. Le, R. Sparr, R. Wernsdorf, and Y.Desmedt, “Complementation- like and cyclic properties of AES round functions,” Advanced En- (r) cryption Standard — AES, 4th International Conference, AES 2004, The 32-bit round constants C are Lect. Notes Comput. Sci., vol.3373, pp.128–141, 2005. [29] M. Matsui, “Linear cryptanalysis method for DES cipher,” Advances a432337f 945e1f8f 92539a11 24b90062 in Cryptology — EUROCRYPT’93, LNCS, vol.765, pp.386–397, 6971c64c d6e3f449 2c2f0da9 33769295 1994. eb506df2 708cebfe b83ab7bf 97df0f17 [30] A.J. Menezes, P.C. van Oorschot, and S.A. Vanstone, HANDBOOK 9223b802 7fa29140 0ff45228 01fe8a45 of APPLIED CRYPTOGRAPHY, CRC Press, 1996. ed016ee8 1da02ddd ee8aba1b 46c4c223 [31] R.C. Merkle, “One way hash functions and DES,” CRYPTO’89, 53cd0d24 d1b46d24 c1fb4124 c3f2a4a4 LNCS, vol.435, pp.428–446, 1990. [32] R. Motwani and P. Raghavan, Randomized Algorithms, Cambridge c3b39814 c3bbbf82 759191b0 0eb23236 University Press, 1995. b7fd6c86 a0d48750 141a90ea 6f65b45d [33] National Institute of Standards and Technology, “Secure hash stan- e0d2092b 470fd445 e5df4528 1cbbe8a5 dard,” Federal Information Processing Standards Publication 180-2, eea9c2b4 c618f4d6 aee8345a 783be0cb Aug. 2002. http://csrc.nist.gov/publications/fips/fips180-2/fips180- 5412e979 3c712e0f 87567c21 2619bca4 2.pdf df0efb14 c02c13e2 75e3643c d571a007 [34] National Institute of Standards and Technology, “The keyed-hash message authentication code (HMAC),” Federal Information Pro- 9a766de0 134ecdbc d9a41537 9becdb46 cessing Standards Publication 198, March 2002. a556b1a8 14aad635 efabe566 abde566c [35] National Institute of Standards and Technology, “Announcing re- ceb6064d f4e87f69 286e7ccd e8337039 quest for candidate algorithm nominations for a new cryptographic 2bf51d27 85a6fa44 cb7913c8 196f2279 hash algorithm (SHA-3) family,” http://csrc.nist.gov/groups/ST/ / / hash documents , Nov. 2007. For Lesamnta-LW, the initial hash value H(0) is [36] R. Rivest, “The MD5 message-digest algorithm,” Request (0) (0) (0) (0) (0) (0) (0) (0) (0) for Comments, no.1321, April 1992. ftp://ftp.rfc-editor.org/in- H0 H1 H2 H3 H4 H5 H6 H7 , where each Hi is notes/rfc1321.txt a 32-bit word 00000256 in hex. [37] http://www.semico.com Let the message M be the 24-bit (l = 24) ASCII string [38] A. Shamir, “SQUASH — A new MAC with provable security prop- “abc”, which is equivalent to the following binary string: erties for highly constrained devices such as RFID tags,” Fast Soft- 01100001 01100010 01100011. Then the resulting 256- ware Encryption, FSE 2008, Lect. Notes Comput. Sci., vol.5086, pp.144–157, 2008. bit message digest is [39] W. Simpson, “PPP challenge handshake authentication protocol (CHAP),” Request for Comments, no.1994, 1996. http:// 2558c1d3 7f9f307b e3cddad4 a23c8654 www.ietf.org/rfc/rfc1994.txt 518f6079 7eb491e7 3758727d fc83de65. [40] M.L. Songini, “Passive RFID tag market to hit $486M in 2013,” In- // / / / foWorld, http: www.infoworld.com t networking passive-rfid-tag- Appendix B: Proof of Lemma 2 market-hit-486m-in-2013-102 [41] S. Tillich, M. Feldhofer, W. Issovits, T. Kern, H. Kureck, B = { }n/2 B≤i = i Bd = M. Muhlberghuber, G. Neubauer, A. Reiter, A. Kofler, and Let 0, 1 .Let d=0 .LetM[1,l] M. Mayrhofer, “Compact hardware implementations of the SHA-3 M1M2···Ml for 1 ≤ l ≤ .Fori ∈{0, 1,...,} ( ≥ 1), candidates ARIRANG, BLAKE, Grφstl, and Skein,” eprint archive: ≤ let Ii : B →Bbe a random function such that Ii(M[1,l]) // / / http: eprint.iacr.org 2009 349.pdf equals [42] G. Tsudik, “Message authentication with one-way hash functions,” ⎧ ACM Computer Communications Review, vol.22, no.5, pp.29–38, ⎪ ⎨⎪α (M )ifl ≤ i, 1992. ⎪ 1 [1,l] ¨ ⎩⎪ E [43] H. Yoshida, D. Watanabe, K. Okeya, J. Kitahara, H. Wu, O. Kuc¨ ¸uk,¨ kiv-LW (α0(M[1,i])α1(M[1,i]), M[i+1,l])otherwise, IEICE TRANS. FUNDAMENTALS, VOL.E95–A, NO.1 JANUARY 2012 98

where α0 and α1 are random functions uniformly distributed i ≤i over F (B , B)andF (B , B), respectively. Notice that α0 Appendix C: Proof of Lemma 3 and α1 are just random elements from B if i = 0. Let Pi = Ii n/2 Pr[A = 1]. Then, Let B = {0, 1} .LetK1,...,Km be independent random B variables uniformly distributed over .Letρ1,...,ρm be Advprf (A) = P − P . kiv-LWE 0 independent random functions uniformly distributed over F (B2, B2). Let ,..., be independent random permu- Let us consider the following prf-adversary B with q 1 m tations uniformly distributed over P(B2). Then, oracles u1,...,uq using A as a subroutine. { } m-prf B ﬁrst selects i from 1,..., uniformly at random. Adv (A) E Then, B runs A. B simulates a random function β uniformly E ,...,E ρ ,...,ρ ≤i− = Pr[A K1 Km = 1] − Pr[A 1 m = 1] distributed over F (B 1, B) via lazy sampling. When B re- (k) (k) = ≤ EK1 ,...,EKm = − 1,..., m = ceives the k-th query M M[1,l] of A, B returns Pr[A 1] Pr[A 1] ⎧ + |Pr[A 1,..., m = 1] − Pr[Aρ1,...,ρm = 1]| . ⎪ (k) ⎪β(M )ifl ≤ i − 1, ⎨⎪ [1,l] ≤ ≤ O ⎪ (k) (k) = For 0 i m,let i be m oracles such that ⎪ω(uidx(k)(Mi β(M[1,i−1]))) if l i, ⎪ E ,...,E , + ,..., . ⎩kiv-LWE(υ(M(k) ), M(k) )ifl ≥ i + 1, K1 Ki i 1 m [1,i] [i+1,l] A prp-adversary B is constructed using A as a subrou- where ω is a function which outputs the second half of its tine. B has an oracle u, which is either EK or ,whereK is a random variable uniformly distributed over B and is input, and υ(M(k) ) = u (M(k)β(M(k) )). idx(k)isa [1,i] idx(k) i [1,i−1] a random permutation uniformly distributed over P(B2). B { } (p) unique integer in 1,...,q . If there is a previous query M i { , ,...,m} (p) (k) ﬁrst selects uniformly at random from 1 2 . Then, (p < k) such that M − = M − ,thenidx(k) = idx(p). [1,i 1] [1,i 1] B runs A with oracles EK1 ,...,EKi−1 , u, i+1,..., m,and Otherwise, idx(k) = k. outputs A’s output. Then,

Now, suppose that B has oracle access to EK1 , EK2 ,..., prp EK ,whereK j’s are independent random variables uni- = EK = − = q AdvE (B) Pr[B 1] Pr[B 1] formly distributed over B. Then, in response to M(k) , B [1,l] 1 O O returns = Pr[A m = 1] − Pr[A 0 = 1] . ⎧ m ⎪ k ⎨⎪β(M( ) )ifl ≤ i − 1, ⎪ [1,l] B makes at most q queries and runs in time at most t + ⎩⎪ E (k) (k) ≥ kiv-LW (Kidx(k) β(M[1,i−1]), M[i,l])ifl i. O(qTE). It is possible to distinguish 1,..., m and ρ1,...,ρm Since K can be regarded as a random function of idx(k) only by the fact that there may be a collision for ρi’s. Thus, (k) M[1,i−1], we can say that A has oracle access to Ii−1.There- since A makes at most q queries, fore, q(q − 1) | A 1,..., m = − Aρ1,...,ρm = | ≤ Pr[ 1] Pr[ 1] 2n+1 . E ,...,E 1 2 Pr[B K1 Kq = 1] = P − . i 1 i=1 Trademarks Next, suppose that B has oracle access to ρ1,...,ρq, R R where ρ j’s are independent random functions uniformly dis- • Renesas and H8 are registered trademarks of Rene- tributed over F (B2, B2). Since the ﬁrst half and the sec- sas Technology Corporation. (k) (k) • R ond half of ρidx(k)(Mi β(M[1,i−1])) are independent random Intel is a registered trademark of Intel Corporation in (k) / functions of M , we can say that A has oracle access to Ii. the United States and or other countries. [1,i] R TM Therefore, • Intel Core i5 is a trademark of Intel Corporation in the U.S. and/or other countries. 1 • Lesamnta is a registered trademark of Hitachi, Ltd. in Pr[Bρ1,...,ρq = 1] = P . i Japan. i=1 From the discussions above,

q-prf = EK1 ,...,EKq = − ρ1,...,ρq = AdvE (B) Pr[B 1] Pr[B 1] 1 = Advprf (A). kiv-LWE B makes at most q queries and runs in time at most t + O(qTE). HIROSE et al.: AN AES BASED 256-BIT HASH FUNCTION FOR LIGHTWEIGHT APPLICATIONS: LESAMNTA-LW 99

Shoichi Hirose received the B.E., M.E. Bart Preneel received the Electr. Eng. and and D.E. degrees in information science from Ph.D. degrees from the Katholieke Universiteit Kyoto University, (Japan) in 1988, 1990 and Leuven (Belgium) in 1987 and 1993. He is a 1995, respectively. From 1990 to 1998, he was full professor in the COSIC research group at a research associate at Faculty of Engineering, the Katholieke Universiteit Leuven in Belgium. Kyoto University. From 1998 to 2005, he was He has authored more than 400 scientiﬁc pub- a lecturer at Graduate School of Informatics, lications and is inventor of 3 patents. His main Kyoto University. From 2005 to 2009, he was research interests are cryptography and informa- an associate professor at Faculty of Engineering, tion security (e.g., privacy and e-voting) and he University of Fukui. From 2009, he is a profes- frequently consults on these topics. He is presi- sor at Graduate School of Engineering, Univer- dent of the IACR (International Association for sity of Fukui. His current interests include cryptography and information Cryptologic Research). He has served as program chair of 14 international security. He received Young Engineer Award from IEICE in 1997, and conferences and he has been invited speaker at more than 70 conferences KDDI Foundation Research Award in 2008. He is a member of ACM, in 30 countries. IEEE, IACR and IPSJ.

Hirotaka Yoshida received the B.S. de- Kota Ideguchi received the B.S., M.S., gree from Meiji University (Japan) in 1999 and and Ph.D. degrees from the University of Tokyo M.S. degree from Tokyo Institute of Technol- (Japan) in 2001, 2003, and 2006, respectively. ogy (Japan) in 2001. He is a researcher of Hi- He is a researcher of Hitachi, Ltd. His current tachi, Ltd. He also is a research assistant in the research focuses on symmetric-key cryptogra- COSIC research group at the Katholieke Univer- phy. siteit Leuven in Belgium. His current research focuses on symmetric-key cryptography. He is a member of the IACR (International Associa- tion for Cryptologic Research).

Hidenori Kuwakado received the B.E., M.E. and D.E. degrees from Kobe University (Japan) in 1990, 1992, and 1999 respectively. He worked for Nippon Telegraph and Telephone Corporation from 1992 to 1996. From 1996 to 2002 he was a Research Associate in the Faculty of Engineering, Kobe University. From 2002 to 2007, he was an Associate Professor in the Faculty of Engineering, Kobe University. Since 2007, he has been an Associate Professor in Graduate School of Engineering, Kobe Univer- sity. His research interests are in cryptography and information security.

Toru Owada received the B.E., and M.E. degrees from Hokkaido University (Japan) in 1992 and 1994 respectively. He is a researcher of Hitachi, Ltd. His current interests include the hardware implementation of cryptographic algorithms.