The Lane Hash Function
Sebastiaan Indesteege [email protected]
COSIC, ESAT/SCD, Katholieke Universiteit Leuven, Belgium
First SHA-3 Candidate Conference
Contributors: Elena Andreeva, Christophe De Canni`ere, Orr Dunkelman, E m ili a K¨ asper, S vet l a Nik ova, B art P renee l , El mar Ti sc hh auser
Sebastiaan Indesteege (COSIC, K.U. Leuven) The Lane Hash Function 1/11 Introduction Lane
• is simple, elegant, easy to understand and analyse. • has a clear design rationale. • has undergone an extensive security analysis. • is flexible in implementation.
Sebastiaan Indesteege (COSIC, K.U. Leuven) The Lane Hash Function 2/11 Description of Lane
M ⋆ n, S M0 · · · · · · t || 0 l, S
0 · · · h(M)
0 c0 · · · · · · ct 0
Iteration Mode
• Very simple and lightweight • Features: bit counter, output transformation, salt (opt.) • Security: No length extension attacks, no long message second pre i mage a tt ac k s, i n di s ti ngu i s h a bl e f rom a ran d om oracle (prefix-free encoding), PRF preserving (MACs), . . .
Sebastiaan Indesteege (COSIC, K.U. Leuven) The Lane Hash Function 3/11 Description of Lane
Hi−1 Mi
Compression Function Message Expansion • Simple structure • Message expansion P0 P1 P2 P3 P4 P5 • 6 P-lanes (6 resp. 8 rounds) • 2 Q-lanes + + (3 resp. 4 rounds) • XOR combiners Q0 Q1 • Parallelism + (but low memory possible)
Hi
Sebastiaan Indesteege (COSIC, K.U. Leuven) The Lane Hash Function 4/11 Description of Lane
+ + I 0 II II I 0 0 0 0 0
2 0 I I 0 I 0 0 I 0 0 0 0 3 + II I II I W . . . W H Mh Ml 6 0 0 0 0 0 0 7 [ 0 || || 5] = h || || i · 6 I I I I 7 6 0 0 0 0 0 0 0 0 7 6 II II I I 7 6 0 0 0 0 0 0 7 4 I 0 I 0 0 I 0 0 0 0 0 I 5
Message Expansion
• Simple, lightweight, parallelisable, linear • Easy and fast to implement (XOR of large blocks) • Ensures minimum 4 active lanes (linear code over GF(4) with minimum distance 4) • Stops straightforward inversion and meet--- in the middle
Sebastiaan Indesteege (COSIC, K.U. Leuven) The Lane Hash Function 5/11 Description of Lane
+ +
+ ShiftRows ShiftRows SubBytes SubBytes MixColumns MixColumns Permutation ‘lanes’
• From AES:
k k8i + 8i+4 + ShiftRows, SubBytes, MixColumns k8i+1 + k8i+5 + k k 8i+2 + 8i+6 + • New: k8i+3 + k8i+7 + c i mod 2 + AddConstants, AddCounter, SwapColumns • Constants ki generated by LFSR • Lane-512 similar (Lane-256)
Sebastiaan Indesteege (COSIC, K.U. Leuven) The Lane Hash Function 6/11 Security of Lane
• Lane has undergone an extensive security analysis
• Differential cryptanalysis • Truncated differential cryptanalysis • Higher order differential cryptanalysis • Algebraic attacks • Attacks based on reduced query complexity • Generalised birthday attack • Meet-in-the-middle attacks • Long message second-preimage attacks • Length-extension attacks • Multicollision attacks • . . . • Refer to the supporting documentation: S. Indesteege, E. Andreeva, C. De Canni`ere, O. Dunkelman, E. K¨asper, S. Nikova, B. Preneel, E. Tischhauser The Lane Hash Function
Sebastiaan Indesteege (COSIC, K.U. Leuven) The Lane Hash Function 7/11 Se curity of Lane
Example: why standard differential cryptanalysis fails
• Lane-256 • Any differential characteristic Q • ≥ 4 active P-lanes • ≥ 45 active S-boxes per lane • Pr ≤ 2−6 per active S-box • ⇒ Pr(Q) ≤ 2−1080 • Assume perfect message modification • 832 degrees of freedom • ⇒ Pr ((m, m ′) ∈ Q) ≤ 2−248 • Very unlikely that a right pair even exists for a given characteristic Q!
Sebastiaan Indesteege (COSIC, K.U. Leuven) The Lane Hash Function 8/11 Implementation of Lane
• Lane is flexible in implementation • Reuse techniques for implementing AES • Lane + AES = share code/ROM/hardware • Roughly half the speed of AES:
AES-128 128 bits 10 AES rounds • ×0.48 Lane-256 512 bits 84 AES rounds { AES-256 128 bits 14 AES rounds • ×0.50 { Lane-512 1024 bits 224 AES rounds
Sebastiaan Indesteege (COSIC, K.U. Leuven) The Lane Hash Function 9/11 Implementation of Lane
Performance results
• Intel Core2: 25.7 cpb (Lane-256) • Intel AES-NI: Lane-256 at 5 cpb ? • Embedded systems: 108 bytes of RAM (Lane-256) • Hardware (Lane-256, 0.13 µm CMOS): 16 kGE @ 23.3 Mbps— 243 kGE @ 14.2 Gbps
Sebastiaan Indesteege (COSIC, K.U. Leuven) The Lane Hash Function 10/11 Conclusion
The Lane hash function • is simple, elegant, easy to understand and analyse. • has a clear design rationale. • has undergone an extensive security analysis. • is flexible in implementation.
Designer: Sebastiaan Indesteege Contributors: Elena Andreeva, Christophe De Canni`ere, Orr Dunkelman, Emilia K¨asper, Svetla Nikova, Bart Preneel, Elmar Tischhauser http://www.cosic.esat.kuleuven.be/lane/
Sebastiaan Indesteege (COSIC, K.U. Leuven) The Lane Hash Function 11/11