sign in sign up
<<
Home , Lane (hash function)

The Lane Hash Function

Sebastiaan Indesteege [email protected]

COSIC, ESAT/SCD, Katholieke Universiteit Leuven, Belgium

First SHA-3 Candidate Conference

Contributors: Elena Andreeva, Christophe De Canni`ere, Orr Dunkelman, E m ili a K¨ asper, S vet l a Nik ova, B art P renee l , El mar Ti sc hh auser

Sebastiaan Indesteege (COSIC, K.U. Leuven) The Lane Hash Function 1/11 Introduction Lane

• is simple, elegant, easy to understand and analyse. • has a clear design rationale. • has undergone an extensive security analysis. • is flexible in implementation.

Sebastiaan Indesteege (COSIC, K.U. Leuven) The Lane Hash Function 2/11 Description of Lane

M ⋆ n, S M0 · · · · · · t || 0 l, S

0 · · · h(M)

0 c0 · · · · · · ct 0

Iteration Mode

• Very simple and lightweight • Features: bit counter, output transformation, (opt.) • Security: No length extension attacks, no long message second pre i mage a tt ac k s, i n di s ti ngu i s h a bl e f rom a ran d om oracle (prefix-free encoding), PRF preserving (MACs), . . .

Sebastiaan Indesteege (COSIC, K.U. Leuven) The Lane Hash Function 3/11 Description of Lane

Hi−1 Mi

Compression Function Message Expansion • Simple structure • Message expansion P0 P1 P2 P3 P4 P5 • 6 P-lanes (6 resp. 8 rounds) • 2 Q-lanes + + (3 resp. 4 rounds) • XOR combiners Q0 Q1 • Parallelism + (but low memory possible)

Hi

Sebastiaan Indesteege (COSIC, K.U. Leuven) The Lane Hash Function 4/11 Description of Lane

+ + I 0 II II I 0 0 0 0 0

2 0 I I 0 I 0 0 I 0 0 0 0 3 + II I II I W . . . W H Mh Ml 6 0 0 0 0 0 0 7 [ 0 || || 5] = h || || i · 6 I I I I 7 6 0 0 0 0 0 0 0 0 7 6 II II I I 7 6 0 0 0 0 0 0 7 4 I 0 I 0 0 I 0 0 0 0 0 I 5

Message Expansion

• Simple, lightweight, parallelisable, linear • Easy and fast to implement (XOR of large blocks) • Ensures minimum 4 active lanes (linear code over GF(4) with minimum distance 4) • Stops straightforward inversion and meet--- in the middle

Sebastiaan Indesteege (COSIC, K.U. Leuven) The Lane Hash Function 5/11 Description of Lane

+ +

+ ShiftRows ShiftRows SubBytes SubBytes MixColumns MixColumns Permutation ‘lanes’

• From AES:

k k8i + 8i+4 + ShiftRows, SubBytes, MixColumns k8i+1 + k8i+5 + k k 8i+2 + 8i+6 + • New: k8i+3 + k8i+7 + c i mod 2 + AddConstants, AddCounter, SwapColumns • Constants ki generated by LFSR • Lane-512 similar (Lane-256)

Sebastiaan Indesteege (COSIC, K.U. Leuven) The Lane Hash Function 6/11 Security of Lane

• Lane has undergone an extensive security analysis

• Differential • Truncated differential cryptanalysis • Higher order differential cryptanalysis • Algebraic attacks • Attacks based on reduced query complexity • Generalised • Meet-in-the-middle attacks • Long message second-preimage attacks • Length-extension attacks • Multicollision attacks • . . . • Refer to the supporting documentation: S. Indesteege, E. Andreeva, C. De Canni`ere, O. Dunkelman, E. K¨asper, S. Nikova, B. Preneel, E. Tischhauser The Lane Hash Function

Sebastiaan Indesteege (COSIC, K.U. Leuven) The Lane Hash Function 7/11 Se curity of Lane

Example: why standard differential cryptanalysis fails

• Lane-256 • Any differential characteristic Q • ≥ 4 active P-lanes • ≥ 45 active S-boxes per lane • Pr ≤ 2−6 per active S-box • ⇒ Pr(Q) ≤ 2−1080 • Assume perfect message modification • 832 degrees of freedom • ⇒ Pr ((m, m ′) ∈ Q) ≤ 2−248 • Very unlikely that a right pair even exists for a given characteristic Q!

Sebastiaan Indesteege (COSIC, K.U. Leuven) The Lane Hash Function 8/11 Implementation of Lane

• Lane is flexible in implementation • Reuse techniques for implementing AES • Lane + AES = share code/ROM/hardware • Roughly half the speed of AES:

AES-128 128 bits 10 AES rounds • ×0.48 Lane-256 512 bits 84 AES rounds { AES-256 128 bits 14 AES rounds • ×0.50 { Lane-512 1024 bits 224 AES rounds

Sebastiaan Indesteege (COSIC, K.U. Leuven) The Lane Hash Function 9/11 Implementation of Lane

Performance results

• Intel Core2: 25.7 cpb (Lane-256) • Intel AES-NI: Lane-256 at 5 cpb ? • Embedded systems: 108 bytes of RAM (Lane-256) • Hardware (Lane-256, 0.13 µm CMOS): 16 kGE @ 23.3 Mbps— 243 kGE @ 14.2 Gbps

Sebastiaan Indesteege (COSIC, K.U. Leuven) The Lane Hash Function 10/11 Conclusion

The Lane hash function • is simple, elegant, easy to understand and analyse. • has a clear design rationale. • has undergone an extensive security analysis. • is flexible in implementation.

Designer: Sebastiaan Indesteege Contributors: Elena Andreeva, Christophe De Canni`ere, Orr Dunkelman, Emilia K¨asper, Svetla Nikova, , Elmar Tischhauser http://www.cosic.esat.kuleuven.be/lane/

Sebastiaan Indesteege (COSIC, K.U. Leuven) The Lane Hash Function 11/11