Fast Hashing and Stream Encryption with
Panama
1 2
Joan Daemen Craig Clapp
1
Banksys, Haachtesteenweg 1442, B-1130 Brussel, Belgium
email: [email protected]
2
PictureTel Corp oration, 100 Minuteman Rd., Andover, MA 01810, USA
email: [email protected]
Abstract. We present a cryptographic mo dule that can b e used b oth as
a cryptographic hash function and as a stream cipher. High p erformance
is achieved through a combination of lowwork-factor and a high degree
of paralleli sm. Throughputs of 5.1 bits/cycle for the hashing mo de and
4.7 bits/cycle for the stream cipher mo de are demonstrated on a com-
mercially available VLIW micro-pro cessor.
1 Intro duction
Panama is a cryptographic mo dule that can b e used b oth as a cryptographic
hash function and a stream cipher. It is designed to b e very ecient in software
implementations on 32-bit architectures.
Its basic op erations are on 32-bit words. The hashing state is up dated bya
parallel nonlinear transformation, the bu er op erates as a linear feedback shift
register, similar to that applied in the compression function of SHA [6]. Panama
is largely based on the StepRightUp stream/hash mo dule that was describ ed
in [4].
Panama has a low p er-byte work factor while still claiming very high security.
The price paid for this is a relatively high xed computational overhead for every
execution of the hash function. This makes the Panama hash function less suited
for the hashing of messages shorter than the equivalentofatyp ewritten page. For
the stream cipher it results in a relatively long initialization pro cedure. Hence,
in applications where sp eed is critical, to o frequent resynchronization should b e
avoided.
Atypical application for Panama might b e the encryption or decryption of
video-rate data in conditional access applications e.g. pay-TV. Set-top b oxes
and future digital televisions will increasingly include media pro cessors for de-
co ding compressed video and for p erforming other computationally intensive
image pro cessing tasks. This is an application space where data rates are high,
high-p erformance pro cessors are increasingly likely to b e present, and decryption
must b e done yet must not unduly burden an already heavily loaded pro cessor.
After sp ecifying the Panama hash function and stream cipher, we discuss the
particular design strategy and the implementation asp ects. We don't attempt to
give a pro of of security.However, a motivation for the design choices is given.
A C reference implementation of Panama and PostScript and PDF versions
of [4] are available from http://www.esat.kuleuven.ac.be/~rijmen/daemen.
2 Basic design principles
Panama is based on a nite state machine with a 544-bit state and a 8192-
bit bu er. The state and bu er can b e up dated by p erforming an iteration.
There are two mo des for the iteration function. A Push mo de, that allows to
inject an input and generates no output, and a Pul l mo de that takes no input
and generates an output. A blank Pull iteration is a Pull iteration in which the
output is discarded.
The up dating transformation of the state has high di usion and distributed
nonlinearity. Its design is aimed at providing very high nonlinearity and fast dif-
fusion for multiple iterations. This is realised by the combination of four distinct
transformations each with its sp eci c contribution. There is one for nonlinearity,
one for bit disp ersion, one for inter-bit di usion, and one for injection of bu er
and input bits.
The bu er b ehaves as a linear feedback shift register that ensures that input
bits are injected into the state over a wide interval of iterations. In the Push
mo de the input to the shift register is formed by the external input, in the Pull
mo de, by part of the state.
The Panama hash function is de ned as p erforming Push iterations with
message blo cks as input. If all message blo cks have b een injected, a number of
blank Pull iterations are p erformed to allow the last message blo cks b e di used
into the bu er and state. This is followed by a nal Pull iteration to retrieve the
hash result.
The Panama stream encryption scheme is initialised by doing two Push
iterations to inject the key and diversi cation parameter followed bya number of
blank Pull iterations to allow the key and parameter to b e di used into the bu er
and state. After this initialisation, the scheme is ready to generate keystream
bits at leisure by p erforming Pull iterations.
3 Sp eci cation
The state is denoted by a and consists of 17 32-bit words a to a . The bu er
0 16
b is a linear feedback shift register with 32 stages, each consisting of 8 words. An
j
j
8-word stage is denoted by b and its words by b . Both stages and words are
i
indexed starting from 0.
The three p ossible modes for the Panama mo dule are Reset, Push and Pull.
In Reset mo de the state and bu er are set to 0. In Push mo de an 8-word input
is applied and there is no output. In Pull mo de there is no input and an 8-word
output is delivered.
The bu er up date op eration is denoted by .Wehave with d = b:
j j 1
d = b if j 62 f0; 25g;
0 31
d = b q; 1
25 24 31
d = b b for 0 i<8 :
i i
i+2 mo d 8
In Push mo de q is the input blo ck p, in Pull mo de it is part of the state a,
with its 8 comp onentwords given by
q = a for 0 i<8 : 2
i i+1
The state up dating transformation is denoted by . It is comp osed of a num-
b er of sp eci c transformations:
= : 3
Here denotes the asso ciative comp osition of transformations where the right-
most transformation is executed rst.
is an invertible linear transformation de ned by:
c = a , c = a a a for 0 i<17 ; 4
i i i+1 i+4
with the indices taken mo dulo 17. The invertibilityof follows from the fact
4 17
that 1 x x is coprime to 1 x .
is an invertible nonlinear transformation de ned by:
a for 0 i<17 ; 5 c = a , c = a a OR
i+2 i i i+1
with the indices taken mo dulo 17. A pro of for the invertibilityof can b e found
in [4].
The p ermutation combines cyclic word shifts and a p ermutation of the
word p ositions. If we de ne to b e a rotation over k p ositions from LSB to
k
MSB, wehave:
c = a , c = a ; 6
i k j
with
j =7i mod17 and
7
k = ii +1=2 mod32 :
The transformation corresp onds with bitwise addition of bu er and input
words. It is given by let c = a:
c = a 00000001 ;
0 0 hex
c = a ` for 0 i<8 ;
8
i+1 i+1 i
16
for 0 i<8 : c = a b
i+9 i+9
i
4
In the Push mo de ` corresp onds with the input p, in the Pull mo de ` = b .
In the Pull mo de the output z consists of 8 words given by
z = a for 0 i< 8 : 9
i i+9
The transformation is illustrated in Fig. 1, the Push and Pull mo des of the
Panama mo dule are illustrated in Fig. 2. γ
π
θ
σ
Fig. 1. The state up dating transformation .
p 0 31
ρ
a
0 31
ρ
a z
Fig. 2. Push ab ove and Pull b elow mo des of Panama.
3.1 The Panama hash function
The Panama hash function maps a message of arbitrary length M to a hash
result of 256 bits. The Panama hash function is executed in two phases:
0
{Padding M is converted into a string M with a length that is a multiple
of 256 by app ending a single 1 followed byanumber d of 0-bits with 0
d< 256.
0 1 2 V
{ Iteration The input sequence M = p p :::p is loaded into the Panama
mo dule according to Table 1.
After all input blo cks have b een loaded, an additional 32 blank Pull iterations
are p erformed. Then the Hash result h is returned. The numb er of Push and Pull
iterations to hash an V -blo ck input sequence is V + 33.
Time step t Mo de Input Output
0 reset { {
t
1;:::;V Push p {
V +1;:::;V +32 Pull { {
V +33 Pull { h
Table 1. The sequence diagram of the iteration phase of the Panama hash function.
The design goal for the Panama hash function is that it should b e hermetic.
For the de nition of this term we refer to [4]. In short, for a hermetic hash
function, the following statements are true.
Assume we take as hash result the value of a subset of n bits of the for
Panama 256-bit output:
n=2
{ the exp ected workload of generating a collision is of the order of 2 execu-
tions of the hash function,
{ given an n-bit value, the exp ected workload of nding a message that hashes
n
to that value is of the order of 2 executions of the hash function,
{ given a message and its n-bit hash result, the exp ected workload of nding a
n
second message that hashes to the same value is of the order of 2 executions
of the hash function.
Moreover, it is infeasible to detect systematic correlations b etween any linear
combination of input bits and any linear combination of bits of the hash result.
A hermetic hash function can b e turned into a secure MACby simply includ-
ing a secret key in the message input. Its security is indep endent of the p ositions
of the secret key bits in the message. It may b e app ended, pre-p ended, inserted
somewhere in the middle of the message or even b e distributed over bits spread
all over the message. Observe that this is not the case with hash functions of the
MD4 family [8].
3.2 The Panama stream encryption scheme
The stream cipher is initialized by rst loading the 256-bit key K , the 256-bit
diversi cation parameter Q and p erforming 32 additional blank Pull iterations.
During keystream generation an 8-word blo ck z is delivered at the output for
every iteration. In practice, the diversi cation parameter allows for frequent
resynchronisation without the need to change the key.
The sequence diagram of the Panama stream encryption scheme is given in
Table 2.
Time step t Mo de Input Output