The CHI Family of Cryptographic Hash Algorithms
Total Page:16
File Type:pdf, Size:1020Kb
Submission to the SHA-3 Competition: The CHI Family of Cryptographic Hash Algorithms Design Team: Cryptographic Hash Initiative, Qualcomm International Lead Designers: Phil Hawkes, Cameron McDonald [email protected], [email protected] Level 3, 230 Victoria Rd, Gladesville, NSW 2111, Australia October 30, 2008 Abstract This document specifies the CHI family of cryptographic hash algorithms for the SHA-3 hash function competition being sponsored by NIST. The CHI family improves on the SHA-2 family by utilizing a stronger bit-wise non-linear function and ensuring better diffusion. This reduces the number of steps required to make the hash function secure and reduces the number of addition operations required. The addition operations are the largest and most power-hungry operations of the SHA-2 family, so the CHI family offers significant reduction in both energy usage and (in the case of hardware implementations) speed /area metrics. The CHI family targets 64-bit architecture, but is efficiently implemented on smaller architectures. 1 1 Introduction This document introduces four cryptographic hash algorithms collectively known as the CHI al- gorithms. The algorithms are denoted CHI-224, CHI-256, CHI-384 and CHI-512 according to the length of the output hash. The algorithms for CHI-224 and CHI-384 are almost identical to CHI- 256 and CHI-512 respectively, differing only in the values of some constants. The basic parameters of the CHI algorithms are shown in Table 1. Features of the CHI algorithms Regarding padding and parsing messages into message blocks for submitting to the compression function, the CHI algorithm processing is identical to FIPS 180-2 [56]. The compression function is then applied iteratively to the message blocks, as with the FIPS 180-2 algorithms. In order to provide resistance to length-extension attacks, the compression function for the final message block is slightly different from the compression function for the earlier blocks. The main distinguishing feature of the CHI compression function is the MAP, a complex bit- sliced function with four inputs and three outputs. Research indicated that such a MAP function is one of the most efficient methods of maximizing non-linear effects when followed by addition operations. Since the MAP function is bit-sliced, the MAP is well suited to implementation on any platform. The remaining operations are common to most processors, making the CHI algorithms efficient across many platforms. Implementing the CHI algorithms The primary goal of the designers has been to have good overall performance on all software platforms. For CHI-224 and CHI-256, this means that the algorithms may not be as fast as their SHA-2 counterparts on 32-bit platforms, in order to improve the efficiency on 64-bit processors. CHI-384 and CHI-512, on the other hand, are faster than their SHA-2 counterparts on all platforms. In hardware, all CHI algorithms are significantly more efficient that their SHA-2 counterparts. Algorithm Output Internal State Message Block Maximum Size Size Size Message Length CHI-224 224 256 512 264 − 1 CHI-256 256 256 512 264 − 1 CHI-384 384 512 1024 2128 − 1 CHI-512 512 512 1024 2128 − 1 Table 1: Basic parameters of the CHI algorithms. All sizes are given in bits. The Cryptographic Hash Initiative (CHI) Project The CHI Project was instigated by Greg Rose, head of the Qualcomm Product Security Initiative. The CHI project was coordinated by Phil Hawkes. Phil Hawkes and Cameron McDonald led the design effort. Brian Rosenberg and Lu Xiao were major contributors to the design and design review, with notable contributions from Steve Millendorf, Craig Northway, David Jacobson, Lu Xiao and Yafei Yang. Cameron McDonald coordinated the software implementation, with assistance from Craig Brown, Craig Northway and Jessica Purser. Bijan Ansari implemented the hardware simulation. Arun Balakrishnan, Alexander Gantman, John Jozwiak, Yinian Mao, Michael Paddon, Anand Palanigounder, Aram Perez and Miriam Wiggers de Vries completed the CHI project team. 2 1.1 Organization of this Document This document is organized in the following way. The remainder of the introduction contains definitions that are used by all parts of this document. The CHI algorithms are specified in Part I. The design rationale for the CHI algorithms is provided in Part II. A discussion on the cryptanalysis of CHI algorithms follows in Part III. Part IV discusses implementation characteristics of the CHI algorithms. Part V clarifies how this submission fulfills the submission requirements, and explains why we believe the CHI algorithms rate well with respect to the evaluation criteria. Appendix A shows an example of the intermediate values for CHI-224. 1.2 Definitions 1.2.1 Glossary of Terms and Acronyms Tables 2 and 3 contain a glossary of the terms used in this document. Table 4 contains a list of the acronyms used in this document. Bias A measure of the distance of a given distribution from a uniform distribution. Bit A binary digit having a value of 0 or 1. Block A group of bits of specified length. Byte A group of eight bits. Compression Function A function that produces an output hash value by combining an input hash value and a message block. Compression Feedback Func- A function that alters the input hash value prior to combin- tion ing with the output of the step functions. Constant A value that is independent of the message being processed. Differential Cryptanalysis A form of analysis based on tracing the propagation of dif- ferences through an algorithm. Linear Approximation An XOR sum of bits from the inputs and outputs of an operation. Linear Cryptanalysis A form of analysis based on biased linear approximations to non-linear components of an algorithm. Message Block The padded message is partitioned into message blocks. The size of the message block depends on the algorithm. Message Expansion The process of expanding a message block into a sequence of step inputs. Microcontrollers Low-end processors. These are typically 8-bit processors and 16-bit, although some 32-bit processors are now considered microcontrollers. Table 2: Glossary of terms beginning with A-M used in this document 3 Nabla differential characteris- A description of the location of bit differences and the sign tic of those bit differences. Padding The process of adding bits to the input message in order to form a multiple of the required block length. Parsing The process of partitioning the padded message into message blocks for processing by the compression function. SHA-1 SHA-1 algorithm specified in [56]. SHA-2 The set of SHA-224, SHA-256, SHA-384 and SHA-512 algo- rithms specified in [56]. SHA-3 predecessors The MD5, SHA-1 and SHA-2 algorithms. Sign (of a bit difference): a positive difference \+" indicates that the bit values changes from 0 to 1, while a negative difference \-" indicates that the bit values changes from 1 to 0. Step One application of the step function. Step Constant A value that is independent of the message but which changes from one step to the next. Step Input The sequence of word64s output from the message expan- sion, that are used in the step function . Step Input Package The set of step inputs and step constants used in a single step. Step Function A set of operations used to update the working variables based on the step input package. Underlying Block Cipher The CHI algorithms use a compression function in which most of the processing takes place in an underlying block cipher. Word32 A group of 32 bits (4 bytes). Word64 A group of 64 bits (8 bytes). Working Variables A set of variables whose values are updated by the step function. XOR differential A description of the location of bit differences. Table 3: Glossary of terms beginning with N-Z used in this document 4 AES Advanced Encryption Standard ALU Arithmetic Logical Unit ANF Algebraic Normal Form ASIC Application Specific Integrated Circuit CHI Cryptographic Hash Initiative (both the name of the development team and the name of the submission algorithm) DES Data Encryption Standard DSP Digital Signal Processor FPGA Field Programmable Gate Array HMAC Keyed-Hash Message Authentication Code LAB Linear Approximation Bias LSB Least Significant Bit MAC Message Authentication Code MSB Most Significant Bit NIST National Institute of Standards and Technology NDP Nabla Differential Probability PRF Pseudo-Random Function SHA Secure Hash Algorithm SIMD Single Instruction Multiple Data (a type of co-processor) XDP XOR-Differential Probability Table 4: List of acronyms used in this document 1.2.2 Symbols The uses of the \=" symbol in this document are defined in Table 5. Symbols that do not denote transformations on bit-strings are defined in Table 6. Symbols denoting transformations on bit- strings used in this document are defined in Table 7. Symbol Meaning = The expressions on both sides of the symbol can be consid- ered equivalent. := The variable on the left of the symbol is defined to be the resulting value of the expression to the right. == Returns TRUE if the evaluation of both sides are identical, and returns FALSE otherwise. Table 5: Uses of the \=" symbol in this document. 5 Symbol Meaning x[i] The i-th least significant bit of the bit string x jxj The number of non-zero bits in the bit string x (Hamming weight) P r(Event 1jEvent 2) The probability of Event 1 occurring given that 2 has oc- curred Table 6: Other symbols in this document. Symbol Meaning Operand Bit Length ^ Bitwise AND operation Any _ Bitwise OR (\inclusive-OR") operation Any ⊕ Bitwise XOR (\exclusive-OR") operation Any