The Lane Hash Function Sebastiaan Indesteege [email protected] COSIC, ESAT/SCD, Katholieke Universiteit Leuven, Belgium First SHA-3 Candidate Conference Contributors: Elena Andreeva, Christophe De Canni`ere, Orr Dunkelman, Em ili aK¨ asper, S vetl aNik ova,B artP reneel ,El marTi schh auser Sebastiaan Indesteege (COSIC, K.U. Leuven) The Lane Hash Function 1/11 Introduction Lane • is simple, elegant, easy to understand and analyse. • has a clear design rationale. • has undergone an extensive security analysis. • is flexible in implementation. Sebastiaan Indesteege (COSIC, K.U. Leuven) The Lane Hash Function 2/11 Description of Lane M ⋆ n, S M0 · · · · · · t || 0 l, S 0 · · · h(M) 0 c0 · · · · · · ct 0 Iteration Mode • Very simple and lightweight • Features: bit counter, output transformation, salt (opt.) • Security: No length extension attacks, no long message second prei mage att ack s,i ndi sti ngui sh abl ef rom a rand om oracle (prefix-free encoding), PRF preserving (MACs), . Sebastiaan Indesteege (COSIC, K.U. Leuven) The Lane Hash Function 3/11 Description of Lane Hi−1 Mi Compression Function Message Expansion • Simple structure • Message expansion P0 P1 P2 P3 P4 P5 • 6 P-lanes (6 resp. 8 rounds) • 2 Q-lanes + + (3 resp. 4 rounds) • XOR combiners Q0 Q1 • Parallelism + (but low memory possible) Hi Sebastiaan Indesteege (COSIC, K.U. Leuven) The Lane Hash Function 4/11 Description of Lane + + I 0 II II I 0 0 0 0 0 2 0 I I 0 I 0 0 I 0 0 0 0 3 + II I II I W . W H Mh Ml 6 0 0 0 0 0 0 7 [ 0 || || 5] = h || || i · 6 I I I I 7 6 0 0 0 0 0 0 0 0 7 6 II II I I 7 6 0 0 0 0 0 0 7 4 I 0 I 0 0 I 0 0 0 0 0 I 5 Message Expansion • Simple, lightweight, parallelisable, linear • Easy and fast to implement (XOR of large blocks) • Ensures minimum 4 active lanes (linear code over GF(4) with minimum distance 4) • Stops straightforward inversion and meet--- in the middle Sebastiaan Indesteege (COSIC, K.U. Leuven) The Lane Hash Function 5/11 Description of Lane + + + ShiftRows ShiftRows SubBytes SubBytes MixColumns MixColumns Permutation ‘lanes’ • From AES: k k8i + 8i+4 + ShiftRows, SubBytes, MixColumns k8i+1 + k8i+5 + k k 8i+2 + 8i+6 + • New: k8i+3 + k8i+7 + c i mod 2 + AddConstants, AddCounter, SwapColumns • Constants ki generated by LFSR • Lane-512 similar (Lane-256) Sebastiaan Indesteege (COSIC, K.U. Leuven) The Lane Hash Function 6/11 Security of Lane • Lane has undergone an extensive security analysis • Differential cryptanalysis • Truncated differential cryptanalysis • Higher order differential cryptanalysis • Algebraic attacks • Attacks based on reduced query complexity • Generalised birthday attack • Meet-in-the-middle attacks • Long message second-preimage attacks • Length-extension attacks • Multicollision attacks • . • Refer to the supporting documentation: S. Indesteege, E. Andreeva, C. De Canni`ere, O. Dunkelman, E. K¨asper, S. Nikova, B. Preneel, E. Tischhauser The Lane Hash Function Sebastiaan Indesteege (COSIC, K.U. Leuven) The Lane Hash Function 7/11 Security of Lane Example: why standard differential cryptanalysis fails • Lane-256 • Any differential characteristic Q • ≥ 4 active P-lanes • ≥ 45 active S-boxes per lane • Pr ≤ 2−6 per active S-box • ⇒ Pr(Q) ≤ 2−1080 • Assume perfect message modification • 832 degrees of freedom • ⇒ Pr ((m, m ′) ∈ Q) ≤ 2−248 • Very unlikely that a right pair even exists for a given characteristic Q! Sebastiaan Indesteege (COSIC, K.U. Leuven) The Lane Hash Function 8/11 Implementation of Lane • Lane is flexible in implementation • Reuse techniques for implementing AES • Lane + AES = share code/ROM/hardware • Roughly half the speed of AES: AES-128 128 bits 10 AES rounds • ×0.48 Lane-256 512 bits 84 AES rounds { AES-256 128 bits 14 AES rounds • ×0.50 { Lane-512 1024 bits 224 AES rounds Sebastiaan Indesteege (COSIC, K.U. Leuven) The Lane Hash Function 9/11 Implementation of Lane Performance results • Intel Core2: 25.7 cpb (Lane-256) • Intel AES-NI: Lane-256 at 5 cpb ? • Embedded systems: 108 bytes of RAM (Lane-256) • Hardware (Lane-256, 0.13 µm CMOS): 16 kGE @ 23.3 Mbps— 243 kGE @ 14.2 Gbps Sebastiaan Indesteege (COSIC, K.U. Leuven) The Lane Hash Function 10/11 Conclusion The Lane hash function • is simple, elegant, easy to understand and analyse. • has a clear design rationale. • has undergone an extensive security analysis. • is flexible in implementation. Designer: Sebastiaan Indesteege Contributors: Elena Andreeva, Christophe De Canni`ere, Orr Dunkelman, Emilia K¨asper, Svetla Nikova, Bart Preneel, Elmar Tischhauser http://www.cosic.esat.kuleuven.be/lane/ Sebastiaan Indesteege (COSIC, K.U. Leuven) The Lane Hash Function 11/11 .