Hardware Evaluation of the Stream Cipher-Based Hash Functions Radiogatun´ and Irrupt

Hardware Evaluation of the Stream Cipher-Based Hash Functions Radiogatun´ and Irrupt

Hardware Evaluation of the Stream Cipher-based Hash Functions RadioGatun´ and irRUPT L. Henzen, F. Carbognani, N. Felber, and W. Fichtner Integrated Systems Laboratory, ETH Zurich, Switzerland [email protected] Abstract days digital signature schemes, NIST introduced in 2007 a public call for new cryptographic hash algorithms [9]. The In the next years, new hash function candidates will re- intent of the competition is to identify modern secure hash place the old MD5 and SHA-1 standards and the current functions and to define the new SHA-3 family. SHA-2 family. The hash algorithms RadioGatun´ and ir- Although the security provided by an algorithm is the RUPT are potential successors based on a stream structure, most important evaluation criterion, in a second phase of which allows the achievement of high throughputs (particu- the competition the hardware profile of the candidates will larly with long input messages) with minimal area occupa- be evaluated. In particular, NIST will emphasize the com- tion. In this paper, several hardware architectures of the two putational efficiency and the implementation costs of every above mentioned hash algorithms have been investigated. algorithm. Therefore, candidate algorithms should be suit- The implementation on ASIC of RadioGatun´ with a word able for hardware implementations (ASIC or FPGA) in var- length of 64 bits shows a complexity of 46 k gate equiva- ious embedded systems, where high-speed, low-power, or lents (GE) and reaches 5.7 Gbps throughput with a 3 · 64- limited memory requirements may play a cardinal role. bit input message. The same design approaches 120 Gbps The hash function RadioGatun´ [2] has been presented on ASIC with long input messages (63.4 Gbps on a Virtex- as a competitive alternative algorithm in terms of perfor- 4 FPGA with 2.9 kSlices). On the other hand, the irRUPT mances, while the cryptographic algorithm irRUPT is a spe- core turns out to be the most compact circuit (only 5.8 kGE cific hash function based on the symmetric cryptographic on ASIC, and 370 Slices on FPGA) achieving 2.4 Gbps (with primitive EnRUPT [10]. Since RadioGatun´ and irRUPT long input messages) on ASIC, and 1.1 Gbps on FPGA. have an intrinsic simplicity in computing the hash value, their hardware implementations are expected to be very compact, while reaching very high throughput. This work 1 Introduction presents the first complete VLSI characterization of the Ra- dioGatun´ and irRUPT hash functions, through the investi- Hash functions are cryptographic primitives that take an gation of six hardware architectures. Their suitability for input message and generate an output referred to as hash hardware implementation is eventually confirmed by the value or digest. Since a message of arbitrary bit-length pro- achieved results and the comparison with other hash algo- duces a fixed-length output, different messages might be rithms. hashed into the same digest. The fundamental character- The remainder of this paper is organized as follows. Sec- istic of hash functions is, therefore, the ability to keep the tion 2 introduces the computational processes of Radio- probability of such a collision low. Moreover, for a given Gatun´ and irRUPT and the required parameters. Section 3 output it should be computationally infeasible to recover describes the methodologies used in the implementation of any of the generator inputs. These properties are referred to the hardware architectures. The achieved experimental re- as collision resistance and preimage resistance [7]. Digital sults are presented in section 4 with a comparison between signature, message authentication, and data integrity make the analyzed algorithms and other hash functions. Eventu- an extensive usage of hash functions. ally, section 5 draws the conclusions. Recently, the old hash primitives MD5 and SHA-1 have been broken (collisions found) [5, 16]. Hence, the National 2 Algorithm Specification Institute of Standards and Technologies (NIST) have stan- dardized the SHA-2 family [8]. Since these algorithms rely Hash functions generally work over an iterative model, on similar computational structure and a successful colli- which computes the fixed-size hash value by processing sion attack on SHA-2 could have catastrophic effects for to- successive fixed-size input blocks. A message of arbitrary 978-3-9810801-5-5/DATE09 © 2009 EDAA length is divided into l-bit blocks (with a padding process on Algorithm 1 Alternating-input construction the last block), that are sequentially injected into an internal Z RadioGatun´ w(M) collision-resistant compression function. The compression (A; B) = (0; 0) function generates an n-bit intermediate digest using the in- for i = 0; 1; : : : ; nm − 1 do 0 0 (A ; B ) = Fi(A; B; M) put block and the previous intermediate result. The last in- 0 0 termediate digest is defined as the final n-bit hash value, af- (A; B) = R(A ; B ) ter all input blocks are processed. This model is also called end forfInjectiong i ; ; : : : ; nb the Merkle-Damgard˚ (MD) construction [7]. The security for = 0 1 − 1 do (A; B) = R(A; B) level of MD-based hash algorithms is defined by the col- end forfManglingg lision resistance of the compression function. The SHA-1 for i = 0; 1; : : : ; nz − 1 do and SHA-2 families are hash functions based on this itera- (A; B) = R(A; B) tive structure, as well as MD5 [13] and the NESSIE candi- (z2i; z2i+1) = (a1; a2) date Whirlpool [12]. end forfExtractiong However, several attacks on MD-based hash functions have recently been demonstrated, turning the MD construc- tion into an insecure model. Alternative designs rely on round. In the input phase, the iterations of the round func- modern stream ciphers [15]. This is the case of RadioGatun´ tion are alternated with the insertion of the input blocks. and irRUPT. Although the former relies on the alternating- The output phase executes the round function over the state input IMF (iterative mangling function) [2] and the latter on and outputs some elements of the state variables as the hash a stream mode of the cryptographic primitive EnRUPT [10], value. the resulting stream cipher-based hashing schemes present similarities. The peculiarity resides in the computational 2.1 The RadioGatun´ Hash Function schedule of the algorithms. Instead of running a compres- sion process for every l-bit input block, the whole message RadioGatun´ is based on the alternating-input construc- is first entirely inserted into the hash function and, then, it tion of IMF. As described in Alg. 1, the phases of Fig. 1 are is elaborated to obtain the related hash value. The phase injection, mangling, and extraction. The l-bit input block schedule of this structure (see Fig. 1) consists of a message M = (m ; m +1; m +2), where every element is a w-bit input phase, where the message blocks are sequentially in- i i i word (l = 3w), is mapped into the state variables A (mill) serted, a blank round phase, i.e., a series of blank rounds, and B (belt) by the function F (). After n iterations a and the digest output phase, where every iteration generates i m message of 3wn bits is taken. Then, n = 16 blank the elements of the final hash value. m b rounds are repeated over the state A and B, followed by RadioGatun´ and irRUPT are defined over a simple round nz iterations of the round function and the extraction of two function, which updates the internal state variables at every words from A. The central component is the round function R(). Its belt-and-mill structure (see Alg. 2) consists of the Mill() and the Belt() functions with the Mill to Belt and the Message Input Phase Belt to Mill operations. The mill A consists of 19 words ai, while the belt B has 13 stages bi of three words bi;j . Message Round Block Function The Mill() function consists of four invertible transfor- mation (see Alg. 3). Among these, the first is the only one introducing non-linearity in the hashing process. The input Blank Round Phase Round Algorithm 2 Round function Function (A0; B0) R(A; B) for i = 0; 1; : : : ; 12 do b0(i) = b(i − 1 mod 13) Digest Output Phase end forfBelt functiong for i = 0; 1; : : : ; 11 do Round 0 0 Hash b (i + 1; i mod 3) = b (i + 1; i mod 3) ⊕ a(i + 1) Function Value end forfMill to Beltg A0 = Mill(A) for i = 0; 1; 2 do Figure 1. Phase schedule of the hash func­ a0(i + 13) = a0(i + 13) ⊕ b(12; i) tions RadioGatun´ and irRUPT. end forfBelt to Millg 2 Algorithm 3 Mill function (indices are modulo 19) Algorithm 4 stream hashing (indices of x are modulo h) 0 A Mill(A) Z irRUPTw(M) for i = 0; 1; : : : ; 18 do X = 0; d = 0; r = 1 0 a (i) = a(i) ⊕ [a(i + 1) _ a(i + 2)] for i = 0; 1; : : : ; nm − 1 do end for ir2s(mi) for i = 0; 1; : : : ; 18 do end forfProcessg 0 a(i) = a (7i) o i(i + 1)=2 for i = 0; 1; : : : ; h − 1 do end for ir2s(0) for i = 0; 1; : : : ; 18 do end forfFinalizeg 0 a (i) = a(i) ⊕ a(i + 1) ⊕ a(i + 4) for i = 0; 1; : : : ; h=2 − 1 do end for ir2s(0) 0 0 a (0) = a (0) ⊕ 1 zi = d end forfOutputg mapping function Fi() is defined as 3 Hardware Implementations 0 ai+16 = ai+16 ⊕ mi i = 0; 1; 2 8 0 The core of the implementation of the presented hash al- 0 0 ai = ai else (A ; B ) = > 0 (1) gorithms is the single round function (R() or ir2s()) and the < b = b0 ⊕ m i = 0; 1; 2 0;i ;i i memory unit to store the intermediate state variables.

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    6 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us