Fast Hashing and Stream Encryption with Panama

Joan Daemen (1), Craig Clapp (2)

(1) Banksys, Haachtesteenweg 1442, B-1130 Brussel, Belgium, email: [email protected]
(2) PictureTel Corporation, 100 Minuteman Rd., Andover, MA 01810, USA, email: [email protected]

Abstract. We present a cryptographic module that can be used both as a cryptographic hash function and as a stream cipher. High performance is achieved through a combination of low work-factor and a high degree of parallelism. Throughputs of 5.1 bits/cycle for the hashing mode and 4.7 bits/cycle for the stream cipher mode are demonstrated on a commercially available VLIW micro-processor.

1 Introduction

Panama is a cryptographic module that can be used both as a cryptographic hash function and a stream cipher. It is designed to be very efficient in software implementations on 32-bit architectures. Its basic operations are on 32-bit words. The hashing state is updated by a parallel nonlinear transformation, the buffer operates as a linear feedback shift register, similar to that applied in the compression function of SHA [6]. Panama is largely based on the StepRightUp stream/hash module that was described in [4].

Panama has a low per-byte work factor while still claiming very high security. The price paid for this is a relatively high fixed computational overhead for every execution of the hash function. This makes the Panama hash function less suited for the hashing of messages shorter than the equivalent of a typewritten page. For the stream cipher it results in a relatively long initialization procedure. Hence, in applications where speed is critical, too frequent resynchronization should be avoided.

A typical application for Panama might be the encryption or decryption of video-rate data in conditional access applications, e.g. pay-TV.
Set-top boxes and future digital televisions will increasingly include media processors for decoding compressed video and for performing other computationally intensive image processing tasks. This is an application space where data rates are high, high-performance processors are increasingly likely to be present, and decryption must be done yet must not unduly burden an already heavily loaded processor.

After specifying the Panama hash function and stream cipher, we discuss the particular design strategy and the implementation aspects. We don't attempt to give a proof of security. However, a motivation for the design choices is given. A C reference implementation of Panama and PostScript and PDF versions of [4] are available from http://www.esat.kuleuven.ac.be/~rijmen/daemen.

2 Basic design principles

Panama is based on a finite state machine with a 544-bit state and an 8192-bit buffer. The state and buffer can be updated by performing an iteration. There are two modes for the iteration function: a Push mode, which injects an input and generates no output, and a Pull mode, which takes no input and generates an output. A blank Pull iteration is a Pull iteration in which the output is discarded.

The updating transformation of the state has high diffusion and distributed nonlinearity. Its design is aimed at providing very high nonlinearity and fast diffusion for multiple iterations. This is realised by the combination of four distinct transformations, each with its specific contribution. There is one for nonlinearity, one for bit dispersion, one for inter-bit diffusion, and one for injection of buffer and input bits.

The buffer behaves as a linear feedback shift register that ensures that input bits are injected into the state over a wide interval of iterations. In the Push mode the input to the shift register is formed by the external input, in the Pull mode, by part of the state.
The Panama hash function is defined as performing Push iterations with message blocks as input. If all message blocks have been injected, a number of blank Pull iterations are performed to allow the last message blocks to be diffused into the buffer and state. This is followed by a final Pull iteration to retrieve the hash result.

The Panama stream encryption scheme is initialised by doing two Push iterations to inject the key and diversification parameter, followed by a number of blank Pull iterations to allow the key and parameter to be diffused into the buffer and state. After this initialisation, the scheme is ready to generate keystream bits at leisure by performing Pull iterations.

3 Specification

The state is denoted by $a$ and consists of 17 32-bit words $a_0$ to $a_{16}$. The buffer $b$ is a linear feedback shift register with 32 stages, each consisting of 8 words. An 8-word stage is denoted by $b^j$ and its words by $b^j_i$. Both stages and words are indexed starting from 0.

The three possible modes for the Panama module are Reset, Push and Pull. In Reset mode the state and buffer are set to 0. In Push mode an 8-word input is applied and there is no output. In Pull mode there is no input and an 8-word output is delivered.

The buffer update operation is denoted by $\lambda$. We have with $d = \lambda(b)$:

$$d^j = b^{j-1} \ \text{if } j \notin \{0, 25\}, \qquad d^0 = b^{31} \oplus q, \qquad d^{25}_i = b^{24}_i \oplus b^{31}_{i+2 \bmod 8} \ \text{for } 0 \le i < 8. \qquad (1)$$

In Push mode $q$ is the input block $p$, in Pull mode it is part of the state $a$, with its 8 component words given by

$$q_i = a_{i+1} \ \text{for } 0 \le i < 8. \qquad (2)$$

The state updating transformation is denoted by $\rho$. It is composed of a number of specific transformations:

$$\rho = \sigma \circ \theta \circ \pi \circ \gamma. \qquad (3)$$

Here $\circ$ denotes the associative composition of transformations where the rightmost transformation is executed first.

$\theta$ is an invertible linear transformation defined by:

$$c = \theta(a) \Leftrightarrow c_i = a_i \oplus a_{i+1} \oplus a_{i+4} \ \text{for } 0 \le i < 17, \qquad (4)$$

with the indices taken modulo 17. The invertibility of $\theta$ follows from the fact that $1 + x + x^4$ is coprime to $1 + x^{17}$.
$\gamma$ is an invertible nonlinear transformation defined by:

$$c = \gamma(a) \Leftrightarrow c_i = a_i \oplus (a_{i+1} \ \mathrm{OR} \ \overline{a_{i+2}}) \ \text{for } 0 \le i < 17, \qquad (5)$$

with the indices taken modulo 17. A proof for the invertibility of $\gamma$ can be found in [4].

The permutation $\pi$ combines cyclic word shifts and a permutation of the word positions. If we define $\tau_k$ to be a rotation over $k$ positions from LSB to MSB, we have:

$$c = \pi(a) \Leftrightarrow c_i = \tau_k(a_j), \qquad (6)$$

with

$$j = 7i \bmod 17 \quad \text{and} \quad k = i(i+1)/2 \bmod 32. \qquad (7)$$

The transformation $\sigma$ corresponds with bitwise addition of buffer and input words. It is given by (let $c = \sigma(a)$):

$$c_0 = a_0 \oplus 00000001_{\text{hex}}, \qquad c_{i+1} = a_{i+1} \oplus \ell_i \ \text{for } 0 \le i < 8, \qquad c_{i+9} = a_{i+9} \oplus b^{16}_i \ \text{for } 0 \le i < 8. \qquad (8)$$

In the Push mode $\ell$ corresponds with the input $p$, in the Pull mode $\ell = b^4$. In the Pull mode the output $z$ consists of 8 words given by

$$z_i = a_{i+9} \ \text{for } 0 \le i < 8. \qquad (9)$$

The transformation $\rho$ is illustrated in Fig. 1, the Push and Pull modes of the Panama module are illustrated in Fig. 2.

Fig. 1. The state updating transformation $\rho$ (layers $\gamma$, $\pi$, $\theta$, $\sigma$).

Fig. 2. Push (above) and Pull (below) modes of Panama.

3.1 The Panama hash function

The Panama hash function maps a message of arbitrary length $M$ to a hash result of 256 bits. The Panama hash function is executed in two phases:

– Padding: $M$ is converted into a string $M'$ with a length that is a multiple of 256 by appending a single 1 followed by a number $d$ of 0-bits with $0 \le d < 256$.
– Iteration: The input sequence $M' = p^1 p^2 \ldots p^V$ is loaded into the Panama module according to Table 1. After all input blocks have been loaded, an additional 32 blank Pull iterations are performed. Then the Hash result $h$ is returned.

The number of Push and Pull iterations to hash a $V$-block input sequence is $V + 33$.

Time step t        Mode    Input    Output
0                  Reset   –        –
1, ..., V          Push    $p^t$    –
V+1, ..., V+32     Pull    –        –
V+33               Pull    –        h

Table 1. The sequence diagram of the iteration phase of the Panama hash function.

The design goal for the Panama hash function is that it should be hermetic. For the definition of this term we refer to [4].
In short, for a hermetic hash function, the following statements are true. Assume we take as hash result the value of a subset of $n$ bits of the (for Panama 256-bit) output:

– the expected workload of generating a collision is of the order of $2^{n/2}$ executions of the hash function,
– given an $n$-bit value, the expected workload of finding a message that hashes to that value is of the order of $2^n$ executions of the hash function,
– given a message and its $n$-bit hash result, the expected workload of finding a second message that hashes to the same value is of the order of $2^n$ executions of the hash function.
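
The invertibility claims made in Section 3 for θ (coprimality of 1 + x + x^4 and 1 + x^17), γ and π can be checked mechanically. The Python below is an added example, not code from the paper or its C reference implementation; all function names are chosen here, and γ is checked exhaustively on one-bit words, which suffices because γ uses only bitwise operations.

```python
# Added example: checks the invertibility claims for theta, gamma and pi (names are ours).
from functools import reduce
from operator import xor

N = 17                          # words in the state
THETA_POLY = 0b10011            # 1 + x + x^4; bit i is the x^i coefficient
MODULUS = (1 << N) | 1          # 1 + x^17

def gf2_divmod(a, b):
    """Quotient and remainder of a / b for polynomials over GF(2)."""
    q = 0
    while a.bit_length() >= b.bit_length():
        s = a.bit_length() - b.bit_length()
        q, a = q ^ (1 << s), a ^ (b << s)
    return q, a

def gf2_mul(a, b):
    r = 0
    while b:
        r, a, b = r ^ (a if b & 1 else 0), a << 1, b >> 1
    return r

def gf2_inverse(a, m):
    """Extended Euclid over GF(2): return (gcd(a, m), u) with u*a = gcd (mod m)."""
    r0, r1, u0, u1 = m, a, 0, 1
    while r1:
        q, r = gf2_divmod(r0, r1)
        r0, r1, u0, u1 = r1, r, u1, u0 ^ gf2_mul(q, u1)
    return r0, gf2_divmod(u0, m)[1]

def theta(a):
    return [a[i] ^ a[(i + 1) % N] ^ a[(i + 4) % N] for i in range(N)]

def theta_inverse(c):
    """Circulant whose taps are the exponents of THETA_POLY^-1 mod 1 + x^17."""
    g, inv = gf2_inverse(THETA_POLY, MODULUS)
    assert g == 1, "theta would not be invertible"
    taps = [s for s in range(N) if inv >> s & 1]
    return [reduce(xor, (c[(i + s) % N] for s in taps)) for i in range(N)]

def gamma(a, mask=0xFFFFFFFF):
    return [a[i] ^ ((a[(i + 1) % N] | ~a[(i + 2) % N]) & mask) for i in range(N)]

def gamma_bijective_on_bit_slice():
    """Enumerate all 2^17 states of one-bit words and count distinct images."""
    pack = lambda c: sum(bit << i for i, bit in enumerate(c))
    images = {pack(gamma([s >> i & 1 for i in range(N)], 1)) for s in range(1 << N)}
    return len(images) == 1 << N

def pi_schedule():
    # (source word j, rotation k) feeding each output word i of pi
    return [(7 * i % N, i * (i + 1) // 2 % 32) for i in range(N)]
```

For contrast, `gf2_inverse(0b11, MODULUS)` returns a gcd of 1 + x, so a map with taps {0, 1} alone would not be invertible on 17 words.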