
NaSHA Cryptographic Hash Function

2.B Algorithm Specifications and Supporting Documentation

2.B.1 Algorithm Specifications

Designers: Smile Markovski and Aleksandra Mileva
Implementation Contributors: Simona Samardziska and Boro Jakimovski
Skopje and Štip, MACEDONIA, 2008

Abstract

We propose the NaSHA-$(m, k, r)$ family of cryptographic hash functions, based on quasigroup transformations. We use huge quasigroups defined by extended Feistel networks from small bijections and a novel design principle: the quasigroup used in every iteration of the compression function is different and depends on the processed message block. We present in full detail the implementations of NaSHA-$(m, 2, 6)$ where $m \in \{224, 256, 384, 512\}$.

1 Introduction

In this part we give the algorithm specification of our NaSHA hash function, consisting of 5 sections: 2. Mathematical background, 3. The NaSHA-$(m, k, r)$ hash algorithm, 4. Implementation of NaSHA-$(m, 2, 6)$ hash functions for $m \in \{224, 256, 384, 512\}$, 5. Design rationale and 6. Preliminary security analysis.

2 Mathematical background

2.1 Quasigroups

A quasigroup $(Q, *)$ is a groupoid, i.e., a set $Q$ with a binary operation $*$, such that the equations $a * x = b$ and $y * a = b$ have unique solutions $x$ and $y$ in $Q$ for each given $a, b \in Q$. Note that when $Q$ is finite, the main body of the multiplication table of $(Q, *)$ is a Latin square, i.e., the rows and the columns are permutations of $Q$. Given a quasigroup $(Q, *)$, two adjoint operations $/$ and $\backslash$ can be defined by
$$x / y = z \iff x = z * y \qquad\text{and}\qquad x \backslash y = z \iff x * z = y.$$
Then the groupoids $(Q, /)$ and $(Q, \backslash)$ are quasigroups too. By a quasigroup of good cryptographic quality we mean a finite quasigroup that is non-commutative, non-associative, non-idempotent, without right or left units and without proper sub-quasigroups. That quasigroup $(Q, *)$ should not be linear, in the sense that no output bit of $a * b$ is a linear combination of the input bits of $a$ and $b$, for each $a, b \in Q$.
Also, the quasigroup should not satisfy identities of the kinds
$$x * (x * (\cdots (x * y) \cdots)) = y \qquad\text{and}\qquad y = ((\cdots (y * x) \cdots) * x) * x,$$
in which $x$ occurs $l$ times, for some $l < 2n$, where $n$ is the order of the quasigroup.

2.2 Quasigroup transformations used in NaSHA

For the NaSHA hash family we use the following quasigroup transformations.

Definition 1 (Quasigroup additive string transformation $A_l : Q^t \to Q^t$ with leader $l$). Let $t$ be a positive integer, let $(Q, *)$ be a quasigroup, $Q = \mathbb{Z}_{2^n}$, and $l, x_j, z_j \in Q$. The transformation $A_l$ is defined by
$$A_l(x_1, \dots, x_t) = (z_1, \dots, z_t) \iff z_j = \begin{cases} (l + x_1) * x_1, & j = 1 \\ (z_{j-1} + x_j) * x_j, & 2 \le j \le t \end{cases} \qquad (1)$$
where $+$ is addition modulo $2^n$. The element $l$ is said to be a leader of $A$.

Definition 2 (Quasigroup reverse additive string transformation $RA_l : Q^t \to Q^t$ with leader $l$). Let $t$ be a positive integer, let $(Q, *)$ be a quasigroup, $Q = \mathbb{Z}_{2^n}$, and $l, x_j, z_j \in Q$. The transformation $RA_l$ is defined by
$$RA_l(x_1, \dots, x_t) = (z_1, \dots, z_t) \iff z_j = \begin{cases} x_j * (x_j + z_{j+1}), & 1 \le j \le t - 1 \\ x_t * (x_t + l), & j = t \end{cases} \qquad (2)$$
where $+$ is addition modulo $2^n$. The element $l$ is said to be a leader of $RA$.

For an element $z \in \mathbb{Z}_{2^n}$ denote by $\rho(z, \lfloor n/2 \rfloor)$ the element in $\mathbb{Z}_{2^n}$ obtained by rotating the $n$-bit representation of $z$ left by $\lfloor n/2 \rfloor$ bits. Given a string $Z = (z_1, \dots, z_t) \in (\mathbb{Z}_{2^n})^t$, we denote by $\rho(Z)$ the string
$$\rho(Z) = \left(\rho(z_1, \lfloor n/2 \rfloor), \dots, \rho(z_t, \lfloor n/2 \rfloor)\right) \in (\mathbb{Z}_{2^n})^t.$$
For a function $f = f(Z)$ we define a new function $\rho(f) = \rho(f)(Z)$ by $\rho(f)(Z) = f(\rho(Z))$.

Definition 3 (Quasigroup main transformation $MT : Q^t \to Q^t$). Let $Q = \mathbb{Z}_{2^n}$ and let $t$ and $k$ be positive integers, where $k$ is even. ($k$ is called the complexity of $MT$.) The transformation $MT$ is defined as a composition of transformations of the kind $A_{l_i}$ followed by $\rho(RA_{l_j})$, for suitable choices of the leaders $l_i$ and $l_j$ as functions depending on the variables $x_1, x_2, \dots, x_t$, as follows.
For every $x_\lambda \in Q$,
$$MT(x_1, \dots, x_t) = \rho(RA_{l_1})\bigl(A_{l_2}(\cdots(\rho(RA_{l_{k-1}})(A_{l_k}(x_1, \dots, x_t)))\cdots)\bigr), \qquad (3)$$
i.e., $MT = \rho(RA_{l_1}) \circ A_{l_2} \circ \cdots \circ \rho(RA_{l_{k-1}}) \circ A_{l_k}$, where $\circ$ denotes composition of functions.

2.3 Left and right quasigroups

A groupoid $(G, \cdot)$ is said to be a left (a right) quasigroup if the equation $xa = b$ ($ay = b$) has a unique solution $x$ ($y$) in $G$ for every $a, b \in G$.

Proposition 1. Let $(G, +)$ be a group and let $(G, *)$ be a quasigroup. Then the operation $\bullet$ defined by $x \bullet y = (x + y) * y$ defines a left quasigroup $(G, \bullet)$.

Proof. The solution $x = (b / a) - a$ of the equation $x \bullet a = b$ is unique, since $x \bullet y = x' \bullet y \Rightarrow x = x'$. $\square$

Proposition 2. Let $(G, +)$ be a group and let $(G, *)$ be a quasigroup. Then the operation $\diamond$ defined by $x \diamond y = x * (x + y)$ defines a right quasigroup $(G, \diamond)$.

Proof. The solution $y = -a + (a \backslash b)$ of the equation $a \diamond y = b$ is unique, since $x \diamond y = x \diamond y' \Rightarrow y = y'$. $\square$

Given a groupoid $(G, \cdot)$, for each $a \in G$ the left and the right translations $L_a$ and $R_a$ are defined by $L_a(x) = xa$ and $R_a(x) = ax$ respectively. If $(G, \cdot)$ is a left (right) quasigroup then its left (right) translation is a permutation, while the right (left) translation can be an arbitrary mapping. Considering the left and the right quasigroups defined as in Proposition 1 and Proposition 2, the situation is quite different in the case when $G = \mathbb{Z}_{2^n}$ and the group operation is addition modulo $2^n$. Namely, the right translation of $(G, \bullet)$ and the left translation of $(G, \diamond)$ may not be permutations in that case either. However, the probability of that event is quite small, roughly speaking, around $2 / |G|$. To show the last statement we consider the problem of finding solutions of the equation
$$x \diamond a = b, \quad\text{i.e.,}\quad x * (x + a) = b, \qquad (4)$$
where $a, b \in G$ are given and $x$ is unknown.

Proposition 3. Let $G = \mathbb{Z}_{2^n}$ with group operation addition modulo $2^n$. Let a quasigroup operation $*$ on $G$ be chosen randomly.
Then the probability that the right quasigroup $(G, \diamond)$ has two different solutions $x_1 \ne x_2$ of equation (4) is at most $\dfrac{2}{2^n - 1}$.

Proof. Let $x_1$ and $x_2$ be two different solutions of the equation $x * (x + a) = b$. Then
$$\begin{cases} x_1 * (x_1 + a) = b \\ x_2 * (x_2 + a) = b \end{cases} \Rightarrow \begin{cases} x_1 \backslash b - x_1 = a \\ x_2 \backslash b - x_2 = a \end{cases} \Rightarrow x_1 \backslash b - x_2 \backslash b = x_1 - x_2 \ne 0.$$

At first, we find the probability that a random quasigroup satisfies the event $x_1 \backslash b - x_2 \backslash b = x_1 - x_2 \ne 0$. The difference $x_1 - x_2$ can take any value $r \in G$, where $r \ne 0$. Fix an $r \ne 0$. Then there are $\binom{2^n}{2}$ pairs of different elements of $G$, and exactly $2^n$ of them satisfy the equation $x_1 - x_2 = r$. Hence, for any fixed $r \ne 0$ we have the probability
$$\Pr\{x_1, x_2 \in G,\ x_1 - x_2 = r\} = \frac{2}{2^n - 1}.$$

Consider now the equation $x_1 \backslash b - x_2 \backslash b = s$, where $s \ne 0$, $s \in G$, is given. Denote by $K$ the set of all quasigroups on $G$ and fix a solution $(x_1, x_2)$ of $x_1 \backslash b - x_2 \backslash b = s$. Denote by $K_s = K_s(x_1, x_2)$ the set of all quasigroups on $G$ with the property $x_1 \backslash b - x_2 \backslash b = s$. Then $|K_s| = |K_t|$ for each $s$ and $t$. Namely, if $(G, \backslash_1) \in K_s$, then we can construct a quasigroup $(G, \backslash_2) \in K_t$ as follows. At first choose $x_1 \backslash_2 b$ and $x_2 \backslash_2 b$ such that $x_1 \backslash_2 b - x_2 \backslash_2 b = t$ and let $\pi$ be the permutation generated by the two transpositions $(x_1 \backslash_1 b,\ x_1 \backslash_2 b)$, $(x_2 \backslash_1 b,\ x_2 \backslash_2 b)$. Then define the operation $\backslash_2$ for each $u, v \in G$ by $u \backslash_2 v = \pi(u \backslash_1 v)$. (Note that we have obtained $(G, \backslash_2)$ from $(G, \backslash_1)$ in such a way that we have only replaced in the multiplication table of $(G, \backslash_1)$ all appearances of $x_1 \backslash_1 b$ ($x_2 \backslash_1 b$) by $x_1 \backslash_2 b$ ($x_2 \backslash_2 b$).)
Now, for given $x_1, x_2 \in G$ and a randomly chosen quasigroup $(Q, \backslash)$, we have the probability
$$P_s\{Q \in K;\ x_1 \backslash b - x_2 \backslash b = s \text{ is true in } Q\} = \frac{|K_s|}{|K|} = \frac{1}{2^n - 1}.$$
Consequently, the probability that a random quasigroup $(G, *)$ satisfies the event $x_1 \backslash b - x_2 \backslash b = x_1 - x_2 \ne 0$ is
$$\begin{aligned}
P\{x_1 - x_2 = r,\ x_1 \backslash b - x_2 \backslash b = r,\ r > 0\} &= \sum_{r=1}^{2^n - 1} P\{x_1 - x_2 = r,\ x_1 \backslash b - x_2 \backslash b = r\} \\
&= \sum_{r=1}^{2^n - 1} P\{x_1 \backslash b - x_2 \backslash b = r \mid x_1 - x_2 = r\}\, P\{x_1 - x_2 = r\} \\
&= \sum_{r=1}^{2^n - 1} P_s\{Q \in K;\ x_1 \backslash b - x_2 \backslash b = r\}\, P\{x_1, x_2 \in G;\ x_1 - x_2 = r\} = \frac{2}{2^n - 1}.
\end{aligned}$$
Finally, if we additionally take the condition $x_1 \backslash b - x_1 = a$, we conclude that the probability that a right quasigroup $(G, \diamond)$ has two different solutions $x_1 \ne x_2$ of equation (4) is at most $\dfrac{2}{2^n - 1}$. $\square$

In a similar way one can prove the same property for the left quasigroup $(G, \bullet)$.

Proposition 4. Let $G = \mathbb{Z}_{2^n}$ with group operation addition modulo $2^n$. Let a quasigroup operation $*$ on $G$ be chosen randomly. Then the probability that the left quasigroup $(G, \bullet)$ has two different solutions $x_1 \ne x_2$ of the equation
$$(a + x) * x = b \qquad (5)$$
is at most $\dfrac{2}{2^n - 1}$. $\square$

Remark 1. In the set of all 576 quasigroups of order 4, each equation of the kind $x * (x + a) = b$ (or $(a + x) * x = b$) has two (or more) solutions in exactly 168 quasigroups.
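The transformations of Section 2.2 and the collision of Proposition 4, as an added Python example that is not code from the NaSHA specification. It uses a small constructed Latin square on $Q = \mathbb{Z}_4$ ($n = 2$ bits) and passes the leaders of $MT$ as constants, both assumptions of the example; the $A_2$ collision it exhibits is the event whose probability Proposition 4 bounds.

```python
# Added example (not code from the NaSHA specification): Definitions 1-3 of
# Section 2.2 over a toy quasigroup on Q = Z_4 (n = 2 bits), plus the
# collision that Proposition 4 predicts for the left quasigroup (G, bullet).
N_BITS = 2
MOD = 1 << N_BITS

# Constructed 4x4 Latin square, TABLE[x][y] = x * y (illustrative, not NaSHA's).
TABLE = [[0, 1, 2, 3], [1, 0, 3, 2], [3, 2, 1, 0], [2, 3, 0, 1]]

def rho(z, n=N_BITS):
    """rho(z, floor(n/2)): rotate the n-bit value z left by floor(n/2) bits."""
    r = n // 2
    return ((z << r) | (z >> (n - r))) & ((1 << n) - 1)

def A(l, xs, t=TABLE):
    """Definition 1, equation (1): z_1 = (l + x_1) * x_1, z_j = (z_{j-1} + x_j) * x_j."""
    zs, prev = [], l
    for x in xs:
        prev = t[(prev + x) % MOD][x]
        zs.append(prev)
    return zs

def RA(l, xs, t=TABLE):
    """Definition 2, equation (2), evaluated from the right end:
    z_t = x_t * (x_t + l), z_j = x_j * (x_j + z_{j+1})."""
    zs, nxt = [], l
    for x in reversed(xs):
        nxt = t[x][(x + nxt) % MOD]
        zs.append(nxt)
    return zs[::-1]

def MT(leaders, xs):
    """Definition 3, equation (3): MT = rho(RA_{l_1}) o A_{l_2} o ... o A_{l_k}, k even.
    The leaders l_1..l_k are passed as constants here (an assumption of this
    example); the specification derives them from the processed message."""
    ys = list(xs)
    for i in range(len(leaders) - 1, -1, -1):   # A_{l_k} is applied first
        # rho(f)(Z) = f(rho(Z)): rotate every element, then apply RA_l.
        ys = A(leaders[i], ys) if i % 2 else RA(leaders[i], [rho(y) for y in ys])
    return ys

def left_solutions(a, b, t=TABLE):
    """All x with (a + x) * x = b, equation (5). Two or more solutions mean the
    right translation of (G, bullet) is not a permutation, so A_a can collide."""
    return [x for x in range(MOD) if t[(a + x) % MOD][x] == b]

if __name__ == "__main__":
    print("A_1(1,2,3,0)      =", A(1, [1, 2, 3, 0]))
    print("MT_{2,1}(1,2,3,0) =", MT([2, 1], [1, 2, 3, 0]))
    print("(2 + x) * x = 3 for x in", left_solutions(2, 3))
```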
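Remark 1 and the bound of Proposition 3 can be checked exhaustively for order 4, as in this added Python example (not code from the NaSHA specification): it enumerates all 576 Latin squares on $\mathbb{Z}_4$ and, for every $a, b$, counts the quasigroups in which equation (4) or equation (5) has two or more solutions.

```python
# Added example (not code from the NaSHA specification): a brute-force check of
# Remark 1 and of the bound of Proposition 3 for the 576 quasigroups of order 4,
# i.e. G = Z_{2^2} with addition modulo 4.
from itertools import permutations

def latin_squares(n):
    """Every Latin square of order n as a tuple of rows; each row is a permutation
    that clashes in no column with the rows already chosen."""
    perms = list(permutations(range(n)))
    def grow(rows):
        if len(rows) == n:
            yield tuple(rows)
            return
        for p in perms:
            if all(p[c] != r[c] for r in rows for c in range(n)):
                yield from grow(rows + [p])
    return list(grow([]))

def count_multi_solution(squares, a, b, left=False):
    """Number of quasigroups (x * y = sq[x][y]) in which equation (4), x * (x + a) = b,
    or with left=True equation (5), (a + x) * x = b, has two or more solutions x."""
    n = len(squares[0])
    hits = 0
    for sq in squares:
        if left:
            sols = [x for x in range(n) if sq[(a + x) % n][x] == b]
        else:
            sols = [x for x in range(n) if sq[x][(x + a) % n] == b]
        hits += len(sols) >= 2
    return hits

def remark1(n_bits=2):
    """Return (number of quasigroups, {(a, b, left): count}, Proposition 3 bound
    2 / (2^n - 1)); Remark 1 says every count is 168 out of 576."""
    order = 1 << n_bits
    squares = latin_squares(order)
    counts = {(a, b, left): count_multi_solution(squares, a, b, left)
              for a in range(order) for b in range(order) for left in (False, True)}
    return len(squares), counts, 2 / (order - 1)

if __name__ == "__main__":
    total, counts, bound = remark1()
    print(total, "quasigroups; counts:", sorted(set(counts.values())), "bound:", bound)
```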