
SHA-3 submission: SIMD Is a Message Digest

Principal submitter: Gaëtan Leurent
École Normale Supérieure, Département d'Informatique
45, rue d'Ulm, 75005 Paris, France
[email protected]
Tel: +33.1.44.32.20.47, Fax: +33.1.44.32.21.51

Auxiliary submitters: Charles Bouillaguet, Pierre-Alain Fouque

Algorithm inventors/developers: Gaëtan Leurent, Charles Bouillaguet, Pierre-Alain Fouque

Backup contact: Pierre-Alain Fouque
École Normale Supérieure, Département d'Informatique
45, rue d'Ulm, 75005 Paris, France
[email protected]
Tel: +33.1.44.32.20.48, Fax: +33.1.44.32.21.51

Introduction

The SIMD hash function is quite similar to members of the MD/SHA family. It is based on a familiar Merkle-Damgård design, where the compression function is built from a Feistel-like cipher in Davies-Meyer mode. However, there are some innovations in this design: the internal state is twice as big as the output size, we use a strong message expansion, and we use a modified feed-forward in the compression function. The main design criterion was to follow the MD/SHA design principles, which are quite well understood, and to add some elements to avoid all known attacks.

SIMD is particularly efficient on platforms with vector instructions (SIMD), which are available on many processors. Such instructions have been proposed since 1997 and are now widely deployed. Moreover, it is also possible to use two cores on multicore processors to boost the performance by a factor of 1.8, by splitting the message expansion function and the hashing process.

Contents

1 Algorithm Specification and Rationale ... 5
1.1 Mathematical Preliminaries and Notations ... 5
1.1.1 The Field $\mathbb{F}_{257}$ ... 5
1.1.2 The Number-Theoretic Transform ... 5
1.1.3 The Rings $\mathbb{Z}_{2^{16}}$ and $\mathbb{Z}_{2^{32}}$ ... 6
1.2 Description of the Algorithm ... 6
1.2.1 Mode of operation ... 7
1.2.2 The Message Expansion ... 8
1.2.3 The Feistel Ladder ... 10
1.2.4 The Final Compression Function ... 15
1.2.5 Initialization Vector ... 15
1.2.6 Input and Output ... 15
1.3 Rationale ... 18
1.3.1 Iteration Mode ... 18
1.3.2 Davies-Meyer ... 18
1.3.3 The Message Expansion ... 19
2 Implementation Aspects and Performance ... 21
2.1 Software Implementation ... 21
2.1.1 SIMD instructions ... 21
2.1.2 Multi-core ... 22
2.1.3 Performance ... 22
2.2 8-bit Implementation ... 23
2.3 Hardware implementation ... 23
3 Expected strength ... 25
4 Security Analysis ... 27
4.1 Mode of Operation ... 27
4.1.1 Mode of Operation for the Hash Function ... 27
4.1.2 Security Results for Some Hash-Based Constructions ... 27
4.1.3 Mode of Operation for the Compression Function ... 28
4.2 Security of the Compression Function ... 28
4.2.1 Resistance to Differential Cryptanalysis ... 28
4.2.2 The Step Update Function ... 28
4.3 Reduced Versions ... 29
4.3.1 SIMD-n/2:k ... 29
4.3.2 SIMD-n/k ... 29
5 Advantages and limitations ... 31
5.1 Parallelism ... 31
5.2 Strong Message Expansion ... 31
5.3 Performance ... 31
6 Test Vectors ... 33
6.1 SIMD-224 ... 33
6.1.1 Empty message ... 33
6.1.2 One-block message ... 40
6.1.3 Two-block message ... 54
6.2 SIMD-256 ... 75
6.2.1 Empty message ... 75
6.2.2 One-block message ... 82
6.2.3 Two-block message ... 95
6.3 SIMD-384 ... 116
6.3.1 Empty message ... 116
6.3.2 One-block message ... 128
6.3.3 Two-block message ... 152
6.4 SIMD-512 ... 187
6.4.1 Empty message ... 187
6.4.2 One-block message ... 200
6.4.3 Two-block message ... 223

Chapter 1: Algorithm Specification and Rationale

This document defines the SIMD family of hash functions. This family is based on two functions, SIMD-256 and SIMD-512; we define SIMD-n with n ≤ 256 as a truncation of SIMD-256, and SIMD-n with 256 < n ≤ 512 as a truncation of SIMD-512. Each function SIMD-n takes as input a message of arbitrary size and outputs a digest of n bits.
1.1 Mathematical Preliminaries and Notations

The design of SIMD uses a number of different operations with useful mathematical properties. In this section, we introduce the operations that will be used throughout this document, and detail their properties.

1.1.1 The Field $\mathbb{F}_{257}$

Since 257 is prime, the field $\mathbb{F}_{257}$ is simply the ring $\mathbb{Z}_{257}$ of the integers modulo 257. The operations in this field are indicated with (mod 257). This field is interesting because we can map a byte to an element of the field, and the operations in $\mathbb{F}_{257}$ can be computed efficiently in software and in hardware.

1.1.2 The Number-Theoretic Transform

The Number-Theoretic Transform of size n in $\mathbb{F}_{257}$ is defined as:

$$
\mathrm{NTT}_n : \mathbb{F}_{257}^{n} \to \mathbb{F}_{257}^{n}, \qquad
(x_i)_{i=0}^{n-1} \mapsto (y_i)_{i=0}^{n-1} : \quad y_i = \sum_{j=0}^{n-1} x_j \, \omega^{ij} \pmod{257},
$$

where n ≤ 256 and $\omega$ is an n-th root of unity in $\mathbb{F}_{257}$. We can see it as a polynomial evaluation: if the sequence $(x_i)_{i=0}^{n-1}$ is interpreted as a polynomial $P = \sum_{j=0}^{n-1} x_j X^j$, then we have $y_i = P(\omega^i)$. This transformation is similar to the Discrete Fourier Transform, but it operates on a finite field instead of the field of complex numbers. It can be computed efficiently by the same algorithm as the Fast Fourier Transform, which has a complexity of $O(n \log n)$ field operations.

1.1.3 The Rings $\mathbb{Z}_{2^{16}}$ and $\mathbb{Z}_{2^{32}}$

$\mathbb{Z}_{2^{16}}$ denotes the ring of integers modulo $2^{16}$, and $\mathbb{Z}_{2^{32}}$ denotes the ring of integers modulo $2^{32}$. We use dedicated symbols to represent the modular addition and multiplication in these rings (actually, we only use addition in $\mathbb{Z}_{2^{32}}$ and multiplication in $\mathbb{Z}_{2^{16}}$). Since an element of $\mathbb{Z}_{2^{16}}$ can be seen as a 16-bit word, and an element of $\mathbb{Z}_{2^{32}}$ can be seen as a 32-bit word, we can apply bit-wise boolean functions to them. We will use the following functions:

$$
\mathrm{IF}(A, B, C) = (A \wedge B) \vee (\neg A \wedge C)
$$
$$
\mathrm{MAJ}(A, B, C) = (A \wedge B) \vee (A \wedge C) \vee (B \wedge C)
$$

where $\vee$ denotes the boolean OR, $\wedge$ denotes AND, and $\neg$ denotes NOT. We also use $\oplus$ for the exclusive or. IF acts as a conditional, and MAJ is the majority function.
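The transform of Section 1.1.2 in working code, as an added example that is not part of the submission: it computes $\mathrm{NTT}_n$ over $\mathbb{F}_{257}$ directly from the defining sum and with the FFT-style recursion, and checks both against the polynomial-evaluation view $y_i = P(\omega^i)$. Deriving the root of unity from the generator 3 of $\mathbb{F}_{257}^{*}$ is this example's own choice; SIMD's actual $\omega$ is not given in this section.

```python
# Added example, not from the SIMD submission: the size-n Number-Theoretic
# Transform over F_257 of Section 1.1.2, computed straight from the defining
# sum (O(n^2)) and with an O(n log n) radix-2 recursion, then checked against
# the polynomial-evaluation view y_i = P(w^i). The root of unity is derived
# from the generator 3 of F_257^*; SIMD's own choice of w is not given here.
P = 257  # F_257 is simply Z/257Z because 257 is prime

def nth_root_of_unity(n):
    """Primitive n-th root of unity in F_257 for n dividing 256 = |F_257^*|."""
    assert n >= 1 and 256 % n == 0
    w = pow(3, 256 // n, P)  # 3 generates F_257^*, so 3^(256/n) has order n
    assert pow(w, n, P) == 1 and all(pow(w, k, P) != 1 for k in range(1, n))
    return w

def ntt_direct(x, w):
    """y_i = sum_j x_j * w^(ij) mod 257, exactly as defined: O(n^2) operations."""
    n = len(x)
    return [sum(x[j] * pow(w, i * j, P) for j in range(n)) % P for i in range(n)]

def ntt_fast(x, w):
    """Cooley-Tukey decimation in time. Splits into even/odd indices and uses
    w^(n/2) = -1 to get y_i and y_{i+n/2} from the two half-size transforms."""
    n = len(x)
    if n == 1:
        return [x[0] % P]
    half = ntt_fast(x[0::2], w * w % P), ntt_fast(x[1::2], w * w % P)
    y, t = [0] * n, 1  # t runs through w^0, w^1, ..., w^(n/2 - 1)
    for i in range(n // 2):
        e, o = half[0][i], half[1][i]
        y[i] = (e + t * o) % P
        y[i + n // 2] = (e - t * o) % P
        t = t * w % P
    return y

def poly_eval(x, point):
    """P(point) for P(X) = sum_j x_j X^j, by Horner's rule in F_257."""
    acc = 0
    for coeff in reversed(x):
        acc = (acc * point + coeff) % P
    return acc

def ntt_matches_polynomial_view(x):
    """Check that both NTT implementations agree with y_i = P(w^i) for all i."""
    w = nth_root_of_unity(len(x))
    fast = ntt_fast(x, w)
    return fast == ntt_direct(x, w) == [poly_eval(x, pow(w, i, P)) for i in range(len(x))]
```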
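An added check of the two properties Section 1.1.3 claims for IF and MAJ, not part of the submission: it enumerates the eight one-bit inputs, which suffices because both functions act bit-wise on words, and contrasts them with a three-input XOR (the XOR3 helper is this example's own, not SIMD's).

```python
# Added example, not from the SIMD submission: an exhaustive check of the two
# properties Section 1.1.3 claims for IF and MAJ. Both are applied bit-wise to
# 16/32-bit words, so one bit position decides: the output over all 8 inputs
# must be balanced, and flipping any single input must change the output for
# some inputs but not all (otherwise that input would act linearly, like XOR).
from itertools import product

ALL_INPUTS = list(product((0, 1), repeat=3))  # the 8 possible (A, B, C) bits

def IF(a, b, c):
    """IF(A,B,C) = (A AND B) OR (NOT A AND C): selects B when A=1, else C."""
    return ((a & b) | (~a & c)) & 1

def MAJ(a, b, c):
    """MAJ(A,B,C) = (A AND B) OR (A AND C) OR (B AND C): the majority bit."""
    return (a & b) | (a & c) | (b & c)

def XOR3(a, b, c):
    """Reference linear function, for contrast: it fails the second property."""
    return a ^ b ^ c

def is_unbiased(f):
    """Unbiased output: f is 1 on exactly half of the 8 inputs."""
    return sum(f(*bits) for bits in ALL_INPUTS) == 4

def flip_counts(f):
    """For each input index k, how many of the 8 inputs have their output
    changed by flipping bit k. 0 means no effect, 8 means a linear effect;
    a nonlinear dependence on every input shows up as values strictly between."""
    counts = []
    for k in range(3):
        changed = 0
        for bits in ALL_INPUTS:
            flipped = bits[:k] + (bits[k] ^ 1,) + bits[k + 1:]
            changed += f(*bits) ^ f(*flipped)
        counts.append(changed)
    return counts

def has_no_linear_input(f):
    """True if no single input bit has a purely linear (or null) effect."""
    return all(0 < count < 8 for count in flip_counts(f))
```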
These functions are already used in some hash functions because they have good properties: the output is unbiased, and no input bit has a linear effect on the output.

1.2 Description of the Algorithm

The SIMD hash is an iterative hash function that follows the Merkle-Damgård design. The main component of a Merkle-Damgård hash function h is a compression function $C : \{0,1\}^p \times \{0,1\}^m \to \{0,1\}^p$. To compute h(M), the message M is first divided into k chunks $M_i$ of m bits. Then the compression function is used to compress the message chunks and the internal state: $H_{i+1} = C(H_i, M_i)$. There is a padding rule to fill the last m-bit block, and the padding usually includes the message size (this is known as the Merkle-Damgård strengthening). The initial value of the internal state is called IV and is fixed in the description of the hash function. The output of the hash function is given by computing a finalization function $D : \{0,1\}^p \to \{0,1\}^n$ on the last internal state $H_{k-1}$.

The Davies-Meyer mode is a common way to build a compression function C from a block cipher E: it is defined as $C(h, m) = E_m(h) \oplus h$. Many hash functions use a custom block cipher, designed with a message expansion step and a Feistel ladder. The SIMD family uses a similar design, and the size parameters are as follows:

           Output size n   Message block size m   Internal state size p
SIMD-256   256             512                    512
SIMD-512   512             1024                   1024

The inner state is represented as a matrix of 32-bit words. For SIMD-256, it is a 4 × 4 matrix, while SIMD-512 has an 8 × 4 inner state:

$$
S_{256} = \begin{bmatrix}
A_0 & B_0 & C_0 & D_0 \\
A_1 & B_1 & C_1 & D_1 \\
A_2 & B_2 & C_2 & D_2 \\
A_3 & B_3 & C_3 & D_3
\end{bmatrix}
\qquad
S_{512} = \begin{bmatrix}
A_0 & B_0 & C_0 & D_0 \\
A_1 & B_1 & C_1 & D_1 \\
A_2 & B_2 & C_2 & D_2 \\
A_3 & B_3 & C_3 & D_3 \\
A_4 & B_4 & C_4 & D_4 \\
A_5 & B_5 & C_5 & D_5 \\
A_6 & B_6 & C_6 & D_6 \\
A_7 & B_7 & C_7 & D_7
\end{bmatrix}
$$

In this section, we will describe more precisely the operating mode of SIMD and the inside of the compression function: the message expansion and the Feistel ladder.
[Figure 1.1: The iteration used in SIMD. Message blocks $M_0, \dots, M_3$ and a final block containing the length |M| are fed through the compression function C (and $C'$ for the last block), producing the chaining values IV, $H_0, \dots, H_4$; the finalization D yields h(M).]

1.2.1 Mode of operation

Iteration. Our mode of operation is similar to the wide-pipe construction of Lucks [15] and to Chop-MD [5]: the internal state is twice as large as the output. The padding rule is quite simple: the last message block is filled with zeros if it is smaller than m bits, and an extra block containing the size of the message in bits is added. This extra block is compressed with a slightly modified compression function $C'$, and the output is truncated.