R ADIO G ATÚN , R ADIO G ATÚN , a belt-and-mill hash function a belt-and-mill hash function Guido Bertoni, Joan Daemen, Michaël Peeters * and Gilles Van Assche STMicroelectronics * De Valck Consultants Second Cryptographic Hash Workshop
Introduction Introduction • New hash function (family) • Alternative design • Not based on fixed-length comp. function (Damgård-Merkle) • Not based on reduction Variable-length input, variable-length output • Diversity • Building upon P ANAMA • Generalizing collision-generating attack [Rijmen et al.] • Simplify and strengthen • Performance in SW and HW Second Cryptographic Hash Workshop
Alternating-input construction Alternating-input construction 0 Input block • State Round • Starts from 0 Input block • Iterate with input blocks Round • Input mapping ... • State size > input block size ( l i ) Blank Round • Do blank iterations iterations • Iterate with output blocks Round • Output mapping Output block • Fixed number for hash function Round Output block ... Second Cryptographic Hash Workshop
Belt-and-mill structure Belt-and-mill structure • State = ( mill , belt ) Mill Belt • Mill function Input • Non-linear function mapping • Diffusion and confusion Bell • Belt function Milt • Linear function • Long-term diffusion Mill Belt • Belt-to-mill + mill-to-belt function function • Bell + milt • Linear mappings Second Cryptographic Hash Workshop
Mill Belt R ADIO G ATÚN R ADIO G Input ATÚN mapping Bell • Parameter: word size Milt • R ADIO G ATÚN [32] • R ADIO G ATÚN [64] Mill Belt function function Belt Function Input Input Block Mapping 2 1 0 Belt Mill 16 17 18 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 1 1 1 1 1 1 1 1 1 0 1 2 3 4 5 6 7 8 9 Mill Function 6 7 8 0 1 2 3 4 5 Second Cryptographic Hash Workshop
Mill Belt R ADIO G ATÚN R ADIO G Input ATÚN mapping Bell Milt Mill Belt function function Belt Function Input Input Block Mapping 2 1 0 Belt Mill 16 17 18 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 1 1 1 1 1 1 1 1 1 0 1 2 3 4 5 6 7 8 9 Mill Function 6 7 8 0 1 2 3 4 5 Second Cryptographic Hash Workshop
Mill Belt R ADIO G ATÚN R ADIO G Input ATÚN mapping Bell • The mill function contains: Milt • Bitwise logical operations (XOR, AND, NOT) • Cyclic shifts Mill Belt function function Belt Function Input Input Block Mapping 2 1 0 Belt Mill 16 17 18 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 1 1 1 1 1 1 1 1 1 0 1 2 3 4 5 6 7 8 9 Mill Function 6 7 8 0 1 2 3 4 5 Second Cryptographic Hash Workshop
Mill Belt R ADIO G ATÚN R ADIO G Input ATÚN mapping Bell • The mill function contains: Milt • Bitwise logical operations (XOR, AND, NOT) • Cyclic shifts Mill Belt function function a 10 a 11 a 12 a 13 a 14 a 15 a 16 a 17 a 18 a 0 a 1 a 2 a 3 a 4 a 5 a 6 a 7 a 8 a 9 ° ¼ 105 120 136 153 171 55 66 78 91 10 15 21 28 36 45 0 1 3 6 µ Second Cryptographic Hash Workshop A 10 A 11 A 12 A 13 A 14 A 15 A 16 A 17 A 18 A 0 A 1 A 2 A 3 A 4 A 5 A 6 A 7 A 8 A 9
Mill Belt R ADIO G ATÚN R ADIO G Input ATÚN mapping Bell Milt Mill Belt function function Belt Function Input Input Block Mapping 2 1 0 Belt Mill 16 17 18 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 1 1 1 1 1 1 1 1 1 0 1 2 3 4 5 6 7 8 9 Mill Function 6 7 8 0 1 2 3 4 5 Second Cryptographic Hash Workshop
Mill Belt R ADIO G ATÚN R ADIO G Input ATÚN mapping Bell Milt Mill Belt function function Belt Function Input Input Block Mapping 2 1 0 Belt Mill 16 17 18 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 1 1 1 1 1 1 1 1 1 0 1 2 3 4 5 6 7 8 9 Mill Function 6 7 8 0 1 2 3 4 5 Second Cryptographic Hash Workshop
Mill Belt R ADIO G ATÚN R ADIO G Input ATÚN mapping Bell Milt Mill Belt function function Belt Function Input Input Block Mapping 2 1 0 Belt Mill 16 17 18 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 1 1 1 1 1 1 1 1 1 0 1 2 3 4 5 6 7 8 9 Mill Function 6 7 8 0 1 2 3 4 5 Second Cryptographic Hash Workshop
s 0 Differential trails Differential trails p 0 t 0 DP Round s 0 • Differential trail • State differences + input differences p 0 • Used to find an internal collision t 0 • Weight DP Round s 0 • Negative (binary) logarithm of probability ... p 0 t 0 DP Round s 0 Second Cryptographic Hash Workshop
Trail backtracking Trail backtracking • Propagate difference lonesome weight round • Through each round input blocks right pairs coming out (neg. log.) • Only if right pair backtracking cost right pairs entering (neg. log.) • weight > l i : fraction thru • weight ≤ l i : pair creation • Complexity • Lonesome round • Crowded round crowded round • Backtracking cost • Also for algebraic attacks rounds Second Cryptographic Hash Workshop
Analysis Analysis • R ADIO G ATÚN [1, 2, 4, …] useful for analysis • Explicit search of collisions • Differential trails with lowest complexity • Trail for R ADIO G ATÚN [1] extends to R ADIO G ATÚN [ n ] • Symmetry destroyed in the mill • Specific trails for R ADIO G ATÚN [ n ] may exist with lower cost • Other aspects • Fixed points • Algebraic attacks on R ADIO G ATÚN [1, 2, 3, 4, …, 64] • Ongoing • Prove bounds Second Cryptographic Hash Workshop
Performance Performance • Extremely fast in hardware • Fast in software Dell Precision 670 with Windows (32 bits) Linux (x86_64) Intel Xeon 3GHz Visual Studio 2005 GCC 3.3.5 (in Mbyte/sec) SHA-1 90 91 SHA-256 65 80 P ANAMA 480 288 R ADIO G ATÚN [32] 120 175 R ADIO G ATÚN [64] 55 270 Second Cryptographic Hash Workshop
Conclusion Conclusion • Belt-and-mill structure • Simplicity (analysis) • R ADIO G ATÚN • Performance • Existence of toy cipher (analysis) • No patent • Analysis ongoing • Do not hesitate to attack! • See security claims in R ADIO G ATÚN paper http://radiogatun.noekeon.org Second Cryptographic Hash Workshop
Recommend
More recommend
