A Novel Permutation-Based Hash Mode of Operation FP and the Hash Function SAMOSA

Transcription

1 A Novel Permutation-Based Hash Mode of Operation FP and the Hash Function SAMOSA Souradyuti Paul 1, Ekawat Homsirikamol 2, and Kris Gaj 2 1 University of Waterloo, Canada, and K.U. Leuven, Belgium souradyuti.paul@esat.kuleuven.be 2 George Mason University, USA ekawat@gmail.com, kgaj@gmu.edu Abstract. The contribution of the paper is two-fold. First, we design a novel permutation-based hash mode of operation FP, and analyze its security. We show that any n-bit hash function that uses the FP mode is indifferentiable from a random oracle up to 2 n/2 queries (up to a constant factor), if the underlying 2n-bit permutation is free from any structural weaknesses. Based on our further analysis and experiments, we conjecture that the FP mode is resistant to all non-trivial generic attacks with work less than the brute force, mainly due to its large internal state. We compare the FP mode with other permutation-based hash modes. To put this into perspective, we propose a concrete hash function SAMOSA using the new mode and the P -permutations of the SHA-3 finalist Grøstl. Based on our analysis we claim that the SAMOSA family cannot be attacked with work significantly less than the brute force. We also provide hardware implementation (FPGA) results for SAMOSA to compare it with the SHA-3 finalists. In our implementations, SAMOSA family consistently beats Grøstl, Blake and Skein in the throughput to area ratio. With more efficient underlying permutation, it seems possible to design a hash function based on the FP mode that can achieve even higher performances. 1 Introduction Hash mode of operation. Iterative hash functions are generally built from two components: (1) a basic primitive C with finite domain and range, and (2) an iterative mode of operation H to extend the domain of the hash function; the symbol H C denotes the hash function based on the mode H which invokes C iteratively to compute the hash digest. Therefore, to design an efficient hash function one has to be innovative with both the mode H and the basic primitive C. Merkle-Damgård mode used with a secure block cipher was the most attractive choice to build a practical hash function; some examples are SHA-family [22], and MD5 [26]. The security of a hash function based on the Merkle-Damgård S. Galbraith and M. Nandi (Eds.): INDOCRYPT 2012, LNCS 7668, pp , c Springer-Verlag Berlin Heidelberg 2012

2 510 S. Paul, E. Homsirikamol, and K. Gaj mode crucially relies on the fact that C is collision and pre-image resistant. The compression function C achieves these properties when it is constructed using a secure block cipher [8]. However, several security issues changed this popular design paradigm in the last decade. The first concern is that the security of Merkle-Damgård mode of operation irrespective of the strength of the primitive C came under a host of generic attacks; the length-extension attack [10], expandable message attack [18], multi-collision attacks [15] and herding attack [9,17] are some of them. Several strategies were discovered to thwart the above attacks. Lucks came up with the proposal of making the output of the primitive C at least twice as large as the hash output; this proposal is outstanding since, apart from rescuing the security of the Merkle-Damgård mode, it is also simple and easy to implement. Another interesting proposal was HAIFA that includes a counter injected into the compression function C to rule out many of the aforementioned attacks. Using the results of [8], it is easy to see that the Wide pipe and the HAIFA constructions are secure when the underlying primitive is a secure block cipher. Despite the aforementioned foolproof design strategies, it turns out that using a block cipher as the basic primitive of a hash function may not be the best alternative, for several reasons. (1) A hash function does not need both the encryption and the decryption function of a block cipher; one of them could be avoided. (2) The key schedule of a block cipher often turns out to be weak [3]. (3) Furthermore, the key schedule weaknesses of a block cipher render invalid the very common ideal cipher assumption under which the security of block-cipherbased hash functions is usually based; note that an ideal cipher assumption is stronger than an ideal permutation assumption since, in the former case, an extra assumption is that a huge number of ideal permutations need to be independent too. (3) The amount of memory needed to implement a wide block cipher is larger due to the extra key schedule than needed for an equally sized permutation. Permutation-based hash functions. The popularity of permutation-based hash functions has been on the rise since the discovery of weaknesses on the Merkle-Damgård mode. Sponge [4], Grøstl [14], JH [28], Luffa [11] and the Parazoa family [1] are some of them. We note that 9 out of 14 semi-finalist algorithms (3 out of 5 finalist algorithms) of the NIST SHA-3 hash function competition are based on permutations. Other notable example is MD6 [27]. In Table 1, we compare generic security and performance (measured in terms of rate) of various well known permutation-based hash modes. Our contribution FP mode. Our first contribution is to give a proposal for a new hash mode of operation FP based on a single wide pipe permutation (see Fig. 1). The FP mode is derived from the FWP (or Fast-wide pipe) mode designed by Nandi and Paul at Indocrypt 2010 [23]. The difference between the FWP and the FP mode is simple: the FP mode is obtained when the underlying hard-to-invert function

3 A Novel Permutation-Based Hash Mode of Operation FP 511 Table 1. Indifferentiability bounds of permutation-based hash modes, where the hash size is n-bit in each case. FP Ext1 is a natural variant of FP with parameters shown in the row. The ɛ is a small fraction due to the preimage attack on JH presented in [7]. Mode of Mesg-blk Size of π Rate Indiff. bound # of independent operation (l) (a) (l/a) lower upper permutations Hamsi [16] n/8 2n 0.07 n/2 n 1 Luffa [6] n/3 n 0.33 n/4 n 3 Sponge [5] n 3n 0.33 n n 1 Sponge [5] n 2n 0.5 n/2 n/2 1 JH [21] n 2n 0.5 n/2 n(1 ɛ) 1 Grøstl [14] n 2n 0.5 n/2 n 2 FP n 2n 0.5 n/2 n 1 MD6 [12] 6n 8n 0.75 n n 1 FP Ext1 6n 7n 0.85 n/2 n 1 m 1 m 2... m k IV IV π π π π hash Fig. 1. Diagram of the FP mode. The π is a permutation; all wires are n bits. See Fig. 3(a) for the description. f : {0, 1} m+n {0, 1} 2n of the FWP mode is replaced by an easy-to-invert permutation π : {0, 1} 2n {0, 1} 2n. 1 There are a number of practical reasons for switching from FWP to FP: (1) Easy-to-invert permutations are usually efficient, and such permutations with strong cryptographic properties are abundant in the literature (e.g. JH, Grøstl and Keccak permutations); (2) hard-to-invert functions either turn out to be weak [19], or they are inefficient. On the other hand, easy-to-invert permutations even though they are faster have some drawbacks; the most crucial of them is that they allow the attacker to use reverse queries in addition to forward queries, and, as a result, make the adversary inherently more powerful. Therefore, a good deal of caution is required to design a hash mode of operation that uses permutations. We show that the FP mode based on an ideal permutation is indifferentiable from a random oracle up to approximately 2 n/2 queries (forward and reverse together); this means that the FP mode is secure against all generic attacks including (multi) collision, 2nd preimage, herding attacks up to approximately 2 n/2 queries, under the assumption that the underlying permutation π is structurally strong. Moving further, a large number of experiments show that the indifferentiability security 1 FP is the shorthand for FWP with a permutation.

4 512 S. Paul, E. Homsirikamol, and K. Gaj of the FP mode could be improved optimally to n bits. Another important feature of our work is that the security guarantee is based on only one assumption like the Sponge and JH that the underlying permutation should not display any structural weaknesses; note that the security of many permutation-based hash functions (e.g. Grøstl and Luffa) requires additional assumptions such as independence of several ideal permutations. In Fig. 1, we compare the FP mode and a natural extension of it FP Ext1 with other permutation-based hash functions. It is noteworthy that the FP mode exhibits the best Rate-Security trade-off when the internal permutation size is fixed. Design and hardware implementation of the hash function SAMOSA. Our second contribution is establishing the practical usefulness of the FP mode. As an example, we design a concrete hash function family SAMOSA basedonthefp mode, where the internal primitives are the P -permutations of the Grøstl hash function. 2 We provide security analysis of SAMOSA, demonstrating its resistance against any known practical attacks. As demonstrated by the AES and the SHA-3 competitions, the security of a cryptographic algorithm alone is not sufficient to make it stand out from among multiple candidates competing to become a new American or international standard. Excellent performance in software and hardware is necessary to make a cryptographic protocol usable across platforms and commercial products. Assuring good performance in hardware is typically more challenging, since hardware design requires involved and specialized training, and, as it turns out, that the majority of designer groups lack experience and expertise in that area. In case of SAMOSA, the algorithm design and hardware evaluation have been performed side by side, leading to full understanding of all design decisions and their influence on hardware efficiency. In this paper, we present efficient highspeed architecture of SAMOSA, and show that this architecture outperforms the best known architecture of Grøstl in terms of the throughput to area ratio by a factor ranging between 24 and 51%. These results have been demonstrated using two representative FPGA families from two major vendors, Xilinx and Altera. As shown in [13], these results are also very likely to carry to any future implementations based on ASICs (Application Specific Integrated Circuits). Additionally, we demonstrate that SAMOSA consistently ranks above BLAKE, Skein and Grøstl in our FPGA implementations. Although it still loses to Keccak and JH, nevertheless, a relative distance to these algorithms substantially decreases compared to Grøstl, despite using the same underlying operations. This performance gain is accomplished without any known degradation of the security strength. Additionally, SAMOSA s dependence on many AES operations makes it suitable for software implementations that use general-purpose processors with AES instruction sets, such as AES-NI. Finally, in both software and hardware, SAMOSA seems to be an attractive choice for applications where both confidentiality and authentication are required to share AES components. One such example is IPSec, 2 SAMOSA isthenameofanindianfood.

5 A Novel Permutation-Based Hash Mode of Operation FP 513 protocol used for establishing Virtual Private Networks, which is one of the fundamental building blocks of secure electronic transactions over the Internet. Although SAMOSA comes too late for the current SHA-3 competition, it still has a chance to contribute to better understanding of the security and performance bottlenecks of modern hash functions, and to find niche platforms and applications in which it may outperform the existing and upcoming standards. Notation and Convention. This part has been moved to the full version of the paper [25]. Organization. The remainder of the paper is organized as follows. In Sect. 2 we define the new hash mode FP. In Sect. 4 we present our main indifferentiability theorem for the FP mode, and give a sketch for the proof. The proof is then elaborated in Sects. 5, 6 and 7. In Sect. 8, we propose a new concrete hash function named SAMOSA, and provide its security analysis. Finally, in Sect. 9, we give hardware implementation results for SAMOSA. 2 Definition of the FP Mode Suppose n 1. Let π : {0, 1} 2n {0, 1} 2n be the 2n-bit permutation used by the FP mode. The hash function FP π is a mapping from {0, 1} to {0, 1} n.the diagram and description of the FP transform are given in Figs. 1 and 3(a), where π is modeled as an ideal permutation. Below we define the padding function pad n ( ). Padding function pad n ( ). It is an injective mapping from {0, 1} to i 1 {0, 1} ni, where the message M {0, 1} is mapped into a string pad n (M) =m 1 m k 1 m k, such that m i = n for 1 i k. The function pad n (M) =M 1 0 t satisfies the above properties (t is the least non-negative integer such that M +1+t = 0modn). Note that k =. M +1 n In addition to the injectivity of pad n ( ), we will also require that there exists a function depad n ( ) that can efficiently compute M,givenpad n (M). Formally, the function depad n : i 1 {0, 1} in { } {0, 1} computes depad n (pad n (M)) = M, for all M {0, 1}, and otherwise depad n ( ) returns. The padding rule described above satisfies this property also. 3 Preliminaries: Introduction to the Indifferentiability Framework Definition 1 (Indifferentiability framework). [20,10] An interactive Turing machine (ITM) T with oracle access to an ideal primitive F is said to be (t A,t S,σ,ε)-indifferentiable from an ideal primitive G if there exists a simulator S such that, for any distinguisher A, the following equation is satisfied: Adv T,F def G,S (A) = Pr[A T,F 1] Pr[A G,S 1] ε.

6 514 S. Paul, E. Homsirikamol, and K. Gaj System 1 System 2 T F G S π/π 1 FP π/π 1 FP1 S1/S1 1 RO S/S 1 A (a) A A A G0 G1 G2 (b) Fig. 2. (a) Indifferentiability framework defined in Def. 1; (b) Schematic diagram for the security games used in the indifferentiability framework for FP (see Sect. 5). The arrows show the directions in which the queries are submitted. System 1 = (T,F) = G0 = (FP,π,π 1 ), and System 2 = (G, S) =G2=(RO, S, S 1 ). The simulator S is an ITM which has oracle access to G and runs in time at most t S. The distinguisher A runs in time at most t A. The number of queries used by A is at most σ. Hereε is a negligible function in the security parameter of T. See Fig. 2(a) for a pictorial representation. Due to page limitation, discussion on the indifferentiability framework has been moved to the full version of the paper [25]. 4 Main Theorem: n/2-bit Indifferentiability Security of the FP Mode Let RO: {0, 1} {0, 1} n and π : {0, 1} 2n {0, 1} 2n are a random oracle and an ideal permutation. Our indifferentiability framework uses three systems G0 =(FP,π,π 1 ), G1 = (FP1, S1, S1 1 ), and G2 = (RO, S, S 1 ) (see Fig. 2(b)). The correspondence between the entities of Figs. 2(a) and 2(b) are as follows: G = RO, T = FP and F =(π, π 1 ). The description of FP1, S, S 1, S1, and S1 1 will be provided in Sect. 5. Now we state our main theorem using Def. 1. Theorem 1 (Main Theorem). The hash function FP π (or FP π,π 1 )is(t A,t S, σ, ε)-indifferentiable from RO, wheret A =, t S = O ( σ 5),andσ K2 n/2, where K is a fixed constant derived from ε. In the next few sections, we will prove Theorem 1 by breaking it into several components. First, we briefly describe what the theorem means: it says that no adversary with unbounded running time can mount a nontrivial generic attack on the hash function FP π using at most K2 n/2 queries. The parameter K is an increasing function in ε, and is constant for all n>0. To reduce the notation complexity, we shall derive the indifferentiability bound assuming ε = 0.5 for which, we shall derive, K =1/ 56. Outline of the Proof. Proof of Theorem 1 consists of the following two components (see Def. 1): (1) Construction of a simulator S = (S, S 1 )withthe

7 A Novel Permutation-Based Hash Mode of Operation FP 515 worst-case running time t S = O ( σ 5). This is done in Sect. 5. (2) Showing that, for any adversary A with unbounded running time, Pr [ A G0 1 ] Pr [ A G2 1 ] 28σ 2 2 n, (1) where the systems G0 =(FP,π,π 1 )andg2 =(RO, S, S 1 ). 3 Proof of (1) is, again, composed of proofs of the following three (in)equations: In Sect. 5, we will concretely define the simulator pair (S, S 1 )andanew system G1. Using them we will show Pr [ A G0 1 ] =Pr [ A G1 1 ]. (2) In Sect. 6, we will appropriately define a set of events BAD i and GOOD i in the system G1, and will establish that Pr [ A G1 1 ] Pr [ A G2 1 ] σ Pr [ ] BAD i GOOD i 1. (3) i=1 In Sect. 7, we complete proof of (1) by establishing that where σ Pr [ ] 28σ 2 BAD i GOOD i 1 i=1 σ Pr [ ] BAD i GOOD i 1 ε =0.5. i=1 The next three sections are devoted to proving (2), (3), and (4). 2 n (4) 5 Proof of (2) This section has two parts. In the first part Sects. 5.1, 5.2, and 5.3 we define the simulator pair (S, S 1 ) of the indifferentiability framework for FP. This completes the description of systems G0 and G2 that are partially specified in Sect. 4. Then we describe a new system G1. In the second part Proposition 1 using the definitions of G0 and G1, we prove (2). In addition, using the definitions of G1 and G2, in Sect. 6, we will prove (3). The pseudocode for all the systems is given in Figs. 3 and 5. In the remainder of the section we explain the systems G0, G1, and G2 in detail with special emphasis on their usefulness in proving our main theorem. 3 Setting 28σ2 2 n ε =1/2, we get σ n/2.

8 516 S. Paul, E. Homsirikamol, and K. Gaj 5.1 Data Structures G0, G1, and G2 use several data structures. Due to limited space the definitions of oracle, query, round, global (and local) variable, reconstruction graphs T π and T s (built by G1 and G2 resp.), reconstructible message, and view have been moved to the full version of the paper [25]. 5.2 Description of the Main Systems G0 and G2 We recall from Sect. 4 that our main task, informally, is to estimate how difficult it is for an arbitrary adversary A to distinguish between the systems G0 and G2. Essentially, we need to design a simulator pair (S, S 1 ) for G2, such that it is hard to tell the systems apart. Although, G0 and G2 are partially defined in Sect. 4, we give the complete description here. The pseudocode is given in Fig. 3. Description of G0. Following the definition provided in Sect. 2, the system G0 implements the FP hash function using the ideal permutations π and π 1. Description of G2. The random oracle RO defined in Sect. 4 is implemented through lazy sampling. The only remaining part is to construct the simulator pair (S, S 1 ). Our design strategy for (S, S 1 ) is fairly straightforward and simple. Before going into the details, we first provide a high level intuition. Intuition behind the design of simulator pair (S, S 1 ). The purpose of the simulator pair (S, S 1 ) is two-fold: (1) to output values that are indistinguishable from the output from the ideal permutation (π, π 1 ), and (2) to respond in such awaythatfp π (M) andro(m) are identically distributed. It will easily follow that as long as the simulator pair (S, S 1 ) is able to output values satisfying the above conditions, no adversary can distinguish between G0 and G2. In order to serve the above purposes, the primary requirement is that the simulator S, for a distinct input x, be assigned a random value such that the distributions of S(x) andπ(x) are close. Similarly, the simulator S 1 for a distinct input r should ensure that the random variables S 1 (r) andπ 1 (r) follow statistically close distributions. Secondly, the simulator S maintains a reconstruction graph T s for D s ;this helps the simulator keep track of all FP-mode-compatible messages (more formally reconstructible messages for D s ) that can be formed using the s-queries and responses. This is done by a special subroutine FullGraph. Informally, a reconstruction graph helps the simulator assess the power of the adversary, since any adversary can construct the graph too. Intuitively, at the time of formation of a reconstructible message, the simulator needs to do some adjustment in its database, so that the outputs from G0 and G2 look the same to the adversary, no matter what query she submits. The pictorial representation of the reconstruction graph T s is given in Fig. 4. Given the current s-query x, the subroutine MessageRecon determines all the new reconstructible messages M by searching through all the branches between

9 A Novel Permutation-Based Hash Mode of Operation FP 517 FP(M) 01. If M Dom(D l) then return D l[m]; 02. m 1m 2...m k := pad n (M); 03. y 0 := IV, y 0 := IV ; 04. for (i := 1, 2,...k) y iy i := π(y i 1 m i) (y i 1 0); 05. r := π(y k y k); 06. D l[m] :=r[n, 2n 1]; 07. return D l[m]; π(x) 11. If x/ Dom(D π) $ then D π[x] {0, 1} 2n \ Rng(D π); 12. return D π[x]; π 1 (r) 21. If r/ Rng(D π) then Dπ 1 [r] 22. return Dπ 1 [r]; $ {0, 1} 2n \ Dom(D π); (a) System G0 = (FP, π, π 1 ). For all i, m i = y i = y i = r/2 = n. RO(M) 001. If M Dom(D l) then return D l[m]; $ 002. D l[m] {0, 1} n ; 003. return D l[m]; S 1 (r) 300. If x 1,x 2 Dom(D s) if D s[x 1]=D s[x 2]=r then return ; 301. if r Rng(D s) then return Ds 1 [r]; 302. if r/ Rng(D s) then x {0, $ 1} 2n ; 303. if x/ Dom(D s) then D s[x] :=r; 304. return x; S(x) 101. r $ {0, 1} 2n ; 102. M := MessageRecon(x); 103. if M =1then r[n, 2n 1] := RO(M); 104. D s[x] :=r; 105. FullGraph; 106. return r; MessageRecon(x) (b) System G2 = (RO, S, S 1 ) M := FindBranch(x); 202. M := {depad(x) X M }; 203. return M; Fig. 3. The main systems G0 and G2 y 0 y 0 = IV IV m 1 m a y 1 y 1 y a y a m 2 y 2 y 2 m 3 y 3 y 3 Fig. 4. The reconstruction graph T s (or T π)updatedbyfullgraph of G2 (or PartialGraph of G1)

10 518 S. Paul, E. Homsirikamol, and K. Gaj the nodes IV IV and x in the graph T s. Then the simulator makes this crucial adjustment: it assigns FP S (M) :=RO(M). It is fairly intuitive that, if S and π produce outputs according to statistically close distributions, then the distributions of FP S (M) andfp π (M) are also close. Since FP S (M) =RO(M), the distributions of RO(M) andfp π (M) are also close. Detailed description of the simulator pair (S, S 1 ). This part has been moved to the full version [25]. 5.3 Description of the Intermediate System G1 The pseudocode is provided in Fig. 5. Detailed description will appear in the full version [25]. Now we are well equipped to prove (2). Proposition 1. For any distinguishing adversary A, Pr [ A G0 1 ] =Pr [ A G1 1 ]. Proof. From the description of S1 and S1 1, we observe that, for all x {0, 1} 2n, S1(x) =π(x) ands1 1 (x) =π 1 (x). Likewise, from the descriptions of FP1 and FP, for all M {0, 1}, FP1(M) =FP(M). 6 Proof of (3) This section is broadly divided into three parts. In the first two parts we concretely define the Type0, Type1, Type2, Type3 and Type4 events of the system G1 (see Fig. 5), based on whether the current π/π 1 is a fresh or an old query. In the last part we prove (3), using the Type0-4 events. 6.1 Events Type0 and Type1: Current π/π 1 -Query Is Fresh Event Type0: Distance of Random Permutation from the Uniform. Consider three different scenarios: when a fresh π-query is an s-query; when afreshπ-query is the final π-query of a long query; when an s 1 -query is a fresh π 1 -query. Type0 event occurs when, in each of the above scenarios, the output of a fresh π/π 1 -query is distinguishable from the uniform distribution U[0, 2 2n 1]. Event Type1: Collision on T π. Due to limited space in this version we only provide the diagram for these events (Fig. 6). A discussion will be given in the full version [25].

11 A Novel Permutation-Based Hash Mode of Operation FP 519 FP1(M) 001. m 1m 2 m k 1m k := pad n (M); 002. y 0 := IV, y 0 := IV ; 003. for (i := 1,,k) { 004. r := π(y i 1m i); 005. y iy i := r (y i 1 0); 006. if y i 1m i is fresh then PartialGraph(y i 1m i,r);} 007. if Type3 then BAD := True ; 008. r := π(y ky k); 009. if Type0-b then BAD := True ; 010. if y ky k is fresh then PartialGraph(y ky k,r); 011. D l[m] :=r[n, 2n 1]; 012. return D l[m]; MessageRecon(x, T s) 201. M := FindBranch(x); 202. M := {depad(x) X M }; 203. return M; π(x) 301. if x/ Dom(D π) then $ D π[x] {0, 1} 2n \ Rng(D π); 302. return D π[x]; π 1 (r) 501. If r/ Rng(D π) then D 1 π $ 502. return D 1 π [r] {0, 1} 2n \ Dom(D π); [r]; S1(x) 100. If Type2 then BAD := True ; 101. r := π(x); 102. if Type0-a then BAD := True ; 103. M:=MessageRecon(x, T s); 104. if M =1 M / Dom(D l) then D l[m] :=r[n, 2n 1]; 105. D s[x] :=r; 106. if x is fresh then PartialGraph(x, r); 107. return r; S1 1 (r) 601. if Type4 then BAD := True ; 602. x := π 1 (r); 603. if Type0-c then BAD := True ; 604. if Type1-c then BAD := True ; 605. D s[x] :=r; 606. return x; PartialGraph(x, r) 401. x parse y cm; r parse y y ; 402. C := CreateCoset(y c); 403. E := {(y cy c,m,yy ) y := y y c,y cy c C}; 404. for e E { AddEdge(e); if Type1-a Type1-b then BAD := True ;} Fig. 5. System G1. m i = m = y i = y i = y c = y c = y = y = y = r/2 = n, for all i. 6.2 EventsType2,3and4:Currentπ/π 1 -Query Is Old Classification of Old Queries and the Branches of T π. Before we define the Type2, 3 and 4 events, we first classify all the old query-response pairs for the oracles π/π 1 stored in D π, according to its known and unknown parts. The known part of a query-response pair is the part that is present in the view of the system G1, or it can be derived from the view with probability 1; the unknown part is not present in the view, and it cannot be derived from the view with probability 1. We observe that there are six types of such a pair, and we denote them by Q0, Q1, Q2, Q3, Q4 and Q5 in Fig. 7(a); the head and tail nodes in each type denote the input and output, each 2n bits. Two-sided arrowhead indicates that the corresponding input-output pair is generated from either a π-query or a π 1 -query. The red and green circles denote the unknown and known parts, n bits each.

12 520 S. Paul, E. Homsirikamol, and K. Gaj y c y c y c y c m Fresh Old Fresh Old y y = = y y Old = Fresh Node collision (n bits) (Type1-a) Forward query collision (n bits) (Type1-b) Reverse query collision (n bits) (Type1-c) Fig. 6. Type1 events of G1. All arrows are n bits each. Red arrow denotes fresh n bits of output from the ideal permutation π/π 1. The symbol = denotes n-bit equality. In a similar way, the branches of T π canbeclassifiedintofourtypes,asshown in Fig 7(b). Event Type2: Current s-query is π-query of a Previous Long Query. Discussion on this event has been moved to the full version [25]. Event Type3: Current π-query of a red Branch is the Final Query for the Current Long Query. Several types of red branch (I), (II), and (III) are shown in Fig. 7(b)(I) to (III). There are three types of Type3 event: (Type3-a) if the current long query M with m 1 m 2 m k = pad n (M) formsared branch of type (I). 4 (Type3-b) if M is a red branch of type (II), and if the most significant n bits of output can be distinguished from the uniform distribution U[0, 2 n 1]. (Type3-c) if M is a red branch of type (III). Event Type4: Current s 1 -query Input Matches Output of a π-query of a Previous Long Query. The Type4 event occurs, if the current s 1 -query is equal to an old query of type Q1, Q2, Q3, Q4 or Q Proof of (3) With the help of the Type0 to 4 events described before, we are equipped to prove (3). First, we fix a few definitions in order for (3) to make sense. 4 Observe that this case implies a node collision in T π,sincethey k y k is the final π- query for two distinct long queries, the current M and also an old one. Therefore, if Type1 event did not occur in the previous rounds, this event is impossible in the current round.

13 A Novel Permutation-Based Hash Mode of Operation FP 521 Q0 Q1 Q2 Q3 Q4 Q5 (a) Q0, Q1, Q2, Q3, Q4, and Q5 denote six types of π/π 1 -query and response. IV IV IV IV IV IV IV IV Q0 Q0 y 1y 1 y 1y 1 Q1 Q2 Q3 Q4 Q5 y 1y 1 Q0 Q0 Q0 Q0 Q0 y ky k Q1/Q2/Q5 y ky k Q3/Q4 Q0 y ky k y ky k Q0 (I) (II) (III) (IV) (b) Several types of branch in T π.(i),(ii)and(ii)arecalledred branches. Fig. 7. Several types of old π/π 1 -queries and branches in T π Events GOOD i and BAD i. BAD i denotes the event when the variable BAD is set during round i of G1, that is, when Type0, Type1, Type2, Type3 or Type4 event occurs. Let the symbol GOOD i denote the event i j=1 BAD i.thesymbol GOOD 0 denotes the event when no queries are submitted. From a high level, the intuition behind the construction of the BAD i event is straightforward: we will show that if BAD i does not occur, and if GOOD i 1 did occur, then the views of G1 and G2 (after i rounds) are identically distributed for any attacker A. We move the entire proof, which is based on induction on the number of rounds, to the full version [25].

14 522 S. Paul, E. Homsirikamol, and K. Gaj 7 Proof of (4) To prove (4), we need to compute the probability of occurrence of Type0, Type1, Type2, Type3 and Type4 events described in the previous sections. Since we assume σ i=1 Pr[ ] BAD i GOOD i 1 ε =1/2, GOODi 1/2 for all 0 i σ. The Type1 events guarantee that GOOD i 1 implies T π has i nodes after i 1 rounds. We assume i 2 n/2 ;thisimplies(2 n i) 1 2 2n. Now from Fig. 6 we obtain, Pr [ ] Type0 i GOOD i 1 3/(2 2n i) 1 2 n, ] Pr [Type1 i GOOD i 1 3i/(2 n i) 6i 2 n. Using the definition of Type2, Type3, and Type4 events, it is straightforward to deduce: Pr [ Type2 i GOOD i 1 ] Pr [ Type2 i ] Pr [ GOOD i 1 ] 2 5i 2 n i 20i 2 n, Pr [ ] Pr [ ] Type3 Type3 i GOOD i 1 i Pr [ 2 ] 2 GOOD i 1 2 n i 8 2 n, Pr [ ] Pr [ ] Type4 Type4 i GOOD i 1 i Pr [ 5i ] 2 GOOD i 1 2 n i 20i 2 n. We conclude by combining the above bounds into the following inequality which holds for 1 i σ: σ Pr [ ] σ 55i BAD i GOOD i 1 2 n 28σ2 2 n. i=1 i=1 8 A New Hash Function Family SAMOSA Now we design a concrete hash function family SAMOSA basedonthefp mode defined in Sect. 2. In the subsequent sections, we also provide security analysis and hardware implementation results of SAMOSA. 8.1 Description of SAMOSA SAMOSA hash family is based on the FP mode and P-permutation of the Grøstl hash function family. Letting n denote the length of hash in bits (n = 256 and 512 bits), the complete description of the hash function SAMOSA-n is provided in Fig. 8. SAMOSA is composed of three components: (1) The FP mode and the padding rule pad n ( ) (see Section 2), (2) IV IV = 0 n n n, and (3) the Grøstl permutation P 2n (see [14]). The pseudocode for P 512 and P 1024 isgiveninthe full version [25]. Security Analysis of the SAMOSA Family. Discussion on this section will appear in the full version of the paper [25].

15 A Novel Permutation-Based Hash Mode of Operation FP 523 SAMOSA-256(M) 01. m 1m 2...m k 1m k := pad 256 (M); 02. y 0 y 0 := ; 03. for(i := 1, 2,...k) y i y i := P 512(y i 1 m i) (y i ); 04. r := P 512(y k y k); 05. return r[256, 511]; SAMOSA-512(M) 11. m 1m 2...m k 1m k := pad 512 (M); 12. y 0 y 0 := ; 13. for(i := 1, 2,...k) y i y i := P 1024(y i 1 m i) (y i ); 14. r := P 1024(y k y k); 15. return r[512, 1023]; Fig. 8. SAMOSA-256 and SAMOSA FPGA Implementations of SAMOSA-256 and SAMOSA Motivation and Previous Work In case the security of two competing cryptographic algorithms is the same or comparable, their performance in software and hardware decides which one of them get selected for use by standardization organizations and industry. In this section, we will analyze how SAMOSA compares to Grøstl, one of the five final SHA-3 candidates, from the point of view of performance in hardware. This comparison makes sense, because both algorithms share a very significant part, permutation P, but differ in terms of the mode of operation. The FP mode requires only a single permutation, so using permutation P is sufficient. The Grøstl mode relies on the use of two related permutations, P and Q, which can be executed in parallel. Our goal is to determine how much savings in terms of hardware area are introduced by replacing the Grøstl construction for hash function with the FP mode. We also would like to know whether these savings come at the expense of any significant throughput drop. Finally, we would like to analyze how significant is the improvement in terms of the throughput to area ratio, a primary metric used to evaluate the efficiency of hardware implementations in terms of a trade-off between speed and cost of the implementation. Among many implementations of Grøstl, the one by Latif et al. [24] is currently the most efficient on Virtex 5, this implementation relies on the use of low-level Xilinx FPGA primitives, and as a result is not portable to FPGAs of other vendors, such as Altera. Since our implementation of SAMOSA presented in this paper is fully portable, and does not use any low-level primitives, we compare it with the second best design of Grøstl reported earlier in the literature [13], which has the same features. This design is based on the quasi-pipelined basic iterative architecture denoted as x1 (P/Q). This way, we will be also able to provide comparison for an alternative FPGA family, Stratix III from Altera. 9.2 High-Speed Architectures of SAMOSA and Grøstl Due to the space constraint we move this useful section entirely to the full version of the paper [25].

16 524 S. Paul, E. Homsirikamol, and K. Gaj 9.3 Comparison of SAMOSA and Grøstl in Terms of the Hardware Performance Below, we compare SAMOSA and Grøstl in terms of three major hardware performance metrics: Area, Throughput, and Throughput to Area Ratio. The exact results of the comparison generated using Xilinx ISE v13.1 are shown in Table 2. In the full version of the paper [25], we also provide results generated using Altera Quartus II v11.1. Automated Tool for Hardware EvaluatioN (ATHENa) [2] was used to automate the optimization and result extraction process. No low-level primitives and no embedded resources (such as Block Memories or DSP units) were used in our implementations, which makes them fully portable among multiple FPGA families from various vendors. Each design has been implemented in two different versions: with and without padding unit. The designs with padding unit are more complete, while the designs without padding units are more suitable for comparison with hardware implementations presented in earlier academic papers on Grøstl and other SHA-3 candidates (as these implementations typically did not contain padding units). Comparison in Terms of Area. As shown in Table 2, for comparable hardware architectures, SAMOSA has significantly lower area requirements than Grøstl. For Xilinx FPGAs, the area reduction is between 27 and 35%; for Altera FPGAs, it is between 31 and 34%. This reduction is explained below. First, P round is simpler than P/Q round, as the relevant logic does not need to be switched from implementing P permutation to implementing Q permutation of Grøstl. Although both permutations are quite similar, they still differ in two out of four major operations: AddRoundConstant and ShiftBytes. Additional area requirements may result from inserting a pipeline register between two stages of the P/Q round. The total width of the multiplexers, outside of the P round in SAMOSA is 4h. The width of similar multiplexers outside of the P/Q round in Grøstl is 5b =10h. Finally, the number of the 2-input XOR gates in SAMOSA is h, while in Grøstl it is 3b =6h. Additionally, in the designs with padding unit, SAMOSA benefits from eliminating Block Counter from the padding logic. All these differences amount to a significant advantage of SAMOSA over Grøstl in terms of the circuit area. This advantage is particularly important considering one of the major weakness of Grøstl is its inherently large area in any high-speed hardware implementations. Comparison in Terms of Throughput. We move this material to the full version of the paper [25]. 9.4 Comparison of SAMOSA with the SHA-3 Finalists Table 3 presents the comparison between SAMOSA and the SHA-3 finalists using the best single-message architecture, i.e., architecture capable of processing only one message at a time (more results are available in the full version of the paper). All algorithms have been implemented without padding units, in two variants,

17 A Novel Permutation-Based Hash Mode of Operation FP 525 Table 2. Implementation results of Grøstl and SAMOSA for Xilinx Virtex 5. CLB stands for Configurable Logic Block. Grøstl Samosa Percentage Grøstl Samosa Percentage Difference [%] Difference [%] Without Padding Unit With Padding Unit 256-bit Frequency (MHz) Throughput (Mbit/s) Area (CLB slices) Throughput/Area ((Mbit/s)/CLB slices) 512-bit Frequency (MHz) Throughput (Mbit/s) Area (CLB slices) Throughput/Area ((Mbit/s)/CLB slices) Table 3. SAMOSA and the best single message architectures of the SHA-3 finalists for the 256-bit variants of hash functions Xilinx Virtex 5 Altera Stratix III Ranking Architecture Throughput Area TP/Area Ranking Architecture Throughput Area TP/Area (Mbits/s) (CLB slices) (Mbits/s) (ALUTs) Keccak x Keccak x JH x JH x SAMOSA x SAMOSA x Grøstl x1 (P/Q) Grøstl /2(v) (P/Q) Skein x Skein x BLAKE /4(v)/4(h) BLAKE /2(h) with 256-bit and 512-bit output, in Xilinx Virtex 5 and Altera Stratix III FPGAs. The primary metric used for comparison is throughput to area ratio. 10 Conclusion and Open Problems This paper gives proposal for a novel permutation based hash mode of operation named FP. Our indifferentiability security analysisestablishes thatthe new mode is secure against all generic attacks up to approximately 2 n/2 queries; more interestingly, our experimental results suggest that the security bound can be improved to nearly 2 n queries (n is the hash size in bits). We leave the proof of this improved result as an open problem. We also design a concrete hash function family SAMOSA based on the FP mode and the P permutations of the SHA-3 finalist Grøstl; we claim it is hard to attack SAMOSA with complexities significantly less than the brute force. Our FPGA hardware implementations of SAMOSA show remarkable improvement in the throughput to area ratio compared to the SHA-3 finalists Grøstl, BLAKE and Skein. It is still not known how efficient SAMOSA is in software. We leave the software implementations of SAMOSA as future work.

18 526 S. Paul, E. Homsirikamol, and K. Gaj Acknowledgment. The authors like to thank Dustin Moody and Daniel Smith- Tone for numerous helpful discussions. References 1. Andreeva, E., Mennink, B., Preneel, B.: The parazoa family: generalizing the sponge hash functions. Int. J. Inf. Sec. 11(3), (2012) (Cited on page 510.) 2. ATHENa Project Website, (Cited on page 524.) 3. Biryukov, A., Dunkelman, O., Keller, N., Khovratovich, D., Shamir, A.: Key Recovery Attacks of Practical Complexity on AES-256 Variants with up to 10 Rounds. In: Gilbert, H. (ed.) EUROCRYPT LNCS, vol. 6110, pp Springer, Heidelberg (2010) (Cited on page 510.) 4. Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Sponge Functions. In: ECRYPT 2007 (2007), (accessed March 2012) (Cited on page 510.) 5. Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: On the Indifferentiability of the Sponge Construction. In: Smart, N.P. (ed.) EUROCRYPT LNCS, vol. 4965, pp Springer, Heidelberg (2008) (Cited on page 511.) 6. Bhattacharyya, R., Mandal, A.: On the Indifferentiability of Fugue and Luffa. In: Lopez, J., Tsudik, G. (eds.) ACNS LNCS, vol. 6715, pp Springer, Heidelberg (2011) (Cited on page 511.) 7. Bhattacharyya, R., Mandal, A., Nandi, M.: Security Analysis of the Mode of JH Hash Function. In: Hong, S., Iwata, T. (eds.) FSE LNCS, vol. 6147, pp Springer, Heidelberg (2010) (Cited on page 511.) 8. Black, J., Rogaway, P., Shrimpton, T.: Black-Box Analysis of the Block-Cipher- Based Hash-Function Constructions from PGV. In: Yung, M. (ed.) CRYPTO LNCS, vol. 2442, pp Springer, Heidelberg (2002) (Cited on page 510.) 9. Blackburn, S.R., Stinson, D.R., Upadhyay, J.: On the complexity of the herding attack and some related attacks on hash functions. Des. Codes Cryptography 64(1-2), (2012) (Cited on page 510.) 10. Coron, J.-S., Dodis, Y., Malinaud, C., Puniya, P.: Merkle-Damgård Revisited: How to Construct a Hash Function. In: Shoup, V. (ed.) CRYPTO LNCS, vol. 3621, pp Springer, Heidelberg (2005) (Cited on pages 510 and 513.) 11. De Cannière, C., Sato, H., Watanabe, D.: The Luffa Hash Function. In: The 1st SHA-3 Candidate Conference (Cited on page 510.) 12. Dodis, Y., Reyzin, L., Rivest, R.L., Shen, E.: Indifferentiability of Permutation- Based Compression Functions and Tree-Based Modes of Operation, with Applications to MD6. In: Dunkelman, O. (ed.) FSE LNCS, vol. 5665, pp Springer, Heidelberg (2009) (Cited on page 511.) 13. Gaj, K., Homsirikamol, E., Rogawski, M., Shahid, R., Sharif, M.U.: Comprehensive Evaluation of High-Speed and Medium-Speed Implementations of Five SHA- 3 Finalists Using Xilinx and Altera FPGAs. Cryptology eprint Archive, Report 2012/368 (2012), (Cited on pages 512 and 523.) 14. Gauravaram, P., Knudsen, L., Matusiewicz, K., Mendel, F., Rechberger, C., Schlaffer, M., Thomsen, S.: Groestl - a SHA-3 candidate. In: The 1st SHA-3 Candidate Conference (Cited on pages 510, 511 and 522.)

19 A Novel Permutation-Based Hash Mode of Operation FP Joux, A.: Multicollisions in Iterated Hash Functions. Application to Cascaded Constructions. In: Franklin, M. (ed.) CRYPTO LNCS, vol. 3152, pp Springer, Heidelberg (2004) (Cited on page 510.) 16. Küçük, Ö.: Design and Analysis of Cryptographic Hash Functions. PhD thesis, KU Leuven (2012), (Cited on page 511.) 17. Kelsey, J., Kohno, T.: Herding Hash Functions and the Nostradamus Attack. In: Vaudenay, S. (ed.) EUROCRYPT LNCS, vol. 4004, pp Springer, Heidelberg (2006) (Cited on page 510.) 18. Kelsey, J., Schneier, B.: Second Preimages on n-bit Hash Functions for Much Less than 2 n Work. In: Cramer, R. (ed.) EUROCRYPT LNCS, vol. 3494, pp Springer, Heidelberg (2005) (Cited on page 510.) 19. Matusiewicz, K., Naya-Plasencia, M., Nikolić, I., Sasaki, Y., Schläffer, M.: Rebound Attack on the Full Lane Compression Function. In: Matsui, M. (ed.) ASI- ACRYPT LNCS, vol. 5912, pp Springer, Heidelberg (2009) (Cited on page 511.) 20. Maurer, U.M., Renner, R., Holenstein, C.: Indifferentiability, Impossibility Results on Reductions, and Applications to the Random Oracle Methodology. In: Naor, M. (ed.) TCC LNCS, vol. 2951, pp Springer, Heidelberg (2004) (Cited on page 513.) 21. Moody, D., Paul, S., Smith-Tone, D.: Improved Indifferentiability Security Bound for the JH Mode. In: 3rd SHA-3 Candidate Conference (2012) (Cited on page 511.) 22. NIST. Secure hash standard. In: Federal Information Processing Standard, FIPS (April 1995) (Cited on page 509.) 23. Nandi, M., Paul, S.: Speeding Up the Wide-Pipe: Secure and Fast Hashing. In: Gong, G., Gupta, K.C. (eds.) INDOCRYPT LNCS, vol. 6498, pp Springer, Heidelberg (2010) (Cited on page 510.) 24. Latif, K., Rao, M.M., Aziz, A., Mahboob, A.: Efficient Hardware Implementations and Hardware Performance Evaluation of SHA-3 Finalists. In: The Third SHA-3 Candidate Conference, Washington D.C., March (2012) (Cited on page 523.) 25. Paul, S., Homsirikamol, E., Gaj, K.: A Novel Permutation-based Hash Mode of Operation FP and The Hash Function SAMOSA. Full version will appear in IACR eprint Archive (Cited on pages 513, 514, 516, 518, 520, 521, 522, 523 and 524.) 26. Rivest, R.: The MD5 message-digest algorithm. IETF RFC 1321 (1992) (Cited on page 509.) 27. Rivest, R.: The MD6 Hash Function (Cited on page 510.) 28. Wu, H.: The JH Hash Function. In: The 1st SHA-3 Candidate Conference (2009) (Cited on page 510.)