AURORA: A Cryptographic Hash Algorithm Family


Submitters: Sony Corporation (1) and Nagoya University (2)
Algorithm Designers: Tetsu Iwata (2), Kyoji Shibutani (1), Taizo Shirai (1), Shiho Moriai (1), Toru Akishita (1)
January 9, 2009


Executive Summary

We present a new hash function family, AURORA, as a candidate for the new cryptographic hash algorithm (SHA-3) family. The family consists of the algorithms AURORA-224, AURORA-256, AURORA-384, AURORA-512, AURORA-224M, and AURORA-256M, where AURORA-224M and AURORA-256M are optional instances designed to have multicollision resistance.

AURORA-224 and AURORA-256 are constructed from a secure and efficient compression function using a security-enhanced Merkle-Damgård transform, i.e., the strengthened Merkle-Damgård transform with a finalization function. The compression function is designed on the well-established design techniques for blockciphers and uses the Davies-Meyer construction. Since most existing attacks on hash functions exploit the simplicity of the message scheduling, we employ a secure message scheduling, which is a different design philosophy from that of the MDx family including SHA-2.

AURORA-384 and AURORA-512 employ a novel domain extension transform called the Double-Mix Merkle-Damgård (DMMD) transform. The DMMD transform consists of two parallel lines of compression functions with mixing functions inserted at intervals. This domain extension transform enables an efficient collision-resistant construction for double-length hash functions. Furthermore, the combination of the compression function and the DMMD transform gains further efficiency by sharing the message scheduling of the two compression functions. The overall structure of AURORA-224M and AURORA-256M is the same as that of AURORA-384/512 except for the constants and the final mixing function. The DMMD transform also opens a new, efficient way of providing multicollision resistance, and AURORA-224M and AURORA-256M achieve multicollision resistance efficiently by using it. As a result, the AURORA family achieves consistency of design, because all algorithms use similar 256-bit compression functions as building blocks.

Moreover, the AURORA family achieves high efficiency on many platforms. In software on the NIST reference platform (64-bit), AURORA-256 achieves 15.4 cycles/byte and AURORA-512 achieves 27.4 cycles/byte. AURORA also shows good performance across a variety of platforms, because it uses platform-independent operations. In hardware, AURORA allows a variety of implementations, from high-speed to area-restricted ones. Using a 0.13 µm CMOS ASIC library, AURORA-256 can be implemented with only 11.1 Kgates in an area-optimized implementation; in a speed-optimized implementation, AURORA-256 achieves a highest throughput of 10.4 Gbps. For AURORA-512, the smallest size is 14.6 Kgates and the highest throughput is 9.1 Gbps. This good performance in both hardware and software within a single algorithm family, based on the design techniques above, makes a clear distinction between the AURORA family and the SHA-2 family.


Contents

1 Introduction
2 Specification of AURORA
  2.1 Notation
  2.2 Building Blocks: Message Scheduling Module (MSM); Chaining Value Processing Module (CPM); Byte Diffusion Function (BD); F-Functions F_0, F_1, F_2, and F_3; Data Rotating Function (DR)
  2.3 Specification of AURORA-256: Overall Structure; Compression Function (CF); Finalization Function (FF); Alternate Method for Computing CF and FF
  2.4 Specification of AURORA-224
  Specification of AURORA-512: Overall Structure; Compression Functions CF_0, CF_1, ..., CF_7; Mixing Function (MF); Mixing Function for Finalization (MFF)
  Specification of AURORA-384
  Specification of AURORA-256M (optional): Overall Structure; Compression Functions CF^M_0, CF^M_1, ..., CF^M_7; Mixing Function (MF^M); Mixing Function for Finalization (MFF^M)
  Specification of AURORA-224M (optional)
  Constant Values: Constant Values for AURORA-224/256; Constant Values for AURORA-384/512; Constant Values for AURORA-224M/256M; List of Constant Values
  Pseudocodes
  AURORA Examples
3 Design Rationale of AURORA
  AURORA-224/256: Domain Extension; Compression Function
  AURORA-384/512: Domain Extension (Double-Mix Merkle-Damgård transform); 3.2.2 Compression Function
  AURORA-224M/256M: Domain Extension; Compression Function
  Components and Constants: AURORA Structure; F-function; Data Rotating Function; Truncation Functions; Constant Generation; Initial Value
4 Security of AURORA
  Expected Strength
  Security Argument: Security of HMAC using AURORA; Security Proofs of DMMD Transform; Security Properties of AURORA structure
  Algorithm Analysis: Collision Attacks; Preimage Attacks; Second Preimage Attacks; Length-Extension Attack; Multicollision Attack; Slide Attacks
  Tunable Security Parameters: Number of Rounds; Variable Hash Size
5 Efficient Implementation of AURORA
  Software Implementation: Implementation Types; Evaluation Results
  Hardware Implementation: Optimization Techniques of F-functions; Data Path Architectures; Evaluation Results
6 Applications of AURORA
  Digital Signature; Keyed-Hash Message Authentication Code (HMAC); Key Establishment Schemes Using Discrete Logarithm Cryptography; Random Number Generation Using Deterministic Random Bit Generators
7 Advantages and Limitations

Chapter 1 Introduction

This document describes the algorithm specifications and the supporting documentation, including the design rationale, security, efficient implementation, applications, advantages and limitations, of the hash function family AURORA, which we submit as a candidate for the new cryptographic hash algorithm (SHA-3) family. Since SHA-3 is expected to provide a substitute for the SHA-2 family, AURORA is designed to preserve certain properties of the SHA-2 family, including the input parameters, the output sizes, collision resistance, preimage resistance, second-preimage resistance, and the one-pass streaming mode of execution, according to the requirements for SHA-3 candidates [3]. Moreover, AURORA is designed to offer features that exceed those of the SHA-2 family. AURORA is designed on the following design philosophy.

Security: Its security level should be guaranteed by security proofs or security arguments as far as possible. There is no known structural weakness in the design of the domain extension transform, and the security of the hash function is supported by security proofs. In the design of a compression function, the structure and the components should be chosen to facilitate analysis and to utilize the well-established techniques for blockcipher design and analysis. It should be designed on design criteria different from those of the MDx family including SHA-2, so that a possibly successful attack on SHA-2 is unlikely to be applicable to it.

Implementation Efficiency and Flexibility: It should be designed to have better efficiency than the SHA-2 family on many platforms. Also, it should be less platform-specific: it should be implementable efficiently on a wide range of software platforms (32-bit, 64-bit and 8-bit processors with various compilers and operating systems) without optimization techniques dedicated to specific processors, and it should be suitable for flexible hardware implementations with a wide variety of area/speed trade-offs.

Originality: It should contain technical breakthroughs that improve security and/or efficiency, not just a combination of existing techniques.

Similarity among the Algorithm Family: According to the NIST requirements [3] (NIST does not intend to select a wholly distinct algorithm for each of the minimally required message digest sizes), all the hash function instances with hash sizes of 224, 256, 384, and 512 bits should be designed under a consistent design philosophy. Concretely, by using the same structure and components, e.g., S-boxes and matrices, they should allow security arguments and performance evaluation in a unified framework.

Table 1.1: The hash function family AURORA.

Name         | max. message size (bits) | message block size (bits) | chaining value size (bits) | hash size (bits)
AURORA-224   | 512 (2^64 − 1)           | 512                       | 256                        | 224
AURORA-256   | 512 (2^64 − 1)           | 512                       | 256                        | 256
AURORA-384   | 512 (2^64 − 1)           | 512                       | 512                        | 384
AURORA-512   | 512 (2^64 − 1)           | 512                       | 512                        | 512
optional instances
AURORA-224M  | 512 (2^64 − 1)           | 512                       | 512                        | 224
AURORA-256M  | 512 (2^64 − 1)           | 512                       | 512                        | 256

The hash function family AURORA. To put the design philosophy into practice, we designed the hash function family AURORA, which consists of the algorithms AURORA-224, AURORA-256, AURORA-384, AURORA-512, AURORA-224M, and AURORA-256M. AURORA-224, AURORA-256, AURORA-384 and AURORA-512 support hash sizes of 224, 256, 384, and 512 bits, respectively. AURORA-224M and AURORA-256M support hash sizes of 224 and 256 bits, respectively. They are optional instances designed to have multicollision resistance by increasing the internal chaining value size ("M" stands for multicollision resistance). Every instance of the AURORA family supports a maximum message length of 512 (2^64 − 1) bits, which meets the minimum acceptability requirement regarding the maximum message length. Table 1.1 presents the basic properties of the AURORA family.

AURORA-224 and AURORA-256 are constructed from a secure and efficient compression function using a security-enhanced Merkle-Damgård transform, i.e., the strengthened Merkle-Damgård transform with a finalization function. The compression function is designed on the well-established design techniques for blockciphers and uses the Davies-Meyer construction. Since most existing attacks on hash functions exploit the simplicity of the message scheduling, we employ a secure message scheduling, which is a different design philosophy from that of the MDx family including SHA-2.

AURORA-384 and AURORA-512 employ a novel domain extension transform called the Double-Mix Merkle-Damgård (DMMD) transform. The DMMD transform consists of two parallel lines of compression functions with mixing functions inserted at intervals. This domain extension transform enables an efficient collision-resistant construction for double-length hash functions. Furthermore, the combination of the compression function of AURORA and the DMMD transform gains further efficiency by sharing the message scheduling of the two compression functions. The overall structure of AURORA-224M and AURORA-256M is the same as that of AURORA-384/512 except for the constants and the final mixing function. The DMMD transform also opens a new, efficient way of providing multicollision resistance, and AURORA-224M and AURORA-256M achieve multicollision resistance efficiently by using it. As a result, the AURORA family achieves consistency of design, because all algorithms use similar 256-bit compression functions as building blocks.

Moreover, the AURORA family achieves high efficiency on many platforms. In software on the NIST reference platform (64-bit), AURORA-256 achieves 15.4 cycles/byte and AURORA-512 achieves 27.4 cycles/byte. AURORA also shows good performance across a variety of platforms, because it uses platform-independent operations. In hardware, AURORA allows a variety of implementations, from high-speed to area-restricted ones. Using a 0.13 µm CMOS ASIC library, AURORA-256 can be implemented with only 11.1 Kgates in an area-optimized implementation; in a speed-optimized implementation, AURORA-256 achieves a highest throughput of 10.4 Gbps. For AURORA-512, the smallest size is 14.6 Kgates and the highest throughput is 9.1 Gbps.

Organization of the document. This document is organized as follows. Chapter 2 describes the specification of the AURORA family. Chapter 3 provides the design rationale. Chapter 4 explains all aspects of security: the security argument and the algorithm analysis. Chapter 5 shows the efficient implementation results of AURORA. Chapter 6 describes the usage of AURORA in important applications. Finally, AURORA's advantages and limitations are described in Chapter 7.


Chapter 2 Specification of AURORA

2.1 Notation

We first describe the notation, conventions and symbols used throughout this document.

The prefix 0x denotes hexadecimal numbers.
A bit string x with the suffix (n), written x^{(n)}, is n bits long. The suffix is omitted when there is no ambiguity.
For bit strings x and y, x ‖ y or (x, y) is their concatenation.
For bit strings x and y, x ← y means that the bit string x is updated by the bit string y.
For an nl-bit x, we write (x_0^{(n)}, x_1^{(n)}, ..., x_{l−1}^{(n)}) ← x^{(nl)} to mean that x is divided into (x_0, x_1, ..., x_{l−1}), where (x_0^{(n)} ‖ x_1^{(n)} ‖ ... ‖ x_{l−1}^{(n)}) = x^{(nl)}.
For a bit string x^{(n)} and an integer l, x ⋘_n l is the l-bit left cyclic shift of x, and x ⋙_n l is the l-bit right cyclic shift of x.
For bit strings x_0, x_1, ..., x_{n−1}, {x_j}_{0≤j<n} is shorthand for (x_0, x_1, ..., x_{n−1}).
For an integer l, 0^l is the l-fold repetition of the zero bit and 1^l is the l-fold repetition of the one bit.
For a bit string x, x̄ is the bit-wise complement of x.
For an element of GF(2^n) represented as the polynomial x_{n−1} α^{n−1} + x_{n−2} α^{n−2} + ... + x_1 α + x_0, where α is a root of an irreducible polynomial, x_{n−1} x_{n−2} ... x_1 x_0 denotes the bit representation of the polynomial.

The following variables and symbols have specific meanings.

M: the input message.
M_i: the i-th block of the message (after padding).
m: the length of M in blocks (after padding).
H_i: the i-th chaining value.
MSM: the Message Scheduling Module.
CPM: the Chaining value Processing Module.
BD: the Byte Diffusion function.
DR: the Data Rotating function.
PROTL: the Partial ROTating Left function.
PROTR: the Partial ROTating Right function.
Pad: the Padding function.
Len_n: the length of the input message in blocks, encoded into n bits.
TF_n: the Truncation Function that outputs n bits.
F_0, F_1, F_2, and F_3: the F-functions.
M_0, M_1, M_2, and M_3: the matrices used in the F-functions.
S: the S-box.

The following symbols are used for AURORA-224/256.

CF: the Compression Function for AURORA-224/256.
MS_L and MS_R: the Message Scheduling functions for CF.
CP: the Chaining value Processing function for CF.
FF: the Finalization Function for AURORA-224/256.
MSF_L and MSF_R: the Message Scheduling functions for Finalization, for FF.
CPF: the Chaining value Processing function for Finalization, for FF.
CONM_{L,j} and CONM_{R,j}: the CONstants for MS_L, MS_R, MSF_L, and MSF_R.
CONC_j: the CONstants for CP and CPF.

The following symbols are used for AURORA-384/512.

CF_0, CF_1, ..., CF_7: the Compression Functions for AURORA-384/512.
MF: the Mixing Function for AURORA-384/512.
MFF: the Mixing Function for Finalization for AURORA-384/512.
MS_{L,s} and MS_{R,s}: the Message Scheduling functions for CF_s (0 ≤ s ≤ 7), MF (s = 8), and MFF (s = 9).
CP_{L,s} and CP_{R,s}: the Chaining value Processing functions for CF_s (0 ≤ s ≤ 7), MF (s = 8), and MFF (s = 9).
CONM_{L,s,j} and CONM_{R,s,j}: the CONstants used in MS_{L,s} and MS_{R,s}, respectively.
CONC_{L,s,j} and CONC_{R,s,j}: the CONstants used in CP_{L,s} and CP_{R,s}, respectively.

The following symbols are used for AURORA-224M/256M.

CF^M_0, CF^M_1, ..., CF^M_7: the Compression Functions for AURORA-224M/256M.
MF^M: the Mixing Function for AURORA-224M/256M.
MFF^M: the Mixing Function for Finalization for AURORA-224M/256M.
MS^M_{L,s} and MS^M_{R,s}: the Message Scheduling functions for CF^M_s (0 ≤ s ≤ 7), MF^M (s = 8), and MFF^M (s = 9).
CP^M_{L,s} and CP^M_{R,s}: the Chaining value Processing functions for CF^M_s (0 ≤ s ≤ 7), MF^M (s = 8), and MFF^M (s = 9).
CONM^M_{L,s,j} and CONM^M_{R,s,j}: the CONstants used in MS^M_{L,s} and MS^M_{R,s}, respectively.
CONC^M_{L,s,j} and CONC^M_{R,s,j}: the CONstants used in CP^M_{L,s} and CP^M_{R,s}, respectively.

2.2 Building Blocks

In this section, the essential building blocks for constructing the AURORA algorithms are specified.

2.2.1 Message Scheduling Module: MSM

The message scheduling module, MSM, takes two inputs: a bit string X^{(256)} and a set of bit strings {Y_j^{(32)}}_{0≤j<32}. The output is a set of bit strings {Z_j^{(32)}}_{0≤j<72}. MSM internally uses a byte diffusion function BD : ({0,1}^32)^8 → ({0,1}^32)^8, which is a permutation over ({0,1}^32)^8 and is defined in Sec. 2.2.3. MSM is parameterized by two functions F and F', where
  F : {0,1}^32 → {0,1}^32,  F' : {0,1}^32 → {0,1}^32.   (2.1)
We write MSM[F, F'] when we emphasize that it is parameterized by the functions F and F'. MSM[F, F'] is specified as follows.

Step 1. Let (X_0^{(32)}, X_1^{(32)}, ..., X_7^{(32)}) ← X^{(256)}.
Step 2. Let (X_1, X_3, X_5, X_7) ← (X_1, X_3, X_5, X_7) ⊕ (Y_0, Y_1, Y_2, Y_3).
Step 3. Let (Z_0, Z_1, ..., Z_7) ← (X_0, X_1, ..., X_7).
Step 4. (7 round iterations) The following operations are iterated for i = 1 to 7.
  (X_0, X_1, ..., X_7) ← BD(X_0, X_1, ..., X_7)
  (X_0, X_2, X_4, X_6) ← (F(X_0), F'(X_2), F(X_4), F'(X_6))
  (X_1, X_3, X_5, X_7) ← (X_1, X_3, X_5, X_7) ⊕ (Y_{4i}, Y_{4i+1}, Y_{4i+2}, Y_{4i+3})
  (X_1, X_3, X_5, X_7) ← (X_1, X_3, X_5, X_7) ⊕ (X_0, X_2, X_4, X_6)
  (Z_{8i}, Z_{8i+1}, ..., Z_{8i+7}) ← (X_0, X_1, ..., X_7)
Step 5. (8th round) Then the following operations are executed.
  (X_0, X_1, ..., X_7) ← BD(X_0, X_1, ..., X_7)
  (X_0, X_2, X_4, X_6) ← (F(X_0), F'(X_2), F(X_4), F'(X_6))
  (X_1, X_3, X_5, X_7) ← (X_1, X_3, X_5, X_7) ⊕ (X_0, X_2, X_4, X_6)
  (Z_64, Z_65, ..., Z_71) ← (X_0, X_1, ..., X_7)
Step 6. Finally, the output is {Z_j^{(32)}}_{0≤j<72}.

See Fig. 2.1 for an illustration and the Pseudocodes section for a pseudocode.

2.2.2 Chaining Value Processing Module: CPM

The chaining value processing module, CPM, takes three inputs: a bit string X^{(256)}, a set of bit strings {Y_j^{(32)}}_{0≤j<144}, and a set of bit strings {W_j^{(32)}}_{0≤j<68}.

Figure 2.1: {Z_j^{(32)}}_{0≤j<72} ← MSM[F, F'](X^{(256)}, {Y_j^{(32)}}_{0≤j<32}). (Illustration of the MSM data flow: X_0..X_7 with Y_0..Y_3 give Z_0..Z_7, each BD/F/Y_{4i..4i+3} round gives Z_{8i}..Z_{8i+7}, and the final round without constants gives Z_64..Z_71.)

The output is a bit string Z^{(256)}. CPM internally uses the byte diffusion function BD, which is also used in MSM and is defined in Sec. 2.2.3. As with MSM, CPM is parameterized by two functions F and F' over {0,1}^32, and we write CPM[F, F'] when we use the functions F and F'. CPM[F, F'] is specified as follows.

Step 1. Let (X_0^{(32)}, X_1^{(32)}, ..., X_7^{(32)}) ← X^{(256)}.
Step 2. Let (X_1, X_3, X_5, X_7) ← (X_1, X_3, X_5, X_7) ⊕ (W_0, W_1, W_2, W_3).
Step 3. Let (X_0, X_1, ..., X_7) ← (X_0, X_1, ..., X_7) ⊕ (Y_0, Y_1, ..., Y_7).
Step 4. (16 round iterations) The following operations are iterated for i = 1 to 16.
  (X_0, X_1, ..., X_7) ← BD(X_0, X_1, ..., X_7)
  (X_0, X_2, X_4, X_6) ← (F(X_0), F'(X_2), F(X_4), F'(X_6))
  (X_1, X_3, X_5, X_7) ← (X_1, X_3, X_5, X_7) ⊕ (W_{4i}, W_{4i+1}, W_{4i+2}, W_{4i+3})
  (X_1, X_3, X_5, X_7) ← (X_1, X_3, X_5, X_7) ⊕ (X_0, X_2, X_4, X_6)
  (X_0, X_1, ..., X_7) ← (X_0, X_1, ..., X_7) ⊕ (Y_{8i}, Y_{8i+1}, ..., Y_{8i+7})
Step 5. (17th round) Then the following operations are executed.
  (X_0, X_1, ..., X_7) ← BD(X_0, X_1, ..., X_7)
  (X_0, X_2, X_4, X_6) ← (F(X_0), F'(X_2), F(X_4), F'(X_6))
  (X_1, X_3, X_5, X_7) ← (X_1, X_3, X_5, X_7) ⊕ (X_0, X_2, X_4, X_6)
  (X_0, X_1, ..., X_7) ← (X_0, X_1, ..., X_7) ⊕ (Y_136, Y_137, ..., Y_143)
Step 6. Finally, the output is Z^{(256)} ← (X_0^{(32)} ‖ X_1^{(32)} ‖ ... ‖ X_7^{(32)}).

See Fig. 2.2 for an illustration and the Pseudocodes section for a pseudocode.

2.2.3 Byte Diffusion Function: BD

The byte diffusion function, BD, takes a bit string (X_0^{(32)}, X_1^{(32)}, ..., X_7^{(32)}) as input and outputs the updated bit string (X'_0^{(32)}, X'_1^{(32)}, ..., X'_7^{(32)}). It works as follows.

Step 1. For i = 0, 1, ..., 7, X_i^{(32)} is divided into a 4-byte sequence as (x_{4i}^{(8)}, x_{4i+1}^{(8)}, x_{4i+2}^{(8)}, x_{4i+3}^{(8)}) ← X_i^{(32)}, so that (X_0^{(32)}, X_1^{(32)}, ..., X_7^{(32)}) is now regarded as the sequence of bytes (x_0^{(8)}, x_1^{(8)}, ..., x_31^{(8)}) = (X_0^{(32)}, X_1^{(32)}, ..., X_7^{(32)}).
Step 2. Next, (x_0, x_1, ..., x_31) is permuted according to the permutation π defined in Fig. 2.3, where the i-th byte x_i is moved to the π(i)-th position. In other words, let x'_{π(i)} = x_i for i = 0, 1, ..., 31; then (x'_0, x'_1, ..., x'_31) is the result of the permutation. For example, x'_0 = x_4, x'_1 = x_29, and so on.
Step 3. For i = 0, 1, ..., 7, the 4-byte sequence (x'_{4i}^{(8)}, x'_{4i+1}^{(8)}, x'_{4i+2}^{(8)}, x'_{4i+3}^{(8)}) is concatenated to form the updated X'_i^{(32)} = (x'_{4i}^{(8)} ‖ x'_{4i+1}^{(8)} ‖ x'_{4i+2}^{(8)} ‖ x'_{4i+3}^{(8)}), and the output is (X'_0^{(32)}, X'_1^{(32)}, ..., X'_7^{(32)}).

See Fig. 2.4 for an illustration and the Pseudocodes section for a pseudocode.

Figure 2.2: Z^{(256)} ← CPM[F, F'](X^{(256)}, {Y_j^{(32)}}_{0≤j<144}, {W_j^{(32)}}_{0≤j<68}). (Illustration of the CPM data flow: X_0..X_7 with W_0..W_3 and Y_0..Y_7, then sixteen BD/F/W_{4i..4i+3}/Y_{8i..8i+7} rounds, a final round with Y_136..Y_143 only, and the output Z_0..Z_7.)

Figure 2.3: Definition of the permutation π(·) : {0, 1, ..., 31} → {0, 1, ..., 31}. (The table of i and π(i) values is not recoverable from this transcription.)

Figure 2.4: (X'_0^{(32)}, X'_1^{(32)}, ..., X'_7^{(32)}) ← BD(X_0^{(32)}, X_1^{(32)}, ..., X_7^{(32)}).

2.2.4 F-Functions: F_0, F_1, F_2, and F_3

We use four F-functions, F_0, F_1, F_2, and F_3, each of which takes a 32-bit input X and produces a 32-bit output Y. Each function is used as an instantiation of the parameter functions F or F' in MSM and CPM. Before defining the F-functions, we first define the S-box S : {0,1}^8 → {0,1}^8 and four 4×4 matrices M_0, M_1, M_2 and M_3.

The S-box S : x^{(8)} → y^{(8)} is defined as
  y = g(f(x)^{−1})  if f(x) ≠ 0,
  y = g(0)          if f(x) = 0.
The inverse is computed in GF((2^4)^2) defined by the irreducible polynomial z^2 + z + {1001}, where the underlying GF(2^4) is defined by the irreducible polynomial z^4 + z + 1. Moreover, f : x^{(8)} → y^{(8)} and g : x^{(8)} → y^{(8)} are affine transformations over GF(2), defined as
  f : (y_0, y_1, ..., y_7)^T = [8×8 binary matrix] · (x_0, x_1, ..., x_7)^T + [constant vector],   (2.2)

Table 2.1: Output values of S, indexed by the upper nibble of x (row 0. to f.) and the lower nibble of x (column .0 to .f). Only the following fragments of the table survive this transcription; several entries and row labels are missing, so the rows are incomplete.
0.  d9 dc d3 69 bd 00 4d eb c2 b 5d b7 6d
1.  f e 19 d d 34 0f 7c ec ce d1 a 74 fb e b5 5c 1a bb d f c fd 4b a4 cd e 99 1f
4.  ad 63 c9 6b f7 2 9f 65 2f 5f d b 0e 1b e0 ac 26 a1 e3 f af f f 3f a2 9 9a a3 91 4c 7f ea 01 1c
7.  1e 2d 9 39 e6 9c 0a 54 0c 51 6c 43 ae db a6 f4 06 da e2 7 1d e1 35 fc ed bc 47 d5
9.  c0 ab cc a 0 2b 09 b0 93 d4 c5 b3 d0 df a9 aa
a.  7a 36 2a d6 b2 fa e b1 a0 6 5a c7
b.  fe 76 bf c4 f2 3e 4a 0b f1 ef a7 27 e5 c
c.  de 9b d 3c 56 d7 c 60 6a 79 ee a5 31 2e
d.  ff 95 dd 25 3b 55 ca 52 9e 2c 15 4f e d
e.  72 3a 7b 4 f b4 3 6f b9 c1 45 e9
f.  ba b6 6e 5e be 7e 20 f d2 cb c3 cf 5b

and
  g : (y_0, y_1, ..., y_7)^T = [8×8 binary matrix] · (x_0, x_1, ..., x_7)^T + [constant vector],   (2.3)
(the matrix and constant-vector entries of f and g are not recoverable from this transcription), where (x_0^{(1)} ‖ x_1^{(1)} ‖ ... ‖ x_7^{(1)}) ← x^{(8)} and (y_0^{(1)} ‖ y_1^{(1)} ‖ ... ‖ y_7^{(1)}) ← y^{(8)}. Table 2.1 shows the output values of S. The four matrices are defined as follows.

$$M_0 = \begin{pmatrix} \mathtt{0x01} & \mathtt{0x02} & \mathtt{0x02} & \mathtt{0x03} \\ \mathtt{0x03} & \mathtt{0x01} & \mathtt{0x02} & \mathtt{0x02} \\ \mathtt{0x02} & \mathtt{0x03} & \mathtt{0x01} & \mathtt{0x02} \\ \mathtt{0x02} & \mathtt{0x02} & \mathtt{0x03} & \mathtt{0x01} \end{pmatrix}, \qquad (2.4)$$

$$M_1 = \begin{pmatrix} \mathtt{0x01} & \mathtt{0x06} & \mathtt{0x08} & \mathtt{0x02} \\ \mathtt{0x02} & \mathtt{0x01} & \mathtt{0x06} & \mathtt{0x08} \\ \mathtt{0x08} & \mathtt{0x02} & \mathtt{0x01} & \mathtt{0x06} \\ \mathtt{0x06} & \mathtt{0x08} & \mathtt{0x02} & \mathtt{0x01} \end{pmatrix}, \qquad (2.5)$$

$$M_2 = \begin{pmatrix} \mathtt{0x03} & \mathtt{0x01} & \mathtt{0x02} & \mathtt{0x02} \\ \mathtt{0x02} & \mathtt{0x03} & \mathtt{0x01} & \mathtt{0x02} \\ \mathtt{0x02} & \mathtt{0x02} & \mathtt{0x03} & \mathtt{0x01} \\ \mathtt{0x01} & \mathtt{0x02} & \mathtt{0x02} & \mathtt{0x03} \end{pmatrix}, \qquad (2.6)$$

$$M_3 = \begin{pmatrix} \mathtt{0x06} & \mathtt{0x08} & \mathtt{0x02} & \mathtt{0x01} \\ \mathtt{0x01} & \mathtt{0x06} & \mathtt{0x08} & \mathtt{0x02} \\ \mathtt{0x02} & \mathtt{0x01} & \mathtt{0x06} & \mathtt{0x08} \\ \mathtt{0x08} & \mathtt{0x02} & \mathtt{0x01} & \mathtt{0x06} \end{pmatrix}. \qquad (2.7)$$

Multiplications are performed over GF(2^8) defined by the irreducible polynomial z^8 + z^4 + z^3 + z (the remaining terms of the polynomial are lost in this transcription). Now we describe the F-functions.

Step 1. Let (x_0^{(8)}, x_1^{(8)}, x_2^{(8)}, x_3^{(8)}) ← X^{(32)}.
Step 2. Let (x_0, x_1, x_2, x_3) ← (S(x_0), S(x_1), S(x_2), S(x_3)).
Step 3. For i ∈ {0, 1, 2, 3}, the output of F_i is Y^{(32)} = (y_0^{(8)} ‖ y_1^{(8)} ‖ y_2^{(8)} ‖ y_3^{(8)}), where
  (y_0, y_1, y_2, y_3)^T = M_i · (x_0, x_1, x_2, x_3)^T.

2.2.5 Data Rotating Function: DR

The data rotating function, DR, takes two inputs: a set of bit strings {X_j^{(32)}}_{0≤j<72} and a set of bit strings {Y_j^{(32)}}_{0≤j<72}. The output is a set of bit strings {Z_j^{(32)}}_{0≤j<144}. DR uses the following two functions,
  PROTL : ({0,1}^32)^8 → ({0,1}^32)^8,
  PROTR : ({0,1}^32)^8 → ({0,1}^32)^8,
which we define as
  PROTL(X_0^{(32)}, X_1^{(32)}, ..., X_7^{(32)}) = (X'_0^{(32)}, X'_1^{(32)}, ..., X'_7^{(32)}),   (2.8)
where X'_i = X_i for i = 0, 2, 4, 5, 6, 7, and (X'_1 ‖ X'_3) = (X_1 ‖ X_3) ⋘_64 1. Similarly, we define
  PROTR(X_0^{(32)}, X_1^{(32)}, ..., X_7^{(32)}) = (X'_0^{(32)}, X'_1^{(32)}, ..., X'_7^{(32)}),   (2.9)
where X'_i = X_i for i = 0, 2, 4, 5, 6, 7, and (X'_1 ‖ X'_3) = (X_1 ‖ X_3) ⋙_64 1. In other words, they rotate the two words X_1 and X_3 by one bit, where these two words are concatenated and regarded as one 64-bit string. DR works as follows.

Step 1. For inputs {X_j^{(32)}}_{0≤j<72} and {Y_j^{(32)}}_{0≤j<72}, define {Z_j^{(32)}}_{0≤j<144} by iterating the following operations for i = 0 to 8.
  (Z_{16i}, Z_{16i+1}, ..., Z_{16i+7}) ← PROTL(X_{8i}, X_{8i+1}, ..., X_{8i+7})
  (Z_{16i+8}, Z_{16i+9}, ..., Z_{16i+15}) ← PROTR(Y_{8i}, Y_{8i+1}, ..., Y_{8i+7})
Step 2. The output is {Z_j^{(32)}}_{0≤j<144} as defined above.

See Fig. 2.5 for an illustration and the Pseudocodes section for a pseudocode.

Figure 2.5: {Z_j^{(32)}}_{0≤j<144} ← DR({X_j^{(32)}}_{0≤j<72}, {Y_j^{(32)}}_{0≤j<72}). (Illustration: for i = 0, ..., 8, X_{8i}..X_{8i+7} become Z_{16i}..Z_{16i+7} with (Z_{16i+1} ‖ Z_{16i+3}) = (X_{8i+1} ‖ X_{8i+3}) ⋘_64 1, and Y_{8i}..Y_{8i+7} become Z_{16i+8}..Z_{16i+15} with (Z_{16i+9} ‖ Z_{16i+11}) = (Y_{8i+1} ‖ Y_{8i+3}) ⋙_64 1.)

2.3 Specification of AURORA-256

2.3.1 Overall Structure

AURORA-256 takes an input message of length at most 512 (2^64 − 1) bits and outputs a hash value of 256 bits. It internally uses a compression function CF and a finalization function FF, where
  CF(·,·) : {0,1}^256 × {0,1}^512 → {0,1}^256,
  FF(·,·) : {0,1}^256 × {0,1}^512 → {0,1}^256.
The compression function CF is defined in Sec. 2.3.2 and the finalization function FF in Sec. 2.3.3. AURORA-256 works as follows.

Step 1. The input message M is padded with the following padding function Pad(·):
  Pad(M) = M ‖ 1 ‖ 0^b ‖ Len_64,   (2.10)
where b is the minimum non-negative integer (possibly zero) such that |M| + b + 65 = 512m for some integer m, and Len_64 is the encoding of ⌈|M|/512⌉ as a 64-bit string. That is, Len_64 is the length of M in blocks, where a partial block counts as one block, and b is the minimal integer such that the total length of Pad(M) is a multiple of 512 bits. Then Pad(M) is divided into blocks M_0, M_1, ..., M_{m−1}, each of length 512 bits, i.e., (M_0^{(512)}, M_1^{(512)}, ..., M_{m−1}^{(512)}) ← Pad(M).
Step 2. Let H_0^{(256)} = 0^{256}, and compute H_1^{(256)}, H_2^{(256)}, ..., H_{m−1}^{(256)} by iterating, for i = 0 to m − 2,
  H_{i+1} ← CF(H_i, M_i).
Note that when Pad(M) has one block (i.e., when m = 1 and Pad(M) = M_0), Step 2 is not executed.
Step 3. Finally, let H_m ← FF(H_{m−1}, M_{m−1}), and the output is H_m^{(256)}.

See Fig. 2.6 for an illustration and the Pseudocodes section for a pseudocode.

Figure 2.6: AURORA-256. (M_0, M_1, ..., M_{m−2} are absorbed by CF starting from H_0, yielding H_1, H_2, ..., H_{m−1}; the last block M_{m−1} is absorbed by FF, yielding H_m.)

2.3.2 Compression Function: CF

The compression function, CF, takes the chaining value H_i of 256 bits and the input message block M_i of 512 bits, and outputs the chaining value H_{i+1} of 256 bits.

It internally uses two message scheduling functions MS_L and MS_R, the data rotating function DR, and a chaining value processing function CP, where
  MS_L(·) : {0,1}^256 → ({0,1}^32)^72,
  MS_R(·) : {0,1}^256 → ({0,1}^32)^72,
  DR(·,·) : ({0,1}^32)^72 × ({0,1}^32)^72 → ({0,1}^32)^144,
  CP(·,·) : {0,1}^256 × ({0,1}^32)^144 → {0,1}^256.
These functions are described below.

Components of CF

MS_L is an instance of MSM described in Sec. 2.2.1, and for any X ∈ {0,1}^256 it is defined as
  MS_L(X) = MSM[F_0, F_1](X, {CONM_{L,j}^{(32)}}_{0≤j<32}),   (2.11)
where F_0 and F_1 are the F-functions defined in Sec. 2.2.4, and {CONM_{L,j}^{(32)}}_{0≤j<32} is the set of constants defined in the Constant Values section. Similarly, for any X ∈ {0,1}^256, MS_R is defined as
  MS_R(X) = MSM[F_2, F_3](X, {CONM_{R,j}^{(32)}}_{0≤j<32}),   (2.12)
where F_2 and F_3 are the F-functions defined in Sec. 2.2.4, and {CONM_{R,j}^{(32)}}_{0≤j<32} is the set of constants defined in the Constant Values section. DR is the data rotating function defined in Sec. 2.2.5. CP is an instance of CPM described in Sec. 2.2.2, and for any X ∈ {0,1}^256 and Y ∈ ({0,1}^32)^144 it is defined as
  CP(X, Y) = CPM[F_1, F_0](X, Y, {CONC_j^{(32)}}_{0≤j<68}),   (2.13)
where F_0 and F_1 are the F-functions defined in Sec. 2.2.4, and {CONC_j^{(32)}}_{0≤j<68} is the set of constants defined in the Constant Values section.

Specification of CF

Now we present the specification of CF.

Step 1. Let (M_L^{(256)}, M_R^{(256)}) ← M_i^{(512)}, and let X^{(256)} ← H_i^{(256)}.
Step 2. Let {T_{L,j}^{(32)}}_{0≤j<72} ← MS_L(M_L^{(256)}).
Step 3. Let {T_{R,j}^{(32)}}_{0≤j<72} ← MS_R(M_R^{(256)}).
Step 4. Let {U_j^{(32)}}_{0≤j<144} ← DR({T_{L,j}^{(32)}}_{0≤j<72}, {T_{R,j}^{(32)}}_{0≤j<72}).
Step 5. Let Y^{(256)} ← CP(X^{(256)}, {U_j^{(32)}}_{0≤j<144}).
Step 6. Finally, the output is H_{i+1}^{(256)} ← Y^{(256)} ⊕ X^{(256)}.

See Fig. 2.7 for an illustration and the Pseudocodes section for a pseudocode.

Figure 2.7: H_{i+1}^{(256)} ← CF(H_i^{(256)}, M_i^{(512)}). (Illustration: M_i is split into M_L and M_R, which MS_L and MS_R expand into T_{L,0..71} and T_{R,0..71}; DR interleaves them into U_{0..143}; CP processes X = H_i under U into Y, and H_{i+1} = Y ⊕ H_i.)

2.3.3 Finalization Function: FF

The finalization function, FF, is used at the last step of the hash value computation. It takes the chaining value H_{m−1} of 256 bits and the last input message block M_{m−1} of 512 bits, and outputs the final hash value H_m of 256 bits. FF is structurally equivalent to CF; the only difference is the constants used in the components. FF internally uses message scheduling functions for finalization, MSF_L and MSF_R, the data rotating function DR, and a chaining value processing function for finalization, CPF. They have the following syntax:
  MSF_L(·) : {0,1}^256 → ({0,1}^32)^72,
  MSF_R(·) : {0,1}^256 → ({0,1}^32)^72,
  DR(·,·) : ({0,1}^32)^72 × ({0,1}^32)^72 → ({0,1}^32)^144,
  CPF(·,·) : {0,1}^256 × ({0,1}^32)^144 → {0,1}^256.   (2.14)
These functions are described below.

Components of FF

For any X ∈ {0,1}^256, MSF_L is defined as
  MSF_L(X) = MSM[F_0, F_1](X, {CONM_{L,j}^{(32)}}_{32≤j<64}),   (2.15)
where F_0 and F_1 are the F-functions defined in Sec. 2.2.4, and {CONM_{L,j}^{(32)}}_{32≤j<64} is the set of constants defined in the Constant Values section. For any X ∈ {0,1}^256, MSF_R is defined as
  MSF_R(X) = MSM[F_2, F_3](X, {CONM_{R,j}^{(32)}}_{32≤j<64}),   (2.16)
where F_2 and F_3 are the F-functions defined in Sec. 2.2.4, and {CONM_{R,j}^{(32)}}_{32≤j<64} is the set of constants defined in the Constant Values section.

DR is the data rotating function defined in Sec. 2.2.5. For any X ∈ {0,1}^256 and Y ∈ ({0,1}^32)^144, CPF is defined as
  CPF(X, Y) = CPM[F_1, F_0](X, Y, {CONC_j^{(32)}}_{68≤j<136}),   (2.17)
where F_0 and F_1 are the F-functions defined in Sec. 2.2.4, and {CONC_j^{(32)}}_{68≤j<136} is the set of constants defined in the Constant Values section.

Specification of FF

Now the finalization function FF works as follows.

Step 1. Let (M_L^{(256)}, M_R^{(256)}) ← M_{m−1}^{(512)}, and let X^{(256)} ← H_{m−1}^{(256)}.
Step 2. Let {T_{L,j}^{(32)}}_{0≤j<72} ← MSF_L(M_L^{(256)}).
Step 3. Let {T_{R,j}^{(32)}}_{0≤j<72} ← MSF_R(M_R^{(256)}).
Step 4. Let {U_j^{(32)}}_{0≤j<144} ← DR({T_{L,j}^{(32)}}_{0≤j<72}, {T_{R,j}^{(32)}}_{0≤j<72}).
Step 5. Let Y^{(256)} ← CPF(X^{(256)}, {U_j^{(32)}}_{0≤j<144}).
Step 6. Finally, the output is H_m^{(256)} ← Y^{(256)} ⊕ X^{(256)}.

See the Pseudocodes section for a pseudocode.

2.3.4 Alternate Method for Computing CF and FF

The compression function CF and the finalization function FF, the components of the AURORA-256 hash computation, are described here in an alternative way which requires less memory space in an implementation. First, three component functions RoundC, RoundM_L and RoundM_R are defined for the alternate computation method.

Components RoundC, RoundM_L and RoundM_R

RoundC^{(i)}(·) : ({0,1}^32)^8 → ({0,1}^32)^8 is the round function of the structure for CP. We now present the computation steps of RoundC^{(i)}(·).

RoundC^{(i)}(X_0, X_1, ..., X_7):
  (X_0, X_1, ..., X_7) ← BD(X_0, X_1, ..., X_7)
  (X_0, X_2, X_4, X_6) ← (F_1(X_0), F_0(X_2), F_1(X_4), F_0(X_6))
  If i ≠ 17, do the following line:
    (X_1, X_3, X_5, X_7) ← (X_1, X_3, X_5, X_7) ⊕ (CONC_{4i}, CONC_{4i+1}, CONC_{4i+2}, CONC_{4i+3})
  (X_1, X_3, X_5, X_7) ← (X_1, X_3, X_5, X_7) ⊕ (X_0, X_2, X_4, X_6)
  Output (X_0, X_1, ..., X_7)

Similarly, the round functions RoundM_L and RoundM_R for MS_L and MS_R are defined by replacing the F-functions and constants as follows.

RoundM_L^{(i)}(X_0, X_1, ..., X_7):
  (X_0, X_1, ..., X_7) ← BD(X_0, X_1, ..., X_7)
  (X_0, X_2, X_4, X_6) ← (F_0(X_0), F_1(X_2), F_0(X_4), F_1(X_6))
  If i ≠ 8, do the following line:
    (X_1, X_3, X_5, X_7) ← (X_1, X_3, X_5, X_7) ⊕ (CONM_{L,4i}, CONM_{L,4i+1}, CONM_{L,4i+2}, CONM_{L,4i+3})
  (X_1, X_3, X_5, X_7) ← (X_1, X_3, X_5, X_7) ⊕ (X_0, X_2, X_4, X_6)
  Output (X_0, X_1, ..., X_7)

RoundM_R^{(i)}(X_0, X_1, ..., X_7):
  (X_0, X_1, ..., X_7) ← BD(X_0, X_1, ..., X_7)
  (X_0, X_2, X_4, X_6) ← (F_2(X_0), F_3(X_2), F_2(X_4), F_3(X_6))
  If i ≠ 8, do the following line:
    (X_1, X_3, X_5, X_7) ← (X_1, X_3, X_5, X_7) ⊕ (CONM_{R,4i}, CONM_{R,4i+1}, CONM_{R,4i+2}, CONM_{R,4i+3})
  (X_1, X_3, X_5, X_7) ← (X_1, X_3, X_5, X_7) ⊕ (X_0, X_2, X_4, X_6)
  Output (X_0, X_1, ..., X_7)

Alternative Specification of CF

Now we present the alternative computation method of CF.

Step 1. Initialize the input values.
  (X_0^{(32)}, X_1^{(32)}, ..., X_7^{(32)}, Y_0^{(32)}, Y_1^{(32)}, ..., Y_7^{(32)}) ← M_i^{(512)}
  (Z_0^{(32)}, Z_1^{(32)}, ..., Z_7^{(32)}) ← H_i^{(256)}
Step 2. Add the constant values to the initial values.
  (X_1, X_3, X_5, X_7) ← (X_1, X_3, X_5, X_7) ⊕ (CONM_{L,0}, CONM_{L,1}, CONM_{L,2}, CONM_{L,3})
  (Y_1, Y_3, Y_5, Y_7) ← (Y_1, Y_3, Y_5, Y_7) ⊕ (CONM_{R,0}, CONM_{R,1}, CONM_{R,2}, CONM_{R,3})
  (Z_1, Z_3, Z_5, Z_7) ← (Z_1, Z_3, Z_5, Z_7) ⊕ (CONC_0, CONC_1, CONC_2, CONC_3)

Step 3. Do the first round function.
    $(Z_0, Z_1, \ldots, Z_7) \leftarrow (Z_0, Z_1, \ldots, Z_7) \oplus (X_0, X_1', X_2, X_3', X_4, X_5, X_6, X_7)$
    $(Z_0, Z_1, \ldots, Z_7) \leftarrow \mathrm{RoundC}^{(1)}(Z_0, Z_1, \ldots, Z_7)$
    $(Z_0, Z_1, \ldots, Z_7) \leftarrow (Z_0, Z_1, \ldots, Z_7) \oplus (Y_0, Y_1', Y_2, Y_3', Y_4, Y_5, Y_6, Y_7)$
Step 4. The following operations are iterated for $j = 1$ to $8$.
    $(X_0, X_1, \ldots, X_7) \leftarrow \mathrm{RoundM}_L^{(j)}(X_0, X_1, \ldots, X_7)$
    $(Y_0, Y_1, \ldots, Y_7) \leftarrow \mathrm{RoundM}_R^{(j)}(Y_0, Y_1, \ldots, Y_7)$
    $(Z_0, Z_1, \ldots, Z_7) \leftarrow \mathrm{RoundC}^{(2j)}(Z_0, Z_1, \ldots, Z_7)$
    $(Z_0, Z_1, \ldots, Z_7) \leftarrow (Z_0, Z_1, \ldots, Z_7) \oplus (X_0, X_1', X_2, X_3', X_4, X_5, X_6, X_7)$
    $(Z_0, Z_1, \ldots, Z_7) \leftarrow \mathrm{RoundC}^{(2j+1)}(Z_0, Z_1, \ldots, Z_7)$
    $(Z_0, Z_1, \ldots, Z_7) \leftarrow (Z_0, Z_1, \ldots, Z_7) \oplus (Y_0, Y_1', Y_2, Y_3', Y_4, Y_5, Y_6, Y_7)$
Step 5. Finally, the output is $H_{i+1}^{(256)} \leftarrow (Z_0, Z_1, \ldots, Z_7) \oplus H_i$.

In the above specification, $X_1'$, $X_3'$, $Y_1'$ and $Y_3'$ are defined by $(X_1' \,\|\, X_3') = (X_1 \,\|\, X_3)$ rotated by one bit position as a 64-bit word, and $(Y_1' \,\|\, Y_3') = (Y_1 \,\|\, Y_3)$ rotated by one bit position as a 64-bit word.

Alternative Specification of FF

An alternative specification of FF is obtained by replacing the constants in the above specification of CF as $\mathrm{CONC}_j \leftarrow \mathrm{CONC}_{j+32}$, $\mathrm{CONM}_{L,j} \leftarrow \mathrm{CONM}_{L,j+32}$ and $\mathrm{CONM}_{R,j} \leftarrow \mathrm{CONM}_{R,j+32}$.

2.4 Specification of AURORA-224

AURORA-224 takes an input message of length at most $512 \cdot (2^{64} - 1)$ bits and outputs a hash value of 224 bits. It uses the same padding function Pad, compression function CF and finalization function FF as AURORA-256 defined in Sec. The difference is that AURORA-224 uses $H_0 = 1^{256}$ as the initial value, and the output of FF is truncated to 224 bits by the truncation function $\mathrm{TF}_{224}$.

The truncation function $\mathrm{TF}_{224}(\cdot) : \{0,1\}^{256} \to \{0,1\}^{224}$ first parses the input $H_m^{(256)}$ into a sequence of bytes $H_m^{(256)} = (m_0^{(8)}, m_1^{(8)}, \ldots, m_{31}^{(8)})$ and drops $m_7$, $m_{15}$, $m_{23}$ and $m_{31}$ to produce the 224-bit hash value $H_m^{(224)} = (m_0'^{(8)}, m_1'^{(8)}, \ldots, m_{27}'^{(8)})$. That is, for the 256-bit input $H_m^{(256)} = (m_0^{(8)}, m_1^{(8)}, \ldots, m_{31}^{(8)})$, the 224-bit output is $H_m^{(224)} = (m_0'^{(8)}, m_1'^{(8)}, \ldots, m_{27}'^{(8)})$, where
$$m_i' = m_i \ \text{for } 0 \le i \le 6, \qquad m_i' = m_{i+1} \ \text{for } 7 \le i \le 13, \qquad m_i' = m_{i+2} \ \text{for } 14 \le i \le 20, \qquad m_i' = m_{i+3} \ \text{for } 21 \le i \le 27.$$

Now we describe the specification of AURORA-224.

Step 1. The input message $M$ is first padded with $\mathrm{Pad}(\cdot)$ in (2.10), and the result $\mathrm{Pad}(M)$ is divided into blocks $M_0, M_1, \ldots, M_{m-1}$, each of length 512 bits, i.e., let $(M_0^{(512)}, M_1^{(512)}, \ldots, M_{m-1}^{(512)}) \leftarrow \mathrm{Pad}(M)$.
Step 2. Let $H_0^{(256)} = 1^{256}$, and compute $H_1^{(256)}, H_2^{(256)}, \ldots, H_{m-1}^{(256)}$ by iterating, for $i = 0$ to $m - 2$,
    $H_{i+1} \leftarrow \mathrm{CF}(H_i, M_i)$.
Note that when $\mathrm{Pad}(M)$ consists of a single block (i.e., when $m = 1$ and $\mathrm{Pad}(M) = M_0$), Step 2 is not executed.
Step 3. Let $H_m \leftarrow \mathrm{FF}(H_{m-1}, M_{m-1})$, and the output is $H_m^{(224)} \leftarrow \mathrm{TF}_{224}(H_m^{(256)})$.

See Fig. for a pseudocode.

2.5 Specification of AURORA-512

Overall Structure

AURORA-512 takes an input message of length at most $512 \cdot (2^{64} - 1)$ bits and outputs a hash value of 512 bits. It internally uses eight compression functions $\mathrm{CF}_0, \mathrm{CF}_1, \ldots, \mathrm{CF}_7$, a mixing function MF, and a mixing function for finalization MFF, where
    $\mathrm{CF}_s(\cdot, \cdot) : \{0,1\}^{512} \times \{0,1\}^{512} \to \{0,1\}^{512}$ for $s \in \{0, 1, \ldots, 7\}$,
    $\mathrm{MF}(\cdot) : \{0,1\}^{512} \to \{0,1\}^{512}$,
    $\mathrm{MFF}(\cdot) : \{0,1\}^{512} \to \{0,1\}^{512}$.
The compression functions $\mathrm{CF}_0, \mathrm{CF}_1, \ldots, \mathrm{CF}_7$, the mixing function MF and the mixing function for finalization MFF are defined in the following subsections.

Now we describe the specification of AURORA-512.

Step 1. The input message $M$ is padded with the padding function $\mathrm{Pad}(\cdot)$ in (2.10), and $\mathrm{Pad}(M)$ is divided into blocks $M_0, M_1, \ldots, M_{m-1}$, each of length 512 bits, i.e., let $(M_0^{(512)}, M_1^{(512)}, \ldots, M_{m-1}^{(512)}) \leftarrow \mathrm{Pad}(M)$.
Step 2. Let $H_0^{(512)} \leftarrow 0^{512}$. Then compute $H_1^{(512)}, H_2^{(512)}, \ldots, H_m^{(512)}$ by iterating the following operations for $i = 0$ to $m - 1$.
    $H_{i+1} \leftarrow \mathrm{CF}_{i \bmod 8}(H_i, M_i)$
    if $(0 < i < m - 1) \wedge (i \bmod 8 = 7)$ then $H_{i+1} \leftarrow \mathrm{MF}(H_{i+1})$
Step 3. Finally, the output is $H_m^{(512)} \leftarrow \mathrm{MFF}(H_m^{(512)})$.

See Fig. 2.8 for an illustration and Fig. for a pseudocode.

Compression Functions: CF_0, CF_1, ..., CF_7

The compression function $\mathrm{CF}_s$, where $s \in \{0, 1, \ldots, 7\}$, takes the chaining value $H_i$ of 512 bits and the input message block $M_i$ of 512 bits, and outputs the chaining value $H_{i+1}$ of 512 bits. For each $s \in \{0, 1, \ldots, 7\}$, $\mathrm{CF}_s$ internally uses two message scheduling functions $\mathrm{MS}_{L,s}$ and $\mathrm{MS}_{R,s}$, a data rotating function DR, and two chaining value processing functions $\mathrm{CP}_{L,s}$ and $\mathrm{CP}_{R,s}$, where
    $\mathrm{MS}_{L,s}(\cdot) : \{0,1\}^{256} \to (\{0,1\}^{32})^{72}$,
    $\mathrm{MS}_{R,s}(\cdot) : \{0,1\}^{256} \to (\{0,1\}^{32})^{72}$,
    $\mathrm{DR}(\cdot, \cdot) : (\{0,1\}^{32})^{72} \times (\{0,1\}^{32})^{72} \to (\{0,1\}^{32})^{144}$,
    $\mathrm{CP}_{L,s}(\cdot, \cdot) : \{0,1\}^{256} \times (\{0,1\}^{32})^{144} \to \{0,1\}^{256}$,
    $\mathrm{CP}_{R,s}(\cdot, \cdot) : \{0,1\}^{256} \times (\{0,1\}^{32})^{144} \to \{0,1\}^{256}$.
These functions are defined below.

Components of CF_0, CF_1, ..., CF_7

For any $X \in \{0,1\}^{256}$, $\mathrm{MS}_{L,s}$ is defined as
$$\mathrm{MS}_{L,s}(X) = \mathrm{MSM}[F_0, F_1]\bigl(X, \{\mathrm{CONM}_{L,s,j}^{(32)}\}_{0 \le j < 32}\bigr), \qquad (2.18)$$
where $F_0$ and $F_1$ are the F-functions defined in Sec., and $\{\mathrm{CONM}_{L,s,j}^{(32)}\}_{0 \le j < 32}$ is the set of constants defined in Sec.

[Figure 2.8: AURORA-512, where $l = m \bmod 8$. The diagram shows $H_0$ chained through $\mathrm{CF}_0, \mathrm{CF}_1, \ldots, \mathrm{CF}_7$ on $M_0, \ldots, M_7$ with MF applied to $H_8$, the same pattern for $M_8, \ldots, M_{15}$ with MF applied to $H_{16}$, and the final blocks $M_{m-2}, M_{m-1}$ processed by $\mathrm{CF}_{l-2}$, $\mathrm{CF}_{l-1}$ and MFF to give $H_m$.]

For any $X \in \{0,1\}^{256}$, $\mathrm{MS}_{R,s}$ is defined as
$$\mathrm{MS}_{R,s}(X) = \mathrm{MSM}[F_2, F_3]\bigl(X, \{\mathrm{CONM}_{R,s,j}^{(32)}\}_{0 \le j < 32}\bigr), \qquad (2.19)$$
where $F_2$ and $F_3$ are the F-functions defined in Sec., and $\{\mathrm{CONM}_{R,s,j}^{(32)}\}_{0 \le j < 32}$ is the set of constants defined in Sec.

DR is the data rotating function defined in Sec.

For any $X \in \{0,1\}^{256}$ and $Y \in (\{0,1\}^{32})^{144}$, $\mathrm{CP}_{L,s}$ is defined as
$$\mathrm{CP}_{L,s}(X, Y) = \mathrm{CPM}[F_1, F_0]\bigl(X, Y, \{\mathrm{CONC}_{L,s,j}^{(32)}\}_{0 \le j < 68}\bigr), \qquad (2.20)$$
where $F_0$ and $F_1$ are the F-functions defined in Sec., and $\{\mathrm{CONC}_{L,s,j}^{(32)}\}_{0 \le j < 68}$ is the set of constants defined in Sec.

For any $X \in \{0,1\}^{256}$ and $Y \in (\{0,1\}^{32})^{144}$, $\mathrm{CP}_{R,s}$ is defined as
$$\mathrm{CP}_{R,s}(X, Y) = \mathrm{CPM}[F_3, F_2]\bigl(X, Y, \{\mathrm{CONC}_{R,s,j}^{(32)}\}_{0 \le j < 68}\bigr), \qquad (2.21)$$
where $F_2$ and $F_3$ are the F-functions defined in Sec., and $\{\mathrm{CONC}_{R,s,j}^{(32)}\}_{0 \le j < 68}$ is the set of constants defined in Sec.

Specification of CF_0, CF_1, ..., CF_7

Now the compression function $\mathrm{CF}_s$ works as follows.

Step 1. Let $(M_L^{(256)}, M_R^{(256)}) \leftarrow M_i^{(512)}$, and $(X_L^{(256)}, X_R^{(256)}) \leftarrow H_i^{(512)}$.
Step 2. Let $\{T_{L,j}^{(32)}\}_{0 \le j < 72} \leftarrow \mathrm{MS}_{L,s}(M_L^{(256)})$.
Step 3. Let $\{T_{R,j}^{(32)}\}_{0 \le j < 72} \leftarrow \mathrm{MS}_{R,s}(M_R^{(256)})$.
Step 4. Let $\{U_j^{(32)}\}_{0 \le j < 144} \leftarrow \mathrm{DR}\bigl(\{T_{L,j}^{(32)}\}_{0 \le j < 72}, \{T_{R,j}^{(32)}\}_{0 \le j < 72}\bigr)$.
Step 5. Let $Y_L^{(256)} \leftarrow \mathrm{CP}_{L,s}\bigl(X_L^{(256)}, \{U_j^{(32)}\}_{0 \le j < 144}\bigr)$.
Step 6. Let $Y_R^{(256)} \leftarrow \mathrm{CP}_{R,s}\bigl(X_R^{(256)}, \{U_j^{(32)}\}_{0 \le j < 144}\bigr)$.
Step 7. Finally, the output is $H_{i+1}^{(512)} \leftarrow (Y_L^{(256)} \oplus X_L^{(256)} \,\|\, Y_R^{(256)} \oplus X_R^{(256)})$.

See Fig. 2.9 for an illustration and Fig. for a pseudocode.

Mixing Function: MF

The mixing function MF is used to mix the chaining values after every eight calls of $\mathrm{CF}_s$. It takes the chaining value $H_i$ of 512 bits and outputs the updated chaining value $H_i$ of 512 bits. It internally uses two message scheduling functions $\mathrm{MS}_{L,8}$ and $\mathrm{MS}_{R,8}$, a data rotating function DR, and two chaining value processing functions $\mathrm{CP}_{L,8}$ and $\mathrm{CP}_{R,8}$, where
    $\mathrm{MS}_{L,8}(\cdot) : \{0,1\}^{256} \to (\{0,1\}^{32})^{72}$,
    $\mathrm{MS}_{R,8}(\cdot) : \{0,1\}^{256} \to (\{0,1\}^{32})^{72}$,
    $\mathrm{DR}(\cdot, \cdot) : (\{0,1\}^{32})^{72} \times (\{0,1\}^{32})^{72} \to (\{0,1\}^{32})^{144}$,
    $\mathrm{CP}_{L,8}(\cdot, \cdot) : \{0,1\}^{256} \times (\{0,1\}^{32})^{144} \to \{0,1\}^{256}$,
    $\mathrm{CP}_{R,8}(\cdot, \cdot) : \{0,1\}^{256} \times (\{0,1\}^{32})^{144} \to \{0,1\}^{256}$.
These functions are defined below.

[Figure 2.9: $H_{i+1}^{(512)} \leftarrow \mathrm{CF}_s(H_i^{(512)}, M_i^{(512)})$. The diagram shows $M_i$ split into $M_L$, $M_R$ and $H_i$ into $X_L$, $X_R$; $\mathrm{MS}_{L,s}$ and $\mathrm{MS}_{R,s}$ produce $T_{L,0}, \ldots, T_{L,71}$ and $T_{R,0}, \ldots, T_{R,71}$; DR maps each group of eight words $T_{L,8k}, \ldots, T_{L,8k+7}$ to $U_{16k}, \ldots, U_{16k+7}$ and $T_{R,8k}, \ldots, T_{R,8k+7}$ to $U_{16k+8}, \ldots, U_{16k+15}$ (so $U_0, \ldots, U_7$ come from the left schedule, $U_8, \ldots, U_{15}$ from the right, and so on up to $U_{143}$); $\mathrm{CP}_{L,s}$ and $\mathrm{CP}_{R,s}$ output $Y_L$, $Y_R$, which are combined with $X_L$, $X_R$ into $Z_L$, $Z_R$ to form $H_{i+1}$.]

Components of MF

For any $X \in \{0,1\}^{256}$, $\mathrm{MS}_{L,8}$ is defined as
$$\mathrm{MS}_{L,8}(X) = \mathrm{MSM}[F_0, F_1]\bigl(X, \{\mathrm{CONM}_{L,8,j}^{(32)}\}_{0 \le j < 32}\bigr), \qquad (2.22)$$
where $F_0$ and $F_1$ are the F-functions defined in Sec., and $\{\mathrm{CONM}_{L,8,j}^{(32)}\}_{0 \le j < 32}$ is the set of constants defined in Sec.

For any $X \in \{0,1\}^{256}$, $\mathrm{MS}_{R,8}$ is defined as
$$\mathrm{MS}_{R,8}(X) = \mathrm{MSM}[F_2, F_3]\bigl(X, \{\mathrm{CONM}_{R,8,j}^{(32)}\}_{0 \le j < 32}\bigr), \qquad (2.23)$$
where $F_2$ and $F_3$ are the F-functions defined in Sec., and $\{\mathrm{CONM}_{R,8,j}^{(32)}\}_{0 \le j < 32}$ is the set of constants defined in Sec.

DR is the data rotating function defined in Sec.

For any $X \in \{0,1\}^{256}$ and $Y \in (\{0,1\}^{32})^{144}$, $\mathrm{CP}_{L,8}$ is defined as
$$\mathrm{CP}_{L,8}(X, Y) = \mathrm{CPM}[F_1, F_0]\bigl(X, Y, \{\mathrm{CONC}_{L,8,j}^{(32)}\}_{0 \le j < 68}\bigr), \qquad (2.24)$$
where $F_0$ and $F_1$ are the F-functions defined in Sec., and $\{\mathrm{CONC}_{L,8,j}^{(32)}\}_{0 \le j < 68}$ is the set of constants defined in Sec.

For any $X \in \{0,1\}^{256}$ and $Y \in (\{0,1\}^{32})^{144}$, $\mathrm{CP}_{R,8}$ is defined as
$$\mathrm{CP}_{R,8}(X, Y) = \mathrm{CPM}[F_3, F_2]\bigl(X, Y, \{\mathrm{CONC}_{R,8,j}^{(32)}\}_{0 \le j < 68}\bigr), \qquad (2.25)$$
where $F_2$ and $F_3$ are the F-functions defined in Sec., and $\{\mathrm{CONC}_{R,8,j}^{(32)}\}_{0 \le j < 68}$ is the set of constants defined in Sec.

Specification of MF

Now we describe the specification of MF.

Step 1. Let $(X_L^{(256)}, X_R^{(256)}) \leftarrow H_i^{(512)}$.
Step 2. Let $\{T_{L,j}^{(32)}\}_{0 \le j < 72} \leftarrow \mathrm{MS}_{L,8}(X_L^{(256)})$.
Step 3. Let $\{T_{R,j}^{(32)}\}_{0 \le j < 72} \leftarrow \mathrm{MS}_{R,8}(X_R^{(256)})$.
Step 4. Let $\{U_j^{(32)}\}_{0 \le j < 144} \leftarrow \mathrm{DR}\bigl(\{T_{L,j}^{(32)}\}_{0 \le j < 72}, \{T_{R,j}^{(32)}\}_{0 \le j < 72}\bigr)$.
Step 5. Let $Y_L^{(256)} \leftarrow \mathrm{CP}_{L,8}\bigl(X_L^{(256)}, \{U_j^{(32)}\}_{0 \le j < 144}\bigr)$.
Step 6. Let $Y_R^{(256)} \leftarrow \mathrm{CP}_{R,8}\bigl(X_R^{(256)}, \{U_j^{(32)}\}_{0 \le j < 144}\bigr)$.
Step 7. Finally, the output is $H_i^{(512)} \leftarrow (Y_L^{(256)} \oplus X_L^{(256)} \,\|\, Y_R^{(256)} \oplus X_R^{(256)})$.

See Fig. 2.10 for an illustration and Fig. for a pseudocode.

[Figure 2.10: $H_i^{(512)} \leftarrow \mathrm{MF}(H_i^{(512)})$. The diagram has the same layout as Fig. 2.9, with $X_L$, $X_R$ taken from $H_i$ as both the scheduled input to $\mathrm{MS}_{L,8}$, $\mathrm{MS}_{R,8}$ and the input to $\mathrm{CP}_{L,8}$, $\mathrm{CP}_{R,8}$, and $Y_L$, $Y_R$ combined with $X_L$, $X_R$ into $Z_L$, $Z_R$ to form the updated $H_i$.]

Mixing Function for Finalization: MFF

The mixing function for finalization MFF is used at the last step of computing the final hash value. MFF is structurally equivalent to MF; the only difference is the constants used in the components. It takes the last chaining value $H_m$ of 512 bits and outputs the updated value $H_m$ of 512 bits, which is the final hash value. It internally uses two message scheduling functions $\mathrm{MS}_{L,9}$ and $\mathrm{MS}_{R,9}$, a data rotating function DR, and two chaining value processing functions $\mathrm{CP}_{L,9}$ and $\mathrm{CP}_{R,9}$, where
$$\begin{aligned}
\mathrm{MS}_{L,9} &: \{0,1\}^{256} \times (\{0,1\}^{32})^{32} \to (\{0,1\}^{32})^{72}, \\
\mathrm{MS}_{R,9} &: \{0,1\}^{256} \times (\{0,1\}^{32})^{32} \to (\{0,1\}^{32})^{72}, \\
\mathrm{DR} &: (\{0,1\}^{32})^{72} \times (\{0,1\}^{32})^{72} \to (\{0,1\}^{32})^{144}, \\
\mathrm{CP}_{L,9} &: \{0,1\}^{256} \times (\{0,1\}^{32})^{144} \times (\{0,1\}^{32})^{68} \to \{0,1\}^{256}, \\
\mathrm{CP}_{R,9} &: \{0,1\}^{256} \times (\{0,1\}^{32})^{144} \times (\{0,1\}^{32})^{68} \to \{0,1\}^{256}.
\end{aligned} \qquad (2.26)$$
These functions are defined below.

Components of MFF

For any $X \in \{0,1\}^{256}$, $\mathrm{MS}_{L,9}$ is defined as
$$\mathrm{MS}_{L,9}(X) = \mathrm{MSM}[F_0, F_1]\bigl(X, \{\mathrm{CONM}_{L,9,j}^{(32)}\}_{0 \le j < 32}\bigr), \qquad (2.27)$$
where $F_0$ and $F_1$ are the F-functions defined in Sec., and $\{\mathrm{CONM}_{L,9,j}^{(32)}\}_{0 \le j < 32}$ is the set of constants defined in Sec.

Similarly, for any $X \in \{0,1\}^{256}$, $\mathrm{MS}_{R,9}$ is defined as
$$\mathrm{MS}_{R,9}(X) = \mathrm{MSM}[F_2, F_3]\bigl(X, \{\mathrm{CONM}_{R,9,j}^{(32)}\}_{0 \le j < 32}\bigr), \qquad (2.28)$$
where $F_2$ and $F_3$ are the F-functions defined in Sec., and $\{\mathrm{CONM}_{R,9,j}^{(32)}\}_{0 \le j < 32}$ is the set of constants defined in Sec.

DR is the data rotating function defined in Sec.

For any $X \in \{0,1\}^{256}$ and $Y \in (\{0,1\}^{32})^{144}$, $\mathrm{CP}_{L,9}$ is defined as
$$\mathrm{CP}_{L,9}(X, Y) = \mathrm{CPM}[F_1, F_0]\bigl(X, Y, \{\mathrm{CONC}_{L,9,j}^{(32)}\}_{0 \le j < 68}\bigr), \qquad (2.29)$$
where $F_0$ and $F_1$ are the F-functions defined in Sec., and $\{\mathrm{CONC}_{L,9,j}^{(32)}\}_{0 \le j < 68}$ is the set of constants defined in Sec.

For any $X \in \{0,1\}^{256}$ and $Y \in (\{0,1\}^{32})^{144}$, $\mathrm{CP}_{R,9}$ is defined as
$$\mathrm{CP}_{R,9}(X, Y) = \mathrm{CPM}[F_3, F_2]\bigl(X, Y, \{\mathrm{CONC}_{R,9,j}^{(32)}\}_{0 \le j < 68}\bigr), \qquad (2.30)$$
where $F_2$ and $F_3$ are the F-functions defined in Sec., and $\{\mathrm{CONC}_{R,9,j}^{(32)}\}_{0 \le j < 68}$ is the set of constants defined in Sec.

Specification of MFF

Now we describe the specification of MFF.

Step 1. Let $(X_L^{(256)}, X_R^{(256)}) \leftarrow H_m^{(512)}$.
Step 2. Let $\{T_{L,j}^{(32)}\}_{0 \le j < 72} \leftarrow \mathrm{MS}_{L,9}(X_L^{(256)})$.
Step 3. Let $\{T_{R,j}^{(32)}\}_{0 \le j < 72} \leftarrow \mathrm{MS}_{R,9}(X_R^{(256)})$.
Step 4. Let $\{U_j^{(32)}\}_{0 \le j < 144} \leftarrow \mathrm{DR}\bigl(\{T_{L,j}^{(32)}\}_{0 \le j < 72}, \{T_{R,j}^{(32)}\}_{0 \le j < 72}\bigr)$.
Step 5. Let $Y_L^{(256)} \leftarrow \mathrm{CP}_{L,9}\bigl(X_L^{(256)}, \{U_j^{(32)}\}_{0 \le j < 144}\bigr)$.
Step 6. Let $Y_R^{(256)} \leftarrow \mathrm{CP}_{R,9}\bigl(X_R^{(256)}, \{U_j^{(32)}\}_{0 \le j < 144}\bigr)$.
Step 7. Finally, the output is $H_m^{(512)} \leftarrow (Y_L^{(256)} \oplus X_L^{(256)} \,\|\, Y_R^{(256)} \oplus X_R^{(256)})$.

See Fig. for a pseudocode.

2.6 Specification of AURORA-384

AURORA-384 takes an input message of length at most $512 \cdot (2^{64} - 1)$ bits and outputs a hash value of 384 bits. It uses the same padding function Pad, compression functions $\mathrm{CF}_0, \mathrm{CF}_1, \ldots, \mathrm{CF}_7$, mixing function MF and mixing function for finalization MFF as AURORA-512 defined in Sec. The difference is that AURORA-384 uses $H_0 = 1^{512}$ as the initial value, and the output of MFF is truncated to 384 bits by the truncation function $\mathrm{TF}_{384}$.

The truncation function $\mathrm{TF}_{384}(\cdot) : \{0,1\}^{512} \to \{0,1\}^{384}$ first parses the input $H_m^{(512)}$ into a sequence of bytes $H_m^{(512)} = (m_0^{(8)}, m_1^{(8)}, \ldots, m_{63}^{(8)})$ and drops the bytes $m_6$, $m_7$, $m_{14}$, $m_{15}$, $m_{22}$, $m_{23}$, $m_{30}$, $m_{31}$, $m_{38}$, $m_{39}$, $m_{46}$, $m_{47}$, $m_{54}$, $m_{55}$, $m_{62}$ and $m_{63}$ to produce the 384-bit hash value $H_m^{(384)} = (m_0'^{(8)}, m_1'^{(8)}, \ldots, m_{47}'^{(8)})$. That is, for the 512-bit input $H_m^{(512)} = (m_0^{(8)}, m_1^{(8)}, \ldots, m_{63}^{(8)})$, the 384-bit output is $H_m^{(384)} = (m_0'^{(8)}, m_1'^{(8)}, \ldots, m_{47}'^{(8)})$, where
$$\begin{aligned}
m_i' &= m_i      &&\text{for } 0 \le i \le 5,  & m_i' &= m_{i+2}  &&\text{for } 6 \le i \le 11, \\
m_i' &= m_{i+4}  &&\text{for } 12 \le i \le 17, & m_i' &= m_{i+6}  &&\text{for } 18 \le i \le 23, \\
m_i' &= m_{i+8}  &&\text{for } 24 \le i \le 29, & m_i' &= m_{i+10} &&\text{for } 30 \le i \le 35, \\
m_i' &= m_{i+12} &&\text{for } 36 \le i \le 41, & m_i' &= m_{i+14} &&\text{for } 42 \le i \le 47.
\end{aligned}$$

Now we describe the specification of AURORA-384.

Step 1. The input message $M$ is first padded with $\mathrm{Pad}(\cdot)$ in (2.10), and the result $\mathrm{Pad}(M)$ is divided into blocks $M_0, M_1, \ldots, M_{m-1}$, each of length 512 bits, i.e., let $(M_0^{(512)}, M_1^{(512)}, \ldots, M_{m-1}^{(512)}) \leftarrow \mathrm{Pad}(M)$.
Step 2. Let $H_0^{(512)} = 1^{512}$, and compute $H_1^{(512)}, H_2^{(512)}, \ldots, H_m^{(512)}$ by iterating the following operations for $i = 0$ to $m - 1$.
    $H_{i+1} \leftarrow \mathrm{CF}_{i \bmod 8}(H_i, M_i)$
    if $(0 < i < m - 1) \wedge (i \bmod 8 = 7)$ then $H_{i+1} \leftarrow \mathrm{MF}(H_{i+1})$
Step 3. Let $H_m^{(512)} \leftarrow \mathrm{MFF}(H_m^{(512)})$, and output $H_m^{(384)} \leftarrow \mathrm{TF}_{384}(H_m^{(512)})$.

See Fig. for a pseudocode.
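The two domain-extension schedules specified in Sections 2.4 to 2.6 (CF then FF for AURORA-224/256; $\mathrm{CF}_{i \bmod 8}$ with MF after every eighth non-final block and MFF at the end for AURORA-384/512) and the truncation functions $\mathrm{TF}_{224}$ and $\mathrm{TF}_{384}$, written out as an added example that is not code from the AURORA submission. The primitives CF, FF, $\mathrm{CF}_s$, MF and MFF are not defined on this page, so the drivers take them as callables, and the tracing harness substitutes stand-ins that only record their own names.

```python
"""Added example: AURORA domain-extension schedules and truncation functions.

Not the submitters' code.  The AURORA primitives (CF, FF, CF_0..CF_7, MF, MFF)
are passed in by the caller; the trace_* functions use name-recording stand-ins
in their place to check the order in which the primitives are applied."""
from typing import Callable, List, Sequence

Compress = Callable[[bytes, bytes], bytes]  # (chaining value, message block) -> chaining value
Mix = Callable[[bytes], bytes]               # chaining value -> chaining value


def tf224(h: bytes) -> bytes:
    """TF_224 (Sec. 2.4): parse the 256-bit value into bytes m_0..m_31 and drop
    m_7, m_15, m_23 and m_31, i.e. the last byte of every 8-byte group."""
    if len(h) != 32:
        raise ValueError("TF_224 expects a 256-bit (32-byte) input")
    return bytes(b for i, b in enumerate(h) if i % 8 != 7)


def tf384(h: bytes) -> bytes:
    """TF_384 (Sec. 2.6): parse the 512-bit value into bytes m_0..m_63 and drop
    m_6, m_7, m_14, m_15, ..., m_62, m_63, i.e. the last two bytes of every 8-byte group."""
    if len(h) != 64:
        raise ValueError("TF_384 expects a 512-bit (64-byte) input")
    return bytes(b for i, b in enumerate(h) if i % 8 < 6)


def md_with_finalization(blocks: Sequence[bytes], iv: bytes, cf: Compress, ff: Compress) -> bytes:
    """AURORA-224/256 iteration (Sec. 2.4, Steps 2-3): CF on blocks M_0..M_{m-2},
    then FF on the last block.  For a single-block message only FF runs."""
    if not blocks:
        raise ValueError("Pad(M) always yields at least one block")
    h = iv
    for mi in blocks[:-1]:
        h = cf(h, mi)
    return ff(h, blocks[-1])


def dmmd(blocks: Sequence[bytes], iv: bytes, cfs: Sequence[Compress], mf: Mix, mff: Mix) -> bytes:
    """AURORA-384/512 iteration (Sec. 2.5, Steps 2-3): block i goes through
    CF_{i mod 8}; after every eighth block that is not the last one, MF re-mixes
    the chaining value; MFF is applied once at the end."""
    if len(cfs) != 8:
        raise ValueError("DMMD needs the eight compression functions CF_0..CF_7")
    if not blocks:
        raise ValueError("Pad(M) always yields at least one block")
    m = len(blocks)
    h = iv
    for i, mi in enumerate(blocks):
        h = cfs[i % 8](h, mi)
        if 0 < i < m - 1 and i % 8 == 7:
            h = mf(h)
    return mff(h)


def trace_dmmd_schedule(m: int) -> List[str]:
    """Order of primitive calls for an m-block padded message under DMMD,
    using stand-ins that log their name and pass the state through unchanged."""
    log: List[str] = []

    def make_cf(s: int) -> Compress:
        def cf(h: bytes, mi: bytes) -> bytes:
            log.append(f"CF{s}")
            return h
        return cf

    def mf(h: bytes) -> bytes:
        log.append("MF")
        return h

    def mff(h: bytes) -> bytes:
        log.append("MFF")
        return h

    blocks = [bytes(64)] * m  # constructed dummy 512-bit blocks
    dmmd(blocks, bytes(64), [make_cf(s) for s in range(8)], mf, mff)
    return log


def trace_md_schedule(m: int) -> List[str]:
    """Order of primitive calls for the AURORA-224/256 chain: CF m-1 times, then FF."""
    log: List[str] = []

    def cf(h: bytes, mi: bytes) -> bytes:
        log.append("CF")
        return h

    def ff(h: bytes, mi: bytes) -> bytes:
        log.append("FF")
        return h

    md_with_finalization([bytes(64)] * m, bytes(32), cf, ff)
    return log


if __name__ == "__main__":
    print(trace_dmmd_schedule(9))   # CF0..CF7, MF, CF0, MFF
    print(trace_dmmd_schedule(8))   # CF0..CF7, MFF: no MF, since i = 7 is the last block
    sample = bytes(range(64))       # constructed 512-bit value standing in for H_m
    print(tf384(sample).hex())
    print(tf224(sample[:32]).hex())
```

Running the tracer for m = 8 against m = 9 shows the boundary condition in Step 2: MF is applied only when the eighth block of a group is not the final block, which is why the schedule for eight blocks ends CF7, MFF without a mixing step.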


More information

Security Analysis of the Compression Function of Lesamnta and its Impact

Security Analysis of the Compression Function of Lesamnta and its Impact Security Analysis of the Compression Function of Lesamnta and its Impact Shoichi Hirose 1, Hidenori Kuwakado 2, Hirotaka Yoshida 3, 4 1 University of Fukui hrs shch@u-fukui.ac.jp 2 Kobe University kuwakado@kobe-u.ac.jp

More information

Security II: Cryptography exercises

Security II: Cryptography exercises Security II: Cryptography exercises Markus Kuhn Lent 2015 Part II Some of the exercises require the implementation of short programs. The model answers use Perl (see Part IB Unix Tools course), but you

More information

Preimage and Pseudo-Collision Attacks on Step-Reduced SM3 Hash Function

Preimage and Pseudo-Collision Attacks on Step-Reduced SM3 Hash Function Preimage and Pseudo-Collision Attacks on Step-Reduced SM3 Hash Function Gaoli Wang 1 and Yanzhao Shen 1 1 School of Computer Science and Technology, Donghua University, Shanghai 201620, China wanggaoli@dhu.edu.cn,

More information

ACCRS/QUALITY CORE CORRELATION DOCUMENT: ALGEBRA I

ACCRS/QUALITY CORE CORRELATION DOCUMENT: ALGEBRA I ACCRS/QUALITY CORE CORRELATION DOCUMENT: ALGEBRA I Revised March 25, 2013 Extend the properties of exponents to rational exponents. 1. [N-RN1] Explain how the definition of the meaning of rational exponents

More information

Cryptanalysis of the 10-Round Hash and Full Compression Function of SHAvite-3-512

Cryptanalysis of the 10-Round Hash and Full Compression Function of SHAvite-3-512 Downloaded from orbit.dtu.dk on: Jan 8, 219 Cryptanalysis of the 1-Round Hash and Full Compression Function of SHAvite-3-512 Gauravaram, Praveen; Leurent, Gaëtan; Mendel, Florian; Plasencia, Maria Naya;

More information

Preimage Attacks on Reduced Tiger and SHA-2

Preimage Attacks on Reduced Tiger and SHA-2 Preimage Attacks on Reduced Tiger and SHA-2 Takanori Isobe and Kyoji Shibutani Sony Corporation 1-7-1 Konan, Minato-ku, Tokyo 108-0075, Japan {Takanori.Isobe,Kyoji.Shibutani}@jp.sony.com Abstract. This

More information

An introduction to Hash functions

An introduction to Hash functions An introduction to Hash functions Anna Rimoldi eriscs - Universitée de la Méditerranée, Marseille Secondo Workshop di Crittografia BunnyTN 2011 A. Rimoldi (eriscs) Hash function 12 September 2011 1 / 27

More information

2: Iterated Cryptographic Hash Functions

2: Iterated Cryptographic Hash Functions 2: Iterated ryptographic Hash Functions we want hash function H : ({0, 1} n ) {0, 1} n of potentially infinite input size instead we have compression function F : {0, 1} m {0, 1} n {0, 1} n and define

More information

Hashes and Message Digests Alex X. Liu & Haipeng Dai

Hashes and Message Digests Alex X. Liu & Haipeng Dai Hashes and Message Digests Alex X. Liu & Haipeng Dai haipengdai@nju.edu.cn 313 CS Building Department of Computer Science and Technology Nanjing University Integrity vs. Secrecy Integrity: attacker cannot

More information

Complementing Feistel Ciphers

Complementing Feistel Ciphers Complementing Feistel Ciphers Alex Biryukov 1 and Ivica Nikolić 2 1 University of Luxembourg 2 Nanyang Technological University, Singapore alex.biryukov@uni.lu inikolic@ntu.edu.sg Abstract. In this paper,

More information

Breaking H 2 -MAC Using Birthday Paradox

Breaking H 2 -MAC Using Birthday Paradox Breaking H 2 -MAC Using Birthday Paradox Fanbao Liu 1,2, Tao Xie 1 and Changxiang Shen 2 1 School of Computer, National University of Defense Technology, Changsha, 410073, Hunan, P. R. China 2 School of

More information

Parallel Cube Tester Analysis of the CubeHash One-Way Hash Function

Parallel Cube Tester Analysis of the CubeHash One-Way Hash Function Parallel Cube Tester Analysis of the CubeHash One-Way Hash Function Alan Kaminsky Department of Computer Science B. Thomas Golisano College of Computing and Information Sciences Rochester Institute of

More information

On High-Rate Cryptographic Compression Functions

On High-Rate Cryptographic Compression Functions On High-Rate Cryptographic Compression Functions Richard Ostertág and Martin Stanek Department o Computer Science Faculty o Mathematics, Physics and Inormatics Comenius University Mlynská dolina, 842 48

More information

CIS 6930/4930 Computer and Network Security. Topic 4. Cryptographic Hash Functions

CIS 6930/4930 Computer and Network Security. Topic 4. Cryptographic Hash Functions CIS 6930/4930 Computer and Network Security Topic 4. Cryptographic Hash Functions 1 The SHA-1 Hash Function 2 Secure Hash Algorithm (SHA) Developed by NIST, specified in the Secure Hash Standard, 1993

More information

Algebraic properties of SHA-3 and notable cryptanalysis results

Algebraic properties of SHA-3 and notable cryptanalysis results Algebraic properties of SHA-3 and notable cryptanalysis results Christina Boura University of Versailles, France ICMC 2015, January 9, 2014 1 / 51 Cryptographic Hash Functions H : {0,1} {0,1} n m H h =

More information

Leftovers from Lecture 3

Leftovers from Lecture 3 Leftovers from Lecture 3 Implementing GF(2^k) Multiplication: Polynomial multiplication, and then remainder modulo the defining polynomial f(x): (1,1,0,1,1) *(0,1,0,1,1) = (1,1,0,0,1) For small size finite

More information

SMASH - A Cryptographic Hash Function

SMASH - A Cryptographic Hash Function SMASH - A Cryptographic Hash Function Lars R. Knudsen Department of Mathematics, Technical University of Denmark Abstract. 1 This paper presents a new hash function design, which is different from the

More information

Introduction to Cybersecurity Cryptography (Part 4)

Introduction to Cybersecurity Cryptography (Part 4) Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message

More information

Cryptographic Hash Functions Part II

Cryptographic Hash Functions Part II Cryptographic Hash Functions Part II Cryptography 1 Andreas Hülsing, TU/e Some slides by Sebastiaan de Hoogh, TU/e Hash function design Create fixed input size building block Use building block to build

More information

Some Attacks on Merkle-Damgård Hashes

Some Attacks on Merkle-Damgård Hashes Overview Some Attacks on Merkle-Damgård Hashes John Kelsey, NIST and KU Leuven May 8, 2018 m 0 m 1 m 2 m 3 10*L h 0 h 1 h 2 h final Introduction 1 / 63 Overview Cryptographic Hash unctions Thinking About

More information

Evaluation Report. Security Level of Cryptography SHA-384 and SHA- 512

Evaluation Report. Security Level of Cryptography SHA-384 and SHA- 512 Branche Développement France Télécom R&D FTR&D/DTL/SSR/80/HG Evaluation Report Security Level of Cryptography SHA-384 and SHA- 512 Dr. Henri Gilbert Dr. Helena Handschuh France Télécom R&D DTL/SSR Gemplus

More information

Beyond the MD5 Collisions

Beyond the MD5 Collisions Beyond the MD5 Collisions Daniel Joščák Daniel.Joscak@i.cz S.ICZ a.s. Hvězdova 1689/2a, 140 00 Prague 4; Faculty of Mathematics and Physics, Charles University, Prague Abstract We summarize results and

More information

Practical Free-Start Collision Attacks on 76-step SHA-1

Practical Free-Start Collision Attacks on 76-step SHA-1 Practical Free-Start Collision Attacks on 76-step SHA-1 Inria and École polytechnique, France Nanyang Technological University, Singapore Joint work with Thomas Peyrin and Marc Stevens CWI, Amsterdam 2015

More information

The MD6 hash function

The MD6 hash function The MD6 hash function Ronald L. Rivest Computer Science and Artificial Intelligence Laboratory Massachusetts Institute of Technology Cambridge, MA 02139 rivest@mit.edu Benjamin Agre Daniel V. Bailey Sarah

More information

Introduction. Outline. CSC/ECE 574 Computer and Network Security. Secret Keys or Secret Algorithms? Secrets? (Cont d) Secret Key Cryptography

Introduction. Outline. CSC/ECE 574 Computer and Network Security. Secret Keys or Secret Algorithms? Secrets? (Cont d) Secret Key Cryptography Outline CSC/ECE 574 Computer and Network Security Introductory Remarks Feistel Cipher DES AES Topic 3.1 Secret Key Cryptography Algorithms CSC/ECE 574 Dr. Peng Ning 1 CSC/ECE 574 Dr. Peng Ning 2 Secret

More information

Security Properties of Domain Extenders for Cryptographic Hash Functions

Security Properties of Domain Extenders for Cryptographic Hash Functions Security Properties of Domain Extenders for Cryptographic Hash Functions Elena Andreeva, Bart Mennink, and Bart Preneel Abstract Cryptographic hash functions reduce inputs of arbitrary or very large length

More information

Developing a Distributed Java-based Speech Recognition Engine

Developing a Distributed Java-based Speech Recognition Engine The ITB Journal Volume 5 Issue 1 Article 2 2004 Developing a Distributed Java-based Speech Recognition Engine Tony Ayers Institute of Technology Blanchardstown, tony.ayers@itb.ie Brian Nolan Institute

More information

3C - A Provably Secure Pseudorandom Function and Message Authentication Code. A New mode of operation for Cryptographic Hash Function

3C - A Provably Secure Pseudorandom Function and Message Authentication Code. A New mode of operation for Cryptographic Hash Function 3C - A Provably Secure Pseudorandom Function and Message Authentication Code. A New mode of operation for Cryptographic Hash Function Praveen Gauravaram 1, William Millan 1, Juanma Gonzalez Neito 1, Edward

More information

Introduction to Cybersecurity Cryptography (Part 4)

Introduction to Cybersecurity Cryptography (Part 4) Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message

More information

Selma City Schools Curriculum Pacing Guide Grades Subject: Algebra II Effective Year:

Selma City Schools Curriculum Pacing Guide Grades Subject: Algebra II Effective Year: Selma City Schools Curriculum Pacing Guide Grades 9-12 Subject: Algebra II Effective Year: 2013-14 Nine 1 Nine 2 Nine 3 Nine 4 X X Time CC COS QC Literacy DOK Lesson References/Activities Date Taught Test

More information

Online Cryptography Course. Collision resistance. Introduc3on. Dan Boneh

Online Cryptography Course. Collision resistance. Introduc3on. Dan Boneh Online Cryptography Course Collision resistance Introduc3on Recap: message integrity So far, four MAC construc3ons: PRFs ECBC- MAC, CMAC : commonly used with AES (e.g. 802.11i) NMAC : basis of HMAC (this

More information

1 Cryptographic hash functions

1 Cryptographic hash functions CSCI 5440: Cryptography Lecture 6 The Chinese University of Hong Kong 24 October 2012 1 Cryptographic hash functions Last time we saw a construction of message authentication codes (MACs) for fixed-length

More information

How (not) to efficiently dither blockcipher-based hash functions?

How (not) to efficiently dither blockcipher-based hash functions? How (not) to efficiently dither blockcipher-based hash functions? Jean-Philippe Aumasson, Raphael C.-W. Phan FHNW, Switzerland Loughborough University, UK 1 / 29 CONTENT OF THE TALK Dithered hashing Blockcipher-based

More information

Hash Functions. A hash function h takes as input a message of arbitrary length and produces as output a message digest of fixed length.

Hash Functions. A hash function h takes as input a message of arbitrary length and produces as output a message digest of fixed length. Hash Functions 1 Hash Functions A hash function h takes as input a message of arbitrary length and produces as output a message digest of fixed length. 0 1 1 0 1 0 0 1 Long Message Hash Function 1 1 1

More information

Provable Chosen-Target-Forced-Midx Preimage Resistance

Provable Chosen-Target-Forced-Midx Preimage Resistance Provable Chosen-Target-Forced-Midx Preimage Resistance Elena Andreeva and Bart Mennink (K.U.Leuven) Selected Areas in Cryptography Toronto, Canada August 11, 2011 1 / 15 Introduction Hash Functions 2 /

More information

The MD6 hash function A proposal to NIST for SHA-3

The MD6 hash function A proposal to NIST for SHA-3 The MD6 hash function A proposal to NIST for SHA-3 Ronald L. Rivest Computer Science and Artificial Intelligence Laboratory Massachusetts Institute of Technology Cambridge, MA 02139 rivest@mit.edu Benjamin

More information

Methods and Tools for Analysis of Symmetric Cryptographic Primitives

Methods and Tools for Analysis of Symmetric Cryptographic Primitives Methods and Tools for Analysis of Symmetric Cryptographic Primitives Oleksandr Kazymyrov University of Bergen Norway 14th of October, 2014 Oleksandr Kazymyrov Methods and Tools for Analysis of Symmetric

More information

Cryptography and Security Final Exam

Cryptography and Security Final Exam Cryptography and Security Final Exam Solution Serge Vaudenay 29.1.2018 duration: 3h no documents allowed, except one 2-sided sheet of handwritten notes a pocket calculator is allowed communication devices

More information

The Security of Abreast-DM in the Ideal Cipher Model

The Security of Abreast-DM in the Ideal Cipher Model The Security of breast-dm in the Ideal Cipher Model Jooyoung Lee, Daesung Kwon The ttached Institute of Electronics and Telecommunications Research Institute Yuseong-gu, Daejeon, Korea 305-390 jlee05@ensec.re.kr,ds

More information

Nanyang Technological University, Singapore École normale supérieure de Rennes, France

Nanyang Technological University, Singapore École normale supérieure de Rennes, France Analysis of BLAKE2 Jian Guo Pierre Karpman Ivica Nikolić Lei Wang Shuang Wu Nanyang Technological University, Singapore École normale supérieure de Rennes, France The Cryptographer s Track at the RSA Conference,

More information

CS533 Fall 2017 HW5 Solutions. CS533 Information Retrieval Fall HW5 Solutions

CS533 Fall 2017 HW5 Solutions. CS533 Information Retrieval Fall HW5 Solutions CS533 Information Retrieval Fall 2017 HW5 Solutions Q1 a) For λ = 1, we select documents based on similarity Thus, d 1> d 2> d 4> d 3 Start with d 1, S = {d1} R\S = { d 2, d 4, d 3} MMR(d 2) = 0.7 Maximum.

More information