AURORA: A Cryptographic Hash Algorithm Family

Similar documents
The Advanced Encryption Standard

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 9: Encryption modes. AES

The Hash Function JH 1

Secret Key Systems (block encoding) Encrypting a small block of text (say 64 bits) General considerations for cipher design:

Introduction. CSC/ECE 574 Computer and Network Security. Outline. Introductory Remarks Feistel Cipher DES AES

Improved S-Box Construction from Binomial Power Functions

The Hash Function Fugue

Cryptographic Hash Function. Norwegian University of Science and Technology. Trondheim, Norway

Practical Free-Start Collision Attacks on full SHA-1

CHAPTER 5 A BLOCK CIPHER INVOLVING A KEY APPLIED ON BOTH THE SIDES OF THE PLAINTEXT

A Very Efficient Pseudo-Random Number Generator Based On Chaotic Maps and S-Box Tables M. Hamdi, R. Rhouma, S. Belghith

The Rijndael Block Cipher

ARIRANG. Designed by CIST ARIRANG. Designed by CIST. Algorithm Name : ARIRANG

Introduction to Information Security

Applications of Finite Sets Jeremy Knight Final Oral Exam Texas A&M University March 29 th 2012

Foundations of Network and Computer Security

Foundations of Network and Computer Security

Cryptanalysis of Edon-R

Week 12: Hash Functions and MAC

Cryptographic Hashes. Yan Huang. Credits: David Evans, CS588

Invariant Subspace Attack Against Full Midori64

MASKED INVERSION IN GF(2 N ) USING MIXED FIELD REPRESENTATIONS AND ITS EFFICIENT IMPLEMENTATION FOR AES

Linearization and Message Modification Techniques for Hash Function Cryptanalysis

ENEE 459-C Computer Security. Message authentication (continue from previous lecture)

Low-weight Pseudo Collision Attack on Shabal and Preimage Attack on Reduced Shabal-512

Pseudo-cryptanalysis of the Original Blue Midnight Wish

4.3 Analog Value Representation

Lecture 14: Cryptographic Hash Functions

Avoiding collisions Cryptographic hash functions. Table of contents

REU 2015: Complexity Across Disciplines. Introduction to Cryptography

A Composition Theorem for Universal One-Way Hash Functions

Attacks on hash functions. Birthday attacks and Multicollisions

Type 1.x Generalized Feistel Structures

Understanding Cryptography A Textbook for Students and Practitioners by Christof Paar and Jan Pelzl. Chapter 11 Hash Functions ver.

CPSC 467: Cryptography and Computer Security

Cryptographic Hash Function

Unit 3. Digital encoding

An Improved Fast and Secure Hash Algorithm

Message Authentication Codes (MACs)

New Attacks on the Concatenation and XOR Hash Combiners

SMASH - A Cryptographic Hash Function

Public-key Cryptography: Theory and Practice

Keccak sponge function family main document

Cryptographic Hash Functions

Distinguishing Attacks on MAC/HMAC Based on A New Dedicated Compression Function Framework

Impossible Differential-Linear Cryptanalysis of Reduced-Round CLEFIA-128

REU 2015: Complexity Across Disciplines. Introduction to Cryptography

From 5-pass MQ-based identification to MQ-based signatures

ECS 189A Final Cryptography Spring 2011

Domain Extender for Collision Resistant Hash Functions: Improving Upon Merkle-Damgård Iteration

New attacks on Keccak-224 and Keccak-256

A B CDE F B FD D A C AF DC A F

CPSC 467: Cryptography and Computer Security

Sponge Functions. 1 Introduction. Guido Bertoni 1, Joan Daemen 1, Michaël Peeters 2, and Gilles Van Assche 1

Specification on a Block Cipher : Hierocrypt L1

Hash Functions. Ali El Kaafarani. Mathematical Institute Oxford University. 1 of 34

Functional Graph Revisited: Updates on (Second) Preimage Attacks on Hash Combiners

Cryptanalysis on HMAC/NMAC-MD5 and MD5-MAC

STRIBOB : Authenticated Encryption

Security Analysis of the Compression Function of Lesamnta and its Impact

Security II: Cryptography exercises

Preimage and Pseudo-Collision Attacks on Step-Reduced SM3 Hash Function

ACCRS/QUALITY CORE CORRELATION DOCUMENT: ALGEBRA I

Cryptanalysis of the 10-Round Hash and Full Compression Function of SHAvite-3-512

Preimage Attacks on Reduced Tiger and SHA-2

An introduction to Hash functions

2: Iterated Cryptographic Hash Functions

Hashes and Message Digests Alex X. Liu & Haipeng Dai

Complementing Feistel Ciphers

Breaking H 2 -MAC Using Birthday Paradox

Parallel Cube Tester Analysis of the CubeHash One-Way Hash Function

On High-Rate Cryptographic Compression Functions

CIS 6930/4930 Computer and Network Security. Topic 4. Cryptographic Hash Functions

Algebraic properties of SHA-3 and notable cryptanalysis results

Leftovers from Lecture 3

SMASH - A Cryptographic Hash Function

Introduction to Cybersecurity Cryptography (Part 4)

Cryptographic Hash Functions Part II

Some Attacks on Merkle-Damgård Hashes

Evaluation Report. Security Level of Cryptography SHA-384 and SHA- 512

Beyond the MD5 Collisions

Practical Free-Start Collision Attacks on 76-step SHA-1

The MD6 hash function

Introduction. Outline. CSC/ECE 574 Computer and Network Security. Secret Keys or Secret Algorithms? Secrets? (Cont d) Secret Key Cryptography

Security Properties of Domain Extenders for Cryptographic Hash Functions

Developing a Distributed Java-based Speech Recognition Engine

3C - A Provably Secure Pseudorandom Function and Message Authentication Code. A New mode of operation for Cryptographic Hash Function

Introduction to Cybersecurity Cryptography (Part 4)

Selma City Schools Curriculum Pacing Guide Grades Subject: Algebra II Effective Year:

Online Cryptography Course. Collision resistance. Introduc3on. Dan Boneh

1 Cryptographic hash functions

How (not) to efficiently dither blockcipher-based hash functions?

Hash Functions. A hash function h takes as input a message of arbitrary length and produces as output a message digest of fixed length.

Provable Chosen-Target-Forced-Midx Preimage Resistance

The MD6 hash function A proposal to NIST for SHA-3

Methods and Tools for Analysis of Symmetric Cryptographic Primitives

Cryptography and Security Final Exam

The Security of Abreast-DM in the Ideal Cipher Model

Nanyang Technological University, Singapore École normale supérieure de Rennes, France

CS533 Fall 2017 HW5 Solutions. CS533 Information Retrieval Fall HW5 Solutions

Transcription:

AURORA: A Cryptographic Hash Algorithm Family Submitters: Sony Corporation 1 and Nagoya University 2 Algorithm Designers: Tetsu Iwata 2, Kyoji Shibutani 1, Taizo Shirai 1, Shiho Moriai 1, Toru Akishita 1 January 9, 2009

2

Executive Summary We present a new hash function family AURORA as a candidate for a new cryptographic hash algorithm (SHA-3) family. The hash function family AURORA consists of the algorithms: AURORA- 224, AURORA-, AURORA-34, AURORA-512, AURORA-224M, and AURORA-M, where AURORA-224M and AURORA-M are optional instances that are designed to have multicollision resistance. AURORA-224 and AURORA- are constructed from the secure and efficient compression function using a security-enhanced Merkle-Damgård transform, i.e., the strengthened Merkle- Damgård transform with the finalization function. The compression function is designed based on the well-established design techniques for blockciphers, and uses the Davies-Meyer construction. Since most of existing attacks on hash functions exploited simplicity of message scheduling, we employ a secure message scheduling, which is a different design philosophy from the MDx family including SHA-2. AURORA-34 and AURORA-512 employ a novel domain extension transform called the Double- Mix Merkle-Damgård (DMMD) transform. The DMMD transform consists of two parallel lines of the compression functions and the mixing functions inserted at intervals. This domain extension transform enables an efficient collision-resistant construction for double length hash functions. Furthermore, the combination of the compression function and the DMMD transform achieves further efficiency by sharing the message scheduling of two compression functions. The overall structure of AURORA-224M and AURORA-M is the same as AURORA- 34/512 except constants and the final mixing function. The DMMD transform also opens a new efficient way of providing multi-collision resistance. By using the DMMD transform, AURORA- 224M and AURORA-M efficiently achieve multi-collision resistance. As a result, the AURORA family achieves consistency of the design, because all algorithms use similar -bit compression functions as building blocks. Moreover, the AURORA family achieves high efficiency on many platforms. In software implementation on the NIST reference platform (64-bit), AURORA- achieves 15.4 cycles/byte and AURORA-512 achieves 27.4 cycles/byte. Also, AURORA shows good performance across a variety of platforms, because it uses platform-independent operations. In hardware implementation, AU- RORA enables a variety of implementations, from high-speed to area-restricted implementations. Using a 0.13µm CMOS ASIC library, AURORA- can be implemented with only 11.1 Kgates in an area-optimized implementation. In a speed-optimized implementation, AURORA- achieves the highest throughput of 10.4 Gbps. For AURORA-512, the smallest size is 14.6 Kgates and the highest throughput is 9.1 Gbps. These good performance both in hardware and in software in a single algorithm family which is based on the above design techniques makes a clear distinction between the AURORA family and the SHA-2 family. 3

4

Contents 1 Introduction 7 2 Specification of AURORA 11 2.1 Notation.......................................... 11 2.2 Building Blocks...................................... 13 2.2.1 Message Scheduling Module: MSM....................... 13 2.2.2 Chaining Value Processing Module: CPM................... 13 2.2.3 Byte Diffusion Function: BD.......................... 15 2.2.4 F-Functions: F 0, F 1, F 2, and F 3........................ 17 2.2.5 Data Rotating Function: DR.......................... 19 2.3 Specification of AURORA-.............................. 21 2.3.1 Overall Structure................................. 21 2.3.2 Compression Function: CF........................... 21 2.3.3 Finalization Function: FF............................ 23 2.3.4 Alternate Method for Computing CF and FF................. 25 2.4 Specification of AURORA-224.............................. 27 2.5 Specification of AURORA-512.............................. 2 2.5.1 Overall Structure................................. 2 2.5.2 Compression Functions: CF 0, CF 1,..., CF 7.................. 2 2.5.3 Mixing Function: MF.............................. 30 2.5.4 Mixing Function for Finalization: MFF.................... 32 2.6 Specification of AURORA-34.............................. 34 2.7 Specification of AURORA-M (optional)...................... 35 2.7.1 Overall Structure................................. 35 2.7.2 Compression Functions: CF M 0, CF M 1,..., CF M 7................ 35 2.7.3 Mixing Function: MF M............................. 37 2.7.4 Mixing Function for Finalization: MFF M................... 37 2. Specification of AURORA-224M (optional)...................... 40 2.9 Constant Values..................................... 41 2.9.1 Constant Values for AURORA-224/.................... 41 2.9.2 Constant Values for AURORA-34/512.................... 42 2.9.3 Constant Values for AURORA-224M/M.................. 43 2.9.4 List of Constant Values............................. 44 2.10 Pseudocodes........................................ 47 2.11 AURORA Examples................................... 53 3 Design Rationale of AURORA 55 3.1 AURORA-....................................... 55 3.1.1 Domain Extension................................ 55 3.1.2 Compression Function.............................. 56 3.2 AURORA-512....................................... 56 3.2.1 Domain Extension Double-Mix Merkle-Damgård transform........ 56 5

3.2.2 Compression Function.............................. 5 3.3 AURORA-M..................................... 5 3.3.1 Domain Extension................................ 5 3.3.2 Compression Function.............................. 59 3.4 Components and Constants............................... 59 3.4.1 AURORA Structure............................... 59 3.4.2 F-function..................................... 60 3.4.3 Data Rotating Function............................. 63 3.4.4 Truncation Functions.............................. 63 3.4.5 Constant Generation............................... 64 3.4.6 Initial Value.................................... 65 4 Security of AURORA 67 4.1 Expected Strength.................................... 67 4.2 Security Argument.................................... 67 4.2.1 Security of HMAC using AURORA....................... 67 4.2.2 Security Proofs of DMMD Transform..................... 69 4.2.3 Security Properties of AURORA structure................... 2 4.3 Algorithm Analysis.................................... 4 4.3.1 Collision Attacks................................. 4 4.3.2 Preimage Attacks................................. 7 4.3.3 Second Preimage Attacks............................ 9 4.3.4 Length-Extension Attack............................ 90 4.3.5 Multicollision Attack............................... 90 4.3.6 Slide Attacks................................... 90 4.4 Tunable Security Parameters.............................. 91 4.4.1 Number of Rounds................................ 91 4.4.2 Variable Hash Size................................ 91 5 Efficient Implementation of AURORA 93 5.1 Software Implementation................................. 93 5.1.1 Implementation Types.............................. 93 5.1.2 Evaluation Results................................ 99 5.2 Hardware Implementation................................ 107 5.2.1 Optimization Techniques of F-functions.................... 107 5.2.2 Data Path Architectures............................. 10 5.2.3 Evaluation Results................................ 116 6 Applications of AURORA 119 6.1 Digital Signature..................................... 119 6.2 Keyed-Hash Message Authentication Code (HMAC)................. 119 6.3 Key Establishment Schemes Using Discrete Logarithm Cryptography........ 120 6.4 Random Number Generation Using Deterministic Random Bit Generators..... 120 7 Advantages and Limitations 121 6

Chapter 1 Introduction This document describes the algorithm specifications and supporting documentation including design rationale, security, efficient implementation, applications, advantages and limitations of the hash function family AURORA, which we submit as a candidate for a new cryptographic hash algorithm (SHA-3) family. Since SHA-3 is expected to provide a substitute of the SHA-2 family, AURORA is designed to preserve certain properties of the SHA-2 family including the input parameters, the output sizes, collision resistance, preimage resistance, second-preimage resistance, and the one-pass streaming mode of execution, according to the requirements for SHA-3 candidates [3]. Moreover, AURORA is designed to offer features that exceed the SHA-2 family. AURORA is designed based on the following design philosophy: Security: Its security level should be guaranteed by security proofs or security arguments as far as possible. There is no known structural weakness in the design of the domain extension transform, and the security of the hash function is supported by security proofs. In the design of a compression function, the structure and the components should be chosen to facilitate analysis and to utilize the well-established techniques for blockcipher design and analysis. It should be designed based on different design criteria from the MDx family including SHA-2 so that a possibly successful attack on SHA-2 is unlikely to be applicable to it. Implementation Efficiency and Flexibility: It should be designed to have better efficiency than the SHA-2 family on many platforms. Also, it should be designed to be less platform-specific. It should be implemented efficiently in a wide range of software platforms (32-bit, 64- bit and -bit processors with various compilers and operating systems) without too dedicated optimization techniques for specific processors. It should be suitable to flexible hardware implementations with wide variety of area/speed trade-offs. Originality: It should contain technical breakthroughs to improve security and/or efficiency, not just a combination of existing techniques. Similarity among the Algorithm Family: According to the NIST requirements [3] (NIST does not intend to select a wholly distinct algorithm for each of the minimally required message digest sizes), all the hash function instances with hash sizes of 224,, 34, and 512 bits should be designed under a consistent design philosophy. Concretely, by using the same structure and components, e.g., S-boxes and matrices, they should provide security arguments and performance evaluation in a unified framework. 7

Table 1.1: AURORA family. Name max. message message block chaining value hash size size (bits) size (bits) size (bits) (bits) AURORA-224 512 (2 64 1) 512 224 AURORA- 512 (2 64 1) 512 AURORA-34 512 (2 64 1) 512 512 34 AURORA-512 512 (2 64 1) 512 512 512 optional instances AURORA-224M 512 (2 64 1) 512 512 224 AURORA-M 512 (2 64 1) 512 512 The hash function family AURORA. To practice the design philosophy, we designed the hash function family AURORA which consists of the algorithms called AURORA-224, AURORA-, AURORA-34, AURORA-512, AURORA-224M, and AURORA-M. AURORA-224, AURORA-, AURORA-34 and AURORA-512 support hash sizes of 224,, 34, and 512 bits, respectively. AURORA-224M and AURORA-M support hash sizes of 224 and bits, respectively. They are optional instances that are designed to have multi-collision resistance by increasing the internal chaining value size ( M means multi-collision resistance). Every instance of the AURORA family supports a maximum message length of 512 (2 64 1) bits, which meets the minimum acceptability requirement regarding the maximum message length. Table 1.1 presents the basic properties of the AURORA family. AURORA-224 and AURORA- are constructed from the secure and efficient compression function using a security-enhanced Merkle-Damgård transform, i.e., the strengthened Merkle- Damgård transform with the finalization function. The compression function is designed based on the well-established design techniques for blockciphers, and uses the Davies-Meyer construction. Since most of existing attacks on hash functions exploited simplicity of message scheduling, we employ a secure message scheduling, which is a different design philosophy from the MDx family including SHA-2. AURORA-34 and AURORA-512 employ a novel domain extension transform called the Double- Mix Merkle-Damgård (DMMD) transform. The DMMD transform consists of two parallel lines of the compression functions and the mixing functions inserted at intervals. This domain extension transform enables an efficient collision-resistant construction for double length hash functions. Furthermore, the combination of the compression function of AURORA and the DMMD transform achieves further efficiency by sharing the message scheduling of two compression functions. The overall structure of AURORA-224M and AURORA-M is the same as AURORA- 34/512 except constants and the final mixing function. The DMMD transform also opens a new efficient way of providing multi-collision resistance. By using the DMMD transform, AURORA- 224M and AURORA-M efficiently achieve multi-collision resistance. As a result, the AURORA family achieves consistency of the design, because all algorithms use similar -bit compression functions as building blocks. Moreover, the AURORA family achieves high efficiency on many platforms. In software implementation on the NIST reference platform (64-bit), AURORA- achieves 15.4 cycles/byte and AURORA-512 achieves 27.4 cycles/byte. Also, AURORA shows good performance across a variety of platforms, because it uses platform-independent operations. In hardware implementation, AU- RORA enables a variety of implementations, from high-speed to area-restricted implementations. Using a 0.13µm CMOS ASIC library, AURORA- can be implemented with only 11.1 Kgates in an area-optimized implementation. In a speed-optimized implementation, AURORA- achieves the highest throughput of 10.4 Gbps. For AURORA-512, the smallest size is 14.6 Kgates and the highest throughput is 9.1 Gbps.

Organization of the document. This document is organized as follows: Chapter 2 describes the specification of the AURORA family. Chapter 3 provides the design rationale. Chapter 4 explains all aspects of security: security argument and algorithm analysis. Chapter 5 shows efficient implementation results of AURORA. Chapter 6 describes the usage of AURORA in important applications. Finally, AURORA s advantages and limitations are described in Chapter 7. 9

10

Chapter 2 Specification of AURORA 2.1 Notation We first describe notation, conventions and symbols used throughout this document. We use the prefix 0x to denote hexadecimal numbers. A bit string x with the suffix, x (n), indicates that x is n bits. This suffix is omitted if there is no ambiguity. For bit strings x and y, x y or (x, y) is their concatenation. For bit strings x and y, x y means that the bit string x is updated by the bit string y. For an nl-bit x, we write (x 0 (n), x 1 (n),..., x l 1 (n) ) x (nl) to mean that x is divided into (x 0, x 1,..., x l ), where (x 0 (n) x 1 (n) x l 1 (n) ) = x (nl). For a bit string x (n) and an integer l, x n l is the l-bit left cyclic shift of x, and x n l is the l-bit right cyclic shift of x. For bit strings x 0, x 1,..., x n 1, {x j } 0 j<n is a shorthand for (x 0, x 1,..., x n 1 ). For an integer l, 0 l is the l times repetition of zero bits and 1 l is the l times repetition of one bits. For a bit string x, x is the bit-wise complement of x. For an element of GF(2 n ) represented as a polynomial x n 1 α n 1 + x n 2 α n 2 +... + x 1 α + x 0 where α is a root of an irreducible polynomial, x n 1 x n 2... x 1 x 0 denotes the bit representation of the polynomial. 11

Following variables and symbols have specific meanings. M The input message. M i The i-th block of the message (after the padding). m The length of M in blocks (after the padding). H i The i-th chaining value. MSM The Message Scheduling Module. CPM The Chaining value Processing Module. BD The Byte Diffusion function. DR The Data Rotating function. PROTL The Partial ROTating Left function. PROTR The Partial ROTating Right function. Pad The Padding function. Len n The Length of the input message in blocks encoded into n bits. TF n The Truncation Function that outputs n bits. F 0, F 1, F 2, and F 3 The F-Functions. M 0, M 1, M 2, and M 3 The matrices used in the F-functions. S The S-box. Following symbols are used for AURORA-224/. CF The Compression Function for AURORA-224/. MS L and MS R The Message Scheduling functions for CF. CP The Chaining value Processing function for CF. FF The Finalization Function for AURORA-224/. MSF L and MSF R The Message Scheduling functions for Finalization for FF. CPF The Chaining value Processing function for Finalization for FF. CONM L,j and CONM R,j The CONstants for MS L, MS R, MSF L, and MSF R. CONC j The CONstant for CP and CPF. Following symbols are used for AURORA-34/512. CF 0, CF 1,..., CF 7 The Compression Functions for AURORA-34/512. MF The Mixing Function for AURORA-34/512. MFF The Mixing Function for Finalization for AURORA-34/512. MS L,s and MS R,s The Message Scheduling functions for CF s (0 s 7), MF (s = ), and MFF (s = 9). CP L,s and CP R,s The Chaining value Processing functions for CF s (0 s 7), MF (s = ), and MFF (s = 9). CONM L,s,j and CONM R,s,j The CONstants used in MS L,s and MS R,s, respectively. CONC L,s,j and CONC R,s,j The CONstants used in CP L,s and CP R,s, respectively. Following symbols are used for AURORA-224M/M. CF M 0, CF M 1,..., CF M 7 The Compression Functions for AURORA-224M/M. MF M The Mixing Function for AURORA-224M/M. MFF M The Mixing Function for Finalization for AURORA-224M/M. MS M L,s and MS M R,s The Message Scheduling functions for CF M s (0 s 7), MF M (s = ), and MFF M (s = 9). CP M L,s and CP M R,s The Chaining value Processing functions for CF M s (0 s 7), MF M (s = ), and MFF M (s = 9). CONM M L,s,j and CONM M R,s,j The CONstants used in MS M L,s and MS M R,s, respectively. CONC M L,s,j and CONC M R,s,j The CONstants used in CP M L,s and CP M R,s, respectively. 12

2.2 Building Blocks In this section, specifications of the essential building blocks for constructing AURORA algorithms are described. 2.2.1 Message Scheduling Module: MSM The message scheduling module, MSM, takes the following two inputs; a bit string X (), and a set of bit strings {Y j (32) } 0 j<32. The output is a set of bit strings {Z j (32) } 0 j<72. MSM internally uses a byte diffusion function BD : ({0, 1} 32 ) ({0, 1} 32 ), which is a permutation over ({0, 1} 32 ) and is defined in Sec. 2.2.3. MSM is parameterized by two functions F and F, where { F : {0, 1} 32 {0, 1} 32, F : {0, 1} 32 {0, 1} 32 (2.1). We write MSM [F, F ] when we emphasize that it is parameterized by functions F and F. We now describe the specification of MSM [F, F ]. Step 1. Let (X 0 (32), X 1 (32),..., X 7 (32) ) X (). Step 2. Let (X 1, X 3, X 5, X 7 ) (X 1, X 3, X 5, X 7 ) (Y 0, Y 1, Y 2, Y 3 ). Step 3. Let (Z 0, Z 1,..., Z 7 ) (X 0, X 1,..., X 7 ). Step 4. (7 round iterations) The following operations are iterated for i = 1 to 7. (X 0, X 1,..., X 7 ) BD(X 0, X 1,..., X 7 ) (X 0, X 2, X 4, X 6 ) (F (X 0 ), F (X 2 ), F (X 4 ), F (X 6 )) (X 1, X 3, X 5, X 7 ) (X 1, X 3, X 5, X 7 ) (Y 4i, Y 4i+1, Y 4i+2, Y 4i+3 ) (X 1, X 3, X 5, X 7 ) (X 1, X 3, X 5, X 7 ) (X 0, X 2, X 4, X 6 ) (Z i, Z i+1,..., Z i+7 ) (X 0, X 1,..., X 7 ) Step 5. (-th round) Then the following operations are executed. (X 0, X 1,..., X 7 ) BD(X 0, X 1,..., X 7 ) (X 0, X 2, X 4, X 6 ) (F (X 0 ), F (X 2 ), F (X 4 ), F (X 6 )) (X 1, X 3, X 5, X 7 ) (X 1, X 3, X 5, X 7 ) (X 0, X 2, X 4, X 6 ) (Z 64, Z 65,..., Z 71 ) (X 0, X 1,..., X 7 ) Step 6. Finally, the output is {Z j (32) } 0 j<72. See Fig. 2.1 for an illustration and Fig. 2.13 for a pseudocode. 2.2.2 Chaining Value Processing Module: CPM The chaining value processing module, CPM, takes the following three inputs; a bit string X (), a set of bit strings {Y j (32) } 0 j<144, and a set of bit strings {W j (32) } 0 j<6. 13

X X 0 X 1 X 2 X 3 X 4 X 5 X 6 X 7 Y 0 Y 1 Y 2 Y 3 Z 0 Z 1 Z 2 Z 3 Z 4 Z 5 Z 6 Z 7 BD F Y 4 F Y 5 F Y 6 F Y 7 Z Z 9 Z 10 Z 11 Z 12 Z 13 Z 14 Z 15 BD F Y F Y 9 F Y 10 F Y 11 Z 16 Z 17 Z 1 Z 19 Z 20 Z 21 Z 22 Z 23 BD F Y 4i F Y 4i+1 F Y 4i+2 F Y 4i+3 Z i Z i+1 Z i+2 Z i+3 Z i+4 Z i+5 Z i+6 Z i+7 BD F Y 2 F Y 29 F Y 30 F Y 31 Z 56 Z 57 Z 5 Z 59 Z 60 Z 61 Z 62 Z 63 BD F F F F Z 64 Z 65 Z 66 Z 67 Z 6 Z 69 Z 70 Z 71 Figure 2.1: {Z j (32) } 0 j<72 MSM [F, F ](X (), {Y j (32) } 0 j<32 ). 14

The output is a bit string Z (). CPM internally uses a byte diffusion function BD, which is also used in MSM, and is defined in Sec. 2.2.3. As with MSM, CPM is parameterized by two functions F and F over {0, 1} 32, and we write CPM [F, F ] when we use functions F and F. We now describe the specification of CPM [F, F ]. Step 1. Let (X 0 (32), X 1 (32),..., X 7 (32) ) X (). Step 2. Let (X 1, X 3, X 5, X 7 ) (X 1, X 3, X 5, X 7 ) (W 0, W 1, W 2, W 3 ). Step 3. Let (X 0, X 1,..., X 7 ) (X 0, X 1,..., X 7 ) (Y 0, Y 1,..., Y 7 ). Step 4. (16 round iterations) The following operations are iterated for i = 1 to 16. (X 0, X 1,..., X 7 ) BD(X 0, X 1,..., X 7 ) (X 0, X 2, X 4, X 6 ) (F (X 0 ), F (X 2 ), F (X 4 ), F (X 6 )) (X 1, X 3, X 5, X 7 ) (X 1, X 3, X 5, X 7 ) (W 4i, W 4i+1, W 4i+2, W 4i+3 ) (X 1, X 3, X 5, X 7 ) (X 1, X 3, X 5, X 7 ) (X 0, X 2, X 4, X 6 ) (X 0, X 1,..., X 7 ) (X 0, X 1,..., X 7 ) (Y i, Y i+1,..., Y i+7 ) Step 5. (17-th round) Then the following operations are executed. (X 0, X 1,..., X 7 ) BD(X 0, X 1,..., X 7 ) (X 0, X 2, X 4, X 6 ) (F (X 0 ), F (X 2 ), F (X 4 ), F (X 6 )) (X 1, X 3, X 5, X 7 ) (X 1, X 3, X 5, X 7 ) (X 0, X 2, X 4, X 6 ) (X 0, X 1,..., X 7 ) (X 0, X 1,..., X 7 ) (Y 136, Y 137,..., Y 143 ) Step 6. Finally, the output is Z () (X 0 (32) X 1 (32) X 7 (32) ). See Fig. 2.2 for an illustration and Fig. 2.14 for a pseudocode. 2.2.3 Byte Diffusion Function: BD The byte diffusion function, BD, takes a bit string (X 0 (32), X 1 (32),..., X 7 (32) ) as the input, and outputs the updated bit string (X 0 (32), X 1 (32),..., X 7 (32) ). It works as follows. Step 1. For i = 0, 1,..., 7, X i (32) is divided into a 4-byte sequence as (x 4i (), x 4i+1 (), x 4i+2 (), x 4i+3 () ) X i (32), and (X 0 (32), X 1 (32),..., X 7 (32) ) is now regarded as a sequence of bytes; (x 0 (), x 1 (),..., x 31 () ) = (X 0 (32), X 1 (32),..., X 7 (32) ). Step 2. Next we permute (x 0, x 1,..., x 31 ) according to the permutation π defined in Fig. 2.3, where the i-th byte x i is moved to the π(i)-th byte. In other words, let x π(i) = x i for i = 0, 1,..., 31. Then (x 0, x 1,..., x 31) is the result of the permutation. For example, x 0 = x 4, x 1 = x 29, and so on. Step 3. For i = 0, 1,..., 7, the 4-byte sequence (x 4i (), x 4i+1 (), x 4i+2 (), x 4i+3 ()) is concatenated to form the updated X i (32) = (x 4i () x 4i+1 () x 4i+2 () x 4i+3 ()), and the output is (X 0 (32), X 1 (32),..., X 7 (32) ). See Fig. 2.4 for an illustration and Fig. 2.15 for a pseudocode. 15

X X 0 X 1 X 2 X 3 X 4 X 5 X 6 X 7 W 0 W 1 W 2 W 3 Y 0 Y 1 Y 2 Y 3 Y 4 Y 5 Y 6 Y 7 BD F W 4 F W 5 F W 6 F W 7 Y Y 9 Y 10 Y 11 Y 12 Y 13 Y 14 Y 15 BD F W F W 9 F W 10 F W 11 Y 16 Y 17 Y 1 Y 19 Y 20 Y 21 Y 22 Y 23 BD F W 4i F W 4i+1 F W 4i+2 F W 4i+3 Y i Y i+1 Y i+2 Y i+3 Y i+4 Y i+5 Y i+6 Y i+7 BD F W 64 F W 65 F W 66 F W 67 Y Y 129 Y 130 Y 131 Y 132 Y 133 Y 134 Y 135 BD F F F F Y 136 Y 137 Y 13 Y 139 Y 140 Y 141 Y 142 Y 143 Z 0 Z 1 Z 2 Z 3 Z 4 Z 5 Z 6 Z 7 Z Figure 2.2: Z () CPM [F, F ](X (), {Y j (32) } 0 j<144, {W j (32) } 0 j<6 ). 16

i 0 1 2 3 4 5 6 7 9 10 11 12 13 14 15 π(i) 2 29 30 31 0 9 1 27 4 5 6 7 17 26 3 i 16 17 1 19 20 21 22 23 24 25 26 27 2 29 30 31 π(i) 12 13 14 15 16 25 2 11 20 21 22 23 24 1 10 19 Figure 2.3: Definition of the permutation π( ) : {0, 1,..., 31} {0, 1,..., 31}. X 0 X 1 X 2 X 3 X 4 X 5 X 6 X 7 X 0 X 1 X 2 X 3 X 4 X 5 X 6 X 7 Figure 2.4: (X 0 (32), X 1 (32),..., X 7 (32) ) BD(X 0 (32), X 1 (32),..., X 7 (32) ). 2.2.4 F-Functions: F 0, F 1, F 2, and F 3 We use four F-functions, F 0, F 1, F 2, and F 3, where they take 32-bit input X as input and produce 32-bit output Y. Each function is used as an instantiation of a parameter functions F or F in MSM and CPM. Before defining these F-functions, we first define the S-box S : {0, 1} {0, 1}, and four 4 4 matrices, M 0, M 1, M 2 and M 3. The S-box S : x () y () is defined as follows. y = { g(f(x) 1 ) if f(x) 0 g(0) if f(x) = 0. The inverse function is performed in GF((2 4 ) 2 ) defined by an irreducible polynomial z 2 +z + {1001} for which the underlying GF(2 4 ) is defined by an irreducible polynomial z 4 + z + 1. Moreover, f : x () y () and g : x () y () are affine transformations over GF(2), which are defined as f : y 0 y 1 y 2 y 3 y 4 y 5 y 6 y 7 = 0 0 0 0 0 0 1 1 0 0 0 0 1 1 0 0 0 0 1 1 0 0 0 0 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 1 0 0 0 0 0 1 0 0 0 0 0 1 0 0 0 0 0 0 17 x 0 x 1 x 2 x 3 x 4 x 5 x 6 x 7 + 0 1 1 1 0 1 0 0, (2.2)

Table 2.1: S.0.1.2.3.4.5.6.7..9.a.b.c.d.e.f 0. d9 dc d3 69 bd 00 4d eb 02 24 57 c2 b 5d b7 6d 1. f5 40 37 4e 19 d 64 62 9d 34 0f 7c ec ce 94 04 2. d1 a 74 fb e7 7 12 23 b5 5c 1a bb 42 49 1 5 3. 11 46 0d 71 67 f c6 50 5 fd 4b a4 cd e 99 1f 4. ad 63 c9 6b f7 2 9f 65 2f 5f 61 73 3d b 0e 1b 5. 33 e0 ac 26 a1 e3 f3 2 3 75 44 90 13 af f0 07 6. 96 21 f 3f a2 9 9a a3 91 4c 7f 92 97 ea 01 1c 7. 1e 2d 9 39 e6 9c 0a 54 0c 51 6c 43 ae db 53 59. a6 f4 06 da e2 7 1d 29 30 e1 35 fc ed bc 47 d5 9. c0 ab cc a 0 2b 09 b0 93 d4 c5 b3 d0 df a9 aa a. 7a 36 2a d6 b2 fa e b1 a0 6 5a 1 4 0 17 c7 b. fe 76 bf c4 f2 3e 4a 0b 10 14 f1 ef a7 27 e5 c c. de 9b d 3c 56 d7 c 60 6a 79 ee a5 31 2e 77 41 d. ff 95 dd 25 3b 55 ca 52 9e 2c 15 4f e4 16 70 7d e. 72 3a 7b 4 f6 32 6 03 b4 3 6f b9 c1 45 e9 f. ba b6 6e 5e be 7e 20 f9 22 66 05 d2 cb c3 cf 5b and g : y 0 y 1 y 2 y 3 y 4 y 5 y 6 y 7 = 1 1 0 0 0 0 0 0 0 0 1 1 0 0 0 0 0 0 0 0 1 1 0 0 0 0 0 0 0 0 1 1 1 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 1 0 x 0 x 1 x 2 x 3 x 4 x 5 x 6 x 7 + 1 0 1 1 0 0 1 0 (2.3) where (x 0(1) x 1(1) x 2(1) x 3(1) x 4(1) x 5(1) x 6(1) x 7(1) ) x () and (y 0(1) y 1(1) y 2(1) y 3(1) y 4(1) y 5(1) y 6(1) y 7(1) ) y (). Table 2.1 shows the output values of S. The four matrices are defined as follows. 0x01 0x02 0x02 0x03 M 0 = 0x03 0x01 0x02 0x02 0x02 0x03 0x01 0x02, (2.4) 0x02 0x02 0x03 0x01 0x01 0x06 0x0 0x02 M 1 = 0x02 0x01 0x06 0x0 0x0 0x02 0x01 0x06, (2.5) 0x06 0x0 0x02 0x01 0x03 0x01 0x02 0x02 M 2 = 0x02 0x03 0x01 0x02 0x02 0x02 0x03 0x01, (2.6) 0x01 0x02 0x02 0x03 0x06 0x0 0x02 0x01 M 3 = 0x01 0x06 0x0 0x02 0x02 0x01 0x06 0x0. (2.7) 0x0 0x02 0x01 0x06 1

Multiplications are operated over GF(2 ) defined by an irreducible polynomial z +z 4 +z 3 +z 2 +1. Now we describe F-functions. Step 1. Let (x 0 (), x 1 (), x 2 (), x 3 () ) X (32). Step 2. Let (x 0, x 1, x 2, x 3 ) (S(x 0 ), S(x 1 ), S(x 2 ), S(x 3 )). Step 3. For i {0, 1, 2, 3}, the output of F i is Y (32) = (y 0 () y 1 () y 2 () y 3 () ), where y 0 y 1 y 2 y 3 2.2.5 Data Rotating Function: DR = M i x 0 x 1 x 2 x 3. The data rotating function, DR, takes the following two inputs; a set of bit strings {X j (32) } 0 j<72, and a set of bit strings {Y j (32) } 0 j<72. The output is a set of bit strings {Z j (32) } 0 j<144. DR uses the following two functions; { PROTL : ({0, 1} 32 ) ({0, 1} 32 ), PROTR : ({0, 1} 32 ) ({0, 1} 32 ), which we define as PROTL(X 0 (32), X 1 (32),..., X 7 (32) ) = (X 0 (32), X 1 (32),..., X 7 (32)), (2.) where X i = X i for i = 0, 2, 4, 5, 6, 7, and (X 1 X 3) = (X 1 X 3 ) 64 1. Similarly, we define PROTR(X 0 (32), X 1 (32),..., X 7 (32) ) = (X 0 (32), X 1 (32),..., X 7 (32)), (2.9) where X i = X i for i = 0, 2, 4, 5, 6, 7, and (X 1 X 3) = (X 1 X 3 ) 64 1. In other words, they rotate the two words by one bit, where these words are concatenated and regarded as one 64 bit string. Now DR works as follows. Step 1. For inputs {X j (32) } 0 j<72 and {Y j (32) } 0 j<72, we define {Z j (32) } 0 j<144 by iterating the following operations for i = 0 to. { (Z16i, Z 16i+1,..., Z 16i+7 ) PROTL(X i, X i+1,..., X i+7 ) (Z 16i+, Z 16i+9,..., Z 16i+15 ) PROTR(Y i, Y i+1,..., Y i+7 ) Step 2. The output is {Z j (32) } 0 j<144 defined in the above operations. See Fig. 2.5 for an illustration and Fig. 2.16 for a pseudocode. 19

X 0 X 1 X 7 (Z 1 Z 3 ) (X 1 X 3 ) 64 1 Z 0 Z 1 Z 7 Y 0 Y 1 Y 7 (Z 9 Z 11 ) (Y 1 Y 3 ) 64 1 Z Z 9 Z 15 X X 9 X 15 (Z 17 Z 19 ) (X 9 X 11 ) 64 1 Z 16 Z 17 Z 23 Y Y 9 Y 15 (Z 25 Z 27 ) (Y 9 Y 11 ) 64 1 Z 24 Z 25 Z 31 X 16 X 17 X 23 (Z 33 Z 35 ) (X 17 X 19 ) 64 1 Z 32 Z 33 Z 39 Y 16 Y 17 Y 23 (Z 41 Z 43 ) (Y 17 Y 19 ) 64 1 Z 40 Z 41 Z 47.... X 64 X 65 X 71 (Z 129 Z 131 ) (X 65 X 67 ) 64 1 Z Z 129 Z 135 Y 64 Y 65 Y 71 (Z 137 Z 139 ) (Y 65 Y 67 ) 64 1 Z 136 Z 137 Z 143 Figure 2.5: {Z j (32) } 0 j<144 DR({X j (32) } 0 j<72, {Y j (32) } 0 j<72 ).... 20

2.3 Specification of AURORA- 2.3.1 Overall Structure AURORA- takes the input message of length at most 512 (2 64 1) = 2 73 512 bits, and outputs the hash value of bits. It internally uses a compression function CF and a finalization function FF, where { CF (, ) : {0, 1} {0, 1} 512 {0, 1}, FF (, ) : {0, 1} {0, 1} 512 {0, 1}. The compression function CF is defined in Sec. 2.3.2 and a finalization function FF is defined in Sec. 2.3.3. Now AURORA- works as follows. Step 1. The input message M is padded with the following padding function Pad( ); Pad(M) = M 1 0 b Len 64, (2.10) where b is the minimum non-negative integer (possibly zero) such that M + b + 65 = 512m for some integer m, and Len 64 is an encoding of M /512 in 64-bit string. That is, Len 64 is the length of M in blocks, where a partial block counts for one block, and b is the minimal integer such that the total length of Pad(M) is a multiple of 512 bits. Then Pad(M) is divided into blocks M 0, M 1,..., M m 1 each of length 512 bits, i.e., we let (M 0 (512), M 1 (512),..., M m 1 (512) ) Pad(M). Step 2. Let H 0 () = 0, and compute H 1 (), H 2 (),..., H m 1 () by iterating for i = 0 to m 2. H i+1 CF (H i, M i ) Note that when Pad(M) has one block (i.e., when m = 1 and Pad(M) = M 0 ), then Step 2 is not executed. Step 3. Finally, let H m FF (H m 1, M m 1 ), and the output is H m (). See Fig. 2.6 for an illustration and Fig. 2.17 for a pseudocode. M 0 M 1 M 2 M m 2 M m 1 H 0 CF CF CF CF FF H m H 1 H 2 H 3 H m 2 H m 1 Figure 2.6: AURORA-. 2.3.2 Compression Function: CF The compression function, CF, takes the chaining value H i of bits and the input message block M i of 512 bits, and outputs the chaining value H i+1 of bits. 21

It internally uses two message scheduling functions MS L and MS R, a data rotating function DR, and a chaining value processing function CP, where These functions are described below. MS L ( ) : {0, 1} ({0, 1} 32 ) 72, MS R ( ) : {0, 1} ({0, 1} 32 ) 72, DR(, ) : ({0, 1} 32 ) 72 ({0, 1} 32 ) 72 ({0, 1} 32 ) 144, CP(, ) : {0, 1} ({0, 1} 32 ) 144 {0, 1}. Components of CF MS L is an instance of MSM described in Sec. 2.2.1, and for any X {0, 1}, it is defined as MS L (X) = MSM [F 0, F 1 ](X, {CONM L,j (32) } 0 j<32 ), (2.11) where F 0 and F 1 are F-functions defined in Sec. 2.2.4, and {CONM L,j (32) } 0 j<32 is the set of constants defined in Sec. 2.9. Similarly, for any X {0, 1}, MS R is defined as MS R (X) = MSM [F 2, F 3 ](X, {CONM R,j (32) } 0 j<32 ), (2.12) where F 2 and F 3 are F-functions defined in Sec. 2.2.4, and {CONM R,j (32) } 0 j<32 is the set of constants defined in Sec. 2.9. DR is the data rotating function defined in Sec. 2.2.5. CP is an instance of CPM described in Sec. 2.2.2, and for any X {0, 1} and Y ({0, 1} 32 ) 144, it is defined as CP(X, Y ) = CPM [F 1, F 0 ](X, Y, {CONC j (32) } 0 j<6 ), (2.13) where F 0 and F 1 are F-functions defined in Sec. 2.2.4, and {CONC j (32) } 0 j<6 is the set of constants defined in Sec. 2.9. Specification of CF Now we present the specification of CF. Step 1. Let (M L (), M R () ) M i (512), and let X () H i (). Step 2. Let {T L,j (32) } 0 j<72 MS L (M L () ). Step 3. Let {T R,j (32) } 0 j<72 MS R (M R () ). Step 4. Let {U j (32) } 0 j 144 DR({T L,j (32) } 0 j<72, {T R,j (32) } 0 j<72 ). Step 5. Let Y () CP(X (), {U j (32) } 0 j<144 ). Step 6. Finally, the output is H i+1 () Y () X (). See Fig. 2.7 for an illustration and Fig. 2.1 for a pseudocode. 22

M i M L M R X H i T L,0 T L,1 T L,7 T R,0 T R,1 T R,7 U 0 U 1 U 7 U U 9 U 15 T L, T L,9 T L,15 U 16 U 17 U 23 MS L T R, T R,9 T R,15 DR U 24 U 25 U 31 CP MS R T L,64 T L,65 T L,71 T R,64 T R,65 T R,71 U U 129 U 135 U 136 U 137 U 143 Y H i+1 Figure 2.7: H i+1 () CF (H i (), M i (512) ). 2.3.3 Finalization Function: FF The finalization function, FF, is used at the last step of the hash value computation. It takes the chaining value H m 1 of bits and the last input message block M m 1 of 512 bits, and outputs the final hash value H m of bits. FF is structurally equivalent to CF, and the only difference is the constants used in the components. FF internally uses message scheduling functions for finalization, MSF L and MSF R, a data rotating function DR, and a chaining value processing function for finalization, CPF. They have the following syntax. These functions are described below. Components of FF MSF L ( ) : {0, 1} ({0, 1} 32 ) 72, MSF R ( ) : {0, 1} ({0, 1} 32 ) 72, DR(, ) : ({0, 1} 32 ) 72 ({0, 1} 32 ) 72 ({0, 1} 32 ) 144, CPF (, ) : {0, 1} ({0, 1} 32 ) 144 {0, 1}. For any X {0, 1}, MSF L is defined as (2.14) MSF L (X) = MSM [F 0, F 1 ](X, {CONM L,j (32) } 32 j<64 ), (2.15) where F 0 and F 1 are F-functions defined in Sec. 2.2.4, and {CONM L,j (32) } 32 j<64 is the set of constants defined in Sec. 2.9. For any X {0, 1}, MSF R is defined as MSF R (X) = MSM [F 2, F 3 ](X, {CONM R,j (32) } 32 j<64 ), (2.16) where F 2 and F 3 are F-functions defined in Sec. 2.2.4, and {CONM R,j (32) } 32 j<64 is the set of constants defined in Sec. 2.9. 23

DR is the data rotating function defined in Sec. 2.2.5. For any X {0, 1} and Y ({0, 1} 32 ) 144, CPF is defined as CPF (X, Y ) = CPM [F 1, F 0 ](X, Y, {CONC j (32) } 6 j<136 ), (2.17) where F 0 and F 1 are F-functions defined in Sec. 2.2.4, and {CONC j (32) } 6 j<136 is the set of constants defined in Sec. 2.9. Specification of FF Now the finalization function FF works as follows. Step 1. Let (M L (), M R () ) M m 1 (512), and let X () H m 1 (). Step 2. Let {T L,j (32) } 0 j<72 MSF L (M L () ). Step 3. Let {T R,j (32) } 0 j<72 MSF R (M R () ). Step 4. Let {U j (32) } 0 j 144 DR({T L,j (32) } 0 j<72, {T R,j (32) } 0 j<72 ). Step 5. Let Y () CPF (X (), {U j (32) } 0 j<144 ). Step 6. Finally, the output is H m () Y () X (). See Fig. 2.19 for a pseudocode. 24

2.3.4 Alternate Method for Computing CF and FF The compression function CF and the finalization function FF, components of AURORA- hash computation method, are described in an alternative way which requires less memory space in implementation. Firstly, three component functions RoundC, RoundM L and RoundM R are defined here for an alternate computation method. Components RoundC, RoundM L and RoundM R RoundC (i) ( ) : ({0, 1} 32 ) ({0, 1} 32 ) is a round function of the structure for CP. present the computation steps of RoundC (i) ( ). Now we RoundC (i) (X 0, X 1,..., X 7 ) : (X 0, X 1,..., X 7 ) BD(X 0, X 1,..., X 7 ) (X 0, X 2, X 4, X 6 ) (F 1 (X 0 ), F 0 (X 2 ), F 1 (X 4 ), F 0 (X 6 )) If i 17, do the following line (X 1, X 3, X 5, X 7 ) (X 1, X 3, X 5, X 7 ) (CONC 4i, CONC 4i+1, CONC 4i+2, CONC 4i+3 ) (X 1, X 3, X 5, X 7 ) (X 1, X 3, X 5, X 7 ) (X 0, X 2, X 4, X 6 ) Output (X 0, X 1,..., X 7 ) Similarly, round functions RoundM L and RoundM R for MS L and MS R are defined by replacing F-functions and constants as follows. RoundM (i) L (X 0, X 1,..., X 7 ) : (X 0, X 1,..., X 7 ) BD(X 0, X 1,..., X 7 ) (X 0, X 2, X 4, X 6 ) (F 0 (X 0 ), F 1 (X 2 ), F 0 (X 4 ), F 1 (X 6 )) If i, do the following line (X 1, X 3, X 5, X 7 ) (X 1, X 3, X 5, X 7 ) (CONM L,4i, CONM L,4i+1, CONM L,4i+2, CONM L,4i+3 ) (X 1, X 3, X 5, X 7 ) (X 1, X 3, X 5, X 7 ) (X 0, X 2, X 4, X 6 ) Output (X 0, X 1,..., X 7 ) RoundM (i) R (X 0, X 1,..., X 7 ) : (X 0, X 1,..., X 7 ) BD(X 0, X 1,..., X 7 ) (X 0, X 2, X 4, X 6 ) (F 2 (X 0 ), F 3 (X 2 ), F 2 (X 4 ), F 3 (X 6 )) If i, do the following line (X 1, X 3, X 5, X 7 ) (X 1, X 3, X 5, X 7 ) (CONM R,4i, CONM R,4i+1, CONM R,4i+2, CONM R,4i+3 ) (X 1, X 3, X 5, X 7 ) (X 1, X 3, X 5, X 7 ) (X 0, X 2, X 4, X 6 ) Output (X 0, X 1,..., X 7 ) Alternative Specification of CF Now we present an alternative computation method of CF. Step 1. Initialize input values. { (X0(32), X 1(32),..., X 7(32), Y 0(32), Y 1(32),..., Y 7(32) ) M i(512) (Z 0(32), Z 1(32),..., Z 7(32) ) H i () Step 2. Add constant values to the initial values. (X 1, X 3, X 5, X 7 ) (X 1, X 3, X 5, X 7 ) (CONM L,0, CONM L,1, CONM L,2, CONM L,3 ) (Y 1, Y 3, Y 5, Y 7 ) (Y 1, Y 3, Y 5, Y 7 ) (CONM R,0, CONM R,1, CONM R,2, CONM R,3 ) (Z 1, Z 3, Z 5, Z 7 ) (Z 1, Z 3, Z 5, Z 7 ) (CONC 0, CONC 1, CONC 2, CONC 3 ) 25

Step 3. Do the first round function. (Z 0, Z 1,..., Z 7 ) (Z 0, Z 1,..., Z 7 ) (X 0, X 1, X 2, X 3, X 4, X 5, X 6, X 7 ) (Z 0, Z 1,..., Z 7 ) RoundC (1) (Z 0, Z 1,..., Z 7 ) (Z 0, Z 1,..., Z 7 ) (Z 0, Z 1,..., Z 7 ) (Y 0, Y 1, Y 2, Y 3, Y 4, Y 5, Y 6, Y 7 ) Step 4. The following operations are iterated for j = 1 to. (X 0, X 1,..., X 7 ) RoundM (j) L (X 0, X 1,..., X 7 ) (Y 0, Y 1,..., Y 7 ) RoundM (j) R (Y 0, Y 1,..., Y 7 ) (Z 0, Z 1,..., Z 7 ) RoundC (2j) (Z 0, Z 1,..., Z 7 ) (Z 0, Z 1,..., Z 7 ) (Z 0, Z 1,..., Z 7 ) (X 0, X 1, X 2, X 3, X 4, X 5, X 6, X 7 ) (Z 0, Z 1,..., Z 7 ) RoundC (2j+1) (Z 0, Z 1,..., Z 7 ) (Z 0, Z 1,..., Z 7 ) (Z 0, Z 1,..., Z 7 ) (Y 0, Y 1, Y 2, Y 3, Y 4, Y 5, Y 6, Y 7 ) Step 5. Finally, the output is H i+1 () (Z 0, Z 1,..., Z 7 ) H i. In the above specification, X 1, X 3, Y 1 and Y 3 are defined as (X 1 X 3) = (X 1 X 3 ) 64 1 and (Y 1 Y 3) = (Y 1 Y 3 ) 64 1. Alternative Specification of FF An alternative specification of FF is obtained by replacing constants in the specification of CF as CONC j CONC j+32, CONM L,j CONM L,j+32 and CONM R,j CONM R,j+32. 26

2.4 Specification of AURORA-224 AURORA-224 takes the input message of length at most 512 (2 64 1) = 2 73 512 bits, and outputs the hash value of 224 bits. It uses the same padding function Pad, the compression function CF, and the finalization function FF as AURORA- defined in Sec. 2.3. The difference is that AURORA-224 uses H 0 = 1 as the initial value, and the output of FF is truncated to 224 bits by the truncation function TF 224. The truncation function, TF 224 ( ) : {0, 1} {0, 1} 224, first parses the input H m () into a sequence of bytes H m () = (m 0 (), m 1 (),..., m 31 () ) and drops m 7, m 15, m 23, and m 31 to produce the 224-bit hash value H m (224) = (m 0 (), m 1 (),..., m 27 ()). That is, for the -bit input H m () = (m 0 (), m 1 (),..., m 31 () ), the 224-bit output is H m (224) = (m 0 (), m 1 (),..., m 27 () ), where m i = m i for 0 i 6 m i = m i+1 for 7 i 13 m i = m i+2 for 14 i 20 m i = m i+3 for 21 i 27 Now we describe the specification of AURORA-224. Step 1. The input message M is first padded with Pad( ) in (2.10), and the result of Pad(M) is divided into blocks M 0, M 1,..., M m 1 each of length 512 bits, i.e., let (M 0 (512), M 1 (512),..., M m 1 (512) ) Pad(M). Step 2. Let H 0 () = 1, and compute H 1 (), H 2 (),..., H m 1 () by iterating for i = 0 to m 2. H i+1 CF (H i, M i ) Note that when Pad(M) has one block (i.e., when m = 1 and Pad(M) = M 0 ), then Step 2 is not executed. Step 3. Let H m FF (H m 1, M m 1 ), and the output is H m (224) TF 224(H m () ). See Fig. 2.20 for a pseudocode. 27

2.5 Specification of AURORA-512 2.5.1 Overall Structure AURORA-512 takes the input message of length at most 512 (2 64 1) = 2 73 512 bits, and outputs the hash value of 512 bits. It internally uses eight compression functions CF 0, CF 1,..., CF 7, a mixing function MF, and a mixing function for finalization MFF, where CF s (, ) : {0, 1} 512 {0, 1} 512 {0, 1} 512 for s {0, 1,..., 7}, MF ( ) : {0, 1} 512 {0, 1} 512, MFF ( ) : {0, 1} 512 {0, 1} 512. The compression functions CF 0, CF 1,..., CF 7 are defined in Sec. 2.5.2, the mixing function MF is defined in Sec. 2.5.3, and the mixing function for finalization MFF is defined in Sec. 2.5.4. Now we describe the specification of AURORA-512. Step 1. The input message M is padded with the padding function Pad( ) in (2.10), and Pad(M) is divided into blocks M 0, M 1,..., M m 1 each of length 512 bits, i.e., let (M 0 (512), M 1 (512),..., M m 1 (512) ) Pad(M). Step 2. Now let H 0 (512) 0 512. Then compute H 1 (512), H 2 (512),..., H m (512) by iterating the following operations for i = 0 to m 1. { Hi+1 CF i mod (H i, M i ) if (0 < i < m 1) (i mod = 7) then H i+1 MF (H i+1 ) Step 3. Finally, the output is H m (512) MFF (H m (512) ). See Fig. 2. for an illustration and Fig. 2.21 for a pseudocode. 2.5.2 Compression Functions: CF 0, CF 1,..., CF 7 The compression function, CF s, where s {0, 1,..., 7}, takes the chaining value H i of 512 bits and the input message block M i of 512 bits, and outputs the chaining value H i+1 of 512 bits. For each s {0, 1,..., 7}, CF s internally uses two message scheduling functions MS L,s and MS R,s, a data rotating function DR, and two chaining value processing functions CP L,s and CP R,s, where MS L,s ( ) : {0, 1} ({0, 1} 32 ) 72, MS R,s ( ) : {0, 1} ({0, 1} 32 ) 72, DR(, ) : ({0, 1} 32 ) 72 ({0, 1} 32 ) 72 ({0, 1} 32 ) 144, CP L,s (, ) : {0, 1} ({0, 1} 32 ) 144 {0, 1}, CP R,s (, ) : {0, 1} ({0, 1} 32 ) 144 {0, 1}. These functions are defined below. Components of CF 0, CF 1,..., CF 7 For any X {0, 1}, MS L,s is defined as MS L,s (X) = MSM [F 0, F 1 ](X, {CONM L,s,j (32) } 0 j<32 ), (2.1) where F 0 and F 1 are F-functions defined in Sec. 2.2.4, and {CONM L,s,j (32) } 0 j<32 is the set of constants defined in Sec. 2.9. 2

M 0 M 1 M 7 H 0 CF 0 CF 1 CF 7 MF H 1 H 2 H 7 H H times M M 9 M 15 CF 0 CF 1 CF 7 MF H H 9 H 10 H 15 H 16 H 16 times M m 2 M m 1 CF l 2 CF l 1 MFF H m H m 2 H m 1 H m Figure 2.: AURORA-512, where l = m mod. 29

For any X {0, 1}, MS R,s is defined as MS R,s (X) = MSM [F 2, F 3 ](X, {CONM R,s,j (32) } 0 j<32 ), (2.19) where F 2 and F 3 are F-functions defined in Sec. 2.2.4, and {CONM R,s,j (32) } 0 j<32 is the set of constants defined in Sec. 2.9. DR is the data rotating function defined in Sec. 2.2.5. For any X {0, 1} and Y ({0, 1} 32 ) 144, CP L,s is defined as CP L,s (X, Y ) = CPM [F 1, F 0 ](X, Y, {CONC L,s,j (32) } 0 j<6 ), (2.20) where F 0 and F 1 are F-functions defined in Sec. 2.2.4, and {CONC L,s,j (32) } 0 j<6 is the set of constants defined in Sec. 2.9. For any X {0, 1} and Y ({0, 1} 32 ) 144, CP R,s is defined as CP R,s (X, Y ) = CPM [F 3, F 2 ](X, Y, {CONC R,s,j (32) } 0 j<6 ), (2.21) where F 2 and F 3 are F-functions defined in Sec. 2.2.4, and {CONC R,s,j (32) } 0 j<6 is the set of constants defined in Sec. 2.9. Specification of CF 0, CF 1,..., CF 7 Now the compression function CF s works as follows. Step 1. Let (M L (), M R () ) M i (512), and (X L (), X R () ) H i (512). Step 2. Let {T L,j (32) } 0 j<72 MS L,s (M L () ). Step 3. Let {T R,j (32) } 0 j<72 MS R,s (M R () ). Step 4. Let {U j (32) } 0 j 144 DR({T L,j (32) } 0 j<72, {T R,j (32) } 0 j<72 ). Step 5. Let Y L () CP L,s (X L (), {U j (32) } 0 j<144 ). Step 6. Let Y R () CP R,s (X R (), {U j (32) } 0 j<144 ). Step 7. Finally, the output is H i+1 (512) (Y L () X L () Y R () X R () ). See Fig. 2.9 for an illustration and Fig. 2.22 for a pseudocode. 2.5.3 Mixing Function: MF The mixing function MF is used to mix the chaining values every after eight calls of CF s. It takes the chaining value H i of 512 bits and outputs the updated chaining value H i of 512 bits. It internally uses two message scheduling functions MS L, and MS R,, a data rotating function DR, and two chaining value processing functions CP L, and CP R,, where These functions are defined below. MS L, ( ) : {0, 1} ({0, 1} 32 ) 72, MS R, ( ) : {0, 1} ({0, 1} 32 ) 72, DR(, ) : ({0, 1} 32 ) 72 ({0, 1} 32 ) 72 ({0, 1} 32 ) 144, CP L, (, ) : {0, 1} ({0, 1} 32 ) 144 {0, 1}, CP R, (, ) : {0, 1} ({0, 1} 32 ) 144 {0, 1}. 30

M i H i M L M R X L X R T L,0 T L,1 T L,7 U 0 U 1 U 7 T R,0 T R,1 T R,7 U U 9 U 15 T L, T L,9 T L,15 U 16 U 17 U 23 MS L,s MS R,s T R, T R,9 T R,15 DR U 24 U 25 U 31 CP L,s CP R,s T L,64 T L,65 T L,71 U U 129 U 135 T R,64 T R,65 T R,71 U 136 U 137 U 143 Y L Y R Z L Z R H i+1 Figure 2.9: H i+1 (512) CF s (H i (512), M i (512) ). Components of MF For any X {0, 1}, MS L, is defined as MS L, (X) = MSM [F 0, F 1 ](X, {CONM L,,j (32) } 0 j<32 ), (2.22) where F 0 and F 1 are F-functions defined in Sec. 2.2.4, and {CONM L,,j (32) } 0 j<32 is the set of constants defined in Sec. 2.9. For any X {0, 1}, MS R, is defined as MS R, (X) = MSM [F 2, F 3 ](X, {CONM R,,j (32) } 0 j<32 ), (2.23) where F 2 and F 3 are F-functions defined in Sec. 2.2.4, and {CONM R,,j (32) } 0 j<32 is the set of constants defined in Sec. 2.9. DR is the data rotating function defined in Sec. 2.2.5. For any X {0, 1} and Y ({0, 1} 32 ) 144, CP L, is defined as CP L, (X, Y ) = CPM [F 1, F 0 ](X, Y, {CONC L,,j (32) } 0 j<6 ), (2.24) where F 0 and F 1 are F-functions defined in Sec. 2.2.4, and {CONC L,,j (32) } 0 j<6 is the set of constants defined in Sec. 2.9. For any X {0, 1} and Y ({0, 1} 32 ) 144, CP R, is defined as CP R, (X, Y ) = CPM [F 3, F 2 ](X, Y, {CONC R,,j (32) } 0 j<6 ), (2.25) where F 2 and F 3 are F-functions defined in Sec. 2.2.4, and {CONC R,,j (32) } 0 j<6 is the set of constants defined in Sec. 2.9. 31

Specification of MF Now we describe the specification of MF. Step 1. Let (X L (), X R () ) H i (512). Step 2. Let {T L,j (32) } 0 j<72 MS L, (X L () ). Step 3. Let {T R,j (32) } 0 j<72 MS R, (X R () ). Step 4. Let {U j (32) } 0 j 144 DR({T L,j (32) } 0 j<72, {T R,j (32) } 0 j<72 ). Step 5. Let Y L () CP L, (X L (), {U j (32) } 0 j<144 ). Step 6. Let Y R () CP R, (X R (), {U j (32) } 0 j<144 ). Step 7. Finally, the output is H i (512) (Y L () X L () Y R () X R () ). See Fig. 2.10 for an illustration and Fig. 2.23 for a pseudocode. H i X L X R T L,0 T L,1 T L,7 U 0 U 1 U 7 T R,0 T R,1 T R,7 U U 9 U 15 MS L, MS R, T L, T L,9 T L,15 T R, T R,9 T R,15 DR U 16 U 17 U 23 U 24 U 25 U 31 CP L, CP R, T L,64 T L,65 T L,71 U U 129 U 135 T R,64 T R,65 T R,71 U 136 U 137 U 143 Y L Y R Z L Z R H i Figure 2.10: H i (512) MF (H i (512) ). 2.5.4 Mixing Function for Finalization: MFF The mixing function for finalization MFF is used at the last computation of the final hash value. MFF is structurally equivalent to MF, and the only difference is the constants used in the components. It takes the last chaining value H m of 512 bits and outputs the updated value H m of 512 bits, which is the final hash value. It internally uses two message scheduling functions MS L,9 32

and MS R,9, a data rotating function DR, and two chaining value processing functions CP L,9 and CP R,9, where MS L,9 : {0, 1} ({0, 1} 32 ) 32 ({0, 1} 32 ) 72, MS R,9 : {0, 1} ({0, 1} 32 ) 32 ({0, 1} 32 ) 72, DR : ({0, 1} 32 ) 72 ({0, 1} 32 ) 72 ({0, 1} 32 ) 144, (2.26) CP L,9 : {0, 1} ({0, 1} 32 ) 144 ({0, 1} 32 ) 6 {0, 1}, CP R,9 : {0, 1} ({0, 1} 32 ) 144 ({0, 1} 32 ) 6 {0, 1}. These functions are defined below. Components of MFF For any X {0, 1}, MS L,9 is defined as MS L,9 (X) = MSM [F 0, F 1 ](X, {CONM L,9,j (32) } 0 j<32 ), (2.27) where F 0 and F 1 are F-functions defined in Sec. 2.2.4, and {CONM L,9,j (32) } 0 j<32 is the set of constants defined in Sec. 2.9. Similarly, for any X {0, 1}, MS R,9 is defined as MS R,9 (X) = MSM [F 2, F 3 ](X, {CONM R,9,j (32) } 0 j<32 ), (2.2) where F 2 and F 3 are F-functions defined in Sec. 2.2.4, and {CONM R,9,j (32) } 0 j<32 is the set of constants defined in Sec. 2.9. DR is the data rotating function defined in Sec. 2.2.5. For any X {0, 1} and Y ({0, 1} 32 ) 144, CP L,9 is defined as CP L,9 (X, Y ) = CPM [F 1, F 0 ](X, Y, {CONC L,9,j (32) } 0 j<6 ), (2.29) where F 0 and F 1 are F-functions defined in Sec. 2.2.4, and {CONC L,9,j (32) } 0 j<6 is the set of constants defined in Sec. 2.9. For any X {0, 1} and Y ({0, 1} 32 ) 144, CP R,9 is defined as CP R,9 (X, Y ) = CPM [F 3, F 2 ](X, Y, {CONC R,9,j (32) } 0 j<6 ), (2.30) where F 2 and F 3 are F-functions defined in Sec. 2.2.4, and {CONC R,9,j (32) } 0 j<6 is the set of constants defined in Sec. 2.9. Specification of MFF Now we describe the specification of MFF. Step 1. Let (X L (), X R () ) H m (512). Step 2. Let {T L,j (32) } 0 j<72 MS L,9 (X L () ). Step 3. Let {T R,j (32) } 0 j<72 MS R,9 (X R () ). Step 4. Let {U j (32) } 0 j 144 DR({T L,j (32) } 0 j<72, {T R,j (32) } 0 j<72 ). Step 5. Let Y L () CP L,9 (X L (), {U j (32) } 0 j<144 ). Step 6. Let Y R () CP R,9 (X R (), {U j (32) } 0 j<144 ). Step 7. Finally, the output is H m (512) (Y L () X L () Y R () X R () ). See Fig. 2.24 for a pseudocode. 33

2.6 Specification of AURORA-34 AURORA-34 takes the input message of length at most 512 (2 64 1) = 2 73 512 bits, and outputs the hash value of 34 bits. It uses the same padding function Pad, the compression functions CF 0, CF 1,..., CF 7, the mixing function MF, and the mixing function for finalization MFF as AURORA-512 defined in Sec. 2.5. The difference is that AURORA-34 uses H 0 = 1 512 as the initial value, and the output of MFF is truncated to 34 bits by the truncation function TF 34. The truncation function, TF 34 ( ) : {0, 1} 512 {0, 1} 34, first parses the input H m (512) into a sequence of bytes H m (512) = (m 0 (), m 1 (),..., m 63 () ) and drops the following bytes; m 6, m 7, m 14, m 15, m 22, m 23, m 30, m 31, m 3, m 39, m 46, m 47, m 54, m 55, m 62, m 63, to produce the 34-bit hash value H m (34) = (m 0 (), m 1 (),..., m 47 () ). That is, for the 512-bit input H m (512) = (m 0 (), m 1 (),..., m 63 () ), the 34-bit output is H m (34) = (m 0 (), m 1 (),..., m 47 ()), where m i = m i for 0 i 5 m i = m i+2 for 6 i 11 m i = m i+4 for 12 i 17 m i = m i+6 for 1 i 23 m i = m i+ for 24 i 29 m i = m i+10 for 30 i 35 m i = m i+12 for 36 i 41 m i = m i+14 for 42 i 47 Now we describe the specification of AURORA-34. Step 1. The input message M is first padded with Pad( ) in (2.10), and the result of Pad(M) is divided into blocks M 0, M 1,..., M m 1 each of length 512 bits, i.e., let (M 0 (512), M 1 (512),..., M m 1 (512) ) Pad(M). Step 2. Let H 0 (512) = 1 512, and compute H 1 (512), H 2 (512),..., H m (512) by iterating for i = 0 to m 1. { Hi+1 CF i mod (H i, M i ) if (0 < i < m 1) (i mod = 7) then H i+1 MF (H i+1 ) Step 3. Let H m (512) MFF (H m (512) ), and output H m (34) TF 34(H m (512) ). See Fig. 2.25 for a pseudocode. 34

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback