Cryptography Reference
In-Depth Information
any serious library: they can be used in applications such as digital signatures,
certificates, MAC algorithms, randomness extraction, and public key encryption
(e.g., RSA-OAEP), etc. In recent years, there has been substantial
progress in cryptanalysis [46,47] of widely-used hash functions such as MD5 [39]
and SHA-1 [37]. In response, NIST started the SHA-3 competition in 2007
[38], and selected 14 hash functions as Round-2 candidates last July. Thus,
lightweight software/hardware implementations could use SHA-256 [37] or the
SHA-3 Round-2 candidates. However, most of these hash functions could be too
expensive for small devices since they are designed for general-purpose use: they are
fast on high-end 32/64-bit CPUs and in general have a large internal state for
resistance against multi-collision-type attacks [29,30].
We argue that there is an increasing demand for lightweight hash functions
providing a high security level. A reasonable application would be code signing
for small but highly sensitive devices, which can be targeted at medical
applications or car electronics. Code signing requires hashing and public key
cryptography (PKC). Some recent works [3,22] have shown that implementations of
elliptic curve cryptography (ECC) can be so compact that they
are targeted at wireless sensor networks (WSN). Therefore it would be a
nice challenge to fit ECC and hashing in a small area such as 25 Kgates.
In addition, applications using small portable electronic devices employing
low-cost 8-bit CPUs have gained increasing attention. It has been reported
that about 55 % of all CPUs sold in the world are 8-bit microcontrollers and
microprocessors and over 4 billion 8-bit controllers were sold in 2006 [48,40].
Since the memory size of devices employing low-cost CPUs is often very small,
RAM/ROM requirements are an important factor for implementations.
This paper proposes a 256-bit lightweight hash function, Lesamnta-LW. Its
domain extension is the strengthened Merkle-Damgård construction and its
underlying component is an AES-based block cipher taking a 256-bit plaintext
and a 128-bit key. Note that Lesamnta-LW is in some sense a lightweight version
of Lesamnta [25], which was submitted to the SHA-3 competition. The features of
Lesamnta-LW are summarized below.
1. Lesamnta-LW can be implemented efficiently on both dedicated hardware
and 8-bit CPUs. In hardware, it only requires 8.24 Kgates on 90 nm
technology, which is substantially smaller than most of the Round-2
SHA-3 candidates. In software, it gains clear advantages over SHA-256 with
respect to speed on short messages and RAM requirements for 8-bit CPUs.
2. The compression function is a new mode of a block cipher, called the LW1
mode. Notice that the PGV mode cannot be used because Lesamnta-LW
uses a block cipher whose key size is smaller than its block size
in order to achieve an efficient implementation. Unlike the DM mode and
the MMO mode, the LW1 mode does not have the feedforward of inputs,
which contributes to reducing the size of required memory. This structure
enables us to provide proofs reducing the security of Lesamnta-LW to that of
the underlying block cipher, which has also been designed to offer adequate
security against all relevant known attacks.
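The structural point in item 2, as an added Python sketch that is not code from the paper or the Lesamnta-LW specification: a feedforward-free compression function built on a cipher with a 128-bit key and 256-bit block, iterated with Merkle-Damgård strengthening, next to the DM mode for contrast. The toy cipher, the padding layout, the all-zero IV and the exact wiring of `lw1_compress` (key = first half of the chaining value, plaintext = message block followed by the second half) are assumptions not stated on this page.

```python
import hashlib

BLOCK, KEY, MSG = 32, 16, 16  # bytes: 256-bit block, 128-bit key, 128-bit message block

def toy_encrypt(key: bytes, block: bytes, rounds: int = 8) -> bytes:
    """Constructed stand-in cipher (Feistel over SHA-256), NOT the AES-based cipher of Lesamnta-LW."""
    assert len(key) == KEY and len(block) == BLOCK
    left, right = block[:16], block[16:]
    for r in range(rounds):
        f = hashlib.sha256(key + bytes([r]) + right).digest()[:16]
        left, right = right, bytes(a ^ b for a, b in zip(left, f))
    return left + right

def lw1_compress(h: bytes, m: bytes) -> bytes:
    """Feedforward-free mode (assumed wiring): the cipher output is the new chaining value."""
    assert len(h) == BLOCK and len(m) == MSG
    return toy_encrypt(h[:KEY], m + h[KEY:])

def dm_compress(h: bytes, m: bytes) -> bytes:
    """DM mode for contrast: E_m(h) XOR h. The old h must stay buffered for the final XOR."""
    saved = h  # extra 32 bytes of state held across the cipher call
    return bytes(a ^ b for a, b in zip(toy_encrypt(m, h), saved))

def md_pad(msg: bytes) -> bytes:
    """Generic strengthening (0x80, zeros, 64-bit bit length); assumed layout, not the spec's."""
    padded = msg + b"\x80"
    padded += b"\x00" * (-(len(padded) + 8) % MSG)
    return padded + (8 * len(msg)).to_bytes(8, "big")

def md_hash(msg: bytes, compress=lw1_compress, iv: bytes = bytes(BLOCK)) -> bytes:
    """Iterate the compression function over 128-bit blocks from a constructed all-zero IV."""
    h = iv
    data = md_pad(msg)
    for i in range(0, len(data), MSG):
        h = compress(h, data[i:i + MSG])
    return h

if __name__ == "__main__":
    sample = b"firmware image v1"  # constructed sample input
    print("feedforward-free:", md_hash(sample).hex())
    print("DM mode:         ", md_hash(sample, dm_compress).hex())
```

On a RAM-constrained 8-bit target, the `saved` copy in `dm_compress` is the buffer that the feedforward-free mode avoids.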
 