Cryptography Reference
In-Depth Information
3. Lesamnta-LW is designed to provide at least 2
120
security levels against
both collision and (second-)preimage attacks, where 2
120
=2
n
/
(
n
+1)with
n
= 128. Actually, it is easy to see that a meet-in-the-middle attack can find
a preimage of Lesamnta-LW with complexity at most 2
128
.
For the security levels, an ideal 256-bit hash function would provide the 2
256
security level against preimage attacks. However, the 2
120
security level is suf-
ficient for most applications, especially on small devices. We give preference to
the hardware cost over the preimage resistance in the design of Lesamnta-LW.
The security and the cost do not go together generally.
As an important application of Lesamnta-LW, we consider the key-prefix (KP)
mode which is similar to HMAC but more ecient. The KP mode of a hash
function is required in PPP Challenge Handshake Authentication Protocol [42].
We give a security reduction for this mode.
The outline of this paper is as follows. In Sect. 2, we explain our design
strategy. In Sect. 3, we give the specification of the Lesamnta-LW hash function.
In Sect. 4, we discuss the provable security of Lesamnta-LW. In Sect. 5, we
evaluate the security of Lesamnta-LW against all relevant attacks. Section 6
presents implementation results. Section 7 concludes the paper.
2 Design Principle
Our main design goal is to develop a secure 256-bit hash function which achieves
small hardware/software implementations. More specifically, the most important
aspects are to have security proofs, to have a small footprint for hardware, and
to have low working memory (RAM) requirement for software. Our next target
is to achieve fairly fast speed, considering the ways hash functions are used: the
processing message length and the modes of operation, etc. This is because the
required eciency could include speed on very short messages such as IDs or
speed of the pseudorandom function from a hash function such as HMAC or
Key-Prefix mode as discussed in this paper.
2.1
Padding Method
For the padding method of Lesamnta-LW, the last block does not contain any
part of the message input. It only contains the length of the message input. This
property is required to guarantee preimage resistance of Lesamnta-LW.
2.2
LW1 Mode
Sophisticated designs and attacks on block ciphers were presented in the AES
competition. Knowledge on block ciphers is useful in designing secure hash func-
tions. This is why Lesamnta-LW is designed as a block-cipher-based hash func-
tion. A few reasons for choosing the LW1 mode are also listed below. First, from
the viewpoint of attacks on a block cipher, recent collision attacks use the fact
Search WWH ::
Custom Search