Cryptography Reference
In-Depth Information
that an attacker can directly control the key of a block cipher. In contrast, the
LW1 mode does not allow attackers to control the key of the block cipher
directly. Second, the LW1 mode is theoretically analyzed. It enables us to reduce
the security of Lesamnta-LW to that of the underlying block cipher to a greater
extent than the popular DM mode used by the SHA family.
2.3 Block Cipher
The block cipher is designed to meet the following requirements:
- The security analysis should be simple to have confidence in the design.
- It should be compact in software/hardware.
- It should offer a reasonable speed on high-end/low-end CPUs.
For this purpose, the block cipher is an AES-based design such that Lesamnta-LW
can gain certain clear advantages over known block-cipher-based designs such
as SHA-256 and MAME. The key scheduling function ensures a strong
non-linearity and an excellent diffusion property by re-using the 32-bit permutation
of the mixing function; this reduces the hardware complexity since a part of
the hardware can be reused. The round constants sequentially generated from a
linear feedback shift register introduce randomness and asymmetry into the key
scheduling function.
3 Specification
3.1 Message Padding
The first step of the hash computation is the padding of the message. The
purpose of the padding is to ensure that the input consists of a multiple of 128 bits.
Suppose that the length of a message M is l bits. Append the bit “1” to the end
of the message, followed by k + 63 zero bits, where k is the smallest non-negative
integer such that l + k ≡ 0 (mod 128). Then, append a 64-bit block equal to
the number l as expressed in binary representation. The length of the padded
message should now be a multiple of 128 bits.
3.2 Compression Function and Domain Extension
Lesamnta-LW is a Merkle-Damgård iterated hash function [19,36] using the
compression function h, which operates as follows on the 128-bit words
$H_0^{(i-1)}$, $H_1^{(i-1)}$, and $M^{(i)}$:

$$h(H^{(i-1)}, M^{(i)}) = E(H_0^{(i-1)}, M^{(i)} \| H_1^{(i-1)}),$$

where $H^{(i-1)} = H_0^{(i-1)} \| H_1^{(i-1)}$ and $E(K, \cdot)$ is a 256-bit block cipher with a
128-bit key $K$. We call this method to construct a compression function the LW1
mode, which is illustrated in Fig. 1.
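The padding rule of Section 3.1 and the LW1 iteration of Section 3.2, written out as an added Python example (not code from the book or from the Lesamnta-LW designers). The names `pad`, `lw1_compress` and `lw1_chain` are hypothetical; the block cipher E and the initial value are supplied by the caller because this section does not specify them, messages are assumed byte-aligned, and the 64-bit length is assumed big-endian.

```python
from typing import Callable

BLOCK = 16  # bytes in one 128-bit word (H_0, H_1 and M are each one word)
Cipher = Callable[[bytes, bytes], bytes]  # E(K, X): 16-byte K, 32-byte X -> 32 bytes


def pad(message: bytes) -> bytes:
    """Section 3.1 padding, restricted to byte-aligned messages (l % 8 == 0)."""
    l = 8 * len(message)            # message length in bits
    k = -l % 128                    # smallest k >= 0 with l + k = 0 (mod 128)
    # The "1" bit and the first 7 of the k + 63 zero bits make the byte 0x80;
    # the remaining k + 56 zero bits are whole zero bytes.
    padding = b"\x80" + bytes((k + 56) // 8)
    # Assumption: the 64-bit length field is big-endian. to_bytes raises
    # OverflowError if l does not fit in 64 bits.
    return message + padding + l.to_bytes(8, "big")


def lw1_compress(E: Cipher, h: bytes, m: bytes) -> bytes:
    """h(H, M) = E(H_0, M || H_1): the key is H_0, never the message block."""
    if len(h) != 2 * BLOCK or len(m) != BLOCK:
        raise ValueError("need a 256-bit chaining value and a 128-bit block")
    out = E(h[:BLOCK], m + h[BLOCK:])
    if len(out) != 2 * BLOCK:
        raise ValueError("E must return a 256-bit block")
    return out


def lw1_chain(E: Cipher, iv: bytes, message: bytes) -> bytes:
    """Merkle-Damgard iteration; returns the last chaining value H^(N)."""
    padded = pad(message)
    h = iv  # caller-supplied: the initial value is not given in this section
    for i in range(0, len(padded), BLOCK):
        h = lw1_compress(E, h, padded[i:i + BLOCK])
    return h
```

Because l + k is a multiple of 128, the last 128-bit block produced by `pad` never contains message bits: it is 64 bits of padding followed by the 64-bit length.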
 