Cryptography Reference
In-Depth Information
Using the AES components [18], the function $Q$ is defined as follows:

$$Q = \mathit{MixColumns} \circ \mathit{SubBytes}.$$

The SubBytes transformation is a non-linear byte substitution that takes 4 bytes $s_0, s_1, s_2, s_3$ as input and operates independently on each byte by using the AES S-box. It proceeds as follows:

$$s'_i = \text{S-box}(s_i) \quad \text{for } 0 \le i < 4.$$

The MixColumns step is a bytewise operation that takes 4 bytes $s_0, s_1, s_2, s_3$ as input. The MixColumns step is given by the AES MDS matrix multiplication defined over GF($2^8$) as follows:

$$\begin{bmatrix} s'_0 \\ s'_1 \\ s'_2 \\ s'_3 \end{bmatrix} = \begin{bmatrix} 02 & 03 & 01 & 01 \\ 01 & 02 & 03 & 01 \\ 01 & 01 & 02 & 03 \\ 03 & 01 & 01 & 02 \end{bmatrix} \begin{bmatrix} s_0 \\ s_1 \\ s_2 \\ s_3 \end{bmatrix}.$$
For a 64-bit input $s = s_0\, s_1\, s_2\, s_3\, s_4\, s_5\, s_6\, s_7$, the function $R(s)$ is defined as follows:

$$R(s) = s_4\, s_5\, s_2\, s_3\, s_0\, s_1\, s_6\, s_7.$$

One round of the key scheduling function consists of the following two steps:

Firstly, it generates the $r$-th round-key $K^{(r)} = k_0^{(r)}$.

Secondly, it updates the intermediate state in the following manner:

$$\begin{aligned} k_0^{(r+1)} &= k_3^{(r)} \oplus Q(C^{(r)} \oplus k_2^{(r)}), \\ k_1^{(r+1)} &= k_0^{(r)}, \\ k_2^{(r+1)} &= k_1^{(r)}, \\ k_3^{(r+1)} &= k_2^{(r)}, \end{aligned}$$

where the 32-bit round constants $C^{(r)}$ are defined in Appendix A.
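The Python code below is an added example, not code from the source text or from the Lesamnta-LW designers: it implements Q, R and one key-schedule round as described above, deriving the AES S-box from its algebraic definition and the MixColumns step from the MDS matrix. It assumes each state word and round constant is a 4-byte word (as Q's 4-byte input and the 32-bit constants imply), holds words as byte lists so no byte order has to be chosen, and takes the round constant as a parameter because the Appendix A values are not reproduced here.

```python
# Assumptions (not from the page): words are lists of 4 bytes; the caller
# supplies the round constant, since Appendix A is not reproduced here.
def gmul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1 (0x11B)."""
    p = 0
    while b:
        if b & 1:
            p ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return p

def _sbox_entry(x):
    """AES S-box: inverse in GF(2^8) (0 maps to 0), then the affine map."""
    inv = 1
    for _ in range(254):          # x^254 equals x^-1 for nonzero x
        inv = gmul(inv, x)
    out = inv
    for k in range(1, 5):         # XOR of inv rotated left by 1..4 bits
        out ^= ((inv << k) | (inv >> (8 - k))) & 0xFF
    return out ^ 0x63

SBOX = [_sbox_entry(x) for x in range(256)]
MDS = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]

def sub_bytes(col):
    return [SBOX[b] for b in col]

def mix_columns(col):
    """Multiply the 4-byte column by the AES MDS matrix over GF(2^8)."""
    out = []
    for row in MDS:
        prods = [gmul(coef, byte) for coef, byte in zip(row, col)]
        out.append(prods[0] ^ prods[1] ^ prods[2] ^ prods[3])
    return out

def Q(col):
    return mix_columns(sub_bytes(col))   # SubBytes first, then MixColumns

def R(s):
    """Swap the byte pair (s0, s1) with (s4, s5) in an 8-byte input."""
    return [s[4], s[5], s[2], s[3], s[0], s[1], s[6], s[7]]

def key_schedule_round(k, c):
    """k = [k0, k1, k2, k3], c = round constant. Returns (K_r, next state)."""
    t = Q([a ^ b for a, b in zip(c, k[2])])
    return k[0], [[a ^ b for a, b in zip(k[3], t)], k[0], k[1], k[2]]
```
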
4 Provable Security
In this section, it is assumed that Lesamnta-LW consists of a block cipher with its key length $n$ and its block length $2n$; specifically, $n = 128$.

4.1 Collision Resistance

The collision resistance of Lesamnta-LW can be proved in the ideal cipher model using the technique by Black et al. in [10]. Lesamnta-LW has a claimed security level of at least $2^{120}$ block-cipher operations against collision attacks.
Definition. Let $\mathcal{BC}(\kappa, \nu)$ be the set of all $(\kappa, \nu)$ block ciphers, where $\kappa$ and $\nu$ represent their key size and block size, respectively. Let $H[E]$ be a hash function using a block cipher $E$. Let $A$ be an adversary trying to find a collision for $H[E]$. The col-advantage of $A$ against $H[E]$, $\mathrm{Adv}^{\mathrm{col}}_{H[E]}(A)$, is given by

$$\Pr\left[ A^{E} = (M, M') \wedge M \ne M' \wedge H[E](M) = H[E](M') \;\middle|\; E \xleftarrow{\$} \mathcal{BC}(\kappa, \nu) \right],$$

where the probabilities are taken over the coin tosses by $A$ and the uniform distribution on $\mathcal{BC}(\kappa, \nu)$. $H[E]$ is said to be collision-resistant if $\mathrm{Adv}^{\mathrm{col}}_{H[E]}(A)$ is negligible for any efficient $A$.