Cryptography Reference
In-Depth Information
Using the AES components [18], the function Q is defined as follows:
Q = MixColumns
SubBytes .
The SubBytes transformation is a non-linear byte substitution that takes 4
bytes s 0 ,s 1 ,s 2 ,s 3 as input and operates independently on each byte by using
the AES S-box. It proceeds as follows:
s i =S-box( s i ) or0
i< 4 .
The MixColumns step is a bytewise operation that takes 4 bytes s 0 ,s 1 ,s 2 ,s 3 as
input. The MixColumns step is given by the AES MDS matrix multiplication
defined over GF(2 8 ) as follows:
s 0
s 1
s 2
s 3
s 0
s 1
s 2
s 3
02 03 01 01
01 02 03 01
01 01 02 03
03 01 01 02
=
.
For a 64-bit input s = s 0
s 1
s 2
s 3
s 4
s 5
s 6
s 7 , the function R ( s )is
defined as follows: R ( s )= s 4
s 7 .
One round of the key scheduling function consists of the following two steps:
Firstly, it generates the r -th round-key K ( r ) = k ( r ) 0 .
Secondly, it updates the intermediate state in the following manner:
k ( r +1)
0
s 5
s 2
s 3
s 0
s 1
s 6
= k ( r )
3
k ( r 2 ) ,
( r +1)
1
= k ( r 0 ,
( r +1)
2
= k ( r 1 ,
( r +1)
3
= k ( r )
2
Q ( C ( r )
,
where the 32-bit round constants C ( r ) are defined in Appendix A.
4 Provable Security
In this section, it is assumed that Lesamnta-LW consists of a block cipher with
its key length n and its block length 2 n ; specifically, n = 128.
4.1
Collision Resistance
The collision resistance of Lesamnta-LW can be proved in the ideal cipher model
using the technique by Black et al. in [10]. Lesamnta-LW has a claimed security
level of at least 2 120 block-cipher operations against collision attacks.
Definition. Let
( κ, ν )bethesetofall( κ, ν ) block ciphers, where κ and ν
represents their key size and block size, respectively. Let H [ E ] be a hash function
using a block cipher E .Let A be an adversary trying to find a collision for H [ E ].
The col-advantage of A against H [ E ], Adv col
BC
H [ E ] ( A ), is given by
Pr A E =( M, M )
( κ, ν ) ,
= M
H [ E ]( M )= H [ E ]( M )
E $
M
|
←BC
where the probabilities are taken over the coin tosses by A and the uniform
distribution on
( κ, ν ). H [ E ] is said to be collision-resistant if Adv col
BC
H [ E ] ( A )is
negligible for any ecient A .
 
Search WWH ::




Custom Search