Parameterized Hash Functions

In this paper we describe a family of highly parameterized hash functions. This parameterization results in great flexibility between performance and security of the algorithm. The three basic functions, HaF-256, HaF-512 and HaF-1024, constitute this hash function family. The lengths of the message digests are 256, 512 and 1024 bits respectively. The paper discusses the details of the function structure. The method used to generate the function's S-box is also described in detail.


Introduction
Hash functions are used to generate a short form of an original message of any size. This short form is called a hash of a message or a message digest and is used in many cryptographic applications including message integrity verification and message authentication, in which case a keyed hash function is used.
Hash function h operates on a message m of an arbitrary length. The result is a hash value h(m) which has a fixed size.
A lot of recent cryptographic research has been devoted to methods of generating new hash functions which resulted for example in 64 proposals being submitted to the NIST SHA-3 competition for a new hash function in 2008 [1].
The objective while designing the HaF family of hash functions was obviously the highest security while maintaining the best possible performance. At the same time, however, the function should allow a flexible balance between security and performance, which was achieved through parameterization.

The organization of this paper is the following: In Section 2 we describe the family of the HaF hash functions in general. In Section 3 we concentrate on the details of S-box generation along with our reasoning for designing and choosing this particular method. Reference implementation is briefly described in Section 4. Finally Section 5 contains the concluding remarks.
2 Parameterized family HaF of hash functions

Design Principles
The following assumptions were taken into account during the design process:
• the family should be parameterized;
• the message digest length should be selectable;
• flexibility between performance and security should be guaranteed;
• the iteration structure and compression function should be resistant to known attacks;
• the iteration mode should be HAIFA (it provides resistance to long-message second-preimage attacks and handles hashing with a salt) [2,3].

Description of HaF
The HaF family is formed of three hash functions: HaF-256, HaF-512 and HaF-1024, producing hash values (message digests) with lengths equal to 256, 512 and 1024 bits, respectively. The general model of the HaF family is presented in Fig. 1. After formatting the original message m we have the message M. We divide M into blocks M_0, M_1, ..., M_{k-1}, k ∈ {1, 2, ...}, and each block M_i is processed with the salt s by the iterative compression function ϕ [2]. The output H_k is the final result of the function.

Notation
In the paper we use the following notation:
• a ⊙ b - multiplication mod (2^n + 1) of n-bit non-zero integers a and b;
• A_r - working variable, r = 0, 1, ..., 15;
• F_j - step function, j = 0, 1, ..., 15;
• GF(2) - Galois field of characteristic 2;
• length - bitstring representing the length of the original message m, |length| = 128;
• lsb_q(v) - q least significant bits of the string v;
• IV - initial value;
• m - original message, |m| < 2^128;
• M - formatted message;
• n - length of the working variable A_r (16, 32 or 64 bits);
• s - salt, |s| = 16n;
• |v| - length in bits of a string v;
• v ≪ t - t-bit left rotation of a string v, |v| = 16n;
• v ⊕ w - bitwise XOR of strings v and w, |v| = |w|;
• v w - addition mod 2^n of the integers represented (in base 2) by strings v and w;
• p_1(x) ⊗ p_2(x) - multiplication of polynomials p_1 and p_2 modulo an irreducible polynomial R(x);
• x^q - bitstring of length q; x^0 means the empty string;
• ϕ - compression function;
• concatenation of bitstrings.

Message Padding
The original message m has to be formatted before the hash value computation begins. The length of the formatted message should be a multiple of 16n bits. The message m is formatted by appending to it a single 1-bit and as few 0-bits as necessary to obtain a string whose bit length, increased by 128 bits, is a multiple of 16n. Finally, we append the original message length. As a result, we obtain the formatted message M = M_0 M_1 ... M_{k-1} for some positive integer k, where M_i is a block of M.
The block M i is processed in two rounds. The length of the block equals 16n bits, where n is a parameter depending on the hash value we want to obtain. For HaF-256, HaF-512 and HaF-1024 the parameter n equals 16, 32 and 64 bits, respectively. The parameter n indicates, in fact, the length of the working variable A r used in the step function.
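Message padding and block splitting as described above, as an added example (not the paper's reference code). n is 16, 32 or 64 for HaF-256, HaF-512 and HaF-1024; byte-aligned input and big-endian encoding of the 128-bit length field are assumptions of this example, since the page does not state the bit order.

```python
def haf_pad(m: bytes, n: int) -> bytes:
    """Format m for HaF with working-variable length n (block = 16n bits):
    append a 1-bit, the fewest 0-bits that make the bit length plus 128 a
    multiple of 16n, then the 128-bit original length. Byte-granular input
    and big-endian length encoding are assumptions of this example."""
    block_bits = 16 * n
    bit_len = 8 * len(m)
    assert bit_len < 2 ** 128  # the paper requires |m| < 2^128
    zeros = (-(bit_len + 1 + 128)) % block_bits  # 0-bits after the mandatory 1-bit
    # 1 + zeros is always a multiple of 8 here, so the tail is whole bytes: 0x80 00 ... 00
    tail = (1 << zeros).to_bytes((1 + zeros) // 8, "big")
    return m + tail + bit_len.to_bytes(16, "big")


def split_blocks(M: bytes, n: int) -> list:
    """M_0, M_1, ..., M_{k-1}: blocks of 16n bits (2n bytes) each."""
    return [M[i:i + 2 * n] for i in range(0, len(M), 2 * n)]
```

Note the edge case: a 16-byte message for n = 16 already fills 128 of the 256 block bits, so the mandatory 1-bit plus the length field force a second block.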
The method of processing one block is presented in Fig. 2. M_i, H_i and s are the inputs for ϕ. Before processing in round #l, l = 1 or 2, the block M_i is modified. In round #1 the four least significant bits of N_i = M_i ⊕ s indicate the number of bits by which the string N_i is rotated to the left: Before processing in round #2, the blocks are permuted: N_i = H*_i and H_i = N*_i. After two rounds, the value H*_i of the chaining variable is split into 16 subblocks A_0, A_1, ..., A_15 of equal length. Each of them is modified by adding (mod 2^n) the respective input subblock of H_i, which is the input to round #1. Next, all subblocks A_0, A_1, ..., A_15 are concatenated giving

Round Function
The round function (Fig. 3) has two inputs N_i, H_i and two outputs N*_i, H*_i. The input block N_i is rotated by the number of bits given by lsb_4(N_i) and added bitwise mod 2 (XOR) to H_i. Next the block H_i ⊕ (N_i ≪ lsb_4(N_i)) is divided into 16 subblocks of equal length: A_0, A_1, ..., A_15. They are processed by a step function. After processing they are concatenated giving H*_i. The output
Downloaded from the journal Annales AI-Informatica http://ai.annales.umcs.pl Date: 07/11/2022 04:09:35

Step Function
The essential part of the round is the step function F_j (Fig. 4). In each round the step function is executed 16 times, for j = 0, 1, ..., 15.
We define two operations on polynomials, addition (⊕) and multiplication (⊗), where R(x) is a reduction polynomial of degree n. In the construction of the step function, the multiplication of polynomials is performed four times: a_0 ⊗ A_0, a_2 ⊗ A_2, a_3 ⊗ A_3, and a_5 ⊗ A_5. The polynomials a_0, a_2, a_3 and a_5, presented in hexadecimal form, are given in Table 1. The reduction polynomials must be irreducible; they are presented in Table 2. After performing the multiplications of polynomials, a few additions modulo 2 (⊕) and additions modulo 2^n are done (Fig. 4). In each step the masking constant c = 3236B539391FD066 (in hexadecimal representation) is used. The particular value of c depends on n and j, and is indicated by a window of length n sliding (cyclically, if necessary) from left to right over the bits of c. For example, if n = 16 and j = 0 then c = 3236; if n = 32 and j = 31 then c = 391FD066; if n = 64 and j = 5 then c = 6D6A72723FA0CD9 (cyclic rotation of c to the left by 5 bits).
In each step a substitution S The multiplication modulo 2^n + 1 of n-bit integers, with the zero block corresponding to 2^n, is denoted by ⊙ [4].
Table 3. Initial values of chaining variable.
The initial values H_0 = h_0 h_1 h_2 ... h_15 of the chaining variable (depending on n) are given in Table 3 (H_0 for n = 64 is obtained as the hexadecimal form of the first 512 decimal places after the decimal point of π, broken up into groups of 32). Before processing they must be assigned to A_0 A_1 A_2 ... A_15 in such a way that h_r = A_r, r = 0, 1, ..., 15.

Security Considerations
The round function composed of 16 steps can be represented in an equivalent form as a linear feedback shift register (FSR) over GF(2^n) generating maximum-length sequences, additionally equipped with nonlinear feedback and clocked 16 times [3]. A corresponding approach using feedback shift registers (over GF(2)) in the construction of hash functions has been presented in [5]. The function defined by the nonlinear circuit is a nonlinear 8n-argument function, n = 16, 32 or 64. For a function with such a number of arguments (128, 256 and 512, respectively), it is computationally difficult to perform the best affine approximation attack [6]. The time needed for the attack is equal to that of the birthday attack, i.e. O(2^{8n}).
The sequence produced by the nonlinear circuit is resistant to correlation attack [6]. Let F_2 be the Galois field GF(2) and F_2^n be the n-dimensional vector space over F_2. A substitution operation, or an n × n S-box (an S-box of size n × n), is a mapping: where n is a fixed positive integer, n ≥ 2. An n-argument Boolean function is a mapping: An S-box S can be decomposed into the sequence S = (f_1, f_2, ..., f_n) of Boolean functions such that S(x_1, x_2, ..., x_n) = (f_1(x_1, x_2, ..., x_n), f_2(x_1, x_2, ..., x_n), ..., f_n(x_1, x_2, ..., x_n)). We say that the functions f_1, f_2, ..., f_n are the component functions of S.
In the case of HaF's S-box, n = 16. HaF's S-box is therefore a function that takes 16 input bits and outputs 16 bits; it is a 16 × 16 S-box. Additionally, it is generated in such a way that it is its own inverse, i.e., S^-1 = S.
HaF's S-box has been generated using the multiplicative inverse procedure similar to AES [7] with randomly chosen primitive polynomial defining the Galois field. Nonlinearity of this S-box is 32510 and its nonlinear degree is 15. Sixteen Boolean functions that constitute this S-box have nonlinearities equal to 32510 or 32512. The degree of each function is equal to 15.
To simplify the description of S-box generation, let us consider a smaller S-box of size 8 × 8. For presentation convenience such an S-box can be displayed as a two-dimensional table (Table 4). The input, represented as a two-digit hexadecimal number HL, is split: the low-order digit (L) is on the horizontal axis and the high-order digit (H) is on the vertical axis. For example, to find the S-box output for input 6F, take 6 on the vertical axis and F on the horizontal axis. The S-box output is DA.
A cryptographically strong S-box should possess some properties that are universally agreed upon among researchers. Such an S-box should be balanced, highly nonlinear, have the lowest possible maximum value in its XOR profile (difference distribution table), and have a complex algebraic description (in particular, it should be of high degree). The above criteria are dictated by linear and differential cryptanalysis and algebraic attacks.
It is a well-known fact that S-boxes generated using the finite field inversion mapping fulfill these criteria to a very high extent. However, they are susceptible to (theoretical) algebraic attacks. To resist algebraic attacks, the multiplicative inverse mapping used to construct an S-box is composed with an additional invertible affine transformation. This affine transformation affects neither the nonlinearity of the S-box, nor its XOR profile, nor its algebraic degree. The best-known example of such an S-box is the S-box of AES. It is publicly known, and this does not affect its security.
The algorithm used for generating the S-box of the HaF function presented in this paper uses a similar method. Additionally, it takes into account the results of some recent studies [8,9] and incorporates changes in the S-box generating procedure to make it even more secure.

Generating Inverse Mapping
HaF's S-box is based on the so-called inverse mapping x → x^-1, where x^-1 denotes the multiplicative inverse in the finite field GF(2^n): As mentioned earlier, the inversion mapping can be used to generate cryptographically strong S-boxes.
For any prime integer p and any integer n (n = 1, 2, ...), there is a unique field with p^n elements, denoted GF(p^n). In cryptography p almost always takes the value 2. To generate an inverse mapping in GF(2^n) we need an irreducible polynomial that defines the Galois field and another polynomial that is the so-called generator (see below). A polynomial is said to be irreducible if it cannot be factored into nontrivial polynomials over the same field. The n-bit elements of the Galois field are treated as polynomials with coefficients in F_2. For example, in the case of AES, where the S-box is of size 8 × 8, we operate mostly on bytes represented as b_7 b_6 b_5 b_4 b_3 b_2 b_1 b_0, which corresponds to the following polynomial: The irreducible polynomial mentioned above is used to compute multiplication in GF(2^n). When two polynomials are multiplied, the resulting product is a polynomial of degree at most 2(n-1), too large to fit into the n-bit data word that represents polynomials in GF(2^n), so the intermediate product is divided by the irreducible polynomial and the remainder of this division is the result of the multiplication. For GF(2^n) the irreducible polynomial should be of degree n. For example, in AES (with GF(2^8)) the irreducible polynomial selected for the construction of the S-box is 11B (in hexadecimal notation).
A generator in the Galois field is a polynomial whose successive powers take on every element except zero. Which polynomials are generators in a particular Galois field depends on the irreducible polynomial selected. So, for example, the polynomial 03 is a generator in GF(2^8) with the irreducible polynomial 11B (as in AES), but it is not a generator in GF(2^8) with the irreducible polynomial 1BD, for which a generator is, for example, 07.
For n = 8 the nonlinearity of this mapping treated as an S-box is 112. For n = 16 it is 32512. In the general case, the nonlinearity of such a mapping is 2^(n-1) - 2^(n/2).
However, such an S-box would always have 0 and 1 as its first two entries, because for x = 0, x^-1 = 0 and for x = 1, x^-1 = 1. These would be undesirable fixed points of an S-box. We remove them in the next step.

Affine Transformation
To avoid algebraic attacks (given the simple algebraic form of multiplicative inversion), every element of the table of multiplicative inverses is changed using an affine transformation. Such a transformation has to be a full permutation, so that every element is changed and every possible element appears as the result of a change, i.e. no two different bytes are changed to the same byte. After applying this transformation, the table is still a bijective mapping, which is invertible, and that is a prerequisite for most applications of S-boxes. In the case of the AES cipher, this affine transformation is given by the following equation: where c is an 8-bit constant (in the case of AES, it equals 63 in hexadecimal notation) and i is the bit position. This transformation can also be represented as a matrix multiplication: The algorithm used for generating the S-box S of the HaF function in this paper uses the same transformation, adapted to the 16 × 16 S-box size and with the constant part of the transformation (namely c_i) taken at random so that the resulting S-box has no fixed points (x such that S(x) = x). In particular, the two fixed points mentioned in the previous paragraph (0 and 1) are removed by this transformation.

Removing Cycles
One of the requirements for the HaF S-box is the absence of cycles. A cycle is a sequence of S-box values S_0, S_1, ..., S_{k-1} where S_{(i+1) mod k} = S(S_i). HaF's S-box should have only one such cycle, containing all the values of the S-box (a cycle for which k = 2^n).
The affine transformation described in the previous paragraph changes the number of cycles in an S-box, without changing its nonlinear properties. Note that the fixed points are also short cycles where k =1.
The cycles are removed in a procedure with two steps. The first step is actually the aforementioned affine transformation. It is applied repeatedly with a random value of c until an S-box with only 2 cycles is found. This might not always be possible. In such a case, a new S-box has to be generated with another randomly chosen primitive polynomial using the inverse mapping as described earlier.
When the 2-cycle S-box is found, we move on to the next step, which is performed together with removing the affine equivalence.
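The construction of Section 3 carried out for the 8 × 8 case the text uses for illustration, as an added example (not the paper's generator code): the inverse mapping in GF(2^8) with the AES polynomial 11B, the AES affine transformation with constant 63, and then the checks the text discusses (fixed points 0 and 1 of the bare inverse mapping, nonlinearity 112 before and after the affine layer, and the cycle structure of the resulting permutation). The AES bit-rotation pattern in `affine` is an assumption taken from AES itself; the paper's 16 × 16 adaptation and its random choice of c are not on the page.

```python
def gf_mul(a, b, poly=0x11B, n=8):
    """Product of two GF(2)[x] polynomials reduced modulo the irreducible poly."""
    r = 0
    for _ in range(n):
        r ^= a if b & 1 else 0
        b >>= 1
        a = (a << 1) ^ (poly if a >> (n - 1) else 0)  # reduce once degree reaches n
    return r

def inverse_map(poly=0x11B, n=8):
    """Table x -> x^-1 in GF(2^n); 0 -> 0 by convention, so 0 and 1 are fixed points."""
    inv = [0] * (1 << n)
    for x in range(1, 1 << n):
        if not inv[x]:
            y = next(y for y in range(1, 1 << n) if gf_mul(x, y, poly, n) == 1)
            inv[x], inv[y] = y, x
    return inv

def affine(x, c=0x63, n=8):
    """AES affine layer (assumed pattern): y_i = x_i ^ x_i+4 ^ x_i+5 ^ x_i+6 ^ x_i+7 ^ c_i."""
    y = 0
    for i in range(n):
        bit = (c >> i) & 1
        for k in (0, 4, 5, 6, 7):
            bit ^= (x >> ((i + k) % n)) & 1
        y |= bit << i
    return y

def make_sbox(c=0x63, poly=0x11B, n=8):
    """Inverse mapping followed by the affine transformation (the AES S-box by default)."""
    return [affine(v, c, n) for v in inverse_map(poly, n)]

def cycle_lengths(s):
    """Lengths of the cycles of permutation s; HaF requires a single cycle of length 2^n."""
    seen, out = [False] * len(s), []
    for x in range(len(s)):
        k = 0
        while not seen[x]:
            seen[x], x, k = True, s[x], k + 1
        if k:
            out.append(k)
    return sorted(out)

def nonlinearity(s, n=8):
    """2^(n-1) - max|W|/2 over all non-zero output masks b, via fast Walsh-Hadamard."""
    worst = 0
    for b in range(1, 1 << n):
        w = [(-1) ** bin(b & y).count("1") for y in s]  # signed truth table of <b, S(x)>
        for h in (1 << k for k in range(n)):
            for i in range(0, len(w), 2 * h):
                for j in range(i, i + h):
                    w[j], w[j + h] = w[j] + w[j + h], w[j] - w[j + h]
        worst = max(worst, max(map(abs, w)))
    return (1 << (n - 1)) - worst // 2
```

Running `cycle_lengths(make_sbox())` shows why the paper needs its cycle-removal step: the AES-style construction with a fixed c yields several cycles, not the single 2^n-cycle HaF demands, and the random search over c described above is what drives that count down.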

Removing Affine Equivalence
According to [8,9], S-boxes based on the multiplicative inverse in a finite field have the peculiar property that all component functions of the S-box belong to the same affine equivalence class (all the output functions of the S-box can be mapped onto one another using affine transformations). HaF's S-box has been processed to remove this linear redundancy, so that all its Boolean functions now come from different affine equivalence classes, while still maintaining the exceptionally high nonlinearity of the inverse mapping. The proposed S-box has a maximum XOR difference distribution table value of 6, which is extremely good.
Removing this linear redundancy in the 2-cycle S-box is carried out in such a way that at the same time it reduces the number of cycles to only 1. It is done by

Reference Implementation
HaF can be easily implemented for 32- and 64-bit processors. Here we present a tentative evaluation of HaF performance. The results were obtained for reference (non-optimized) implementations in ANSI C for HaF-256, HaF-512 and HaF-1024. We compiled our programs with Intel C++ Compiler Professional 11.1 for Windows.
Both 32-bit and 64-bit code were generated. The programs were then executed on a PC with a 2.2 GHz Athlon-64 processor. We measured the processing time for a 20 MB text file. The results are presented in Tables 5 and 6 respectively.
Table 5. HaF family performance - 32-bit code.
Table 6. HaF family performance - 64-bit code.
As we can see in Tables 5 and 6, the best performance is achieved for HaF-512. For HaF-1024, the 64-bit code performs much better than the 32-bit code (speed-up of up to 150%). The measured processing speed is relatively slow, but we expect substantially better performance from optimized implementations.

Conclusions
Most cryptographic hash function designers focus on high processing speed. Therefore relatively simple algorithms are preferred. Implementations of these algorithms may be vulnerable to fault attacks and side-channel attacks.
In the HaF hash function family the processing scheme is more elaborate and we use relatively big 16 × 16 S-boxes. This leads to a more complex implementation.
We expect this to give greater robustness against fault attacks and side-channel attacks. The processing speed is relatively low, but we expect an optimised implementation to perform substantially better, in particular a multithreaded implementation exploiting the parallelism of the algorithm.