The Lane hash function by Indesteege, Sebastiaan et al.
The Lane hash function
Extended Abstract
Sebastiaan Indesteege, Elena Andreeva, Christophe De Cannie`re, Orr
Dunkelman, Emilia Ka¨sper, Svetla Nikova, Bart Preneel, and Elmar
Tischhauser
1 Department of Electrical Engineering ESAT/SCD-COSIC, Katholieke Universiteit
Leuven. Kasteelpark Arenberg 10, B-3001 Heverlee, Belgium.
sebastiaan.indesteege@esat.kuleuven.be
2 Interdisciplinary Institute for BroadBand Technology (IBBT), Belgium.
Abstract. In this document, we propose the cryptographic hash func-
tion Lane as a candidate for the SHA-3 competition [11] organised by
NIST. Lane is an iterated hash function supporting multiple digest sizes.
Components of the AES block cipher [3,9] are reused as building blocks.
Lane aims to be secure, easy to understand, elegant and flexible in im-
plementation.
We give the specification of Lane, and the rationale behind the impor-
tant design choices. For a more extended specification, security analysis
and a discussion of the implementation aspects, we refer to the Lane
submission document [6].
Key words: Lane, SHA-3 candidate, hash function.
1 Introduction
Lane is an iterated cryptographic hash function, supporting digest sizes of 224,
256, 384 and 512 bits. These four variants of Lane are referred to as Lane-
224, Lane-256, Lane-384 and Lane-512, respectively. The Lane hash functions
reuse components from the AES block cipher [3,9]. These, and other building
blocks are described in Sect. 3.
Lane supports the use of a salt value, if this is desirable for the application.
A well-known example of such an application is password hashing. If a different
salt is used for every stored password, it is no longer possible to attack multiple
targets in parallel in a dictionary attack or an exhaustive search. Digital signa-
tures are another application where a salt provides a benefit. This is referred to
as randomised hashing, after the work of Halevi and Krawczyk [5].
Hashing a message with Lane is performed in three steps. In the first step,
which is described in Sect. 4, the message is padded and split into message blocks
of equal length. Also, the initial chaining value H−1 is set to the initial value
IVn,S , which depends on the digest size n and the (optional) salt value S.
In the second step, a compression function f(·, ·, ·) is applied iteratively:
Hi = f (Hi−1,Mi, Ci) . (1)
Dagstuhl Seminar Proceedings 09031 
Symmetric Cryptography  
http://drops.dagstuhl.de/opus/volltexte/2009/1952
1
Each compression function call uses a message block Mi to update the chaining
value Hi−1 to Hi. A counter Ci, which indicates the number of message bits
processed so far, including the message bits in the block Mi which is currently
being processed, is also input into the compression function. The compression
function of Lane is described in Sect. 5.
The third and final step is the output transformation, described in Sect. 6. In
this step, the digest is derived from the final chaining value, using the message
length l and the (optional) salt value S as additional inputs. It consists of a single
compression function call and, depending on the digest length, a truncation of
the result.
The iteration mode used in Lane was designed to be easy to understand and
implement. It is based on the well-known Merkle-Damg˚ard construction [4,8]. For
this construction, it can be proven that if the compression function is collision
resistant, so is the iterated hash function built on it.
2 Conventions
Throughout the specification of Lane, the big-endian convention is used, i.e.,
the first (or leftmost) bit of a bit string is the most significant bit. Also for
sequences of bytes, this convention is used.
As Lane reuses components of the AES block cipher [3,9], it is required to
map a sequence of bytes into an AES state, a 4 × 4 array of bytes, and vice
versa. This is done in the same way as for the AES, i.e., the sequence of 16 bytes
y0 || · · · || y15 is mapped to the AES state


y0 y4 y8 y12
y1 y5 y9 y13
y2 y6 y10 y14
y3 y7 y11 y15

 . (2)
A Lane state is the state used inside the Lane compression function. In
Lane-224 and Lane-256, a state of 256 bits is used, which corresponds to two
AES states. In Lane-384 and Lane-512, the state is 512 bits in size, correspond-
ing to four AES states. A sequence of 32 or 64 bytes can be mapped to two or
four AES states, depending on the Lane variant, where the first (leftmost) 16
bytes map into the first (leftmost) AES state, and so on.
3 Building blocks
The Lane hash function reuses several components from the AES block ci-
pher [3,9]. In particular, the SubBytes, ShiftRows and MixColumns transforma-
tions are also part of Lane. In Lane, however, they are used several times in
parallel, due to the larger state size.
2
S-box
S-box
Fig. 1. The SubBytes transformation in Lane-224 and Lane-256.
rot. left
0 bytes
rot. left
2 bytes
rot. left
1 byte rot. left
3 bytes
Fig. 2. The ShiftRows transformation in Lane-224 and Lane-256.
3.1 SubBytes
The SubBytes transformation in Lane is identical to the corresponding compo-
nent of the AES block cipher, except that it operates on a larger state. Figure 1
illustrates this for Lane-224 and Lane-256. The same non-linear substitution
(S-box) is applied to each of the state bytes independently. This S-box is the
same as the S-box used in the AES block cipher [3,9]. For an exact definition of
the S-box, we refer to the Lane specification document [6] or to [3,9].
3.2 ShiftRows
The ShiftRows transformation cyclically shifts the bytes of the rows of each
of the AES states that comprise the Lane state. The first, i.e., topmost row
is not shifted. The second, third and fourth row are cyclically shifted to the
left over one, two and three byte positions, respectively. This is identical to the
ShiftRows transformation in the AES block cipher, except that it is applied two
or four times in parallel, depending on the Lane variant. Figure 2 illustrates
ShiftRows for Lane-224 and Lane-256.
3.3 MixColumns
The MixColumns transformation operates on the columns of the state. Each
column is viewed as a polynomial over GF(28), i.e., a polynomial of degree three
with coefficients in GF(28). Then, this polynomial is multiplied modulo Y 4 + 1
3
⊗ c(Y ) ⊗ c(Y )
Fig. 3. The MixColumns transformation in Lane-224 and Lane-256.
1: k0 ← 07fc703dx
2: for i = 1 to 272 (resp. 768 for Lane-384 and Lane-512) do
3: ki = ki−1 ≫ 1
4: if ki−1 ∧ 00000001x then
5: ki = ki ⊕ d0000001x
6: end if
7: end for
Fig. 4. Pseudocode for generating the Lane constants.
with the fixed polynomial c(Y ) = 03Y 3 + 01Y 2 + 01Y + 02. Equivalently, this
operation can be written as a matrix multiplication


y′0
y′1
y′2
y′3

 =


02x 03x 01x 01x
01x 02x 03x 01x
01x 01x 02x 03x
03x 01x 01x 02x

 ·


y0
y1
y2
y3

 . (3)
Again, this is identical to the MixColumns transformation used in the AES block
cipher. Figure 3 illustrates MixColumns for Lane-224 and Lane-256.
3.4 AddConstants
The AddConstants transformation adds a 32-bit constant ki to each column of
the state. These constants ki are generated using a linear feedback shift register
(LFSR), which is described in pseudocode in Figure 4.
Which constants are added to the state depends on the full round number r,
which is given as a parameter to AddConstants. For Lane-224 and Lane-256,
AddConstants is defined as
AddConstants (r, x0 ||x1 || · · · ||x7) =
x0 ⊕ k8r ||x1 ⊕ k8r+1 || · · · ||x7 ⊕ k8r+7 . (4)
For Lane-384 and Lane-512, AddConstants is similarly defined as
AddConstants (r, x0 ||x1 || · · · ||x15) =
x0 ⊕ k16r ||x1 ⊕ k16r+1 || · · · ||x15 ⊕ k16r+15 . (5)
4
++
+
+
+
+
+
+
k8i
k8i+1
k8i+2
k8i+3
k8i+4
k8i+5
k8i+6
k8i+7
Fig. 5. The AddConstants transformation in Lane-224 and Lane-256.
Figure 5 shows the AddConstants transformation for Lane-224 and Lane-256.
Note that the constants can either be stored in a lookup table, or generated
on-the-fly. The latter avoids the need for large tables of constants in implemen-
tations where memory is limited. A linear feedback shift register (LFSR) is a
natural choice for generating constants. It is simple, and can be implemented
using only very limited resources.
3.5 AddCounter
The AddCounter transformation adds part of the counter to the state. The 64-bit
counter C is split into two 32-bit words c0 and c1, where c0 is the most significant
and c1 the least significant word, i.e., following the big endian convention.
Depending on the round parameter r, AddCounter adds one of these words
to the fourth column of the first AES state. More formally, for Lane-224 and
Lane-256 it is given by
AddCounter (r, x0 ||x1 || · · · ||x3 || · · · ||x7) =
x0 ||x1 || · · · ||x3 ⊕ cr mod 2 || · · · ||x7 . (6)
Figure 6 shows the AddCounter transformation for Lane-224 and Lane-256.
For Lane-384 and Lane-512, AddCounter is defined by
AddCounter (r, x0 ||x1 || · · · ||x3 || · · · ||x15) =
x0 ||x1 || · · · ||x3 ⊕ cr mod 2 || · · · ||x15 . (7)
3.6 SwapColumns
The SwapColumns transformation takes a Lane state, and reorders the columns.
It ensures that the AES states that comprise the Lane state are mixed among
themselves. For Lane-224 and Lane-256 it is given by
SwapColumns (x0 ||x1 || · · · ||x7) = x0 ||x1 ||x4 ||x5 ||x2 ||x3 ||x6 ||x7 . (8)
Figure 7 shows the SwapColumns transformation for Lane-224 and Lane-256. It
can be viewed as a matrix transposition of a 2×2 matrix, where the elements are
5
+ci mod 2
Fig. 6. The AddCounter transformation in Lane-224 and Lane-256.
Fig. 7. The SwapColumns transformation in Lane-224 and Lane-256.
formed by pairs of state columns. For Lane-384 and Lane-512, SwapColumns
is defined by
SwapColumns (x0 ||x1 || · · · ||x15) =
x0 ||x4 ||x8 ||x12 ||x1 ||x5 ||x9 ||x13 ||x2 ||x6 ||x10 ||x14 ||x3 ||x7 ||x11 ||x15 .
(9)
Figure 8 shows the SwapColumns transformation for Lane-384 and Lane-512.
Similar to Lane-256 and Lane-224, SwapColumns can be seen as a matrix
transposition, now of a 4× 4 matrix, where the elements are the columns of the
state.
4 Preprocessing
Before hashing a message using Lane, two preprocessing steps are carried out:
message padding, and setting the initial chaining value.
4.1 Message padding
Lane processes a message in blocks of a fixed size, the blocksize. For Lane-
224 and Lane-256, the blocksize is 512 bits, and for Lane-384 and Lane-512,
the blocksize is 1024 bits. To support any message length up to 264 − 1 bits
(included), zero bits are appended to the message until its length is an integer
multiple of the blocksize. This ensures that the padded message can be split into
an integer number of blocks of b bits. Note that, if the message length l already
is an integer multiple of the blocksize b, no padding bits are added.
6
Fig. 8. The SwapColumns transformation in Lane-384 and Lane-512.
Table 1. Parameters of the Lane hash functions.
Lane-224 Lane-256 Lane-384 Lane-512
Digest length n 224 bits 256 bits 384 bits 512 bits
Blocksize b 512 bits 512 bits 1024 bits 1024 bits
Size of chaining value 256 bits 256 bits 512 bits 512 bits
Salt length |S| 256 bits 256 bits 512 bits 512 bits
This message padding rule is simpler than the one used in plain Merkle-
Damg˚ard, as used in the SHA family of hash functions [10]. As Lane uses an
extra compression function call as an output transformation, see Sect. 6, it is
natural to include the message length, i.e., the Merkle-Damg˚ard strengthening,
in this extra block.
4.2 Setting the initial chaining value
Every digest size supported by Lane uses a different initial value IVn,S , which
also depends on the (optional) salt. These are defined using the Lane compres-
sion function f(H,M,C) itself, which will be defined in detail in Sect. 5.
Let n be the digest size in bits, i.e., n is 224, 256, 384 or 512. Let S be the
salt value, or zero if no salt is used. The initial value IVn,S is then given by
IVn = f (0, φ || bin32(n) || 0
⋆ ||S, 0) . (10)
Here, bin32(n) is the digest length n in bits, represented as a 32-bit big-endian
integer. The flag byte φ indicates whether or not a salt value is used; see Table 2.
Note that, if no salt is used, the inital values can be precomputed for each digest
size. Note that generalisations of Lane to other digest lengths can be defined in
a similar way, if desired.
The purpose of the flag byte φ is to provide domain separation. More specif-
ically, the only compression function calls in Lane that use a zero counter C
occur in the derivation of the initial chaining value and in the output transfor-
mation. Hence, it is impossible to simulate these calls using a normal message
block. In order to provide a similar separation for the four cases that do have
7
Table 2. The flag byte φ.
No salt used Salt used
Output transformation 00x 01x
Derivation of IVn,S 02x 03x
Hi−1 Mi
Message Expansion
P0 P1 P2 P3 P4 P5
+ +
Q0 Q1
+
Hi
Fig. 9. The Lane compression function.
a zero counter C, i.e., initial value derivation with or without salt, and output
transformation with or without salt, the flag byte φ is used.
5 The Lane compression function
This section describes the Lane compression function f(Hi−1,Mi, Ci). This
function takes the following three inputs:
– The input chaining value Hi−1 is equal to the output of the previous com-
pression function call, or, for the first compression function call, the initial
value IVn,S .
– The message blockMi holds part of the padded message. Each message block
is of a fixed size, the blocksize, which is indicated in Table 1.
– The counter Ci holds the number of message bits hashed so far, including the
message bits in the current message block Mi. The counter Ci is represented
as a 64-bit unsigned integer in big-endian notation.
The idea of including a bit counter in every compression function call is
borrowed from the ‘HAsh Iterative FrAmework’ (HAIFA) of Biham and Dunkel-
man [1]. This stops several attacks on the iteration, e.g., the long message second
preimage attack by Kelsey and Schneier [7], at only a very modest cost.
8
The structure of the Lane compression function is shown in Figure 9. It
consists of a message expansion, eight permutation lanes, arranged in two layers,
and three XOR combiners. Section 5.1 describes the message expansion. The
permutation lanes are discussed in Sect. 5.2. The Lane compression function
was designed to be simple to understand and easy to analyse.
The use of permutations ensures that internal collisions can only occur in cer-
tain places, i.e., at the XOR combiners. Establishing such an internal collision
is equivalent to satisfying a linear condition on the outputs of several permuta-
tions. Similarly, the message expansion imposes linear relations on the inputs of
the permutations. The rationale is that, while such conditions are very simple, it
is hard to maintain or even track them through the rounds of the permutations.
A similar rationale applies to the problem of finding (second) preimages for
the compression function. Straightforward inversion attempts fail, as one has to
ensure that the linear conditions imposed by the message expansion hold. This
is again considered to be very difficult.
As described in detail in [6], having only a single layer of permutations would
allow for a class of distinguishers for the compression function, based on limiting
the permutation inputs to a small set. The second layer of permutations not only
prevents that, but also has a beneficial effect on the resistance to differential
cryptanalysis. Indeed, in a collision differential, either the entire second layer
must be activated, or an internal collision must be reached simultaneously on
both of the XOR combiners after the first layer, i.e., on a value twice the size of
the chaining value.
The ample parallelism provided by the Lane compression function allows for
flexibility in implementation. In software implementations, Lane offers many op-
portunities for instruction level parallelism (ILP), which can be used by modern
pipelined and superscalar CPU’s. Also, as the same operations are carried out on
many independent data values in parallel, it is possible to use vector instructions,
i.e., Single Instruction Multiple Data (SIMD) instructions. On the other end of
the spectrum, it is equally possible to implement Lane in a completely serial
way. In such implementations, the memory requirements are kept minimal. Hard-
ware designers implementing Lane are offered an area-speed tradeoff, making
Lane suitable for both resource-constrained and very high-speed applications.
5.1 The message expansion
The message expansion of Lane takes the message blockMi and the input chain-
ing valueHi−1, and expands them into six expanded message blocks,W0, . . . ,W5.
In Lane-224 and Lane-256, the six expanded message words, W0, . . . ,W5,
are all 256 bits long. They are computed as follows. Split the 512-bit message
blockMi into four 128-bit parts m0, . . . ,m3, and split the 256-bit input chaining
value Hi−1 into two 128-bit parts, h0 and h1:
m0 ||m1 ||m2 ||m3 ←Mi
h0 ||h1 ← Hi−1
. (11)
9
Then, compute the six expanded message words, W0, . . . ,W5 as
W0 = h0 ⊕m0 ⊕m1 ⊕m2 ⊕m3 || h1 ⊕m0 ⊕m2
W1 = h0 ⊕ h1 ⊕m0 ⊕m2 ⊕m3 || h0 ⊕m1 ⊕m2
W2 = h0 ⊕ h1 ⊕m0 ⊕m1 ⊕m2 || h0 ⊕m0 ⊕m3
W3 = h0 || h1
W4 = m0 || m1
W5 = m2 || m3
. (12)
The message expansion in Lane-384 and Lane-512 is completely analogous. The
only difference is that all sizes are doubled.
Even more so than other components of Lane, the message expansion was
chosen to be very simple and light. Its main purpose is to introduce dependencies
between the inputs of the various permutation lanes, such that they cannot be
chosen independently. It also precludes straightforward inversion attempts, as it
is conjectured that, however simple the linear conditions imposed by the message
expansion, it is not feasible to satisfy them when only having direct control over
the permutation outputs.
The message expansion is based on a (6,3,4) linear code over GF(4). The
minimum distance property of this code ensures that, in a differential attack,
at least four out of the six lanes in the first layer will be active, i.e., have a
difference at the input as well as output.
Provable resistance is offered against meet-in-the-middle preimage attacks on
the compression function. Indeed, it is not possible to construct two independent
sets of permutation lanes to use in such an attack. This follows from the minimum
distance property of the linear code on which the message expansion is based.
Each output of the message expansion can be computed independently of the
others, and read-only access to the current message block suffices. This implies
that the message buffer can be shared with another application, eliminating the
need for extra memory and costly data copying.
Finally, note that the inputs of the permutation lanes P4 and P5 only depend
on the message block input, and not on the chaining value. This implies that
those lanes can already be computed while the previous chaining value is not
yet known, e.g., in parallel with the second layer of the previous compression
function call.
5.2 The permutations
The Lane compression function contains eight permutations, arranged in two
layers. Each permutation consists of a number of rounds, where the number of
rounds is different for the two layers: the permutations in the first layer have
twice as many rounds as those in the second layer. In the rest of the document,
we use “lane” as a synonym for a single Lane permutation. Table 3 gives the
number of rounds in the permutations for each Lane variant. The rationale
behind the choice of the number of permutation rounds is to use as few rounds
as possible, for performance reasons, but still enough rounds to offer an adequate
security margin. We refer to [6] for a more detailed discussion.
10
Table 3. Number of rounds in the Lane permutations.
Lane-224 Lane-256 Lane-384 Lane-512
P0, . . . , P5 6 6 8 8
Q0, Q1 3 3 4 4
function Round(r, X)
1: X ← SubBytes(X)
2: X ← ShiftRows(X)
3: X ← MixColumns(X)
4: X ← AddConstants(r, X)
5: X ← AddCounter(r, X)
6: X ← SwapColumns(X)
7: return X
function LastRound(X)
1: X ← SubBytes(X)
2: X ← ShiftRows(X)
3: X ← MixColumns(X)
4: X ← SwapColumns(X)
5: return X
Fig. 10. Pseudocode for the Lane permutation rounds.
The rounds of the permutations use the building blocks described in Sect. 3.
More in detail, a full permutation round consists of the following sequence
of transformations: SubBytes, ShiftRows, MixColumns, AddConstants, Add-
Counter and SwapColumns. The last round of each permutation omits Add-
Constants and AddCounter. Figure 10 gives a pseudocode description of the
Lane permutation rounds.
Note that a permutation round can be seen as two, for Lane-224 and Lane-
256, or four, for Lane-384 and Lane-512, parallel invocations of a round of the
AES block cipher [3,9], where the appropriate constants and counter word are
used as a round key, followed by SwapColumns.
A round number r is assigned to each of the full rounds across all permu-
tations, to specify the constants and counter to use in each round. The permu-
tations are taken in the order P0, P1, . . . , P5, Q0, Q1 and only the full rounds
are counted, i.e., the last round of each permutation is ignored. Table 4 lists the
round numbers r in each of the permutations.
A pseudocode description of the permutations used in Lane-224 and Lane-
256 is given in Figure 11, including an exact expression to compute the full
round number r for each round. Figure 12 describes the permutations used in
Lane-384 and Lane-512.
The permutations used in Lane are built using components of the AES block
cipher [3,9]. One motivation for this choice is that these components and their
properties are well studied and hence well understood. This allows to build on
existing work on the security of these components to analyse Lane.
Reusing AES components also has several practical benefits. Much effort has
already been spent on efficient implementations of the AES on a wide variety
of platforms. Since Lane is based on the AES, these techniques can equally
be applied to Lane. For example, the new AES-NI instruction set, which was
announced by Intel [2] and will be introduced in the next generation of Intel
processors as of 2009, can be used to accelerate Lane. Another benefit lies in
resource constrained environments, requiring both a hash function and a block
11
Table 4. The full round number r.
Lane-224 Lane-256 Lane-384 Lane-512
P0 0—4 0—4 0—6 0—6
P1 5—9 5—9 7—13 7—13
P2 10—14 10—14 14—20 14—20
P3 15—19 15—19 21—27 21—27
P4 20—24 20—24 28—34 28—34
P5 25—29 25—29 35—41 35—41
Q0 30—31 30—31 42—44 42—44
Q1 32—33 32—33 45—47 45—47
function Pj(X)
1: for i = 0 to 4 do
2: r ← 5j + i
3: X ← Round (r, X)
4: end for
5: X ← LastRound(X)
6: return X
function Qj(X)
1: for i = 0 to 1 do
2: r ← 30 + 2j + i
3: X ← Round (r, X)
4: end for
5: X ← LastRound(X)
6: return X
Fig. 11. Pseudocode for the permutations in Lane-224 and Lane-256.
function Pj(X)
1: for i = 0 to 6 do
2: r ← 7j + i
3: X ← Round (r, X)
4: end for
5: X ← LastRound(X)
6: return X
function Qj(X)
1: for i = 0 to 2 do
2: r ← 42 + 3j + i
3: X ← Round (r, X)
4: end for
5: X ← LastRound(X)
6: return X
Fig. 12. Pseudocode for the permutations in Lane-384 and Lane-512.
12
cipher. Using Lane together with the AES allows large parts of the implemen-
tation to be shared, yielding a substantial overall improvement.
For simplicity and ease of (parallel) implementation, all permutations in
Lane are built in the same way. Different constants are thus required in each
permutation lane, to ensure that any attack based on maintaining symmetry
across several permutation rounds is avoided. The first constant, used to ini-
tialise the LFSR which generates the other constants, was chosen such that no
two constant bytes used in the same position of two different lanes are equal.
The permutations are keyed using the bit counter input to the compression
function. This is a natural way of including the bit counter, as it is very simple
and lightweight, but achieves the goal of making the whole compression function
dependent on this counter.
6 The output transformation
The output transformation of Lane takes as input the chaining value after all
padded message blocks have been processed, and returns the message digest. It
also includes the message length l, and the (optional) salt S, if one was used.
The transformation consists of two parts. First, a single additional compres-
sion function call is done. The counter C is set to zero, and the message input
is set to
φ || bin64(l) || 0
⋆ ||S . (13)
Here, bin64(l) is the (unpadded) message length l in bits, represented as a 64-bit
big-endian integer. The flag byte φ indicates whether or not a salt value is used;
see Table 2. If a salt value is not used, zero bits are used instead of S.
In the second part of the output transformation, a truncation is applied to
compute the final message digest. This truncation keeps the n leftmost bits and
truncates away the other bits, where n is the digest length. For Lane-256 and
Lane-512, no truncation is required. The truncation operation for Lane-224 is
given by
Trunc224 (x0 ||x1 || · · · ||x6 ||x7) = x0 ||x1 || · · · ||x6 . (14)
For Lane-384, the truncation is defined similarly as
Trunc384 (x0 ||x1 || · · · ||x11 || · · · ||x15) = x0 ||x1 || · · · ||x11 . (15)
Note that generalisations of Lane to other digest lengths can be defined using
a similar truncation, if desired.
The output transformation is used to offer an additional layer of protection
against (first) preimage attacks. For simplicity, this output transformation is
constructed based on the Lane compression function, with a message block of
a fixed structure. It is straightforward to see that this structure imposed on the
message block drastically limits the freedom of an adversary seeking a preim-
age. The output transformation also serves to protect against length-extension
attacks, as it is impossible to simulate the effect of the output transformation
using a regular message block. Finally, the output transformation also offers ad-
ditional protection against distinguishing attacks, as any potential bias in the
compression function
13
Acknowledgements
Elena Andreeva, Sebastiaan Indesteege, Elmar Tischhauser (‘Aspirant F.W.O. Vlaan-
deren’) and Christophe De Cannie`re (‘Postdoctoraal Onderzoeker F.W.O. Vlaanderen’)
are supported by the Fund for Scientific Research Flanders (F.W.O. Vlaanderen). This
work was also supported in part by the IAP Programme P6/26 BCRYPT of the Bel-
gian State (Belgian Science Policy), and in part by the European Commission through
the IST Programme under Contract IST-2002-507932 ECRYPT.
References
1. Eli Biham and Orr Dunkelman. A framework for iterative hash functions —
HAIFA. Presented at the second NIST hash workshop (August 24–25), 2006.
2. Intel Corporation. Advanced encryption standard (AES) instructions set. White
paper, July 2008. Available online at http://softwarecommunity.intel.com/
isn/downloads/intelavx/AES-Instructions-Set_WP.pdf.
3. Joan Daemen and Vincent Rijmen. The design of Rijndael: AES — the Advanced
Encryption Standard. Springer-Verlag, 2002.
4. Ivan Damg˚ard. A design principle for hash functions. In Gilles Brassard, edi-
tor, CRYPTO, volume 435 of Lecture Notes in Computer Science, pages 416–427.
Springer, 1989.
5. Shai Halevi and Hugo Krawczyk. Strengthening digital signatures via randomized
hashing. In Cynthia Dwork, editor, CRYPTO, volume 4117 of Lecture Notes in
Computer Science, pages 41–59. Springer, 2006.
6. Sebastiaan Indesteege, Elena Andreeva, Christophe De Cannie`re, Orr Dunkelman,
Emilia Ka¨sper, Svetla Nikova, Bart Preneel, and Elmar Tischhauser. The lane
hash function. Submission to NIST, 2008. Available online at http://www.cosic.
esat.kuleuven.be/lane/.
7. John Kelsey and Bruce Schneier. Second preimages on n-bit hash functions for
much less than 2n work. In Ronald Cramer, editor, EUROCRYPT, volume 3494
of Lecture Notes in Computer Science, pages 474–490. Springer, 2005.
8. Ralph C. Merkle. A certified digital signature. In Gilles Brassard, editor, CRYPTO,
volume 435 of Lecture Notes in Computer Science, pages 218–238. Springer, 1989.
9. National Institue of Standards and Technology. Specification for the Advanced
Encryption Standard (AES). Federal Information Processing Standards Publica-
tion 197, 2001. Available online at http://csrc.nist.gov/publications/fips/
fips197/fips-197.pdf.
10. National Institue of Standards and Technology. Secure hash stan-
dard. Federal Information Processing Standards Publication 180-2, 2002.
Available online at http://csrc.nist.gov/publications/fips/fips180-2/
fips180-2withchangenotice.pdf.
11. National Institute of Standards and Technology. Announcing request for candidate
algorithm nominations for a new cryptographic hash algorithm (SHA-3) family.
Federal Register, 72(212):62212–62220, November 2007.
14
