LHash: A Lightweight Hash Function (Full Version)

In this paper, we propose a new lightweight hash function supporting three different digest sizes: 80, 96 and 128 bits, providing preimage security from 64 to 120 bits, second preimage and collision security from 40 to 60 bits. LHash requires about 817 GE and 1028 GE with a serialized implementation. In faster implementations based on function $T$, LHash requires 989 GE and 1200 GE with 54 and 72 cycles per block, respectively. Furthermore, its energy consumption evaluated by energy per bit is also remarkable. LHash allows to make trade-offs among security, speed, energy consumption and implementation costs by adjusting parameters. The design of LHash employs a kind of Feistel-PG structure in the internal permutation, and this structure can utilize permutation layers on nibbles to improve the diffusion speed. The adaptability of LHash in different environments is good, since different versions of LHash share the same basic computing module. The low-area implementation comes from the hardware-friendly S-box and linear diffusion layer. We evaluate the resistance of LHash against known attacks and confirm that LHash provides a good security margin

practical rebound attack on 12-round cheetah-256

Natl Secur Res Inst, Elect Telecommunicat Res Inst, Natl Inst Math Sci, Korea Internet & Secur Agcy, Korea Univ BK21 Info Secur Ubiquitous Environm, Seoul Natl Univ Res Inst Math, Korean Federat Sci & Technol Soc, Chungnam Natl Univ, Internet Intrus ResponseTechnol Res Ctr, MarkAny, SG Advantech, AhnLab, LG CNS, Korea UnivIn this paper, we propose cryptanalysis of the hash function Cheetah-256. Cheetah is accepted as a first round candidate of SHA-3 competition hosted by NIST 1, but it is not in the second round. First, we discuss relation between degrees of freedom injected from round message blocks and round number of a pseudo-collision attack on hash functions with S boxes and MDS diffusion. A pseudo-collision attack on 8-round Cheetah-256 can be derived by trivially applying original rebound techniques. Then, we propose a rebound differential path for semi-free start collision attack on 12-round Cheetah-256 and an observation of the neutral bytes influence on state values. Based on this observation, algebraic message modifications are designed using the neutral bytes and total complexity is reduced to 2(24). This is a practical rebound attack