ORANGISH Hash Function
ORANGE (Optimum RAte spoNGE) is an authenticated encryption and sponge hash scheme that can be based on any permutation; its sponge-based encryption and hashing absorb data at the optimum rate. The ORANGE-based hash function is named ORANGISH.
Mode Specification
The ORANGISH hash mode is very close to that of the JH hash function, which is one of the finalists of the SHA-3 competition. JH mode allows us to absorb 128 bits of data for each permutation call. Thus, it has higher throughput than the classical sponge hash function. The design of ORANGISH is expected to provide collision and preimage security against all adversaries running in time $2^{112}$ (i.e. making $2^{112}$ permutation calls). For further details see the submitted specs. For software implementation see implementation.
Figure 1: ORANGISH Mode of Hash Function for m input blocks
Permutation
The construction uses PHOTON256 as the underlying permutation. Among the existing 256-bit permutations, PHOTON256 is one of the lightest designs in the literature. It has been well studied and well analyzed. Moreover, PHOTON256 is also part of the ISO/IEC 29192-5 standard, which deals specifically with lightweight cryptography. The details of PHOTON256 can be found here.
Security
Collision Security of ORANGISH
To mount a collision attack on ORANGISH, suppose an adversary can make $q$ permutation calls. Call every state that can be reached from the initial state (we define the initial state as $0^{256}$) using the permutation calls a reachable state. The adversary can set up the queries adaptively so that all the query inputs (and hence query outputs) are reachable states. We claim that the number of reachable states can be at most $nq$ (by a multi-collision argument; details will be provided later). Hence, finding a collision pair has probability at most $n^2 q^2 / 2^{256}$. This leads to our claim on the collision security.
Preimage Security of ORANGISH
In ORANGISH we set the tag size to 256 bits and the tag squeeze rate to 128 bits. So, given a preimage target $T_2 \| T_1$, an adversary needs to find a $Z$ such that $\text{PHOTON}_{256}(Z \| T_1) = * \| T_2$ or $\text{PHOTON}_{256}^{-1}(Z \| T_2) = * \| T_1$. It is easy to see that the probability of this event can be bounded by $q / 2^{128}$, where $q$ is the number of $P$ and $P^{-1}$ calls.
Design Rationale
1. Choice of Mode: Our primary goal is to design a lightweight cipher that has optimum throughput. No sponge variant known so far can absorb message data at a rate equal to the state size of the permutation. Our design achieves this at the cost of an additional state, so it is optimum in rate. We also use the JH variant for hashing, which absorbs much more data than the classical sponge hash.
2. Need of an additional state: A b-bit permutation with an r-bit rate leaks r bits of information about the permutation outputs. So when r = b, the entire state value would be leaked and the key can be computed easily. Thus we need an additional state to keep some amount of secret. We find that a 128-bit additional state (chosen dynamically) provides the desired security.
3. Choice of the Permutation: PHOTON is an ISO-standard lightweight permutation that also provides a sufficient security level.
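The leak described in item 2, as an added example that is not part of the ORANGE submission: a plain duplex sponge over a constructed 64-bit toy permutation (a stand-in, not PHOTON256, and not the ORANGE mode), run once at full rate r = b and once at r = b/2. The names `perm`, `encrypt` and `recover_key_full_rate` and the sample key and nonce are hypothetical.

```python
# Toy model of design-rationale item 2. Constructed for illustration: the
# 64-bit ARX permutation is a stand-in, NOT PHOTON256, and the mode is a plain
# duplex sponge, NOT ORANGE.
MASK = 0xFFFFFFFF  # state = two 32-bit words, so b = 64

def rotl(x, r):
    return ((x << r) | (x >> (32 - r))) & MASK

def perm(s):
    """Public, invertible toy permutation on b = 64 bits."""
    a, b = s >> 32, s & MASK
    for rc in range(8):
        a = (a + b) & MASK
        b = rotl(b, 7) ^ a ^ rc
        a = rotl(a, 13)
    return (a << 32) | b

def perm_inv(s):
    """Inverse of perm(); it uses no secret, so anyone can compute it."""
    a, b = s >> 32, s & MASK
    for rc in reversed(range(8)):
        a = rotl(a, 32 - 13)            # rotate right by 13
        b = rotl(b ^ a ^ rc, 32 - 7)    # rotate right by 7
        a = (a - b) & MASK
    return (a << 32) | b

def encrypt(key, nonce, blocks, r):
    """Duplex encryption with an r-bit rate (64 or 32); key, nonce: 32 bits."""
    s, out = perm((key << 32) | nonce), []
    for m in blocks:
        c = (s >> (64 - r)) ^ m              # keystream = top r bits of state
        out.append(c)
        hidden = s & ((1 << (64 - r)) - 1)   # capacity part, never output
        s = perm((c << (64 - r)) | hidden)
    return out

def state_bits_from_known_block(m0, c0):
    """What one known plaintext block reveals: the top r bits of the state."""
    return m0 ^ c0

def recover_key_full_rate(m0, c0):
    """r = b: the leak is the whole state, so invert back to key || nonce."""
    return perm_inv(state_bits_from_known_block(m0, c0)) >> 32

KEY, NONCE = 0x0BADC0DE, 0x00000001          # constructed sample values
full = encrypt(KEY, NONCE, [0x1122334455667788], r=64)
half = encrypt(KEY, NONCE, [0x11223344], r=32)
```

At r = 64 a single known block returns `KEY`; at r = 32 the same observation yields only the top half of the state, and the 32-bit capacity part stays unknown to the observer.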