ISO/IEC 29192-5:2016
(Main)Information technology — Security techniques — Lightweight cryptography — Part 5: Hash-functions
Information technology — Security techniques — Lightweight cryptography — Part 5: Hash-functions
ISO/IEC 29192-5:2016 specifies three hash-functions suitable for applications requiring lightweight cryptographic implementations. - PHOTON: a lightweight hash-function with permutation sizes of 100, 144, 196, 256 and 288 bits computing hash-codes of length 80, 128, 160, 224, and 256 bits, respectively. - SPONGENT: a lightweight hash-function with permutation sizes of 88, 136, 176, 240 and 272 bits computing hash-codes of length 88, 128, 160, 224, and 256 bits, respectively. - Lesamnta-LW: a lightweight hash-function with permutation size 384 bits computing a hash-code of length 256 bits. The requirements for lightweight cryptography are given in ISO/IEC 29192‑1.
Technologies de l'information — Techniques de sécurité — Cryptographie pour environnements contraints — Partie 5: Fonctions de hachage
General Information
Buy Standard
Standards Content (Sample)
INTERNATIONAL ISO/IEC
STANDARD 29192-5
First edition
2016-08-01
Information technology —
Security techniques — Lightweight
cryptography —
Part 5:
Hash-functions
Technologies de l’information — Techniques de sécurité —
Cryptographie pour environnements contraints —
Partie 5: Fonctions de hachage
Reference number
ISO/IEC 29192-5:2016(E)
©
ISO/IEC 2016
---------------------- Page: 1 ----------------------
ISO/IEC 29192-5:2016(E)
COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2016, Published in Switzerland
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form
or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior
written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of
the requester.
ISO copyright office
Ch. de Blandonnet 8 • CP 401
CH-1214 Vernier, Geneva, Switzerland
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
copyright@iso.org
www.iso.org
ii © ISO/IEC 2016 – All rights reserved
---------------------- Page: 2 ----------------------
ISO/IEC 29192-5:2016(E)
Contents Page
Foreword .iv
Introduction .v
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Symbols . 3
5 Lightweight hash-functions optimized for hardware implementations .3
5.1 General . 3
5.2 PHOTON . 3
5.2.1 General. 3
5.2.2 PHOTON specific notation . 4
5.2.3 Domain extension algorithm . 4
5.2.4 Internal permutation . 5
5.3 SPONGENT .10
5.3.1 General.10
5.3.2 SPONGENT specific notation .10
5.3.3 Domain extension algorithm .10
5.3.4 Internal permutation .11
6 Lightweight hash-functions optimized for software implementations .12
6.1 General .12
6.2 Lesamnta-LW .13
6.2.1 General.13
6.2.2 Message padding .13
6.2.3 Lesamnta-LW specific notation .13
6.2.4 Compression function and domain extension .13
6.2.5 Block cipher .14
Annex A (normative) Object identifiers .17
Annex B (informative) Numerical examples .19
Annex C (informative) Feature tables .23
Bibliography .26
© ISO/IEC 2016 – All rights reserved iii
---------------------- Page: 3 ----------------------
ISO/IEC 29192-5:2016(E)
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical
activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international
organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the
work. In the field of information technology, ISO and IEC have established a joint technical committee,
ISO/IEC JTC 1.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for
the different types of document should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject
of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent
rights. Details of any patent rights identified during the development of the document will be in the
Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation on the meaning of ISO specific terms and expressions related to conformity
assessment, as well as information about ISO’s adherence to the WTO principles in the Technical
Barriers to Trade (TBT) see the following URL: Foreword - Supplementary information
The committee responsible for this document is ISO/IEC JTC 1, Information technology, SC 27, IT Security
techniques.
ISO/IEC 29192 consists of the following parts, under the general title Information technology — Security
techniques — Lightweight cryptography:
— Part 1: General
— Part 2: Block ciphers
— Part 3: Stream ciphers
— Part 4: Mechanisms using asymmetric techniques
— Part 5: Hash-functions
Further parts may follow.
iv © ISO/IEC 2016 – All rights reserved
---------------------- Page: 4 ----------------------
ISO/IEC 29192-5:2016(E)
Introduction
This part of ISO/IEC 29192 specifies lightweight hash-functions, which are tailored for implementation
in constrained environments.
ISO/IEC 29192-1 specifies the requirements for lightweight cryptography.
A hash-function maps an arbitrary string of bits to a fixed-length string of bits.
The International Organization for Standardization (ISO) and International Electrotechnical
Commission (IEC) draw attention to the fact that it is claimed that compliance with this part of
ISO/IEC 29192 may involve the use of patents. The ISO and IEC take no position concerning the evidence,
validity and scope of these patent rights.
The holders of these patent rights have assured the ISO and IEC that they are willing to negotiate
licences under reasonable and non-discriminatory terms and conditions with applicants throughout
the world.
In this respect, the statements of the holders of these patent rights are registered with the ISO and IEC.
Information may be obtained from the following:
Nanyang Technological University - NTUitive Pte Ltd
16 Nanyang Drive, #01-109, Innovation Centre, Singapore 637722
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights other than those identified above. ISO and IEC shall not be held responsible for identifying
any or all such patent rights.
ISO (www.iso.org/patents) and IEC (http://patents.iec.ch) maintain on-line databases of patents
relevant to their standards. Users are encouraged to consult the databases for the most up to date
information concerning patents.
© ISO/IEC 2016 – All rights reserved v
---------------------- Page: 5 ----------------------
INTERNATIONAL STANDARD ISO/IEC 29192-5:2016(E)
Information technology — Security techniques —
Lightweight cryptography —
Part 5:
Hash-functions
1 Scope
This part of ISO/IEC 29192 specifies three hash-functions suitable for applications requiring lightweight
cryptographic implementations.
— PHOTON: a lightweight hash-function with permutation sizes of 100, 144, 196, 256 and 288 bits
computing hash-codes of length 80, 128, 160, 224, and 256 bits, respectively.
— SPONGENT: a lightweight hash-function with permutation sizes of 88, 136, 176, 240 and 272 bits
computing hash-codes of length 88, 128, 160, 224, and 256 bits, respectively.
— Lesamnta-LW: a lightweight hash-function with permutation size 384 bits computing a hash-code
of length 256 bits.
The requirements for lightweight cryptography are given in ISO/IEC 29192-1.
2 Normative references
The following documents, in whole or in part, are normatively referenced in this document and are
indispensable for its application. For dated references, only the edition cited applies. For undated
references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 29192-1, Information technology — Security techniques — Lightweight cryptography —
Part 1: General
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
3.1
absorbing phase
input phase of a sponge function
[SOURCE: [4]]
3.2
bitrate
part of the internal state of a sponge function of length r bits
[SOURCE: [4]]
3.3
capacity
part of the internal state of a sponge function of length c bits
[SOURCE: [4]]
© ISO/IEC 2016 – All rights reserved 1
---------------------- Page: 6 ----------------------
ISO/IEC 29192-5:2016(E)
3.4
collision resistance
computationally infeasible to find any two distinct inputs which map to the same output of a hash-
function
Note 1 to entry: Computational feasibility depends on the specific security requirements and environment.
3.5
hash-code
string of bits which is the output of a hash-function
Note 1 to entry: The literature on this subject contains a variety of terms that have the same or similar meaning
as hash-code. Modification Detection Code, Manipulation Detection Code, digest, hash-result, hash-value and
imprint are some examples.
1)
[SOURCE: ISO/IEC 10118-1:— , 2.3]
3.6
hash-function
function which maps strings of bits to fixed-length strings of bits, satisfying the following two
properties:
— it is computationally infeasible to find for a given output, an input which maps to this output;
— it is computationally infeasible to find for a given input, a second input which maps to the same output
Note 1 to entry: Computational feasibility depends on the specific security requirements and environment.
1)
[SOURCE: ISO/IEC 10118-1:— , 2.4]
3.7
initializing value
value used in defining the starting point of a hash-function
Note 1 to entry: The literature on this subject contains a variety of terms that have the same or similar meaning
as initializing value. Initialization vector and starting value are examples.
1)
[SOURCE: ISO/IEC 10118-1:— , 2.5]
3.8
preimage resistance
computationally infeasible to find for a given output of a hash-function, an input which maps to this output
Note 1 to entry: Computational feasibility depends on the specific security requirements and environment.
3.9
second preimage resistance
computationally infeasible to find for a given input of a hash-function, a second input which maps to the
same output
Note 1 to entry: Computational feasibility depends on the specific security requirements and environment.
3.10
sponge function
mode of operation, based on a fixed-length permutation (or transformation) and a padding rule, which
builds a function mapping variable-length input to variable-length output
[SOURCE: [4]]
1) To be published. (Revision of ISO/IEC 10118-1:2000)
2 © ISO/IEC 2016 – All rights reserved
---------------------- Page: 7 ----------------------
ISO/IEC 29192-5:2016(E)
3.11
squeezing phase
output phase of a sponge function
[SOURCE: [4]]
4 Symbols
c
{0} bit-string containing exactly c zeros
0x prefix indicating a binary string in hexadecimal notation
|| concatenation of bit strings
a ← b set variable a to the value of b
bitwise exclusive-OR operation
⊕
c length of the capacity in bits
hash n-bit hash-code
IV t-bit initialization value
m message block i of r bits
i
n length of the hash code in bits
r length of the bitrate in bits
S t-bit internal state at iteration i
i
t length of the internal state in bits
the smallest integer greater than or equal to the real number x
x
5 Lightweight hash-functions optimized for hardware implementations
5.1 General
Clause 5 specifies PHOTON and SPONGENT hash-functions which are optimized for hardware
implementations. ISO/IEC 29192-1 shall be referred to for the requirements for lightweight
cryptography.
5.2 PHOTON
5.2.1 General
[5]
In order to cover a wide spectrum of applications, five different variants of PHOTON are specified.
Each variant is defined by its internal permutation size t = c + r, where c and r denote the capacity
and the bitrate, respectively. For a fixed permutation size t, the choice of c and r provides a security-
efficiency trade-off. PHOTON-t denotes the variant using a t-bit internal permutation.
The five variants are the following:
a) PHOTON-100 computes an 80-bit hash-code and offers 64-bit preimage resistance, 40-bit second
preimage resistance, and 40-bit collision resistance.
© ISO/IEC 2016 – All rights reserved 3
---------------------- Page: 8 ----------------------
ISO/IEC 29192-5:2016(E)
b) PHOTON-144 computes a 128-bit hash-code and offers 112-bit preimage resistance, 64-bit second
preimage resistance, and 64-bit collision resistance.
c) PHOTON-196 computes a 160-bit hash-code and offers 124-bit preimage resistance, 80-bit second
preimage resistance, and 80-bit collision resistance.
d) PHOTON-256 computes a 224-bit hash-code and offers 192-bit preimage, 112-bit second preimage
resistance, and 112-bit collision resistance.
e) PHOTON-288 computes a 256-bit hash-code and offers 224-bit preimage, 128-bit second preimage
resistance, and 128-bit collision resistance.
PHOTON-100 does not provide the minimum security strength as required in ISO/IEC 29192-1. It shall
not be used as a general purpose hash function. PHOTON-144 does not provide the minimum security
strength for collision resistance and second preimage resistance as required in ISO/IEC 29192-1. It
shall only be used in applications where collision resistance and second preimage resistance are not
required.
5.2.2 PHOTON specific notation
P
t internal permutation, where t∈{100,144,196,256,288}
z the r’ leftmost bits of the internal state S
i
c′ length of the capacity in bits during the squeezing phase of PHOTON
d number of rows and columns of the internal state matrix
r′ length of the bitrate in bits during the squeezing phase of PHOTON
S[i,j]
the s-bit internal state cell located at row i and column j, with 0≤
RC(v) round constant of round v
IC (i) internal constants of row i
d
X 3-bit or 4-bit internal state of a shift register to generate the round constants
r
RC(v) or the internal constants IC (i)
d
FB() feedback function to update the internal state of a shift register
[1]
SBOX the 4-bit substitution table (S-box) also used in the block cipher PRESENT
PRE
SBOX the 8-bit substitution table (S-box) also used in the Advanced Encryption Algo-
AES
[2]
rithm
5.2.3 Domain extension algorithm
The message M to hash is first padded by appending a “1” bit and as many zeros (possibly none), such
that the total length is a multiple of the bitrate, r, and finally l message blocks m ,…, m of r bits each
0 l-1
t-24
can be obtained. The t-bit internal state, S, is initialized by setting it to the value S =IV= {0} ||n/4||r||r’,
0
where each value is coded on 8 bits.
NOTE For implementation purposes, each byte is interpreted in big-endian form, that is, the leftmost bit is
the most significant bit.
4 © ISO/IEC 2016 – All rights reserved
---------------------- Page: 9 ----------------------
ISO/IEC 29192-5:2016(E)
Then, as for the classical sponge strategy, at iteration i the message block m is absorbed on the leftmost
i
part of the internal state S and then the permutation P is applied, i.e.
i t
c
SP←⊕((Sm 0 )).
{}
it+1 ii
Once all l message blocks have been absorbed, the hash value is built by concatenating the successive
r’-bit output blocks z until the appropriate output size n is reached:
i
hash= zz.
01l′−
with the rightmost bits truncated if necessary to produce an n-bit hash. More precisely, z is the r′
i
leftmost bits of the internal state S and S ← P (S ) for 0≤
l+i l+i+1 t l+i
squeezing iterations, that is ln''= / r − 1 . If the hash output size is not a multiple of r′, one just truncates
z to n mod r′ bits.
l′-1
5.2.4 Internal permutation
5.2.4.1 General
2
The internal permutations P , where t∈{100,144,196,256,288}, are applied to an internal state of d
t
elements of s bits each, which can be represented as a (d × d) matrix. P is composed of N rounds, each
t r
containing four layers as depicted in Figure 1:
a) AddConstants (AC),
b) SubCells (SC),
c) ShiftRows (ShR), and
d) MixColumnsSerial (MCS).
Table 1 shows an overview of the parameters of the different variants of PHOTON.
Table 1 — Overview of parameters of PHOTON
Variant t c r r’ d s N IC (.) Irr. polynomial Z coefficients
r d i
4
PHOTON-100 100 80 20 16 5 4 12 [0, 1, 3, 6, 4] x + x + 1 (1, 2, 9, 9, 2)
4
PHOTON-144 144 128 16 16 6 4 12 [0,1, 3, 7, 6, 4] x + x + 1 (1, 2, 8, 5, 8, 2)
4
PHOTON-196 196 160 36 36 7 4 12 [0,1, 2, 5, 3, 6, 4] x + x + 1 (1, 4, 6, 1, 1, 6, 4)
[0,1, 3, 7, 15, 14, (2, 4, 2, 11, 2, 8,
4
PHOTON-256 256 224 32 32 8 4 12 x + x + 1
12, 8] 5, 6)
8 4 3
PHOTON-288 288 256 32 32 6 8 12 [0, 1, 3, 7, 6, 4] x + x + x + x + 1 (2, 3, 1, 2, 1, 4)
NOTE Always a cell size of 4 bits is used, except for the largest version for which 8-bit cells are used, and that
the number of rounds is always N = 12 for all values of t. The output rate r′ is always the same as the input rate r,
r
except for PHOTON-100. The internal state cell located at row i and column j is denoted S[i,j] with 0≤
Informally, AddConstants simply consists in adding fixed values to the cells of the internal state, while
SubCells applies an s-bit S-box to each of them. ShiftRows rotates the position of the cells in each of the
rows and MixColumnsSerial linearly mixes all the columns independently.
© ISO/IEC 2016 – All rights reserved 5
---------------------- Page: 10 ----------------------
ISO/IEC 29192-5:2016(E)
Figure 1 — One round of a PHOTON permutation
5.2.4.2 AddConstants
At round number v (start the counting from 1), first a round constant RC(v) is XORed to each cell S[i,0]
of the first column of the internal state. Then, distinct internal constants IC (i) are XORed to each cell
d
S[i,0] of the same first column. Overall, for round v it holds that
Si′≤,,00← Si ⊕ RC vI⊕ Ci forall 0 id< .
() ()
d
The round constants RC(v) have been generated by a 4-bit linear feedback shift register with maximum
cycle length; they are
RC v = 13,, 71,, 4131,, 16,, 12 9,, 251,. 0
()
The internal constants, IC (i), depend on the square size d and on the row position i and they have
d
been generated by shift registers with a cycle length of d. For all variants shift registers with l = 3 bits
are used, except for d = 8, where l = 4 is used. The internal state of the shift register is denoted with
X = (x , ., x , x ), where each x = {0,1}, and the state is initialized with all 0’s, that is X = (0, . . . , 0, 0).
r l−1 1 0 i 0
Then in each update iteration the new content of the shift register is given by X ← (x , ., x , FB(X )),
r+1 l−2 0 r
where FB(X ) is the feedback function. The round constants are computed by FB(X ) = x XNOR x , while
r r 3 2
the feedback functions for the internal constants are shown in Table 2. Constants for all square sizes,
round numbers, and row positions are displayed in Table 3 through Table 6.
Table 2 — Feedback functions for internal constants generation
d 5 6 7 8
FB(X ) x NOR x NOT x x XNOR x NOT x
r 2 1 2 2 0 3
IC (.) [0, 1, 3, 6, 4] [0, 1, 3, 7, 6, 4] [0, 1, 2, 5, 3, 6, 4] [0, 1, 3, 7, 15, 14, 12, 8]
d
Table 3 — RC(v) ⊕ IC (i) for d = 5
d
Round v
1 2 3 4 5 6 7 8 9 10 11 12
Row i
0 1 3 7 14 13 11 6 12 9 2 5 10
1 0 2 6 15 12 10 7 13 8 3 4 11
2 2 0 4 13 14 8 5 15 10 1 6 9
3 7 5 1 8 11 13 0 10 15 4 3 12
4 5 7 3 10 9 15 2 8 13 6 1 14
6 © ISO/IEC 2016 – All rights reserved
---------------------- Page: 11 ----------------------
ISO/IEC 29192-5:2016(E)
Table 4 — RC(v) ⊕ IC (i) for d = 6
d
Round v
1 2 3 4 5 6 7 8 9 10 11 12
Row i
0 1 3 7 14 13 11 6 12 9 2 5 10
1 0 2 6 15 12 10 7 13 8 3 4 11
2 2 0 4 13 14 8 5 15 10 1 6 9
3 6 4 0 9 10 12 1 11 14 5 2 13
4 7 5 1 8 11 13 0 10 15 4 3 12
5 5 7 3 10 9 15 2 8 13 6 1 14
Table 5 — RC(v) ⊕ IC (i) for d = 7
d
Round v
1 2 3 4 5 6 7 8 9 10 11 12
Row i
0 1 3 7 14 13 11 6 12 9 2 5 10
1 0 2 6 15 12 10 7 13 8 3 4 11
2 3 1 5 12 15 9 4 14 11 0 7 8
3 4 6 2 11 8 14 3 9 12 7 0 15
4 2 0 4 13 14 8 5 15 10 1 6 9
5 7 5 1 8 11 13 0 10 15 4 3 12
6 5 7 3 10 9 15 2 8 13 6 1 14
Table 6 — RC(v) ⊕ IC (i) for d = 8
d
Round v
1 2 3 4 5 6 7 8 9 10 11 12
Row i
0 1 3 7 14 13 11 6 12 9 2 5 10
1 0 2 6 15 12 10 7 13 8 3 4 11
2 2 0 4 13 14 8 5 15 10 1 6 9
3 6 4 0 9 10 12 1 11 14 5 2 13
4 14 12 8 1 2 4 9 3 6 13 10 5
5 15 13 9 0 3 5 8 2 7 12 11 4
6 13 15 11 2 1 7 10 0 5 14 9 6
7 9 11 15 6 5 3 14 4 1 10 13 2
5.2.4.3 SubCells
This layer simply applies an s-bit S-box to each of the cells of the internal state, i.e.
Si′≤,,jS←
[1]
For PHOTON-100, PHOTON-144, PHOTO-196, and PHOTON-256, the PRESENT S-box SBOX is used,
PRE
[2]
while for PHOTON-288 the AES S-box SBOX is used. Table 7 and Table 8 show the output values of
AES
SBOX and SBOX , respectively. In these tables, all values are expressed in a hexadecimal notation.
PRE AES
For an 8-bit input of an S-box, the upper 4 bits indicate a row and the lower 4 bits indicate a column. For
example, if a value 0xAB is input, 0x62 is output by SBOX because it is on the cross line of the row
AES
indexed by “A” and the column indexed by “B”.
© ISO/IEC 2016 – All rights reserved 7
---------------------- Page: 12 ----------------------
ISO/IEC 29192-5:2016(E)
Table 7 — PRESENT S-box look-up table
x 0 1 2 3 4 5 6 7 8 9 A B C D E F
C 5 6 B 9 0 A D 3 E F 8 4 7 1 2
S(x)
Table 8 — AES S-box look-up table
.0 .1 .2 .3 .4 .5 .6 .7 .8 .9 .A .B .C .D .E .F
0. 63 7c 77 7b f2 6b 6f c5 30 01 67 2b fe d7 ab 76
ca 82 c9 7d fa 59 47 f0 ad d4 a2 af 9c a4 72 c0
1.
2. b7 fd 93 26 36 3f f7 cc 34 a5 e5 f1 71 d8 31 15
3. 04 c7 23 c3 18 96 05 9a 07 12 80 e2 eb 27 b2 75
4. 09 83 2c 1a 1b 6e 5a a0 52 3b d6 b3 29 e3 2f 84
5. 53 d1 00 ed 20 fc b1 5b 6a cb be 39 4a 4c 58 cf
6. d0 ef aa fb 43 4d 33 85 45 f9 02 7f 50 3c 9f a8
7. 51 a3 40 8f 92 9d 38 f5 bc b6 da 21 10 ff f3 d2
cd 0c 13 ec 5f 97 44 17 c4 a7 7e 3d 64 5d 19 73
8.
9. 60 81 4f dc 22 2a 90 88 46 ee b8 14 de 5e 0b db
A. e0 32 3a 0a 49 06 24 5c c2 d3 ac 62 91 95 e4 79
B. e7 c8 37 6d 8d d5 4e a9 6c 56 f4 ea 65 7a ae 08
C. ba 78 25 2e 1c a6 b4 c6 e8 dd 74 1f 4b bd 8b 8a
D. 70 3e b5 66 48 03 f6 0e 61 35 57 b9 86 c1 1d 9e
E. e1 f8 98 11 69 d9 8e 94 9b 1e 87 e9 ce 55 28 df
8c a1 89 0d bf e6 42 68 41 99 2d 0f b0 54 bb 16
F.
5.2.4.4 ShiftRows
For each row i, this layer rotates all cells to the left by i column positions, where i counts from 0 to
d-1. Namely,
Si′≤,,jS←+[]ij()idmodf or all 0 ij,.< d
5.2.4.5 MixColumnsSerial
Let A be the matrix that updates the last cell of the column vector with a linear combination of all of
the vector cells and then rotates the vector by one position towards the top. The MixColumnsSerial
layer will be composed of d applications of this matrix to the input column vector. More formally, let
T T
X = (x ,.,x ) be an input column vector of MixColumnsSerial and Y = (y ,.,y ) be the corresponding
0 d-1 0 d-1
d
output. Then, Y = A × X, where A is a (d × d) matrix of the form:
01 00 . 00 00
00 10 . 00 00
... ...
A = 00 00 . 0100
00 00 . 00 10
00 00 . 00 01
Z ZZZ . ZZ ZZ
01 23 dd−−43 dd−−21
where coefficients (Z ,.,Z ) can be chosen freely. Such a matrix is denoted by Serial (Z ,.,Z ). Of
0 d-1 0 d-1
d
course, the final matrix A should be maximum distance separable (MDS), so as to maintain, as much
diffusion as for the AES initial design strategy.
8 © ISO/IEC 2016 – All rights reserved
---------------------- Page: 13 ----------------------
ISO/IEC 29192-5:2016(E)
The final mixing layer is applied to each of the columns of the internal state independently. For each
T
column j, an input vector (S[0,j],.,S[d-1,j]) , the matrix A = Serial(Z ,.,Z ) is applied d times. That is:
t 0 d-1
T T
d
Sj′′01,,.,Sd −←,,jA ×−Sj01,.,Sd , j fora 0ll ≤
() ()
t
where the coefficients (Z ,.,Z ) are given in Table 1. For PHOTON-100, PHOTON-144, PHOTON-196, and
0 d-1
4 8 4 3
PHOTON-256, the irreducible polynomial used is x + x + 1, while for PHOTON-288 it is x + x + x + x + 1.
Figure 2 to Figure 6 show the MixColumnsSerial matrices used for the PHOTON variants.
Figure 2 — MixColumnsSerial matrix for PHOTON-100
Figure 3 — MixColumnsSerial matrix for PHOTON-144
Figure 4 — MixColumnsSerial matrix for PHOTON-196
Figure 5 — MixColumnsSerial matrix for PHOTON-256
© ISO/IEC 2016 – All rights reserved 9
---------------------- Page: 14 ----------------------
ISO/IEC 29192-5:2016(E)
Figure 6 — MixColumnsSerial matrix for PHOTON-288
5.3 SPONGENT
5.3.1 General
[6]
In order to cover a wide spectrum of applications, five different variants of SPONGENT are specified.
Each variant will be defined by its internal permutation size t = c + r, where c and r denote the capacity
and the bitrate, respectively. For a fixed permutation size, t, the choice of c and r provides a security-
efficiency trade-off. SPONGENT-t denotes the variant using a t-bit internal permutation.
The five variants are the following.
a) SPONGENT-88 computes an 88-bit hash-code and offers 80-bit preimage resistance, 40-bit second
preimage resistance, and 40-bit collision resistance.
b) SPONGENT-136 computes a 128-bit hash-code and offers 120-bit preimage resistance, 64-bit
second preimage resistance, and 64-bit collision resistance.
c) SPONGENT-176 computes a 160-bit hash-code and offers 144-bit preimage resistance, 80-bit second
preimage resistance, and 80-bit collision
...
DRAFT INTERNATIONAL STANDARD
ISO/IEC DIS 29192-5
ISO/IEC JTC 1/SC 27 Secretariat: DIN
Voting begins on: Voting terminates on:
2015-07-27 2015-10-27
Information technology — Security techniques —
Lightweight cryptography —
Part 5:
Hash-functions
Technologies de l’information — Techniques de sécurité — Cryptographie pour environnements
contraints —
Partie 5: Fonctions de hachage
ICS: 35.040
THIS DOCUMENT IS A DRAFT CIRCULATED
FOR COMMENT AND APPROVAL. IT IS
THEREFORE SUBJECT TO CHANGE AND MAY
NOT BE REFERRED TO AS AN INTERNATIONAL
STANDARD UNTIL PUBLISHED AS SUCH.
IN ADDITION TO THEIR EVALUATION AS
BEING ACCEPTABLE FOR INDUSTRIAL,
TECHNOLOGICAL, COMMERCIAL AND
USER PURPOSES, DRAFT INTERNATIONAL
STANDARDS MAY ON OCCASION HAVE TO
BE CONSIDERED IN THE LIGHT OF THEIR
POTENTIAL TO BECOME STANDARDS TO
WHICH REFERENCE MAY BE MADE IN
Reference number
NATIONAL REGULATIONS.
ISO/IEC DIS 29192-5:2015(E)
RECIPIENTS OF THIS DRAFT ARE INVITED
TO SUBMIT, WITH THEIR COMMENTS,
NOTIFICATION OF ANY RELEVANT PATENT
RIGHTS OF WHICH THEY ARE AWARE AND TO
©
PROVIDE SUPPORTING DOCUMENTATION. ISO/IEC 2015
---------------------- Page: 1 ----------------------
ISO/IEC DIS 29192-5:2015(E)
COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2015
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form
or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior
written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of
the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
ii © ISO/IEC 2015 – All rights reserved
---------------------- Page: 2 ----------------------
ISO/IEC DIS 29192-5
Contents Page
Foreword . iv
Introduction . v
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Symbols . 2
5 Lightweight hash-functions optimized for hardware implementations . 3
5.1 PHOTON . 3
5.1.1 General . 3
5.1.2 PHOTON specific notation . 3
5.1.3 The domain extension algorithm . 4
5.1.4 The internal permutation . 4
5.2 SPONGENT . 10
5.2.1 General . 10
5.2.2 SPONGENT specific notation . 11
5.2.3 The domain extension algorithm . 11
5.2.4 The internal permutation . 11
6 Lightweight hash-functions optimized for software implementations . 13
6.1 Lesamnta-LW . 13
6.1.1 Message Padding . 13
6.1.2 Lesamnta-LW specific notation . 13
6.1.3 Compression Function and Domain Extension . 14
6.1.4 Block Cipher . 14
Annex A (normative) Object identifiers . 17
Annex B (informative) Numerical examples . 19
B.1 PHOTON numerical examples . 19
B.1.1 PHOTON-100 . 19
B.1.2 PHOTON-144 . 19
B.1.3 PHOTON-196 . 20
B.1.4 PHOTON-256 . 20
B.1.5 PHOTON-288 . 20
B.2 SPONGENT numerical examples . 21
B.2.1 SPONGENT-88 . 21
B.2.2 SPONGENT-136 . 21
B.2.3 SPONGENT-176 . 21
B.2.4 SPONGENT-240 . 21
B.2.5 SPONGENT-272 . 21
B.3 Lesamnta-LW numerical examples . 21
Annex C (informative) Feature tables . 22
Bibliography . 24
© ISO/IEC 2015 – All rights reserved iii
---------------------- Page: 3 ----------------------
ISO/IEC DIS 29192-5
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are members of
ISO or IEC participate in the development of International Standards through technical committees
established by the respective organization to deal with particular fields of technical activity. ISO and IEC
technical committees collaborate in fields of mutual interest. Other international organizations, governmental
and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information
technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of the joint technical committee is to prepare International Standards. Draft International
Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as
an International Standard requires approval by at least 75 % of the national bodies casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.
ISO/IEC 29192-5 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, Security techniques.
ISO/IEC 29192 consists of the following parts, under the general title Information technology — Security
techniques — Lightweight cryptography:
Part 1: General
Part 2: Block ciphers
Part 3: Stream ciphers
Part 4: Mechanisms using asymmetric techniques
Part 5: Hash-functions
Further parts may follow.
iv © ISO/IEC 2015 – All rights reserved
---------------------- Page: 4 ----------------------
ISO/IEC DIS 29192-5
Introduction
This part of ISO/IEC 29192 specifies lightweight hash-functions, which are tailored for implementation in
constrained environments.
ISO/IEC 29192-1 specifies the requirements for lightweight cryptography.
A hash-function maps an arbitrary string of bits to a fixed-length string of bits.
The International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC)
draw attention to the fact that it is claimed that compliance with this part of ISO/IEC 18033 may involve the
use of patents. The ISO and IEC take no position concerning the evidence, validity, and scope of these patent
rights.
The holders of these patent rights have assured the ISO and IEC that they are willing to negotiate licences
under reasonable and non-discriminatory terms and conditions with applicants throughout the world.
In this respect, the statements of the holders of these patent rights are registered with the ISO and IEC.
Information may be obtained from the following:
Patent holder name:
Postal address:
Patent holder name:
Postal address:
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights other than those identified above. ISO and IEC shall not be held responsible for identifying any or all
such patent rights.
ISO (www.iso.org/patents) and IEC (http://patents.iec.ch) maintain on-line databases of patents relevant to
their standards. Users are encouraged to consult the databases for the most up to date information
concerning patents.
© ISO/IEC 2015 – All rights reserved v
---------------------- Page: 5 ----------------------
DRAFT INTERNATIONAL STANDARD ISO/IEC DIS 29192-5
Information technology — Security techniques — Lightweight
cryptography — Part 5: Hash-functions
1 Scope
This part of ISO/IEC 29192 specifies three hash-functions suitable for applications requiring lightweight
cryptographic implementations:
PHOTON: a lightweight hash-function with permutation sizes of 100, 144, 196, 256 and 288 bits
computing hash-codes of length 80, 128, 160, 224, and 256 bits, respectively.
SPONGENT: a lightweight hash-function with permutation sizes of 88, 136, 176, 240 and 272 bits
computing hash-codes of length 88, 128, 160, 224, and 256 bits, respectively.
Lesamnta-LW: a lightweight hash-function with permutation size 384 bits computing a hash-code of
length 256 bits.
ISO/IEC 29192-1 shall be referred for the requirements for lightweight cryptography.
2 Normative references
The following referenced document is indispensable for the application of this document. For dated references,
only the edition cited applies. For undated references, the latest edition of the referenced document (including
any amendments) applies.
ISO/IEC 29192-1, Information technology — Security techniques — Lightweight Cryptography — Part 1:
General
3 Terms and definitions
For the purpose of this document, the following terms and definitions apply.
3.1
absorbing phase
input phase of a sponge function
[SOURCE: [4]]
3.2
bitrate
part of the internal state of a sponge function of length r bits
[SOURCE: [4]]
3.3
capacity
part of the internal state of a sponge function of length c bits
[SOURCE: [4]]
© ISO/IEC 2015 – All rights reserved 1
---------------------- Page: 6 ----------------------
ISO/IEC DIS 29192-5
3.4
hash-code
string of bits which is the output of a hash-function
Note 1 to entry: The literature on this subject contains a variety of terms that have the same or similar meaning as
hash-code. Modification Detection Code, Manipulation Detection Code, digest, hash-result, hash-value and imprint are
some examples.
[SOURCE: ISO/IEC 10118-1:2000, definition 3.4]
3.5
hash-function
function which maps strings of bits to fixed-length strings of bits, satisfying the following two properties:
it is computationally infeasible to find for a given output, an input which maps to this output;
it is computationally infeasible to find for a given input, a second input which maps to the same output
Note 1 to entry: Computational feasibility depends on the specific security requirements and environment.
[SOURCE: ISO/IEC 10118-1:2000, definition 3.5]
3.6
initializing value
value used in defining the starting point of a hash-function
[SOURCE: ISO/IEC 10118-1:2000, definition 3.7]
3.7
sponge function
mode of operation, based on a fixed-length permutation (or transformation) and a padding rule, which builds a
function mapping variable-length input to variable-length output
[SOURCE: [4]]
3.8
squeezing phase
output phase of a sponge function
[SOURCE: [4]]
4 Symbols
0x A prefix indicating a binary string in hexadecimal notation
|| Concatenation of bit strings
a ← b Set variable a to the value of b
⊕
Bitwise exclusive-OR operation
c Length of the capacity in bits
hash n-bit hash-code
IV t-bit initialization value
m Message block i of r bits
i
2 © ISO/IEC 2015 – All rights reserved
---------------------- Page: 7 ----------------------
ISO/IEC DIS 29192-5
n Length of the hash code in bits
r Length of the bitrate in bits
S t-bit internal state at iteration i
i
t Length of the internal state in bits
5 Lightweight hash-functions optimized for hardware implementations
5.1 PHOTON
5.1.1 General
In order to cover a wide spectrum of applications, five different variants of PHOTON [5] are specified. Each
variant is defined by its internal permutation size t=c+r, where c and r denote the capacity and the bitrate,
respectively. For a fixed permutation size t, the choice of c and r provides a security-efficiency trade-off. We
denote PHOTON-t the variant using a t-bit internal permutation. <- Tatsuta: "we" should not be used.
The five variants are:
a) PHOTON-100 computes an 80-bit hash-code and offers 64-bit preimage, 40-bit 2nd-preimage, and
40-bit collision security
b) PHOTON-144 computes a 128-bit hash-code and offers 112-bit preimage, 64-bit 2nd-preimage, and
64-bit collision security
c) PHOTON-196 computes a 160-bit hash-code and offers 124-bit preimage, 80-bit 2nd-preimage, and
80-bit collision security
d) PHOTON-256 computes a 224-bit hash-code and offers 192-bit preimage, 112-bit 2nd-preimage, and
112-bit collision security
e) PHOTON-288 computes a 256-bit hash-code and offers 224-bit preimage, 128-bit 2nd-preimage, and
128-bit collision security
NOTE The first proposal is special in the sense that it is designed for the specific cases where 64-bit preimage
security is considered to be sufficient. In contrary, the last proposal provides a high security level of 128-bit collision
resistance, thus making it suitable for generic applications.
5.1.2 PHOTON specific notation
P Internal permutation, where
t ∈ {100,144,196,256,288}
t
z The r' leftmost bits of the internal state S
i
c’ Length of the capacity in bits during the squeezing phase of PHOTON
d Number of rows and columns of the internal state matrix
r’ Length oft he bitrate in bits during the squeezing phase of PHOTON
S[i,j] The s-bit internal state cell located at row i and column j, with
0 ≤ i, j < d
RC(v) Round constant of round v
IC (i) Internal constants of row i
d
© ISO/IEC 2015 – All rights reserved 3
---------------------- Page: 8 ----------------------
ISO/IEC DIS 29192-5
X 3-bit or 4-bit internal state of a shift register to generate the round constants RC(v) or the internal
r
constants IC (i)
d
FB() Feedback function to update the internal state of a shift register
SBOX The 4-bit substitution table (S-box) also used in the block cipher PRESENT [1]
PRE
SBOX The 8-bit substitution table (S-box) also used in the Advanced Encryption Algorithm [2]
AES
5.1.3 The domain extension algorithm
The message M to hash is first padded by appending a “1” bit and as many zeros (possibly none) such that
the total length is a multiple of the bitrate r and we can finally obtain l message blocks m ,…, m of r bits each.
0 l-1
t-24
The t-bit internal state S is initialized by setting it to the value S =IV= {0} ||n/4||r||r', where each value is
0
coded on 8 bits. <- Tatsuta: "we" should not be used.
NOTE For implementation purposes, each byte is interpreted in big-endian form, that is, the leftmost bit is the most
significant bit.
Then, as for the classical sponge strategy, at iteration i we absorb the message block m on the leftmost part
i
of the internal state S and then apply the permutation P , i.e. <- Tatsuta: "we" should not be used.
i t
c
S ← P (S ⊕ (m||{0} )).
i+1 t i i
Once all l message blocks have been absorbed, we build the hash value by concatenating the successive r'-
bit output blocks z until we reach the appropriate output size n: <- Tatsuta: "we" should not be used.
i
hash = z ||…||z
0 l'-1
with the rightmost bits truncated if necessary to produce an n-bit hash. More precisely, z are the r' leftmost
i
bits of the internal state S and we have S ← P (S ) for 0 ≤ i < l', where l' denotes the number of
l+i l+i+1 t l+i
squeezing iterations, that is l' = n / r' −1. If the hash output size is not a multiple of r', one just truncates z
l'-1
to n mod r' bits. <- Tatsuta: "we" should not be used.
5.1.4 The internal permutation
5.1.4.1 General
2
The internal permutations P , where are applied to an internal state of d
t ∈{100,144,196,256,288},
t
elements of s bits each, which can be represented as a (d x d) matrix. P is composed of N rounds, each
t r
containing four layers as depicted in Figure 1:
a) AddConstants (AC),
b) SubCells (SC),
c) ShiftRows (ShR),
d) MixColumnsSerial (MCS).
Table 1 shows an overview of the parameters of the different variants of PHOTON.
4 © ISO/IEC 2015 – All rights reserved
---------------------- Page: 9 ----------------------
ISO/IEC DIS 29192-5
Table 1 — Overview of parameters of PHOTON
Variant t d s N IC (.) Irr. polynomial Z coefficients
r d i
4
PHOTON-100 100 5 4 12 [0, 1, 3, 6, 4] x +x+1 (1, 2, 9, 9, 2)
4
PHOTON-144 144 6 4 12 [0,1, 3, 7, 6, 4] x +x+1 (1, 2, 8, 5, 8, 2)
4
PHOTON-196 196 7 4 12 [0,1, 2, 5, 3, 6, 4] x +x+1 (1, 4, 6, 1, 1, 6, 4)
4
PHOTON-256 256 8 4 12 [0,1, 3, 7, 15, 14, 12, 8] x +x+1 (2, 4, 2, 11, 2, 8, 5, 6)
8 4 3
PHOTON-288 288 6 8 12 [0, 1, 3, 7, 6, 4] x +x +x +x+1 (2, 3, 1, 2, 1, 4)
NOTE Always a cell size of 4 bits is used, except for the largest version for which 8-bit cells are used, and that the
number of rounds is always N = 12 for all values of t. The internal state cell located at row i and column j is denoted S[i,j]
r
with
0 ≤ i, j < d.
Informally, AddConstants simply consists in adding fixed values to the cells of the internal state, while
SubCells applies an s-bit S-box to each of them. ShiftRows rotates the position of the cells in each of the rows
and MixColumnsSerial linearly mixes all the columns independently.
Figure 1 — One round of a PHOTON permutation.
5.1.4.2 AddConstants
At round number v (start the counting from 1), first a round constant RC(v) is XORed to each cell S[i,0] of the
first column of the internal state. Then, distinct internal constants IC (i) are XORed to each cell S[i,0] of the
d
same first column. Overall, for round v we have <- Tatsuta: "we" should not be used.
S'[i,0] ← S[i,0] ⊕ RC(v) ⊕ IC (i) for all 0 ≤ i < d.
d
The round constants RC(v) have been generated by a 4-bit linear feedback shift register with maximum cycle
length, they are
RC(v) = [1, 3, 7, 14, 13, 11, 6, 12, 9, 2, 5, 10].
© ISO/IEC 2015 – All rights reserved 5
---------------------- Page: 10 ----------------------
ISO/IEC DIS 29192-5
The internal constants IC (i) depend on the square size d and on the row position i and they have been
d
generated by shift registers with a cycle length of d. For all variants we used shift registers with l = 3 bits,
except for d = 8, where we used l = 4. The internal state of the shift register is denoted with X = (x , ., x , x ),
r l−1 1 0
where each x = {0,1}, and the state is initialized with all 0's, that is X = (0, . . . , 0, 0). Then in each update
i 0
iteration the new content of the shift register is given by X ← (x , ., x , FB(X )), where FB(X ) is the
r+1 l−2 0 r r
feedback function. For the round constants we chose FB(X ) = x XNOR x , while our choices for the feedback
r 3 2
functions for the internal constants are shown in Table 2. Constants for all square sizes, round numbers, and
row positions are displayed in Tables Table 3Table 6. <- Tatsuta: "we" should not be used.
Table 2 — Feedback functions for internal constants generation.
d 5 6 7 8
FB(X ) x NOR x NOT x x XNOR x NOT x
r 2 1 1 2 1 3
IC (.) [0, 1, 3, 6, 4] [0, 1, 3, 7, 6, 4] [0, 1, 2, 5, 3, 6, 4] [0, 1, 3, 7, 15, 14, 12, 8]
d
Table 3 — Constants for d = 5.
Round
1 2 3 4 5 6 7 8 9 10 11 12
Row
0 1 3 7 14 13 11 6 12 9 2 5 10
1 0 2 6 15 12 10 7 13 8 3 4 11
2 2 0 4 13 14 8 5 15 10 1 6 9
3 7 5 1 8 11 13 0 10 15 4 3 12
4 5 7 3 10 9 15 2 8 13 6 1 14
Table 4 — Constants for d = 6.
Round
1 2 3 4 5 6 7 8 9 10 11 12
Row
0 1 3 7 14 13 11 6 12 9 2 5 10
1 0 2 6 15 12 10 7 13 8 3 4 11
2 2 0 4 13 14 8 5 15 10 1 6 9
3 6 4 0 9 10 12 1 11 14 5 2 13
4 7 5 1 8 11 13 0 10 15 4 3 12
5 5 7 3 10 9 15 2 8 13 6 1 14
6 © ISO/IEC 2015 – All rights reserved
---------------------- Page: 11 ----------------------
ISO/IEC DIS 29192-5
Table 5 — Constants for d = 7.
Round
1 2 3 4 5 6 7 8 9 10 11 12
Row
0 1 3 7 14 13 11 6 12 9 2 5 10
1 0 2 6 15 12 10 7 13 8 3 4 11
2 3 1 5 12 15 9 4 14 11 0 7 8
3 4 6 2 11 8 14 3 9 12 7 0 15
4 2 0 4 13 14 8 5 15 10 1 6 9
5 7 5 1 8 11 13 0 10 15 4 3 12
6 5 7 3 10 9 15 2 8 13 6 1 14
Table 6 — Constants for d = 8.
Round
1 2 3 4 5 6 7 8 9 10 11 12
Row
0 1 3 7 14 13 11 6 12 9 2 5 10
1 0 2 6 15 12 10 7 13 8 3 4 11
2 2 0 4 13 14 8 5 15 10 1 6 9
3 6 4 0 9 10 12 1 11 14 5 2 13
4 14 12 8 1 2 4 9 3 6 13 10 5
5 15 13 9 0 3 5 8 2 7 12 11 4
6 13 15 11 2 1 7 10 0 5 14 9 6
7 9 11 15 6 5 3 14 4 1 10 13 2
5.1.4.3 SubCells
This layer simply applies an s-bit S-box to each of the cells of the internal state, i.e.
© ISO/IEC 2015 – All rights reserved 7
---------------------- Page: 12 ----------------------
ISO/IEC DIS 29192-5
S'[i,j] ← SBOX(S[i,j]) for all 0 ≤ i, j < d.
For PHOTON-100, PHOTON-144, PHOTO-196, and PHOTON-256, the PRESENT S-box SBOX [1] is
PRE
used, while for PHOTON-288 the AES S-box SBOX [2] is used. Table 7 and Table 8 show the output
AES
values of SBOX and SBOX , respectively. In these tables all values are expressed in a hexadecimal
PRE AES
notation. For an 8-bit input of an S-box, the upper 4 bits indicate a row and the lower 4 bits indicate a column.
For example, if a value 0xAB is input, 0xAC is output by SBOX , because it is on the cross line of the row
AES
indexed by 'A.' and the column indexed by '.B'.
Table 7 — The PRESENT S-box look-up table.
0 1 2 3 4 5 6 7 8 9 A B C D E F
x
S(x)
C 5 6 B 9 0 A D 3 E F 8 4 7 1 2
Table 8 — The AES S-box look-up table.
.0 .1 .2 .3 .4 .5 .6 .7 .8 .9 .A .B .C .D .E .F
0. 63 7C 77 7B F2 6B 6F C5 30 01 67 2B FE D7 AB 76
1. CA 82 C9 7D FA 59 47 F0 AD D4 A2 AF 9C A4 72 C0
2. B7 FD 93 26 36 3F F7 CC 34 A5 E5 F1 71 D8 31 15
3.
04 C7 23 C3 18 96 05 9A 07 12 80 E2 EB 27 B2 75
4. 09 83 2C 1A 1B 6E 5A A0 52 3B D6 B3 29 E3 2F 84
5.
53 D1 00 ED 20 FC B1 5B 6A CB BE 39 4A 4C 58 CF
6. D0 EF AA FB 43 4D 33 85 45 F9 02 7F 50 3C 9F A8
7. 51 A3 40 8F 92 9D 38 F5 BC B6 DA 21 10 FF F3 D2
8. CD 0C 13 EC 5F 97 44 17 C4 A7 7E 3D 64 5D 19 73
9. 60 81 4F DC 22 2A 90 88 46 EE B8 14 DE 5E 0B DB
A. E0 32 3A 0A 49 06 24 5C C2 D3 AC 62 91 95 E4 79
B. E7 C8 37 6D 8D D5 4E A9 6C 56 F4 EA 65 7A AE 08
C. BA 78 25 2E 1C A6 B4 C6 E8 DD 74 1F 4B BD 8B 8A
D. 70 3E B5 66 48 03 F6 0E 61 35 57 B9 86 C1 1D 9E
E. E1 F8 98 11 69 D9 8E 94 9B 1E 87 E9 CE 55 28 DF
F.
8C A1 89 0D BF E6 42 68 41 99 2D 0F B0 54 BB 16
5.1.4.4 ShiftRows
For each row i this layer rotates all cells to the left by i column positions, where i counts from 0 to d-1. Namely,
S'[i,j] ← S[i,(j+i) mod d] for all 0 ≤ i, j < d.
8 © ISO/IEC 2015 – All rights reserved
---------------------- Page: 13 ----------------------
ISO/IEC DIS 29192-5
5.1.4.5 MixColumnsSerial
Let A be the matrix that updates the last cell of the column vector with a linear combination of all of the vector
cells and then rotates the vector by one position towards the top. The MixColumnsSerial layer will be
T
composed of d applications of this matrix to the input column vector. More formally, let X=(x ,.,x ) be an
0 d-1
T
input column vector of MixColumnsSerial and Y=(y ,.,y ) be the corresponding output. Then, we have Y=
0 d-1
d
A x X, where A is a (d x d) matrix of the form: <- Tatsuta: "we" should not be used.
0 1 0 0 . 0 0 0 0
0 0 1 0 . 0 0 0 0
... ...
A = 0 0 0 0 . 0 1 0 0
0 0 0 0 . 0 0 1 0
0 0 0 0 . 0 0 0 1
Z Z Z Z . Z Z Z Z
0 1 2 3 d−4 d−3 d−2 d−1
where coefficients (Z ,.,Z ) can be chosen freely. We denote by Serial(Z ,.,Z ) such a matrix. Of course,
0 d-1 0 d-1
d
we would like the final matrix A to be Maximum Distance Separable (MDS), so as to maintain as much
diffusion as for the AES initial design strategy. <- Tatsuta: "we" should not be used.
The final mixing layer is applied to each of the columns of the internal state independently. For each column j
T
an input vector (S[0,j],.,S[d-1,j]) , the matrix A = Serial(Z ,.,Z ) is applied d times. That is:
t 0 d-1
T d T
(S'[0,j],.,S'[d-1,j]) ← A x (S[0,j],.,S[d-1,j]) for all
0 ≤ j < d,
t
where the coefficients (Z ,.,Z ) are given in Table 1. For PHOTON-100, PHOTON-144, PHOTON-196, and
0 d-1
4 8 4 3
PHOTON-256, the irreducible polynomial used is x +x+1, while for PHOTON-288 it is x +x +x +x+1. Figure 2
to Figure 6 show the MixColumnsSerial matrices used for the PHOTON variants.
5
0 1 0 0 0 1 2 9 9 2
0 0 1 0 0 2 5 3 8 13
5
(A ) = 0 0 0 1 0 = 13 11 10 12 1
100
0 0 0 0 1 1 15 2 3 14
1 2 9 9 2 14 14 8 5 12
Figure 2 — MixColumnsSerial matrix for PHOTON-100
6
0 1 0 0 0 0 1 2 8 5 8 2
0 0 1 0 0 0 2 5 1 2 6 12
0 0 0 1 0 0 12 9 15 8 8 13
6
(A ) = =
144
0 0 0 0 1 0 13 5 11 3 10 1
0 0 0 0 0 1 1 15 13 14 11 8
1 2 8 5 8 2 8 2 3 3 2 8
Figure 3 — MixColumnsSerial matrix for PHOTON-144
© ISO/IEC 2015 – All rights reserved 9
---------------------- Page: 14 ----------------------
ISO/IEC DIS 29192-5
7
0 1 0 0 0 0 0 1 4 6 1 1 6 4
0 0 1 0 0 0 0 4 2 15 2 5 10 5
0 0 0 1 0 0 0 5 3 15 10 7 8 13
7
(A ) = =
0 0 0 0 1 0 0 13 4 11 2 7 15 9
196
0 0 0 0 0 1 0 9 15 7 2 11 4 13
0 0 0 0 0 0 1 13 8 7 10 15 3 5
1 4 6 1 1 6 4 5 10 5 2 15 2 4
Figure 4 — MixColumnsSerial matrix for PHOTON-196
8
0 1 0 0 0 0 0 0 2 4 2 11 2 8 5 6
0 0 1 0 0 0 0 0 12 9 8 13 7 7 5 2
0 0 0 1 0 0 0 0 4 4 13 13 9 4 13 9
0 0 0 0 1 0 0 0 1 6 5 1 12 13 15 14
8
(A ) = =
256
0 0 0 0 0 1 0 0 15 12 9 13 14 5 14 13
0 0 0 0 0 0 1 0 9 14 5 15 4 12 9 6
0 0 0 0 0 0 0 1 12 2 2 10 3 1 1 14
2 4 2 11 2 8 5 6 15 1 13 10 5 10 2 3
Figure 5 — MixColumnsSerial matrix for PHOTON-256
6
0 1 0 0 0 0 2 3 1 2 1 4
0 0 1 0 0 0 8 14 7 9 6 17
0 0 0 1 0 0 34 59 31 37 24 66
6
(A ) = =
288
0 0 0 0 1 0 132 228 121 155 103 11
0 0 0 0 0 1 22 153 239 111 144 75
2 3 1 2 1 4 150 203 210 121 36 167
Figure 6 — MixColumnsSerial matrix for PHOTON-288
5.2 SPONGENT
5.2.1 General
In order to cover a wide spectrum of app
...
Questions, Comments and Discussion
Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.