Conference: International conference on swarm intelligence; ICSI 2010

On the Strength Evaluation of Lesamnta against Differential Cryptanalysis


Abstract

We focus on the cryptographic hash algorithm Lesamnta-256. Lesamnta-256 consists of the Merkle-Damgård iteration of a compression function and an output function. The compression function consists of a mixing function and a key scheduling function. The mixing function consists of 32 rounds of a four-way generalized Feistel structure. In each round there is a nonlinear function F with 64-bit input/output, which consists of 4 steps of an AES-type SPN (Substitution Permutation Network) structure. A subkey is XORed only at the first step of the SPN. The designers analyzed its security by assuming that the subkey is XORed at every step of the SPN. Such an independent subkey assumption is also applied to the analysis of other SHA-3 candidates, e.g. Grøstl, LANE, Luffa. However, we analyze the security of these components of Lesamnta as is. We show that the 2 steps of SPN referred to as XS have the maximum differential probability $2^{-11.415}$. This probability is greater than both the differential characteristic probability $2^{-18}$ and the differential probability $2^{-12}$ derived under the independent subkey assumption. On the strength of the whole compression function, we show that there are at least 15 active F functions in the mixing function under 64-bit truncated analysis. As the input bit length of the mixing function is 256, we can say that it is secure against differential attack if the maximum differential probability of the F function is less than $2^{-256/15} \approx 2^{-17.067}$. We also show that the key scheduling function is secure against differential cryptanalysis.