1、BS ISO/IEC 29192-5:2016 Information technology Security techniques Lightweight cryptography Part 5: Hash-functions BSI Standards Publication WB11885_BSI_StandardCovs_2013_AW.indd 1 15/05/2013 15:06BS ISO/IEC 29192-5:2016 BRITISH STANDARD National foreword This British Standard is the UK implementati
2、on of ISO/IEC 29192-5:2016. The UK participation in its preparation was entrusted to Technical Committee IST/33/2, Cryptography and Security Mechanisms. A list of organizations represented on this committee can be obtained on request to its secretary. This publication does not purport to include all
3、 the necessary provisions of a contract. Users are responsible for its correct application. The British Standards Institution 2016. Published by BSI Standards Limited 2016 ISBN 978 0 580 87701 8 ICS 35.040 Compliance with a British Standard cannot confer immunity from legal obligations. This British
4、 Standard was published under the authority of the Standards Policy and Strategy Committee on 31 July 2016. Amendments issued since publication Date Text affectedBS ISO/IEC 29192-5:2016 Information technology Security techniques Lightweight cryptography Part 5: Hash-functions Technologies de linform
5、ation Techniques de scurit Cryptographie pour environnements contraints Partie 5: Fonctions de hachage INTERNATIONAL STANDARD ISO/IEC 29192-5 Reference number ISO/IEC 29192-5:2016(E) First edition 2016-08-01 ISO/IEC 2016 BS ISO/IEC 29192-5:2016ii ISO/IEC 2016 All rights reserved COPYRIGHT PROTECTED
6、DOCUMENT ISO/IEC 2016, Published in Switzerland All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior
7、 written permission. Permission can be requested from either ISO at the address below or ISOs member body in the country of the requester. ISO copyright office Ch. de Blandonnet 8 CP 401 CH-1214 Vernier, Geneva, Switzerland Tel. +41 22 749 01 11 Fax +41 22 749 09 47 copyrightiso.org www.iso.org ISO/
8、IEC 29192-5:2016(E)BS ISO/IEC 29192-5:2016ISO/IEC 29192-5:2016(E)Foreword iv Introduction v 1 Scope . 1 2 Normative references 1 3 T erms and definitions . 1 4 Symbols 3 5 Lightweight hash-functions optimized for hardware implementations 3 5.1 General . 3 5.2 PHOTON 3 5.2.1 General 3 5.2.2 PHOTON sp
9、ecific notation . 4 5.2.3 Domain extension algorithm . 4 5.2.4 Internal permutation . 5 5.3 SPONGENT .10 5.3.1 General.10 5.3.2 SPONGENT specific notation 10 5.3.3 Domain extension algorithm 10 5.3.4 Internal permutation 11 6 Lightweight hash-functions optimized for software implementations 12 6.1 G
10、eneral 12 6.2 Lesamnta-LW .13 6.2.1 General.13 6.2.2 Message padding 13 6.2.3 Lesamnta-LW specific notation 13 6.2.4 Compression function and domain extension .13 6.2.5 Block cipher 14 Annex A (normative) Object identifiers .17 Annex B (informative) Numerical examples 19 Annex C (informative) Featur
11、e tables .23 Bibliography .26 ISO/IEC 2016 All rights reserved iii Contents PageBS ISO/IEC 29192-5:2016ISO/IEC 29192-5:2016(E) Foreword ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardi
12、zation. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mut
13、ual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1. The procedures used to develop this document a
14、nd those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the different types of document should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2
15、(see www.iso.org/directives). Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development
16、of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents). Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement. For an explanation on the meaning of ISO specif
17、ic terms and expressions related to conformity assessment, as well as information about ISOs adherence to the WTO principles in the Technical Barriers to Trade (TBT) see the following URL: Foreword - Supplementary information The committee responsible for this document is ISO/IEC JTC 1, Information
18、technology, SC 27, IT Security techniques. ISO/IEC 29192 consists of the following parts, under the general title Information technology Security techniques Lightweight cryptography: Part 1: General Part 2: Block ciphers Part 3: Stream ciphers Part 4: Mechanisms using asymmetric techniques Part 5: H
19、ash-functions Further parts may follow.iv ISO/IEC 2016 All rights reservedBS ISO/IEC 29192-5:2016ISO/IEC 29192-5:2016(E) Introduction This part of ISO/IEC 29192 specifies lightweight hash-functions, which are tailored for implementation in constrained environments. ISO/IEC 29192-1 specifies the requ
20、irements for lightweight cryptography. A hash-function maps an arbitrary string of bits to a fixed-length string of bits. The International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) draw attention to the fact that it is claimed that compliance with th
21、is part of ISO/IEC 29192 may involve the use of patents. The ISO and IEC take no position concerning the evidence, validity and scope of these patent rights. The holders of these patent rights have assured the ISO and IEC that they are willing to negotiate licences under reasonable and non-discrimin
22、atory terms and conditions with applicants throughout the world. In this respect, the statements of the holders of these patent rights are registered with the ISO and IEC. Information may be obtained from the following: Nanyang Technological University - NTUitive Pte Ltd 16 Nanyang Drive, #01-109, I
23、nnovation Centre, Singapore 637722 Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights other than those identified above. ISO and IEC shall not be held responsible for identifying any or all such patent rights. ISO (www.iso.org/patents
24、) and IEC (http:/ /patents.iec.ch) maintain on-line databases of patents relevant to their standards. Users are encouraged to consult the databases for the most up to date information concerning patents. ISO/IEC 2016 All rights reserved vBS ISO/IEC 29192-5:2016BS ISO/IEC 29192-5:2016Information tech
25、nology Security techniques Lightweight cryptography Part 5: Hash-functions 1 Scope This part of ISO/IEC 29192 specifies three hash-functions suitable for applications requiring lightweight cryptographic implementations. PHOTON: a lightweight hash-function with permutation sizes of 100, 144, 196, 256
26、 and 288 bits computing hash-codes of length 80, 128, 160, 224, and 256 bits, respectively. SPONGENT: a lightweight hash-function with permutation sizes of 88, 136, 176, 240 and 272 bits computing hash-codes of length 88, 128, 160, 224, and 256 bits, respectively. Lesamnta-LW: a lightweight hash-fun
27、ction with permutation size 384 bits computing a hash-code of length 256 bits. The requirements for lightweight cryptography are given in ISO/IEC 29192-1. 2 Normative references The following documents, in whole or in part, are normatively referenced in this document and are indispensable for its ap
28、plication. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies. ISO/IEC 29192-1, Information technology Security techniques Lightweight cryptography Part 1: General 3 T erms a nd definiti ons F
29、or the purposes of this document, the following terms and definitions apply. 3.1 absorbing phase input phase of a sponge function SOURCE: 4 3.2 bitrate part of the internal state of a sponge function of length r bits SOURCE: 4 3.3 capacity part of the internal state of a sponge function of length c
30、bits SOURCE: 4 INTERNATIONAL ST ANDARD ISO/IEC 29192-5:2016(E) ISO/IEC 2016 All rights reserved 1BS ISO/IEC 29192-5:2016ISO/IEC 29192-5:2016(E) 3.4 collision resistance computationally infeasible to find any two distinct inputs which map to the same output of a hash- function Note 1 to entry: Comput
31、ational feasibility depends on the specific security requirements and environment. 3.5 hash-code string of bits which is the output of a hash-function Note 1 to entry: The literature on this subject contains a variety of terms that have the same or similar meaning as hash-code. Modification Detectio
32、n Code, Manipulation Detection Code, digest, hash-result, hash-value and imprint are some examples. SOURCE: ISO/IEC 10118-1: 1) , 2.3 3.6 hash-function function which maps strings of bits to fixed-length strings of bits, satisfying the following two properties: it is computationally infeasible to fi
33、nd for a given output, an input which maps to this output; it is computationally infeasible to find for a given input, a second input which maps to the same output Note 1 to entry: Computational feasibility depends on the specific security requirements and environment. SOURCE: ISO/IEC 10118-1: 1) ,
34、2.4 3.7 initializing value value used in defining the starting point of a hash-function Note 1 to entry: The literature on this subject contains a variety of terms that have the same or similar meaning as initializing value. Initialization vector and starting value are examples. SOURCE: ISO/IEC 1011
35、8-1: 1) , 2.5 3.8 preimage resistance computationally infeasible to find for a given output of a hash-function, an input which maps to this output Note 1 to entry: Computational feasibility depends on the specific security requirements and environment. 3.9 second preimage resistance computationally
36、infeasible to find for a given input of a hash-function, a second input which maps to the same output Note 1 to entry: Computational feasibility depends on the specific security requirements and environment. 3.10 sponge function mode of operation, based on a fixed-length permutation (or transformati
37、on) and a padding rule, which builds a function mapping variable-length input to variable-length output SOURCE: 4 1) To be published. (Revision of ISO/IEC 10118-1:2000)2 ISO/IEC 2016 All rights reservedBS ISO/IEC 29192-5:2016ISO/IEC 29192-5:2016(E) 3.11 squeezing phase output phase of a sponge funct
38、ion SOURCE: 4 4 Symbols 0 c bit-string containing exactly c zeros 0x prefix indicating a binary string in hexadecimal notation | concatenation of bit strings a b set variable a to the value of b bitwise exclusive-OR operation c length of the capacity in bits hash n-bit hash-code IV t-bit initializat
39、ion value m i message block i of r bits n length of the hash code in bits r length of the bitrate in bits S i t-bit internal state at iteration i t length of the internal state in bits x the smallest integer greater than or equal to the real number x 5 Lightweight hash-functions optimized for hardwa
40、re implementations 5.1 General Clause 5 specifies PHOTON and SPONGENT hash-functions which are optimized for hardware implementations. ISO/IEC 29192-1 shall be referred to for the requirements for lightweight cryptography. 5.2 PHOTON 5.2.1 General In order to cover a wide spectrum of applications, f
41、ive different variants of PHOTON 5are specified. Each variant is defined by its internal permutation size t = c + r, where c and r denote the capacity and the bitrate, respectively. For a fixed permutation size t, the choice of c and r provides a security- efficiency trade-off. PHOTON-t denotes the
42、variant using a t-bit internal permutation. The five variants are the following: a) PHOTON-100 computes an 80-bit hash-code and offers 64-bit preimage resistance, 40-bit second preimage resistance, and 40-bit collision resistance. ISO/IEC 2016 All rights reserved 3BS ISO/IEC 29192-5:2016ISO/IEC 2919
43、2-5:2016(E) b) PHOTON-144 computes a 128-bit hash-code and offers 112-bit preimage resistance, 64-bit second preimage resistance, and 64-bit collision resistance. c) PHOTON-196 computes a 160-bit hash-code and offers 124-bit preimage resistance, 80-bit second preimage resistance, and 80-bit collisio
44、n resistance. d) PHOTON-256 computes a 224-bit hash-code and offers 192-bit preimage, 112-bit second preimage resistance, and 112-bit collision resistance. e) PHOTON-288 computes a 256-bit hash-code and offers 224-bit preimage, 128-bit second preimage resistance, and 128-bit collision resistance. PH
45、OTON-100 does not provide the minimum security strength as required in ISO/IEC 29192-1. It shall not be used as a general purpose hash function. PHOTON-144 does not provide the minimum security strength for collision resistance and second preimage resistance as required in ISO/IEC 29192-1. It shall
46、only be used in applications where collision resistance and second preimage resistance are not required. 5.2.2 PHO T ON specific notation P t internal permutation, where t z i the r leftmost bits of the internal state S c length of the capacity in bits during the squeezing phase of PHOTON d number o
47、f rows and columns of the internal state matrix r length of the bitrate in bits during the squeezing phase of PHOTON Si,j the s-bit internal state cell located at row i and column j, with 0 , RC(v) round constant of round v IC d (i) internal constants of row i X r 3-bit or 4-bit internal state of a
48、shift register to generate the round constants RC(v) or the internal constants IC d (i) FB() feedback function to update the internal state of a shift register SBOX PRE the 4-bit substitution table (S-box) also used in the block cipher PRESENT 1 SBOX AES the 8-bit substitution table (S-box) also use
49、d in the Advanced Encryption Algo- rithm 2 5.2.3 Domain extension algorithm The message M to hash is first padded by appending a “1” bit and as many zeros (possibly none), such that the total length is a multiple of the bitrate, r, and finally l message blocks m 0 , m l-1of r bits each can be obtained. The t-bit internal state, S, is initialized by setting it to the value S 0
