On the strength evaluation of Lesamnta against differential cryptanalysis

  • Authors:
  • Yasutaka Igarashi; Toshinobu Kaneko

  • Affiliations:
  • Tokyo University of Science, Chiba, Japan; Tokyo University of Science, Chiba, Japan

  • Venue:
  • ICSI'10 Proceedings of the First international conference on Advances in Swarm Intelligence - Volume Part II
  • Year:
  • 2010

Abstract

We focus on the cryptographic hash algorithm Lesamnta-256. Lesamnta-256 consists of the Merkle-Damgård iteration of a compression function and an output function. The compression function consists of a mixing function and a key scheduling function. The mixing function consists of 32 rounds of a four-way generalized Feistel structure. In each round there is a nonlinear function F with 64-bit input/output, which consists of 4 steps of an AES-type SPN (Substitution Permutation Network) structure. A subkey is XORed only at the first step of the SPN. The designers analyzed its security by assuming that the subkey is XORed at every step of the SPN. Such an independent subkey assumption is also applied to the analysis of other SHA-3 candidates, e.g. Grøstl, LANE, Luffa. However, we analyze the security of these components of Lesamnta as is. We show that the 2 steps of SPN referred to as XS have the maximum differential probability $2^{-11.415}$. This probability is greater than both the differential characteristic probability $2^{-18}$ and the differential probability $2^{-12}$ derived under the independent subkey assumption. On the strength of the whole compression function, we show that there are at least 15 active F functions in the mixing function on 64-bit truncated analysis. As the input bit length of the mixing function is 256, we can say that it is secure against differential attack if the maximum differential probability of the F function is less than $2^{-256/15} \approx 2^{-17.067}$. We also show that the key scheduling function is secure against differential cryptanalysis.