3 About the tweak
This document defines version 1.1 of SIMD. The following modifications have been made
since version 1.0:
• The permutations $p^{(i)}$ have been optimized to provide better security.
• The rotations $r^{(i)}$ and $s^{(i)}$ have been optimized to provide better security.
• We introduce a new family of strengthened versions SIMD+ with more rounds than SIMD.
These versions can be used if strong security margins are needed.
• We introduce a new family of reduced versions SISD which can be used in constrained
environments when only a short tag is needed. These versions can also be useful for developing
cryptanalysis techniques.
• The IV and the test vectors have been updated.
The tweak has essentially no effect on the performance of SIMD.
This tweak is motivated by the discovery of a differential distinguisher on the compression
function of SIMD-512 1.0 by Nad and Mendel [21]. This distinguishing attack has complexity
$2^{427}$ and is based on a differential trail where no difference is introduced in the message, but a
specific difference $\Delta_{in}$ in the chaining value can go to a difference $\Delta_{out}$
with probability $2^{-507}$.
The attack is possible because the diffusion in the compression function is relatively slow and the
permutations and rotations of SIMD 1.0 have some bad properties that allow good differential
paths.
The tweak prevents the attack in its current form by removing the unwanted properties of the
permutations and rotations, but it is possible that future improvements will give a distinguisher based
on similar ideas. However, we decided not to increase the number of rounds of SIMD because we
believe that such distinguishers do not threaten the security of SIMD.
The compression function of SIMD was designed with the idea that the message input and
the chaining value input of the compression function have different roles. An attacker can easily
control the message input, but the chaining value can only be chosen by hashing a previous block.
That is why we use a strong message expansion step, while the chaining value undergoes fewer
transformations. Moreover, since SIMD uses a wide-pipe design, attacks on the compression
function which require control of the chaining value are very unlikely to be transferable to the
full hash function. For instance, a free-start preimage attack on the compression function cannot
be used to break the hash function, even if it has only unit cost.
Therefore, we believe that it is not worth increasing the number of rounds to avoid potential
free-start distinguishers, but we provide a strengthened version SIMD+ for those who feel otherwise.