RadioGatún is a
cryptographic hash primitive created by Guido Bertoni,
Joan Daemen
Joan Daemen (; born 1965) is a Belgian cryptographer who co-designed with Vincent Rijmen the Rijndael cipher, which was selected as the Advanced Encryption Standard (AES) in 2001. More recently, he co-designed the Keccak cryptographic hash, whi ...
, Michaël Peeters, and
Gilles Van Assche
Gilles Van Assche is a Belgians, Belgian cryptographer who co-designed the Keccak cryptographic hash, which was NIST hash function competition, selected as the new SHA-3 hash by NIST in October 2012. The SHA-3 standard was released by NIST on Aug ...
. It was first publicly presented at the NIST Second Cryptographic Hash Workshop, held in
Santa Barbara, California
Santa Barbara ( es, Santa Bárbara, meaning "Saint Barbara") is a coastal city in Santa Barbara County, California, of which it is also the county seat. Situated on a south-facing section of coastline, the longest such section on the West Coas ...
, on August 24–25, 2006, as part of the
NIST hash function competition
The NIST hash function competition was an open competition held by the US National Institute of Standards and Technology (NIST) to develop a new hash function called SHA-3 to complement the older SHA-1 and SHA-2. The competition was formally ann ...
. The same team that developed RadioGatún went on to make considerable revisions to this
cryptographic primitive
Cryptographic primitives are well-established, low-level cryptographic algorithms that are frequently used to build cryptographic protocols for computer security systems. These routines include, but are not limited to, one-way hash functions and ...
, leading to the
Keccak
SHA-3 (Secure Hash Algorithm 3) is the latest member of the Secure Hash Algorithm family of standards, released by NIST on August 5, 2015. Although part of the same series of standards, SHA-3 is internally different from the MD5-like struct ...
SHA-3 algorithm.
RadioGatún is a family of 64 different hash functions, distinguished by a single parameter, the word width in
bit
The bit is the most basic unit of information in computing and digital communications. The name is a portmanteau of binary digit. The bit represents a logical state with one of two possible values. These values are most commonly represente ...
s (''w''), adjustable between 1 and 64. The only word sizes with official test vectors are the 32-bit and 64-bit variants of RadioGatún. The algorithm uses 58 words, each using ''w'' bits, to store its internal state, so the 32-bit version needs 232 bytes to store its state (since each word needs 32 bits or four bytes, and 58 multiplied by four is 232) and the 64-bit version 464 bytes (each word using eight bytes).
Although RadioGatún is a derivative of
Panama
Panama ( , ; es, link=no, Panamá ), officially the Republic of Panama ( es, República de Panamá), is a transcontinental country spanning the southern part of North America and the northern part of South America. It is bordered by Cos ...
, a
stream cipher
stream cipher is a symmetric key cipher where plaintext digits are combined with a pseudorandom cipher digit stream (keystream). In a stream cipher, each plaintext digit is encrypted one at a time with the corresponding digit of the keystream ...
and hash construction from the late 1990s whose hash construction has been broken, RadioGatún does not have Panama's weaknesses when used as a hash function. As of 2022, RadioGatún is still a secure hash function; the largest version of RadioGatún that is broken is the one with a word size of two bits. RadioGatún has a claimed
security strength
In cryptography, security level is a measure of the strength that a cryptographic primitive — such as a cipher or hash function — achieves. Security level is usually expressed as a number of "bits of security" (also security strength) ...
of 304 bits for the 32-bit version and 608 bits for the 64-bit version. The best known cryptanalysis has not broken this claim: It needs 352 bits of work for the 32-bit version and 704 bits of work for the 64-bit version.
RadioGatún can be used either as a hash function or a stream cipher; it can output an arbitrarily long stream of
pseudo-random numbers
A pseudorandom sequence of numbers is one that appears to be statistically random, despite having been produced by a completely deterministic and repeatable process.
Background
The generation of random numbers has many uses, such as for random ...
; this kind of hash construction is now known as an "Extendable-Output Function" (XOF).
Claimed strength
The algorithm's designers, in the original RadioGatún paper, claimed that the first 19 × ''w'' bits (where ''w'' is the word width used) of RadioGatún's output is a cryptographically secure hash function.
Since publishing the paper, the designers revised their security claim, and now claim that RadioGatún has the security of a cryptographic
sponge function
In cryptography, a sponge function or sponge construction is any of a class of algorithms with finite state (computer science), internal state that take an input bit stream of any length and produce an output bit stream of any desired length. Spon ...
with a capacity of 19''w''. This means that the 32-bit version of RadioGatún can be used to make a hash with 304
bits of security
In cryptography, security level is a measure of the strength that a cryptographic primitive — such as a cipher or hash function — achieves. Security level is usually expressed as a number of "bits of security" (also security strengt ...
(both from
collision attack
In cryptography, a collision attack on a cryptographic hash tries to find two inputs producing the same hash value, i.e. a hash collision. This is in contrast to a preimage attack where a specific target hash value is specified.
There are roughl ...
s and from
Preimage attack
In cryptography, a preimage attack on cryptographic hash functions tries to find a message that has a specific hash value. A cryptographic hash function should resist attacks on its preimage (set of possible inputs).
In the context of attack, th ...
s), and the 64-bit version offers 608 bits of security.
Implementation details
The designers call RadioGatún an "ideal mangling function". RadioGatún uses a "belt" and "mill" to cryptographically process binary data, with the majority of mangling operations performed on the "mill" part of RadioGatún.
Keccak
SHA-3 (Secure Hash Algorithm 3) is the latest member of the Secure Hash Algorithm family of standards, released by NIST on August 5, 2015. Although part of the same series of standards, SHA-3 is internally different from the MD5-like struct ...
removed the belt, increased the size of the mill from 19 words to 25 words, and made the mill function somewhat more complicated.
The core belt function looks like this:
(A,B) = R(a,b)
for row = 0 to 2 do
for all i do
B , row= b + 1 mod 13, row end for
end for
for i = 0 to 11 do
B + 1, i mod 3= B + 1, i mod 3⊕ a + 1end for
A = Mill(a)
b = B
for i = 0 to 2 do
A + 13= A + 13⊕ b 2, iend for
And the mill function Mill(A) looks like this:
for all i do
A = a ⊕ (a + 1~a + 2
end for
for all i do
a = A i≫ i(i + 1)/2
end for
for all i do
A = a ⊕ a + 1⊕ a + 4end for
A = A ⊕ 1
The Wikibooks page on RadioGatún provides full implementation details, and
Module:RadioGatun32 is an implementation of the 32-bit version of RadioGatún.
Cryptanalysis
In the paper "Two attacks on RadioGatún",
Dmitry Khovratovich
Dmitry Khovratovich is a cryptographer, currently a Lead Cryptographer for the Dusk Network, researcher for the Ethereum Foundation, and member of the International Association for Cryptologic Research. He developed, together with Alex Biryuk ...
presents two attacks that do not break the designers' security claims, one with a complexity of 2
18''w'' and another with a complexity of 2
23.1''w''. Khovratovich also authored a paper, entitled "Cryptanalysis of hash functions with structures", which describes an attack with a complexity of 2
18''w''.
In the paper "Analysis of the Collision Resistance of RadioGatún using Algebraic Techniques", Charles Bouillaguet and Pierre-Alain Fouque present a way of generating collisions with the 1-bit version of the algorithm using an attack that needs 2
24.5 operations. The attack can not be extended to larger versions since "all the possible trails we knew for the 1-bit version turned out to be impossible to extend to n-bit versions." This attack is less effective than the other attacks and also does not break RadioGatún's security claim.
The most effective attack against the algorithm, one with a complexity of 2
11''w'', is given in the paper "Cryptanalysis of RadioGatun" by Thomas Fuhr and Thomas Peyrin. In the paper, they break the 2-bit (word size of two) version of RadioGatún. While more effective than the other attacks, this attack still does not break the security claim.
The developers of RadioGatún have stated that their "own experiments did not inspire confidence in RadioGatún".
Test vectors
The only RadioGatún variants that the designers supplied test vectors (published hash values for sample inputs so programmers can verify they are correctly implementing the algorithm) for are the 32-bit and 64-bit versions.
RadioGatún 2/h2>
These test vectors, generated using the 32-bit version of RadioGatún, only show the first 256 bits of RadioGatún
2s arbitrarily long output stream:
RadioGatún 4/h2>
Here are hashes for the 64-bit version:
RadioGatun
4"") =
64A9A7FA139905B57BDAB35D33AA216370D5EAE13E77BFCDD85513408311A584
RadioGatun
4"The quick brown fox jumps over the lazy og") =
6219FB8DAD92EBE5B2F7D18318F8DA13CECBF13289D79F5ABF4D253C6904C807
RadioGatun
4"The quick brown fox jumps over the lazy og") =
C06265CAC961EA74912695EBF20F1C256A338BC0E980853A3EEF188D4B06FCE5
References
External links
The RadioGatún Hash Function Family RadioGatún's official web page, with the hash's official description, public domain reference code, and test vectors
rg32hash an independent public-domain implementation of the 32-bit version of RadioGatún
{{DEFAULTSORT:Radiogatun
Cryptographic hash functions
Extendable-output functions