The overall structure of the hash function LSH is shown in the following figure.

The hash function LSH has the wide-pipe Merkle-Damgård structure with one-zeros padding. The message hashing process of LSH consists of the following three stages.

1. Initialization:
   • One-zeros padding of a given bit string message.
   • Conversion to 32-word array message blocks from the padded bit string message.
   • Initialization of a chaining variable with the initialization vector.
2. Compression:
   • Updating of chaining variables by iteration of a compression function with message blocks.
3. Finalization:
   • Generation of an ${\displaystyle n}$ -bit hash value from the final chaining variable.

The specifications of the hash function LSH are as follows.

Initialization

Let ${\displaystyle m}$  be a given bit string message. The given ${\displaystyle m}$  is padded by one-zeros, i.e., the bit ‘1’ is appended to the end of ${\displaystyle m}$ , and the bit ‘0’s are appended until a bit length of a padded message is ${\displaystyle 32wt}$ , where ${\displaystyle t=\lceil (|m|+1)/32w\rceil }$  and ${\displaystyle \lceil x\rceil }$  is the smallest integer not less than ${\displaystyle x}$ .

Let ${\displaystyle m_{p}=m_{0}\|m_{1}\|\ldots \|m_{(32wt-1)}}$  be the one-zeros-padded ${\displaystyle 32wt}$ -bit string of ${\displaystyle m}$ . Then ${\displaystyle m_{p}}$  is considered as a ${\displaystyle 4wt}$ -byte array ${\displaystyle m_{a}=(m[0],\ldots ,m[4wt-1])}$ , where ${\displaystyle m[k]=m_{8k}\|m_{(8k+1)}\|\ldots \|m_{(8k+7)}}$  for all ${\displaystyle 0\leq k\leq (4wt-1)}$ . The ${\displaystyle 4wt}$ -byte array ${\displaystyle m_{a}}$  converts into a ${\displaystyle 32t}$ -word array ${\displaystyle {\textsf {M}}=(M[0],\ldots ,M[32t-1])}$  as follows.

${\displaystyle M[s]\leftarrow m[ws/8+(w/8-1)]\|\ldots \|m[ws/8+1]\|m[ws/8]}$  ${\displaystyle (0\leq s\leq (32t-1))}$ 

From the word array ${\displaystyle {\textsf {M}}}$ , we define the ${\displaystyle t}$  32-word array message blocks ${\displaystyle \{{\textsf {M}}^{(i)}\}_{i=0}^{t-1}}$  as follows.

${\displaystyle {\textsf {M}}^{(i)}\leftarrow (M[32i],M[32i+1],\ldots ,M[32i+31])}$  ${\displaystyle (0\leq i\leq (t-1))}$ 

The 16-word array chaining variable ${\displaystyle {\textsf {CV}}^{(0)}}$  is initialized to the initialization vector ${\displaystyle {\textsf {IV}}}$ .

${\displaystyle {\textsf {CV}}^{(0)}[l]\leftarrow {\textsf {IV}}[l]}$  ${\displaystyle (0\leq l\leq 15)}$ 

The initialization vector ${\displaystyle {\textsf {IV}}}$  is as follows. In the following tables, all values are expressed in hexadecimal form.

Compression

In this stage, the ${\displaystyle t}$  32-word array message blocks ${\displaystyle \{{\textsf {M}}^{(i)}\}_{i=0}^{t-1}}$ , which are generated from a message ${\displaystyle m}$  in the initialization stage, are compressed by iteration of compression functions. The compression function ${\displaystyle {\textrm {CF}}:{\mathcal {W}}^{16}\times {\mathcal {W}}^{32}\rightarrow {\mathcal {W}}^{16}}$  has two inputs; the ${\displaystyle i}$ -th 16-word chaining variable ${\displaystyle {\textsf {CV}}^{(i)}}$  and the ${\displaystyle i}$ -th 32-word message block ${\displaystyle {\textsf {M}}^{(i)}}$ . And it returns the ${\displaystyle (i+1)}$ -th 16-word chaining variable ${\displaystyle {\textsf {CV}}^{(i+1)}}$ . Here and subsequently, ${\displaystyle {\mathcal {W}}^{t}}$  denotes the set of all ${\displaystyle t}$ -word arrays for ${\displaystyle t\geq 1}$ .

The following four functions are used in a compression function:

• Message expansion function ${\displaystyle {\textrm {MsgExp}}:{\mathcal {W}}^{32}\rightarrow {\mathcal {W}}^{16(Ns+1)}}$ 
• Message addition function ${\displaystyle {\textrm {MsgAdd}}:{\mathcal {W}}^{16}\times {\mathcal {W}}^{16}\rightarrow {\mathcal {W}}^{16}}$ 
• Mix function ${\displaystyle {\textrm {Mix}}_{j}:{\mathcal {W}}^{16}\rightarrow {\mathcal {W}}^{16}}$ 
• Word-permutation function ${\displaystyle {\textrm {WordPerm}}:{\mathcal {W}}^{16}\rightarrow {\mathcal {W}}^{16}}$ 

The overall structure of the compression function is shown in the following figure.

In a compression function, the message expansion function ${\displaystyle {\textrm {MsgExp}}}$  generates ${\displaystyle (N_{s}+1)}$  16-word array sub-messages ${\displaystyle \{{\textsf {M}}_{j}^{(i)}\}_{j=0}^{N_{s}}}$  from given ${\displaystyle {\textsf {M}}^{(i)}}$ . Let ${\displaystyle {\textsf {T}}=(T[0],\ldots ,T[15])}$  be a temporary 16-word array set to the ${\displaystyle i}$ -th chaining variable ${\displaystyle {\textsf {CV}}^{(i)}}$ . The ${\displaystyle j}$ -th step function ${\displaystyle {\textrm {Step}}_{j}}$  having two inputs ${\displaystyle {\textsf {T}}}$  and ${\displaystyle {\textsf {M}}_{j}^{(i)}}$  updates ${\displaystyle {\textsf {T}}}$ , i.e., ${\displaystyle {\textsf {T}}\leftarrow {\textrm {Step}}_{j}\left({\textsf {T}},{\textsf {M}}_{j}^{(i)}\right)}$ . All step functions are proceeded in order ${\displaystyle j=0,\ldots ,N_{s}-1}$ . Then one more ${\displaystyle {\textrm {MsgAdd}}}$  operation by ${\displaystyle {\textsf {M}}_{N_{s}}^{(i)}}$  is proceeded, and the ${\displaystyle (i+1)}$ -th chaining variable ${\displaystyle {\textsf {CV}}^{(i+1)}}$  is set to ${\displaystyle {\textsf {T}}}$ . The process of a compression function in detail is as follows.

Here the ${\displaystyle j}$ -th step function ${\displaystyle {\textrm {Step}}_{j}:{\mathcal {W}}^{16}\times {\mathcal {W}}^{16}\rightarrow {\mathcal {W}}^{16}}$  is as follows.

${\displaystyle {\textrm {Step}}_{j}:={\textrm {WordPerm}}\circ {\textrm {Mix}}_{j}\circ {\textrm {MsgAdd}}}$  ${\displaystyle (0\leq j\leq (N_{s}-1))}$ 

The following figure shows the ${\displaystyle j}$ -th step function ${\displaystyle {\textrm {Step}}_{j}}$  of a compression function.

Message Expansion Function MsgExp

Let ${\displaystyle {\textsf {M}}^{(i)}=(M^{(i)}[0],\ldots ,M^{(i)}[31])}$  be the ${\displaystyle i}$ -th 32-word array message block. The message expansion function ${\displaystyle {\textrm {MsgExp}}}$  generates ${\displaystyle (N_{s}+1)}$  16-word array sub-messages ${\displaystyle \{{\textsf {M}}_{j}^{(i)}\}_{j=0}^{N_{s}}}$  from a message block ${\displaystyle {\textsf {M}}^{(i)}}$ . The first two sub-messages ${\displaystyle {\textsf {M}}_{0}^{(i)}=(M_{0}^{(i)}[0],\ldots ,M_{0}^{(i)}[15])}$  and ${\displaystyle {\textsf {M}}_{1}^{(i)}=(M_{1}^{(i)}[0],\ldots ,M_{1}^{(i)}[15])}$  are defined as follows.

• ${\displaystyle {\textsf {M}}_{0}^{(i)}\leftarrow (M^{(i)}[0],M^{(i)}[1],\ldots ,M^{(i)}[15])}$ 
• ${\displaystyle {\textsf {M}}_{1}^{(i)}\leftarrow (M^{(i)}[16],M^{(i)}[17],\ldots ,M^{(i)}[31])}$ 

The next sub-messages ${\displaystyle \{{\textsf {M}}_{j}^{(i)}=(M_{j}^{(i)}[0],\ldots ,M_{j}^{(i)}[15])\}_{j=2}^{N_{s}}}$  are generated as follows.

• ${\displaystyle {\textsf {M}}_{j}^{(i)}[l]\leftarrow {\textsf {M}}_{j-1}^{(i)}[l]\boxplus {\textsf {M}}_{j-2}^{(i)}[\tau (l)]}$  ${\displaystyle (0\leq l\leq 15,\ 2\leq j\leq N_{s})}$ 

Here ${\displaystyle \tau }$  is the permutation over ${\displaystyle \mathbb {Z} _{16}}$  defined as follows.

Message Addition Function MsgAdd

For two 16-word arrays ${\displaystyle {\textsf {X}}=(X[0],\ldots ,X[15])}$  and ${\displaystyle {\textsf {Y}}=(Y[0],\ldots ,Y[15])}$ , the message addition function ${\displaystyle {\textrm {MsgAdd}}:{\mathcal {W}}^{16}\times {\mathcal {W}}^{16}\rightarrow {\mathcal {W}}^{16}}$  is defined as follows.

${\displaystyle {\textrm {MsgAdd}}({\textsf {X}},{\textsf {Y}}):=(X[0]\oplus Y[0],\ldots ,X[15]\oplus Y[15])}$ 

Mix Function Mix

The ${\displaystyle j}$ -th mix function ${\displaystyle {\textrm {Mix}}_{j}:{\mathcal {W}}^{16}\rightarrow {\mathcal {W}}^{16}}$  updates the 16-word array ${\displaystyle {\textsf {T}}=(T[0],\ldots ,T[15])}$  by mixing every two-word pair; ${\displaystyle T[l]}$  and ${\displaystyle T[l+8]}$  for ${\displaystyle (0\leq l<8)}$ . For ${\displaystyle 0\leq j<N_{s}}$ , the mix function ${\displaystyle {\textrm {Mix}}_{j}}$  proceeds as follows.

${\displaystyle (T[l],T[l+8])\leftarrow {\textrm {Mix}}_{j,l}(T[l],T[l+8])}$  ${\displaystyle (0\leq l<8)}$ 

Here ${\displaystyle {\textrm {Mix}}_{j,l}}$  is a two-word mix function. Let ${\displaystyle X}$  and ${\displaystyle Y}$  be words. The two-word mix function ${\displaystyle {\textrm {Mix}}_{j,l}:{\mathcal {W}}^{2}\rightarrow {\mathcal {W}}^{2}}$  is defined as follows.

The two-word mix function ${\displaystyle {\textrm {Mix}}_{j,l}}$  is shown in the following figure.

The bit rotation amounts ${\displaystyle \alpha _{j}}$ , ${\displaystyle \beta _{j}}$ , ${\displaystyle \gamma _{l}}$  used in ${\displaystyle {\textrm {Mix}}_{j,l}}$  are shown in the following table.

The ${\displaystyle j}$ -th 8-word array constant ${\displaystyle {\textsf {SC}}_{j}=(SC_{j}[0],\ldots ,SC_{j}[7])}$  used in ${\displaystyle {\textrm {Mix}}_{j,l}}$  for ${\displaystyle 0\leq l<8}$  is defined as follows. The initial 8-word array constant ${\displaystyle {\textsf {SC}}_{0}=(SC_{0}[0],\ldots ,SC_{0}[7])}$  is defined in the following table. For ${\displaystyle 1\leq j<N_{s}}$ , the ${\displaystyle j}$ -th constant ${\displaystyle {\textsf {SC}}_{j}=(SC_{j}[0],\ldots ,SC_{j}[7])}$  is generated by ${\displaystyle SC_{j}[l]\leftarrow SC_{j-1}[l]\boxplus SC_{j-1}[l]^{\lll 8}}$  for ${\displaystyle 0\leq l<8}$ .

Word-Permutation Function WordPerm

Let ${\displaystyle {\textsf {X}}=(X[0],\ldots ,X[15])}$  be a 16-word array. The word-permutation function ${\displaystyle {\textrm {WordPerm}}:{\mathcal {W}}^{16}\rightarrow {\mathcal {W}}^{16}}$  is defined as follows.

${\displaystyle {\textrm {WordPerm}}({\textsf {X}})=(X[\sigma (0)],\ldots ,X[\sigma (15)])}$ 

Here ${\displaystyle \sigma }$  is the permutation over ${\displaystyle \mathbb {Z} _{16}}$  defined by the following table.

Finalization

The finalization function ${\displaystyle {\textrm {FIN}}_{n}:{\mathcal {W}}^{16}\rightarrow \{0,1\}^{n}}$  returns ${\displaystyle n}$ -bit hash value ${\displaystyle h}$  from the final chaining variable ${\displaystyle {\textsf {CV}}^{(t)}=(CV^{(t)}[0],\ldots ,CV^{(t)}[15])}$ . When ${\displaystyle {\textsf {H}}=(H[0],\ldots ,H[7])}$  is an 8-word variable and ${\displaystyle {\textsf {h}}_{\textsf {b}}=(h_{b}[0],\ldots ,h_{b}[w-1])}$  is a ${\displaystyle w}$ -byte variable, the finalization function ${\displaystyle {\textrm {FIN}}_{n}}$  performs the following procedure.

• ${\displaystyle H[l]\leftarrow CV^{(t)}[l]\oplus CV^{(t)}[l+8]}$  ${\displaystyle (0\leq l\leq 7)}$ 
• ${\displaystyle h_{b}[s]\leftarrow H[\lfloor 8s/w\rfloor ]_{[7:0]}^{\ggg (8s\mod w)}}$  ${\displaystyle (0\leq s\leq (w-1))}$ 
• ${\displaystyle h\leftarrow (h_{b}[0]\|\ldots \|h_{b}[w-1])_{[0:n-1]}}$ 

Here, ${\displaystyle X_{[i:j]}}$  denotes ${\displaystyle x_{i}\|x_{i-1}\|\ldots \|x_{j}}$ , the sub-bit string of a word ${\displaystyle X}$  for ${\displaystyle i\geq j}$ . And ${\displaystyle x_{[i:j]}}$  denotes ${\displaystyle x_{i}\|x_{i+1}\|\ldots \|x_{j}}$ , the sub-bit string of a ${\displaystyle l}$ -bit string ${\displaystyle x=x_{0}\|x_{1}\|\ldots \|x_{l-1}}$  for ${\displaystyle i\leq j}$ .

LSH is secure against known attacks on hash functions up to now. LSH is collision-resistant for ${\displaystyle q<2^{n/2}}$  and preimage-resistant and second-preimage-resistant for ${\displaystyle q<2^{n}}$  in the ideal cipher model, where ${\displaystyle q}$  is a number of queries for LSH structure.^[1] LSH-256 is secure against all the existing hash function attacks when the number of steps is 13 or more, while LSH-512 is secure if the number of steps is 14 or more. Note that the steps which work as security margin are 50% of the compression function.^[1]

LSH outperforms SHA-2/3 on various software platforms. The following table shows the speed performance of 1MB message hashing of LSH on several platforms.

The following table is the comparison at the platform based on Haswell, LSH is measured on Intel Core i7-4770k @ 3.5 GHz quad core platform, and others are measured on Intel Core i5-4570S @ 2.9 GHz quad core platform.

The following table is measured on Samsung Exynos 5250 ARM Cortex-A15 @ 1.7 GHz dual core platform.

Test vectors for LSH for each digest length are as follows. All values are expressed in hexadecimal form.

LSH-256-224("abc") = F7 C5 3B A4 03 4E 70 8E 74 FB A4 2E 55 99 7C A5 12 6B B7 62 36 88 F8 53 42 F7 37 32

LSH-256-256("abc") = 5F BF 36 5D AE A5 44 6A 70 53 C5 2B 57 40 4D 77 A0 7A 5F 48 A1 F7 C1 96 3A 08 98 BA 1B 71 47 41

LSH-512-224("abc") = D1 68 32 34 51 3E C5 69 83 94 57 1E AD 12 8A 8C D5 37 3E 97 66 1B A2 0D CF 89 E4 89

LSH-512-256("abc") = CD 89 23 10 53 26 02 33 2B 61 3F 1E C1 1A 69 62 FC A6 1E A0 9E CF FC D4 BC F7 58 58 D8 02 ED EC

LSH-512-384("abc") = 5F 34 4E FA A0 E4 3C CD 2E 5E 19 4D 60 39 79 4B 4F B4 31 F1 0F B4 B6 5F D4 5E 9D A4 EC DE 0F 27 B6 6E 8D BD FA 47 25 2E 0D 0B 74 1B FD 91 F9 FE

LSH-512-512("abc") = A3 D9 3C FE 60 DC 1A AC DD 3B D4 BE F0 A6 98 53 81 A3 96 C7 D4 9D 9F D1 77 79 56 97 C3 53 52 08 B5 C5 72 24 BE F2 10 84 D4 20 83 E9 5A 4B D8 EB 33 E8 69 81 2B 65 03 1C 42 88 19 A1 E7 CE 59 6D

LSH is free for any use public or private, commercial or non-commercial. The source code for distribution of LSH implemented in C, Java, and Python can be downloaded from KISA's cryptography use activation webpage.^[2]

LSH is one of the cryptographic algorithms approved by the Korean Cryptographic Module Validation Program (KCMVP).^[3]

LSH is included in the following standard.

• KS X 3262, Hash function LSH (in Korean)^[4]