LSH (hash function) explained

LSH is a cryptographic hash function designed in 2014 by South Korea to provide integrity in general-purpose software environments such as PCs and smart devices.^[1] LSH is one of the cryptographic algorithms approved by the Korean Cryptographic Module Validation Program (KCMVP).And it is the national standard of South Korea (KS X 3262).

Specification

The overall structure of the hash function LSH is shown in the following figure.

The hash function LSH has the wide-pipe Merkle-Damgård structure with one-zeros padding.The message hashing process of LSH consists of the following three stages.

Initialization:
- One-zeros padding of a given bit string message.
- Conversion to 32-word array message blocks from the padded bit string message.
- Initialization of a chaining variable with the initialization vector.
Compression:
- Updating of chaining variables by iteration of a compression function with message blocks.
Finalization:
- Generation of an

-bit hash value from the final chaining variable.

function Hash function LSH
input: Bit string message

output: Hash value

h\in\{0,1\}ⁿ

procedure

One-zeros padding of

Generation of

message blocks

\{sf{M}⁽ⁱ⁾

	t-1
\}
	i=0

, where

t=\lceil

	\|m\|+1
	32w

\rceil

from the padded bit string

sf{CV}⁽⁰⁾\leftarrowsf{IV}

for

i=0

(t-1)

sf{CV}⁽ⁱ⁺¹⁾\leftarrowrm{CF}(sf{CV}⁽ⁱ⁾,sf{M}⁽ⁱ⁾)

end for

h\leftarrow

	(t)
rm{FIN}
	n(sf{CV}

)

return

The specifications of the hash function LSH are as follows.

Hash function LSH specifications
Algorithm	Digest size in bits ( n )	Number of step functions ( N_s )	Chaining variable size in bits	Message block size in bits	Word size in bits ( w )
LSH-256-224	224	26	512	1024	32
LSH-256-256	256	26	512	1024	32
LSH-512-224	224	28	1024	2048	64
LSH-512-256	256
LSH-512-384	384
LSH-512-512	512

Initialization

Let

be a given bit string message.The given

is padded by one-zeros, i.e., the bit ‘1’ is appended to the end of

, and the bit ‘0’s are appended until a bit length of a padded message is

32wt

, where

t=\lceil(|m|+1)/32w\rceil

and

\lceilx\rceil

is the smallest integer not less than

Let

m_p=m₀\|m₁\|\ldots\|m_(32wt-1)

be the one-zeros-padded

32wt

-bit string of

.Then

m_p

is considered as a

4wt

-byte array

m_a=(m[0],\ldots,m[4wt-1])

, where

m[k]=m_8k\|m_(8k+1)\|\ldots\|m_(8k+7)

for all

0\lek\le(4wt-1)

.The

4wt

-byte array

m_a

converts into a

32t

-word array

sf{M}=(M[0],\ldots,M[32t-1])

as follows.

M[s]\leftarrowm[ws/8+(w/8-1)]\|\ldots\|m[ws/8+1]\|m[ws/8]

(0\les\le(32t-1))

From the word array

sf{M}

, we define the

32-word array message blocks

\{sf{M}⁽ⁱ⁾

	t-1
\}
	i=0

as follows.

sf{M}⁽ⁱ⁾\leftarrow(M[32i],M[32i+1],\ldots,M[32i+31])

(0\lei\le(t-1))

The 16-word array chaining variable

sf{CV}⁽⁰⁾

is initialized to the initialization vector

sf{IV}

sf{CV}⁽⁰⁾[l]\leftarrowsf{IV}[l]

(0\lel\le15)

The initialization vector

sf{IV}

is as follows.In the following tables, all values are expressed in hexadecimal form.

LSH-256-224 initialization vector
sf{IV}[0]	sf{IV}[1]	sf{IV}[2]	sf{IV}[3]	sf{IV}[4]	sf{IV}[5]	sf{IV}[6]	sf{IV}[7]
068608D3	62D8F7A7	D76652AB	4C600A43	BDC40AA8	1ECA0B68	DA1A89BE	3147D354
sf{IV}[8]	sf{IV}[9]	sf{IV}[10]	sf{IV}[11]	sf{IV}[12]	sf{IV}[13]	sf{IV}[14]	sf{IV}[15]
707EB4F9	F65B3862	6B0B2ABE	56B8EC0A	CF237286	EE0D1727	33636595	8BB8D05F

LSH-256-256 initialization vector
sf{IV}[0]	sf{IV}[1]	sf{IV}[2]	sf{IV}[3]	sf{IV}[4]	sf{IV}[5]	sf{IV}[6]	sf{IV}[7]
46A10F1F	FDDCE486	B41443A8	198E6B9D	3304388D	B0F5A3C7	B36061C4	7ADBD553
sf{IV}[8]	sf{IV}[9]	sf{IV}[10]	sf{IV}[11]	sf{IV}[12]	sf{IV}[13]	sf{IV}[14]	sf{IV}[15]
105D5378	2F74DE54	5C2F2D95	F2553FBE	8051357A	138668C8	47AA4484	E01AFB41

LSH-512-224 initialization vector
sf{IV}[0]	sf{IV}[1]	sf{IV}[2]	sf{IV}[3]
0C401E9FE8813A55	4A5F446268FD3D35	FF13E452334F612A	F8227661037E354A
sf{IV}[4]	sf{IV}[5]	sf{IV}[6]	sf{IV}[7]
A5F223723C9CA29D	95D965A11AED3979	01E23835B9AB02CC	52D49CBAD5B30616
sf{IV}[8]	sf{IV}[9]	sf{IV}[10]	sf{IV}[11]
9E5C2027773F4ED3	66A5C8801925B701	22BBC85B4C6779D9	C13171A42C559C23
sf{IV}[12]	sf{IV}[13]	sf{IV}[14]	sf{IV}[15]
31E2B67D25BE3813	D522C4DEED8E4D83	A79F5509B43FBAFE	E00D2CD88B4B6C6A

LSH-512-256 initialization vector
sf{IV}[0]	sf{IV}[1]	sf{IV}[2]	sf{IV}[3]
6DC57C33DF989423	D8EA7F6E8342C199	76DF8356F8603AC4	40F1B44DE838223A
sf{IV}[4]	sf{IV}[5]	sf{IV}[6]	sf{IV}[7]
39FFE7CFC31484CD	39C4326CC5281548	8A2FF85A346045D8	FF202AA46DBDD61E
sf{IV}[8]	sf{IV}[9]	sf{IV}[10]	sf{IV}[11]
CF785B3CD5FCDB8B	1F0323B64A8150BF	FF75D972F29EA355	2E567F30BF1CA9E1
sf{IV}[12]	sf{IV}[13]	sf{IV}[14]	sf{IV}[15]
B596875BF8FF6DBA	FCCA39B089EF4615	ECFF4017D020B4B6	7E77384C772ED802

LSH-512-384 initialization vector
sf{IV}[0]	sf{IV}[1]	sf{IV}[2]	sf{IV}[3]
53156A66292808F6	B2C4F362B204C2BC	B84B7213BFA05C4E	976CEB7C1B299F73
sf{IV}[4]	sf{IV}[5]	sf{IV}[6]	sf{IV}[7]
DF0CC63C0570AE97	DA4441BAA486CE3F	6559F5D9B5F2ACC2	22DACF19B4B52A16
sf{IV}[8]	sf{IV}[9]	sf{IV}[10]	sf{IV}[11]
BBCDACEFDE80953A	C9891A2879725B3E	7C9FE6330237E440	A30BA550553F7431
sf{IV}[12]	sf{IV}[13]	sf{IV}[14]	sf{IV}[15]
BB08043FB34E3E30	A0DEC48D54618EAD	150317267464BC57	32D1501FDE63DC93

LSH-512-512 initialization vector
sf{IV}[0]	sf{IV}[1]	sf{IV}[2]	sf{IV}[3]
ADD50F3C7F07094E	E3F3CEE8F9418A4F	B527ECDE5B3D0AE9	2EF6DEC68076F501
sf{IV}[4]	sf{IV}[5]	sf{IV}[6]	sf{IV}[7]
8CB994CAE5ACA216	FBB9EAE4BBA48CC7	650A526174725FEA	1F9A61A73F8D8085
sf{IV}[8]	sf{IV}[9]	sf{IV}[10]	sf{IV}[11]
B6607378173B539B	1BC99853B0C0B9ED	DF727FC19B182D47	DBEF360CF893A457
sf{IV}[12]	sf{IV}[13]	sf{IV}[14]	sf{IV}[15]
4981F5E570147E80	D00C4490CA7D3E30	5D73940C0E4AE1EC	894085E2EDB2D819

Compression

In this stage, the

32-word array message blocks

\{sf{M}⁽ⁱ⁾

	t-1
\}
	i=0

, which are generated from a message

in the initialization stage, are compressed by iteration of compression functions.The compression function

rm{CF}:l{W}¹⁶ x l{W}³² → l{W}¹⁶

has two inputs; the

-th 16-word chaining variable

sf{CV}⁽ⁱ⁾

and the

-th 32-word message block

sf{M}⁽ⁱ⁾

.And it returns the

(i+1)

-th 16-word chaining variable

sf{CV}⁽ⁱ⁺¹⁾

.Here and subsequently,

l{W}^t

denotes the set of all

-word arrays for

t\ge1

The following four functions are used in a compression function:

Message expansion function

rm{MsgExp}:l{W}³² → l{W}^16(Ns+1)

Message addition function

rm{MsgAdd}:l{W}¹⁶ x l{W}¹⁶ → l{W}¹⁶

Mix function

rm{Mix}_j:l{W}¹⁶ → l{W}¹⁶

Word-permutation function

rm{WordPerm}:l{W}¹⁶ → l{W}¹⁶

The overall structure of the compression function is shown in the following figure.

In a compression function, the message expansion function

rm{MsgExp}

generates

(N_s+1)

16-word array sub-messages

	(i)
sf{M}
	j

	N_s
\}
	j=0

from given

sf{M}⁽ⁱ⁾

.Let

sf{T}=(T[0],\ldots,T[15])

be a temporary 16-word array set to the

-th chaining variable

sf{CV}⁽ⁱ⁾

.The

-th step function

rm{Step}_j

having two inputs

sf{T}

and

	(i)
sf{M}
	j

updates

sf{T}

, i.e.,

sf{T}\leftarrowrm{Step}_j\left(

	(i)
sf{T},sf{M}
	j

\right)

.All step functions are proceeded in order

j=0,\ldots,N_s-1

.Then one more

rm{MsgAdd}

operation by

	(i)
sf{M}
	N_s

is proceeded, and the

(i+1)

-th chaining variable

sf{CV}⁽ⁱ⁺¹⁾

is set to

sf{T}

.The process of a compression function in detail is as follows.

function Compression function

rm{CF}

input: The

-th chaining variable

sf{CV}⁽ⁱ⁾\inl{W}¹⁶

and the

-th message block

sf{M}⁽ⁱ⁾\inl{W}³²

output: The

(i+1)

-th chaining variable

sf{CV}⁽ⁱ⁺¹⁾\inl{W}¹⁶

procedure

	(i)
sf{M}
	j

	N_s
\}
	j=0

\leftarrowrm{MsgExp}\left(sf{M}⁽ⁱ⁾\right)

sf{T}\leftarrowsf{CV}⁽ⁱ⁾

for

j=0

(N_s-1)

sf{T}\leftarrowrm{Step}_j\left(

	(i)
sf{T},sf{M}
	j

\right)

end for

sf{CV}⁽ⁱ⁺¹⁾\leftarrowrm{MsgAdd}\left(

	(i)
sf{T},sf{M}
	N_s

\right)

return

sf{CV}⁽ⁱ⁺¹⁾

Here the

-th step function

rm{Step}_j:l{W}¹⁶ x l{W}¹⁶ → l{W}¹⁶

is as follows.

rm{Step}_j:=rm{WordPerm}\circrm{Mix}_j\circrm{MsgAdd}

(0\lej\le(N_s-1))

The following figure shows the

-th step function

rm{Step}_j

of a compression function.

Message Expansion Function MsgExp

Let

sf{M}⁽ⁱ⁾=(M⁽ⁱ⁾[0],\ldots,M⁽ⁱ⁾[31])

be the

-th 32-word array message block.The message expansion function

rm{MsgExp}

generates

(N_s+1)

16-word array sub-messages

	(i)
sf{M}
	j

	N_s
\}
	j=0

from a message block

sf{M}⁽ⁱ⁾

.The first two sub-messages

	(i)
sf{M}
	0

	(i)
M
	0

[0],\ldots,

	(i)
M
	0

[15])

and

	(i)
sf{M}
	1

	(i)
M
	1

[0],\ldots,

	(i)
M
	1

[15])

are defined as follows.

	(i)
sf{M}
	0

\leftarrow(M⁽ⁱ⁾[0],M⁽ⁱ⁾[1],\ldots,M⁽ⁱ⁾[15])

	(i)
sf{M}
	1

\leftarrow(M⁽ⁱ⁾[16],M⁽ⁱ⁾[17],\ldots,M⁽ⁱ⁾[31])

The next sub-messages

	(i)
sf{M}
	j

	(i)
M
	j

[0],\ldots,

	(i)
M
	j

[15])

	N_s
\}
	j=2

are generated as follows.

	(i)
sf{M}
	j

[l]\leftarrow

	(i)
sf{M}
	j-1

[l]

	(i)
\boxplussf{M}
	j-2

[\tau(l)]

(0\lel\le15, 2\lej\leN_s)

Here

\tau

is the permutation over

Z₁₆

defined as follows.

The permutation
*\tau*:Z₁₆ → Z₁₆
l	0	1	2	3	4	5	6	7	8	9	10	11	12	13	14	15
\tau(l)	3	2	0	1	7	4	5	6	11	10	8	9	15	12	13	14

Message Addition Function MsgAdd

For two 16-word arrays

sf{X}=(X[0],\ldots,X[15])

and

sf{Y}=(Y[0],\ldots,Y[15])

, the message addition function

rm{MsgAdd}:l{W}¹⁶ x l{W}¹⁶ → l{W}¹⁶

is defined as follows.

rm{MsgAdd}(sf{X},sf{Y}):=(X[0] ⊕ Y[0],\ldots,X[15] ⊕ Y[15])

Mix Function Mix

The

-th mix function

rm{Mix}_j:l{W}¹⁶ → l{W}¹⁶

updates the 16-word array

sf{T}=(T[0],\ldots,T[15])

by mixing every two-word pair;

T[l]

and

T[l+8]

for

(0\lel<8)

.For

0\lej<N_s

, the mix function

rm{Mix}_j

proceeds as follows.

(T[l],T[l+8])\leftarrowrm{Mix}_j,l(T[l],T[l+8])

(0\lel<8)

Here

rm{Mix}_j,l

is a two-word mix function.Let

and

be words.The two-word mix function

rm{Mix}_j,l:l{W}² → l{W}²

is defined as follows.

function Two-word mix function

rm{Mix}_j,l

input: Words

and

output: Words

and

procedure

X\leftarrowX\boxplusY

X\leftarrow

	\lll\alpha_j
X

X\leftarrowX ⊕ SC_j[l]

Y\leftarrowX\boxplusY

Y\leftarrow

	\lll\beta_j
Y

X\leftarrowX\boxplusY

Y\leftarrow

	\lll\gamma_l
Y

return

;

The two-word mix function

rm{Mix}_j,l

is shown in the following figure.

The bit rotation amounts

\alpha_j

\beta_j

\gamma_l

used in

rm{Mix}_j,l

are shown in the following table.

Bit rotation amounts
*\alpha*_j

,
*\beta*_j

, and
*\gamma*_l
w	j	\alpha_j	\beta_j	\gamma₁	\gamma₂	\gamma₃	\gamma₄	\gamma₅	\gamma₆	\gamma₇
32	even	29	1	8	16	24	24	16	8	0
32	odd	5	17	8	16	24	24	16	8	0
64	even	23	59	16	32	48	8	24	40	56
64	odd	7	3	16	32	48	8	24	40	56

The

-th 8-word array constant

sf{SC}_j=(SC_j[0],\ldots,SC_j[7])

used in

rm{Mix}_j,l

for

0\lel<8

is defined as follows.The initial 8-word array constant

sf{SC}₀=(SC_0[0],\ldots,SC_0[7])

is defined in the following table.For

1\lej<N_s

, the

-th constant

sf{SC}_j=(SC_j[0],\ldots,SC_j[7])

is generated by

SC_j[l]\leftarrowSC_j-1[l]\boxplusSC_j-1[l]^\lll

for

0\lel<8

Initial 8-word array constant
sf{SC}₀
	w=32	w=64
SC_0[0]	917caf90	97884283c938982a
SC_0[1]	6c1b10a2	ba1fca93533e2355
SC_0[2]	6f352943	c519a2e87aeb1c03
SC_0[3]	cf778243	9a0fc95462af17b1
SC_0[4]	2ceb7472	fc3dda8ab019a82b
SC_0[5]	29e96ff2	02825d079a895407
SC_0[6]	8a9ba428	79f2d0a7ee06a6f7
SC_0[7]	2eeb2642	d76d15eed9fdf5fe

Word-Permutation Function WordPerm

Let

sf{X}=(X[0],\ldots,X[15])

be a 16-word array.The word-permutation function

rm{WordPerm}:l{W}¹⁶ → l{W}¹⁶

is defined as follows.

rm{WordPerm}(sf{X})=(X[\sigma(0)],\ldots,X[\sigma(15)])

Here

\sigma

is the permutation over

Z₁₆

defined by the following table.

The permutation
*\sigma*:Z₁₆ → Z₁₆
l	0	1	2	3	4	5	6	7	8	9	10	11	12	13	14	15
\sigma(l)	6	4	5	7	12	15	14	13	2	0	1	3	8	11	10	9

Finalization

The finalization function

rm{FIN}_n:l{W}¹⁶ → \{0,1\}ⁿ

returns

-bit hash value

from the final chaining variable

sf{CV}^(t)=(CV^(t)[0],\ldots,CV^(t)[15])

.When

sf{H}=(H[0],\ldots,H[7])

is an 8-word variable and

sf{h}_sf{b}=(h_b[0],\ldots,h_b[w-1])

is a

-byte variable, the finalization function

rm{FIN}_n

performs the following procedure.

H[l]\leftarrowCV^(t)[l] ⊕ CV^(t)[l+8]

(0\lel\le7)

h_b[s]\leftarrowH[\lfloor8s/w\rfloor

	\ggg(8s\modw)
]
	[7:0]

(0\les\le(w-1))

h\leftarrow(h_b[0]\|\ldots\|h_b[w-1])_[0:n-1]

Here,

X_[i:j]

denotes

x_i\|x_i-1\|\ldots\|x_j

, the sub-bit string of a word

for

i\gej

.And

x_[i:j]

denotes

x_i\|x_i+1\|\ldots\|x_j

, the sub-bit string of a

-bit string

x=x₀\|x₁\|\ldots\|x_l-1

for

i\lej

Security

LSH is secure against known attacks on hash functions up to now.LSH is collision-resistant for

q<2^n/2

and preimage-resistant and second-preimage-resistant for

q<2ⁿ

in the ideal cipher model, where

is a number of queries for LSH structure.LSH-256 is secure against all the existing hash function attacks when the number of steps is 13 or more, while LSH-512 is secure if the number of steps is 14 or more.Note that the steps which work as security margin are 50% of the compression function.

Performance

LSH outperforms SHA-2/3 on various software platforms.The following table shows the speed performance of 1MB message hashing of LSH on several platforms.

1MB message hashing speed of LSH (cycles/byte)
Platform	P1	P2	P3	P4	P5	P6	P7	P8
LSH-256- n	3.60	3.86	5.26	3.89	11.17	15.03	15.28	14.84
LSH-512- n	2.39	5.04	7.76	5.52	8.94	18.76	19.00	18.10

The following table is the comparison at the platform based on Haswell, LSH is measured on Intel Core i7-4770k @ 3.5 GHz quad core platform, and others are measured on Intel Core i5-4570S @ 2.9 GHz quad core platform.

Speed benchmark of LSH, SHA-2 and the SHA-3 finalists at the platform based on Haswell CPU (cycles/byte)
Algorithm	Message size in bytes
Algorithm	long	4,096	1,536	576	64	8
LSH-256-256	3.60	3.71	3.90	4.08	8.19	65.37
Skein-512-256	5.01	5.58	5.86	6.49	13.12	104.50
Blake-256	6.61	7.63	7.87	9.05	16.58	72.50
Grøstl-256	9.48	10.68	12.18	13.71	37.94	227.50
Keccak-256	10.56	10.52	9.90	11.99	23.38	187.50
SHA-256	10.82	11.91	12.26	13.51	24.88	106.62
JH-256	14.70	15.50	15.94	17.06	31.94	257.00
LSH-512-512	2.39	2.54	2.79	3.31	10.81	85.62
Skein-512-512	4.67	5.51	5.80	6.44	13.59	108.25
Blake-512	4.96	6.17	6.82	7.38	14.81	116.50
SHA-512	7.65	8.24	8.69	9.03	17.22	138.25
Grøstl-512	12.78	15.44	17.30	17.99	51.72	417.38
JH-512	14.25	15.66	16.14	17.34	32.69	261.00
Keccak-512	16.36	17.86	18.46	20.35	21.56	171.88

The following table is measured on Samsung Exynos 5250 ARM Cortex-A15 @ 1.7 GHz dual core platform.

Speed benchmark of LSH, SHA-2 and the SHA-3 finalists at the platform based on Exynos 5250 ARM Cortex-A15 CPU (cycles/byte)
Algorithm	Message size in bytes
Algorithm	long	4,096	1,536	576	64	8
LSH-256-256	11.17	11.53	12.16	12.63	22.42	192.68
Skein-512-256	15.64	16.72	18.33	22.68	75.75	609.25
Blake-256	17.94	19.11	20.88	25.44	83.94	542.38
SHA-256	19.91	21.14	23.03	28.13	90.89	578.50
JH-256	34.66	36.06	38.10	43.51	113.92	924.12
Keccak-256	36.03	38.01	40.54	48.13	125.00	1000.62
Grøstl-256	40.70	42.76	46.03	54.94	167.52	1020.62
LSH-512-512	8.94	9.56	10.55	12.28	38.82	307.98
Blake-512	13.46	14.82	16.88	20.98	77.53	623.62
Skein-512-512	15.61	16.73	18.35	22.56	75.59	612.88
JH-512	34.88	36.26	38.36	44.01	116.41	939.38
SHA-512	44.13	46.41	49.97	54.55	135.59	1088.38
Keccak-512	63.31	64.59	67.85	77.21	121.28	968.00
Grøstl-512	131.35	138.49	150.15	166.54	446.53	3518.00

Test vectors

Test vectors for LSH for each digest length are as follows.All values are expressed in hexadecimal form.

LSH-256-224("abc") =

F7 C5 3B A4 03 4E 70 8E 74 FB A4 2E 55 99 7C A5 12 6B B7 62 36 88 F8 53 42 F7 37 32

LSH-256-256("abc") =

5F BF 36 5D AE A5 44 6A 70 53 C5 2B 57 40 4D 77 A0 7A 5F 48 A1 F7 C1 96 3A 08 98 BA 1B 71 47 41

LSH-512-224("abc") =

D1 68 32 34 51 3E C5 69 83 94 57 1E AD 12 8A 8C D5 37 3E 97 66 1B A2 0D CF 89 E4 89

LSH-512-256("abc") =

CD 89 23 10 53 26 02 33 2B 61 3F 1E C1 1A 69 62 FC A6 1E A0 9E CF FC D4 BC F7 58 58 D8 02 ED EC

LSH-512-384("abc") =

5F 34 4E FA A0 E4 3C CD 2E 5E 19 4D 60 39 79 4B 4F B4 31 F1 0F B4 B6 5F D4 5E 9D A4 EC DE 0F 27 B6 6E 8D BD FA 47 25 2E 0D 0B 74 1B FD 91 F9 FE

LSH-512-512("abc") =

A3 D9 3C FE 60 DC 1A AC DD 3B D4 BE F0 A6 98 53 81 A3 96 C7 D4 9D 9F D1 77 79 56 97 C3 53 52 08 B5 C5 72 24 BE F2 10 84 D4 20 83 E9 5A 4B D8 EB 33 E8 69 81 2B 65 03 1C 42 88 19 A1 E7 CE 59 6D

Implementations

LSH is free for any use public or private, commercial or non-commercial.The source code for distribution of LSH implemented in C, Java, and Python can be downloaded from KISA's cryptography use activation webpage.^[2]

KCMVP

LSH is one of the cryptographic algorithms approved by the Korean Cryptographic Module Validation Program (KCMVP).^[3]

Standardization

LSH is included in the following standard.

KS X 3262, Hash function LSH (in Korean)^[4]

Notes and References

Book: Kim . Dong-Chan . Hong . Deukjo . Lee . Jung-Keun . Kim . Woo-Hwan . Kwon . Daesung . Information Security and Cryptology - ICISC 2014 . LSH: A New Fast Secure Hash Function Family . Lecture Notes in Computer Science . 2015 . 8949 . Springer International Publishing . 978-3-319-15943-0 . 286–313 . 10.1007/978-3-319-15943-0_18 . https://link.springer.com/chapter/10.1007/978-3-319-15943-0_18 . en.
Web site: KISA 암호이용활성화 - 암호알고리즘 소스코드. seed.kisa.or.kr.
Web site: KISA 암호이용활성화 - 개요. seed.kisa.or.kr.
Web site: Korean Standards & Certifications (in Korean) .