This page uses content from Wikipedia and is licensed under CC BY-SA.

**RadioGatún** is a cryptographic hash primitive created by Guido Bertoni, Joan Daemen, Michaël Peeters, and Gilles Van Assche. It was first publicly presented at the NIST Second Cryptographic Hash Workshop, held in Santa Barbara, California, on August 24–25, 2006, as part of the NIST hash function competition.

Although RadioGatún is a derivative of Panama, a stream cipher and hash construction from the late 1990s whose hash construction has been broken, RadioGatún does not have Panama's weaknesses when used as a hash function.

RadioGatún is actually a family of 64 different hash functions, distinguished by a single parameter, the word width in bits (*w*), adjustable between 1 and 64. The algorithm uses 58 words, each of size *w*, to store its internal state. Thus, for example, the 32-bit version needs 232 bytes to store its state and the 64-bit version 464 bytes.

RadioGatún can be used either as a hash function or a stream cipher; it can output an arbitrarily long stream of pseudo-random numbers; this kind of hash construction is now known as an "Extendable-Output Function" (XOF).^{[1]}

The same team that developed RadioGatún went on to make considerable revisions to this cryptographic primitive, leading to the Keccak SHA-3 algorithm.^{[2]}

The algorithm's designers, in the original RadioGatún paper, claimed that the first 19 × *w* bits (where *w* is the word width used) of RadioGatún's output is a cryptographically secure hash function.^{[3]} In other words, they claimed that the first 608 bits of the 32-bit version and 1216 bits of the 64-bit version of RadioGatún can be used as a cryptographic hash value.

In light of the birthday attack, this means that for a given word width *w*, RadioGatún is designed to have no attack with complexity less than 2^{9.5w}. This corresponds to 2^{304} for the 32-bit version and 2^{608} for the 64-bit version.

Since publishing the paper, the designers revised their security claim, and now claim that RadioGatún has the security of a cryptographic sponge function with a capacity of 19*w*.^{[4]} This means that the 32-bit version of RadioGatún can be used to make a hash with 304 bits of security (both from collision attacks and from Preimage attacks), and the 64-bit version offers 608 bits of security.

In the paper "Two attacks on RadioGatún", Dmitry Khovratovich and Alex Biryukov present two attacks that do not break the designers' security claims, one with a complexity of 2^{18w} and another with a complexity of 2^{23.1w}.^{[5]} Khovratovich also authored a paper, entitled "Cryptanalysis of hash functions with structures", which describes an attack with a complexity of 2^{18w}.^{[6]}

In the paper "Analysis of the Collision Resistance of RadioGatún using Algebraic Techniques", Charles Bouillaguet and Pierre-Alain Fouque present a way of generating collisions with the 1-bit version of the algorithm using an attack that needs 2^{24.5} operations.^{[7]} The attack can not be extended to larger versions since "all the possible trails we knew for the 1-bit version turned out to be impossible to extend to n-bit versions." This attack is less effective than the other attacks and also does not break RadioGatún's security claim.

The most effective attack against the algorithm, one with a complexity of 2^{11w}, is given in the paper "Cryptanalysis of RadioGatun" by Thomas Fuhr and Thomas Peyrin.^{[8]} While more effective than the other attacks, this attack still does not break the security claim.

The developers of RadioGatún have stated that their "own experiments did not inspire confidence in RadioGatún".^{[9]}

The only RadioGatún variants that the designers supplied test vectors (published hash values for sample inputs so programmers can verify they are correctly implementing the algorithm) for are the 32-bit and 64-bit versions.

These test vectors only show the first 256 bits of the output of RadioGatún's arbitrarily long output stream:

RadioGatun[32]("") = F30028B54AFAB6B3E55355D277711109A19BEDA7091067E9A492FB5ED9F20117

```
RadioGatun[32]("The quick brown fox jumps over the lazy dog") =
191589005FEC1F2A248F96A16E9553BF38D0AEE1648FFA036655CE29C2E229AE
```

```
RadioGatun[32]("The quick brown fox jumps over the lazy cog") =
EBDC1C8DCD54DEB47EEEFC33CA0809AD23CD9FFC0B5254BE0FDABB713477F2BD
```

And hashes in 64-bit version:

RadioGatun[64]("") = 64A9A7FA139905B57BDAB35D33AA216370D5EAE13E77BFCDD85513408311A584

```
RadioGatun[64]("The quick brown fox jumps over the lazy dog") =
6219FB8DAD92EBE5B2F7D18318F8DA13CECBF13289D79F5ABF4D253C6904C807
```

```
RadioGatun[64]("The quick brown fox jumps over the lazy cog") =
C06265CAC961EA74912695EBF20F1C256A338BC0E980853A3EEF188D4B06FCE5
```

**^**[csrc.nist.gov]**^**Bertoni, Guido; Daemen, Joan; Peeters, Michaël; Van Assche, Gilles. "The Road from Panama to Keccak via RadioGatún". Retrieved 2009-10-20.**^**Page 9 (Section 6) of "RadioGatún, a belt-and-mill hash function" states that "RadioGatún [l*w*] offers a security level indicated by a capacity*c*= 19 * w. For the 64-bit version RadioGatún this is a capacity of 1216 bits, for the 32-bit version and 16-bit version this gives 608 and 304 bits respectively."**^**[radiogatun.noekeon.org] "We now prefer to express the security claim for RadioGatún as a flat sponge claim with capacity 19*w*"**^**Khovratovich, Dmitry; Biryukov, Alex. "Two attacks on RadioGatún" (PDF).^{[permanent dead link]}**^**[www.cryptolux.org]**^**Bouillaguet, Charles; Fouque, Pierre-Alain. "Analysis of the Collision Resistance of RadioGatun using Algebraic Techniques".**^**Fuhr, Thomas; Peyrin, Thomas. "Cryptanalysis of RadioGatun".**^**"Keccak and the SHA-3 Standardization" (PDF).

- The RadioGatún Hash Function Family, RadioGatún's official web page, with the hash's official description, public domain reference code, and test vectors
- rg32hash, an independent public-domain implementation of the 32-bit version of RadioGatún