The PHOTON Family of Lightweight Hash Functions
CRYPTO, volume 6841 of LNCS, 2011
Cited by 50 (9 self)
Abstract. RFID security is currently one of the major challenges cryptography has to face, often solved by protocols assuming that an on-tag hash function is available. In this article we present the PHOTON lightweight hash-function family, available in many different flavors and suitable for extremely constrained devices such as passive RFID tags. Our proposal uses a sponge-like construction as domain extension algorithm and an AES-like primitive as internal unkeyed permutation. This allows us to obtain the most compact hash function known so far (about 1120 GE for 64-bit collision resistance security), reaching areas very close to the theoretical optimum (derived from the minimal internal state memory size). Moreover, the speed achieved by PHOTON also compares quite favorably to its competitors. This is mostly due to the fact that, unlike for previously proposed schemes, our proposal is very simple to analyze and one can derive tight AES-like bounds on the number of active S-boxes. This kind of AES-like primitive is usually not well suited for ultra-constrained environments, but we describe in this paper a new method for generating the column mixing layer in a serial way, lowering drastically the area required. Finally, we slightly extend the sponge framework in order to offer interesting trade-offs between speed and preimage security for small messages, the classical use-case in hardware.
Constructing cryptographic hash functions from fixed-key blockciphers. Full version of this paper
2008
Cited by 26 (5 self)
Abstract. We propose a family of compression functions built from fixed-key blockciphers and investigate their collision and preimage security in the ideal-cipher model. The constructions have security approaching and in many cases equaling the security upper bounds found in previous work of the authors [24]. In particular, we describe a 2n-bit to n-bit compression function using three n-bit permutation calls that has collision security N^{0.5}, where N = 2^n, and we describe 3n-bit to 2n-bit compression functions using five and six permutation calls and having collision security of at least N^{0.55} and N^{0.63}. Key words: blockcipher-based hashing, collision-resistant hashing, compression functions, cryptographic hash functions, ideal-cipher model.
Building a collision-resistant compression function from non-compressing primitives
In ICALP 2008, Part II, 2008
Cited by 18 (4 self)
Abstract. We consider how to build an efficient compression function from a small number of random, non-compressing primitives. Our main goal is to achieve a level of collision resistance as close as possible to the optimal birthday bound. We present a 2n-to-n bit compression function based on three independent n-to-n bit random functions, each called only once. We show that if the three random functions are treated as black boxes then finding collisions requires Θ(2^{n/2}/n^c) queries for c ≈ 1. This result remains valid if two of the three random functions are replaced by a fixed-key ideal cipher in Davies-Meyer mode (i.e., E_K(x) ⊕ x for permutation E_K). We also give a heuristic, backed by experimental results, suggesting that the security loss is at most four bits for block sizes up to 256 bits. We believe this is the best result to date on the matter of building a collision-resistant compression function from non-compressing functions. It also relates to an open question from Black et al. (Eurocrypt'05), who showed that compression functions that invoke a single non-compressing random function cannot suffice. We also explore the relationship of our problem with that of doubling the output of a hash function and we show how our compression function can be used to double the output length of ideal hashes.
Hash functions and RFID tags: Mind the gap
Lecture Notes in Computer Science, 2008
Cited by 9 (0 self)
Abstract. The security challenges posed by RFID-tag deployments are well-known. In response there is a rich literature on new cryptographic protocols, and an on-tag hash function is often assumed by protocol designers. Yet cheap tags pose severe implementation challenges and it is far from clear that a suitable hash function even exists. In this paper we consider the options available, including constructions based around compact block ciphers. While we describe the most compact hash functions available today, our work serves to highlight the difficulties in designing lightweight hash functions and (echoing [17]) we urge caution when routinely appealing to a hash function in an RFID-tag protocol.
Efficient Hashing using the AES Instruction Set
Cited by 2 (1 self)
Abstract. In this work, we provide a software benchmark for a large range of 256-bit blockcipher-based hash functions. We instantiate the underlying blockcipher with AES, which allows us to exploit the recent AES instruction set (AES-NI). Since AES itself only outputs 128 bits, we consider double-block-length constructions, as well as (single-block-length) constructions based on RIJNDAEL-256. Although we primarily target architectures supporting AES-NI, our framework has much broader applications by estimating the performance of these hash functions on any (micro)architecture given AES-benchmark results. As far as we are aware, this is the first comprehensive performance comparison of multi-block-length hash functions in software.
On the (In)Security of IDEA in Various Hashing Modes
Cited by 1 (0 self)
Abstract. In this article, we study the security of the IDEA block cipher when it is used in various simple-length or double-length hashing modes. Even though this cipher is still considered secure, we show that one should avoid its use as internal primitive for block-cipher-based hashing. In particular, we are able to generate instantaneously free-start collisions for most modes, and even semi-free-start collisions, pseudo-preimages or hash collisions in practical complexity. This work shows a practical example of the gap that exists between secret-key and known- or chosen-key security for block ciphers. Moreover, we also settle the 20-year-old standing open question concerning the security of the Abreast-DM and Tandem-DM double-length compression functions, originally invented to be instantiated with IDEA. Our attacks have been verified experimentally and work even for strengthened versions of IDEA with any number of rounds.
Attacking the Knudsen-Preneel compression functions
In FSE 2010, volume 6147 of LNCS, 2010
Cited by 1 (1 self)
Abstract. Knudsen and Preneel (Asiacrypt'96 and Crypto'97) introduced a hash function design in which a linear error-correcting code is used to build a wide-pipe compression function from underlying blockciphers operating in Davies-Meyer mode. Their main design goal was to deliver compression functions with collision resistance up to, and even beyond, the block size of the underlying blockciphers. In this paper, we (re)analyse the preimage resistance of the Knudsen-Preneel compression functions in the setting of public random functions. We give a new preimage attack that is based on two observations. First, by using the right kind of queries it is possible to mount a non-adaptive preimage attack that is optimal in terms of query complexity. Second, by exploiting the dual code, the subsequent problem of reconstructing a preimage from the queries can be rephrased as a problem related to the generalized birthday problem. As a consequence, the time complexity of our attack is intimately tied to the minimum distance of the dual code. Our new attack consistently beats the one given by Knudsen and Preneel (in one case our preimage attack even beats their collision attack) and demonstrates that the gap between their claimed collision resistance and the actual preimage resistance is surprisingly small. Moreover, our new attack falsifies their (conjectured) preimage resistance security bound and shows that intuitive bounds based on the number of 'active' components can be treacherous. Complementing our attack is a formal analysis of the query complexity (both lower and upper bounds) of preimage-finding attacks. This analysis shows that for many concrete codes the time complexity of our attack is optimal.
Olivier Billet
This document describes the new hash function echo. The design embodies the goal of reusing—and thereby echoing—as many aspects of the Advanced Encryption Standard (AES) [39] as possible. This is not just in terms of operations, though only AES operations are used in echo, but also in terms of simplicity and analysis. echo replicates the structure of the AES in several ways and has the following features:
1. The smooth support—using the same implementation—of any hash output of length from 128 to 512 bits.
2. An established design approach with attendant security arguments.
3. The reuse of AES design principles to give an effective differential security analysis.
4. The ability to directly exploit AES-inspired processor developments, such as Intel's forthcoming AES instruction set for Westmere chips [21].
5. The ability to reuse AES implementation advances, whether these offer improved performance or improved resistance to side-channel analysis.
Attacks On a Double Length Blockcipher-based Hash Proposal
Abstract. In this paper we attack a 2n-bit double length hash function proposed by Lee et al. This proposal is a blockcipher-based hash function with hash rate 2/3. The designers claimed that it could achieve ideal collision resistance and gave a security proof. However, we find a collision attack with complexity of Ω(2^{3n/4}) and a preimage attack with complexity of Ω(2^n). Our result shows this construction is much worse than an ideal 2n-bit hash function.
Report regarding the winter school on Hash3: Proofs, Analysis and Implementation
2009
This report outlines the talks presented at the winter school on Hash3: Proofs, Analysis, and Implementation [9]. In general, speakers may not write everything that they talk about on the slides. So, this report also outlines such findings following the understanding of the author of this report. The author of this report would like to disclaim that any mistakes in this report are solely due to the author of this report, as not all of the technical details are verified with the speakers. The findings presented in this report are solely due to the author's understanding of the talks at the winter school. For many of the talks, the author of this report has spent some time in understanding some technical details (using prior knowledge and (re)visiting the literature) and explained that in this report. Of course, not all the details are covered while exploring the literature.
0.1 First day: 16/11/2009
0.1.1 Perspective on hash functions
Bart discussed the overall state of the art of hash functions with an emphasis on the