## Square Hash: Fast Message Authentication via Optimized Universal Hash Functions (1999)

Venue: | In Proc. CRYPTO 99, Lecture Notes in Computer Science |

Citations: | 21 - 6 self |

### BibTeX

@INPROCEEDINGS{Etzel99squarehash:,

author = {Mark Etzel and Sarvar Patel and Zulfikar Ramzan},

title = {Square Hash: Fast Message Authentication via Optimized Universal Hash Functions},

booktitle = {In Proc. CRYPTO 99, Lecture Notes in Computer Science},

year = {1999},

pages = {234--251},

publisher = {Springer-Verlag}

}

### Years of Citing Articles

### OpenURL

### Abstract

This paper introduces two new ideas in the construction of fast universal hash functions geared towards the task of message authentication.

### Citations

2477 | Handbook of Applied Cryptography
- Menezes, Oorschot, et al.
- 1996
(Show Context)
Citation Context ... family requires less computation time than LCH . The speedup occurs because squaring an n-bit number requires roughly half the number of basic word multiplications than multiplying two n-bit numbers =-=[18]-=-; thus we can save when dealing with quantities that are several words long. We now compare Square Hash with the MMH construction [12]. 4 Comparison with MMH Recently Halevi and Krawczyk [12] studied ... |

835 | A digital signature scheme secure against adaptive chosen-message attacks
- Goldwasser, Micali, et al.
- 1988
(Show Context)
Citation Context ...lgorithm will accept as valid. The formal security requirement for a MAC was first defined by Bellare, et al [4]. This definition is analogous to the formal security definition of a digital signature =-=[11]-=-. In particular, we say that an adversary forges a MAC if, when given oracle access to (S x ; V x ), where x is kept secret, the adversary can come up with a pair (M ;s) such that V x (M ;s) = 1 but t... |

630 |
How to construct random functions
- Goldreich, Goldwasser, et al.
- 1986
(Show Context)
Citation Context ...be replaced by pseudo-random sequence. Then, the parties would have to pre-agree on the function h and on the seed s which would be fed to either a pseudo-random generator or a pseudo-random function =-=[10]-=-. This approach to message authentication was first studied in [6]. If pseudo-randomness is used, then the resulting MAC is secure against a polynomially bounded adversary. The Square Hash. This paper... |

478 | H.: Keying Hash Functions for Message Authentication
- Bellare, Canetti, et al.
- 1996
(Show Context)
Citation Context ...ular scheme is vulnerable to a clever key recovery attack due to Preneel and and van Oorschot [23]. Other work on using cryptographic hash functions in MACs is the HMAC construction of Bellare, et al =-=[3]-=-; their schemes are good because they use fast and secure cryptographic building blocks. At first it appears that these techniques yield the most efficient results; however, Wegman and Carter [28] dis... |

371 |
The MD4 Message Digest Algorithm
- Rivest
- 1990
(Show Context)
Citation Context ... using a secure block cipher, such as DES [21], in cipher block chaining mode. Another approach to message authentication, often seen in practice, involves using cryptographic hash functions like MD5 =-=[24]-=-. For example, one approach was to sets= MD5(x \Delta m \Delta x); unfortunately, this particular scheme is vulnerable to a clever key recovery attack due to Preneel and and van Oorschot [23]. Other w... |

332 |
New hash functions and their use in authentication and set equality. Journal of computer and system sciences, 22(3):265–279
- Wegman, Carter
- 1981
(Show Context)
Citation Context ...t al [3]; their schemes are good because they use fast and secure cryptographic building blocks. At first it appears that these techniques yield the most efficient results; however, Wegman and Carter =-=[28]-=- discovered that universal hash functions, allow us to avoid using heavy duty cryptographic primitives on the entire input string. The Universal Hash Function Approach. In this approach, one starts wi... |

144 | The Security of Cipher Block Chaining
- Bellare, Kilian, et al.
(Show Context)
Citation Context ...ble for an adversary to construct a message and a corresponding MAC that the verification algorithm will accept as valid. The formal security requirement for a MAC was first defined by Bellare, et al =-=[4]-=-. This definition is analogous to the formal security definition of a digital signature [11]. In particular, we say that an adversary forges a MAC if, when given oracle access to (S x ; V x ), where x... |

118 |
LFSR based hashing and authentication
- Krawczyk
- 1994
(Show Context)
Citation Context ...age authentication was first studied in [9] and later in [28]. The universal hash function approach for MACs was first studied in [28] and the topic has been heavily addressed in the literature [27], =-=[16]-=-, [25], [2], [13], [14], [26], [12]. The MMH scheme [12] is our point of departure. MMH achieves impressive software speeds and is substantially faster than many current software implementations of me... |

112 | UMAC: Fast and secure message authentication
- Black, Halevi, et al.
- 1999
(Show Context)
Citation Context ...future research would be to apply some of our techniques of ignoring carry bits to MMH and NMH . 4.10 Comparison to UMAC Recently, another universal hash function based MAC entitled UMAC was proposed =-=[5]-=-. This construction gives extremely high speeds on the current Pentium processors. In fact, the design makes heavy use of the available MMX instructions. Thus for message authentication applications o... |

99 | Truncated and higher order differentials
- Knudsen
- 2011
(Show Context)
Citation Context ...es of the parameters. Square Hash builds on some of the ideas in the MMH construction of Halevi and Krawczyk [12]; Knudsen independently proposed a similar construction for use in block cipher design =-=[15]-=-. We start with an underlying hash function which is similar to the one used in MMH ; however, our new hash function performs fewer multiplications. In MMH , the final carry bit of the output is ignor... |

94 | On the construction of pseudo-random permutations: Luby-rackoff revisited
- Naor, Reingold
- 1997
(Show Context)
Citation Context ...ich noticeably optimize the implementation with reasonably small security costs. In addition to their message authentication applications, universal hash functions are used in numerous other settings =-=[19]-=-, [22], [7], [28]. Organization of This Paper. In section 2 we review the basic definitions and properties of universal hash function families and their variants. In section 3 we give the basic constr... |

84 |
Universal hash functions
- Carter, Wegman
- 1979
(Show Context)
Citation Context ...ly optimize the implementation with reasonably small security costs. In addition to their message authentication applications, universal hash functions are used in numerous other settings [19], [22], =-=[7]-=-, [28]. Organization of This Paper. In section 2 we review the basic definitions and properties of universal hash function families and their variants. In section 3 we give the basic construction of t... |

67 | On Fast and Provably Secure Message Authentication Based on Universal Hashing
- Shoup
- 1996
(Show Context)
Citation Context ...studied in [9] and later in [28]. The universal hash function approach for MACs was first studied in [28] and the topic has been heavily addressed in the literature [27], [16], [25], [2], [13], [14], =-=[26]-=-, [12]. The MMH scheme [12] is our point of departure. MMH achieves impressive software speeds and is substantially faster than many current software implementations of message authentication techniqu... |

58 |
Codes which detect deception
- Gilbert, MacWilliams, et al.
- 1974
(Show Context)
Citation Context ...gly universal hash function. Thus Square Hash has other applications besides those related to message authentication. Previous Work. Unconditionally secure message authentication was first studied in =-=[9]-=- and later in [28]. The universal hash function approach for MACs was first studied in [28] and the topic has been heavily addressed in the literature [27], [16], [25], [2], [13], [14], [26], [12]. Th... |

58 | Universal hashing and authentication codes
- Stinson
- 1994
(Show Context)
Citation Context ...e message authentication was first studied in [9] and later in [28]. The universal hash function approach for MACs was first studied in [28] and the topic has been heavily addressed in the literature =-=[27]-=-, [16], [25], [2], [13], [14], [26], [12]. The MMH scheme [12] is our point of departure. MMH achieves impressive software speeds and is substantially faster than many current software implementations... |

51 | Bucket Hashing and its Application to Fast Message Authentication
- Rogaway
(Show Context)
Citation Context ...thentication was first studied in [9] and later in [28]. The universal hash function approach for MACs was first studied in [28] and the topic has been heavily addressed in the literature [27], [16], =-=[25]-=-, [2], [13], [14], [26], [12]. The MMH scheme [12] is our point of departure. MMH achieves impressive software speeds and is substantially faster than many current software implementations of message ... |

38 | Vandewalle J.: Fast Hashing on the Pentium
- Bosselaers, Govaerts
- 1996
(Show Context)
Citation Context ...ations of universal hashing. Unfortunately, it is impossible to do precise comparisons because the available data represents simulations done on various platforms. The reader can refer to [26], [16], =-=[5]-=-, [20] for implementation results of various MAC schemes. This paper aims to extend the ideas in the MMH construction by exhibiting, what seems to be, a faster to compute underlying hash function and ... |

35 |
On computationally secure authentication tags requiring short secret shared keys.InD.Chaum,R.L.Rivest,andA.T.Sherman
- Brassard
- 1983
(Show Context)
Citation Context ... to pre-agree on the function h and on the seed s which would be fed to either a pseudo-random generator or a pseudo-random function [10]. This approach to message authentication was first studied in =-=[6]-=-. If pseudo-randomness is used, then the resulting MAC is secure against a polynomially bounded adversary. The Square Hash. This paper introduces two new ideas in the construction of fast universal ha... |

31 | New Hash Functions For Message Authentication - Krawczyk - 1995 |

28 | Oorshot, "On the security of two MAC algorithms
- Preneel, van
- 1996
(Show Context)
Citation Context ...like MD5 [24]. For example, one approach was to sets= MD5(x \Delta m \Delta x); unfortunately, this particular scheme is vulnerable to a clever key recovery attack due to Preneel and and van Oorschot =-=[23]-=-. Other work on using cryptographic hash functions in MACs is the HMAC construction of Bellare, et al [3]; their schemes are good because they use fast and secure cryptographic building blocks. At fir... |

26 | Software performance of universal hash functions
- Nevelsteen, Preneel
(Show Context)
Citation Context ...s of universal hashing. Unfortunately, it is impossible to do precise comparisons because the available data represents simulations done on various platforms. The reader can refer to [26], [16], [5], =-=[20]-=- for implementation results of various MAC schemes. This paper aims to extend the ideas in the MMH construction by exhibiting, what seems to be, a faster to compute underlying hash function and by dev... |

19 | Universal hashing and multiple authentication
- Atici, Stinson
- 1996
(Show Context)
Citation Context ...cation was first studied in [9] and later in [28]. The universal hash function approach for MACs was first studied in [28] and the topic has been heavily addressed in the literature [27], [16], [25], =-=[2]-=-, [13], [14], [26], [12]. The MMH scheme [12] is our point of departure. MMH achieves impressive software speeds and is substantially faster than many current software implementations of message authe... |

14 |
Universal Hash Functions from Exponential Sums over Finite Fields and Galois Rings
- Helleseth, Johansson
- 1996
(Show Context)
Citation Context ...ple above with a 1 and a 2 the correction vector c is: 1000000100000000. Similarly, if we let s 0 = C( P k i=2 (m 0 i + x i ) 2 ) then C( k X i=1 (m 0 i + x i ) 2 ) = (x 1 +m 0 1 ) 2 + s 0 \Gamma c 0 =-=(13)-=- where c 0 is the associated correction vector. Therefore, Pr x1 [g x (m) \Gamma g x (m 0 ) j a (mod p)] = Pr x1 [(x 1 +m 1 ) 2 + s \Gamma c \Gamma (x 1 +m 0 1 ) 2 \Gamma s 0 + c 0 j a (mod p)] = Pr x... |

10 | Bucket hashing with a small key size
- Johansson
- 1997
(Show Context)
Citation Context ...first studied in [9] and later in [28]. The universal hash function approach for MACs was first studied in [28] and the topic has been heavily addressed in the literature [27], [16], [25], [2], [13], =-=[14]-=-, [26], [12]. The MMH scheme [12] is our point of departure. MMH achieves impressive software speeds and is substantially faster than many current software implementations of message authentication te... |

4 |
MMH: Message Authentication in Software in the Gbit/second Rates
- Halevi, Krawczyk
- 1997
(Show Context)
Citation Context ... describe a simple but novel family of universal hash functions that is more efficient than many standard constructions. We compare our hash functions to the MMH family studied by Halevi and Krawczyk =-=[12]-=-. All the main techniques used to optimize MMH work on our hash functions as well. Second, we introduce additional techniques for speeding up our constructions; these techniques apply to MMH and may a... |

3 |
Introduction to Assembly Language Programming From 8086 to Pentium Proecessors
- Dandamudi
- 1998
(Show Context)
Citation Context ...ommend using Square Hash on such architectures. On some of the more modern processors such as the Pentium Pro and Pentium II, multiplications do not take much more time than additions (closer to 2:1, =-=[8]-=-), so Square Hash is not advantageous is such cases. Another important implementation consideration is the memory architecture of the processor on which you are implementing. In our case, we need extr... |

1 |
Towards making Luby-Rackoff ciphers practical and optimal
- Patel, Ramzan, et al.
- 1999
(Show Context)
Citation Context ...ticeably optimize the implementation with reasonably small security costs. In addition to their message authentication applications, universal hash functions are used in numerous other settings [19], =-=[22]-=-, [7], [28]. Organization of This Paper. In section 2 we review the basic definitions and properties of universal hash function families and their variants. In section 3 we give the basic construction... |

1 |
Luby-Rackoff ciphers over arbitrary finite groups
- Patel, Ramzan, et al.
- 1999
(Show Context)
Citation Context ...ions. Thus for message authentication applications on modern microprocessors, it is a preferable alternative to Square Hash. On the other hand, for applications such as block cipher design ([20],[24],=-=[23]-=-), UMAC may not be the best choice since it needs a tag length of 2w in order to obtain security 2 \Gammaw . Square Hash only needs a tag length of w to achieve security more or less equal to 2 \Gamma... |

1 | 21. National Bureau of Standards. FIPS publication 46: Data encryption standard - Patel, Ramzan, et al. - 1999 |