## SWIFFT: A Modest Proposal for FFT Hashing

Citations: 30 (11 self)

### BibTeX

```bibtex
@MISC{Lyubashevsky_swifft:a,
    author = {Vadim Lyubashevsky and Daniele Micciancio and Chris Peikert and Alon Rosen},
    title = {SWIFFT: A Modest Proposal for FFT Hashing},
    year = {}
}
```

### Abstract

We propose SWIFFT, a collection of compression functions that are highly parallelizable and admit very efficient implementations on modern microprocessors. The main technique underlying our functions is a novel use of the Fast Fourier Transform (FFT) to achieve “diffusion,” together with a linear combination to achieve compression and “confusion.” We provide a detailed security analysis of concrete instantiations, and give a high-performance software implementation that exploits the inherent parallelism of the FFT algorithm. The throughput of our implementation is competitive with that of SHA-256, with additional parallelism yet to be exploited. Our functions are set apart from prior proposals (having comparable efficiency) by a supporting asymptotic security proof: it can be formally proved that finding a collision in a randomly-chosen function from the family (with noticeable probability) is at least as hard as finding short vectors in cyclic/ideal lattices in the worst case.

### Citations

663 | How to construct random functions
- Goldreich, Goldwasser, et al.
- 1986
Citation Context ...istinguish between the case where (1) f is chosen at random from the given family, and (2) every output of f is uniformly random and independent of all other outputs. (The formal definition is due to =-=[9]-=-.) We stress that the adversary’s view of the function is limited to oracle access, and that the particular choice of the function from the family is kept secret. Our family of functions is not pseudo... |

309 | A design principle for hash functions
- Damgård
- 1989
Citation Context ...dent interest, and might find other applications in cryptographic design. The subset-sum and knapsack problems have long ago been suggested as foundations for compression functions, e.g., by Damgård =-=[10]-=-. Unfortunately, these functions are only efficient in small dimensions, at which point lattice-based attacks [14] and other forms of cryptanalysis [7] become possible. An important ingredient in the ... |

248 | How to break md5 and other hash functions
- Wang, Yu
- 2005
Citation Context ...ave been designed to be highly efficient, but their resilience to attacks is based only on intuitive arguments and validated by intensive cryptanalytic efforts. Recently, new cryptanalytic techniques =-=[24, 25, 4]-=- have started casting serious doubts both on the security of these specific functions and on the effectiveness of the underlying design paradigm. On the other side of the spectrum, there are hash func... |

169 | Generating hard instances of lattice problems
- Ajtai
- 1996
Citation Context ...tructions (most notably, the NTRU encryption scheme [10] and LASH hash function [3]), but without any security reductions. More closely related to our work is the theoretical study initiated by Ajtai =-=[1]-=- of cryptographic functions that are provably secure under worst-case assumptions for lattice problems. Ajtai’s work and subsequent improvements [8, 6, 14, 15] do not lead to very efficient implementa... |

132 | NTRU: A Ring-Based Public Key Cryptosystem
- Hoffstein, Pipher, et al.
- 1998
Citation Context ...problem. Special classes of lattices (with closely related, but somewhat different structure than ours) also have been used before in practical constructions (most notably, the NTRU encryption scheme =-=[10]-=- and LASH hash function [3]), but without any security reductions. More closely related to our work is the theoretical study initiated by Ajtai [1] of cryptographic functions that are provably secure ... |

123 | Noise-tolerant learning, the parity problem, and the statistical query model
- Blum, Kalai, et al.
Citation Context ...n solve Equation 5. Finding one vector from each list such that the sum is 0 is essentially the k-list problem that was studied by Wagner [23], and is also related to the technique used by Blum et al =-=[5]-=- for solving the parity problem in the presence of noise. The idea is to use the lists to obtain new lists of vectors that are {−1, 0, 1}-combinations of A’s columns, but which have many coordinates t... |

97 | Generalized Birthday Problem
- Wagner
- 2002
Citation Context ...e mn column vectors of A. And in fact, the fastest known algorithm for inverting (or finding collisions in) our function f is the same one that is used for solving the high density subset sum problem =-=[23, 11]-=-. We describe this algorithm next. 5.2.2 Generalized Birthday Attack Finding a collision in our function is equivalent to finding a nonzero $x \in \{-1, 0, 1\}^{mn}$ such that $Ax = 0 \bmod p$ (5) where A is as i... |

88 | Worst-case to average-case reductions based on gaussian measures
- Micciancio, Regev
Citation Context ...ur work is the theoretical study initiated by Ajtai [1] of cryptographic functions that are provably secure under worst-case assumptions for lattice problems. Ajtai’s work and subsequent improvements =-=[8, 6, 14, 15]-=- do not lead to very efficient implementations, mostly because of the huge size of the function description and slow evaluation time (which grow quadratically in the security parameter). A first step ... |

82 | Cryptographic hash-function basics: Definitions, implications, and separations for preimage resistance, second-preimage resistance, and collision resistance
- Rogaway, Shrimpton
- 2004
Citation Context ...ons of hash functions, e.g., digital signatures. Under relatively mild assumptions, our functions satisfy several (but not all) of these cryptographic properties. (For precise definitions, see, e.g., =-=[23]-=-.) Informally, a function f is said to be one-way if, given the value y = f(x) for an x chosen uniformly at random from the domain, it is infeasible for an adversary to find any x′ in the domain such th... |

59 | Collision-free hashing from lattice problems, Theory of Cryptography Library
- Goldreich, Goldwasser, et al.
- 1996
Citation Context ...ur work is the theoretical study initiated by Ajtai [1] of cryptographic functions that are provably secure under worst-case assumptions for lattice problems. Ajtai’s work and subsequent improvements =-=[8, 6, 14, 15]-=- do not lead to very efficient implementations, mostly because of the huge size of the function description and slow evaluation time (which grow quadratically in the security parameter). A first step ... |

56 | An improved worst-case to average-case connection for lattice problems
- Cai, Nerurkar
Citation Context ...ur work is the theoretical study initiated by Ajtai [1] of cryptographic functions that are provably secure under worst-case assumptions for lattice problems. Ajtai’s work and subsequent improvements =-=[8, 6, 14, 15]-=- do not lead to very efficient implementations, mostly because of the huge size of the function description and slow evaluation time (which grow quadratically in the security parameter). A first step ... |

50 | Generalized compact knapsacks, cyclic lattices, and efficient one-way functions
- Micciancio
Citation Context ...epresent as a vector $(a_0, \ldots, a_{n-1}) \in \mathbb{Z}_p^n$. Because $\alpha^n \equiv -1$ in the ring R, the product of two polynomials a, x ∈ R is represented by the matrix product of the square skew-circulant matrix 2 In =-=[13, 17, 12]-=-, the mapping from ideals to lattices is slightly different, involving the coefficient vectors of elements in $\mathbb{Z}[\zeta_{2n}]$ rather than the canonical embedding. However, both mappings are essentially the sam... |

49 | Efficient Collision-Resistant Hashing from Worst-Case Assumptions on Cyclic Lattices
- Peikert, Rosen
- 2006
Citation Context ...mathematical problem on certain kinds of point lattices in the worst case. This claim follows from the fact that the SWIFFT functions are a special case of the cyclic/ideal lattice-based functions of =-=[13, 17, 12]-=-. SWIFFT’s simple design has a number of other advantages. First, it also enables unconditional proofs of a variety of statistical properties that are desirable in many applications of hash functions,... |

46 | Generalized Compact Knapsacks are Collision Resistant
- Lyubashevsky, Micciancio
- 2006
Citation Context ...mathematical problem on certain kinds of point lattices in the worst case. This claim follows from the fact that the SWIFFT functions are a special case of the cyclic/ideal lattice-based functions of =-=[13, 17, 12]-=-. SWIFFT’s simple design has a number of other advantages. First, it also enables unconditional proofs of a variety of statistical properties that are desirable in many applications of hash functions,... |

35 | LLL on the average
- Nguyen, Stehlé
- 2006
Citation Context ...ero vector (in the ℓ∞ norm) of the lattice would yield a collision in our compression function. The lattice ker(A) shares many properties with the commonly occurring knapsack-type lattice (see, e.g., =-=[16]-=-). Our lattice is essentially a knapsack-type lattice with some additional algebraic structure. It is worthwhile to note that none of the well-known lattice reduction algorithms take advantage of the ... |

32 | Almost perfect lattices, the covering radius problem, and applications to Ajtai’s connection factor
- Micciancio

29 | The knapsack hash function proposed at Crypto'89 can be broken
- Camion, Patarin
- 1991
Citation Context ...ns for compression functions, e.g., by Damgård [10]. Unfortunately, these functions are only efficient in small dimensions, at which point lattice-based attacks [14] and other forms of cryptanalysis =-=[7]-=- become possible. An important ingredient in the conceptual design of our functions (and associated proof of security) is the use of lattices with special structure as an underlying mathematical probl... |

20 | Lattices that admit logarithmic worst-case to average-case connection factors
- Peikert, Rosen
- 2007
Citation Context ... for which we assume finding short vectors is difficult in the worst case. 2 Further connections between the complexity of lattice problems and algebraic number theory were given by Peikert and Rosen =-=[18]-=-. For the cryptographic security of our hash functions, it is important that the extra ring structure does not make it easier to find short vectors in ideal lattices. As far as we know, and despite be... |

19 | The parity problem in the presence of noise, decoding random linear codes, and the subset sum problem
- Lyubashevsky
- 2005
Citation Context ...e mn column vectors of A. And in fact, the fastest known algorithm for inverting (or finding collisions in) our function f is the same one that is used for solving the high density subset sum problem =-=[23, 11]-=-. We describe this algorithm next. 5.2.2 Generalized Birthday Attack Finding a collision in our function is equivalent to finding a nonzero $x \in \{-1, 0, 1\}^{mn}$ such that $Ax = 0 \bmod p$ (5) where A is as i... |

16 | Collisions of SHA-0 and reduced SHA-1 - Biham, Chen, et al. - 2005 |

11 | FFT hashing is not collision-free
- Baritaud, Gilbert, et al.
- 1993
Citation Context ...ding block in hash functions is not new. For example, Schnorr proposed a variety of FFT-based hash functions [19, 20, 21], which unfortunately were subsequently cryptanalyzed and shown to be insecure =-=[7, 2, 22]-=-. Our compression functions are set apart from previous work by the way that the FFT is used, and the resulting proof of security. Namely, while in previous work [19, 20, 21] the FFT was applied to un... |

11 | A practical attack against knapsack based hash functions
- Joux, Granboulan
Citation Context ...e long ago been suggested as foundations for compression functions, e.g., by Damgård [10]. Unfortunately, these functions are only efficient in small dimensions, at which point lattice-based attacks =-=[14]-=- and other forms of cryptanalysis [7] become possible. An important ingredient in the conceptual design of our functions (and associated proof of security) is the use of lattices with special structur... |

10 | An efficient cryptographic hash function, presented at the rump session of Crypto'91
- Schnorr
Citation Context ...modern microprocessors. 1.2 Related Work Using the Fast Fourier Transform (FFT) as a building block in hash functions is not new. For example, Schnorr proposed a variety of FFT-based hash functions =-=[19, 20, 21]-=-, which unfortunately were subsequently cryptanalyzed and shown to be insecure [7, 2, 22]. Our compression functions are set apart from previous work by the way that the FFT is used, and the resulting... |

10 | FFT-Hash II, efficient cryptographic hashing
- Schnorr
- 1992
Citation Context ...modern microprocessors. 1.2 Related Work Using the Fast Fourier Transform (FFT) as a building block in hash functions is not new. For example, Schnorr proposed a variety of FFT-based hash functions =-=[19, 20, 21]-=-, which unfortunately were subsequently cryptanalyzed and shown to be insecure [7, 2, 22]. Our compression functions are set apart from previous work by the way that the FFT is used, and the resulting... |

8 | Parallel FFT-Hashing
- Schnorr, Vaudenay
- 1994
Citation Context ...modern microprocessors. 1.2 Related Work Using the Fast Fourier Transform (FFT) as a building block in hash functions is not new. For example, Schnorr proposed a variety of FFT-based hash functions =-=[19, 20, 21]-=-, which unfortunately were subsequently cryptanalyzed and shown to be insecure [7, 2, 22]. Our compression functions are set apart from previous work by the way that the FFT is used, and the resulting... |

8 | FFT-hash-II is not yet collision-free
- Vaudenay
- 1993
Citation Context ...ding block in hash functions is not new. For example, Schnorr proposed a variety of FFT-based hash functions [19, 20, 21], which unfortunately were subsequently cryptanalyzed and shown to be insecure =-=[7, 2, 22]-=-. Our compression functions are set apart from previous work by the way that the FFT is used, and the resulting proof of security. Namely, while in previous work [19, 20, 21] the FFT was applied to un... |

7 | Collisions for Schnorr’s hash function FFT-Hash presented at
- Daemen, Bosselaers, et al.
- 1993
Citation Context ...ding block in hash functions is not new. For example, Schnorr proposed a variety of FFT-based hash functions [19, 20, 21], which unfortunately were subsequently cryptanalyzed and shown to be insecure =-=[7, 2, 22]-=-. Our compression functions are set apart from previous work by the way that the FFT is used, and the resulting proof of security. Namely, while in previous work [19, 20, 21] the FFT was applied to un... |

3 | X.: Cryptanalysis for Hash Functions MD4 - Wang, Lai, et al. - 2005 |