## Software performance of universal hash functions (1999)

Venue: In Advances in Cryptology — EUROCRYPT ’99

Citations: 26 - 0 self

### BibTeX

@INPROCEEDINGS{Nevelsteen99softwareperformance,
    author = {Wim Nevelsteen and Bart Preneel},
    title = {Software performance of universal hash functions},
    booktitle = {In Advances in Cryptology — EUROCRYPT ’99},
    year = {1999},
    pages = {24--41},
    publisher = {Springer-Verlag}
}

### Abstract

This paper compares the parameter sizes and software performance of several recent constructions for universal hash functions: bucket hashing, polynomial hashing, Toeplitz hashing, division hashing, evaluation hashing, and MMH hashing. An objective comparison between these widely varying approaches is achieved by defining constructions that offer a comparable security level. It is also demonstrated how the security of these constructions compares favorably to existing MAC algorithms, the security of which is less understood.

### Citations

2728 | New Directions in Cryptography
- Diffie, Hellman
- 1976
Citation Context ... Introduction In many commercial applications, protecting the integrity of information is even more important than protecting its secrecy. Digital signatures, introduced in 1976 by Diffie and Hellman [13], are the main tool for protecting the integrity of information. They are essential to build a worldwide trust infrastructure. However, there are still a significant number of applications for which d...

797 | Communication theory of secrecy systems
- Shannon
- 1949
Citation Context ...construction of authentication codes appeared in a 1974 paper by Gilbert et al. [18]. Subsequently their theory has been developed further by Simmons, analogous to Shannon’s theory of secrecy systems [34]. An overview of the theory of authentication codes can be found in the work of Simmons [36] and Stinson [38]. In the seventies and the eighties, the research on authentication codes in the cryptograp...

673 | Universal classes of hash functions
- Carter, Wegman
- 1979
Citation Context ... This is the more surprising because Carter and Wegman developed already in the late seventies efficient authentication codes under the name of strongly universal hash functions [12, 40]. They show that this is an interesting combinatorial tool that can be applied to other problems as well (such as interactive proof systems, pseudo-random number generation, and probabilistic algorith...

477 | Keying hash functions for message authentication
- Bellare, Canetti, et al.
- 1996
Citation Context ...ds and on the currently deployed Point of Sale (POS) terminals. During the last five years, our understanding of MACs has improved considerably, through development of security proofs (Bellare et al. [3, 5, 6]) and new attacks (Knudsen [23] and Preneel and van Oorschot [30, 31]). An important disadvantage of both digital signatures and MAC algorithms is that their security is only computational. That impli...

334 | Differential Cryptanalysis of the Data Encryption Standard
- Biham, Shamir
Citation Context ...he product of two large primes. However it seems wise to anticipate further progress in cryptanalysis of specific primitives. In the nineties we have witnessed the development of differential attacks [8], linear attacks [26], and of the use of optimization techniques as in [14]. The ultimate solution to this problem is unconditional security. The idea of unconditionally secure authentication (and the...

329 | New hash functions and their use in authentication and set equality
- Wegman, Carter
- 1981

260 | Small-bias probability spaces: Efficient constructions and applications
- Naor, Naor
- 1990
Citation Context ...vector-matrix multiplication. The Toeplitz construction uses matrices generated by sequences of length n + m − 1 drawn from δ-biased distributions. δ-biased distributions, introduced by Naor and Naor [29], are a tool for replacing truly random sequences by more compact and easier to generate sequences. The lower δ, the more random the sequence is. Krawczyk proves that the family of hash functions asso...

144 | The security of cipher block chaining
- Bellare, Kilian, et al.
- 1994
Citation Context ...ds and on the currently deployed Point of Sale (POS) terminals. During the last five years, our understanding of MACs has improved considerably, through development of security proofs (Bellare et al. [3, 5, 6]) and new attacks (Knudsen [23] and Preneel and van Oorschot [30, 31]). An important disadvantage of both digital signatures and MAC algorithms is that their security is only computational. That impli...

130 | The MD5 message-digest algorithm. Request for Comments (RFC
- Rivest
- 1992
Citation Context ...t. We provide a comparison with MAC algorithms based on [10]. The performance of HMAC [3] and MDx-MAC [30] depends on the underlying hash function (MDx-MAC is a few percent slower than HMAC). For MD5 [32], SHA-1 [17], RIPEMD-160, and RIPEMD-128 [15] the speeds are respectively 228 Mbit/s, 122 Mbit/s, 101 Mbit/s, and 173 Mbit/s (note however that the security of MD5 as a hash-function is questionable; ...

123 | The first experimental cryptanalysis of the Data Encryption Standard
- Matsui
- 1994
Citation Context ...rge primes. However it seems wise to anticipate further progress in cryptanalysis of specific primitives. In the nineties we have witnessed the development of differential attacks [8], linear attacks [26], and of the use of optimization techniques as in [14]. The ultimate solution to this problem is unconditional security. The idea of unconditionally secure authentication (and the so-called authentica...

120 | XOR MACs: New Methods for Message Authentication Using Finite Pseudorandom Functions
- Bellare, Kilian, et al.
Citation Context ...ds and on the currently deployed Point of Sale (POS) terminals. During the last five years, our understanding of MACs has improved considerably, through development of security proofs (Bellare et al. [3, 5, 6]) and new attacks (Knudsen [23] and Preneel and van Oorschot [30, 31]). An important disadvantage of both digital signatures and MAC algorithms is that their security is only computational. That impli...

118 | LFSR based hashing and authentication
- Krawczyk
- 1994
Citation Context ... During the last five years, progress has been made both in theory and practice of universal hash functions. Krawczyk has proposed universal hash functions that are linear with respect to bitwise xor [24, 25]. This property makes it easier to reuse the authentication code (with the same key): one encrypts the m-bit hash result for each new message using a one-time pad. This approach leads to simple and ef...

108 | Randomized and deterministic simulations of PRAMs by parallel machines with restricted granularity of parallel memories
- Mehlhorn, Vishkin
- 1984
Citation Context ...in conditions, the hash function can remain the same for many plaintexts, provided that the hash result is encrypted using a one-time pad. Mehlhorn and Vishkin propose more efficient constructions in [28]. At Crypto’82, Brassard pointed out that combining this primitive with a pseudo-random string generator will result in efficient computationally secure message authentication with short keys [11]. In...

106 | RIPEMD-160, a strengthened version of RIPEMD
- Dobbertin, Bosselaers, et al.
- 1996
Citation Context ...s based on [10]. The performance of HMAC [3] and MDx-MAC [30] depends on the underlying hash function (MDx-MAC is a few percent slower than HMAC). For MD5 [32], SHA-1 [17], RIPEMD-160, and RIPEMD-128 [15] the speeds are respectively 228 Mbit/s, 122 Mbit/s, 101 Mbit/s, and 173 Mbit/s (note however that the security of MD5 as a hash-function is questionable; this has no immediate impact to its use in HM...

78 | MDx-MAC and Building Fast MACs from Hash Functions
- Preneel, van Oorschot
- 1995
Citation Context ... the last five years, our understanding of MACs has improved considerably, through development of security proofs (Bellare et al. [3, 5, 6]) and new attacks (Knudsen [23] and Preneel and van Oorschot [30, 31]). An important disadvantage of both digital signatures and MAC algorithms is that their security is only computational. That implies that an opponent with sufficient computing power can in principle ...

73 | Incremental cryptography: The case of hashing and signing
- Bellare, Goldreich, et al.
- 1994
Citation Context ...ional, and that their speed is comparable to or better than that of currently used MAC algorithms. In addition, they are easy to implement and easy to parallelize. Finally, they are often incremental [4] (this means that after small updates to the input, the output can be recomputed quickly). If they are used with a pseudo-random string generator, the unconditional security is lost, but what remains ...

67 | On fast and provably secure message authentication based on universal hashing
- Shoup
- 1996
Citation Context ... to simple and efficient constructions based on polynomials and Linear Feedback Shift Registers (LFSRs). Other constructions based on polynomials over finite fields are proposed and analyzed by Shoup [35]. Shoup [35] and Afanassiev et al. [1] study efficient software implementations of this primitive. Another line of research has been to improve the speed at the cost of an increased key size and size ...

58 | Codes which detect deception
- Gilbert, MacWilliams, et al.
- 1974
Citation Context ...earch was that apparently the NSA refused to export strong conventional cryptographic mechanisms to the USSR. The first construction of authentication codes appeared in a 1974 paper by Gilbert et al. [18]. Subsequently their theory has been developed further by Simmons, analogous to Shannon’s theory of secrecy systems [34]. An overview of the theory of authentication codes can be found in the work of ...

51 | Bucket Hashing and its Application to Fast Message Authentication
- Rogaway
Citation Context ...ementations of this primitive. Another line of research has been to improve the speed at the cost of an increased key size and size of the authentication tag. Rogaway has introduced bucket hashing in [33]; a slower variant with shorter keys was proposed by Johansson in [21]. Halevi and Krawczyk have developed an extremely fast scheme (MMH) which makes optimal use of the multiply and accumulate instru...

44 | On families of hash functions via geometric codes and concatenation
- Bierbrauer, Johansson, et al.
- 1994
Citation Context ...y requirements are still large, and the hash results are a little shorter. 3.3 Hash Family Based on Fast Polynomial Evaluation The next family of hash functions has been proposed by Bierbrauer et al. [7]; it is based on polynomial evaluation over a finite field. Let $q = 2^r$, $Q = 2^m = 2^{r+s}$, $n = 1 + 2^s$, and $\pi$ be a linear mapping from GF($Q$) onto GF($q$), where $Q = q_0^m$, $q = q_0^r$, and $q_0$ a prime p...

40 | Advanced Encryption Standard," Federal Information Processing Standard
- FIPS
- 2001
Citation Context ...e impact to its use in HMAC and MDx-MAC, but it is prudent to plan for its replacement). For CBC-MAC [6, 20], the performance corresponds approximately to that of the underlying block cipher. For DES [16] this is 37.5 Mbit/s; for other block ciphers, this varies between 20 and 100 Mbit/s. XOR-MAC [5] is about 25% slower. Appeared in Advances in Cryptology – EUROCRYPT 1999, Lecture Notes in Computer Sc...

40 | MMH: Software message authentication in the Gbit/second rates
- Halevi, Krawczyk
- 1997
Citation Context ...s was proposed by Johansson in [21]. Halevi and Krawczyk have developed an extremely fast scheme (MMH) which makes optimal use of the multiply and accumulate instruction of the Pentium MMX processor [19]. Recently Black et al. have further improved the performance on high end processors with the UMAC construction [9]. While it is clear that authentication codes (or universal hash functions) have a la...

35 | On computationally secure authentication tags requiring short secret shared keys. In D. Chaum, R. L. Rivest, and A. T. Sherman
- Brassard
- 1983
Citation Context ... in [28]. At Crypto’82, Brassard pointed out that combining this primitive with a pseudo-random string generator will result in efficient computationally secure message authentication with short keys [11]. In the beginning of the nineties, the two ‘independent’ research threads are brought together. Stinson improves the work by Wegman and Carter, and establishes an explicit link between authentication...

31 | New Hash Functions For Message Authentication
- Krawczyk
- 1995
Citation Context ... During the last five years, progress has been made both in theory and practice of universal hash functions. Krawczyk has proposed universal hash functions that are linear with respect to bitwise xor [24, 25]. This property makes it easier to reuse the authentication code (with the same key): one encrypts the m-bit hash result for each new message using a one-time pad. This approach leads to simple and ef...

31 | An introduction to contemporary cryptology
- Massey
- 1988
Citation Context ...ptimal) will be denoted with $P_i$, $P_s$, and $P_d$ respectively. A first result that follows from Kerckhoffs’ assumption (namely that the strategy to choose the key is known by Eve) is that $P_d = \max(P_i, P_s)$ [27]. In the following the length (in bits) of the plaintext, authentication tag, and key is denoted with $m$, $n$, and $k$ respectively. The combinatorial bounds state that $P_i$ and $P_s$ are at least $1/2^n$. In th...

28 | On the security of two MAC algorithms
- Preneel, van Oorschot
- 1996
Citation Context ... the last five years, our understanding of MACs has improved considerably, through development of security proofs (Bellare et al. [3, 5, 6]) and new attacks (Knudsen [23] and Preneel and van Oorschot [30, 31]). An important disadvantage of both digital signatures and MAC algorithms is that their security is only computational. That implies that an opponent with sufficient computing power can in principle ...

23 | RIPEMD with Two-Round Compress Function is Not Collision-Free
- Dobbertin
- 1997
Citation Context ...r progress in cryptanalysis of specific primitives. In the nineties we have witnessed the development of differential attacks [8], linear attacks [26], and of the use of optimization techniques as in [14]. The ultimate solution to this problem is unconditional security. The idea of unconditionally secure authentication (and the so-called authentication codes) dates back to the early seventies, when Si...

20 | The combinatorics of authentication and secrecy codes
- Stinson
- 1990
Citation Context ...ry has been developed further by Simmons, analogous to Shannon’s theory of secrecy systems [34]. An overview of the theory of authentication codes can be found in the work of Simmons [36] and Stinson [38]. In the seventies and the eighties, the research on authentication codes in the cryptographic community focussed mainly on the properties of authentication codes that meet certain bounds (such as per...

19 | Universal hashing and multiple authentication
- Atici, Stinson
- 1996
Citation Context ...n objective comparison of performance and parameter sizes for the most promising constructions. For three related universal hash functions, similar work has been done by Shoup [35]. Atici and Stinson [2] provide an overview of the general parameters of several schemes, but do not discuss the performance. The remainder of this paper is organized as follows. §2 introduces the most important definitions...

15 | Fast message authentication using efficient polynomial evaluation
- Afanassiev, Gehrmann, Smeets
- 1997
Citation Context ...based on polynomials and Linear Feedback Shift Registers (LFSRs). Other constructions based on polynomials over finite fields are proposed and analyzed by Shoup [35]. Shoup [35] and Afanassiev et al. [1] study efficient software implementations of this primitive. Another line of research has been to improve the speed at the cost of an increased key size and size of the authentication tag. Rogaway has...

10 | Bucket hashing with a small key size
- Johansson
- 1997
Citation Context ...prove the speed at the cost of an increased key size and size of the authentication tag. Rogaway has introduced bucket hashing in [33]; a slower variant with shorter keys was proposed by Johansson in [21]. Halevi and Krawczyk have developed an extremely fast scheme (MMH) which makes optimal use of the multiply and accumulate instruction of the Pentium MMX processor [19]. Recently Black et al. have fu...

9 | A Survey of Information Authentication, in Contemporary Cryptology, The Science of Information Integrity
- Simmons
- 1992

8 | Information technology -- Data cryptographic techniques -- Data integrity mechanisms using a cryptographic check function employing a block cipher algorithm
- ISO/IEC
- 1987
Citation Context ...t/s (note however that the security of MD5 as a hash-function is questionable; this has no immediate impact to its use in HMAC and MDx-MAC, but it is prudent to plan for its replacement). For CBC-MAC [6, 20], the performance corresponds approximately to that of the underlying block cipher. For DES [16] this is 37.5 Mbit/s; for other block ciphers, this varies between 2...

7 | How to insure that data acquired to verify treaty compliance are trustworthy
- Simmons
- 1998
Citation Context ...etting where the parties do not trust each other. Moreover, MACs rely on shared symmetric keys, which requires additional key management functions. Banks have been using MACs since the late seventies [36, 37] for message authentication. Recent applications in which MACs have been introduced include electronic purses (such as Proton and Mondex) and credit/debit applications (e.g., the EMV specifications). ...

5 | Chosen-text attack on CBC-MAC
- Knudsen
- 1997
Citation Context ...nt of Sale (POS) terminals. During the last five years, our understanding of MACs has improved considerably, through development of security proofs (Bellare et al. [3, 5, 6]) and new attacks (Knudsen [23] and Preneel and van Oorschot [30, 31]). An important disadvantage of both digital signatures and MAC algorithms is that their security is only computational. That implies that an opponent with suffic...

3 | On the cardinality of systematic Acodes via error correcting codes
- Kabatianskii, Johansson, et al.
- 1996
Citation Context ...gly universal hash functions [39]. A second important development is that Johansson, Kabatianskii, and Smeets establish a relation between authentication codes and codes correcting independent errors [22]. This provides a better understanding of the existing constructions and their limitations. During the last five years, progress has been made both in theory and practice of universal hash functions. ...

3 | Universal hashing and authentication codes, Designs
- Stinson
- 1994
Citation Context ...independent’ research threads are brought together. Stinson improves the work by Wegman and Carter, and establishes an explicit link between authentication codes and strongly universal hash functions [39]. A second important development is that Johansson, Kabatianskii, and Smeets establish a relation between authentication codes and codes correcting independent errors [22]. This provides a better unde...

2 | Fast implementations on the Pentium, http://www.esat.kuleuven.ac.be/~bosselae/fast.html
- Bosselaers
Citation Context ...to be decrypted before it can be used, this will introduce a performance penalty (for example, 13.7 msec if 3-DES is used, which runs at 13.8 Mbit/s and 0.43 msec for SEAL-3, which runs at 440 Mbit/s [10]). If memory requirements (both for the hash function and for the result) are an issue, scheme D is the best solution. It is about 4 times slower than scheme A, and requires less memory than scheme B....

1 | UMAC: fast and secure message authentication, preprint
- Black, Halevi, et al.
- 1999
Citation Context ...ptimal use of the multiply and accumulate instruction of the Pentium MMX processor [19]. Recently Black et al. have further improved the performance on high end processors with the UMAC construction [9]. While it is clear that authentication codes (or universal hash functions) have a large potential for certain applications, they are not widely known to application developers. Some of the reasons mi...