Haraka v2 – Efficient Short-Input Hashing for Post-Quantum Applications

Author(s): Stefan Kölbl, Martin M. Lauridsen, Florian Mendel, Christian Rechberger

Recently, many efficient cryptographic hash function design strategies have been explored, not least because of the SHA-3 competition. These designs are, almost exclusively, geared towards high performance on long inputs. However, various applications exist where the performance on short (fixed-length) inputs matters more. Such hash functions are the bottleneck in hash-based signature schemes like SPHINCS or XMSS, which is currently under standardization. Secure functions specifically designed for such applications are scarce. We attend to this gap by proposing two short-input hash functions (or rather simply compression functions). By utilizing AES instructions on modern CPUs, our proposals are the fastest on such platforms, reaching throughputs below one cycle per hashed byte even for short inputs, while still having a very low latency of less than 60 cycles. Under the hood, this result comes with several innovations. First, we study whether the number of rounds for our hash functions can be reduced if only second-preimage resistance (and not collision resistance) is required. The conclusion is: only a little. Second, since their inception, AES-like designs allow for supportive security arguments by means of counting and bounding the number of active S-boxes. However, this ignores powerful attack vectors using truncated differentials, including the powerful rebound attacks. We develop a general tool-based method to include arguments against attack vectors using truncated differentials.

2010, Vol 47 (1), pp. 115-135
Author(s): Michal Rjaško

In this paper we analyze the Chosen Target Forced Prefix (CTFP) preimage resistance security notion for hash functions, first introduced in [Kelsey, J.-Kohno, T.: Herding hash functions and the Nostradamus attack, in: Advances in Cryptology-EUROCRYPT ’06, 25th Annual Internat. Conf. on the Theory and Appl. of Cryptographic Techniques (S. Vaudenay, ed.), St. Petersburg, Russia, 2006, Lecture Notes in Comput. Sci., Vol. 4004, Springer-Verlag, Berlin, 2006, pp. 183-200]. We give a formal definition of this property in the hash function family setting and work out all the implications and separations between CTFP preimage resistance and other standard notions of hash function security (preimage resistance, collision resistance, etc.). This paper follows the work of [Rogaway, P.-Shrimpton, T.: Cryptographic hash-function basics: Definitions, implications, and separations for preimage resistance, second-preimage resistance, and collision resistance, in: Fast Software Encryption, 11th International Workshop-FSE ’04 (B. Roy et al., eds.), Delhi, India, 2004, Lecture Notes in Comput. Sci., Vol. 3017, Springer-Verlag, Berlin, 2004, pp. 371-388], where they define seven basic notions of hash function security and examine all the relationships among these notions. We also define a new security property for hash function families, always-CTFP preimage resistance, which guarantees CTFP security for all the hash functions in the family.


Author(s):  
Keith M. Martin

This chapter discusses cryptographic mechanisms for providing data integrity. We begin by identifying different levels of data integrity that can be provided. We then look in detail at hash functions, explaining the different security properties that they have, as well as presenting several different applications of a hash function. We then look at hash function design and illustrate this by discussing the hash function SHA-3. Next, we discuss message authentication codes (MACs), presenting a basic model and discussing basic properties. We compare two different MAC constructions, CBC-MAC and HMAC. Finally, we consider different ways of using MACs together with encryption. We focus on authenticated encryption modes, and illustrate these by describing Galois Counter mode.


2012, Vol 53 (1), pp. 155-187
Author(s): Michal Rjaško

Many cryptographic systems which involve hash functions have a proof of their security in the so-called random oracle model. The behavior of hash functions used in such cryptographic systems should be as close as possible to the behavior of a random function. There are several properties of hash functions dealing with random behavior. A hash function is a pseudo-random oracle if it is indifferentiable from a random oracle. However, it is well known that hash functions based on the popular Merkle-Damgård domain extension transform do not satisfy the pseudo-random oracle property. On the other hand, no attack is known for many concrete applications utilizing Merkle-Damgård hash functions. Hence, a weakened notion called public-use pseudo-random oracle was introduced. The property can be met by the Merkle-Damgård construction and is sufficient for several important applications. A hash function is a public-use pseudo-random oracle if it is indifferentiable from a random oracle with public messages (i.e., all messages hashed so far are available to all parties). This is the case for most hash-based signature schemes. In this paper we analyze the relationship between the pseudo-random oracle property and its variant, the public-image pseudo-random oracle. Roughly, a hash function is a public-image pseudo-random oracle if it is indifferentiable from a random oracle with public images (i.e., all images of messages hashed so far are available to all parties, while the messages are kept secret). We prove that the properties are equivalent.


2019, Vol 62 (8), pp. 1121-1131
Author(s): Qian Wang, Chenhui Jin

Due to the strong security and high performance of the AES block cipher, many hash functions take AES-like structures as building blocks. To evaluate the security of these AES-like structures against differential cryptanalysis, giving lower bounds on the number of active S-boxes in a differential trail is an important perspective. However, the original ‘wide-trail strategy’ for AES becomes less effective for getting tight bounds for these AES-like structures, because of the different state dimensions (M×M², instead of M×M) and round functions that differ from AES. In this paper, we focus on a kind of AES-like structure with state dimensions M×M², diffusion-optimal permutations and MixColumns transformations using MDS matrices. Inspired by the ‘wide-trail strategy’, we propose a theoretical method to count active S-boxes, by which we prove that there are at least r·B_d(B_d − 1) active S-boxes in any 2r (r ≥ 3) rounds of such an AES-like structure, where B_d is the differential branch number of the MixColumns transformation and equals M+1. What’s more, this lower bound can be achieved by some diffusion layers. As examples, we apply our method to the LANE hash function and the 3D block cipher, and obtain optimal lower bounds for both.


First Monday, 2006
Author(s): Praveen Gauravaram, Adrian McCullagh, Ed Dawson

This paper discusses the legal and practical implications of attacks, presented at Crypto 2004, against various 128-bit hash functions and in particular MD5, due to its wide usage. These attacks are significant because a number of important applications depend on MD5. It is argued in this paper that the MD-x style of hash function design can be a single point of failure for the various applications that rely on it. New hash function design schemes with strict security properties should be developed in order to avoid new attacks in the future.


Author(s): Sultan Almuhammadi, Omar Mohammed Bawazeer

A cryptographic hash function is an important component used in many applications, such as blockchain, authentication, data integrity, and digital signatures. With the rapid increase in the usage of mobile devices, more attention goes towards the tradeoffs between performance and security of cryptographic hash functions on mobile devices, due to their limited computational power. In this paper the researchers study the most common cryptographic hash functions and highlight the tradeoffs between their performance and security. The hash functions considered in this study are MD4, MD5, Whirlpool, and the hash functions in the SHA family. The security of these hash functions is compared based on recent attacks in terms of collision resistance, preimage attacks, and sensitivity analysis. The performance is tested on different input block sizes, and useful observations and recommendations are made based on the results of this study.


2021, Vol 11 (1)
Author(s): Li-Yun Tian, Oliver Gutfleisch, Olle Eriksson, Levente Vitos

Tetragonal (L1₀) FeNi is a promising material for high-performance rare-earth-free permanent magnets. Pure tetragonal FeNi is very difficult to synthesize due to its low chemical order–disorder transition temperature (≈ 593 K), and thus one must consider alternative non-equilibrium processing routes and alloy design strategies that make the formation of tetragonal FeNi feasible. In this paper, we investigate by density functional theory, as implemented in the exact muffin-tin orbitals method, whether alloying FeNi with a suitable element can have a positive impact on the phase formation and ordering properties while largely maintaining its attractive intrinsic magnetic properties. We find that small amounts of non-magnetic (Al and Ti) or magnetic (Cr and Co) elements increase the order–disorder transition temperature. Adding Mo to the Co-doped system further enhances the ordering temperature while the Curie temperature is decreased only by a few degrees. Our results show that alloying is a viable route to stabilizing the ordered tetragonal phase of FeNi.


2009
Author(s): Uri Cummings, Dan Daly, Rebecca Collins, Virat Agarwal, Fabrizio Petrini, ...
