Abstract

Universal hash functions based on univariate polynomials are well known, e.g. Poly1305 and GHASH. Using Horner’s rule to evaluate such hash functionsrequire l − 1 field multiplications for hashing a message consisting of l blocks where each block is one field element. A faster method is based on the class of Bernstein-Rabin-Winograd (BRW) polynomials which require ⌊l/2⌋ multiplications and ⌊lgl⌋ squarings for l≥3 blocks. Though this is significantly smaller than Horner’s rule based hashing, implementation of BRW polynomials for variable length messages present significant difficulties. In this work, we propose a two-level hash function where BRW polynomial based hashing is done at the lower level and Horner’s rule based hashing is done at the higher level. The BRW polynomial based hashing is applied to a fixed number of blocks and hence the difficulties in handling variable length messages is avoided. Even though the hash function has two levels, we show that it is sufficient to use a single field element as the hash key. The basic idea is instantiated to propose two new hash functions, one which hashes a single binary string and the other can hash a vector of binary strings. We describe two actual implementations, one over F2128 and the other over F2256 both using the pclmulqdq instruction available in modern Intel processors. On both the Haswell and Skylake processors, the implementation over F2128 is faster than both an implementation of GHASH by Gueron; and a highly optimised implementation, also by Gueron, of another polynomial based hash function called POLYVAL. We further show that the Fast Fourier Transform based field multiplication over F2256 proposed by Bernstein and Chou can be used to evaluate the new hash function at a cost of about at most 46 bit operations per bit of digest, but, unlike the Bernstein-Chou analysis, there is no hidden cost of generating the hash key. More generally, the new idea of building a two-level hash function having a single field element as the hash key can be applied to other finite fields to build new hash functions.

Highlights

  • An important primitive in cryptography is a hash function family with provably low collision and differential probabilities

  • We consider some of the important universal hash functions and corresponding message authentication code (MAC) schemes that have been proposed

  • We have shown how to combine the BRW family of polynomials with the Horner based polynomial evaluation to design a new hash function

Read more

Summary

Introduction

An important primitive in cryptography is a hash function family with provably low collision and differential probabilities. A well known approach to the construction of an AU hash function is the multilinear map [8] This requires field multiplications to obtain the digest when the message consists of field elements. By choosing a suitable value of η, the number of multiplications required by the new hash function can be made quite close to that of BRW Such a two-level strategy has the advantage that it avoids the difficulties associated with implementing BRW on variable length messages. In [27], Gueron and Lindell have proposed a new nonce misuse-resistant AEAD scheme called GCM-SIV This scheme uses a polynomial based hash function called POLYVAL, which has a highly optimised implementation by Gueron [9]. Brief surveys on various constructions of universal hash functions can be found in [3, 21]

Preliminaries
Polynomial Hashing
BRW Hashing
Combining BRW with Horner
Two-Level Hash Function
Hashing a Vector of Strings
Implementations Based on pclmulqdq
Field Multiplication
Efficient Reduction
Arithmetic Operations for Computing BRW
Computing BRW Polynomials
Decimated Horner
Implementation of Hash2L
Implementation Strategy Without Using pclmulqdq
Message Authentication Code
Comparison to Some Previous Works
Comparison to Schemes Using Long Hash Keys
Comparison to Schemes Using Short Hash Keys
Findings
Conclusion
Full Text
Published version (Free)

Talk to us

Join us for a 30 min session where you can share your feedback and ask us any queries you have

Schedule a call