Abstract
Recently, many efficient cryptographic hash function design strategies have been explored, not least because of the SHA-3 competition. These designs are, almost exclusively, geared towards high performance on long inputs. However, various applications exist where the performance on short (fixed-length) inputs matters more. Such hash functions are the bottleneck in hash-based signature schemes like SPHINCS or XMSS, the latter of which is currently under standardization. Secure functions specifically designed for such applications are scarce. We address this gap by proposing two short-input hash functions (or rather, simply, compression functions). By utilizing AES instructions on modern CPUs, our proposals are the fastest on such platforms, reaching throughputs below one cycle per hashed byte even for short inputs, while still having a very low latency of less than 60 cycles. Under the hood, this result comes with several innovations. First, we study whether the number of rounds of our hash functions can be reduced if only second-preimage resistance (and not collision resistance) is required. The conclusion is: only a little. Second, since their inception, AES-like designs have allowed for supportive security arguments by means of counting and bounding the number of active S-boxes. However, this ignores powerful attack vectors using truncated differentials, including the powerful rebound attacks. We develop a general tool-based method to include arguments against attack vectors using truncated differentials.
Highlights
Cryptographic hash functions are commonly constructed with collision resistance in mind
Haraka v1 was originally presented to a larger group of cryptographers in November 2015 [Pro], with the explicit goal of providing fast hashing on short inputs, the main application being speeding up hash-based signature schemes
We focus on second-preimage resistance, as the main applications of Haraka v2 do not require collision resistance
Summary
Cryptographic hash functions are commonly constructed with collision resistance in mind. A recent version of XMSS, XMSS-T [HRS16], attains additional security against multi-target preimage attacks on the underlying hash function. Such designs are the most mature candidates for signature schemes offering post-quantum security, i.e. they are believed to be secure in the presence of hypothetical quantum computers, as their security reduces solely to the security properties of the hash function(s) used, relying on minimal assumptions. These applications share the absence of collision resistance from the requirements imposed on the underlying hash function(s), and further they process only short inputs[1]. Most cryptographic hash functions are geared towards high performance on long messages and, as we will show, perform rather poorly on short inputs.