2014, IACR Cryptology ePrint Archive
We describe Fugue, a hash function supporting inputs of length up to 2^64 - 1 bits and hash outputs of length up to 512 bits. Notably, Fugue is not based on a compression function. Rather, it is directly a hash function that supports variable-length input. The starting point for Fugue is the hash function Grindahl, but it extends that design to protect against the kinds of attacks that were developed for Grindahl, as well as earlier hash functions like SHA-1. A key enhancement is the design of a much stronger round function which replaces the AES round function of Grindahl, using better codes (over longer words) than the AES 4 × 4 MDS matrix. Also, Fugue makes judicious use of this new round function on a much larger internal state. The design of Fugue is proof-oriented: the various components are designed in such a way as to allow proofs of security. As a result, we can prove that current attack methods cannot find collisions in Fugue any faster than the trivial birthday attack. Although the proof is computer assisted, the assistance is limited to computing ranks of various matrices.
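The "trivial birthday attack" the Fugue abstract compares against is the generic bound every n-bit hash is measured by: about sqrt(pi/2 * 2^n) evaluations find a collision regardless of the function's internals. The following is an added example, not code from the Fugue paper; it uses SHA-256 truncated to `bits` output bits as a stand-in for an arbitrary n-bit hash and finds a collision for n = 32 in roughly 2^16 evaluations rather than the 2^32 of exhaustive search. The message prefix `msg-` is an arbitrary constructed input.

```python
"""Birthday-bound collision search against a truncated hash.

Added example, not code from the Fugue paper. SHA-256 truncated to `bits`
output bits stands in for any n-bit hash: the generic attack needs roughly
sqrt(pi/2 * 2^n) evaluations whatever the internals, which is the bound a
collision-resistance proof such as Fugue's is compared to.
"""
import hashlib
import math


def truncated_hash(msg: bytes, bits: int) -> int:
    """SHA-256 truncated to its top `bits` bits (a toy n-bit hash)."""
    digest = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return digest >> (256 - bits)


def birthday_collision(bits: int, prefix: bytes = b"msg-") -> tuple[bytes, bytes, int, int]:
    """Find two distinct messages with the same truncated hash.

    Messages are deterministic (`prefix` + counter, a constructed input), so the
    result is reproducible. Returns (m1, m2, common_digest, evaluations).
    """
    seen: dict[int, bytes] = {}
    trials = 0
    while True:
        msg = prefix + str(trials).encode()
        trials += 1
        h = truncated_hash(msg, bits)
        if h in seen:
            return seen[h], msg, h, trials
        seen[h] = msg


def expected_trials(bits: int) -> float:
    """Expected evaluations until the first collision: sqrt(pi/2 * 2^bits)."""
    return math.sqrt(math.pi / 2 * 2 ** bits)


if __name__ == "__main__":
    m1, m2, h, trials = birthday_collision(32)
    print(f"{m1!r} and {m2!r} both hash to {h:08x} after {trials} evaluations "
          f"(expected about {expected_trials(32):.0f}; exhaustive search is 2^32 = {2**32})")
```

The memory cost of the table is the reason real birthday attacks use cycle-finding (Pollard rho, van Oorschot-Wiener) instead of a dictionary; the time bound is the same.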
2007
A function that compresses an arbitrarily large message into a fixed small size 'message digest' is known as a hash function. For the last two decades, many types of hash functions have been defined, but the most widely used in many of the cryptographic applications currently are hash functions based on block ciphers and the dedicated hash functions. Almost all the dedicated hash functions are generated using the Merkle-Damgård construction, which was developed independently by Merkle and Damgård in 1989 [6, 7]. A hash function is said to be broken if an attacker is able to show that the design of the hash function violates at least one of its claimed security properties. There are various types of attacking strategies found on hash functions, such as attacks based on the block ciphers, attacks depending on the algorithm, attacks independent of the algorithm, attacks based on signature schemes, and high level attacks. Besides this, in recent years, many structural weaknesses have been f...
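The Merkle-Damgård construction mentioned above iterates a fixed-size compression function over padded message blocks, with the message length appended (Merkle-Damgård strengthening). The following is an added example, not code from the surveyed paper: the compression function is a toy (SHA-256 over chaining value || block), but the mode is the real one shared by MD5, SHA-1 and SHA-2, and so is the structural property shown at the end, that anyone holding H(m) and |m| can compute H(m || glue || suffix) without knowing m. The block size of 32 bytes and the sample message are constructed choices.

```python
"""Merkle-Damgård iteration with MD strengthening, and the length-extension
property it inherits.

Added example, not code from the surveyed paper. The compression function is a
toy: SHA-256 over (chaining value || block), giving a 32-byte chaining value.
The mode (padding, chaining, the extension) is the real Merkle-Damgård one.
"""
import hashlib
import struct

BLOCK = 32          # bytes per message block (toy choice)
IV = b"\x00" * 32   # fixed initial chaining value


def compress(chain: bytes, block: bytes) -> bytes:
    """Toy compression function f(h, m): 32-byte chain, BLOCK-byte block -> 32 bytes."""
    assert len(chain) == 32 and len(block) == BLOCK
    return hashlib.sha256(chain + block).digest()


def md_padding(total_len: int) -> bytes:
    """MD-strengthening padding for a message of total_len bytes: 0x80, zeros,
    then the bit length as a 64-bit big-endian integer, so that
    message || padding is a multiple of BLOCK."""
    pad = b"\x80"
    while (total_len + len(pad) + 8) % BLOCK:
        pad += b"\x00"
    return pad + struct.pack(">Q", total_len * 8)


def iterate(chain: bytes, data: bytes) -> bytes:
    """Run the compression function over data (already a multiple of BLOCK)."""
    assert len(data) % BLOCK == 0
    for i in range(0, len(data), BLOCK):
        chain = compress(chain, data[i:i + BLOCK])
    return chain


def md_hash(msg: bytes) -> bytes:
    """H(m) = iterate(IV, m || pad(m)); the final chaining value is the digest."""
    return iterate(IV, msg + md_padding(len(msg)))


def length_extend(digest: bytes, msg_len: int, suffix: bytes) -> tuple[bytes, bytes]:
    """Given only H(m) and |m|, compute H(m || glue || suffix) without m.

    The digest is exactly the chaining value after m || glue, so the attacker
    resumes the iteration from it. Returns (glue, forged_digest).
    """
    glue = md_padding(msg_len)
    total_len = msg_len + len(glue) + len(suffix)
    forged = iterate(digest, suffix + md_padding(total_len))
    return glue, forged


if __name__ == "__main__":
    secret_msg = b"secret-key|user=alice"          # constructed sample input
    tag = md_hash(secret_msg)
    glue, forged = length_extend(tag, len(secret_msg), b"&admin=true")
    print("forgery valid:", forged == md_hash(secret_msg + glue + b"&admin=true"))
```

This is why H(key || message) is not a safe MAC for a Merkle-Damgård hash and why HMAC, or a wide-pipe or sponge design whose final state is not the full output, is used instead.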
Lecture Notes in Computer Science, 2007
In this paper we propose the Grindahl hash functions, which are based on components of the Rijndael algorithm. To make collision search sufficiently difficult, this design has the important feature that no low-weight characteristics form collisions, and at the same time it limits access to the state. We propose two concrete hash functions, Grindahl-256 and Grindahl-512, with claimed security levels with respect to collision, preimage and second preimage attacks of 2^128 and 2^256, respectively. Both proposals have lower memory requirements than other hash functions at comparable speeds and security levels.
2006
We introduce VSH, very smooth hash, a new S-bit hash function that is provably collision-resistant assuming the hardness of finding nontrivial modular square roots of very smooth numbers modulo an S-bit composite. By very smooth, we mean that the smoothness bound is some fixed polynomial function of S. We argue that finding collisions for VSH has the same asymptotic complexity as factoring using the Number Field Sieve factoring algorithm, i.e., subexponential in S. VSH is theoretically pleasing because it requires just a single multiplication modulo the S-bit composite per Ω(S) message-bits (as opposed to O(log S) message-bits for previous provably secure hashes). It is relatively practical. A preliminary implementation on a 1 GHz Pentium III processor that achieves collision resistance at least equivalent to the difficulty of factoring a 1024-bit RSA modulus runs at 1.1 megabytes per second, with a moderate slowdown to 0.7 MB/s for 2048-bit RSA security. VSH can be used to build a fast, provably secure randomised trapdoor hash function, which can be applied to speed up provably secure signature schemes (such as Cramer-Shoup) and designated-verifier signatures.
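The "single multiplication per Ω(S) message-bits" claim is easiest to see in the iteration itself: with the first k primes chosen so that p_1 ... p_k < n, each k-bit block is absorbed as x_{j+1} = x_j^2 * prod p_i^{m_i} mod n, and a final block encodes the message length. The following is an added example, not the authors' implementation. Its modulus n = (2^61 - 1)(2^31 - 1) has a known factorisation and is a toy: real VSH needs an RSA modulus of unknown factorisation of the sizes the abstract quotes. The iteration itself follows the published definition.

```python
"""Very Smooth Hash (VSH), basic version, on a toy modulus.

Added example, not the authors' implementation. n = (2^61-1)(2^31-1) is a toy
composite whose factors are public Mersenne primes; real VSH needs an RSA
modulus of unknown factorisation. The iteration follows the published one:
x_{j+1} = x_j^2 * prod_{i=1..k} p_i^{m_{jk+i}} mod n, then a length block.
"""
from math import prod

N = (2 ** 61 - 1) * (2 ** 31 - 1)   # toy composite, about 2^92


def small_primes(limit: int) -> list[int]:
    """Primes up to `limit` by sieve."""
    sieve = bytearray([1]) * (limit + 1)
    sieve[0:2] = b"\x00\x00"
    for p in range(2, int(limit ** 0.5) + 1):
        if sieve[p]:
            sieve[p * p::p] = bytearray(len(sieve[p * p::p]))
    return [i for i, is_p in enumerate(sieve) if is_p]


def choose_primes(n: int) -> list[int]:
    """The first k primes with p_1 * ... * p_k < n, for the largest such k."""
    chosen, running = [], 1
    for p in small_primes(200):          # more than enough for a modulus this size
        if running * p >= n:
            break
        running *= p
        chosen.append(p)
    return chosen


PRIMES = choose_primes(N)
K = len(PRIMES)                          # bits absorbed per modular multiplication


def vsh_bits(bits: list[int], n: int = N, primes: list[int] = PRIMES) -> int:
    """VSH over message bits m_1..m_l with l < 2^k. Returns x_{L+1} in [0, n)."""
    k = len(primes)
    length = len(bits)
    assert length < 2 ** k, "message too long for this k"
    blocks = -(-length // k)                         # L = ceil(l / k)
    padded = bits + [0] * (blocks * k - length)      # zero-pad to L*k bits
    x = 1
    for j in range(blocks):
        block = padded[j * k:(j + 1) * k]
        # the product of selected small primes is < n, so this is one
        # modular multiplication (plus the squaring) per k message bits
        x = (x * x * prod(p for p, b in zip(primes, block) if b)) % n
    # final block: the bit length l, least significant bit first (l_i = bit i-1 of l)
    length_bits = [(length >> i) & 1 for i in range(k)]
    return (x * x * prod(p for p, b in zip(primes, length_bits) if b)) % n


def vsh(msg: bytes) -> int:
    """Byte-string wrapper; bits are taken most-significant first within each byte."""
    bits = [(byte >> (7 - i)) & 1 for byte in msg for i in range(8)]
    return vsh_bits(bits)


if __name__ == "__main__":
    print(f"k = {K} primes (up to {PRIMES[-1]}), so one multiplication mod n absorbs {K} bits")
    print(hex(vsh(b"The quick brown fox")))
```

The hash of a single 1 bit is 8 = (1 * p_1)^2 * p_1, which makes the two-stage structure (message blocks, then the length block) easy to trace by hand; the collision-resistance argument is that two colliding messages yield a nontrivial square root of a very smooth number modulo n, which is what the abstract's assumption forbids.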
Designs, Codes and Cryptography, 2010
A new cryptographic hash function Whirlwind is presented. We give the full specification and explain the design rationale. We show how the hash function can be implemented efficiently in software and give first performance numbers. A detailed analysis of the security against state-of-the-art cryptanalysis methods is also provided. In comparison to the algorithms submitted to the SHA-3 competition, Whirlwind takes recent developments in cryptanalysis into account by design. Even though software performance is not outstanding, it compares favourably with the 512-bit versions of SHA-3 candidates such as LANE or the original CubeHash proposal and is about on par with ECHO and MD6.
International Journal of Advanced Research in Computer Science, 2020
The term hash function has been used in computer science for quite some time and it refers to a function that compresses a string of arbitrary input to a string of fixed length. Cryptographic hash functions are one of the most important tools in the field of cryptography and are used to achieve a number of security goals like authenticity, digital signatures, pseudorandom number generation, digital steganography, digital time stamping etc. For the past few decades cryptographic hash functions have been the centre of attention in the cryptographic community. The security of hash functions became an important topic as almost every day the world of hash functions is facing a new attack. The present paper provides an extensive study on cryptographic hash functions with their applications, properties and detailed classification and also presents a detailed description of cryptographic hash algorithms. It also discusses a general classification of all kinds of possible attacks on hash functions and analyses some attacks on specific hash functions.
Lecture Notes in Computer Science, 2014
In this paper, we propose a new lightweight hash function supporting three different digest sizes: 80, 96 and 128 bits, providing preimage security from 64 to 120 bits, and second preimage and collision security from 40 to 60 bits. LHash requires about 817 GE and 1028 GE with a serialized implementation. In faster implementations based on function T, LHash requires 989 GE and 1200 GE with 54 and 72 cycles per block, respectively. Furthermore, its energy consumption evaluated by energy per bit is also remarkable. LHash allows trade-offs among security, speed, energy consumption and implementation costs by adjusting parameters. The design of LHash employs a kind of Feistel-PG structure in the internal permutation, and this structure can utilize permutation layers on nibbles to improve the diffusion speed. The adaptability of LHash in different environments is good, since different versions of LHash share the same basic computing module. The low-area implementation comes from the hardware-friendly S-box and linear diffusion layer. We evaluate the resistance of LHash against known attacks and confirm that LHash provides a good security margin.
2002
Abstract This report gives a survey on cryptographic hash functions. It gives an overview of different types of hash functions and reviews design principles. It also focuses on keyed hash functions and suggests some applications and constructions of keyed hash functions. We have used a keyed hash function for authenticating messages encrypted using the Rijndael [1] block cipher. Moreover, a parallel message digest has been implemented using VHDL.
IEEE Transactions on Information Theory, 2000
The hash function design strategy SMASH was recently proposed as an alternative to the MD4 family of hash functions. It can be shown that the strategy leads to designs that are vulnerable to efficient collision and (second) preimage attacks. The mathematical structure of the SMASH description facilitates the description of the weakness and the resulting attacks, but also functions with less mathematical elegance may show similar weaknesses.
2005
We consider the hash function proposals by Mridul et al. presented at FSE 2005. For the proposed 2n-bit compression functions it is proved that collision attacks require Ω(2^(2n/3)) queries of the functions in question. In this note it is shown that with O(2^(n/3)) queries one can distinguish the proposed compression functions from a randomly chosen 2n-bit function with very good probability. Finally we note that our results do not seem to contradict any statements made by the designers of the compression functions.
Hash functions are considered key components of nearly all cryptographic protocols, as well as of many security applications such as message authentication codes, data integrity, password storage, and random number generation. Many hash function algorithms have been proposed in order to ensure authentication and integrity of the data, including MD5, SHA-1, SHA-2, SHA-3 and RIPEMD. This paper involves an overview of these standard algorithms, and also provides a focus on their limitations against common attacks. This study shows that these standard hash function algorithms suffer collision attacks and time inefficiency. Other types of hash functions are also highlighted in comparison with the standard hash function algorithms in performing the resistance against common attacks. It shows that these algorithms are still weak against collision attacks.
Proceedings of the 2nd International Conference on Pervasive Embedded Computing and Communication Systems, 2012
This paper presents a family of parameterized hash functions allowing for flexibility between security and performance. The family consists of three basic hash functions: HaF-256, HaF-512 and HaF-1024 with message digests equal to 256, 512 and 1024 bits, respectively. Details of the functions' structure are presented. The method for obtaining the function's S-box is described along with the rationale behind it. Security considerations are discussed.
A hash function usually has two main components: a compression function or permutation function and a mode of operation. In this paper, we propose a new concrete design of a permutation-based hash function called MOIM. MOIM is based on concatenating two parallel fast wide pipe constructions as a mode of operation designed by Nandi and Paul, and presented at Indocrypt 2010, where the size of the internal state is significantly larger than the size of the output. The permutation functions used in MOIM are inspired by the SHA-3 finalist Grøstl hash function, which is originally inspired by the Rijndael design (AES). As a consequence there is very strong confusion and diffusion in MOIM. Also, we show that MOIM resists all the generic attacks and the Joux attack at two defense security levels.
International Journal of Applied Cryptography, 2010
In this paper we present TWISTER π, a framework for hash functions. It is an improved version of TWISTER, a candidate of the NIST SHA-3 hash function competition. TWISTER π is built upon the ideas of wide pipe and sponge functions. The core of this framework is a very easy to analyse Twister-Round providing both extremely fast diffusion as well as collision-freeness for one internal Twister-Round. The total security level is claimed to be not below 2^(n/2) for collision attacks and 2^n for (2nd) preimage attacks. TWISTER π instantiations are secure against all known generic attacks. We also propose two instances TWISTER π-n for hash output sizes n = 256 and n = 512. These instantiations are highly optimised for 64-bit architectures and run very fast in hardware and software, e.g., TWISTER π-256 is faster than SHA2-256 on 64-bit platforms and TWISTER π-512 is faster than SHA2-512 on 32-bit platforms. Furthermore, TWISTER π scales very well on low-end platforms.
1998
Cryptographic hash functions are an important building block for a wide range of applications such as the authentication of information, digital signatures and the protection of pass-phrases. The most popular hash functions are the custom designed iterative hash functions from the MD4 family. Over the years various results on the cryptanalysis of these functions have become available and this paper intends to summarize these results and their impact. We will describe attacks on MD4, MD5 and RIPEMD, and discuss the design and security of the hash functions SHA-1 and RIPEMD-160 which are included in the new standard ISO/IEC 10118-3.
2010
Recent years have witnessed an exceptional research interest in cryptographic hash functions, especially after the popular attacks against MD5 and SHA-1 in 2005. In 2007, the U.S. National Institute of Standards and Technology (NIST) also significantly boosted this interest by announcing a public competition to select the next hash function standard, to be named SHA-3. Not surprisingly, the hash function literature has since been growing at an extremely fast pace. In this paper, we provide a comprehensive, up-to-date discussion of the current state of the art of cryptographic hash function security and design. We first discuss the various hash function security properties and notions, then proceed to give an overview of how (and why) hash functions evolved over the years, giving rise to the current diverse hash function design approaches. * A short version of this paper is in . This version has been thoroughly extended. An identical version has been uploaded to the Cryptology ePrint Archive: eprint.iacr.org/2011/565
2011
Abstract Fugue is an intriguing hash function design with a novel shift-register based compression structure and has formal security proofs, e.g. against collision attacks. In this paper, we present an analysis of Fugue's structural properties, and describe our strategies to construct distinguishers for Fugue components.
2016
In today's information-based society, encryption along with the techniques for authentication and integrity are key to the security of information. Cryptographic hashing algorithms, such as the Secure Hashing Algorithms (SHA), are an integral part of the solution to the information security problem. This paper presents the state-of-the-art hashing algorithms including the security challenges for these hashing algorithms. It also covers the latest research on parallel implementations of these cryptographic algorithms. We present an analysis of serial and parallel implementations of these algorithms, both in hardware and in software, including an analysis of the performance and the level of protection offered against attacks on the algorithms.
2008
Hash functions are a very important cryptographic primitive. The collision resistance of provable hash functions relies on hard mathematical problems. This makes them very appealing for the cryptographic community since collision resistance is by far the most important property that a hash function should satisfy. However, provable hash functions tend to be slower than specially-designed hash functions like SHA, and their algebraic structure often implies homomorphic properties and weak behaviors on particular inputs. We introduce the ZesT hash function, a provable hash function that is based on the Zémor-Tillich hash function. ZesT is provably collision and preimage resistant if the balance problem corresponding to Zémor-Tillich is hard, a problem that has remained unbroken since CRYPTO'94. The function admits an ultra-lightweight implementation in ASIC and it is currently 2 to 3 times less efficient than SHA on FPGA, and 4 to 10 times slower than SHA in software. The function has structural parallelism, and its simplicity will certainly allow a much wider range of implementations and many code optimization techniques. A careful examination and pseudorandom tests performed with the Dieharder suite revealed no apparent malleability weakness, which suggests that the function can be used as a general-purpose hash function. Finally, ZesT can be slightly modified to reach all the requirements of the NIST competition. We stress that the hardness of the balance problem corresponding to Zémor-Tillich should be further studied and better established by the cryptography community. In that case, our function ZesT will definitely become a very appealing all-purpose hash function. Research Fellow of the Belgian Fund for Scientific Research (F.R.S.-FNRS) at Université catholique de Louvain (UCL). A member of BCRYPT network.
Submission to …, 2008
This paper proposes spongent -a family of lightweight hash functions with hash sizes of 88 (for preimage resistance only), 128, 160, 224, and 256 bits based on a sponge construction instantiated with a present-type permutation, following the hermetic sponge strategy. Its smallest implementations in ASIC require 738, 1060, 1329, 1728, and 1950 GE, respectively. To our best knowledge, at all security levels attained, it is the hash function with the smallest footprint in hardware published so far, the parameter being highly technology dependent. spongent offers a lot of flexibility in terms of serialization degree and speed. We explore some of its numerous implementation trade-offs. We furthermore present a security analysis of spongent. Basing the design on a present-type primitive provides confidence in its security with respect to the most important attacks. Several dedicated attack approaches are also investigated.
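spongent, like TWISTER π above, is a sponge: a fixed-width permutation, an r-bit rate into which message blocks are XORed, a c-bit capacity that input and output never touch, and digests squeezed r bits at a time. The following is an added example, not spongent's code. Its permutation is a toy (eight 32-bit words mixed by ChaCha-style quarter rounds), whereas spongent uses a present-type permutation on much smaller states; the rate, capacity, padding and digest sizes are constructed choices that mirror the 128/160/224/256-bit outputs in the abstract. What carries over is the mode, including the point that generic collision security is min(d/2, c/2) bits, so a larger digest buys nothing beyond the capacity.

```python
"""A sponge-construction hash with a toy ARX permutation.

Added example, not spongent's code. The permutation here is a ChaCha-style toy
over a 256-bit state; spongent's is present-type. The mode is the real sponge:
pad10*1 padding, XOR into the r-bit rate, a c-bit capacity never exposed, and
squeezing r bits per permutation call. Generic collision security is
min(d/2, c/2) bits, so with c = 128 bits every digest size below caps at 64.
"""
import struct

WORDS = 8                       # 256-bit state
RATE = 16                       # r = 128 bits per absorb/squeeze step
CAPACITY = WORDS * 4 - RATE     # c = 128 bits
ROUNDS = 12
MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


def _quarter(s: list[int], a: int, b: int, c: int, d: int) -> None:
    """ChaCha quarter round on four state words; each step is invertible."""
    s[a] = (s[a] + s[b]) & MASK
    s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK
    s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK
    s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK
    s[b] = _rotl(s[b] ^ s[c], 7)


def permute(state: bytes) -> bytes:
    """Toy 256-bit permutation: column and diagonal rounds plus a round constant."""
    s = list(struct.unpack("<8I", state))
    for r in range(ROUNDS):
        s[0] ^= r + 1                      # round constant breaks symmetry
        _quarter(s, 0, 1, 2, 3)
        _quarter(s, 4, 5, 6, 7)
        _quarter(s, 0, 5, 2, 7)
        _quarter(s, 4, 1, 6, 3)
    return struct.pack("<8I", *s)


def pad10star1(msg: bytes, rate: int) -> bytes:
    """Multi-rate padding: a 1 bit, zeros, a final 1 bit (byte level: 0x01 ... 0x80)."""
    padded = bytearray(msg) + b"\x01"
    padded += b"\x00" * (-len(padded) % rate)
    padded[-1] |= 0x80
    return bytes(padded)


def sponge_hash(msg: bytes, digest_len: int) -> bytes:
    """Absorb msg in RATE-byte blocks, then squeeze digest_len bytes."""
    state = bytes(WORDS * 4)
    padded = pad10star1(msg, RATE)
    for i in range(0, len(padded), RATE):
        block = padded[i:i + RATE] + bytes(CAPACITY)    # only the rate is XORed
        state = permute(bytes(a ^ b for a, b in zip(state, block)))
    out = b""
    while len(out) < digest_len:
        out += state[:RATE]                              # capacity bytes never leave
        if len(out) < digest_len:
            state = permute(state)
    return out[:digest_len]


if __name__ == "__main__":
    for d in (16, 20, 28, 32):      # 128-, 160-, 224- and 256-bit digests
        print(d * 8, sponge_hash(b"lightweight", d).hex())
```

Because the digest is never the whole state, the length-extension property of Merkle-Damgård does not apply: continuing from a digest would require the capacity bytes, which are not output.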