2011, Lecture Notes in Computer Science
In this work, we provide a software benchmark for a large range of 256-bit blockcipher-based hash functions. We instantiate the underlying blockcipher with AES, which allows us to exploit the recent AES instruction set (AES-NI). Since AES itself only outputs 128 bits, we consider double-block-length constructions, as well as (single-block-length) constructions based on RIJNDAEL-256. Although we primarily target architectures supporting AES-NI, our framework has much broader applications by estimating the performance of these hash functions on any (micro-)architecture given AES-benchmark results. As far as we are aware, this is the first comprehensive performance comparison of multiblock-length hash functions in software.
2013 International Conference on Security and Cryptography (SECRYPT), 2013
In this paper, we propose a hash function that takes advantage of the AES-NI and other Single-Instruction Multiple-Data operations on Intel x64 platforms to generate digests very efficiently. It is suitable for applications in which a server needs to securely hash electronic documents at a rate of several cycles/byte. This makes it much more efficient for certain applications than SHA-2, SHA-3 or any of the SHA-3 finalists. On the common Sandy Bridge micro-architecture, our hash function, AVON, has a throughput of 2.65 cycles per byte while retaining a high degree of security.
2018 IEEE Canadian Conference on Electrical & Computer Engineering (CCECE), 2018
With embedded devices collecting, manipulating, and transmitting growing amounts of data in various Internet of Things applications, it is increasingly important to process data on device for performance and energy efficiency. A common data processing function is computing hash functions for use in hash-based data structures and algorithms. The limited computation and memory resources of embedded devices result in different performance characteristics compared to general purpose computers. This research implements and experimentally evaluates the performance of non-cryptographic hash functions. Seven hash function algorithms were chosen on the basis of implementation complexity, popularity, and compatibility with microcontroller architecture. These functions were implemented in C/C++ for the ATmega328P 8-bit microcontroller used in the Arduino Uno, and on the Microchip PIC24 16-bit microcontroller. Some optimizations were implemented to reduce memory usage. Experimental results demonstrate that there are platform-specific performance differences.
2012 IEEE 23rd International Conference on Application-Specific Systems, Architectures and Processors, 2012
In this paper, we investigate the benefits of instruction set extensions (ISEs) on a 16-bit microcontroller architecture for software implementations of cryptographic hash functions, using the example of the five SHA-3 final round candidates. We identify the general algorithm bottlenecks, taking into account memory footprints and cycle counts of our optimized reference assembly implementations. We show that our target applications benefit from algorithm-specific ISEs based on finite state machines for address generation, lookup table integration, and extension of computational units through microcoded instructions. The gains in throughput, memory consumption, and the area overhead are assessed, by implementing the modified cores and applications utilizing the developed ISEs. Our results show that with less than 10% additional core area, it is possible to increase the execution speed on average by 172% (ranging from 21% to 703%), while reducing memory requirements on average by more than 40%.
Software: Practice and Experience, 2016
Random hashing can provide guarantees regarding the performance of data structures such as hash tables, even in an adversarial setting. Many existing families of hash functions are universal: given two data objects, the probability that they have the same hash value is low given that we pick hash functions at random. However, universality fails to ensure that all hash functions are well behaved. We might further require regularity: when picking data objects at random they should have a low probability of having the same hash value, for any fixed hash function. We present the efficient implementation of a family of non-cryptographic hash functions (PM+) offering good running times, good memory usage as well as distinguishing theoretical guarantees: almost universality and component-wise regularity. On a variety of platforms, our implementations are comparable to the state of the art in performance. On recent Intel processors, PM+ achieves a speed of 4.7 bytes per cycle for 32-bit outputs and 3.3 bytes per cycle for 64-bit outputs. We review vectorization through SIMD instructions (e.g., AVX2) and optimizations for superscalar execution.
Lecture Notes in Computer Science, 2014
In this paper, we propose a new lightweight hash function supporting three different digest sizes: 80, 96 and 128 bits, providing preimage security from 64 to 120 bits, second preimage and collision security from 40 to 60 bits. LHash requires about 817 GE and 1028 GE with a serialized implementation. In faster implementations based on function T, LHash requires 989 GE and 1200 GE with 54 and 72 cycles per block, respectively. Furthermore, its energy consumption evaluated by energy per bit is also remarkable. LHash allows to make trade-offs among security, speed, energy consumption and implementation costs by adjusting parameters. The design of LHash employs a kind of Feistel-PG structure in the internal permutation, and this structure can utilize permutation layers on nibbles to improve the diffusion speed. The adaptability of LHash in different environments is good, since different versions of LHash share the same basic computing module. The low-area implementation comes from the hardware-friendly Sbox and linear diffusion layer. We evaluate the resistance of LHash against known attacks and confirm that LHash provides a good security margin.
MILCOM 2008 - 2008 IEEE Military Communications Conference, 2008
On November 2, 2007, NIST (United States National Institute of Standards and Technology) announced an initiative to design a new secure hash function for this century, to be called SHA-3. The competition will be open and it is planned to conclude in 2012. These developments are quite similar to the recent history of symmetric block ciphers: breaking of the DES (Data Encryption Standard) and emergence of the AES (Advanced Encryption Standard) in 2001 as the winner of a multiyear NIST competition. In this paper we make a case that parallelizability should be one of the properties sought in the new SHA-3 design. We present a design concept for a parallelizable hash function called PHASH based on a block cipher, and we discuss PHASH's performance and security.
Lecture Notes in Computer Science, 1997
This paper considers hash functions based on block ciphers. It presents a new attack on the compression function of the 128-bit hash function MDC-4 using DES with a complexity far less than one would expect, and proposes new constructions of fast and secure compression functions based on error-correcting codes and m-bit block ciphers with an m-bit key. This leads to simple and practical hash function constructions based on block ciphers such as DES, where the key size is slightly smaller than the block size, IDEA, where the key size is twice the block size and to MD4-like hash functions. Under reasonable assumptions about the underlying block cipher, we obtain collision resistant compression functions. Finally we provide examples of hashing constructions based on both DES and IDEA more efficient than previous proposals and discuss applications of our approach for MD4-like hash functions.
International Journal of Computer Network and Information Security, 2021
A blockchain, or in other words a chain of transaction blocks, is a distributed database that maintains an ordered chain of blocks that reliably connect the information contained in them. Copies of chain blocks are usually stored on multiple computers and synchronized in accordance with the rules of building a chain of blocks, which provides secure and change-resistant storage of information. To build linked lists of blocks hashing is used. Hashing is a special cryptographic primitive that provides one-way, resistance to collisions and search for prototypes computation of hash value (hash or message digest). In this paper a comparative analysis of the performance of hashing algorithms that can be used in modern decentralized blockchain networks is conducted. Specifically, the hash performance on different desktop systems, the number of cycles per byte (Cycles/byte), the amount of hashed message per second (MB/s) and the hash rate (KHash/s) are investigated. The comparative analysis...
Lecture Notes in Computer Science, 2008
Hash functions play an important role in various cryptographic applications. Modern cryptography relies on a few but supposedly well analyzed hash functions which are mostly members of the so-called MD4-family. This work shows whether it is possible, using special-purpose hardware, to significantly speed up collision search for MD4-family hash functions. A thorough analysis of the computational requirements for MD4-family hash functions and corresponding collision attacks reveals that a microprocessor based architecture is best suited for the implementation of collision search algorithms. Consequently, we designed and implemented a (concerning MD4-family hash-functions) general-purpose microprocessor with minimal area requirements and, based on this, a full collision search unit. Comparing the performance characteristics of both ASICs with standard PC processors and clusters, it turns out that our design, massively parallelized, is nearly four times more cost-efficient than parallelized standard PCs. With further optimizations, we believe that this factor can even be improved.
2016
In today’s information-based society, encryption along with the techniques for authentication and integrity are key to the security of information. Cryptographic hashing algorithms, such as the Secure Hashing Algorithms (SHA), are an integral part of the solution to the information security problem. This paper presents the state of art hashing algorithms including the security challenges for these hashing algorithms. It also covers the latest research on parallel implementations of these cryptographic algorithms. We present an analysis of serial and parallel implementations of these algorithms, both in hardware and in software, including an analysis of the performance and the level of protection offered against attacks on the algorithms.
This paper proposes spongent - a family of lightweight hash functions with hash sizes of 88 (for preimage resistance only), 128, 160, 224, and 256 bits based on a sponge construction instantiated with a present-type permutation, following the hermetic sponge strategy. Its smallest implementations in ASIC require 738, 1060, 1329, 1728, and 1950 GE, respectively. To our best knowledge, at all security levels attained, it is the hash function with the smallest footprint in hardware published so far, the parameter being highly technology dependent. spongent offers a lot of flexibility in terms of serialization degree and speed. We explore some of its numerous implementation trade-offs. We furthermore present a security analysis of spongent. Basing the design on a present-type primitive provides confidence in its security with respect to the most important attacks. Several dedicated attack approaches are also investigated.
Lecture Notes in Computer Science, 1999
This paper compares the parameter sizes and software performance of several recent constructions for universal hash functions: bucket hashing, polynomial hashing, Toeplitz hashing, division hashing, evaluation hashing, and MMH hashing. An objective comparison between these widely varying approaches is achieved by defining constructions that offer a comparable security level. It is also demonstrated how the security of these constructions compares favorably to existing MAC algorithms, the security of which is less understood. F.W.O. postdoctoral researcher, sponsored by the Fund for Scientific Research-Flanders (Belgium). Throughout this paper performance numbers will be given for a 200 MHz Pentium.
cerc.wvu.edu
Hash functions have numerous applications in cryptography, from public key to cryptographic protocols and cryptosystems. Evidently, substantial effort was invested on designing "secure" hash functions, unintentionally overlooking other engineering aspects that may affect their use in practice. However, we argue that in some applications, the efficiency of hash functions is as important as their security. Unlike most of the existing related works in the literature (which merely report on efficiency figures of some popular hash functions without discussing how and why these results were obtained), we not only discuss how to carry out efficiency evaluations, we also provide a set of optimization guidelines to assist implementers in optimizing their implementations. We demonstrate this by adopting an existing SHA-1/SHA-2 implementation and show how minor optimization can lead to significant efficiency improvements.
International Journal of Applied Cryptography, 2010
In this paper we present TWISTER π, a framework for hash functions. It is an improved version of TWISTER, a candidate of the NIST SHA-3 hash function competition. TWISTER π is built upon the ideas of wide pipe and sponge functions. The core of this framework is a - very easy to analyse - Twister-Round providing both extremely fast diffusion as well as collision-freeness for one internal Twister-Round. The total security level is claimed to be not below $2^{n/2}$ for collision attacks and $2^n$ for (2nd) pre-image attacks. TWISTER π instantiations are secure against all known generic attacks. We also propose two instances TWISTER π-n for hash output sizes n = 256 and n = 512. These instantiations are highly optimised for 64-bit architectures and run very fast in hardware and software, e.g. TWISTER π-256 is faster than SHA2-256 on 64-bit platforms and TWISTER π-512 is faster than SHA2-512 on 32-bit platforms. Furthermore, TWISTER π scales very well on low-end platforms.
The design of secure yet efficiently implementable cryptographic algorithms is a fundamental problem of cryptography. Lately, lightweight cryptography - optimizing the algorithms to fit the most constrained environments - has received a great deal of attention, the recent research being mainly focused on building block ciphers. As opposed to that, the design of lightweight hash functions is still far from being well-investigated with only few proposals in the public domain. In this article, we aim to address this gap by exploring the design space of lightweight hash functions based on the sponge construction instantiated with present-type permutations. The resulting family of hash functions is called spongent. We propose 13 spongent variants - for different levels of collision and (second) preimage resistance as well as for various implementation constraints. For each of them we provide several ASIC hardware implementations - ranging from the lowest area to the highest throughput. We make efforts to address the fairness of comparison with other designs in the field by providing an exhaustive hardware evaluation on various technologies, including an open core library. We also prove essential differential properties of spongent permutations, give a security analysis in terms of collision and preimage resistance, as well as study in detail dedicated linear distinguishers.
2002
Hash functions are among the most widespread cryptographic primitives, and are currently used in multiple cryptographic schemes and security protocols such as IPSec and SSL. In this paper, we compare and contrast hardware implementations of the newly proposed draft hash standard SHA-512, and the old standard, SHA-1. In our implementation based on Xilinx Virtex FPGAs, the throughput of SHA-512 is equal to 670 Mbit/s, compared to 530 Mbit/s for SHA-1. Our analysis shows that the newly proposed hash standard is not only orders of magnitude more secure, but also significantly faster than the old standard. The basic iterative architectures of both hash functions are faster than the basic iterative architectures of symmetric-key ciphers with equivalent security.
Abstract: A hash function maps a variable length input into a fixed length output. The hash functions that are used in the information security related applications are referred to as cryptographic hash functions. Hash functions are being used as building blocks of many complex cryptographic mechanisms and protocols. Construction of a hash function consists of two components. The first component is a compression function and the second component is a domain extender.
10th IEEE International Conference on Electronics, Circuits and Systems, 2003. ICECS 2003. Proceedings of the 2003
Today, security is a topic which attracts the great interest of researchers. Many encryption algorithms have been investigated, and developed in the last years. The research community efforts are also centered to the efficient implementation of them, in both software platforms and hardware devices. This work is related to hash functions FPGA implementation. Two different hash functions are studied: RIPEMD-160 and SHA-1. A high speed architecture is proposed for the implementation of both of them in the same hardware module. The proposed system reaches throughput values equal to 1,4 for SHA-1 and 1,6 for RIPEMD-160. The proposed system is compared with other related works in both software and hardware.
2007
A function that compresses an arbitrarily large message into a fixed small size ‘message digest’ is known as a hash function. For the last two decades, many types of hash functions have been defined, but the most widely used in many of the cryptographic applications currently are hash functions based on block ciphers and the dedicated hash functions. Almost all the dedicated hash functions are generated using the Merkle-Damgard construction which was developed independently by Merkle and Damgard in 1989 [6, 7]. A hash function is said to be broken if an attacker is able to show that the design of the hash function violates at least one of its claimed security properties. There are various types of attacking strategies found on hash functions, such as attacks based on the block ciphers, attacks depending on the algorithm, attacks independent of the algorithm, attacks based on signature schemes, and high level attacks. Besides this, in recent years, many structural weaknesses have been f...
Lecture Notes in Computer Science, 1990
We present a new hash-function, which provides 2n-bit hash-results, using any n-bit symmetric block cipher algorithm. This hash-function can be considered as an extension of an already known one, which only provided n-bit hash-results. The difference is crucial, because a lot of symmetric block cipher algorithms use 64-bit blocks and recent works have shown that a 64-bit hash-result is greatly insufficient.