The SHAvite-3 Hash Function

In this document we present SHAvite-3, a secure and efficient hash function based on the HAIFA construction and the AES building blocks. SHAvite-3 uses well-understood primitives: a Feistel block cipher whose round function is built from the AES round function. SHAvite-3’s compression functions are secure against cryptanalysis, while the selected mode of iteration offers maximal security against black-box attacks on the hash function. SHAvite-3 is both fast and resource-efficient, making it suitable for a wide range of environments, from 8-bit platforms to 64-bit platforms (and beyond).
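The abstract names two ingredients, the HAIFA mode of iteration and a Feistel block cipher used inside the compression function, without showing how they fit together. The following Python is an added illustration, not code from the SHAvite-3 submission: it iterates a Davies-Meyer compression function C(h_{i-1}, M_i, #bits, salt) in HAIFA style, where the block cipher is a toy balanced Feistel keyed by the message block, the bit counter and the salt. Everything below the HAIFA interface is an assumption made for the demonstration: the round function is a keyed SHA-256 stand-in rather than AES rounds, the key schedule, block and state sizes, IV, round count and the 16-bit digest-size field in the padding are all constructed values, and the real SHAvite-3 compression function differs in all of these details.

```python
import hashlib
import struct

# Toy parameters for the illustration (constructed; not SHAvite-3's).
STATE_BYTES = 32                 # chaining value h_i (256 bits)
BLOCK_BYTES = 64                 # message block M_i (512 bits)
SALT_BYTES = 16
ROUNDS = 8
IV = bytes(range(STATE_BYTES))   # constructed IV (HAIFA derives one per digest size)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_function(half: bytes, subkey: bytes) -> bytes:
    # Stand-in for an AES-based round function: any keyed non-linear map from
    # a half-state to a half-state serves the purpose of this demonstration.
    return hashlib.sha256(subkey + half).digest()[: len(half)]


def toy_feistel_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Balanced Feistel cipher keyed by (message block || counter || salt)."""
    half = STATE_BYTES // 2
    left, right = plaintext[:half], plaintext[half:]
    for r in range(ROUNDS):
        subkey = hashlib.sha256(key + bytes([r])).digest()   # toy key schedule (assumption)
        left, right = right, _xor(left, _round_function(right, subkey))
    return left + right


def compress(h_prev: bytes, m_block: bytes, bits_so_far: int, salt: bytes) -> bytes:
    """HAIFA compression C(h_{i-1}, M_i, #bits, salt) in Davies-Meyer form:
    the chaining value is encrypted under a key derived from the other three
    inputs and XORed with itself, so the counter and salt change the key."""
    assert len(h_prev) == STATE_BYTES and len(m_block) == BLOCK_BYTES
    assert len(salt) == SALT_BYTES and bits_so_far >= 0
    key = m_block + struct.pack(">Q", bits_so_far) + salt
    return _xor(toy_feistel_encrypt(key, h_prev), h_prev)


def haifa_pad(message: bytes, digest_bits: int) -> bytes:
    """Append a 1 bit, zero bits, the 64-bit message length in bits and the
    digest size (16-bit field here; an assumption), to a block multiple."""
    tail = struct.pack(">Q", len(message) * 8) + struct.pack(">H", digest_bits)
    padded = message + b"\x80"
    while (len(padded) + len(tail)) % BLOCK_BYTES:
        padded += b"\x00"
    return padded + tail


def haifa_hash(message: bytes, salt: bytes = bytes(SALT_BYTES), digest_bits: int = 256) -> bytes:
    """Iterate the compression function over the padded message, feeding each
    block the number of message bits hashed so far and the salt."""
    padded = haifa_pad(message, digest_bits)
    total_bits = len(message) * 8
    h = IV
    for offset in range(0, len(padded), BLOCK_BYTES):
        block = padded[offset:offset + BLOCK_BYTES]
        start_bits = offset * 8
        if start_bits >= total_bits:
            counter = 0     # HAIFA convention: a padding-only block gets counter 0
        else:
            counter = min(start_bits + BLOCK_BYTES * 8, total_bits)
        h = compress(h, block, counter, salt)
    return h[: digest_bits // 8]


def counter_matters(h: bytes, block: bytes, salt: bytes) -> bool:
    """The same (h, M) pair compressed at two different positions yields
    different outputs; this is what denies an attacker position-independent
    fixed points and expandable messages in the HAIFA mode."""
    return compress(h, block, 512, salt) != compress(h, block, 1024, salt)


if __name__ == "__main__":
    print(haifa_hash(b"abc").hex())
    print(haifa_hash(b"abc", salt=bytes([1]) * SALT_BYTES).hex())
    print(counter_matters(IV, bytes(BLOCK_BYTES), bytes(SALT_BYTES)))
```

The points to take from running it are the ones the abstract attributes to the mode of iteration rather than to the cipher: changing the salt or the digest size changes every compression call, so a 128-bit digest is not a truncation of the 256-bit one, and the same message block compresses differently at different positions in the message.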
