This report describes the SWIFFTX hash function. It is part of our submission package to the SHA-3 hash function competition. The SWIFFTX compression functions have a simple and mathematically elegant design, which makes them highly amenable to analysis and optimization. In addition, they enjoy two unconventional features:

Asymptotic proof of security: it can be formally proved that finding a collision in a randomly chosen compression function from the SWIFFTX family is at least as hard as finding short vectors in cyclic/ideal lattices in the worst case.

High parallelizability: the compression function admits efficient implementations on modern microprocessors. This can be achieved even without relying on multi-core capabilities, and is obtained through a novel cryptographic use of the Fast Fourier Transform (FFT).

The main building block of SWIFFTX is the SWIFFT family of compression functions, presented at the 2008 workshop on Fast Software Encryption (Lyubashevsky et al., FSE’08). Great care was taken in making sure that SWIFFTX does not inherit the major shortcoming of SWIFFT, namely linearity, while preserving its provable collision resistance. The SWIFFTX compression function maps 2048 input bits to 520 output bits. The mode of operation that we employ is HAIFA (Biham and Dunkelman, 2007), resulting in a hash function that accepts inputs of any length up to 2^64 − 1 bits, and produces message digests of the SHA-3 required lengths of 224, 256, 384 and 512 bits.

∗Mobileye Inc., Israel.
†Tel-Aviv University, Israel. E-mail: vlyubash@cs.ucsd.edu.
‡University of California at San Diego. E-mail: daniele@cs.ucsd.edu. Supported by the National Science Foundation under Grant CCF-0634909. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation.
§SRI International. E-mail: cpeikert@alum.mit.edu. Supported by the National Science Foundation under Grants CNS-0716786 and CNS-0749931. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation.
¶IDC Herzliya, Israel. E-mail: alon.rosen@idc.ac.il.
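To make the building block concrete, here is an added Python model of the SWIFFT compression function described above; it is not code from the SWIFFTX submission, and the parameters p = 257, n = 64, m = 16 (taken from the FSE'08 paper), the random key and the sample inputs are assumptions or constructed here. It computes the digest as a fixed Z_p-linear combination of the input polynomials after the FFT step (a direct evaluation at the roots of α^n + 1 standing in for the butterfly network of a real implementation), and its last function checks the linearity that the abstract names as SWIFFT's shortcoming, H(x) + H(y) = H(x + y).

```python
import random
# FSE'08 SWIFFT parameters (assumed, not in the abstract): Z_257[a]/(a^64 + 1), m = 16 polys of n = 64 bits
P, N, M = 257, 64, 16

def primitive_2n_root(p, n):
    """Element of order exactly 2n mod p (n a power of two, 2n | p-1)."""
    assert n & (n - 1) == 0 and (p - 1) % (2 * n) == 0
    for g in range(2, p):
        w = pow(g, (p - 1) // (2 * n), p)
        if pow(w, n, p) != 1:  # order divides 2n but not n, hence equals 2n
            return w
    raise ValueError("no element of order 2n")

W = primitive_2n_root(P, N)  # its odd powers are exactly the roots of a^n + 1

def fft_negacyclic(coeffs):
    """Linear 'FFT' step: evaluate the polynomial at w, w^3, ..., w^(2n-1); a bijection
    on Z_p^n. Direct O(n^2) evaluation here; the real code uses a butterfly network."""
    return [sum(c * pow(W, (2 * j + 1) * k, P) for k, c in enumerate(coeffs)) % P
            for j in range(N)]

def swifft(key, x):
    """key: m vectors of n fixed random multipliers a_i in Z_p (evaluation form).
    x: m polynomials given as n bits. Digest = sum_i a_i * FFT(x_i), pointwise."""
    assert len(key) == M and len(x) == M
    digest = [0] * N
    for a_i, x_i in zip(key, x):
        y = fft_negacyclic(x_i)
        for j in range(N):
            digest[j] = (digest[j] + a_i[j] * y[j]) % P
    return digest

def random_key(seed):
    """Constructed sample key: the multipliers SWIFFT fixes once at random."""
    rng = random.Random(seed)
    return [[rng.randrange(P) for _ in range(N)] for _ in range(M)]

def random_input(seed):
    """Constructed sample message of m * n = 1024 bits."""
    rng = random.Random(seed)
    return [[rng.randrange(2) for _ in range(N)] for _ in range(M)]

def add_mod_p(x, y):
    return [[(u + v) % P for u, v in zip(xi, yi)] for xi, yi in zip(x, y)]

def linearity_holds(key, x, y):
    """SWIFFT's shortcoming: every step is Z_p-linear, so H(x) + H(y) == H(x + y)
    coefficient-wise mod p for all x, y. SWIFFTX is designed to break this."""
    hx, hy, hxy = swifft(key, x), swifft(key, y), swifft(key, add_mod_p(x, y))
    return all((u + v) % P == w for u, v, w in zip(hx, hy, hxy))
```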
[1] David A. Wagner et al. A Generalized Birthday Problem. CRYPTO, 2002.
[2] Adam Tauman Kalai et al. Noise-tolerant learning, the parity problem, and the statistical query model. STOC '00, 2000.
[3] Daniele Micciancio et al. Generalized Compact Knapsacks Are Collision Resistant. ICALP, 2006.
[4] Chris Peikert et al. Efficient Collision-Resistant Hashing from Worst-Case Assumptions on Cyclic Lattices. TCC, 2006.
[5] Daniele Micciancio. Generalized Compact Knapsacks, Cyclic Lattices, and Efficient One-Way Functions. Computational Complexity, 2007.
[6] Eli Biham et al. A Framework for Iterative Hash Functions - HAIFA. IACR Cryptology ePrint Archive, 2007.
[7] Chris Peikert et al. Lattices that admit logarithmic worst-case to average-case connection factors. STOC '07, 2007.
[8] Vadim Lyubashevsky et al. Lattice-Based Identification Schemes Secure Under Active Attacks. Public Key Cryptography, 2008.
[9] Chris Peikert et al. SWIFFT: A Modest Proposal for FFT Hashing. FSE, 2008.