Haraka v2 – Efficient Short-Input Hashing for Post-Quantum Applications

Authors

  • Stefan Kölbl Department of Applied Mathematics and Computer Science (DTU Compute), Technical University of Denmark, Kongens Lyngby, Denmark
  • Martin M. Lauridsen InfoSec Global Ltd., Zurich, Switzerland
  • Florian Mendel Institute of Applied Information Processing and Communications (IAIK), Graz University of Technology, Graz, Austria
  • Christian Rechberger Department of Applied Mathematics and Computer Science (DTU Compute), Technical University of Denmark, Kongens Lyngby, Denmark;Institute of Applied Information Processing and Communications (IAIK), Graz University of Technology, Graz, Austria

DOI:

https://doi.org/10.13154/tosc.v2016.i2.1-29

Keywords:

Cryptographic hash functions, second-preimage resistance, AES-NI, hash-based signatures, post-quantum

Abstract

Recently, many efficient cryptographic hash function design strategies have been explored, not least because of the SHA-3 competition. These designs are, almost exclusively, geared towards high performance on long inputs. However, various applications exist where the performance on short (fixed length) inputs matters more. Such hash functions are the bottleneck in hash-based signature schemes like SPHINCS or XMSS, which is currently under standardization. Secure functions specifically designed for such applications are scarce. We attend to this gap by proposing two short-input hash functions (or rather simply compression functions). By utilizing AES instructions on modern CPUs, our proposals are the fastest on such platforms, reaching throughputs below one cycle per hashed byte even for short inputs, while still having a very low latency of less than 60 cycles. Under the hood, this results comes with several innovations. First, we study whether the number of rounds for our hash functions can be reduced, if only second-preimage resistance (and not collision resistance) is required. The conclusion is: only a little. Second, since their inception, AES-like designs allow for supportive security arguments by means of counting and bounding the number of active S-boxes. However, this ignores powerful attack vectors using truncated differentials, including the powerful rebound attacks. We develop a general tool-based method to include arguments against attack vectors using truncated differentials.

Downloads

Published

2017-02-03

How to Cite

Kölbl, S., Lauridsen, M. M., Mendel, F., & Rechberger, C. (2017). Haraka v2 – Efficient Short-Input Hashing for Post-Quantum Applications. IACR Transactions on Symmetric Cryptology, 2016(2), 1–29. https://doi.org/10.13154/tosc.v2016.i2.1-29

Issue

Section

Articles