
    The Lane hash function

    We propose the cryptographic hash function Lane as a candidate for the SHA-3 competition organised by NIST. Lane is an iterated hash function supporting multiple digest sizes. Components of the AES block cipher are reused as building blocks. Lane aims to be secure, easy to understand, elegant and flexible in implementation.

    Whirlwind: a new cryptographic hash function

    A new cryptographic hash function Whirlwind is presented. We give the full specification and explain the design rationale. We show how the hash function can be implemented efficiently in software and give first performance numbers. A detailed analysis of the security against state-of-the-art cryptanalysis methods is also provided. In comparison to the algorithms submitted to the SHA-3 competition, Whirlwind takes recent developments in cryptanalysis into account by design. Even though software performance is not outstanding, it compares favourably with the 512-bit versions of SHA-3 candidates such as LANE or the original CubeHash proposal and is about on par with ECHO and MD6

    Finding Bugs in Cryptographic Hash Function Implementations

    Cryptographic hash functions are security-critical algorithms with many practical applications, notably in digital signatures. Developing an approach to test them can be particularly difficult, and bugs can remain unnoticed for many years. We revisit the NIST hash function competition, which was used to develop the SHA-3 standard, and apply a new testing strategy to all available reference implementations. Motivated by the cryptographic properties that a hash function should satisfy, we develop four tests. The Bit-Contribution Test checks if changes in the message affect the hash value, and the Bit-Exclusion Test checks that changes beyond the last message bit leave the hash value unchanged. We develop the Update Test to verify that messages are processed correctly in chunks, and then use combinatorial testing methods to reduce the test set size by several orders of magnitude while retaining the same fault-detection capability. Our tests detect bugs in 41 of the 86 reference implementations submitted to the SHA-3 competition, including the rediscovery of a bug in all submitted implementations of the SHA-3 finalist BLAKE. This bug remained undiscovered for seven years, and is particularly serious because it provides a simple strategy to modify the message without changing the hash value returned by the implementation. We detect these bugs using a fully-automated testing approach

    A Study on RAM Requirements of Various SHA-3 Candidates on Low-cost 8-bit CPUs

    In this paper, we compare the implementation costs of various SHA-3 candidates on low-cost 8-bit CPUs by estimating their RAM/ROM requirements. As a first step toward this kind of research, our comparison relies on reasonable estimates of the RAM/ROM requirements that can be made without an implementation.

    FPGA Implementations of SHA-3 Candidates: CubeHash, Grøstl, Lane, Shabal and Spectral Hash

    Hash functions are widely used in, and form an important part of, many cryptographic protocols. Currently, a public competition is underway to find a new hash algorithm(s) for inclusion in the NIST Secure Hash Standard (SHA-3). Computational efficiency of the algorithms in hardware will form one of the evaluation criteria. In this paper, we focus on five of these candidate algorithms, namely CubeHash, Grøstl, Lane, Shabal and Spectral Hash. Using Xilinx Spartan-3 and Virtex-5 FPGAs, we present architectures for each of these hash functions, and explore area-speed trade-offs in each design. The efficiency of various architectures for the five hash functions is compared in terms of throughput per unit area. To the best of the authors' knowledge, this is the first such comparison of these SHA-3 candidates in the literature.

    Blockchains in public administration

    In this thesis, we cover blockchain applications in public administration. First we cover components related to blockchain technology. We cover especially issues related to the management of digital evidence, electronic voting, and health data. In the beginning we cover hash functions and the general structure of the blockchain. Then we cover the cryptocurrency Bitcoin as an example of blockchain technology. The management of digital evidence is covered by evaluating three published studies. Likewise, the applications related to voting are evaluated in the light of three publications. Lastly, the management of health data is covered by evaluating three publications. For each of the three areas, we present an estimation of the applicability of blockchain technology, in the form presented in the evaluated publications. Additionally, we cover a few other potential blockchain application areas. Finally, we present the general evaluation of blockchain applicability to public administration and the conclusions.

    Efficient Hashing Using the AES Instruction Set

    In this work, we provide a software benchmark for a large range of 256-bit blockcipher-based hash functions. We instantiate the underlying blockcipher with AES, which allows us to exploit the recent AES instruction set (AES-NI). Since AES itself only outputs 128 bits, we consider double-block-length constructions, as well as (single-block-length) constructions based on RIJNDAEL-256. Although we primarily target architectures supporting AES-NI, our framework has much broader applications by estimating the performance of these hash functions on any (micro-)architecture given AES-benchmark results. As far as we are aware, this is the first comprehensive performance comparison of multi-block-length hash functions in software.

    Differential and invertibility properties of BLAKE (full version)

    BLAKE is a hash function selected by NIST as one of the 14 second round candidates for the SHA-3 Competition. In this paper, we follow a bottom-up approach to exhibit properties of BLAKE and of its building blocks: based on differential properties of the internal function G, we show that a round of BLAKE is a permutation on the message space, and present an efficient inversion algorithm. For 1.5 rounds we present an algorithm that finds preimages faster than in previous attacks. Discovered properties lead us to describe large classes of impossible differentials for two rounds of BLAKE's internal permutation, and particular impossible differentials for five and six rounds, respectively for BLAKE-32 and BLAKE-64. Then, using a linear and rotation-free model, we describe near-collisions for four rounds of the compression function. Finally, we discuss the problem of establishing upper bounds on the probability of differential characteristics for BLAKE.

    A New Algorithm for the Unbalanced Meet-in-the-Middle Problem

    A collision search for a pair of n-bit unbalanced functions (one is R times more expensive than the other) is an instance of the meet-in-the-middle problem, solved with the familiar standard algorithm that follows the tradeoff TM = N, where T and M are time and memory complexities and N = 2^n. By combining two ideas, unbalanced interleaving and Oorschot-Wiener parallel collision search, we construct an alternative algorithm that follows T^2 M = R^2 N, where M ≤ R. Among others, the algorithm solves the well-known open problem: how to reduce the memory of unbalanced collision search.

    The Sum Can Be Weaker Than Each Part

    In this paper we study the security of summing the outputs of two independent hash functions, in an effort to increase the security of the resulting design, or to hedge against the failure of one of the hash functions. The exclusive-or (XOR) combiner H1(M)+H2(M) is one of the two most classical combiners, together with the concatenation combiner H1(M)||H2(M). While the security of the concatenation of two hash functions is well understood since Joux's seminal work on multicollisions, the security of the sum of two hash functions has been much less studied. The XOR combiner is well known as a good PRF and MAC combiner, and is used in practice in TLS versions 1.0 and 1.1. In a hash function setting, Hoch and Shamir have shown that if the compression functions are modeled as random oracles, or even weak random oracles (i.e. they can easily be inverted -- in particular H1 and H2 offer no security), H1+H2 is indifferentiable from a random oracle up to the birthday bound. In this work, we focus on the preimage resistance of the sum of two narrow-pipe n-bit hash functions, following the Merkle-Damgård or HAIFA structure (the internal state size and the output size are both n bits). We show a rather surprising result: the sum of two such hash functions, e.g. SHA-512+Whirlpool, can never provide n-bit security for preimage resistance. More precisely, we present a generic preimage attack with a complexity of O(2^{5n/6}). While it is already known that the XOR combiner is not preserving for preimage resistance (i.e. there might be some instantiations where the hash functions are secure but the sum is not), our result is much stronger: for any narrow-pipe functions, the sum is not preimage resistant. Besides, we also provide concrete preimage attacks on the XOR combiner (and the concatenation combiner) when one or both of the compression functions are weak; this complements Hoch and Shamir's proof by showing its tightness for preimage resistance. Of independent interest, one of our main technical contributions is a novel structure to control simultaneously the behavior of independent hash computations which share the same input message. We hope that breaking the pairwise relationship between their internal states will have applications in related settings.