
Issue No. 10, Oct. 2013 (vol. 62)

pp. 2041-2053

Andrey Bogdanov, Katholieke Universiteit Leuven, Leuven

Miroslav Knezevic, NXP Semiconductors, Leuven

Gregor Leander, Technical University of Denmark, Lyngby

Deniz Toz, Katholieke Universiteit Leuven, Leuven

Kerem Varici, Katholieke Universiteit Leuven, Leuven

Ingrid Verbauwhede, Katholieke Universiteit Leuven, Leuven

DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/TC.2012.196

ABSTRACT

The design of secure yet efficiently implementable cryptographic algorithms is a fundamental problem of cryptography. Lately, lightweight cryptography, which optimizes algorithms to fit the most constrained environments, has received a great deal of attention, with recent research focused mainly on building block ciphers. In contrast, the design of lightweight hash functions is still far from well investigated, with only a few proposals in the public domain. In this paper, we aim to address this gap by exploring the design space of lightweight hash functions based on the sponge construction instantiated with PRESENT-type permutations. The resulting family of hash functions is called spongent. We propose 13 spongent variants, for different levels of collision and (second) preimage resistance as well as for various implementation constraints. For each of them, we provide several ASIC hardware implementations, ranging from the lowest area to the highest throughput. We make efforts to address the fairness of comparison with other designs in the field by providing an exhaustive hardware evaluation on various technologies, including an open core library. We also prove essential differential properties of spongent permutations, give a security analysis in terms of collision and preimage resistance, and study dedicated linear distinguishers in detail.
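To make the construction the abstract describes concrete, the following is an added illustration of a sponge-based hash over a PRESENT-type permutation. It is not spongent's specification and not the authors' code: only the 4-bit PRESENT S-box and the PRESENT-style bit permutation (for a 64-bit state, exactly PRESENT's P(i) = 16·i mod 63) come from the PRESENT design; the state width, rate, round count, round-constant schedule and output length are assumptions chosen for illustration and match no spongent variant. What it shows is the shape of the construction: message blocks of `rate` bits are XORed into the outer part of the state with a permutation call after each block (absorb), then output is read `rate` bits at a time with a permutation call between reads (squeeze), so the `capacity = width - rate` bits that are never exposed are what the generic security bounds depend on.

```python
# Added example (not spongent's specification, not the paper's code): a
# sponge-construction hash over a toy PRESENT-type permutation. Assumptions for
# illustration: 64-bit state, 8-bit rate, 10 rounds, round constant r+1.

# The 4-bit S-box of the PRESENT block cipher.
PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


def sbox_layer(state: int, width: int) -> int:
    """Apply the PRESENT S-box to every nibble of a width-bit state."""
    out = 0
    for i in range(width // 4):
        out |= PRESENT_SBOX[(state >> (4 * i)) & 0xF] << (4 * i)
    return out


def bit_permutation(state: int, width: int) -> int:
    """PRESENT-style pLayer: bit j moves to j*width/4 mod (width-1) and the
    last bit is fixed. For width 64 this is PRESENT's P(i) = 16*i mod 63."""
    out = 0
    for j in range(width):
        dst = j if j == width - 1 else (j * width // 4) % (width - 1)
        if (state >> j) & 1:
            out |= 1 << dst
    return out


def toy_permutation(state: int, width: int, rounds: int) -> int:
    """Iterated round: round constant, S-box layer, bit permutation.
    XORing r+1 into the low bits is an assumption made for illustration; it
    only serves to make the rounds differ from one another."""
    for r in range(rounds):
        state ^= r + 1
        state = sbox_layer(state, width)
        state = bit_permutation(state, width)
    return state


def pad10star1(msg: bytes, rate_bytes: int) -> bytes:
    """Sponge pad10*1 on bytes: a 1 bit, zero bits, then a final 1 bit, so
    the padded length is a multiple of the rate and the padding is invertible."""
    padded = bytearray(msg)
    padded.append(0x01)
    while len(padded) % rate_bytes:
        padded.append(0x00)
    padded[-1] |= 0x80
    return bytes(padded)


def sponge_hash(msg: bytes, width: int = 64, rate: int = 8,
                rounds: int = 10, out_len: int = 8) -> bytes:
    """Absorb `rate`-bit blocks into the outer (low) part of the state with a
    permutation after each block, then squeeze `rate` bits per permutation
    call. The remaining capacity = width - rate bits never leave the state."""
    assert width % 4 == 0 and rate % 8 == 0 and rate < width
    rate_bytes = rate // 8
    mask = (1 << rate) - 1
    padded = pad10star1(msg, rate_bytes)

    state = 0
    for i in range(0, len(padded), rate_bytes):  # absorbing phase
        state ^= int.from_bytes(padded[i:i + rate_bytes], "little")
        state = toy_permutation(state, width, rounds)

    out = bytearray()
    while True:  # squeezing phase
        out += (state & mask).to_bytes(rate_bytes, "little")
        if len(out) >= out_len:
            return bytes(out[:out_len])
        state = toy_permutation(state, width, rounds)


if __name__ == "__main__":
    print(sponge_hash(b"constructed sample input").hex())
```

The bit permutation is a bijection only when width/4 and width-1 are coprime (true for 64 bits, as in PRESENT), which is why the permutation-layer parameters cannot be chosen freely when scaling the state; the tests below check that property by tracking each single-bit input.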

INDEX TERMS

Resistance, Photonics, Hardware, Standards, RFID, Hash function, lightweight cryptography, low-cost cryptography, low-power design, sponge construction, present, spongent

CITATION

Andrey Bogdanov, Miroslav Knezevic, Gregor Leander, Deniz Toz, Kerem Varici, Ingrid Verbauwhede, "SPONGENT: The Design Space of Lightweight Cryptographic Hashing",

*IEEE Transactions on Computers*, vol. 62, no. 10, pp. 2041-2053, Oct. 2013, doi:10.1109/TC.2012.196