Authors: Emmanuel Bresson, Anne Canteaut, Thomas Fuhr, Thomas Icart, María Naya-Plasencia, Pascal Paillier, Jean-René Reinhard, Marion Videau

Note: This work was partially supported by the French Agence Nationale de la Recherche through the SAPHIR2 project under Contract ANR-08-VERS-014.

Download:

Internall Distinguishers in Indifferentiable Hashing: The Shabal Case (42)

Authors: Julien Francq and Céline Thuillet

Note: This  work  was partially  supported  by  the French  Agence Nationale de la Recherche through the SAPHIR2 project under Contract ANR-08-VERS-014.

Download PDF: Unfolding Method for Shabal on Virtex-5 FPGAs: Concrete Results (31)

Download implementations (529Mo)

Download:

High-Speed Implementation of the SHA-3 Candidate Shabal (44)

• Internal Distinguishers in Indifferentiable Hashing:  The Shabal Case
• Unfolding Method for Shabal on Virtex-5 FPGAs: Concrete Results

The list of accepted papers is available at

http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/AcceptedPapersListing_SHA3_2010.pdf

This code was benched on an Intel x86 Core2 Q6600 system, clocked at 2.4 GHz and running Linux. The compiler is Intel C/C++ compiler version 11.1. Achieved speed (for long messages) is 631 MB/s (in 32-bit mode; 621 MB/s in 64-bit mode); this is the cumulative bandwidth of the four parallel instances (each instance is hashed with a bandwidth of about 158 MB/s). All of this is on a single CPU core.

See the mshabal.h header file for documentation on the API. The code itself should compile properly with GCC, the Intel C/C++ compiler, and Microsoft Visual C (this was tested with GCC 4.4.1 and Visual C 2005).

Download: SSE2-enhanced parallel implementations of the Shabal hash functions (78)

(c) 2010 SAPHIR project. This software is provided ‘as-is’, without any epxress or implied warranty. In no event will the authors be held liable for any damages arising from the use of this software.

Permission is granted to anyone to use this software for any purpose, including commercial applications, and to alter it and redistribute it freely, subject to no restriction.

Technical remarks and questions can be addressed to:
<thomas.pornin at cryptolog.com>

Abstract. In this paper, we present an efficient FPGA implementation of the SHA-3 hash function candidate Shabal. Targeted at the recent Xilinx Virtex-5 FPGA family, our design achieves a relatively high throughput of 2 Gbit/s at a cost of only 153 slices, yielding a throughput-vs.-area ratio of 13.4 Mbit/s per slice. Our work can also be ported to Xilinx Spartan-3 FPGAs, on which it supports a throughput of 800 Mbit/s for only 499 slices, or equivalently 1.6 Mbit/s per slice.
According to the SHA-3 Zoo website, this work is among the smallest reported FPGA implementations of SHA-3 candidates, and ranks first in terms of throughput per area.

PDF version available on ePrint: http://eprint.iacr.org/2010/292

For instance, when compiled with GCC-4.4.1 on an Intel x86 Linux system (32-bit mode), with the “-Os -fomit-frame-pointer” flags, the footprint of Shabal is 698 bytes. Yet it still hash data with a bandwidth of 109 MB/s on a 2.4 GHz Core2 machine, which is similar to what can be achieved with heavyweight, assembly-optimized implementations of SHA-256 and SHA-512 on the same platform.

See the shabal_small.h header file for documentation on the API. The code itself is written in C and should compile on any platform with a C89 compiler (“ANSI C”), subject to the only restriction that the architecture should be octet oriented (i.e. an ‘unsigned char’ shall have a width of exactly 8 bits, no more; only a few exotic embedded DSP do not follow that rule, and the code will cleanly abort compilation in such a case).

(c) 2010 SAPHIR project. This software is provided ‘as-is’, without any express or implied warranty. In no event will the authors be held liable for any damages arising from the use of this software.

Permission is granted to anyone to use this software for any purpose, including commercial applications, and to alter it and redistribute it freely, subject to no restriction.

Technical remarks and questions can be addressed to:  thomas.pornin at cryptolog.com

Authors: Romain Feron and Julien Francq (EADS Defence & Security, Cyber Security Customer Solutions Center)

This work was partially supported by the French Agence Nationale de la Recherche through the SAPHIR2 project under Contract ANR-08-VERS-014.

Authors: Romain Feron and Julien Francq (EADS Defence & Security, Cyber Security Customer Solutions Center)

This work was partially supported by the French Agence Nationale de la Recherche through the SAPHIR2 project under Contract ANR-08-VERS-014.

Title: Capturing the existence of distinguishers into indifferentiability proofs for hash functions

Abstract:
Indifferentiability proofs for hash functions show that the underlying mode of operation used with an ideal compression function (or with an ideal block cipher) is indifferentiable from a random oracle (up to a certain number of calls to the compression function). However, for many practical hash functions, we can provide evidence that the compression function is not uniformly chosen at random (the extremal case is the case where it is fixed). It is then important to determine how the choice of a “biased” compression function affects the security of the hash function. Here, we show how some indifferentiability proofs can be adapted to the case where the compression function is uniformly chosen at random in some subset of all possible compression functions, instead of all of them. For those distinguishers, we give new bounds on the security of several modes of operation, including chop-MD and Shabal’s mode of operation.

(joint work with E. Bresson, T. Fuhr, A. Gouget, T. Icart, M. Naya-Plasencia, P. Paillier, J.-R. Reinhard, M. Videau)