Journal of Cryptology

, Volume 26, Issue 2, pp 313-339

First online:

Quark: A Lightweight Hash

  • Jean-Philippe AumassonAffiliated withNAGRA Email author 
  • , Luca HenzenAffiliated withUBS AG
  • , Willi MeierAffiliated withFHNW
  • , María Naya-PlasenciaAffiliated withUniversity of Versailles

Rent the article at a discount

Rent now

* Final gross prices may vary according to local VAT.

Get Access


The need for lightweight (that is, compact, low-power, low-energy) cryptographic hash functions has been repeatedly expressed by professionals, notably to implement cryptographic protocols in RFID technology. At the time of writing, however, no algorithm exists that provides satisfactory security and performance. The ongoing SHA-3 Competition will not help, as it concerns general-purpose designs and focuses on software performance. This paper thus proposes a novel design philosophy for lightweight hash functions, based on the sponge construction in order to minimize memory requirements. Inspired by the stream cipher Grain and by the block cipher KATAN (amongst the lightest secure ciphers), we present the hash function family Quark, composed of three instances: u-Quark, d-Quark, and s-Quark. As a sponge construction, Quark can be used for message authentication, stream encryption, or authenticated encryption. Our hardware evaluation shows that Quark compares well to previous tentative lightweight hash functions. For example, our lightest instance u-Quark conjecturally provides at least 64-bit security against all attacks (collisions, multicollisions, distinguishers, etc.), fits in 1379 gate-equivalents, and consumes on average 2.44 μW at 100 kHz in 0.18 μm ASIC. For 112-bit security, we propose s-Quark, which can be implemented with 2296 gate-equivalents with a power consumption of 4.35 μW.

Key words

Hash functions Lightweight cryptography Sponge functions Cryptanalysis Indifferentiability