Cryptanalysis of Tav-128 Hash Function

  • Ashish Kumar
  • Somitra Kumar Sanadhya
  • Praveen Gauravaram
  • Masoumeh Safkhani
  • Majid Naderi
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6498)


Many RFID protocols use cryptographic hash functions for their security. The resource constrained nature of RFID systems forces the use of light weight cryptographic algorithms. Tav-128 is one such 128-bit light weight hash function proposed by Peris-Lopez et al. for a low-cost RFID tag authentication protocol. Apart from some statistical tests for randomness by the designers themselves, Tav-128 has not undergone any other thorough security analysis. Based on these tests, the designers claimed that Tav-128 does not posses any trivial weaknesses. In this article, we carry out the first third party security analysis of Tav-128 and show that this hash function is neither collision resistant nor second preimage resistant. Firstly, we show a practical collision attack on Tav-128 having a complexity of 237 calls to the compression function and produce message pairs of arbitrary length which produce the same hash value under this hash function. We then show a second preimage attack on Tav-128 which succeeds with a complexity of 262 calls to the compression function. Finally, we study the constituent functions of Tav-128 and show that the concatenation of nonlinear functions A and B produces a 64-bit permutation from 32-bit messages. This could be a useful light weight primitive for future RFID protocols.


Hash function Tav-128 Cryptanalysis RFID Compression function 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Aumasson, J.-P., Henzen, L., Meier, W., Naya-Plasencia, M.: Quark: A lightweight hash. In: Mangard, S., Standaert, F.-X. (eds.) CHES 2010. LNCS, vol. 6225, pp. 1–15. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  2. 2.
    Baldwin, B., Byrne, A., Hamilton, M., Hanley, N., McEvoy, R.P., Pan, W., Marnane, W.P.: FPGA implementations of SHA-3 candidates: Cubehash, grostl, LANE, shabal and spectral hash. In: Núñez, A., Carballo, P.P. (eds.) 12th Euromicro Conference on Digital System Design, Architectures, Methods and Tools, DSD, pp. 783–790. IEEE Computer Society, Los Alamitos (2009)Google Scholar
  3. 3.
    Bertasi, P., Bressan, M., Peserico, E.: Yet Another Fast Stable Sorting Software. In: Experimental Algorithms. LNCS, vol. 5526, pp. 76–78. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  4. 4.
    Bogdanov, A., Knudsen, L.R., Leander, G., Paar, C., Poschmann, A., Robshaw, M.J.B., Seurin, Y., Vikkelsoe, C.: PRESENT: An Ultra-Lightweight Block Cipher. In: Paillier, P., Verbauwhede, I. (eds.) CHES 2007. LNCS, vol. 4727, pp. 450–466. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  5. 5.
    Bogdanov, A., Leander, G., Paar, C., Poschmann, A., Robshaw, M.J.B., Seurin, Y.: Hash Functions and RFID Tags: Mind the Gap. In: Oswald, E., Rohatgi, P. (eds.) CHES 2008. LNCS, vol. 5154, pp. 283–299. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  6. 6.
    Brassard, G.: CRYPTO 1989. LNCS, vol. 435. Springer, Heidelberg (1990)zbMATHGoogle Scholar
  7. 7.
    Choi, E.Y., Lee, S.-M., Lee, D.H.: Efficient RFID Authentication Protocol for Ubiquitous Computing Environment. In: Enokido, T., Yan, L., Xiao, B., Kim, D.Y., Dai, Y.-S., Yang, L.T. (eds.) EUC-WS 2005. LNCS, vol. 3823, pp. 945–954. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  8. 8.
    Damgård, I.: A Design Principle for Hash Functions. In: Brassard [6], pp. 416–427Google Scholar
  9. 9.
    Dimitriou, T.: A Lightweight RFID Protocol to protect against Traceability and Cloning attacks. In: First International Conference on Security and Privacy for Emerging Areas in Communications Networks (SecureComm 2005), Athens, Greece, pp. 56–66. IEEE Computer Society Press, Los Alamitos (September 2005)Google Scholar
  10. 10.
    Feldhofer, M., Dominikus, S., Wolkerstorfer, J.: Strong Authentication for RFID Systems Using the AES Algorithm. In: Joye, M., Quisquater, J.-J. (eds.) CHES 2004. LNCS, vol. 3156, pp. 357–370. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  11. 11.
    Feldhofer, M., Rechberger, C.: A Case Against Currently Used Hash Functions in RFID Protocols. In: Meersman, R., Tari, Z., Herrero, P. (eds.) OTM 2006 Workshops. LNCS, vol. 4277, pp. 372–381. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  12. 12.
    Gaj, K., Homsirikamol, E., Rogawski, M.: Fair and comprehensive methodology for comparing hardware performance of fourteen round two SHA-3 candidates using FPGAs. In: Mangard, S., Standaert, F.-X. (eds.) CHES 2010. LNCS, vol. 6225, pp. 264–278. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  13. 13.
    Henrici, D., Müller, P.: Hash-based Enhancement of Location Privacy for Radio-Frequency Identification Devices using Varying Identifiers. In: PerCom Workshops, pp. 149–153. IEEE Computer Society, Los Alamitos (2004)Google Scholar
  14. 14.
    Kelsey, J., Schneier, B.: Second Preimages on n-bit Hash Functions for Much Less than 2n Work. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 474–490. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  15. 15.
    Markle, R.: One way Hash Functions and DES. In: Brassard [6], pp. 428–446Google Scholar
  16. 16.
    Menezes, A.J., van Oorschot, P.C., Vanstone, S.A.: Handbook of Applied Cryptography. CRC Press, Boca Raton (1997), zbMATHGoogle Scholar
  17. 17.
    National Institute of Standards and Technology. Announcing Request for Candidate Algorithm Nominations for a New Cryptographic Hash Algorithm (SHA-3) Family (November 2007), with the Docket No: 070911510751201 (Accessed on 22/09/2010)
  18. 18.
    NIST. FIPS PUB 180-2-Secure Hash Standard (August 2002), (accessed on 23/09/2010)
  19. 19.
    NIST. Second Round Candidates. Official notification from NIST (2009), (accessed on 22/09/2010)
  20. 20.
    Peris-Lopez, P., Castro, J.C.H., Estévez-Tapiador, J.M., Ribagorda, A.: An Efficient Authentication Protocol for RFID Systems Resistant to Active Attacks. In: Denko, M.K., Shih, C.-s., Li, K.-C., Tsao, S.-L., Zeng, Q.-A., Park, S.H., Ko, Y.-B., Hung, S.-H., Park, J.-H. (eds.) EUC-WS 2007. LNCS, vol. 4809, pp. 781–794. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  21. 21.
    Rhee, K., Kwak, J., Kim, S., Won, D.: Challenge-Response Based RFID Authentication Protocol for Distributed Database Environment. In: Hutter, D., Ullmann, M. (eds.) SPC 2005. LNCS, vol. 3450, pp. 70–84. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  22. 22.
    Weis, S.A., Sarma, S.E., Rivest, R.L., Engels, D.W.: Security and Privacy Aspects of Low-Cost Radio Frequency Identification Systems. In: Hutter, D., Müller, G., Stephan, W., Ullmann, M. (eds.) Security in Pervasive Computing. LNCS, vol. 2802, pp. 201–212. Springer, Heidelberg (2004)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  • Ashish Kumar
    • 1
  • Somitra Kumar Sanadhya
    • 2
  • Praveen Gauravaram
    • 3
  • Masoumeh Safkhani
    • 4
  • Majid Naderi
    • 4
  1. 1.Indian Institute of TechnologyKharagpurIndia
  2. 2.Indraprastha Institute of Information Technology-DelhiNew DelhiIndia
  3. 3.Technical University of DenmarkDenmark
  4. 4.Iran University of Science and TechnologyTehranIran

Personalised recommendations