Efficient Hashing Using the AES Instruction Set

  • Joppe W. Bos
  • Onur Özen
  • Martijn Stam
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6917)


In this work, we provide a software benchmark for a large range of 256-bit blockcipher-based hash functions. We instantiate the underlying blockcipher with AES, which allows us to exploit the recent AES instruction set (AES-NI). Since AES itself only outputs 128 bits, we consider double-block-length constructions, as well as (single-block-length) constructions based on Rijndael-256. Although we primarily target architectures supporting AES-NI, our framework has much broader applications by estimating the performance of these hash functions on any (micro-)architecture given AES-benchmark results. As far as we are aware, this is the first comprehensive performance comparison of multi-block-length hash functions in software.


Keywords: Hash Function; Advanced Encryption Standard; Compression Function; Data Encryption Standard; Cryptology ePrint Archive



Copyright information

© International Association for Cryptologic Research 2011

Authors and Affiliations

  • Joppe W. Bos (1)
  • Onur Özen (1)
  • Martijn Stam (2)

  1. Laboratory for Cryptologic Algorithms, EPFL, Lausanne, Switzerland
  2. Department of Computer Science, University of Bristol, Bristol, United Kingdom
