SPN-Hash: Improving the Provable Resistance against Differential Collision Attacks

  • Jiali Choy
  • Huihui Yap
  • Khoongming Khoo
  • Jian Guo
  • Thomas Peyrin
  • Axel Poschmann
  • Chik How Tan
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7374)


Collision resistance is a fundamental property required for cryptographic hash functions. One way to ensure collision resistance is to use hash functions based on public key cryptography (PKC) which reduces collision resistance to a hard mathematical problem, but such primitives are usually slow. A more practical approach is to use symmetric-key design techniques which lead to faster schemes, but collision resistance can only be heuristically inferred from the best probability of a single differential characteristic path. We propose a new hash function design with variable hash output sizes of 128, 256, and 512 bits, that reduces this gap. Due to its inherent Substitution-Permutation Network (SPN) structure and JH mode of operation, we are able to compute its differential collision probability using the concept of differentials. Namely, for each possible input differences, we take into account all the differential paths leading to a collision and this enables us to prove that our hash function is secure against a differential collision attack using a single input difference. None of the SHA-3 finalists could prove such a resistance. At the same time, our hash function design is secure against pre-image, second pre-image and rebound attacks, and is faster than PKC-based hashes. Part of our design includes a generalization of the optimal diffusion used in the classical wide-trail SPN construction from Daemen and Rijmen, which leads to near-optimal differential bounds when applied to non-square byte arrays. We also found a novel way to use parallel copies of a serial matrix over the finite field GF(24), so as to create lightweight and secure byte-based diffusion for our design. Overall, we obtain hash functions that are fast in software, very lightweight in hardware (about 4625 GE for the 256-bit hash output) and that provide much stronger security proofs regarding collision resistance than any of the SHA-3 finalists.


SPN wide-trail strategy Hash Functions collision resistance 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Augot, D., Finiasz, M., Gaborit, P., Manuel, S., Sendrier, N.: SHA-3 Proposal: FSB. Submission to NIST (2008)Google Scholar
  2. 2.
    Aumasson, J.-P., Henzen, L., Meier, W., Naya-Plasencia, M.: Quark: A Lightweight Hash. In: Mangard, S., Standaert, F.-X. (eds.) CHES 2010. LNCS, vol. 6225, pp. 1–15. Springer, Heidelberg (2010), CrossRefGoogle Scholar
  3. 3.
    Aumasson, J.-P., Henzen, L., Meier, W., Phan, R.C.-W.: SHA-3 Proposal BLAKE. Candidate to the NIST Hash Competition (2008),
  4. 4.
    Barreto, P., Rijmen, V.: The Whirlpool Hashing Function,
  5. 5.
    Benadjila, R., Billet, O., Gilbert, H., Macario-Rat, G., Peyrin, T., Robshaw, M., Seurin, Y.: SHA-3 Proposal: ECHO. Submission to NIST (2009) (updated)Google Scholar
  6. 6.
    Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Sponge Functions. In: ECRYPT Hash Workshop (2007)Google Scholar
  7. 7.
    Bhattacharyya, R., Mandal, A., Nandi, M.: Security Analysis of the Mode of JH Hash Function. In: Hong, S., Iwata, T. (eds.) FSE 2010. LNCS, vol. 6147, pp. 168–191. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  8. 8.
    Billet, O., Robshaw, M.J.B., Peyrin, T.: On Building Hash Functions from Multivariate Quadratic Equations. In: Pieprzyk, J., Ghodosi, H., Dawson, E. (eds.) ACISP 2007. LNCS, vol. 4586, pp. 82–95. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  9. 9.
    Biryukov, A., Khovratovich, D., Nikolić, I.: Distinguisher and Related-Key Attack on the Full AES-256. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 231–249. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  10. 10.
    Biryukov, A., Wagner, D.: Slide Attacks. In: Knudsen, L.R. (ed.) FSE 1999. LNCS, vol. 1636, pp. 245–259. Springer, Heidelberg (1999)CrossRefGoogle Scholar
  11. 11.
    Biryukov, A., Wagner, D.: Advanced Slide Attacks. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 589–606. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  12. 12.
    Canright, D.: A Very Compact S-Box for AES. In: Rao, J.R., Sunar, B. (eds.) CHES 2005. LNCS, vol. 3659, pp. 441–455. Springer, Heidelberg (2005); The HDL specification is available at the author’s official webpage CrossRefGoogle Scholar
  13. 13.
    Contini, S., Lenstra, A.K., Steinfeld, R.: VSH, an Efficient and Provable Collision-Resistant Hash Function. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 165–182. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  14. 14.
    Intel Corporation. Advanced Encryption Standard (AES) Instruction Set (October 30, 2008),
  15. 15.
    Daemen, J., Rijmen, V.: The Design of Rijndael: AES - The Advanced Encryption Standard. Springer (2002)Google Scholar
  16. 16.
    Ferguson, N., Lucks, S., Schneier, B., Whiting, D., Bellare, M., Kohno, T., Callas, J., Walker, J.: The Skein Hash Function Family. Submission to NIST, Round 2 (2009)Google Scholar
  17. 17.
    Gauravaram, P., Knudsen, L.R., Matusiewicz, K., Mendel, F., Rechberger, C., Schlaffer, M., Thomsen, S.S.: Grøstl addendum. Submission to NIST (2009) (updated)Google Scholar
  18. 18.
    Guo, J., Peyrin, T., Poschmann, A.: The PHOTON Family of Lightweight Hash Functions. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 222–239. Springer, Heidelberg (2011)Google Scholar
  19. 19.
    Henzen, L., Aumasson, J.-P., Meier, W., Phan, R.C.W.: VLSI Characterization of the Cryptographic Hash Function BLAKE. IEEE Transactions on Very Large Scale Integration (VLSI) Systems (99), 1–9Google Scholar
  20. 20.
    Nakahara Jr., J., Abrahão, É.: A New Involutary MDS Matrix for AES. International Journal of Network Security 9(2), 109–116 (2009)Google Scholar
  21. 21.
    Lamberger, M., Mendel, F., Rechberger, C., Rijmen, V., Schläffer, M.: Rebound Distinguishers: Results on the Full Whirlpool Compression Function. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 126–143. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  22. 22.
    Menezes, A.J., van Oorschot, P.C., Vanstone, S.A.: Handbook of Applied Cryptography. CRC Press (1996)Google Scholar
  23. 23.
    Park, S., Sung, S.H., Lee, S., Lim, J.: Improving the Upper Bound on the Maximum Differential and the Maximum Linear Hull Probability for SPN Structures and AES. In: Johansson, T. (ed.) FSE 2003. LNCS, vol. 2887, pp. 247–260. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  24. 24.
    Peyrin, T.: Improved Differential Attacks for ECHO and Grøstl. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 370–392. Springer, Heidelberg (2010)Google Scholar
  25. 25.
    Sasaki, Y., Li, Y., Wang, L., Sakiyama, K., Ohta, K.: Non-full-active Super-Sbox Analysis: Applications to ECHO and Grøstl. In: Abe, M. (ed.) ASIACRYPT 2010. LNCS, vol. 6477, pp. 38–55. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  26. 26.
    Shannon, C.: Communication Theory of Secrecy System. Bell System Technical Journal 28, 656–715 (1949)MathSciNetzbMATHGoogle Scholar
  27. 27.
    Tillich, S., Feldhofer, M., Issovits, W., Kern, T., Kureck, H., Mühlberghuber, M., Neubauer, G., Reiter, A., Köfler, A., Mayrhofer, M.: Compact Hardware Implementations of the SHA-3 Candidates Arirang, Blake, Grøstl, and Skein. IACR ePrint archive, Report 2009/349 (2009)Google Scholar
  28. 28.
    Wu, H.J.: The Hash Function JH. Submission to NIST (September 2009) (updated),

Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Jiali Choy
    • 1
  • Huihui Yap
    • 1
  • Khoongming Khoo
    • 1
  • Jian Guo
    • 2
  • Thomas Peyrin
    • 3
  • Axel Poschmann
    • 3
  • Chik How Tan
    • 4
  1. 1.DSO National LaboratoriesSingapore
  2. 2.Institute for Infocomm ResearchA*STARSingapore
  3. 3.SPMSNanyang Technological UniversitySingapore
  4. 4.Temasek LaboratoriesNational University of SingaporeSingapore

Personalised recommendations