Parameterized Hash Functions

Tomasz Bilski\textsuperscript{1,*}, Krzysztof Bucholc\textsuperscript{1,†}, Anna Grocholewska-Czurylo\textsuperscript{1‡}, Janusz Stoklosa\textsuperscript{1§}

\textsuperscript{1}Institute of Control and Information Engineering, Poznań University of Technology
pl. Marii Skłodowskiej Curie 5, 60-965 Poznań, Poland

Abstract – In this paper we describe a family of highly parameterized hash functions. This parameterization results in great flexibility between performance and security of the algorithm. The three basic functions, HaF-256, HaF-512 and HaF-1024 constitute this hash function family. Lengths of message digests are 256, 512 and 1024 bits respectively. The paper discusses the details of functions structure. The method used to generate function S-box is also described in detail.

1 Introduction

Hash functions are used to generate a short form of an original message of any size. This short form is called a hash of a message or a message digest and is used in many cryptographic applications including message integrity verification and message authentication, in which case a keyed hash function is used.

Hash function \( h \) operates on a message \( m \) of an arbitrary length. The result is a hash value \( h(m) \) which has a fixed size.

A lot of recent cryptographic research has been devoted to methods of generating new hash functions which resulted for example in 64 proposals being submitted to the NIST SHA-3 competition for a new hash function in 2008 [1].

The objective while designing the HaF family of hash function was obviously the highest security while maintaining the best possible performance, however, at the same time the function should allow a flexible balance between security and performance which was achieved through parameterization.

\textsuperscript{*}tomasz.bilski@put.poznan.pl
\textsuperscript{†}krzysztof.bucholc@put.poznan.pl
\textsuperscript{‡}anna.grocholewska-czurylo@put.poznan.pl
\textsuperscript{§}janusz.stoklosa@put.poznan.pl
The organization of this paper is the following: In Section 2 we describe the family of the HaF hash functions in general. In Section 3 we concentrate on the details of S-box generation along with our reasoning for designing and choosing this particular method. Reference implementation is briefly described in Section 4. Finally Section 5 contains the concluding remarks.

2 Parameterized family HaF of hash functions

2.1 Design Principles

The following assumptions were taken into account during the design process:

- family should be parameterized;
- message digest length should be selectable;
- flexibility between performance and security should be guaranteed;
- iteration structure and compression function should be resistant to known attacks;
- its iteration mode should be HAIFA (it provides resistance to long message second preimage attacks, and handles hashing with a salt) [2, 3].

2.2 Description of HaF

The HaF family is formed of the three hash functions: HaF-256, HaF-512 and HaF-1024, producing hash values (message digests) with the length equal to 256, 512 and 1024 bits, respectively. The general model of HaF family is presented in (Fig. 1). After formatting the original message $m$ we have the message $M$. We divide $M$ into blocks $M_0, M_1, \ldots, M_k$, $k \in \{1, 2, \ldots\}$, and each block $M_i$ is processed with the salt $s$ by the iterative compression function $\varphi$ [2]. The output $H_k$ is the final result of the function.

2.2.1 Notation

In the paper we use the following notation:

- $a \odot b$ – multiplication mod $(2^n + 1)$ of $n$-bit non-zero integers $a$ and $b$;
- $A_r$ – working variable, $r = 0, 1, \ldots, 15$;
- $F_j$ – step function, $j = 0, 1, \ldots, 15$;
- $GF(2)$ – Galois field of characteristic 2;
- $\text{length}$ – bitstring representing the length of the original message $m$, $|\text{length}| = 128$;
- $\text{lsb}_q(v)$ – $q$ least significant bits of the string $v$;
- $IV$ – initial value;
- $m$ – original message, $|m| < 2^{128}$;
- $M$ – formatted message;
- $n$ – length of the working variable $A_r$ (16 or 32 or 64 bits);
- $s$ – salt, $|s| = 16n$;
- $|v|$ – length in bits of a string $v$;
Fig. 1. General model for HaF.

- $v \ll t$ – $t$-bit left rotation of a string $v$, $|v| = 16n$;
- $v \oplus w$ – bitwise XOR of strings $v$ and $w$, $|v| = |w|$;
- $v \boxplus w$ – addition mod $2^n$ of integers represented (in base 2) by strings $v$ and $w$;
- $p_1(x) \odot p_2(x)$ – multiplication of polynomials $p_1$ and $p_2$ modulo an irreducible polynomial $R(x)$;
- $x^q$ – bitstring of the length $q$; $x^0$ means the empty string;
- $\varphi$ – compression function;
- $\parallel$ – concatenation of bitstrings.

### 2.2.2 Message Padding

The original message $m$ has to be formatted before hash value computation begins. The length of formatted message should be a multiple of $16n$ bits. The message $m$ is formatted by appending to it a single 1-bit and as few 0-bits as necessary to obtain a string whose bit-length increased by 128 bits is a multiple of $16n$. Finally, we must additionally append the original message length. As a result, we obtain the formatted message $M = M_0 \parallel M_1 \parallel \ldots \parallel M_{k-1}$ for some positive integer $k$, where $M_i$ is a block of $M$. 
Therefore, \( M = m \| 10^t \| \text{length} \), where \( t \) is the smallest nonnegative integer necessary to format \( m \), and \( |M| = 16nk \).

### 2.2.3 Compression Function

In the proposed schema the compression function is defined as follows: \( \varphi : \{0,1\}^\mu \times \{0,1\}^\eta \times \{0,1\}^\sigma \rightarrow \{0,1\}^\rho \). The integers \( \mu, \eta \) and \( \sigma \) are the lengths of block \( M_i \), chaining variable \( H_i \), and salt \( s \), respectively, where \( |M_i| = |H_i| = |s| = 16n \) and \( i = 0,1,\ldots,k-1 \). The integer \( \rho \) is the length of the resulting hash value \( h(m) = H_k \), \( |h(m)| = 16n \).

The block \( M_i \) is processed in two rounds. The length of the block equals \( 16n \) bits, where \( n \) is a parameter depending on the hash value we want to obtain. For HaF-256, HaF-512 and HaF-1024 the parameter \( n \) equals 16, 32 and 64 bits, respectively. The parameter \( n \) indicates, in fact, the length of the working variable \( A_r \) used in the step function.

The method of one block processing is presented in Fig. 2. \( M_i, H_i \) and \( s \) are the inputs for \( \varphi \). Before processing in round \#1, \( l = 1 \) or 2, the block \( M_i \) is modified. In the round \#1 four least significant bits of \( N_i = M_i \oplus s \) indicate the number of bits the string \( N_i \) is rotated to the left: \( N_i^* = N_i \ll \text{lsb}_4(N_i) \). Before processing in the round \#2, the blocks are permuted: \( N_i = H_i^* \) and \( H_i = N_i^* \). After two rounds, the value \( H_i^* \) of chaining variable is split into 16 subblocks \( A_0, A_1, \ldots, A_{15} \) of equal lengths. Each of them is modified by adding (mod \( 2^n \)) the respective input subblock of \( H_i \) which is the input to the round \#1. Next, all subblocks \( A_0, A_1, \ldots, A_{15} \) are concatenated giving \( H_{i+1} = A_0 \| A_1 \| \ldots \| A_{15} \).

Fig. 2. Method of one block processing.

### 2.2.4 Round Function

The round function (Fig. 3) has two inputs \( N_i, H_i \) and two outputs \( N_i^*, H_i^* \).

The input block \( N_i \) is rotated by the number of bits corresponding to \( \text{lsb}_4(N_i) \) and added (mod 2 of respective bits) to \( H_i \). Next the block \( H_i \oplus (N_i \ll \text{lsb}_4(N_i)) \) is divided into 16 subblocks of equal length: \( A_0, A_1, \ldots, A_{15} \). They are processed
by a step function. After processing they are concatenated giving $H_i^*$. The output $N_i^* = N_i \ll \text{lsb}_4(N_i)$.

### 2.2.5 Step Function

The essential part of the round is the step function $F_j$ (Fig. 4). In each round the step function is executed 16 times, for $j = 0, 1, \ldots, 15$. 
Let $GF[x]_n$ be a set of polynomials over $GF(2)$ of the degree smaller than $n$. If $w(x) \in GF[x]_n$ then $w(x) = w_{n-1}x^{n-1} \oplus w_{n-2}x^{n-2} \oplus \ldots \oplus w_2x^2 \oplus w_1x \oplus w_0$ or simply $w(x) = w_{n-1}w_{n-2} \ldots w_2w_1w_0$, where $w_r \in GF(2)$ for $r \in \{0,1,\ldots,n-1\}$. Let $u(x), v(x), w(x) \in GF[x]_n$. We define two operations on polynomials, addition ($\oplus$) and multiplication ($\otimes$): $u(x) = v(x) \oplus w(x) \leftrightarrow u_t = v_t \oplus w_t, \; t = 1,2,\ldots,n$, and $u(x) = v(x) \otimes w(x) = v(x) \cdot w(x) \mod R(x)$, where $R(x)$ is a reduction polynomial of degree $n$. In the construction of the step function, the multiplication of polynomials is performed four times: $a_0 \otimes A_0, a_2 \otimes A_2, a_3 \otimes A_3$, and $a_5 \otimes A_5$. The polynomials $a_0, a_2, a_3$ and $a_5$, presented in the hexadecimal form, are given in Table 1.

<table>
<thead>
<tr>
<th>$n$</th>
<th>$R(x)$</th>
<th>Hexadecimal representation</th>
</tr>
</thead>
<tbody>
<tr>
<td>16</td>
<td>$x^{16} \oplus x^{11} \oplus x^{10} \oplus x^5 \oplus 1$</td>
<td>10C21</td>
</tr>
<tr>
<td>32</td>
<td>$x^{32} \oplus x^7 \oplus x^6 \oplus x^2 \oplus 1$</td>
<td>1000000C5</td>
</tr>
<tr>
<td>64</td>
<td>$x^{64} \oplus x^4 \oplus x^3 \oplus x \oplus 1$</td>
<td>1000000000000001B</td>
</tr>
</tbody>
</table>

The reduction polynomials must be irreducible; they are presented in Table 2.

<table>
<thead>
<tr>
<th>$n$</th>
<th>$\alpha_0$</th>
<th>$\alpha_2$</th>
<th>$\alpha_3$</th>
<th>$\alpha_5$</th>
</tr>
</thead>
<tbody>
<tr>
<td>16</td>
<td>B9CB</td>
<td>D949</td>
<td>0001</td>
<td>0001</td>
</tr>
<tr>
<td>32</td>
<td>AC2D</td>
<td>0000</td>
<td>0000</td>
<td>0000</td>
</tr>
<tr>
<td></td>
<td>B263</td>
<td>0110</td>
<td>0001</td>
<td>0001</td>
</tr>
<tr>
<td>64</td>
<td>EDC0</td>
<td>0000</td>
<td>0000</td>
<td>0000</td>
</tr>
<tr>
<td></td>
<td>28B9</td>
<td>2500</td>
<td>0000</td>
<td>0000</td>
</tr>
<tr>
<td></td>
<td>A461</td>
<td>0000</td>
<td>0000</td>
<td>0000</td>
</tr>
<tr>
<td></td>
<td>A403</td>
<td>0001</td>
<td>0001</td>
<td>0001</td>
</tr>
</tbody>
</table>

After performing multiplications of polynomials, a few additions modulo 2 ($\oplus$) and additions modulo $2^n$ ($\oplus$) are done (Fig. 4). In each step the masking constant $c = 3236B539391FD066$ (in the hexadecimal representation) is used. The particular value of $c$ depends on $n$ and $j$, and is indicated by a window of the length $n$ sliding (cyclically, if necessary) from left to right on bits of $c$. For example, if $n = 16$ and $j = 0$ then $c = 3236$; if $n = 32$ and $j = 31$ then $c = 391FD066$; if $n = 64$ and $j = 5$ then $c = 6D6A72723FA0CD9$ (cyclic rotation of $c$ to the left by 5 bits).

In each step a substitution $S_j^{(n)}$ depending (as the masking constant $c$) on $n$ and $j$ is used. It consists of four S-boxes $S_0$, $S_1$, $S_2$ and $S_3$, each of
the dimension $16 \times 16$, working in such a way that for $n = 16$, $S_j^{(16)} = S_{j \mod 4}$; for $n = 32$, $S_j^{(32)} = S_{(j) \mod 4} \| S_{(j+1) \mod 4}$; and for $n = 64$, $S_j^{(64)} = S_{(j) \mod 4} \| S_{(j+1) \mod 4} \| S_{(j+2) \mod 4} \| S_{(j+3) \mod 4}$.

The multiplication modulo $2^n + 1$ of $n$-bit integers with the zero block corresponding to $2^n$ is denoted by $\odot$ [4].

<table>
<thead>
<tr>
<th>$n$</th>
<th>$H_0 = h_0 | h_1 | h_2 | \ldots | h_{15}$</th>
</tr>
</thead>
<tbody>
<tr>
<td>16</td>
<td>34D906D3E3E5298EAC26F9FD2AC5AD23 DB84B0576C82CCA52517CF6B8880A90C</td>
</tr>
<tr>
<td>32</td>
<td>34D906D3E3E5298EAC26F9FD2AC5AD23 DB84B0576C82CCA52517CF6B8880A90C 0BC69C6F64D4B2664579E064AE220A5A 3DA7C5451DA429EF2AB8F289D0F0E5</td>
</tr>
<tr>
<td>64</td>
<td>34D906D3E3E5298EAC26F9FD2AC5AD23 DB84B0576C82CCA52517CF6B8880A90C 0BC69C6F64D4B2664579E064AE220A5A 3DA7C5451DA429EF2AB8F289D0F0E5 9C6595B7B08B0C74BB82BF3CFDE5A1A AB808B7E7425BC9EFA101925CB0D528 3FA76FCBDF7B5D776DE280C8E2EE8B1 69D154F43B096994FDF52B5F148CC134</td>
</tr>
</tbody>
</table>

The initial values $H_0 = h_0 \| h_1 \| h_2 \| \ldots \| h_{15}$ of chaining variable (depending on $n$) are given in Table 3 ($H_0$ for $n = 64$ is obtained as the hexadecimal form of consecutive 512 decimal places after the decimal point of $\pi$ broken up into groups of 32). Before processing they must be assigned to $A_0 \| A_1 \| A_2 \| \ldots \| A_{15}$ in such a way that $h_r = A_r$, $r = 0, 1, \ldots, 15$.

### 2.3 Security Considerations

The round function composed of 16 steps can be represented in the equivalent form as a linear shift register (FSR) over $GF(2^n)$ generating maximum length sequences, additionally equipped with nonlinear feedback, and clocked 16 times [3]. The corresponding approach dealing with the use of feedback shift registers (over $GF(2)$) in the construction of hash functions has been presented in [5]. The function defined by the nonlinear circuit is a nonlinear $8n$-argument function, $n = 16$ or 32 or 64. For the function with such a number of arguments (128, 256 and 512, respectively), it is difficult, from the computational point of view, to perform the best affine approximation attack [6]. The time needed for the attack is equal to that of the birthday attack, i.e. $O(2^{8n})$.

The sequence produced by the nonlinear circuit is resistant to correlation attack [6].
3 S-boxes

3.1 Involutional S

Let $F_2$ be the Galois field $GF(2)$ and $F_2^n$ be the $n$-dimensional vector space over $F_2$. A substitution operation or an $n \times n$ S-box (or S-box of the size $n \times n$) is a mapping:

$$S : F_2^n \rightarrow F_2^n$$

(1)

where $n$ is a fixed positive integer, $n \geq 2$. An $n$-argument Boolean function is a mapping:

$$f : F_2^n \rightarrow F_2.$$  

(2)

An S-box $S$ can be decomposed into the sequence $S = (f_1, f_2, \ldots, f_n) \text{ of the Boolean functions such that } S(x_1, x_2, \ldots, x_n) = (f_1(x_1, x_2, \ldots, x_n), f_2(x_1, x_2, \ldots, x_n), \ldots, f_n(x_1, x_2, \ldots, x_n)).$ We say that the functions $f_1, f_2, \ldots, f_n$ are component functions of $S$.

In the case of HaF’s S-box $n = 16$. HaF’s S-box therefore is a function that takes 16 input bits and outputs also 16 bits – it is a $16 \times 16$ S-box. Additionally, it is generated in such a way that it is its own inverse, i.e., $S^{-1} = S$.

HaF’s S-box has been generated using the multiplicative inverse procedure similar to AES [7] with randomly chosen primitive polynomial defining the Galois field. Nonlinearity of this S-box is 32510 and its nonlinear degree is 15. Sixteen Boolean functions that constitute this S-box have nonlinearities equal to 32510 or 32512. The degree of each function is equal to 15.

The $16 \times 16$ S-box can be stored as a table of 65536 word values. The index for this table is an input of the S-box function, i.e., $x_1, x_2, \ldots, x_{16}$. The values stored are S-box outputs (16 bits: $f_1(x_1, x_2, \ldots, x_{16}), f_2(x_1, x_2, \ldots, x_{16}), \ldots, f_{16}(x_1, x_2, \ldots, x_{16})$). To simplify the description of S-box generation let us consider a smaller S-box of the size $8 \times 8$. For presentation convenience such S-box can be displayed as a 2-dimensional table (Table 4). The input represented as a two digit hexadecimal number HL is divided – the low order digit (L) is on the horizontal axis and the high order digit (H) is on the vertical axis. For example, to see what is the S-box output at input 6F take 6 on the vertical axis and F on the horizontal axis. The S-box output is DA.

Cryptographically a strong S-box should possess some properties that are universally agreed upon among researchers. Such S-box should be balanced, highly nonlinear, have the lowest maximum value in its XOR profile (difference distribution table), have complex algebraic description (especially it should be of high degree). The above criteria are dictated by linear and differential cryptanalyses and algebraic attacks.

It is a well-known fact that S-boxes generated using finite field inversion mapping fulfill these criteria to a very high extent. However, they are susceptible to (theoretical) algebraic attacks. To resist algebraic attacks, multiplicative inverse mapping used to construct an S-box is composed of an additional invertible affine transformation. This affine transformation does not affect the nonlinearity of the S-box, its XOR profile nor
its algebraic degree. The best known example of such an S-box is the S-box of AES. It has been publicly known and it does not affect its security.

The algorithm used for generating the S-box for the purpose of HaF function presented in this paper uses a similar method of generating S-boxes. Additionally, it takes into account the results of some recent studies \[8, 9\] and incorporates changes in the S-box generating procedure to make it even more secure.

### 3.2 Generating Inverse Mapping

HaF S-box is based on the so called inverse mapping $x \rightarrow x^{-1}$, where $x^{-1}$ denotes the multiplicative inverse in a finite field $GF(2^n)$:

$$S(x) = \begin{cases} 0 & \text{for } x = 0 \\ x^{-1} & \text{for } x \neq 0. \end{cases} \quad (3)$$

As mentioned earlier, inversion mapping can be used to generate cryptographically strong S-boxes.

For any prime integer $p$ and any integer $n$ ($n = 1, 2, \ldots$), there is a unique field with $p^n$ elements, denoted $GF(p^n)$. In cryptography $p$ almost always takes the value of 2. To generate an inverse mapping in $GF(2^n)$ we need an irreducible polynomial that defines a Galois field and another polynomial that would be the so called generator (see below). A polynomial is said to be irreducible if it cannot be factored into nontrivial polynomials over the same field. The $n$-bit elements of the Galois field are treated as polynomials with coefficients in $F_2$. For example, in the case of AES, where S-box is of the size $8 \times 8$ we operate mostly on bytes represented as $b_7b_6b_5b_4b_3b_2b_1b_0$ which corresponds to the following polynomial:
An irreducible polynomial mentioned above is used to calculate a multiplication in $GF(2^n)$. When two polynomials are multiplied, the resulting product is a polynomial of degree at most $2(n-1)$ – too much to fit into the $n$-bit data word that represents polynomials in $GF(2^n)$, so the intermediate product of this multiplication is divided by the irreducible polynomial and the remainder of this division is the result of the multiplication. For $GF(2^n)$ an irreducible polynomial should be of degree $n$. For example, in AES (with $GF(2^8)$) an irreducible polynomial selected for construction of the S-box is 11B (in the hexadecimal notation).

A generator in the Galois field is a polynomial whose successive powers take on every element except zero. Which polynomials are generators in a particular Galois field depends on the irreducible polynomial selected. So say the polynomial 03 is a generator in $GF(2^8)$ with the irreducible polynomial 11B (as in AES), but it is not a generator in $GF(2^8)$ with the irreducible polynomial 1BD, for which the generator is for example 07.

For $n = 8$ the nonlinearity of this mapping treated as an S-box is 112. For $n = 16$ it is 32512. In a general case, the nonlinearity of such a mapping is $2^{n-1} - 2^{n/2}$.

However, such an S-box would always have 0 and 1 as the first two entries. This is because for $x = 0$, $x^{-1} = 0$ and for $x = 1$, $x^{-1} = 1$. These would be undesirable fixed points of an S-box. We remove them in the next step.

### 3.3 Affine Transformation

To avoid algebraic attacks (given multiplicative inversion simple algebraic form) every element of the table of multiplicative inverses is changed using an affine transformation. Such transformation has to be a full permutation, so every element is changed and all possible elements are represented as the result of a change, so that no two different bytes are changed to the same byte. After applying this transformation, the table is still a bijective mapping which is invertible and that is a prerequisite for most applications of S-boxes. In the case of AES cipher, this affine transformation is given by the following equation:

$$b'_i = b_i \oplus b_{(i+4)} \mod 8 \oplus b_{(i+5)} \mod 8 \oplus b_{(i+6)} \mod 8 \oplus b_{(i+7)} \mod 8 \oplus c_i$$

where $c$ is an 8-bit constant (in the case of AES, it equals 63 in the hexadecimal notation). $i$ is the bit position. This transformation can be also represented as the matrix multiplication:
The algorithm used for generating S-box $S$ of HaF function in this paper uses the same transformation, however, adopted for the $16 \times 16$ S-box size and with the constant part of this transformation (namely $c_i$) taken at random so that the resulting S-box does not have fixed points (such that $S(x) = x$). Particularly, the two fixed points mentioned in the previous paragraph (0 and 1) are removed by this transformation.

### 3.4 Removing Cycles

One of the requirements for the HaF S-box is the absence of cycles. A cycle is such a sequence of S-box values $S_0, S_1, \ldots, S_{k-1}$ where $S_{(i+1) \mod k} = S(S_i)$. HaF S-box should have only one such cycle containing all the values of the S-box (a cycle for which $k = 2^n$).

The affine transformation described in the previous paragraph changes the number of cycles in an S-box, without changing its nonlinear properties. Note that the fixed points are also short cycles where $k = 1$.

The cycles are removed in a procedure with two steps. The first step is actually the aforementioned affine transformation. It is applied repeatedly with a random value of $c$ until the S-box with only 2 cycles is found. This might not always be possible. In such a case, a new S-box has to be generated with another randomly chosen primitive polynomial using the inverse mapping as described earlier.

When the 2-cycle S-box is found, we move on to the next step, which is performed together with removing the affine equivalence.

### 3.5 Removing Affine Equivalence

According to [8, 9], S-boxes based on the multiplicative inverse in a finite field have such a peculiar property that all component functions of the S-box are from the same affine equivalence class (all the output functions of the S-box can be mapped onto one another using the affine transformations). The HaF’s S-box has been processed to remove this linear redundancy, so that all Boolean functions are now from different affine equivalence classes, while still maintaining exceptionally high nonlinearity of the inverse mapping. The proposed S-box has the maximum XOR difference distribution table value of 6, which is extremely good.

Removing this linear redundancy in the 2-cycle S-box is carried out in such a way that at the same time it will reduce the number of cycles to only 1. It is done by
Parameterized Hash Functions

choosing randomly two S-box entries $x$ and $y$, each belonging to another cycle, and rearranging S-box entries in such a way, that both cycles are joined into one.

After such change a test for linear redundancy is performed. If the affine equivalence is still present (between any component functions), the change is reversed and different S-box entries are randomly selected and tested – this procedure is carried out until S-box without the linear redundancy is found. If such an S-box cannot be found, we need to generate another S-box with inverse mapping.

Many properties of the Boolean functions covered by various cryptographic criteria (such as algebraic degree and nonlinearity) remain unchanged by affine transformations. The absolute values of Walsh transform as well as the autocorrelation function are only rearranged by the affine transformations. The frequency distribution of the absolute values in these transforms is invariant under such affine transformations. To prove that two functions are from different equivalence classes, it is therefore sufficient to show that their respective Walsh transform or autocorrelation function frequency distribution is different.

4 Reference implementations

The HaF family is formed of the three hash functions: HaF-256, HaF-512 and HaF-1024, producing hash values (message digests) with the length equal to 256, 512 and 1024 bits. Each function has been implemented in C language and Microsoft Visual Studio 2008 environment. The HaF test suite gives the following results (for the purpose of this paper we present only two tests for each representative of the family):

HaF-256 (**") = 3423E3FD 153A6AGF 02D565C9 065FF867
2087544 8F4CD756 F8A82E4A A3F82D3

HaF-256 ("message digest") = A854BE6D 18E2A293 3106637A 3C986590
35140BB 9E551CFC 25080B2E 2E9130E5

HaF-512 (**") = D573B56A 3C3C2B15 FB0F7205 3599703A
03FDE0CF 56CECAA1 A5B25ED9 39B34D32
E49F9E70 8B553660 4BF59F54 F16932B8
D393E5A6 838503A8 65FB8942 D857C563

HaF-512 ("message digest") = D00FA833 6B5E294A 43E2162A 24C50474
704D9FC7 2249391C A2B67C59 9221F507
F421064E 01AFC7B8 576735B9 65600C3E
20355B3E 90A918AF 5E612DAD 40065BCA

HaF-1024 (**") = 73D71224 0F60CA46 E723DD90 D525BE23
1637ADB7 A10C7D89 0B2F3C16 EFAF86C6
2C932E33 C51B1044 72183B33 1BB2E2F4
4133DEC8 785C5C9C E4ACD3E2 9B888AED
201DF434 E9C9A87E 5723D12F 0B6375B7
5A0C7767 B72E91C4 600955BE E40B83A8
D98578CE F42656C0 F17D37EC 1B7B096A
523300D7 1B13E541 47BC59EB 2C325534

HaF-1024 ("message digest") = 4D1D0179 6D6589B1 E96C8EE0 E486DDDC
B610C8E8 33208E5F 28C5658E 442B9059
B706FB90 D1E22670 56E8BF46 40D2D0CC
FP2150A8 52E0277 3C6099F1 CB6514A2
E655F145 43AB9390 140F5CCE 348E27EF
077A1571 5044D7E2 F331775B F8C9EF39
566A2497 1325FA47 4E4EE3E9 2BD4695B
BA0113B1 041F635C 35468802 63187C7D
HaF can be easily implemented for 32, and 64-bit processors. Here we present tentative evaluation of HaF performance. The results were obtained for reference (non-optimized) implementations in ANSI C for HaF-256, HaF-512, and HaF-1024. We compiled our programs with Intel C++ Compiler Professional 11.1 for Windows. Both 32-bit and 64-bit codes were generated. Then the programs were executed on a PC computer with the 2.2 GHz Athlon-64 processor. We measured processing time for 20MB text file. The results are presented in Tables 5 and 6 respectively.

<table>
<thead>
<tr>
<th>Function</th>
<th>MB/s</th>
<th>Cycles/byte</th>
</tr>
</thead>
<tbody>
<tr>
<td>HaF-256</td>
<td>2.86</td>
<td>769.2</td>
</tr>
<tr>
<td>HaF-512</td>
<td>3.63</td>
<td>606.7</td>
</tr>
<tr>
<td>HaF-1024</td>
<td>0.84</td>
<td>2611.1</td>
</tr>
</tbody>
</table>

Table 5. HaF family performance – 32-bit code.

<table>
<thead>
<tr>
<th>Function</th>
<th>MB/s</th>
<th>Cycles/byte</th>
</tr>
</thead>
<tbody>
<tr>
<td>HaF-256</td>
<td>3.12</td>
<td>704.2</td>
</tr>
<tr>
<td>HaF-512</td>
<td>3.69</td>
<td>595.9</td>
</tr>
<tr>
<td>HaF-1024</td>
<td>2.09</td>
<td>1050.9</td>
</tr>
</tbody>
</table>

Table 6. HaF family performance – 64-bit code.

As we can see in Tables 5 and 6, the best performance is achieved for HaF-512. For HaF-1024, 64-bit code performs much better than 32-bit code (speed up to 150%). The measured processing speed is relatively slow. But we expect substantially better performance for optimized implementations.

5 Conclusions

Most cryptographic hash functions designers focus on high processing speed. Therefore relatively simple algorithms are preferred. Implementations of these algorithms may be vulnerable to fault attack and side channel attack.

In the HaF hash functions the family processing scheme is more elaborated and we use relatively big $16 \times 16$ S-boxes. It leads to more complex implementation.

We expect it to give greater robustness against fault attack and side channel attack. The processing speed is relatively small. But we expect that optimised implementation will perform substantially better. Especially, multithreaded implementation exploiting parallelism of the algorithm.
Acknowledgement

This work was supported by the Polish Ministry of Science and Higher Education as the 2010–2013 research project and partially by the grant DS-PB/45-085/12.

References


