Cryptology ePrint Archive: Report 2011/609
The PHOTON Family of Lightweight Hash Functions
Jian Guo and Thomas Peyrin and Axel Poschmann
Abstract: RFID security is currently one of the major challenges cryptography has to face, often solved by protocols assuming that an on-tag hash function is available. In this article we present the PHOTON lightweight hash-function family, available in many different flavors and suitable for extremely constrained devices such as passive RFID tags. Our proposal uses a sponge-like construction as domain extension algorithm and an AES-like primitive as internal unkeyed permutation. This allows us to obtain the most compact hash function known so far (about 1120 GE for 64-bit collision resistance security), reaching areas very close to the theoretical optimum (derived from the minimal internal state memory size). Moreover, the speed achieved by PHOTON also compares quite favorably to its competitors. This is mostly due to the fact that unlike for previously proposed schemes, our proposal is very simple to analyze and one can derive tight AES-like bounds on the number of active Sboxes. This kind of AES-like primitive is usually not well suited for ultra constrained environments, but we describe in this paper a new method for generating the column mixing layer in a serial way, lowering drastically the area required. Finally, we slightly extend the sponge framework in order to offer interesting trade-offs between speed and preimage security for small messages, the classical use-case in hardware.
Category / Keywords: secret-key cryptography / lightweight, hash function, sponge function, AES.
Publication Info: extended version of the CRYPTO 2011 article
Date: received 9 Nov 2011, last revised 29 Oct 2015
Contact author: thomas peyrin at gmail com
Available format(s): PDF | BibTeX Citation
Note: Also available at https://sites.google.com/site/photonhashfunction/
Version: 20151029:153910 (All versions of this report)
Short URL: ia.cr/2011/609
Discussion forum: Show discussion | Start new discussion
[ Cryptology ePrint archive ]