Tiger (hash function)

Last updated
Tiger
General
Designers Ross Anderson and Eli Biham
First published1996
Detail
Digest sizes 192, 128, 160
Rounds 24

In cryptography, Tiger [1] is a cryptographic hash function designed by Ross Anderson and Eli Biham in 1995 for efficiency on 64-bit platforms. The size of a Tiger hash value is 192 bits. Truncated versions (known as Tiger/128 and Tiger/160) can be used for compatibility with protocols assuming a particular hash size. Unlike the SHA-2 family, no distinguishing initialization values are defined; they are simply prefixes of the full Tiger/192 hash value.

Contents

Tiger2 [2] is a variant where the message is padded by first appending a byte with the hexadecimal value of 0x80 as in MD4, MD5 and SHA, rather than with the hexadecimal value of 0x01 as in the case of Tiger. The two variants are otherwise identical.

Algorithm

Tiger is based on Merkle–Damgård construction. The one-way compression function operates on 64-bit words, maintaining 3 words of state and processing 8 words of data. There are 24 rounds, using a combination of operation mixing with XOR and addition/subtraction, rotates, and S-box lookups, and a fairly intricate key scheduling algorithm for deriving 24 round keys from the 8 input words.

Although fast in software, Tiger's large S-boxes (four S-boxes, each with 256 64-bit entries totaling 8 KiB) make implementations in hardware or microcontrollers difficult.[ citation needed ]

Usage

Tiger is frequently used in Merkle hash tree form, where it is referred to as TTH (Tiger Tree Hash). TTH is used by many clients on the Direct Connect and Gnutella file sharing networks, and can optionally be included in the BitTorrent metafile [3] for better content availability.

Tiger was considered for inclusion in the OpenPGP standard, but was abandoned in favor of RIPEMD-160. [4] [5]

OID

RFC   2440 refers to TIGER as having no OID, whereas the GNU Coding Standards list TIGER as having OID 1.3.6.1.4.1.11591.12.2. [6] In the IPSEC subtree, HMAC-TIGER is assigned OID 1.3.6.1.5.5.8.1.3. [7] No OID for TTH has been announced yet.

Byte order

The specification of Tiger does not define the way its output should be printed but only defines the result to be three ordered 64-bit integers. The "testtiger" program at the author's homepage was intended to allow easy testing of the test source code, rather than to define any particular print order. The protocols Direct Connect and ADC as well as the program tthsum use little-endian byte order, which is also preferred by one of the authors. [8]

Examples

In the example below, the 192-bit (24-byte) Tiger hashes are represented as 48 hexadecimal digits in little-endian byte order. The following demonstrates a 43-byte ASCII input and the corresponding Tiger hashes:

Tiger("The quick brown fox jumps over the lazy dog") = 6d12a41e72e644f017b6f0e2f7b44c6285f06dd5d2c5b075  Tiger2("The quick brown fox jumps over the lazy dog") = 976abff8062a2e9dcea3a1ace966ed9c19cb85558b4976d8

Even a small change in the message will (with very high probability) result in a completely different hash, e.g. changing d to c:

Tiger("The quick brown fox jumps over the lazy cog") = a8f04b0f7201a0d728101c9d26525b31764a3493fcd8458f  Tiger2("The quick brown fox jumps over the lazy cog") = 09c11330283a27efb51930aa7dc1ec624ff738a8d9bdd3df

The hash of the zero-length string is:

Tiger("") = 3293ac630c13f0245f92bbb1766e16167a4e58492dde73f3  Tiger2("") = 4441be75f6018773c206c22745374b924aa8313fef919f41

Cryptanalysis

Unlike MD5 or SHA-0/1, there are no known effective attacks on the full 24-round Tiger [9] except for pseudo-near collision. [10] While MD5 processes its state with 64 simple 32-bit operations per 512-bit block and SHA-1 with 80, Tiger updates its state with a total of 144 such operations per 512-bit block, additionally strengthened by large S-box look-ups.

John Kelsey and Stefan Lucks have found a collision-finding attack on 16-round Tiger with a time complexity equivalent to about 244 compression function invocations and another attack that finds pseudo-near collisions in 20-round Tiger with work less than that of 248 compression function invocations. [9] Florian Mendel et al. have improved upon these attacks by describing a collision attack spanning 19 rounds of Tiger, and a 22-round pseudo-near-collision attack. These attacks require a work effort equivalent to about 262 and 244 evaluations of the Tiger compression function, respectively. [11]

See also

Related Research Articles

<span class="mw-page-title-main">HMAC</span> Computer communications hash algorithm

In cryptography, an HMAC is a specific type of message authentication code (MAC) involving a cryptographic hash function and a secret cryptographic key. As with any MAC, it may be used to simultaneously verify both the data integrity and authenticity of a message.

The MD5 message-digest algorithm is a widely used hash function producing a 128-bit hash value. MD5 was designed by Ronald Rivest in 1991 to replace an earlier hash function MD4, and was specified in 1992 as RFC 1321.

<span class="mw-page-title-main">RIPEMD</span> Cryptographic hash function

RIPEMD is a family of cryptographic hash functions developed in 1992 and 1996. There are five functions in the family: RIPEMD, RIPEMD-128, RIPEMD-160, RIPEMD-256, and RIPEMD-320, of which RIPEMD-160 is the most common.

In cryptography, SHA-1 is a hash function which takes an input and produces a 160-bit (20-byte) hash value known as a message digest – typically rendered as 40 hexadecimal digits. It was designed by the United States National Security Agency, and is a U.S. Federal Information Processing Standard. The algorithm has been cryptographically broken but is still widely used.

<span class="mw-page-title-main">Cryptographic hash function</span> Hash function that is suitable for use in cryptography

A cryptographic hash function (CHF) is a hash algorithm that has special properties desirable for a cryptographic application:

<span class="mw-page-title-main">MD4</span> Cryptographic hash function

The MD4 Message-Digest Algorithm is a cryptographic hash function developed by Ronald Rivest in 1990. The digest length is 128 bits. The algorithm has influenced later designs, such as the MD5, SHA-1 and RIPEMD algorithms. The initialism "MD" stands for "Message Digest".

In cryptography, a collision attack on a cryptographic hash tries to find two inputs producing the same hash value, i.e. a hash collision. This is in contrast to a preimage attack where a specific target hash value is specified.

HAVAL is a cryptographic hash function. Unlike MD5, but like most modern cryptographic hash functions, HAVAL can produce hashes of different lengths – 128 bits, 160 bits, 192 bits, 224 bits, and 256 bits. HAVAL also allows users to specify the number of rounds to be used to generate the hash. HAVAL was broken in 2004.

The MD2 Message-Digest Algorithm is a cryptographic hash function developed by Ronald Rivest in 1989. The algorithm is optimized for 8-bit computers. MD2 is specified in IETF RFC 1319. The "MD" in MD2 stands for "Message Digest".

SHA-2 is a set of cryptographic hash functions designed by the United States National Security Agency (NSA) and first published in 2001. They are built using the Merkle–Damgård construction, from a one-way compression function itself built using the Davies–Meyer structure from a specialized block cipher.

<span class="mw-page-title-main">Merkle–Damgård construction</span> Method of building collision-resistant cryptographic hash functions

In cryptography, the Merkle–Damgård construction or Merkle–Damgård hash function is a method of building collision-resistant cryptographic hash functions from collision-resistant one-way compression functions. This construction was used in the design of many popular hash algorithms such as MD5, SHA-1 and SHA-2.

In public-key cryptography, a public key fingerprint is a short sequence of bytes used to identify a longer public key. Fingerprints are created by applying a cryptographic hash function to a public key. Since fingerprints are shorter than the keys they refer to, they can be used to simplify certain key management tasks. In Microsoft software, "thumbprint" is used instead of "fingerprint."

Grøstl is a cryptographic hash function submitted to the NIST hash function competition by Praveen Gauravaram, Lars Knudsen, Krystian Matusiewicz, Florian Mendel, Christian Rechberger, Martin Schläffer, and Søren S. Thomsen. Grøstl was chosen as one of the five finalists of the competition. It uses the same S-box as AES in a custom construction. The authors claim speeds of up to 21.4 cycles per byte on an Intel Core 2 Duo, and 9.6 cycles/byte on an Intel i7 with AES-NI.

The following tables compare general and technical information for a number of cryptographic hash functions. See the individual functions' articles for further information. This article is not all-inclusive or necessarily up-to-date. An overview of hash function security/cryptanalysis can be found at hash function security summary.

The following outline is provided as an overview of and topical guide to cryptography:

This article summarizes publicly known attacks against cryptographic hash functions. Note that not all entries may be up to date. For a summary of other hash function parameters, see comparison of cryptographic hash functions.

BLAKE is a cryptographic hash function based on Daniel J. Bernstein's ChaCha stream cipher, but a permuted copy of the input block, XORed with round constants, is added before each ChaCha round. Like SHA-2, there are two variants differing in the word size. ChaCha operates on a 4×4 array of words. BLAKE repeatedly combines an 8-word hash value with 16 message words, truncating the ChaCha result to obtain the next hash value. BLAKE-256 and BLAKE-224 use 32-bit words and produce digest sizes of 256 bits and 224 bits, respectively, while BLAKE-512 and BLAKE-384 use 64-bit words and produce digest sizes of 512 bits and 384 bits, respectively.

The rebound attack is a tool in the cryptanalysis of cryptographic hash functions. The attack was first published in 2009 by Florian Mendel, Christian Rechberger, Martin Schläffer and Søren Thomsen. It was conceived to attack AES like functions such as Whirlpool and Grøstl, but was later shown to also be applicable to other designs such as Keccak, JH and Skein.

Streebog is a cryptographic hash function defined in the Russian national standard GOST R 34.11-2012 Information Technology – Cryptographic Information Security – Hash Function. It was created to replace an obsolete GOST hash function defined in the old standard GOST R 34.11-94, and as an asymmetric reply to SHA-3 competition by the US National Institute of Standards and Technology. The function is also described in RFC 6986 and one out of hash functions in ISO/IEC 10118-3:2018.

Kupyna is a cryptographic hash function defined in the Ukrainian national standard DSTU 7564:2014. It was created to replace an obsolete GOST hash function defined in the old standard GOST 34.11-95, similar to Streebog hash function standardized in Russia.

References

  1. Ross Anderson and Eli Biham (1996-02-08). "Tiger: A Fast New Hash Function". Fast Software Encryption 3. Cambridge . Retrieved 2017-03-03.
  2. "Tiger2 Test Vectors". Project NESSIE . 2005-02-25. Retrieved 2017-03-03.
  3. Feit, Harold (2012-02-12). "P2P:Protocol:Specifications:Optional Hashes: TTH Root" . Retrieved 2017-11-18.
  4. Callas, Jon (2004-08-18). "Re: re-consideration of TIGER". Archived from the original on 2014-07-14.
  5. Pornin, Thomas (2013-10-25). "How do you use the Tiger hash function with GPG?".
  6. "Program Behavior for All Programs: OID Allocations". GNU . Retrieved 2017-11-18.
  7. "Reference record for OID 1.3.6.1.5.5.8.1.3 – hmacTIGER". 1998-10-18. Retrieved 2017-11-18.
  8. "Digest::Tiger Module". CPAN . Retrieved 2017-03-03.
  9. 1 2 John Kelsey; Stefan Lucks (2006). "Collisions and Near-Collisions for Reduced-Round Tiger" (PDF). Fast Software Encryption 13. Graz. Archived from the original (PDF) on 2016-03-04.
  10. Mendel, Florian; Vincent, Rijmen. "Cryptanalysis of the Tiger Hash Function". ASIACRYPT 2007. Springer Berlin / Heidelberg. pp. 536–550. doi: 10.1007/978-3-540-76900-2_33 .
  11. Florian Mendel; Bart Preneel; Vincent Rijmen; Hirotaka Yoshida; Dai Watanabe (2006). "Update on Tiger" (PDF). Indocrypt 7. Kolkata.