Abstract: Secure communication in resource-constrained environments such as RFID tags and sensor networks is becoming one of the important research topics. To achieve secure communication, both confidentiality and authentication are important, and a hash function is a useful primitive for both. We present a model of compression functions using a blockcipher for lightweight hashing on memory-constrained devices. It is similar to the model by Preneel, Govaerts and Vandewalle presented at CRYPTO '93. The novelty of the proposed model is that the key length of the underlying blockcipher is half of its block length, which enables the reduction of the size of the internal state without sacrificing security. The security of iterated hash functions composed of compression functions in the model is also discussed. First, their collision resistance and preimage resistance are quantified in the ideal cipher model. Then, keyed hashing modes are defined, and their security as a pseudorandom function is almost reduced to the security of the underlying blockcipher as a pseudorandom permutation. Finally, preimage resistance is quantified assuming a computationally secure blockcipher.