IACR News item: 06 June 2014
Shai Halevi, William E. Hall, Charanjit S. Jutla
ePrint Reportupto 2^{64}-1 bits and hash outputs of length upto 512 bits. Notably, Fugue is not based on a compression function. Rather, it is directly a hash function that supports variable-length inputs.
The starting point for Fugue is the hash function Grindahl, but it extends that design to protect against the kind of attacks that were developed for Grindahl, as well as earlier hash functions like SHA-1.
A key enhancement is the design of a much stronger round function which replaces the AES round function of Grindahl, using better
codes (over longer words) than the AES 4 X 4 MDS matrix. Also,
Fugue makes judicious use of this new round function on a much larger
internal state.
The design of Fugue is proof-oriented: the various components are
designed in such a way as to allow proofs of security, and yet be efficient to implement. As a result, we can prove that current attack methods cannot find collisions in Fugue any faster than the trivial birthday attack. Although the proof is computer assisted, the assistance is limited to computing ranks of various matrices.
Additional news items may be found on the IACR news page.