Square Hash: Fast Message Authentication via Optimized Universal Hash Functions ⋆ Mark Etzel 1 , Sarvar Patel 1 , and Zulfikar Ramzan ⋆⋆2 1 Bell Labs, Lucent Technologies {mhetzel,sarvar}@bell-labs.com 2 Laboratory for Computer Science, MIT zulfikar@theory.lcs.mit.edu Abstract. This paper introduces two new ideas in the construction of fast universal hash functions geared towards the task of message authen- tication. First, we describe a simple but novel family of universal hash functions that is more efficient than many standard constructions. We compare our hash functions to the MMH family studied by Halevi and Krawczyk [12]. All the main techniques used to optimize MMH work on our hash functions as well. Second, we introduce additional techniques for speeding up our constructions; these techniques apply to MMH and may apply to other hash functions. The techniques involve ignoring certain parts of the computation, while still retaining the necessary statistical properties for secure message authentication. Finally, we give implemen- tation results on an ARM processor. Our constructions are general and can be used in any setting where universal hash functions are needed; therefore they may be of independent interest. Key words: Message authentication codes, Universal Hashing. 1 Introduction Message Authentication. Designing good Message Authentication schemes is a very important objective in cryptography. The goal in message authentica- tion is for one party to efficiently transmit a message to another party in such a way that the receiving party can determine whether or not the message he receives has been tampered with. The setting involves two parties, Alice and Bob, who have agreed on a pre-specified secret key x. Two algorithms are used: an algorithm S x that applies a tag to a message, and a verification algorithm V x that checks if the tag associated with a given message is valid. If Alice wants to send a message M to Bob, she first computes a message authentication code, or MAC, µ = S x (M ). She sends (M,µ) to Bob, and upon receiving the pair, Bob computes V x (M,µ) which returns 1 if the MAC is valid, or returns 0 otherwise. Without knowledge of the secret key x, it should be infeasible for an adversary ⋆ Extended abstract. A full version is available at http://theory.lcs.mit.edu/~zulfikar ⋆⋆ Work done while this author was at Lucent Technologies. This author would like to acknowledge DARPA grant DABT63-96-C-0018 and an NSF graduate fellowship. Michael Wiener (Ed.): CRYPTO’99, LNCS 1666, pp. 234–251, 1999. c  Springer-Verlag Berlin Heidelberg 1999