6

For block ciphers, there are the very well designed schemes of Simple-DES and Simple-AES, which have been created not for security but for teaching the design principles of the real algorithms while maintaining the possibility to calculate them by hand and guarantee an easy demonstration.

Are there any such simplified functions for Merkle-Damgard compression functions or sponge functions available?

mat
  • 2,558
  • 1
  • 14
  • 28

1 Answers1

4

Many of the designs in the NIST SHA-3 competition came with toy variants for study. For example:

  • The winner of the competition, Keccak, has parameters for:
    • word size—the SHA-3 standard is 64-bit, but it is formally defined for 1-bit, 2-bit, 4-bit, 8-bit, 16-bit, and 32-bit words too, for study or for smaller variants like Ketje and Keyak; and
    • number of rounds—the SHA-3 standard is 24 rounds, but that is overkill, so KangarooTwelve uses 12 while still providing comfortable collision resistance, and Kravatte uses 6 without aiming for collision resistance.
  • The popular BLAKE2 was derived from BLAKE, one of the SHA-3 finalists, which uses HAIFA, which is similar to Merkle–Damgård and Davies–Meyer but with improvements, came with several toy versions: BLOKE, FLAKE, BLAZE, and BRAKE, each with simplifications on the real BLAKE. All admit reduced-round variants too, of course.

You could, of course, take any block cipher you like, and apply it with Davies–Meyer, or any of various block cipher constructions, and study the result. One easy target for cryptanalysis might use AES-256 in one of those forms, so that you could apply the Biryukov–Khovratovich related-key attacks.

Squeamish Ossifrage
  • 49,816
  • 3
  • 122
  • 230