
I would like to generate a 256-bit hash on a microcontroller that has a 128-bit (only) AES engine. How can I construct a 256-bit hash function from a 128-bit cipher?

joeforker

5 Answers

HMAC is a specific construction which aims at providing a message authentication code. HMAC is defined over a hash function, something which AES is not.

So if your question is really about having HMAC, not just any MAC, and using an AES primitive, then your question becomes: how can we build a hash function out of a block cipher? This is not an easy question, especially if the block cipher uses blocks which are smaller than the intended hash function output size. You could investigate ECHO, a former SHA-3 candidate, which received a reasonably fair share of analysis by many cryptographers, who found no actual problem in it. ECHO is built upon some constitutive parts of AES, and can benefit from most hardware accelerators for AES.

On the other hand, if you just want a MAC (not specifically HMAC), and have an available AES primitive, then I recommend CBC-MAC (just don't use the exact same key to encrypt data!). This will yield a 128-bit MAC. A 256-bit MAC is a weird requirement, since 128 bits ought to be enough to provide adequate security (if 128 bits are not enough, then the attacker is way more powerful than the whole of Mankind, including all governments, agencies, private corporations and mafias -- and at that point you probably have more trouble than a possibly weak MAC: for all practical purposes, the attacker is God).

One could imagine defining a 256-bit block cipher with a Feistel network where the confusion function is an AES instance, with enough rounds and distinct round keys -- like what the DEAL block cipher did with DES, during the AES competition. Then CBC-MAC on that block cipher would yield a 256-bit MAC. But custom building of block ciphers or other cryptographic primitives is not recommended at all since it is hard to get right, and you cannot test for the security of the result.

Thomas Pornin

Are you sure you need an HMAC (hash-based MAC)? CBC-MAC is probably a better construction for a keyed message authentication code using a block cipher. To get 256 bits, use two separate keys, compute 2 different MACs and concatenate them together.

If your AES engine is really a Rijndael implementation (which means it would support larger block sizes), just use Rijndael with a 256 bit block size in a CBC-MAC construction.

mikeazo
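The CBC-MAC that Thomas Pornin and mikeazo both point to, written out as an added example (this is not code from either answer, and it only assumes a 128-bit AES engine, which Go's standard `crypto/aes` stands in for here). It covers the two caveats a practitioner runs into when doing this on a microcontroller: raw CBC-MAC is only secure for messages of a single fixed length, so the message length is prepended as a leading block (the standardized fix for variable-length input is CMAC, NIST SP 800-38B, whose subkey L = AES_K(0^128) is used below as a known-answer check); and the tag must be compared in constant time. The 256-bit tag is mikeazo's two-key concatenation; the keys, message and length-prepending layout are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/subtle"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// cbcMAC computes an AES-128 CBC-MAC over msg with a zero IV and returns the
// final 16-byte ciphertext block. Raw CBC-MAC is only secure for messages of
// one fixed length, so the byte length of msg is placed in a leading block
// (length-prepending, an assumed layout for this example); the message is then
// zero-padded to a block boundary.
func cbcMAC(key, msg []byte) ([]byte, error) {
	if len(key) != 16 {
		return nil, errors.New("cbcMAC: key must be 16 bytes for AES-128")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()

	// Block 0: 64-bit big-endian byte length in the low 8 bytes, zeros above.
	padded := make([]byte, bs, bs+len(msg)+bs)
	binary.BigEndian.PutUint64(padded[bs-8:], uint64(len(msg)))
	padded = append(padded, msg...)
	if rem := len(padded) % bs; rem != 0 {
		padded = append(padded, make([]byte, bs-rem)...)
	}

	mac := make([]byte, bs) // starts as the zero IV
	x := make([]byte, bs)
	for off := 0; off < len(padded); off += bs {
		for j := 0; j < bs; j++ {
			x[j] = mac[j] ^ padded[off+j] // CBC chaining
		}
		block.Encrypt(mac, x)
	}
	return mac, nil
}

// doubleCBCMAC is mikeazo's suggestion: two CBC-MACs under two independent
// keys, concatenated into a 256-bit tag.
func doubleCBCMAC(key1, key2, msg []byte) ([]byte, error) {
	t1, err := cbcMAC(key1, msg)
	if err != nil {
		return nil, err
	}
	t2, err := cbcMAC(key2, msg)
	if err != nil {
		return nil, err
	}
	return append(t1, t2...), nil
}

// verifyDoubleCBCMAC recomputes the tag and compares in constant time, so a
// forger learns nothing from how quickly a wrong tag is rejected.
func verifyDoubleCBCMAC(key1, key2, msg, tag []byte) bool {
	want, err := doubleCBCMAC(key1, key2, msg)
	if err != nil {
		return false
	}
	return subtle.ConstantTimeCompare(want, tag) == 1
}

func main() {
	// Constructed demo keys. On a real device these are independent secrets
	// that are never reused as data-encryption keys (Pornin's warning).
	key1, _ := hex.DecodeString("2b7e151628aed2a6abf7158809cf4f3c")
	key2, _ := hex.DecodeString("000102030405060708090a0b0c0d0e0f")
	msg := []byte("firmware block 0017: constructed sample payload")

	tag, _ := doubleCBCMAC(key1, key2, msg)
	fmt.Printf("256-bit tag: %x\n", tag)
	fmt.Println("verifies:", verifyDoubleCBCMAC(key1, key2, msg, tag))
	tag[0] ^= 1
	fmt.Println("tampered tag verifies:", verifyDoubleCBCMAC(key1, key2, msg, tag))
}
```

With an empty message the only block processed is the all-zero length block, so `cbcMAC` returns AES_K(0^128); for the SP 800-38B sample key this is `7df76b0c1ab899b33e42f047b91b546f`, which gives a quick sanity check of the chaining against a published value.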

If you need HMAC in order to be compatible with an existing use of it (to speak to SSL, for example) then you cannot do this with AES: HMAC for SSL will use a specific underlying hash function (like SHA1 or MD5, typically).

If you really want HMAC out of AES, you'll have to first make a crypto hash function out of AES, as Thomas said.

If you have Rijndael (which is the algorithm that AES was made from), you can get a block size of 256 bits easily enough if it's available on your engine. Then use a construction like Merkle-Damgård to get a hash function.

If you only have 128-bit AES, you'll need to use a double-wide construction like MDC-2. MDC-2 isn't so well-tested, but it has at least a collision proof in the ideal-cipher model.

Fixee
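The double-wide construction Fixee names (MDC-2, iterated Merkle-Damgård style) carried through with AES-128, as an added example that is not code from the answer. MDC-2 was specified for DES; the adaptation here is an assumption for illustration: each chaining half is used directly as an AES-128 key (key and block size coincide, so no key-bit fixing is needed), each lane is a Matyas-Meyer-Oseas step E_h(m) XOR m, and the right halves of the two lanes are swapped after every block. The initial values (0x52 and 0x25 repeated, after the DES MDC-2 constants) and the SHA-2 style length padding are choices made for this example, not part of any standard. This is what "two 128-bit lanes coupled into a 256-bit state" looks like; D.W.'s point stands that a dedicated hash such as SHA-256 is the right choice wherever one is available.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// mdc2Step is one MDC-2 compression with AES-128: two Matyas-Meyer-Oseas
// instances keyed by the chaining halves h1 and h2, followed by a swap of the
// right 8 bytes so the two lanes stay coupled (assumed adaptation of MDC-2).
func mdc2Step(h1, h2, m [16]byte) ([16]byte, [16]byte) {
	c1, err := aes.NewCipher(h1[:])
	if err != nil {
		panic(err) // cannot happen: h1 is always 16 bytes
	}
	c2, err := aes.NewCipher(h2[:])
	if err != nil {
		panic(err)
	}
	var v, w [16]byte
	c1.Encrypt(v[:], m[:])
	c2.Encrypt(w[:], m[:])
	for i := 0; i < 16; i++ {
		v[i] ^= m[i] // Matyas-Meyer-Oseas feed-forward makes the step one-way
		w[i] ^= m[i]
	}
	var n1, n2 [16]byte
	copy(n1[:8], v[:8])
	copy(n1[8:], w[8:])
	copy(n2[:8], w[:8])
	copy(n2[8:], v[8:])
	return n1, n2
}

// mdc2Pad applies Merkle-Damgård strengthening: a 0x80 byte, zeros, then the
// 64-bit big-endian bit length, so messages of different lengths never share
// a final block (constructed padding rule, SHA-2 style).
func mdc2Pad(msg []byte) []byte {
	padded := append([]byte{}, msg...)
	padded = append(padded, 0x80)
	for len(padded)%16 != 8 {
		padded = append(padded, 0)
	}
	var n [8]byte
	binary.BigEndian.PutUint64(n[:], uint64(len(msg))*8)
	return append(padded, n[:]...)
}

// mdc2Hash iterates mdc2Step over the padded message and returns the
// 256-bit digest h1 || h2.
func mdc2Hash(msg []byte) [32]byte {
	var h1, h2 [16]byte
	for i := range h1 {
		h1[i], h2[i] = 0x52, 0x25 // distinct fixed IVs, constructed for the example
	}
	padded := mdc2Pad(msg)
	for off := 0; off < len(padded); off += 16 {
		var m [16]byte
		copy(m[:], padded[off:off+16])
		h1, h2 = mdc2Step(h1, h2, m)
	}
	var out [32]byte
	copy(out[:16], h1[:])
	copy(out[16:], h2[:])
	return out
}

func main() {
	for _, s := range []string{"", "abc", "abd"} {
		d := mdc2Hash([]byte(s))
		fmt.Printf("%-5q %s\n", s, hex.EncodeToString(d[:]))
	}
}
```

Each message block costs two AES-128 encryptions plus two key schedules (the keys change every block), which is the price of the double-block-length design on an engine that only offers 128-bit blocks.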

This paper: Building Hash Functions from Block Ciphers, Their Security and Implementation Properties may be useful. In particular, section 3.4 deals with "Double-Block-Length Compression Functions" which may be what you need.

rossum

It looks like you've changed your question. Anyway, as to the new question (about how to build a 256-bit hash function out of 128-bit AES), the simple answer is: you don't. Don't do that. There's no really good, well-vetted way to build a 256-bit cryptographic hash function out of AES. Instead, if you need a 256-bit hash function, you should be using a dedicated hash construction, such as SHA256.

I would question whether you truly need a 256-bit cryptographic hash function. Are you sure this is needed? My suspicion is that it is not.

D.W.