Why have round constants in hashes?

Question

This may seem like basic crypto knowledge, but why do hash functions like SHA-2 and Whirlpool have round constants that are absorbed into their respective states?

I can understand that in a cipher you need some way to incorporate a variable secret key, but there are no such user keys for hash functions. All the round constants start off from fixed (and publicly known) values. I thought that substitution and permutation operations were sufficient for encryption. So, why XOR in round constants?

Encryption is not known to be sufficient for collision-resistance. $;$ — , Jul 07 '15 at 02:54
Is this the answer? If so, if you please post it as such - I can TICK it then... — Paul Uszak, Jul 07 '15 at 21:32
It isn't the answer, it's definitely a side remark. Note that symmetric ciphers may also contain constants (besides the variable key). — Maarten Bodewes, Jul 07 '15 at 22:21
Could you please expand on the collision resistance theme? I thought that it was sufficient for a hash to exhibit strict avalanche behaviour to avoid collisions? KECCAK only adds in a round constant over 4% of it's state. That's not much - suggesting that it's not critical..? — Paul Uszak, Jul 09 '15 at 03:19

score 9 · Accepted Answer · answered Jul 10 '15 at 13:41

9

There are attacks on both blockciphers and hash functions that can exploit symmetry in the round functions. For example, completely identical round functions can permit Slide Attacks on Hash Functions, and rotational symmetries of the round function can permit rotational cryptanalysis. The round constant addition or 'iota' step of the Keccak Hash Function is designed to break up the self-similarity symmetry of the round function. Similar tweaks to the 'key schedule' (i.e. round) constant of Threefish/Skein were intended to break up rotational symmetries (see section 9.5.2 of the latest specification for details).

The up shot is that too much symmetry can be very dangerous, even for hash functions, and opens the door to attacks. Round constants are an easy and cheap way to close that door.

answered Jul 10 '15 at 13:41

J.D.

4,445
16
21

If the hash was not being used for security stuff, for something benign like just data storage /indexing in a table with no possibility of attack, would round constants not be required then? Would a totally symmetric round function be adequate? – Paul Uszak Jul 14 '15 at 03:49
2

@PaulUszak - If you don't need the hash function to be cryptographically secure then many design requirements can be dropped. That said, there are much faster (insecure) checksum functions than Keccak or Skein without the round constants. e.g. The simple Modular sum of all the words in a message produces a fingerprint (the sum) enormously faster than any hash function, and is often sufficient in 'benign' situations. – J.D. Jul 14 '15 at 10:56
1

If you need a high-performance hash function without cryptographic security, say for making an in-memory hash table, check out FNV, MurmurHash, CityHash, FarmHash. These also typically use some constants to remove symmetry and increase non-linearity. If you don't know if you need the security properties of a cryptographic hash function, you should use a SHA-2 or SHA-3 family member just in case you actually do! – rmalayter Oct 19 '15 at 15:22

Why have round constants in hashes?

1 Answers1

Linked