Results 1  10
of
32
The PHOTON Family of Lightweight Hash Functions
 CRYPTO, volume 6841 of LNCS
, 2011
"... Abstract. RFID security is currently one of the major challenges cryptography has to face, often solved by protocols assuming that an ontag hash function is available. In this article we present the PHOTON lightweight hashfunction family, available in many different flavors and suitable for extrem ..."
Abstract

Cited by 22 (4 self)
 Add to MetaCart
Abstract. RFID security is currently one of the major challenges cryptography has to face, often solved by protocols assuming that an ontag hash function is available. In this article we present the PHOTON lightweight hashfunction family, available in many different flavors and suitable for extremely constrained devices such as passive RFID tags. Our proposal uses a spongelike construction as domain extension algorithm and an AESlike primitive as internal unkeyed permutation. This allows us to obtain the most compact hash function known so far (about 1120 GE for 64bit collision resistance security), reaching areas very close to the theoretical optimum (derived from the minimal internal state memory size). Moreover, the speed achieved by PHOTON also compares quite favorably to its competitors. This is mostly due to the fact that unlike for previously proposed schemes, our proposal is very simple to analyze and one can derive tight AESlike bounds on the number of active Sboxes. This kind of AESlike primitive is usually not well suited for ultra constrained environments, but we describe in this paper a new method for generating the column mixing layer in a serial way, lowering drastically the area required. Finally, we slightly extend the sponge framework in order to offer interesting tradeoffs between speed and preimage security for small messages, the classical usecase in hardware.
Constructing cryptographic hash functions from fixedkey blockciphers. Full version of this paper
, 2008
"... Abstract. We propose a family of compression functions built from fixedkey blockciphers and investigate their collision and preimage security in the idealcipher model. The constructions have security approaching and in many cases equaling the security upper bounds found in previous work of the aut ..."
Abstract

Cited by 19 (5 self)
 Add to MetaCart
Abstract. We propose a family of compression functions built from fixedkey blockciphers and investigate their collision and preimage security in the idealcipher model. The constructions have security approaching and in many cases equaling the security upper bounds found in previous work of the authors [24]. In particular, we describe a 2nbit to nbit compression function using three nbit permutation calls that has collision security N 0.5,whereN =2 n, and we describe 3nbit to 2nbit compression functions using five and six permutation calls and having collision security of at least N 0.55 and N 0.63. Key words: blockcipherbased hashing, collisionresistant hashing, compression functions, cryptographic hash functions, idealcipher model. 1
M.: Indifferentiable security analysis of popular hash functions with prefixfree padding
 ASIACRYPT 2006. LNCS
, 2006
"... Abstract. Understanding what construction strategy has a chance to be a good hash function is extremely important nowadays. In TCC’04, Maurer et al. [13] introduced the notion of indifferentiability as a generalization of the concept of the indistinguishability of two systems. In Crypto’2005, Coron ..."
Abstract

Cited by 13 (1 self)
 Add to MetaCart
Abstract. Understanding what construction strategy has a chance to be a good hash function is extremely important nowadays. In TCC’04, Maurer et al. [13] introduced the notion of indifferentiability as a generalization of the concept of the indistinguishability of two systems. In Crypto’2005, Coron et al. [5] suggested to employ indifferentiability in generic analysis of hash functions and started by suggesting four constructions which enable eliminating all possible generic attacks against iterative hash functions. In this paper we continue this initial suggestion and we give a formal proof of indifferentiability and indifferentiable attack for prefixfree MD hash functions (for single block length (SBL) hash and also some double block length (DBL) constructions) in the random oracle model and in the ideal cipher model. In particular, we observe that there are sixteen PGV hash functions (with prefixfree padding) which are indifferentiable from random oracle model in the ideal cipher model. 1
Security of Cyclic Double Block Length Hash Functions including AbreastDM
"... Abstract. We provide the first proof of security for AbreastDM, one of the oldest and most wellknown constructions for turning a block cipher with nbit block length and 2nbit key length into a 2nbit cryptographic hash function. In particular, we prove that when AbreastDM is instantiated with AE ..."
Abstract

Cited by 9 (2 self)
 Add to MetaCart
Abstract. We provide the first proof of security for AbreastDM, one of the oldest and most wellknown constructions for turning a block cipher with nbit block length and 2nbit key length into a 2nbit cryptographic hash function. In particular, we prove that when AbreastDM is instantiated with AES256, i.e. a block cipher with 128bit block length and 256bit key length, any adversary that asks less than 2 124.42 queries cannot find a collision with success probability greater than 1/2. Surprisingly, this about 15 years old construction is one of the few constructions that have the desirable feature of a nearoptimal collision resistance guarantee. We generalize our techniques used in the proof of AbreastDM to a huge class of double block length (DBL) hash functions that we will call cyclic. Using this generalized theorem we are able to derive several DBL constructions that lead to compression functions that even have a higher security guarantee and are more efficient than AbreastDM. Furthermore we give DBL constructions that have the highest security guarantee of all DBL compression functions currently known in literature. We also provide an analysis of preimage resistance for cyclic compression functions. Note that this work has been already presented at Dagstuhl ’09.
Cryptanalysis of GRINDAHL
"... Abstract. Due to recent breakthroughs in hash functions cryptanalysis, some new hash schemes have been proposed. GRINDAHL is a novel hash function, designed by Knudsen, Rechberger and Thomsen and published at FSE 2007. It has the particularity that it follows the RIJNDAEL design strategy, with an ef ..."
Abstract

Cited by 8 (4 self)
 Add to MetaCart
Abstract. Due to recent breakthroughs in hash functions cryptanalysis, some new hash schemes have been proposed. GRINDAHL is a novel hash function, designed by Knudsen, Rechberger and Thomsen and published at FSE 2007. It has the particularity that it follows the RIJNDAEL design strategy, with an efficiency comparable to SHA256. This paper provides the first cryptanalytic work on this new scheme. We show that the 256bit version of GRINDAHL is not collision resistant. With a work effort of approximatively 2 112 hash computations, one can generate a collision. Key words: GRINDAHL, hash functions, RIJNDAEL. 1
A CollisionResistant Rate1 DoubleBlockLength Hash Function
"... (on the leave to BauhausUniversity Weimar, Germany) Abstract. This paper proposes a construction for collision resistant 2nbit hash functions, based on nbit block ciphers with 2nbit keys. The construction is analysed in the ideal cipher model; for n = 128 an adversary would need roughly 2 122 un ..."
Abstract

Cited by 8 (0 self)
 Add to MetaCart
(on the leave to BauhausUniversity Weimar, Germany) Abstract. This paper proposes a construction for collision resistant 2nbit hash functions, based on nbit block ciphers with 2nbit keys. The construction is analysed in the ideal cipher model; for n = 128 an adversary would need roughly 2 122 units of time to find a collision. The construction employs “combinatorial ” hashing as an underlying building block (like Universal Hashing for cryptographic message authentication by Wegman and Carter). The construction runs at rate 1, thus improving on a similar rate 1/2 approach by Hirose (FSE 2006). 1
The security of abreastdm in the ideal cipher model
"... Abstract. In this paper, we give a security proof for AbreastDM in terms of collision resistance and preimage resistance. As old as TandemDM, the compression function AbreastDM is one of the most wellknown constructions for double block length compression functions. The bounds on the number of q ..."
Abstract

Cited by 6 (3 self)
 Add to MetaCart
Abstract. In this paper, we give a security proof for AbreastDM in terms of collision resistance and preimage resistance. As old as TandemDM, the compression function AbreastDM is one of the most wellknown constructions for double block length compression functions. The bounds on the number of queries for collision resistance and preimage resistance are given by O (2 n). Based on a novel technique using queryresponse cycles, our security proof is simpler than those for MDC2 and TandemDM. We also present a wide class of AbreastDM variants that enjoy a birthdaytype security guarantee with a simple proof. 1
On the Security of TandemDM
"... Abstract. We provide the first proof of security for TandemDM, one of the oldest and most wellknown constructions for turning a blockcipher with nbit blocklength and 2nbit keylength into a 2nbit cryptographic hash function. We prove, that when TandemDM is instantiated with AES256, i.e. blockle ..."
Abstract

Cited by 6 (2 self)
 Add to MetaCart
Abstract. We provide the first proof of security for TandemDM, one of the oldest and most wellknown constructions for turning a blockcipher with nbit blocklength and 2nbit keylength into a 2nbit cryptographic hash function. We prove, that when TandemDM is instantiated with AES256, i.e. blocklength 128 bits and keylength 256 bits, any adversary that asks less than 2 120.4 queries cannot find a collision with success probability greater than 1/2. We also prove a bound for preimage resistance of TandemDM. Interestingly, as there is only one practical construction known (FSE’06, Hirose) turning such an (n,2n)bit blockcipher into a 2nbit compression function that has provably birthdaytype collision resistance, TandemDM is one out of two structures that possess this desirable feature.
A Synthetic Indifferentiability Analysis of Some BlockCipherBased Hash Functions
, 2007
"... At ASIACRYPT’06, Chang et al. analyzed the indifferentiability of some popular hash functions based on block ciphers, namely, the twenty collision resistant PGV, the MDC2 and the PBGV hash functions, etc. In particular, two indifferentiable attacks were presented on the four of the twenty collision ..."
Abstract

Cited by 5 (2 self)
 Add to MetaCart
At ASIACRYPT’06, Chang et al. analyzed the indifferentiability of some popular hash functions based on block ciphers, namely, the twenty collision resistant PGV, the MDC2 and the PBGV hash functions, etc. In particular, two indifferentiable attacks were presented on the four of the twenty collision resistant PGV and the PBGV hash functions with the prefixfree padding. In this article, a synthetic indifferentiability analysis of some blockcipherbased hash functions is considered. First, a more precise definition is proposed on the indifferentiability adversary in blockcipherbased hash functions. Next, the advantage of indifferentiability is extended by considering whether the hash function is keyed or not. Finally, a limitation is observed in Chang et al.’s indifferentiable attacks on the four PGV and the PBGV hash functions. The formal proofs show the fact that those hash functions are indifferentiable from a random oracle in the ideal cipher model with the prefixfree padding, the NMAC/HMAC and the chop construction.
The collision security of TandemDM in the ideal cipher model
"... Abstract. We prove that TandemDM, one of the two “classical ” schemes for turning a blockcipher of 2nbit key into a double block length hash function, has birthdaytype collision resistance in the ideal cipher model. A collision resistance analysis for TandemDM achieving a similar birthdaytype b ..."
Abstract

Cited by 5 (1 self)
 Add to MetaCart
Abstract. We prove that TandemDM, one of the two “classical ” schemes for turning a blockcipher of 2nbit key into a double block length hash function, has birthdaytype collision resistance in the ideal cipher model. A collision resistance analysis for TandemDM achieving a similar birthdaytype bound was already proposed by Fleischmann, Gorski and Lucks at FSE 2009 [3]. As we detail, however, the latter analysis is wrong, thus leaving the collision resistance of TandemDM as an open problem until now. 1