Constructing cryptographic hash functions from fixed-key blockciphers. Full version of this paper, 2008
Cited by 18 (5 self)
Abstract. We propose a family of compression functions built from fixed-key blockciphers and investigate their collision and preimage security in the ideal-cipher model. The constructions have security approaching and in many cases equaling the security upper bounds found in previous work of the authors [24]. In particular, we describe a 2n-bit to n-bit compression function using three n-bit permutation calls that has collision security N^{0.5}, where N = 2^n, and we describe 3n-bit to 2n-bit compression functions using five and six permutation calls and having collision security of at least N^{0.55} and N^{0.63}. Key words: blockcipher-based hashing, collision-resistant hashing, compression functions, cryptographic hash functions, ideal-cipher model.
Building a collision-resistant compression function from non-compressing primitives
In ICALP 2008, Part II, 2008
Cited by 15 (3 self)
Abstract. We consider how to build an efficient compression function from a small number of random, non-compressing primitives. Our main goal is to achieve a level of collision resistance as close as possible to the optimal birthday bound. We present a 2n-to-n bit compression function based on three independent n-to-n bit random functions, each called only once. We show that if the three random functions are treated as black boxes then finding collisions requires Θ(2^{n/2}/n^c) queries for c ≈ 1. This result remains valid if two of the three random functions are replaced by a fixed-key ideal cipher in Davies-Meyer mode (i.e., E_K(x) ⊕ x for permutation E_K). We also give a heuristic, backed by experimental results, suggesting that the security loss is at most four bits for block sizes up to 256 bits. We believe this is the best result to date on the matter of building a collision-resistant compression function from non-compressing functions. It also relates to an open question from Black et al. (Eurocrypt’05), who showed that compression functions that invoke a single non-compressing random function cannot suffice. We also explore the relationship of our problem with that of doubling the output of a hash function and we show how our compression function can be used to double the output length of ideal hashes.
The security of Abreast-DM in the ideal cipher model
Cited by 6 (3 self)
Abstract. In this paper, we give a security proof for Abreast-DM in terms of collision resistance and preimage resistance. As old as Tandem-DM, the compression function Abreast-DM is one of the most well-known constructions for double block length compression functions. The bounds on the number of queries for collision resistance and preimage resistance are given by O(2^n). Based on a novel technique using query-response cycles, our security proof is simpler than those for MDC-2 and Tandem-DM. We also present a wide class of Abreast-DM variants that enjoy a birthday-type security guarantee with a simple proof.
The collision security of Tandem-DM in the ideal cipher model
Cited by 5 (1 self)
Abstract. We prove that Tandem-DM, one of the two “classical” schemes for turning a blockcipher of 2n-bit key into a double block length hash function, has birthday-type collision resistance in the ideal cipher model. A collision resistance analysis for Tandem-DM achieving a similar birthday-type bound was already proposed by Fleischmann, Gorski and Lucks at FSE 2009 [3]. As we detail, however, the latter analysis is wrong, thus leaving the collision resistance of Tandem-DM as an open problem until now.
Blockcipher Based Hashing Revisited
Fast Software Encryption – FSE ’09, 2009
Cited by 3 (0 self)
Abstract. We revisit the rate-1 blockcipher based hash functions as first studied by Preneel, Govaerts and Vandewalle (Crypto’93) and later extensively analysed by Black, Rogaway and Shrimpton (Crypto’02). We analyse a further generalization where any pre- and post-processing is considered. This leads to a clearer understanding of the current classification of rate-1 blockcipher based schemes as introduced by Preneel et al. and refined by Black et al. In addition, we also gain insight in chopped, overloaded and supercharged compression functions. In the latter category we propose two compression functions based on a single call to a blockcipher whose collision resistance exceeds the birthday bound on the cipher’s blocklength.
Stam’s collision resistance conjecture
In: EUROCRYPT 2010. LNCS, 2010
Cited by 2 (1 self)
Abstract. At CRYPTO 2008 Stam [7] made the following conjecture: if an (m + s)-bit to s-bit compression function F makes r calls to a primitive f of n-bit input, then a collision for F can be obtained (with high probability) using r·2^{(nr−m)/(r+1)} queries to f. For example, a 2n-bit to n-bit compression function making two calls to a random function of n-bit input cannot have collision security exceeding 2^{n/3}. We prove this conjecture up to a constant multiplicative factor and under the condition m′ := (2m − n(r − 1))/(r + 1) ≥ log_2(17). This covers nearly all cases r = 1 of the conjecture and the aforementioned example of a 2n-bit to n-bit compression function making two calls to a primitive of n-bit input.
The preimage security of double-block-length compression functions. Cryptology ePrint Archive, Report 2011/210, 2011. http://eprint.iacr.org
Cited by 2 (1 self)
Abstract. We give improved bounds on the preimage security of the three “classical” double-block-length, double-call, blockcipher-based compression functions, these being Abreast-DM, Tandem-DM and Hirose’s scheme. For Hirose’s scheme, we show that an adversary must make at least 2^{2n−5} blockcipher queries to achieve chance 0.5 of inverting a randomly chosen point in the range. For Abreast-DM and Tandem-DM we show that at least 2^{2n−10} queries are necessary. These bounds improve upon the previous best bounds of Ω(2^n) queries, and are optimal up to a constant factor since the compression functions in question have range of size 2^{2n}.
Security of Single-permutation-based Compression Functions
Cited by 1 (1 self)
Abstract. In this paper, we study security for a certain class of permutation-based compression functions. Denoted lp231 in [12], they are 2n-bit to n-bit compression functions using three calls to a single n-bit random permutation. We prove that lp231 is asymptotically preimage resistant up to (2^{2n/3}/n) queries, adaptive preimage resistant up to (2^{n/2}/n) queries/commitments, and collision resistant up to (2^{n/2}/n^{1+ɛ}) queries for ɛ > 0.
Stam’s Conjecture and Threshold Phenomena in Collision Resistance
Abstract. At CRYPTO 2008 Stam [8] conjectured that if an (m+s)-bit to s-bit compression function F makes r calls to a primitive f of n-bit input, then a collision for F can be obtained (with high probability) using r·2^{(nr−m)/(r+1)} queries to f, which is sometimes less than the birthday bound. Steinberger [9] proved Stam’s conjecture up to a constant multiplicative factor for most cases in which r = 1 and for certain other cases that reduce to the case r = 1. In this paper we prove the general case of Stam’s conjecture (also up to a constant multiplicative factor). Our result is qualitatively different from Steinberger’s, moreover, as we show the following novel threshold phenomenon: that exponentially many (more exactly, 2^{s−2(m−n)/(r+1)}) collisions are obtained with high probability after O(1)·r·2^{(nr−m)/(r+1)} queries. This in particular shows that threshold phenomena observed in practical compression functions such as JH are, in fact, unavoidable for compression functions with those parameters. (This is the full version of the same-titled article that appeared at CRYPTO ’12.)
Security Analysis and Comparison of the SHA-3 Finalists
Abstract. In 2007, the US National Institute for Standards and Technology announced a call for the design of a new cryptographic hash algorithm in response to the vulnerabilities identified in widely employed hash functions, such as MD5 and SHA-1. NIST received many submissions, 51 of which got accepted to the first round. At present, 5 candidates are left in the third round of the competition. An important criterion in the selection process is the SHA-3 hash function security and more concretely, the possible reductions of the hash function security to the security of its underlying building blocks. At NIST’s second SHA-3 Candidate Conference 2010, Andreeva et al. provided a provable security classification of the second round SHA-3 candidates in the ideal model. In this work, we revisit this classification for the five SHA-3 finalists. We evaluate recent provable security results on the candidates, and resolve remaining open problems for Grøstl, JH, and Skein.