Results 1-10 of 20
G.V.: On the Indifferentiability of the Sponge Construction
In: Advances in Cryptology – Eurocrypt, 2008
Cited by 55 (4 self)
Abstract. In this paper we prove that the sponge construction introduced in [4] is indifferentiable from a random oracle when being used with a random transformation or a random permutation and discuss its implications. To our knowledge, this is the first time indifferentiability has been shown for a construction calling a random permutation (instead of an ideal compression function or ideal block cipher) and for a construction generating outputs of any length (instead of a fixed length).
The PHOTON Family of Lightweight Hash Functions
CRYPTO, volume 6841 of LNCS, 2011
Cited by 26 (6 self)
Abstract. RFID security is currently one of the major challenges cryptography has to face, often solved by protocols assuming that an on-tag hash function is available. In this article we present the PHOTON lightweight hash-function family, available in many different flavors and suitable for extremely constrained devices such as passive RFID tags. Our proposal uses a sponge-like construction as domain extension algorithm and an AES-like primitive as internal unkeyed permutation. This allows us to obtain the most compact hash function known so far (about 1120 GE for 64-bit collision resistance security), reaching areas very close to the theoretical optimum (derived from the minimal internal state memory size). Moreover, the speed achieved by PHOTON also compares quite favorably to its competitors. This is mostly due to the fact that unlike for previously proposed schemes, our proposal is very simple to analyze and one can derive tight AES-like bounds on the number of active S-boxes. This kind of AES-like primitive is usually not well suited for ultra constrained environments, but we describe in this paper a new method for generating the column mixing layer in a serial way, lowering drastically the area required. Finally, we slightly extend the sponge framework in order to offer interesting trade-offs between speed and preimage security for small messages, the classical use-case in hardware.
Constructing cryptographic hash functions from fixed-key blockciphers. Full version of this paper, 2008
Cited by 21 (5 self)
Abstract. We propose a family of compression functions built from fixed-key blockciphers and investigate their collision and preimage security in the ideal-cipher model. The constructions have security approaching and in many cases equaling the security upper bounds found in previous work of the authors [24]. In particular, we describe a 2n-bit to n-bit compression function using three n-bit permutation calls that has collision security N^0.5, where N = 2^n, and we describe 3n-bit to 2n-bit compression functions using five and six permutation calls and having collision security of at least N^0.55 and N^0.63. Key words: blockcipher-based hashing, collision-resistant hashing, compression functions, cryptographic hash functions, ideal-cipher model.
Duplexing the sponge: Single-pass authenticated encryption and other applications
In SAC 2011 (2011)
Cited by 9 (1 self)
Abstract. This paper proposes a novel construction, called duplex, closely related to the sponge construction, that accepts message blocks to be hashed and—at no extra cost—provides digests on the input blocks received so far. It can be proven equivalent to a cascade of sponge functions and hence inherits its security against single-stage generic attacks. The main application proposed here is an authenticated encryption mode based on the duplex construction. This mode is efficient, namely, enciphering and authenticating together require only a single call to the underlying permutation per block, and is readily usable in, e.g., key wrapping. Furthermore, it is the first mode of this kind to be directly based on a permutation instead of a block cipher and to natively support intermediate tags. The duplex construction can be used to efficiently realize other modes, such as reseedable pseudorandom bit sequence generators and a sponge variant that overwrites part of the state with the input block rather than XORing it in.
Keccak specifications, 2009
Cited by 8 (0 self)
Keccak (pronounced [kEtSak]) is a family of hash functions that are based on the sponge construction [1] and use as a building block a permutation from a set of 7 permutations. In this document, we specify these permutations, the Keccak sponge functions and the parameter values we propose for use in our SHA-3 candidates. We also give conventions for bit and byte numbering, for using the arbitrary-long output mode and for naming parts of the Keccak state. These specifications give all the necessary information to implement the Keccak sponge functions. For more information, and for the reference code, please refer to the Keccak web page given above.
Blockcipher Based Hashing Revisited
Fast Software Encryption – FSE ’09, 2009
Cited by 3 (0 self)
Abstract. We revisit the rate-1 blockcipher based hash functions as first studied by Preneel, Govaerts and Vandewalle (Crypto’93) and later extensively analysed by Black, Rogaway and Shrimpton (Crypto’02). We analyse a further generalization where any pre- and postprocessing is considered. This leads to a clearer understanding of the current classification of rate-1 blockcipher based schemes as introduced by Preneel et al. and refined by Black et al. In addition, we also gain insight in chopped, overloaded and supercharged compression functions. In the latter category we propose two compression functions based on a single call to a blockcipher whose collision resistance exceeds the birthday bound on the cipher’s blocklength.
A unified indifferentiability proof for . . .
In recent years, several hash constructions have been introduced that aim at achieving enhanced security margins by strengthening the Merkle-Damgård mode. However, their security analyses have been conducted independently and using a variety of proof methodologies. This paper unifies these results by proposing a unique indifferentiability proof that considers a broadened form of the general compression function introduced by Stam at FSE09. This general definition enables us to capture in a realistic model most of the features of the mode of operation (e.g., message encoding, blank rounds, message insertion, ...) within the preprocessing and postprocessing functions. Furthermore, it relies on an inner primitive which can be instantiated either by an ideal block cipher, or by an ideal permutation. Then, most existing hash functions can be seen as the ChopMD construction applied to some compression function which fits the broadened Stam model. Our result then gives the tightest known indifferentiability bounds for several general modes of operation, including ChopMD, Haifa or sponges. Moreover, we show that it applies in a quite automatic way, by providing the security bounds for 7 out of the 14 second-round SHA-3 candidates, which are in some cases improved over previously known ones.
unknown title
Note on Keccak parameters and usage. The Keccak sponge function family is characterized by three parameters: the bitrate r, the capacity c (where r + c is the width of the underlying permutation) and the diversifier d. We propose in [5] four instances that can be taken as functions for the four (fixed) output lengths NIST requires for SHA-3 and a variable-output-length instance, denoted by Keccak[], with default values for the parameters. Section 1 below recalls the Keccak offering: its parameters, security claim and design strategy, and our proposal to NIST. Whilst we are happy with our choice, there are other valid parameter choices that NIST or others may prefer. In this note we discuss our choice of parameters and other possible ways of using the Keccak family. With its arbitrary length, the output of Keccak can be truncated at the length requested by the user. In Section 2 we discuss how using a single function has clear advantages and, if needed, simple ways to achieve diversification. The capacity c is the security parameter of Keccak and the use of a single instance with fixed capacity