Results 1  10
of
47
Towards realizing random oracles: Hash functions that hide all partial information
, 1997
"... The random oracle model is a very convenient setting for designing cryptographic protocols. In this idealized model all parties have access to a common, public random function, called a random oracle. Protocols in this model are often very simple and efficient; also the analysis is often clearer. ..."
Abstract

Cited by 106 (9 self)
 Add to MetaCart
The random oracle model is a very convenient setting for designing cryptographic protocols. In this idealized model all parties have access to a common, public random function, called a random oracle. Protocols in this model are often very simple and efficient; also the analysis is often clearer. However, we do not have a general mechanism for transforming protocols that are secure in the random oracle model into protocols that are secure in real life. In fact, we do not even know how to meaningfully specify the properties required from such a mechanism. Instead, it is a common practice to simply replace  often without mathematical justification  the random oracle with a `cryptographic hash function' (e.g., MD5 or SHA). Consequently, the resulting protocols have no meaningful proofs of security. We propose a research program aimed at rectifying this situation by means of identifying, and subsequently realizing, the useful properties of random oracles. As a first step, we introduce a new primitive that realizes a specific aspect of random oracles. This primitive, called oracle hashing, is a hash function that, like random oracles, `hides all partial information on its input'. A salient property of oracle hashing is that it is probabilistic: different applications to the same input result in different hash values. Still, we maintain the ability to verify whether a given hash value was generated from a given input. We describe constructions of oracle hashing, as well as applications where oracle hashing successfully replaces random oracles.
RIPEMD160: A Strengthened Version of RIPEMD
, 1996
"... Abstract. Cryptographic hash functions are an important tool in cryptography for applications such as digital fingerprinting of messages, message authentication, and key derivation. During the last five years, several fast software hash functions have been proposed; most of them are based on the des ..."
Abstract

Cited by 103 (12 self)
 Add to MetaCart
Abstract. Cryptographic hash functions are an important tool in cryptography for applications such as digital fingerprinting of messages, message authentication, and key derivation. During the last five years, several fast software hash functions have been proposed; most of them are based on the design principles of Ron Rivest’s MD4. One such proposal was RIPEMD, which was developed in the framework of the EU project RIPE (Race Integrity Primitives Evaluation). Because of recent progress in the cryptanalysis of these hash functions, we propose a new version of RIPEMD with a 160bit result, as well as a plugin substitute for RIPEMD with a 128bit result. We also compare the software performance of several MD4based algorithms, which is of independent interest. 1
New proofs for NMAC and HMAC: Security without collisionresistance
, 2006
"... HMAC was proved in [3] to be a PRF assuming that (1) the underlying compression function is a PRF, and (2) the iterated hash function is weakly collisionresistant. However, recent attacks show that assumption (2) is false for MD5 and SHA1, removing the proofbased support for HMAC in these cases. ..."
Abstract

Cited by 82 (8 self)
 Add to MetaCart
HMAC was proved in [3] to be a PRF assuming that (1) the underlying compression function is a PRF, and (2) the iterated hash function is weakly collisionresistant. However, recent attacks show that assumption (2) is false for MD5 and SHA1, removing the proofbased support for HMAC in these cases. This paper proves that HMAC is a PRF under the sole assumption that the compression function is a PRF. This recovers a proof based guarantee since no known attacks compromise the pseudorandomness of the compression function, and it also helps explain the resistancetoattack that HMAC has shown even when implemented with hash functions whose (weak) collision resistance is compromised. We also show that an even weakerthanPRF condition on the compression function, namely that it is a privacypreserving MAC, suffices to establish HMAC is a secure MAC as long as the hash function meets the very weak requirement of being computationally almost universal, where again the value lies in the fact that known
MDxMAC and Building Fast MACs from Hash Functions
 In Crypto 95
, 1995
"... . We consider the security of message authentication code (MAC) algorithms, and the construction of MACs from fast hash functions. A new forgery attack applicable to all iterated MAC algorithms is described, the first known such attack requiring fewer operations than exhaustive key search. Existing ..."
Abstract

Cited by 78 (6 self)
 Add to MetaCart
. We consider the security of message authentication code (MAC) algorithms, and the construction of MACs from fast hash functions. A new forgery attack applicable to all iterated MAC algorithms is described, the first known such attack requiring fewer operations than exhaustive key search. Existing methods for constructing MACs from hash functions, including the secret prefix, secret suffix, and envelope methods, are shown to be unsatisfactory. Motivated by the absence of a secure, fast MAC algorithm not based on encryption, a new generic construction (MDxMAC) is proposed for transforming any secure hash function of the MD4family into a secure MAC of equal or smaller bitlength and comparable speed. 1 Introduction Hash functions play a fundamental role in modern cryptography. One main application is their use in conjunction with digital signature schemes; another is in conventional techniques for message authentication. In the latter, it is preferable that a hash function take as a d...
PublicKey Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1", RFC 3447
, 2003
"... This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited. IESG Note The IESG thanks RSA Laboratories for transferring change control to the IETF. Enhancements to this specification that preserve backward c ..."
Abstract

Cited by 57 (0 self)
 Add to MetaCart
This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited. IESG Note The IESG thanks RSA Laboratories for transferring change control to the IETF. Enhancements to this specification that preserve backward compatibility are expected in an upcoming IETF standards track document. This document represents a republication of PKCS #8 v1.2 from RSA Laboratories ’ Public Key Cryptography Standard (PKCS) series. Change control is transferred to the IETF. The body of this document, except for the security considerations section, is taken directly from the PKCS #8 v1.2 specification. This document describes a syntax for privatekey information.
HAVAL  A OneWay Hashing Algorithm with Variable Length of Output
, 1993
"... A oneway hashing algorithm is a deterministic algorithm that compresses an arbitrary long message into a value of specified length. The output value represents the fingerprint or digest of the message. A cryptographically useful property of a oneway hashing algorithm is that it is infeasible to fi ..."
Abstract

Cited by 51 (17 self)
 Add to MetaCart
A oneway hashing algorithm is a deterministic algorithm that compresses an arbitrary long message into a value of specified length. The output value represents the fingerprint or digest of the message. A cryptographically useful property of a oneway hashing algorithm is that it is infeasible to find two distinct messages that have the same fingerprint. This paper proposes a oneway hashing algorithm called HAVAL. HAVAL compresses a message of arbitrary length into a fingerprint of 128, 160, 192, 224 or 256 bits. In addition, HAVAL has a parameter that controls the number of passes a message block (of 1024 bits) is processed. A message block can be processed in 3, 4 or 5 passes. By combining output length with pass, we can provide fifteen (15) choices for practical applications where different levels of security are required. The algorithm is very efficient and particularly suited for 32bit computers which predominate the current workstation market. Experiments show that HAVAL is 60%...
A composition theorem for universal oneway hash functions
 In Eurocrypt ’00
, 2000
"... Abstract. In this paper we present a new scheme for constructing universal oneway hash functions that hash arbitrarily long messages out of universal oneway hash functions that hash fixedlength messages. The new construction is extremely simple and is also very efficient, yielding shorter keys th ..."
Abstract

Cited by 45 (5 self)
 Add to MetaCart
Abstract. In this paper we present a new scheme for constructing universal oneway hash functions that hash arbitrarily long messages out of universal oneway hash functions that hash fixedlength messages. The new construction is extremely simple and is also very efficient, yielding shorter keys than previously proposed composition constructions. 1
Forgery and Partial KeyRecovery Attacks on HMAC and NMAC Using Hash Collisions", Cryptology ePrint Report 2006/319
, 2006
"... Abstract. In this paper, we analyze the security of HMAC and NMAC, both of which are hashbased message authentication codes. We present distinguishing, forgery, and partial key recovery attacks on HMAC and NMAC using collisions of MD4, MD5, SHA0, and reduced SHA1. Our results demonstrate that the ..."
Abstract

Cited by 22 (0 self)
 Add to MetaCart
Abstract. In this paper, we analyze the security of HMAC and NMAC, both of which are hashbased message authentication codes. We present distinguishing, forgery, and partial key recovery attacks on HMAC and NMAC using collisions of MD4, MD5, SHA0, and reduced SHA1. Our results demonstrate that the strength of a cryptographic scheme can be greatly weakened by the insecurity of the underlying hash function. 1
Short chosenprefix collisions for MD5 and the creation of a rogue CA certificate
 CRYPTO 2009, SPRINGERVERLAG 2009, LNCS XXXX, YY–ZZ
, 2009
"... We present a refined chosenprefix collision construction for MD5 that allowed creation of a rogue Certification Authority (CA) certificate, based on a collision with a regular enduser website certificate provided by a commercial CA. Compared to the previous construction from Eurocrypt 2007, this ..."
Abstract

Cited by 22 (7 self)
 Add to MetaCart
We present a refined chosenprefix collision construction for MD5 that allowed creation of a rogue Certification Authority (CA) certificate, based on a collision with a regular enduser website certificate provided by a commercial CA. Compared to the previous construction from Eurocrypt 2007, this paper describes a more flexible family of differential paths and a new variable birthdaying search space. Combined with a timememory tradeoff, these improvements lead to just three pairs of nearcollision blocks to generate the collision, enabling construction of RSA moduli that are sufficiently short to be accepted by current CAs. The entire construction is fast enough to allow for adequate prediction of certificate serial number and validity period: it can be made to require about 2 49 MD5 compression function calls. Finally, we improve the complexity of identicalprefix collisions for MD5 to about 2 16 MD5 compression function calls and use it to derive a practical singleblock chosenprefix collision construction of which an example is given.
A New Class of Collision Attacks and its Application to DES
, 2003
"... Until now in cryptography the term collision was mainly associated with the surjective mapping of different inputs to an equal output of a hash function. Previous collision attacks were only able to detect collisions at the output of a particular function. In this publication we introduce a new clas ..."
Abstract

Cited by 18 (3 self)
 Add to MetaCart
Until now in cryptography the term collision was mainly associated with the surjective mapping of different inputs to an equal output of a hash function. Previous collision attacks were only able to detect collisions at the output of a particular function. In this publication we introduce a new class of attacks which uses side channel analysis to detect internal collisions. We applied our attack against the widely used Data Encryption Standard (DES). We show that internal collisions can be caused in the SBoxes of DES in order to gain information about the secret keybits. As result, we were able to exploit an internal collision with a minimum of 140 encryptions yielding 10.2 keybits. Moreover, we successfully applied the attack to a smart card processor.