Results 1-10 of 38

Constructing cryptographic hash functions from fixed-key blockciphers
 Full version of this paper, 2008
Cited by 18 (5 self)
Abstract. We propose a family of compression functions built from fixed-key blockciphers and investigate their collision and preimage security in the ideal-cipher model. The constructions have security approaching and in many cases equaling the security upper bounds found in previous work of the authors [24]. In particular, we describe a 2n-bit to n-bit compression function using three n-bit permutation calls that has collision security N^0.5, where N = 2^n, and we describe 3n-bit to 2n-bit compression functions using five and six permutation calls and having collision security of at least N^0.55 and N^0.63. Key words: blockcipher-based hashing, collision-resistant hashing, compression functions, cryptographic hash functions, ideal-cipher model.
M.: Indifferentiable security analysis of popular hash functions with prefix-free padding
 ASIACRYPT 2006. LNCS, 2006
Cited by 13 (1 self)
Abstract. Understanding what construction strategy has a chance to be a good hash function is extremely important nowadays. In TCC’04, Maurer et al. [13] introduced the notion of indifferentiability as a generalization of the concept of the indistinguishability of two systems. In Crypto’2005, Coron et al. [5] suggested to employ indifferentiability in generic analysis of hash functions and started by suggesting four constructions which enable eliminating all possible generic attacks against iterative hash functions. In this paper we continue this initial suggestion and we give a formal proof of indifferentiability and indifferentiable attack for prefix-free MD hash functions (for single block length (SBL) hash and also some double block length (DBL) constructions) in the random oracle model and in the ideal cipher model. In particular, we observe that there are sixteen PGV hash functions (with prefix-free padding) which are indifferentiable from random oracle model in the ideal cipher model.
A Framework for Iterative Hash Functions: HAIFA
 In Proceedings of Second NIST Cryptographic Hash Workshop, 2006. Available from: www.csrc.nist.gov/pki/HashWorkshop/2006/program_2006.htm
Cited by 13 (0 self)
Abstract. Since the seminal works of Merkle and Damgård on the iteration of compression functions, hash functions were built from compression functions using the Merkle-Damgård construction. Recently, several flaws in this construction were identified, allowing for second preimage attacks and chosen target preimage attacks on such hash functions even when the underlying compression functions are secure. In this paper we propose the HAsh Iterative FrAmework (HAIFA). Our framework can fix many of the flaws while supporting several additional properties such as defining families of hash functions and supporting variable hash size. HAIFA allows for an online computation of the hash function in one pass with a fixed amount of memory independently of the size of the message. Besides our proposal, the recent attacks initiated research on the way compression functions are to be iterated. We show that most recent proposals such as randomized hashing, the enveloped Merkle-Damgård, and the RMC and ROX modes can all be instantiated as part of the HAsh
Security/Efficiency Tradeoffs for Permutation-Based Hashing
Cited by 10 (2 self)
Abstract. We provide attacks and analysis that capture a tradeoff, in the ideal-permutation model, between the speed of a permutation-based hash function and its potential security. We show that any 2n-bit to n-bit compression function will have unacceptable collision resistance if it makes fewer than three n-bit permutation invocations, and any 3n-bit to 2n-bit compression function will have unacceptable security if it makes fewer than five n-bit permutation invocations. Any rate-α hash function built from n-bit permutations can be broken, in the sense of finding preimages as well as collisions, in about N^(1−α) queries, where N = 2^n. Our results provide guidance when trying to design or analyze a permutation-based hash function about the limits of what can possibly be done.
Constructing an Ideal Hash Function from Weak Ideal Compression Functions
 In Selected Areas in Cryptography, Lecture Notes in Computer Science, 2006
Cited by 9 (0 self)
Abstract. We introduce the notion of a weak ideal compression function, which is vulnerable to strong forms of attack, but is otherwise random. We show that such weak ideal compression functions can be used to create secure hash functions, thereby giving a design that can be used to eliminate attacks caused by undesirable properties of compression functions. We prove that the construction we give, which we call the “zipper hash,” is ideal in the sense that the overall hash function is indistinguishable from a random oracle when implemented with these weak ideal building blocks. The zipper hash function is relatively simple, requiring two compression function evaluations per block of input, but it is not streamable. We also show how to create an ideal (strong) compression function from ideal weak compression functions, which can be used in the standard iterated way to make a streamable hash function. Keywords: Hash function, compression function, Merkle-Damgård, ideal primitives, non-streamable hash functions, zipper hash.
A Collision-Resistant Rate-1 Double-Block-Length Hash Function
Cited by 8 (0 self)
(on leave to Bauhaus-University Weimar, Germany) Abstract. This paper proposes a construction for collision resistant 2n-bit hash functions, based on n-bit block ciphers with 2n-bit keys. The construction is analysed in the ideal cipher model; for n = 128 an adversary would need roughly 2^122 units of time to find a collision. The construction employs “combinatorial” hashing as an underlying building block (like Universal Hashing for cryptographic message authentication by Wegman and Carter). The construction runs at rate 1, thus improving on a similar rate 1/2 approach by Hirose (FSE 2006).
Domain extension of public random functions: Beyond the birthday barrier
 In Advances in Cryptology – CRYPTO ’07 (2007), Lecture Notes in Computer Science, 2007
Cited by 7 (1 self)
Combined with the iterated constructions of Coron et al., our result leads to the first iterated construction of a hash function {0,1}^* → {0,1}^n from a component function {0,1}^n → {0,1}^n that withstands all recently proposed generic attacks against iterated hash functions, like Joux's multicollision attack, Kelsey and Schneier's second-preimage attack, and Kelsey and Kohno's herding attacks.
1 Introduction
1.1 Secret vs. Public Random Functions
Primitives that provide some form of randomness are of central importance in cryptography, both as a primitive assumed to be given (e.g. a secret key), and as a primitive constructed from a weaker one to "behave like" a certain ideal random primitive (e.g. a random function), according to some security notion.
Hardware Implementation of the Compression Function for Selected SHA-3 Candidates
Cited by 6 (0 self)
Abstract. Hardware implementation of the main building block (compression function) for five different SHA-3 candidates is presented. The five candidates, namely Blue Midnight Wish, Luffa, Skein, Shabal, and Blake have been considered since they present faster software implementation results compared to the rest of the SHA-3 proposals. The compression functions realized in hardware create the message digest of size 256 bits. We report both ASIC and FPGA implementations. The results allow an easy comparison for hardware performance of the candidates.
A Synthetic Indifferentiability Analysis of Some Block-Cipher-Based Hash Functions
 2007
Cited by 5 (2 self)
At ASIACRYPT’06, Chang et al. analyzed the indifferentiability of some popular hash functions based on block ciphers, namely, the twenty collision resistant PGV, the MDC-2 and the PBGV hash functions, etc. In particular, two indifferentiable attacks were presented on four of the twenty collision resistant PGV and the PBGV hash functions with the prefix-free padding. In this article, a synthetic indifferentiability analysis of some block-cipher-based hash functions is considered. First, a more precise definition is proposed on the indifferentiability adversary in block-cipher-based hash functions. Next, the advantage of indifferentiability is extended by considering whether the hash function is keyed or not. Finally, a limitation is observed in Chang et al.’s indifferentiable attacks on the four PGV and the PBGV hash functions. The formal proofs show the fact that those hash functions are indifferentiable from a random oracle in the ideal cipher model with the prefix-free padding, the NMAC/HMAC and the chop construction.
Slide Attacks on a Class of Hash Functions
 Advances in Cryptology—ASIACRYPT ’08 Proceedings, 2008
Cited by 4 (2 self)
Abstract. This paper studies the application of slide attacks to hash functions. Slide attacks have mostly been used for block cipher cryptanalysis. But, as shown in the current paper, they also form a potential threat for hash functions, namely for sponge-function-like structures. As it turns out, certain constructions for hash-function-based MACs can be vulnerable to forgery and even to key recovery attacks. In other cases, we can at least distinguish a given hash function from a random oracle. To illustrate our results, we describe attacks against the Grindahl-256 and Grindahl-512 hash functions. To the best of our knowledge, this is the first cryptanalytic result on Grindahl-512. Furthermore, we point out a slide-based distinguisher attack on a slightly modified version of RadioGatún. We finally discuss simple countermeasures as a defense against slide attacks. Key words: slide attacks, hash function, Grindahl, RadioGatún, MAC, sponge function.