Results 11 to 20 of 53
Slide Attacks on a Class of Hash Functions
Advances in Cryptology—ASIACRYPT ’08 Proceedings, 2008
Cited by 7 (2 self)
Abstract. This paper studies the application of slide attacks to hash functions. Slide attacks have mostly been used for block cipher cryptanalysis. But, as shown in the current paper, they also form a potential threat for hash functions, namely for sponge-function-like structures. As it turns out, certain constructions for hash-function-based MACs can be vulnerable to forgery and even to key recovery attacks. In other cases, we can at least distinguish a given hash function from a random oracle. To illustrate our results, we describe attacks against the Grindahl-256 and Grindahl-512 hash functions. To the best of our knowledge, this is the first cryptanalytic result on Grindahl-512. Furthermore, we point out a slide-based distinguisher attack on a slightly modified version of RadioGatún. We finally discuss simple countermeasures as a defense against slide attacks. Key words: slide attacks, hash function, Grindahl, RadioGatún, MAC, sponge function.
Domain Extension for MACs Beyond the Birthday Barrier. Eurocrypt 2011. Full version of this paper available at http://people.csail.mit.edu/dodis/ps/optimalmac.pdf
Cited by 6 (0 self)
Given an n-bit to n-bit MAC (e.g., a fixed-key blockcipher) with MAC security ε against q queries, we design a variable-length MAC achieving MAC security O(εq·poly(n)) against queries of total length qn. In particular, our construction is the first to break the “birthday barrier” for MAC domain extension from non-compressing primitives, since our security bound is meaningful even for q = 2^n/poly(n) (assuming ε is the best possible O(1/2^n)). In contrast, the previous best construction for MAC domain extension for n-bit to n-bit primitives, due to Dodis and Steinberger [13], achieved MAC security of O(εq^2 (log q)^2), which means that q cannot cross the “birthday bound” of 2^(n/2).
A Synthetic Indifferentiability Analysis of Some Block-Cipher-Based Hash Functions
2007
Cited by 5 (2 self)
At ASIACRYPT’06, Chang et al. analyzed the indifferentiability of some popular hash functions based on block ciphers, namely, the twenty collision-resistant PGV, the MDC-2 and the PBGV hash functions, etc. In particular, two indifferentiable attacks were presented on four of the twenty collision-resistant PGV and the PBGV hash functions with the prefix-free padding. In this article, a synthetic indifferentiability analysis of some block-cipher-based hash functions is considered. First, a more precise definition is proposed on the indifferentiability adversary in block-cipher-based hash functions. Next, the advantage of indifferentiability is extended by considering whether the hash function is keyed or not. Finally, a limitation is observed in Chang et al.’s indifferentiable attacks on the four PGV and the PBGV hash functions. The formal proofs show the fact that those hash functions are indifferentiable from a random oracle in the ideal cipher model with the prefix-free padding, the NMAC/HMAC and the chop construction.
Blockcipher-Based Hashing Revisited
Fast Software Encryption – FSE ’09, 2009
Cited by 4 (1 self)
Abstract. We revisit the rate-1 blockcipher-based hash functions as first studied by Preneel, Govaerts and Vandewalle (Crypto’93) and later extensively analysed by Black, Rogaway and Shrimpton (Crypto’02). We analyse a further generalization where any pre- and postprocessing is considered. This leads to a clearer understanding of the current classification of rate-1 blockcipher-based schemes as introduced by Preneel et al. and refined by Black et al. In addition, we also gain insight in chopped, overloaded and supercharged compression functions. In the latter category we propose two compression functions based on a single call to a blockcipher whose collision resistance exceeds the birthday bound on the cipher’s blocklength.
Cryptanalysis of MDC-2
In A. Joux (Ed.): EUROCRYPT 2009, LNCS 5479, 2009
Cited by 4 (0 self)
Abstract. We provide a collision attack and preimage attacks on the MDC-2 construction, which is a method (dating back to 1988) of turning an n-bit block cipher into a 2n-bit hash function. The collision attack is the first below the birthday bound to be described for MDC-2 and, with n = 128, it has complexity 2^124.5, which is to be compared to the birthday attack having complexity 2^128. The preimage attacks constitute new time/memory tradeoffs; the most efficient attack requires time and space about 2^n, which is to be compared to the previous best known preimage attack of Lai and Massey (Eurocrypt ’92), having time complexity 2^(3n/2) and space complexity 2^(n/2), and to a brute force preimage attack having complexity 2^(2n).
Multi-property-preserving Domain Extension Using Polynomial-based Modes of Operation
Advances in Cryptology – EUROCRYPT’10, LNCS
Cited by 4 (1 self)
Abstract. In this paper, we propose a new double-piped mode of operation for multi-property-preserving domain extension of MACs (message authentication codes), PRFs (pseudorandom functions) and PROs (pseudorandom oracles). Our mode of operation performs twice as fast as the original double-piped mode of operation of Lucks [15] while providing comparable security. Our construction, which uses a class of polynomial-based compression functions proposed by Stam [22, 23], makes a single call to a 3n-bit to n-bit primitive at each iteration and uses a finalization function f2 at the last iteration, producing an n-bit hash function H[f1, f2] satisfying the following properties.
1. H[f1, f2] is unforgeable up to O(2^n/n) query complexity as long as f1 and f2 are unforgeable.
2. H[f1, f2] is pseudorandom up to O(2^n/n) query complexity as long as f1 is unforgeable and f2 is pseudorandom.
3. H[f1, f2] is indifferentiable from a random oracle up to O(2^(2n/3)) query complexity as long as f1 and f2 are public random functions.
To our knowledge, our result constitutes the first time O(2^n/n) unforgeability has been achieved using only an unforgeable primitive of n-bit output length. (Yasuda showed unforgeability of O(2^(5n/6)) for Lucks’ construction assuming an unforgeable primitive, but the analysis is suboptimal; in the appendix, we show how Yasuda’s bound can be improved to O(2^n).) In related work, we strengthen Stam’s collision resistance analysis of polynomial-based compression functions (showing that unforgeability of the primitive suffices) and discuss how to implement our mode by replacing f1 with a 2n-bit key blockcipher in Davies-Meyer mode or by replacing f1 with the cascade of two 2n-bit to n-bit compression functions.
Practical Hash Functions Constructions Resistant to Generic Second Preimage Attacks Beyond the Birthday Bound
Cited by 3 (0 self)
Most cryptographic hash functions rely on a simpler primitive called a compression function, and in nearly all cases, there is a reduction between some of the security properties of the full hash function and those of the compression function. For instance, a celebrated result of Merkle and Damgård from 1989 states that a collision on the hash function cannot be found without finding a collision on the compression function at the same time. This is however not the case for another basic requirement, namely second preimage resistance. In fact, on many popular hash functions it is possible to find a second preimage on the iteration without breaking the compression function. This paper studies the resistance of two practical modes of operation of hash functions against such attacks. We prove that the known generic second preimage attacks against the Merkle-Damgård construction are optimal, and that there is no generic second preimage attack faster than exhaustive search on HAIFA, a recent proposal by Biham and Dunkelman. Keywords: hash functions, modes of operation, second preimage attacks, provable security
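The generic second preimage attack on the Merkle-Damgård construction that the abstract above refers to, run on a toy instance as an added example (this is not code from the paper): the Kelsey-Schneier long-message attack, which builds an expandable message from a chain of birthday collisions and then searches for a single linking block into one of the target message's intermediate chaining values. Everything concrete here is constructed for illustration: the 24-bit chaining value, the 4-byte blocks, the compression function (SHA-256 truncated to 24 bits) and the 256-block target message. The compression function is only ever called as a black box, which is exactly the abstract's point that the iteration, not the primitive, is what breaks.

```python
import hashlib

# Toy Merkle-Damgard hash. Parameters are small so the attack runs in seconds;
# with a real n-bit chaining value the same attack costs about 2^(n-k)
# compression calls against a 2^k-block target, versus 2^n for brute force.
N_BYTES = 3                      # 24-bit chaining value (n = 24), constructed
BLOCK = 4                        # 4-byte message blocks, constructed
IV = b"\x00" * N_BYTES
ZERO_BLOCK = b"\x00" * BLOCK
CALLS = [0]                      # counts compression-function evaluations


def compress(h: bytes, m: bytes) -> bytes:
    """Compression function: SHA-256 truncated to n bits. Used as a black box."""
    CALLS[0] += 1
    return hashlib.sha256(h + m).digest()[:N_BYTES]


def md_hash(msg: bytes) -> bytes:
    """Merkle-Damgard iteration with length strengthening: the message length is
    processed as a final block, so a second preimage must have the same length."""
    assert len(msg) % BLOCK == 0
    h = IV
    for i in range(0, len(msg), BLOCK):
        h = compress(h, msg[i:i + BLOCK])
    return compress(h, len(msg).to_bytes(BLOCK, "big"))


def find_cross_collision(s1: bytes, s2: bytes):
    """Birthday search for blocks x, y with compress(s1, x) == compress(s2, y).
    Expected cost is about 2^(n/2) compression calls; returns (x, y, value)."""
    seen1, seen2 = {}, {}
    i = 0
    while True:
        blk = i.to_bytes(BLOCK, "big")
        a = compress(s1, blk)
        if a in seen2:
            return blk, seen2[a], a
        seen1[a] = blk
        b = compress(s2, blk)
        if b in seen1:
            return seen1[b], blk, b
        seen2[b] = blk
        i += 1


def build_expandable(s: bytes, k: int):
    """Kelsey-Schneier expandable message: k pieces, piece i being either one block
    or 2^i + 1 blocks, with both choices mapping the same input state to the same
    output state. Any length from k to k + 2^k - 1 blocks is reachable."""
    pieces = []
    for i in range(k):
        s_long = s
        for _ in range(2 ** i):          # 2^i filler blocks, then a colliding block
            s_long = compress(s_long, ZERO_BLOCK)
        x, y, s = find_cross_collision(s, s_long)
        pieces.append((x, ZERO_BLOCK * (2 ** i) + y))
    return pieces, s


def expand(pieces, length: int) -> bytes:
    """Choose short/long pieces so the expandable message has exactly `length` blocks."""
    k = len(pieces)
    t = length - k
    assert 0 <= t < 2 ** k
    return b"".join(long if (t >> i) & 1 else short
                    for i, (short, long) in enumerate(pieces))


def second_preimage(msg: bytes):
    """Return (msg2, calls): a different message of the same length with
    md_hash(msg2) == md_hash(msg), plus the number of compression calls spent."""
    CALLS[0] = 0
    target = [msg[i:i + BLOCK] for i in range(0, len(msg), BLOCK)]
    L = len(target)
    k = L.bit_length() - 1           # expandable message covers lengths k .. k + 2^k - 1
    # Intermediate chaining values h_j (state after j target blocks) a link may hit.
    states = {}
    h = IV
    for j, blk in enumerate(target, start=1):
        h = compress(h, blk)
        if k + 1 <= j <= min(L, k + 2 ** k):
            states.setdefault(h, j)
    pieces, s_k = build_expandable(IV, k)
    # Linking block: expected cost about 2^n / 2^k, far below brute force's 2^n.
    i = 0
    while True:
        link = i.to_bytes(BLOCK, "big")
        j = states.get(compress(s_k, link))
        if j is not None:
            break
        i += 1
    # (j-1) expandable blocks + link + the target's tail gives exactly L blocks.
    msg2 = expand(pieces, j - 1) + link + b"".join(target[j:])
    return msg2, CALLS[0]


def make_target(n_blocks: int) -> bytes:
    """Constructed sample target message of n_blocks pseudorandom-looking blocks."""
    return b"".join(hashlib.sha256(j.to_bytes(2, "big")).digest()[:BLOCK]
                    for j in range(n_blocks))


if __name__ == "__main__":
    target_msg = make_target(256)                     # 2^8 blocks, so k = 8
    msg2, calls = second_preimage(target_msg)
    print("same hash:", md_hash(msg2) == md_hash(target_msg), "different:", msg2 != target_msg)
    print("compression calls: %d (brute force: about 2^%d)" % (calls, 8 * N_BYTES))
```

With n = 24 and a 2^8-block target the run typically spends on the order of 2^17 compression calls (eight collision searches of roughly 2^13 each plus a linking search of roughly 2^16), against 2^24 for exhaustive search; the gap is the 2^k factor the abstract's optimality result is about, and it disappears under HAIFA-style per-block counters because the expandable pieces no longer share a state.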
A new hash family obtained by modifying the SHA-2 family
Proceedings of the 4th International Symposium on Information, Computer, and Communications Security, 2009
Cited by 3 (0 self)
Abstract. In this work, we study several properties of the SHA-2 design which have been utilized in recent collision attacks against reduced-round SHA-2. Small modifications to the SHA-2 design are suggested to thwart these attacks. The modified round function provides the same resistance to linearization attacks as the original SHA-2 round function, but provides better resistance to nonlinear attacks. Our next contribution is to introduce the general idea of “multiple feed-forward” for the construction of cryptographic hash functions. This can provide increased resistance to the Chabaud-Joux type “perturbation-correction” collision attacks. The idea of feed-forward is taken further by introducing the idea of feed-forward across message blocks, leading to resistance against generic multicollision attacks. The net effect of the suggested changes to the SHA-2 design has insignificant impact on the efficiency of computing the digest.
Attacks on AURORA-512 and the double-mix Merkle-Damgård transform. Cryptology ePrint Archive, Report 2009/113
2009
Cited by 3 (1 self)
Abstract. We analyse the Double-Mix Merkle-Damgård construction (DMMD) used in the AURORA family of hash functions. We show that DMMD falls short of providing the expected level of security. Specifically, we are able to find 2nd preimages for AURORA-512 in time 2^291, and collisions in time 2^234.4. A limited-memory variant finds collisions in time 2^249.
Improved Indifferentiability Security Bound for the JH Mode
Dustin Moody
Cited by 3 (0 self)
Indifferentiability security of a hash mode of operation guarantees the mode’s resistance against all (meaningful) generic attacks. It is also useful to establish the security of protocols that use hash functions as random functions. The JH hash function is one of the five finalists in the ongoing NIST SHA-3 hash function competition. Despite several years of analysis, the indifferentiability security of the JH mode (with n-bit digest and 2n-bit permutation) has remained remarkably low, only at n/3 bits (FSE 2010), while the other four finalist modes – with comparable parameter values – offer a security guarantee of n/2 bits. In this paper, we improve the indifferentiability security bound for the JH mode to n/2 bits (e.g. from 171 to 256 bits when n = 512). To put this into perspective, our result guarantees the absence of attacks on both JH-256 and JH-512 hash functions with time less than approximately 2^256 computations of the underlying 1024-bit permutation, under the assumption that the basic permutation is structurally strong. Our bounds are optimal for JH-256, and the best, so far, for JH-512. We obtain this improved bound by establishing an isomorphism of certain query-response graphs through a careful design of the simulators and the bad events. Our experimental data strongly supports the theoretically obtained results.