Results 11-20 of 76
Hash function balance and its impact on birthday attacks
 Advances in Cryptology – EUROCRYPT ’04, Lecture Notes in Computer Science
, 2004
Cited by 27 (2 self)
Abstract. Textbooks tell us that a birthday attack on a hash function h with range size r requires r^(1/2) trials (hash computations) to find a collision. But this is quite misleading, being true only if h is regular, meaning all points in the range have the same number of preimages under h; if h is not regular, fewer trials may be required. But how much fewer? This paper addresses this question by introducing a measure of the “amount of regularity” of a hash function that we call its balance, and then providing estimates of the success rate of the birthday attack, and the expected number of trials to find a collision, as a function of the balance of the hash function being attacked. In particular, we will see that the number of trials can be significantly less than r^(1/2) for hash functions of low balance. This leads us to examine popular design principles, such as the MD (Merkle-Damgård) transform, from the point of view of balance preservation, and to mount experiments to determine the balance of popular hash functions.
Software performance of universal hash functions
 In Advances in Cryptology — EUROCRYPT ’99
, 1999
Cited by 26 (0 self)
Abstract. This paper compares the parameter sizes and software performance of several recent constructions for universal hash functions: bucket hashing, polynomial hashing, Toeplitz hashing, division hashing, evaluation hashing, and MMH hashing. An objective comparison between these widely varying approaches is achieved by defining constructions that offer a comparable security level. It is also demonstrated how the security of these constructions compares favorably to existing MAC algorithms, the security of which is less understood.
Secure Names for Bit-Strings
 in ACM Conference on Computer and Communications Security
, 1997
Cited by 23 (3 self)
The increasing use of digital documents, and the need to refer to them conveniently and unambiguously, raise an important question: can one "name" a digital document in a way that conveniently enables users to find it, and at the same time enables a user in possession of a document to be sure that it is indeed the one that is referred to by the name? One crucial piece of a complete solution to this problem would be a method that provides a cryptographically verifiable label for any bit-string (for example, the content, in a particular format, of the document). This problem has become even more acute with the emergence of the World-Wide Web, where a document (whose only existence may be online) is now typically named by giving its URL, which is merely a pointer to its virtual location at a particular moment in time. Using a one-way hash function to call files by their hash values is cryptographically verifiable, but the resulting names are unwieldy, because of their length and randomn...
Secure Applications of Low-Entropy Keys
 LECTURE NOTES IN COMPUTER SCIENCE
, 1998
Cited by 22 (2 self)
We introduce the notion of key stretching, a mechanism to convert short s-bit keys into longer keys, such that the complexity required to brute-force search a (s + t)-bit keyspace is the same as the time required to brute-force search a s-bit key stretched by t bits.
Fast Hashing and Stream Encryption with PANAMA
 Fast Software Encryption, LNCS 1372
, 1998
Cited by 18 (3 self)
We present a cryptographic module that can be used both as a cryptographic hash function and as a stream cipher. High performance is achieved through a combination of low work-factor and a high degree of parallelism. Throughputs of 5.1 bits/cycle for the hashing mode and 4.7 bits/cycle for the stream cipher mode are demonstrated on a commercially available VLIW microprocessor.
Second preimages on n-bit hash functions for much less than 2^n work
Cited by 15 (3 self)
We expand a previous result of Dean [Dea99] to provide a second preimage attack on all n-bit iterated hash functions with Damgård-Merkle strengthening and n-bit intermediate states, allowing a second preimage to be found for a 2^k-message-block message with about k × 2^(n/2+1) + 2^(n−k+1) work. Using RIPEMD-160 as an example, our attack can find a second preimage for a 2^60-byte message in about 2^106 work, rather than the previously expected 2^160 work. We also provide slightly cheaper ways to find multicollisions than the method of Joux [Jou04]. Both of these results are based on expandable messages: patterns for producing messages of varying length, which all collide on the intermediate hash result immediately after processing the message. We provide an algorithm for finding expandable messages for any n-bit hash function built using the Damgård-Merkle construction, which requires only a small multiple of the work done to find a single collision in the hash function.
Reflection as a Mechanism for Software Integrity Verification
 ACM TRANSACTIONS ON INFORMATION AND SYSTEM SECURITY
, 2000
Performance Analysis and Parallel Implementation of Dedicated Hash Functions on Pentium III
 IEICE Trans. Fundamentals, Vol. E86-A, No. 1
, 2003
Cited by 14 (1 self)
Abstract. This paper shows an extensive software performance analysis of dedicated hash functions, particularly concentrating on Pentium III, which is a current dominant processor. The targeted hash functions are MD5, RIPEMD-128/-160, SHA-1/-256/-512 and Whirlpool, which fully cover currently used and future promising hashing algorithms. We try to optimize hashing speed not only by carefully arranging pipeline scheduling but also by processing two or even three message blocks in parallel using MMX registers for 32-bit oriented hash functions. Moreover we thoroughly utilize 64-bit MMX instructions for maximizing performance of 64-bit oriented hash functions, SHA-512 and Whirlpool. To our best knowledge, this paper gives the first detailed measured performance analysis
SHA: A Design for Parallel Architectures?
 Advances in Cryptology, Proceedings Eurocrypt’97, LNCS 1233
, 1997
Cited by 12 (3 self)
To enhance system performance computer architectures tend to incorporate an increasing number of parallel execution units. This paper shows that the new generation of MD4-based customized hash functions (RIPEMD-128, RIPEMD-160, SHA-1) contains much more software parallelism than any of these computer architectures is currently able to provide. It is conjectured that the parallelism found in SHA-1 is a design principle. The critical path of SHA-1 is twice as short as that of its closest contender RIPEMD-160, but realizing it would require a 7-way multiple-issue architecture. It will also be shown that, due to the organization of RIPEMD-160 in two independent lines, it will probably be easier for future architectures to exploit its software parallelism.