A Generalized Birthday Problem
In CRYPTO, 2002
Cited by 93 (0 self)
We study a k-dimensional generalization of the birthday problem: given k lists of n-bit values, find some way to choose one element from each list so that the resulting k values xor to zero. For k = 2, this is just the extremely well-known birthday problem, which has a square-root time algorithm with many applications in cryptography.
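The k-list xor problem described in the abstract, solved with the k-tree (hash-join) algorithm for k a power of two, as an added example; this is not code from the paper, the names `k_tree`, `join`, `plant_solution` and `make_instance` are this example's own, and the lists are constructed from a seeded PRNG with one solution planted so that a run is reproducible. For k = 2 it degenerates into the square-root birthday attack the abstract mentions; for k = 4 it needs lists of only about 2^(n/3) elements instead of 2^(n/2). The hash-join in `join` is the same list-merging primitive that the rebound-attack and knapsack entries further down this page build on.

```python
"""Wagner-style k-tree algorithm for the k-list xor (generalized birthday) problem.

Added illustration, not code from the paper.  All identifiers are this example's
own and the input lists are constructed from a seeded PRNG with a planted solution.
"""
import random
from typing import List, Sequence, Tuple

Entry = Tuple[int, Tuple[int, ...]]   # (xor of the leaves so far, the leaves themselves)


def join(left: Sequence[Entry], right: Sequence[Entry], lo: int, hi: int) -> List[Entry]:
    """Pair up entries whose xor is zero on bit positions [lo, hi).

    Both inputs are already zero below bit `lo`, so every output is zero below `hi`.
    A hash table keyed on the masked bits makes the merge linear in the input size
    instead of quadratic; that hash join is the birthday trick itself.
    """
    mask = ((1 << hi) - 1) & ~((1 << lo) - 1)
    table = {}
    for v, leaves in right:
        table.setdefault(v & mask, []).append((v, leaves))
    out: List[Entry] = []
    for v, leaves in left:
        for w, wleaves in table.get(v & mask, ()):
            out.append((v ^ w, leaves + wleaves))
    return out


def k_tree(lists: Sequence[Sequence[int]], n: int) -> List[Tuple[int, ...]]:
    """Return k-tuples (one value per list, in list order) that xor to zero.

    k must be a power of two, k = 2**t.  With lists of about 2**(n/(t+1)) values the
    expected work is O(k * 2**(n/(t+1))): the classic square-root attack for k = 2,
    a cube-root attack for k = 4.  Only tuples whose partial xors vanish on the
    bits fixed at each level are found, which is why larger k needs longer lists.
    """
    k = len(lists)
    t = k.bit_length() - 1
    if k < 2 or (1 << t) != k:
        raise ValueError("k must be a power of two, at least 2")
    step = n // (t + 1)                       # bits cleared per tree level
    level: List[List[Entry]] = [[(v, (v,)) for v in lst] for lst in lists]
    lo = 0
    for j in range(t):
        hi = n if j == t - 1 else lo + step   # the last level must clear every bit
        level = [join(level[i], level[i + 1], lo, hi) for i in range(0, len(level), 2)]
        lo = hi
    return [leaves for _, leaves in level[0]]


def plant_solution(k: int, n: int, rng: random.Random) -> List[int]:
    """k values that xor to zero AND respect the per-level constraints of k_tree."""
    t = k.bit_length() - 1
    step = n // (t + 1)

    def build(depth: int) -> Tuple[List[int], int]:
        if depth == 0:
            v = rng.getrandbits(n)
            return [v], v
        left, lx = build(depth - 1)
        right, rx = build(depth - 1)
        hi = n if depth == t else depth * step
        fix = (lx ^ rx) & ((1 << hi) - 1)     # bits that still differ below `hi`
        right[-1] ^= fix                      # patching one leaf keeps lower levels valid
        return left + right, lx ^ rx ^ fix

    values, total = build(t)
    assert total == 0
    return values


def make_instance(k: int, n: int, size: int, seed: int) -> Tuple[List[List[int]], Tuple[int, ...]]:
    """k constructed lists of `size` random n-bit values, one solution planted."""
    rng = random.Random(seed)
    lists = [[rng.getrandbits(n) for _ in range(size)] for _ in range(k)]
    planted = plant_solution(k, n, rng)
    for lst, v in zip(lists, planted):
        lst[rng.randrange(size)] = v
    return lists, tuple(planted)


if __name__ == "__main__":
    # k = 4, n = 24: lists of 2**8 values suffice, where a two-list birthday
    # attack on the same n would need lists of 2**12.
    lists, planted = make_instance(k=4, n=24, size=256, seed=1)
    sols = k_tree(lists, n=24)
    print(len(sols), "solution(s); planted one found:", planted in sols)
```

Raise k to 8 and the per-level step drops to n/4 bits with lists of 2^(n/4); the trade is that fewer of the existing solutions satisfy the level constraints, so the attack buys its speed by demanding more (cheap) input values rather than by finding more of the solutions.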
Cryptographic Hash Functions: A Survey
1995
Cited by 35 (7 self)
This paper gives a survey on cryptographic hash functions. It gives an overview of all types of hash functions and reviews design principles and possible methods of attack. It also focuses on keyed hash functions and provides the applications, requirements, and constructions of keyed hash functions.
Security Bounds for the Design of Code-Based Cryptosystems
2009
Cited by 33 (5 self)
Code-based cryptography is often viewed as an interesting “Post-Quantum” alternative to the classical number theory cryptography. Unlike many other such alternatives, it has the convenient advantage of having only a few, well identified, attack algorithms. However, improvements to these algorithms have made their effective complexity quite complex to compute. We give here some lower bounds on the work factor of idealized versions of these algorithms, taking into account all possible tweaks which could improve their practical complexity. The aim of this article is to help designers select durably secure parameters.
Security and privacy in radio-frequency identification devices
Master's thesis, Massachusetts Institute of Technology (MIT), 2003
Cited by 28 (1 self)
Radio Frequency Identification (RFID) systems are a common and useful tool in manufacturing, supply chain management and retail inventory control. Optical barcodes, another
SWIFFT: A Modest Proposal for FFT Hashing
Cited by 28 (10 self)
We propose SWIFFT, a collection of compression functions that are highly parallelizable and admit very efficient implementations on modern microprocessors. The main technique underlying our functions is a novel use of the Fast Fourier Transform (FFT) to achieve “diffusion,” together with a linear combination to achieve compression and “confusion.” We provide a detailed security analysis of concrete instantiations, and give a high-performance software implementation that exploits the inherent parallelism of the FFT algorithm. The throughput of our implementation is competitive with that of SHA-256, with additional parallelism yet to be exploited. Our functions are set apart from prior proposals (having comparable efficiency) by a supporting asymptotic security proof: it can be formally proved that finding a collision in a randomly-chosen function from the family (with noticeable probability) is at least as hard as finding short vectors in cyclic/ideal lattices in the worst case.
Lattice reduction by random sampling and birthday methods
In Proc. STACS 2003, Eds. H. Alt and M. Habib, LNCS 2607, 2003
Cited by 16 (2 self)
We present a novel practical algorithm that, given a lattice basis $b_1, \ldots, b_n$, finds in $O(n^2 (k/6)^{k/4})$ average time a shorter vector than $b_1$ provided that $b_1$ is $(k/6)^{n/(2k)}$ times longer than the length of the shortest, nonzero lattice vector. We assume that the given basis $b_1, \ldots, b_n$ has an orthogonal basis that is typical for worst-case lattice bases. The new reduction method samples short lattice vectors in high-dimensional sublattices; it advances in sporadic big jumps. It decreases the approximation factor achievable in a given time by known methods to less than its fourth root. We further speed up the new method by the simple and the general birthday method.
A Framework for the Design of One-Way Hash Functions Including Cryptanalysis of Damgård’s One-Way Function Based on a Cellular Automaton
Advances in Cryptology - ASIACRYPT '91, Lecture Notes in Computer Science, 1993
Cited by 16 (2 self)
At Crypto ’89 Ivan Damgård [1] presented a method that allows one to construct a computationally collision-free hash function that has provably the same level of security as the computationally collision-free function with input of constant length that it is based upon. He also gave three examples of collision-free functions to use in this construction. For two of these examples collisions have been found [2], [3], and the third one is attacked in this paper. Furthermore it is argued that his construction and proof, in spite of their theoretical importance, encourage inefficient designs in the case of practical hash functions. A framework is presented for the direct design of collision-free hash functions. Finally a concrete proposal is presented named Cellhash.
New generic algorithms for hard knapsacks
Lecture Notes in Computer Science, 2010
Cited by 11 (2 self)
In this paper, we study the complexity of solving hard knapsack problems, i.e., knapsacks with a density close to 1 where lattice-based low-density attacks are not an option. For such knapsacks, the current state-of-the-art is a 31-year-old algorithm by Schroeppel and Shamir which is based on birthday paradox techniques and yields a running time of $\tilde{O}(2^{n/2})$ for knapsacks of n elements and uses $\tilde{O}(2^{n/4})$ storage. We propose here two new algorithms which improve on this bound, finally
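The Schroeppel-Shamir time/memory trade-off the abstract cites, written out as an added example (not code from the paper or from Schroeppel and Shamir): the n weights are split into four blocks, the two halves' pair sums are streamed in sorted order from heaps holding only one entry per quarter-block subset, and a two-pointer merge reports every subset hitting the target. The knapsack instance is constructed inline and the function names are this example's own.

```python
"""Schroeppel-Shamir four-list knapsack solver (meet-in-the-middle with heaps).

Added illustration, not code from the paper; identifiers are this example's own.
Time is about 2**(n/2) heap operations, memory about 2**(n/4) entries.
"""
import heapq
import random
from typing import Iterator, List, Sequence, Tuple

SumMask = Tuple[int, int]   # (subset sum, bitmask of the chosen weights)


def subset_sums(weights: Sequence[int], offset: int) -> List[SumMask]:
    """All 2**len(weights) subset sums of one block; mask bits start at `offset`."""
    sums: List[SumMask] = [(0, 0)]
    for i, w in enumerate(weights):
        sums += [(s + w, m | (1 << (offset + i))) for s, m in sums]
    return sums


def ordered_pair_sums(A: List[SumMask], B: List[SumMask], descending: bool) -> Iterator[SumMask]:
    """Yield a+b over all a in A, b in B in sorted order using a heap of |A| entries.

    B is sorted once and each heap entry tracks one a's current position in B, so
    the 2**(n/2) pair sums are streamed from O(2**(n/4)) memory instead of being
    materialised as in a plain meet-in-the-middle table.
    """
    sign = -1 if descending else 1
    B = sorted(B, key=lambda e: sign * e[0])
    heap = [(sign * (a + B[0][0]), ia, 0) for ia, (a, _) in enumerate(A)]
    heapq.heapify(heap)
    while heap:
        key, ia, ib = heapq.heappop(heap)
        yield sign * key, A[ia][1] | B[ib][1]
        if ib + 1 < len(B):
            heapq.heappush(heap, (sign * (A[ia][0] + B[ib + 1][0]), ia, ib + 1))


def group_by_sum(stream: Iterator[SumMask]) -> Iterator[Tuple[int, List[int]]]:
    """Collapse runs of equal sums so that ties are matched exhaustively."""
    cur, masks = 0, []
    for s, m in stream:
        if masks and s != cur:
            yield cur, masks
            masks = []
        cur = s
        masks.append(m)
    if masks:
        yield cur, masks


def schroeppel_shamir(weights: Sequence[int], target: int) -> List[int]:
    """Bitmasks of every subset of `weights` whose sum equals `target`."""
    n = len(weights)
    q = n // 4
    bounds = [(0, q), (q, 2 * q), (2 * q, 3 * q), (3 * q, n)]
    S1, S2, S3, S4 = [subset_sums(weights[lo:hi], lo) for lo, hi in bounds]
    left = group_by_sum(ordered_pair_sums(S1, S2, descending=False))   # increasing
    right = group_by_sum(ordered_pair_sums(S3, S4, descending=True))   # decreasing
    found: List[int] = []
    l, r = next(left, None), next(right, None)
    while l is not None and r is not None:
        total = l[0] + r[0]
        if total == target:
            found.extend(ml | mr for ml in l[1] for mr in r[1])
            l, r = next(left, None), next(right, None)
        elif total < target:
            l = next(left, None)     # left half too small: move it up
        else:
            r = next(right, None)    # right half too large: move it down
    return found


def brute_force(weights: Sequence[int], target: int) -> List[int]:
    """2**n reference, only for checking the solver on small instances."""
    n = len(weights)
    return [m for m in range(1 << n)
            if sum(w for i, w in enumerate(weights) if m >> i & 1) == target]


def random_instance(n: int, bits: int, seed: int) -> Tuple[List[int], int]:
    """Constructed instance of density n/bits: random weights, target from a random subset."""
    rng = random.Random(seed)
    weights = [rng.getrandbits(bits) for _ in range(n)]
    target = sum(w for w in weights if rng.random() < 0.5)
    return weights, target


if __name__ == "__main__":
    weights = [3, 5, 7, 11, 13, 17, 19, 23]          # constructed toy instance
    for mask in schroeppel_shamir(weights, 33):
        print([w for i, w in enumerate(weights) if mask >> i & 1])
```

With `bits` equal to `n` the instance has density about 1, the regime the abstract calls hard; a density well below 1 is where lattice reduction takes over and this generic approach stops being the tool of choice.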
How to Improve Rebound Attacks
In: Advances in Cryptology: CRYPTO 2011. Lecture Notes in Computer Science, 2011
Cited by 7 (4 self)
Rebound attacks are a state-of-the-art analysis method for hash functions. These cryptanalysis methods are based on a well chosen differential path and have been applied to several hash functions from the SHA-3 competition, providing the best known analysis in these cases. In this paper we study rebound attacks in detail and find for a large number of cases that the complexities of existing attacks can be improved. This is done by identifying problems that optimally adapt to the cryptanalytic situation, and by using better algorithms to find solutions for the differential path. Our improvements affect one particular operation that appears in most rebound attacks and which is often the bottleneck of the attacks. This operation, which varies depending on the attack, can be roughly described as merging large lists. As a result, we introduce new general purpose algorithms for enabling further rebound analysis to be as performant as possible. We illustrate our new algorithms on real hash functions. More precisely, we demonstrate how to reduce the complexities of the best known analysis on four SHA-3 candidates: JH, Grøstl, ECHO and Lane and on the best known rebound analysis on the SHA-3 candidate Luffa.