Results 1  10
of
20
Cryptographic HashFunction Basics: Definitions, Implications, and Separations for Preimage Resistance, SecondPreimage Resistance, and Collision Resistance
, 2004
"... We consider basic notions of security for cryptographic hash functions: collision resistance, preimage resistance, and secondpreimage resistance. We give seven di#erent definitions that correspond to these three underlying ideas, and then we work out all of the implications and separations among ..."
Abstract

Cited by 75 (3 self)
 Add to MetaCart
We consider basic notions of security for cryptographic hash functions: collision resistance, preimage resistance, and secondpreimage resistance. We give seven di#erent definitions that correspond to these three underlying ideas, and then we work out all of the implications and separations among these seven definitions within the concretesecurity, provablesecurity framework.
Formalizing human ignorance: Collisionresistant hashing without the keys
 In Proc. Vietcrypt ’06
, 2006
"... Abstract. There is a foundational problem involving collisionresistant hashfunctions: common constructions are keyless, but formal definitions are keyed. The discrepancy stems from the fact that a function H: {0, 1} ∗ → {0, 1} n always admits an efficient collisionfinding algorithm, it’s just t ..."
Abstract

Cited by 22 (0 self)
 Add to MetaCart
Abstract. There is a foundational problem involving collisionresistant hashfunctions: common constructions are keyless, but formal definitions are keyed. The discrepancy stems from the fact that a function H: {0, 1} ∗ → {0, 1} n always admits an efficient collisionfinding algorithm, it’s just that us human beings might be unable to write the program down. We explain a simple way to sidestep this difficulty that avoids having to key our hash functions. The idea is to state theorems in a way that prescribes an explicitlygiven reduction, normally a blackbox one. We illustrate this approach using wellknown examples involving digital signatures, pseudorandom functions, and the MerkleDamg˚ard construction. Key words. Collisionfree hash function, Collisionintractable hash function, Collisionresistant hash function, Cryptographic hash function, Provable security. 1
Generic Groups, Collision Resistance, and ECDSA
 Designs, Codes and Cryptography
, 2002
"... Proved here is the sufficiency of certain conditions to ensure the Elliptic Curve Digital Signature Algorithm (ECDSA) existentially unforgeable by adaptive chosenmessage attacks. The sufficient conditions include (i) a uniformity property and collisionresistance for the underlying hash function, ( ..."
Abstract

Cited by 13 (1 self)
 Add to MetaCart
Proved here is the sufficiency of certain conditions to ensure the Elliptic Curve Digital Signature Algorithm (ECDSA) existentially unforgeable by adaptive chosenmessage attacks. The sufficient conditions include (i) a uniformity property and collisionresistance for the underlying hash function, (ii) pseudorandomness in the private key space for the ephemeral private key generator, (iii) generic treatment of the underlying group, and (iv) a further condition on how the ephemeral public keys are mapped into the private key space. For completeness, a brief survey of necessary security conditions is also given. Some of the necessary conditions are weaker than the corresponding sufficient conditions used in the security proofs here, but others are identical.
A Parallelizable Design Principle for Cryptography Hash Functions
 INDOCRYPT 2001, LNCS 2247
, 2001
"... We describe a parallel design principle for hash functions. Given a secure hash function with n 2m, and a binary tree of 2 processors we show how to construct which can hash messages of lengths less than 2 and a secure hash function h which can hash messages of arbitrary length. The number of parall ..."
Abstract

Cited by 10 (0 self)
 Add to MetaCart
We describe a parallel design principle for hash functions. Given a secure hash function with n 2m, and a binary tree of 2 processors we show how to construct which can hash messages of lengths less than 2 and a secure hash function h which can hash messages of arbitrary length. The number of parallel rounds required to hash a message of length L is b t c + t + 2. Further, our algorithm is incrementally parallelizable in the following sense: given a digest produced using a binary tree of 2 processors, we show that the same digest can also be produced using a binary tree of 2 (0 t t) processors.
Multicollision Attacks on a Class of Hash Functions
 IACR PREPRINT ARCHIVE
, 2005
"... In a recent paper, A. Joux [7] showed multicollision attacks on the classical iterated hash function. (A multicollision is a set of inputs whose hash values are same.) He also showed how the multicollision attacks can be used to get a collision attack on the concatenated hash function. In this paper ..."
Abstract

Cited by 6 (0 self)
 Add to MetaCart
In a recent paper, A. Joux [7] showed multicollision attacks on the classical iterated hash function. (A multicollision is a set of inputs whose hash values are same.) He also showed how the multicollision attacks can be used to get a collision attack on the concatenated hash function. In this paper, we first try to fix the attack by introducing a natural and wide class hash functions. However, we show that the multicollision attacks also exist in this general class. Thus, we rule out a natural and a wide class of hash functions as candidates for multicollision secure hash functions.
A critical look at cryptographic hash function literature
 ECRYPT Hash Workshop
, 2007
"... Abstract. The cryptographic hash function literature has numerous hash function definitions and hash function requirements, and many of them disagree. This survey talks about the various definitions, and takes steps towards cleaning up the literature by explaining how the field has evolved and accur ..."
Abstract

Cited by 3 (1 self)
 Add to MetaCart
Abstract. The cryptographic hash function literature has numerous hash function definitions and hash function requirements, and many of them disagree. This survey talks about the various definitions, and takes steps towards cleaning up the literature by explaining how the field has evolved and accurately depicting the research aims people have today. 1
A Simple and Generic Construction of Authenticated Encryption With Associated Data
"... Abstract. We revisit the problem of constructing a protocol for performing authenticated encryption with associated data (AEAD). A technique is described which combines a collision resistant hash function with a protocol for authenticated encryption (AE). The technique is both simple and generic and ..."
Abstract

Cited by 3 (2 self)
 Add to MetaCart
Abstract. We revisit the problem of constructing a protocol for performing authenticated encryption with associated data (AEAD). A technique is described which combines a collision resistant hash function with a protocol for authenticated encryption (AE). The technique is both simple and generic and does not require any additional key material beyond that of the AE protocol. Concrete instantiations are shown where a 256bit hash function is combined with some known singlepass AE protocols employing either 128bit or 256bit block ciphers. This results in possible efficiency improvement in the processing of the header.
Construction of UOWHF: Tree Hashing Revisited
, 2002
"... We present a binary tree based parallel algorithm for extending the domain of a UOWHF. The key length expansion is 2m bits for t = 2; m(t+1) bits for 3 t 6 and m(t+blog 2 (t 1)c) bits for t 7, where m is the length of the message digest and t 2 is the height of the binary tree. The previously be ..."
Abstract

Cited by 2 (1 self)
 Add to MetaCart
We present a binary tree based parallel algorithm for extending the domain of a UOWHF. The key length expansion is 2m bits for t = 2; m(t+1) bits for 3 t 6 and m(t+blog 2 (t 1)c) bits for t 7, where m is the length of the message digest and t 2 is the height of the binary tree. The previously best known binary tree algorithm required a key length expansion of m 2(t 1) bits. We also obtain the lower bound that any binary tree based algorithm must make a key length expansion of 2m bits if t = 2 and a key length expansion of m (t + 1) bits for t 3. Hence for 2 t 6 our algorithm makes optimal key length expansion and for practical sized processor trees the key length expansion is close to the lower bound.
Domain Extender for Collision Resistant Hash Functions Using a Directed Acyclic Graph
, 2003
"... We study the problem of securely extending the domain of a collision resistant compression function. Our rst contribution is to show that given an arbitrary directed acyclic graph and a collision resistant compression function, it is possible to construct a collision resistant hash function. Nex ..."
Abstract

Cited by 2 (0 self)
 Add to MetaCart
We study the problem of securely extending the domain of a collision resistant compression function. Our rst contribution is to show that given an arbitrary directed acyclic graph and a collision resistant compression function, it is possible to construct a collision resistant hash function. Next we introduce a new technique for constructing a hash function which can handle arbitrary length strings. The amount of padding and the number of invocations of the compression function required by our algorithm is asymptotically smaller compared to the MerkleDamgard algorithm. Our third contribution is to provide some concrete examples and hence derive the foundation for the design of a secure parallel hash algorithm.
Foundations of security for hash chains in ad hoc networks
, 2004
"... Nodes in ad hoc networks generally transmit data at regular intervals over long periods of time. Recently, ad hoc network nodes have been built that run on little power and have very limited memory. In ad hoc networks authentication can be a significant challenge, even without consideringsize and po ..."
Abstract

Cited by 1 (0 self)
 Add to MetaCart
Nodes in ad hoc networks generally transmit data at regular intervals over long periods of time. Recently, ad hoc network nodes have been built that run on little power and have very limited memory. In ad hoc networks authentication can be a significant challenge, even without consideringsize and power constraints. Assuming idealized hashing, this paper examines lower bounds for ad hoc broadcast authentication for µTESLAlike protocols. In particular, this paper focuses on idealized hashing for generating preimages of hash chains. In particular, using variations on these idealized hash functions, this paper gives an idealized timespace product \Omega (t2 log4 n) bit operation lowerbound for optimal preimage hash chain generation. Where n is the total length of the hash chain and the hash elements are twise independent. Given our foundations, these results follow as corollaries to a lower bound of Coppersmith and Jakobsson.