Results 1-10 of 11
RIPEMD-160: A Strengthened Version of RIPEMD
1996

Cited by 106 (12 self)
Abstract. Cryptographic hash functions are an important tool in cryptography for applications such as digital fingerprinting of messages, message authentication, and key derivation. During the last five years, several fast software hash functions have been proposed; most of them are based on the design principles of Ron Rivest's MD4. One such proposal was RIPEMD, which was developed in the framework of the EU project RIPE (Race Integrity Primitives Evaluation). Because of recent progress in the cryptanalysis of these hash functions, we propose a new version of RIPEMD with a 160-bit result, as well as a plug-in substitute for RIPEMD with a 128-bit result. We also compare the software performance of several MD4-based algorithms, which is of independent interest.
Distinguisher and Related-Key Attack on the Full AES-256
Advances in Cryptology – CRYPTO 2009, Proceedings, volume 5677 of Lecture Notes in Computer Science
2009

Cited by 26 (2 self)
Abstract. In this paper we construct a chosen-key distinguisher and a related-key attack on the full 256-bit key AES. We define a notion of differential q-multicollision and show that for AES-256 q-multicollisions can be constructed in time q · 2^67 and with negligible memory, while we prove that the same task for an ideal cipher of the same block size would require at least O(q · 2^{((q−1)/(q+1)) · 128}) time. Using a similar approach and with the same complexity we can also construct q-pseudo-collisions for AES-256 in Davies-Meyer hashing mode, a scheme which is provably secure in the ideal-cipher model. We have also computed partial q-multicollisions in time q · 2^37 on a PC to verify our results. These results show that AES-256 cannot model an ideal cipher in theoretical constructions. Finally we extend our results to find the first publicly known attack on the full 14-round AES-256: a related-key distinguisher which works for one out of every 2^35 keys with 2^120 data and time complexity and negligible memory. This distinguisher is translated into a key-recovery attack with total complexity of 2^131 time and 2^65 memory. Keywords: AES, related-key attack, chosen-key distinguisher, Davies-Meyer, ideal cipher.
On the Security of Tandem-DM

Cited by 6 (2 self)
Abstract. We provide the first proof of security for Tandem-DM, one of the oldest and most well-known constructions for turning a block cipher with n-bit block length and 2n-bit key length into a 2n-bit cryptographic hash function. We prove that when Tandem-DM is instantiated with AES-256, i.e. block length 128 bits and key length 256 bits, any adversary that asks fewer than 2^120.4 queries cannot find a collision with success probability greater than 1/2. We also prove a bound for the preimage resistance of Tandem-DM. Interestingly, as there is only one other practical construction known (FSE '06, Hirose) turning such an (n,2n)-bit block cipher into a 2n-bit compression function that has provably birthday-type collision resistance, Tandem-DM is one of only two structures that possess this desirable feature.
On the Power of Memory in the Design of Collision Resistant Hash Functions
Advances in Cryptology, Proc. Auscrypt '92, LNCS 718
1993

Cited by 5 (1 self)
Abstract. Collision resistant hash functions are an important basic tool for cryptographic applications such as digital signature schemes and integrity protection based on "fingerprinting". This paper proposes a new efficient class of hash functions based on a block cipher that allows for a trade-off between security and speed. The principles behind the scheme can be used to optimize similar proposals.
Cryptanalysis of MDC-2
In A. Joux (Ed.): EUROCRYPT 2009, LNCS 5479
2009

Cited by 3 (0 self)
Abstract. We provide a collision attack and preimage attacks on the MDC-2 construction, which is a method (dating back to 1988) of turning an n-bit block cipher into a 2n-bit hash function. The collision attack is the first below the birthday bound to be described for MDC-2 and, with n = 128, it has complexity 2^124.5, which is to be compared to the birthday attack having complexity 2^128. The preimage attacks constitute new time/memory trade-offs; the most efficient attack requires time and space about 2^n, which is to be compared to the previous best known preimage attack of Lai and Massey (Eurocrypt '92), having time complexity 2^{3n/2} and space complexity 2^{n/2}, and to a brute force preimage attack having complexity 2^{2n}.
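The three constructions named in the AES-256, Tandem-DM and MDC-2 abstracts above (Davies-Meyer, Tandem-DM, MDC-2) are short enough to write out in full. The following is an added example, not code from any of the listed papers: it implements each compression function generically over a block cipher E(key, block) and iterates the double-block-length ones into a 2n-bit hash with plain Merkle-Damgard padding. The block cipher it plugs in is a stand-in constructed for this example (a SHA-256-driven Feistel permutation, so the code runs on the standard library alone); it is not AES and carries no security claim. The papers' parameter n = 128 is kept, so substituting AES-128 for MDC-2 and AES-256 for Tandem-DM reproduces the instantiations they analyse.

```python
"""Block-cipher-based hash constructions: Davies-Meyer, MDC-2 and Tandem-DM.

Generic over a block cipher E(key, block). The cipher used here is a stand-in
built for this example so that it runs without a crypto library: a balanced
Feistel network with a SHA-256 round function. It is NOT AES; swap in a real
block cipher to reproduce the instantiations the papers analyse (n = 128).
"""
import hashlib

N_BYTES = 16            # n = 128-bit block, the parameter used in the abstracts
HALF = N_BYTES // 2


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def toy_cipher(key: bytes, block: bytes, rounds: int = 8) -> bytes:
    """Stand-in block cipher (assumption, not AES): a balanced Feistel network
    whose round function is SHA-256(key || round || right half). It accepts any
    key length, so the same primitive can play the n-bit-key role (MDC-2,
    Davies-Meyer) and the 2n-bit-key role (Tandem-DM). For each key it is a
    permutation of the block; nothing more is claimed for it."""
    assert len(block) == N_BYTES
    left, right = block[:HALF], block[HALF:]
    for i in range(rounds):
        f = hashlib.sha256(key + bytes([i]) + right).digest()[:HALF]
        left, right = right, xor(left, f)
    return left + right


def davies_meyer(h: bytes, m: bytes, E=toy_cipher) -> bytes:
    """Single-block-length Davies-Meyer: h' = E_m(h) XOR h.
    The message block is the key; the chaining value is the plaintext."""
    return xor(E(m, h), h)


def mdc2_compress(g: bytes, h: bytes, m: bytes, E=toy_cipher) -> tuple:
    """MDC-2 compression (n-bit cipher, 2n-bit state): encrypt the same message
    block under each chaining half in Davies-Meyer style, then swap the right
    halves of the two results."""
    a = xor(E(g, m), m)
    b = xor(E(h, m), m)
    return a[:HALF] + b[HALF:], b[:HALF] + a[HALF:]


def tandem_dm_compress(g: bytes, h: bytes, m: bytes, E=toy_cipher) -> tuple:
    """Tandem-DM compression (n-bit block, 2n-bit key):
       W  = E_{H || M}(G)
       G' = G XOR W
       H' = H XOR E_{M || W}(H)"""
    w = E(h + m, g)
    return xor(g, w), xor(h, E(m + w, h))


def md_pad(msg: bytes) -> bytes:
    """Merkle-Damgard strengthening: 0x80, zero fill, 64-bit message length."""
    bitlen = (8 * len(msg)).to_bytes(8, "big")
    pad = b"\x80" + b"\x00" * ((-len(msg) - 9) % N_BYTES)
    return msg + pad + bitlen


def iterate(compress, msg: bytes, iv=(b"\x00" * N_BYTES, b"\xff" * N_BYTES)) -> bytes:
    """Iterate a double-block-length compression function over the padded
    message; returns the 2n-bit digest G || H."""
    g, h = iv
    padded = md_pad(msg)
    for i in range(0, len(padded), N_BYTES):
        g, h = compress(g, h, padded[i:i + N_BYTES])
    return g + h


def mdc2_hash(msg: bytes) -> bytes:
    return iterate(mdc2_compress, msg)


def tandem_dm_hash(msg: bytes) -> bytes:
    return iterate(tandem_dm_compress, msg)


def davies_meyer_hash(msg: bytes, iv: bytes = b"\x00" * N_BYTES) -> bytes:
    """Single-block-length hash: n-bit output, which is why the papers above
    look for 2n-bit constructions when n = 128 is the only block size available."""
    h = iv
    padded = md_pad(msg)
    for i in range(0, len(padded), N_BYTES):
        h = davies_meyer(h, padded[i:i + N_BYTES])
    return h


if __name__ == "__main__":
    sample = b"constructed sample message"   # constructed input for the demo
    print("Davies-Meyer", davies_meyer_hash(sample).hex())
    print("MDC-2       ", mdc2_hash(sample).hex())
    print("Tandem-DM   ", tandem_dm_hash(sample).hex())
```

Note that the outputs of MDC-2 and Tandem-DM are 32 bytes (2n bits) while Davies-Meyer yields 16, and that the attacks in the abstracts (collisions below 2^128 for MDC-2 at 2^124.5, the 2^120.4 proof bound for Tandem-DM) are statements about these structures with an ideal or AES cipher inside, not about the stand-in permutation used here.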
RIPEMD-160: A Strengthened Version of RIPEMD
1996
Cryptographic hash functions are an important tool in cryptography for applications such as digital fingerprinting of messages, message authentication, and key derivation. During the last five years, several fast software hash functions have been proposed; most of them are based on the design principles of Ron Rivest's MD4. One such proposal was RIPEMD, which was developed in the framework of the EU project RIPE (Race Integrity Primitives Evaluation). Because of recent progress in the cryptanalysis of these hash functions, we propose a new version of RIPEMD with a 160-bit result, as well as a plug-in substitute for RIPEMD with a 128-bit result. We also compare the software performance of several MD4-based algorithms, which is of independent interest. 1 Introduction and Background. Hash functions are functions that map bitstrings of arbitrary finite length into strings of fixed length. Given h and an input x, computing h(x) must be easy. A one-way hash function must satisfy the following prop...
Cryptanalysis of Double-Block-Length Hash Mode MJH
MJH, a double-block-length (DBL) hash mode of block ciphers, has been proved collision-resistant in the ideal cipher model up to 2^{2n/3 − log n} queries. In this paper we provide the first cryptanalytic results for MJH. We show that a collision attack on MJH has time complexity below the birthday bound. When block ciphers with 128-bit blocks are used, it has time complexity around 2^124, which is to be compared to the birthday attack having complexity 2^128. We also give a preimage attack on MJH. It has time complexity 2^{3n/2+1} with n-bit block ciphers, which is to be compared to the brute force attack having complexity 2^{2n}.
Towards Understanding the Known-Key Security of Block Ciphers
Abstract. Known-key distinguishers for block ciphers were proposed by Knudsen and Rijmen at ASIACRYPT 2007 and have been a major research topic in cryptanalysis since then. A formalization of known-key attacks in general is known to be difficult. In this paper, we tackle this problem for the case of block ciphers based on ideal components such as random permutations and random functions, and propose new generic known-key attacks on generalized Feistel ciphers. We introduce the notion of known-key indifferentiability to capture the security of such block ciphers under a known key. To show its meaningfulness, we prove that the known-key attacks on block ciphers with ideal primitives to date violate security under known-key indifferentiability. On the other hand, to demonstrate its constructiveness, we prove the balanced Feistel cipher with random functions and the multiple Even-Mansour cipher with random permutations known-key indifferentiable for a sufficient number of rounds. We note that known-key indifferentiability is more quickly and tightly attained by multiple Even-Mansour, which puts it forward as a construction provably secure against known-key attacks.
Africacrypt '12
Abstract. There are four somewhat classical double-length block-cipher-based compression functions known: MDC-2, MDC-4, Abreast-DM, and Tandem-DM. They were all developed more than 20 years ago. In recent years, cryptographic research has put a focus on block-cipher-based hashing and found collision security results for three of them (MDC-2, Abreast-DM, Tandem-DM). In this paper, we add MDC-4, which is part of the IBM CLiC cryptographic module, to that list by showing that, 'instantiated' using an ideal block cipher with 128-bit key/plaintext/ciphertext size, no adversary asking fewer than 2^74.76 queries can find a collision with probability greater than 1/2. This is the first result on the collision security of the hash function MDC-4. The compression function MDC-4 is created by interconnecting two MDC-2 compression functions but hashing only one message block with them instead of two. The developers' aim for MDC-4 was to offer a higher security margin than MDC-2 while still being fast enough for practical purposes. The MDC-2 collision security proof of Steinberger (EUROCRYPT 2007) cannot be directly applied to MDC-4 due to the structural differences. Although sharing many commonalities, our proof for MDC-4 is much shorter and we claim that our presentation is also easier to grasp.
Cryptographic Hash Functions: A Review
Cryptographic hash functions are used to achieve a number of security objectives. In this paper, we bring out the importance of hash functions, their various structures, design techniques, attacks, and recent developments in this field.