Results 1 - 4 of 4
Hash Functions Based on Block Ciphers
- Proc. of EUROCRYPT 92, 1993
Abstract - Cited by 33 (5 self)
Iterated hash functions based on block ciphers are treated. Five attacks on an iterated hash function and on its round function are formulated. The wisdom of strengthening such hash functions by constraining the last block of the message to be hashed is stressed. Schemes for constructing m-bit and 2m-bit hash round functions from m-bit block ciphers are studied. A principle is formalized for evaluating the strength of hash round functions, viz., that applying computationally simple (in both directions) invertible transformations to the input and output of a hash round function yields a new hash round function with the same security. By applying this principle, four attacks on three previously proposed 2m-bit hash round functions are formulated. Finally, three new hash round functions based on an m-bit block cipher with a 2m-bit key are proposed. 1 Introduction This paper is intended to provide a rather rounded treatment of hash functions that are obtained by iterati...
Towards Secure and Fast Hash Functions
- 1999
Abstract - Cited by 6 (0 self)
this paper [15], [16] (m, 2m) block cipher this paper this paper Suppose that
Attacks on Double Block Length Hash Functions
- in Fast Software Encryption, 1993
Abstract - Cited by 2 (1 self)
Attacks on double block length hash functions using a block cipher are considered in this paper. We present a general free-start attack, in which the attacker is free to choose the initial value, and a real attack on a large class of hash functions. Recent results on the complexities of attacks on double block hash functions are summarized. 1 Introduction A hash function is an easily implementable mapping from the set of all binary sequences of some specified minimum length or greater to the set of binary sequences of some fixed length. In cryptographic applications, hash functions are used within digital signature schemes and within schemes to provide data integrity (e.g., to detect modification of a message). An iterated hash function is a hash function $\mathrm{Hash}(\cdot)$ determined by an easily computable function $h(\cdot, \cdot)$ from two binary sequences of respective lengths m and l to a binary sequence of length m in the manner that the message $M = (M_1, M_2, \ldots, M_n)$, where $M_i$...
"Pseudorandom Intermixing": A Tool for Shared Cryptography
Abstract
Designing distributed cryptographic protocols that combine correctness, security, efficiency and practical constraints can be very difficult. Here, we suggest a new modular tool that we call "pseudorandom intermixing" which allows parties (or architectural components, such as hardware devices) sharing pseudorandomness to mix extra correlated pseudorandom information inside their computational results. We show how the pseudorandom intermixing may ease the design, increase efficiency and allow more refined control of cryptographic protocols for several important tasks, while maintaining "provable security." It can even turn a "heuristic protocol" into a "provably secure" one. We concentrate on the area of "distributed public key systems," which has been a very active area of research in the last decade, and for which there is a great interest in practical implementations of protocols. Among other things, we demonstrate the first "fault-free non-interactive" proactive main...

