Constructing Cryptographic Hash Functions from Fixed-Key Blockciphers. Full version of this paper
, 2008
Abstract. We propose a family of compression functions built from fixed-key blockciphers and investigate their collision and preimage security in the ideal-cipher model. The constructions have security approaching and in many cases equaling the security upper bounds found in previous work of the authors [24]. In particular, we describe a 2n-bit to n-bit compression function using three n-bit permutation calls that has collision security N^0.5, where N = 2^n, and we describe 3n-bit to 2n-bit compression functions using five and six permutation calls and having collision security of at least N^0.55 and N^0.63. Key words: blockcipher-based hashing, collision-resistant hashing, compression functions, cryptographic hash functions, ideal-cipher model.
Towards Secure and Fast Hash Functions
, 1999
Security/Efficiency Tradeoffs for Permutation-Based Hashing
Abstract. We provide attacks and analysis that capture a tradeoff, in the ideal-permutation model, between the speed of a permutation-based hash function and its potential security. We show that any 2n-bit to n-bit compression function will have unacceptable collision resistance if it makes fewer than three n-bit permutation invocations, and any 3n-bit to 2n-bit compression function will have unacceptable security if it makes fewer than five n-bit permutation invocations. Any rate-α hash function built from n-bit permutations can be broken, in the sense of finding preimages as well as collisions, in about N^(1−α) queries, where N = 2^n. Our results provide guidance, when trying to design or analyze a permutation-based hash function, about the limits of what can possibly be done.
Hash Functions Based on Block Ciphers and Quaternary Codes
Advances in Cryptology, ASIACRYPT
, 1996
We consider constructions for cryptographic hash functions based on m-bit block ciphers. First we present a new attack on the LOKI-DBH mode: the attack finds collisions in 2^(3m/4) encryptions, which should be compared to 2^m encryptions for a brute force attack. This attack breaks the last remaining subclass in a wide class of efficient hash functions which have been proposed in the literature. We then analyze hash functions based on a collision resistant compression function for which finding a collision requires at least 2^m encryptions, providing a lower bound on the complexity of collisions of the hash function. A new class of constructions is proposed, based on error correcting codes over GF(2^2), and a proof of security is given, which relates their security to that of single block hash functions. For example, a compression function is presented which requires about 4 encryptions to hash an m-bit block, and for which finding a collision requires at least 2^m encryptions...
Security of Cyclic Double Block Length Hash Functions including Abreast-DM
Abstract. We provide the first proof of security for Abreast-DM, one of the oldest and most well-known constructions for turning a block cipher with n-bit block length and 2n-bit key length into a 2n-bit cryptographic hash function. In particular, we prove that when Abreast-DM is instantiated with AES-256, i.e. a block cipher with 128-bit block length and 256-bit key length, any adversary that asks less than 2^124.42 queries cannot find a collision with success probability greater than 1/2. Surprisingly, this about 15 years old construction is one of the few constructions that have the desirable feature of a near-optimal collision resistance guarantee. We generalize our techniques used in the proof of Abreast-DM to a huge class of double block length (DBL) hash functions that we will call cyclic. Using this generalized theorem we are able to derive several DBL constructions that lead to compression functions that even have a higher security guarantee and are more efficient than Abreast-DM. Furthermore we give DBL constructions that have the highest security guarantee of all DBL compression functions currently known in literature. We also provide an analysis of preimage resistance for cyclic compression functions. Note that this work has already been presented at Dagstuhl ’09.
Multicollision Attacks on a Class of Hash Functions
IACR Preprint Archive
, 2005
In a recent paper, A. Joux [7] showed multicollision attacks on the classical iterated hash function. (A multicollision is a set of inputs whose hash values are the same.) He also showed how the multicollision attacks can be used to get a collision attack on the concatenated hash function. In this paper, we first try to fix the attack by introducing a natural and wide class of hash functions. However, we show that the multicollision attacks also exist in this general class. Thus, we rule out a natural and wide class of hash functions as candidates for multicollision secure hash functions.
The Security of Abreast-DM in the Ideal Cipher Model
Abstract. In this paper, we give a security proof for Abreast-DM in terms of collision resistance and preimage resistance. As old as Tandem-DM, the compression function Abreast-DM is one of the most well-known constructions for double block length compression functions. The bounds on the number of queries for collision resistance and preimage resistance are given by O(2^n). Based on a novel technique using query-response cycles, our security proof is simpler than those for MDC-2 and Tandem-DM. We also present a wide class of Abreast-DM variants that enjoy a birthday-type security guarantee with a simple proof.
On the Security of Tandem-DM
Abstract. We provide the first proof of security for Tandem-DM, one of the oldest and most well-known constructions for turning a blockcipher with n-bit blocklength and 2n-bit keylength into a 2n-bit cryptographic hash function. We prove that when Tandem-DM is instantiated with AES-256, i.e. blocklength 128 bits and keylength 256 bits, any adversary that asks less than 2^120.4 queries cannot find a collision with success probability greater than 1/2. We also prove a bound for preimage resistance of Tandem-DM. Interestingly, as there is only one practical construction known (FSE’06, Hirose) turning such an (n,2n)-bit blockcipher into a 2n-bit compression function that has provably birthday-type collision resistance, Tandem-DM is one out of two structures that possess this desirable feature.
A Synthetic Indifferentiability Analysis of Some Block-Cipher-Based Hash Functions
, 2007
At ASIACRYPT’06, Chang et al. analyzed the indifferentiability of some popular hash functions based on block ciphers, namely, the twenty collision resistant PGV, the MDC-2 and the PBGV hash functions, etc. In particular, two indifferentiable attacks were presented on four of the twenty collision resistant PGV and the PBGV hash functions with the prefix-free padding. In this article, a synthetic indifferentiability analysis of some block-cipher-based hash functions is considered. First, a more precise definition is proposed on the indifferentiability adversary in block-cipher-based hash functions. Next, the advantage of indifferentiability is extended by considering whether the hash function is keyed or not. Finally, a limitation is observed in Chang et al.’s indifferentiable attacks on the four PGV and the PBGV hash functions. The formal proofs show the fact that those hash functions are indifferentiable from a random oracle in the ideal cipher model with the prefix-free padding, the NMAC/HMAC and the chop construction.
Generalized Birthday Attacks on Unbalanced Feistel Networks
in Proceedings of Crypto’98, LNCS
, 1998
Abstract. Unbalanced Feistel networks F_k, which are used to construct invertible pseudorandom permutations from kn bits to kn bits using d pseudorandom functions from n bits to (k − 1)n bits, k ≥ 2, are studied. We show a new generalized birthday attack on F_k with d ≤ 3k − 3. With 2^((k−1)n) chosen plaintexts an adversary can distinguish F_k (with d = 3k − 3) from a random permutation with high probability. If d < 3k − 3 then fewer plaintexts are required. We also show that for any F_k (with d = 2k), any adversary with m chosen plaintext oracle queries has probability O(m^k / 2^((k−1)n)) of distinguishing F_k from a random permutation.