How to Forge DES-Encrypted Messages in 2^28 Steps
1996
Cited by 17 (0 self)
In this paper we suggest key-collision attacks, and show that the theoretic strength of a cipher cannot exceed the square root of the size of the key space. As a result, in some circumstances, some DES keys can be recovered while they are still in use, and these keys can then be used to forge messages: in particular, one key of DES can be recovered with complexity 2^28, and one key of (three-key) triple-DES can be recovered with complexity 2^84.
Building a collision-resistant compression function from non-compressing primitives
In ICALP 2008, Part II, 2008
Cited by 15 (3 self)
We consider how to build an efficient compression function from a small number of random, non-compressing primitives. Our main goal is to achieve a level of collision resistance as close as possible to the optimal birthday bound. We present a 2n-to-n bit compression function based on three independent n-to-n bit random functions, each called only once. We show that if the three random functions are treated as black boxes then finding collisions requires Θ(2^{n/2}/n^c) queries for c ≈ 1. This result remains valid if two of the three random functions are replaced by a fixed-key ideal cipher in Davies-Meyer mode (i.e., E_K(x) ⊕ x for permutation E_K). We also give a heuristic, backed by experimental results, suggesting that the security loss is at most four bits for block sizes up to 256 bits. We believe this is the best result to date on the matter of building a collision-resistant compression function from non-compressing functions. It also relates to an open question from Black et al. (Eurocrypt'05), who showed that compression functions that invoke a single non-compressing random function cannot suffice. We also explore the relationship of our problem with that of doubling the output of a hash function and we show how our compression function can be used to double the output length of ideal hashes.
Towards Secure and Fast Hash Functions
1999
Cited by 10 (0 self)
On the power of memory in the design of collision resistant hash functions
Advances in Cryptology, Proc. Auscrypt'92, LNCS 718, 1993
Cited by 5 (1 self)
Collision-resistant hash functions are an important basic tool for cryptographic applications such as digital signature schemes and integrity protection based on "fingerprinting". This paper proposes a new efficient class of hash functions based on a block cipher that allows for a trade-off between security and speed. The principles behind the scheme can be used to optimize similar proposals.
Design principles for dedicated hash functions
Lecture Notes in Computer Science / The Computer Journal, 2007; 1994
Cited by 3 (0 self)
Dedicated hash functions are cryptographically secure compression functions which are designed specifically for hashing. They are intended as a practical alternative to hash functions based on another cryptographic primitive such as a block cipher or modular squaring. About a dozen dedicated hash functions have been proposed in the literature. This paper discusses the design principles on which these hash functions are based.
Generalized Birthday Attacks on Unbalanced Feistel Networks
In proceedings of Crypto'98, LNCS, 1998
Cited by 3 (0 self)
Unbalanced Feistel networks F_k, which are used to construct invertible pseudorandom permutations from kn bits to kn bits using d pseudorandom functions from n bits to (k − 1)n bits, k ≥ 2, are studied. We show a new generalized birthday attack on F_k with d ≤ 3k − 3. With 2^{(k−1)n} chosen plaintexts an adversary can distinguish F_k (with d = 3k − 3) from a random permutation with high probability. If d < 3k − 3 then fewer plaintexts are required. We also show that for any F_k (with d = 2k), any adversary with m chosen-plaintext oracle queries has probability O(m^k / 2^{(k−1)n}) of distinguishing F_k from a random permutation.
Generic Attacks on Unbalanced Feistel Schemes with Expanding Functions
ASIACRYPT'07, 2007
Cited by 2 (0 self)
Unbalanced Feistel schemes with expanding functions are used to construct pseudorandom permutations from kn bits to kn bits by using random functions from n bits to (k − 1)n bits. At each round, all the bits except n bits are changed by using a function that depends only on these n bits. C. S. Jutla [6] investigated such schemes, which he denotes by F^d_k, where d is the number of rounds. In this paper, we describe novel Known Plaintext Attacks (KPA) and Non-Adaptive Chosen Plaintext Attacks (CPA-1) against these schemes. With these attacks we will often be able to improve the result of C. S. Jutla. We also give precise formulas for the complexity of our attacks in d, k and n. Key words: unbalanced Feistel permutations, pseudorandom permutations, generic attacks on encryption schemes, block ciphers.
Security Analysis of Double Length Compression Function Based on Block Cipher
Cited by 2 (0 self)
Recently Nandi et al. have proposed a 1/3-rate and a 2/3-rate double-length compression function and studied their security in the black-box model. They proved that finding a collision for the compression function requires Ω(2^{2n/3}) queries, where n is the output length. In this paper, we show that not all block-cipher-based hash functions constructed according to their model have the same security, i.e., the complexity of finding collisions for these hash functions can be reduced to O(2^{n/2}).
A Lightweight Hash Function Resisting Birthday Attack and Meet-in-the-middle Attack
In this paper, to match a lightweight digital signing scheme of which the length of modulus is between 80 and 160 bits, a lightweight hash function called JUNA is proposed. It is based on the intractabilities MPP and ASPP, and regards a short message or a message digest as an input which is treated as only one block. The JUNA hash contains two algorithms: an initialization algorithm and a compression algorithm, and converts a string of n bits into another of m bits, where 80 ≤ m ≤ n ≤ 4096. The two algorithms are described, and their security is analyzed from several aspects. The analysis shows that the JUNA hash is one-way, weakly collision-free, and strongly collision-free along with a proof, especially resistant to the birthday attack and the meet-in-the-middle attack, and has security of O(2^m) arithmetic steps at present, while the time complexity of its compression algorithm is O(n) arithmetic steps. Moreover, the JUNA hash with short input and small computation may be used to reform a classical hash with output of n bits and security of O(2^{n/2}) into a compact hash with output of n/2 bits and equivalent security. Thus, it opens a door to convenient use of lightweight digital signing schemes.