Cryptographic Hash Function
Cited by 1 (0 self)
This is version 02 of the supporting documentation that describes in detail the cryptographic hash function EDON-R, which was submitted as a candidate for the SHA-3 hash competition organized by the National Institute of Standards and Technology (NIST) according to the public call [1]. The difference between version 01 and version 02 of the documentation is in the produced test vectors for HMAC. That is due to the fact that there was a mismatch between the rotation values defined in the documentation and those implemented in the C code. Accordingly, the C source code (on the accompanying CD) has been changed to use the correct rotation values. So, in this documentation we do not change anything in the originally submitted algorithm, but just give the correct HMAC test values. In this version a minor change in the performance has been measured with Microsoft Visual Studio 2005, but we add new measurements performed with Intel C++ v 11.0.066 (which are slightly better than those obtained with Microsoft Visual Studio 2005). Additionally, we add a remark that our claims about free-start collisions in Section 3.14 are not correct. EDON-R is a cryptographic hash function with an output size of n bits, where n = 224, 256, 384 or 512. Its conjectured cryptographic security is: O(2^(n/2)) hash computations for finding collisions, O(2^n) hash computations for finding preimages, and O(2^(n−k)) hash computations for finding second preimages.
Off-Line/On-Line Signatures: Theoretical Aspects and Experimental Results
Cited by 1 (0 self)
This paper presents some theoretical and experimental results about off-line/on-line digital signatures. The goal of this type of scheme is to reduce the time used to compute a signature by means of some kind of preprocessing. They were introduced by Even, Goldreich and Micali and constructed by combining regular digital signatures with efficient one-time signatures. Later Shamir and Tauman presented an alternative construction (which produces shorter signatures) by combining regular signatures with chameleon hash functions. We first unify the Shamir-Tauman and Even et al. approaches by showing that they can be considered different instantiations of the same paradigm. We do this by showing that the one-time signatures needed in the Even et al. approach only need to satisfy a weak notion of security. We then show that chameleon hashing is in effect a type of one-time signature which satisfies this weaker security notion. In the process we study the relationship between one-time signatures and chameleon hashing, and we prove that a special type of chameleon hashing (which we call two-trapdoor) is a fully secure one-time signature. Finally we ran experimental tests using OpenSSL libraries to test the difference between the two approaches. In our implementation we make extensive use of the observation that off-line/on-line digital signatures do not require collision-resistant hash functions to compress the message, but can be safely implemented with universal one-way hashing in both the off-line and the on-line step. The main application of this observation is that both steps can be applied to shorter digests. This has particular relevance if block-cipher- or hash-function-based one-time signatures are used, since these are very sensitive to the length of the message. Interestingly, we show that (mostly due to the above observation about hashing) the two approaches are comparable in efficiency and signature length.
A Three-Property-Secure Hash Function
Cited by 1 (0 self)
This paper proposes a new hash construction based on the widely used Merkle-Damgård (MD) iteration [Mer90,Dam90]. It achieves the three basic properties required from a cryptographic hash function: collision (Coll), second preimage (Sec) and preimage (Pre) security. We show property preservation for the first two properties in the standard security model, and the third, Pre security, is proved in the random oracle model. Similar to earlier known hash constructions that achieve a form of Sec (eSec [RS04]) property preservation [BR97,Sho00], we make use of fixed key material in the iteration. But while these hashes employ keys of size at least logarithmic in the message length (in blocks), we only need a small constant key size. Another advantage of our construction is that the underlying compression function is instantiated as a keyless primitive. The Sec security of our hash scheme, however, relies heavily on the standard definitional assumption that the target messages are sufficiently random. An example of a practical application that requires Sec security and satisfies this definitional premise on the message inputs is the popular Cramer-Shoup encryption scheme [CS03]. Still, in practice we have other hashing applications where the target messages are not sampled from spaces with uniform distribution. And while our scheme is Sec preserving for uniform message distributions, we show that this is not always the case for other distributions.
Y.: An Investigation of the Enhanced Target Collision Resistance Property for Hash Functions. Cryptology ePrint Archive, Report 2009/506, 2009
Cited by 1 (1 self)
We revisit the enhanced target collision resistance (eTCR) property as a newly emerged notion of security for dedicated-key hash functions, which was put forth by Halevi and Krawczyk at CRYPTO'06, in conjunction with the Randomized Hashing mode that achieves this property. Our contribution is twofold. Firstly, we provide a full picture of the relationships between eTCR and each of the seven security properties for a dedicated-key hash function considered by Rogaway and Shrimpton at FSE'04; namely, collision resistance (CR), the three variants of second-preimage resistance (Sec, aSec, eSec) and the three variants of preimage resistance (Pre, aPre, ePre). The results show that, for an arbitrary dedicated-key hash function, eTCR is not implied by any of these seven properties, and it can only imply three of the properties; namely, eSec (TCR), Sec and Pre. In the second part of the paper, we analyze the eTCR preservation capabilities of several domain extension transforms (a.k.a. modes of operation) for hash functions, including (Plain, Strengthened, and Prefix-free) Merkle-Damgård, Randomized Hashing, Shoup, Enveloped Shoup, XOR Linear Hash (XLH), and Linear Hash (LH). From this analysis it turns out that, with the exception of a nested variant of LH, none of the investigated transforms can preserve the eTCR property.
Protocols Analyzed, 2005
• We have to deploy new hash functions — if not today, at some point soon
• We try for algorithm-agility in our protocols — but certificates are a special case
• Certificates rely on hashes
• Goal: maintain security while new code is deployed
• Did we get it right?
• No...
Evaluating a New Hash Function: Thoughts and Recommendations, 2007
This document is intended as a response to the call for comments by NIST related to the establishment of design and evaluation criteria for the upcoming hash competition. We start by presenting a list of specific recommendations for NIST's consideration and then follow with an article that expands on these recommendations and their rationale. We intend the list of recommendations also as an "executive summary" of the article for those not interested in the full details of our discussion. Our approach is that, due to the wide range of cryptographic applications for which the new hash function is intended (as implied by the FIPS 180-2 hash standard), NIST should select a relatively small set of core functionalities to serve as the basis for applicability of the new function, and derive from it a corresponding set of core security requirements that will serve as design and evaluation criteria in the competition. Moreover, we strongly recommend that NIST require submitters of new functions to explicitly specify how to use the proposed function to achieve each one of the core functionalities, including the specification of how to key the function in keyed applications (for example, how to use the hash function to implement a PRF). We include detailed rationale for our recommendations as well as specific suggestions and considerations relevant to the planning of the upcoming hash competition.
Chosen-prefix Collisions for MD5 and Applications
We present a novel, automated way to find differential paths for MD5. As an application we have shown how, at an approximate expected cost of 2^39 calls to the MD5 compression function, for any two chosen message prefixes P and P′, suffixes S and S′ can be constructed such that the concatenated values P‖S and P′‖S′ collide under MD5. The practical attack potential of this construction of chosen-prefix collisions is of greater concern than the MD5 collisions that were published before. This is illustrated by a pair of MD5-based X.509 certificates, one of which was signed by a commercial Certification Authority (CA) as a legitimate website certificate, while the other one is a certificate for a rogue CA that is entirely under our control (cf.
The Skein Hash Function Family, 2009
Skein is a new family of cryptographic hash functions. Its design combines speed, security, simplicity, and a great deal of flexibility in a modular package that is easy to analyze. Skein is fast. Skein-512—our primary proposal—hashes data at 6.1 clock cycles per byte on a 64-bit CPU. This means that on a 3.1 GHz x64 Core 2 Duo CPU, Skein hashes data at 500 MBytes/second per core—almost twice as fast as SHA-512 and three times faster than SHA-256. An optional hashtree mode speeds up parallelizable implementations even more. Skein is fast for short messages, too; Skein-512 hashes short messages in about 1000 clock cycles. Skein is secure. Its conservative design is based on the Threefish block cipher. Our current best attack on Threefish-512 is on 25 of 72 rounds, for a safety factor of 2.9. For comparison, at a similar stage in the standardization process, the AES encryption algorithm had an attack on 6 of 10 rounds, for a safety factor of only 1.7. Additionally, Skein has a number of provably secure properties, greatly increasing confidence in the algorithm. Skein is simple. Using only three primitive operations, the Skein compression function can be easily understood and remembered. The rest of the algorithm is a straightforward iteration of this function.
A Mobile World of Security
Mobile users are increasing fast in numbers, new types of services and applications become available, and new mobile systems (e.g., for intelligent transportation) emerge. Meanwhile, the need for securing communication in such large-scale, highly dynamic systems grows. But the organizational complexity and operational costs make traditional security solutions hard to deploy at the rate new mobile applications are rolled out. The challenge that lies ahead is how to provide versatile security compatible with the large deployed mobile networking infrastructure. We propose a novel approach to establishing cryptographic keys. Our basic observation is that users are often very mobile and, as they interact with the infrastructure, each of them can leave a unique trace behind. Unlike many works that seek to identify structure in the mobility of a population, we leverage the inherent randomness of the mobility of individuals (and thus the randomness of mobile-infrastructure interactions) to establish shared secret keys between each mobile node and the infrastructure. With an underlying, readily available source of uncertainty, such keys can be generated as needed, on the fly, to enhance system and user security in many ways. We find that with no or little change to existing mobile communication systems, users can generate a common secret with the infrastructure at a rate of roughly 0.1 bits per second.
A Multi Purpose Web-based Contractual Management System
A Web-based multi-purpose contractual management system can provide support for contractual process workflows for different types of contractual processes involving unilateral, bilateral or multilateral contracts. These processes can be done on-line, i.e. Web-based, without the need for all actors to be synchronously present with respect to both time and space. The different contractual processes of initialization, negotiation, agreement, signing (witnessing), and archiving are managed within the application securely by analyzing the data flow between actors, ushering actors to perform their duties in a timely manner, and employing appropriate cryptographic techniques at every step of the way. The implementation must deliver a management system that provides the operational properties of authenticity, privacy, trustworthiness, reliability, verifiability, and linkability.

