Finding Collisions in the Full SHA-1
In: Advances in Cryptology, CRYPTO '05, 2005
Cited by 247 (7 self)
Abstract. In this paper, we present new collision search attacks on the hash function SHA-1. We show that collisions of SHA-1 can be found with complexity less than $2^{69}$ hash operations. This is the first attack on the full 80-step SHA-1 with complexity less than the $2^{80}$ theoretical bound.
New Proofs for NMAC and HMAC: Security without Collision-Resistance
2006
Cited by 117 (9 self)
HMAC was proved in [3] to be a PRF assuming that (1) the underlying compression function is a PRF, and (2) the iterated hash function is weakly collision-resistant. However, recent attacks show that assumption (2) is false for MD5 and SHA-1, removing the proof-based support for HMAC in these cases. This paper proves that HMAC is a PRF under the sole assumption that the compression function is a PRF. This recovers a proof-based guarantee since no known attacks compromise the pseudorandomness of the compression function, and it also helps explain the resistance to attack that HMAC has shown even when implemented with hash functions whose (weak) collision resistance is compromised. We also show that an even weaker-than-PRF condition on the compression function, namely that it is a privacy-preserving MAC, suffices to establish HMAC is a secure MAC as long as the hash function meets the very weak requirement of being computationally almost universal, where again the value lies in the fact that known
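The nested construction the abstract analyses, written out as an added example (this is not code from the paper or from any library it cites). It builds HMAC directly from hashlib, keys the inner hash through the ipad-masked key block and the outer hash through the opad-masked key block, and cross-checks the result against the standard library's hmac module; the test vector in the main block is RFC 2202 test case 1 for HMAC-SHA-1, and all other keys and messages are constructed for the demo.

```python
import hashlib
import hmac  # standard-library HMAC, used only to cross-check the hand-built version


def hmac_nested(key: bytes, msg: bytes, hash_name: str = "sha1") -> bytes:
    """HMAC(K, M) = H((K' xor opad) || H((K' xor ipad) || M)).

    K' is the key brought to the hash's block size: a key longer than one
    block is first hashed, a shorter key is zero-padded (as in RFC 2104).
    The outer hash call is what hides the inner chaining value, so an
    attacker never sees a raw iterated-hash output over the message.
    """
    h = lambda data: hashlib.new(hash_name, data).digest()
    block_size = hashlib.new(hash_name).block_size  # 64 bytes for SHA-1 and SHA-256
    if len(key) > block_size:
        key = h(key)
    key = key.ljust(block_size, b"\x00")
    ipad_key = bytes(b ^ 0x36 for b in key)
    opad_key = bytes(b ^ 0x5C for b in key)
    inner = h(ipad_key + msg)
    return h(opad_key + inner)


def hmac_hex(key: bytes, msg: bytes, hash_name: str = "sha1") -> str:
    return hmac_nested(key, msg, hash_name).hex()


def verify(key: bytes, msg: bytes, tag: bytes, hash_name: str = "sha1") -> bool:
    """Verify a tag in constant time; a plain == comparison leaks timing."""
    return hmac.compare_digest(hmac_nested(key, msg, hash_name), tag)


def matches_stdlib(key: bytes, msg: bytes, hash_name: str = "sha1") -> bool:
    """Cross-check the hand-written construction against hashlib/hmac."""
    expected = hmac.new(key, msg, hash_name).digest()
    return hmac.compare_digest(hmac_nested(key, msg, hash_name), expected)


if __name__ == "__main__":
    # RFC 2202 test case 1: key = 0x0b repeated 20 times, data = "Hi There".
    print(hmac_hex(b"\x0b" * 20, b"Hi There"))
```

The construction is the same for SHA-1, SHA-256 or any other Merkle-Damgård hash with a 64-byte block; what the abstract's result says is that the key-through-the-block nesting keeps HMAC a PRF even after the underlying hash has lost collision resistance, as long as the compression function itself still behaves like a PRF.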
Efficient Collision Search Attacks on SHA-0
In: Advances in Cryptology (CRYPTO), Springer-Verlag LNCS 3621, 2005
Cited by 73 (7 self)
Abstract. In this paper, we present new techniques for collision search in the hash function SHA-0. Using the new techniques, we can find collisions of the full 80-step SHA-0 with complexity less than $2^{39}$ hash operations.
Multi-Property-Preserving Hash Domain Extension and the EMD Transform
In: Advances in Cryptology – ASIACRYPT 2006, 2006
Cited by 72 (8 self)
Abstract. We point out that the seemingly strong pseudorandom oracle preserving (PRO-Pr) property of hash function domain-extension transforms defined and implemented by Coron et al. [12] can actually weaken our guarantees on the hash function, in particular producing a hash function that fails to be even collision-resistant (CR) even though the compression function to which the transform is applied is CR. Not only is this true in general, but we show that all the transforms presented in [12] have this weakness. We suggest that the appropriate goal of a domain extension transform for the next generation of hash functions is to be multi-property preserving, namely that one should have a single transform that is simultaneously at least collision-resistance preserving, pseudorandom function preserving and PRO-Pr. We present an efficient new transform that is proven to be multi-property preserving in this sense.
Efficient Collision-Resistant Hashing from Worst-Case Assumptions on Cyclic Lattices
In: TCC, 2006
Cited by 61 (16 self)
Abstract. The generalized knapsack function is defined as $f_a(x) = \sum_i a_i \cdot x_i$, where $a = (a_1, \ldots, a_m)$ consists of $m$ elements from some ring $R$, and $x = (x_1, \ldots, x_m)$ consists of $m$ coefficients from a specified subset $S \subseteq R$. Micciancio (FOCS 2002) proposed a specific choice of the ring $R$ and subset $S$ for which inverting this function (for random $a$, $x$) is at least as hard as solving certain worst-case problems on cyclic lattices. We show that for a different choice of $S \subseteq R$, the generalized knapsack function is in fact collision-resistant, assuming it is infeasible to approximate the shortest vector in $n$-dimensional cyclic lattices up to factors $\tilde{O}(n)$. For slightly larger factors, we even get collision-resistance for any $m \geq 2$. This yields very efficient collision-resistant hash functions having key size and time complexity almost linear in the security parameter $n$. We also show that altering $S$ is necessary, in the sense that Micciancio's original function is not collision-resistant (nor even universal one-way). Our results exploit an intimate connection between the linear algebra of $n$-dimensional cyclic lattices and the ring $\mathbb{Z}[\alpha]/(\alpha^n - 1)$, and crucially depend on the factorization of $\alpha^n - 1$ into irreducible cyclotomic polynomials. We also establish a new bound on the discrete Gaussian distribution over general lattices, employing techniques introduced by Micciancio and Regev (FOCS 2004) and also used by Micciancio in his study of compact knapsacks.

1 Introduction
A function family $\{f_a\}_{a \in A}$ is said to be collision-resistant if given a uniformly chosen $a \in A$, it is infeasible to find elements $x_1 \neq x_2$ so that $f_a(x_1) = f_a(x_2)$. Collision-resistant hash functions are one of the most widely employed cryptographic primitives. Their applications include integrity checking, user and message authentication, commitment protocols, and more. Many of the applications of collision-resistant hashing tend to invoke the hash function only a small number of times. Thus, the efficiency of the function has a direct effect on the efficiency of the application that uses it. This is in contrast to primitives such as one-way functions, which typically must be invoked many times in their applications (at least when used in a black-box way) [9].
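The generalized knapsack function of the abstract, $f_a(x) = \sum_i a_i \cdot x_i$ over the ring $\mathbb{Z}_q[\alpha]/(\alpha^n - 1)$ with inputs restricted to the small-coefficient subset $S = \{0, 1\}$, as an added example (not code from the paper). The parameters $n = 64$, $m = 16$, $q = 251$ are illustrative assumptions chosen so the function compresses 1024 input bits to 512 output bits; they are far too small for any security and are not the parameters the paper's reduction requires. The seeded key generator is likewise a demo convenience, not how a real key would be drawn.

```python
import random
from typing import List

# A ring element is its coefficient list c_0 .. c_{n-1}, standing for
# c_0 + c_1*alpha + ... + c_{n-1}*alpha^(n-1) in Z_q[alpha]/(alpha^n - 1).
Poly = List[int]


def ring_mul(a: Poly, b: Poly, n: int, q: int) -> Poly:
    """Multiply in Z_q[alpha]/(alpha^n - 1): alpha^n wraps to 1, so exponents add mod n."""
    out = [0] * n
    for i, ai in enumerate(a):
        if ai == 0:
            continue
        for j, bj in enumerate(b):
            k = (i + j) % n
            out[k] = (out[k] + ai * bj) % q
    return out


def knapsack_hash(a: List[Poly], x: List[Poly], n: int, q: int) -> Poly:
    """f_a(x) = sum_i a_i * x_i in the ring; a is the public random key."""
    assert len(a) == len(x)
    acc = [0] * n
    for ai, xi in zip(a, x):
        prod = ring_mul(ai, xi, n, q)
        acc = [(u + v) % q for u, v in zip(acc, prod)]
    return acc


def keygen(m: int, n: int, q: int, seed: int) -> List[Poly]:
    """Uniformly random key a in R^m. Seeded only so the demo is reproducible;
    a real key must come from a cryptographic RNG such as secrets."""
    rng = random.Random(seed)
    return [[rng.randrange(q) for _ in range(n)] for _ in range(m)]


def bits_to_input(data: bytes, m: int, n: int) -> List[Poly]:
    """Map m*n message bits to m ring elements with coefficients in S = {0, 1}.
    The small-coefficient set S is what makes collisions hard: f_a is linear
    over Z_q, so without the restriction any kernel vector gives a collision."""
    bits = [(byte >> k) & 1 for byte in data for k in range(8)]
    assert len(bits) == m * n, "input must be exactly m*n bits"
    return [bits[i * n:(i + 1) * n] for i in range(m)]


def hash_bytes(key: List[Poly], data: bytes, n: int, q: int) -> bytes:
    """Digest = the n output coefficients, each serialised in ceil(log2 q) bits."""
    out = knapsack_hash(key, bits_to_input(data, len(key), n), n, q)
    width = (q - 1).bit_length()
    return b"".join(c.to_bytes((width + 7) // 8, "big") for c in out)


def check_linearity(key: List[Poly], x: List[Poly], y: List[Poly], n: int, q: int) -> bool:
    """f_a(x + y) == f_a(x) + f_a(y) mod q: the map is Z_q-linear, which is
    exactly why restricting inputs to small coefficients is load-bearing."""
    z = [[(u + v) % q for u, v in zip(xi, yi)] for xi, yi in zip(x, y)]
    hx, hy, hz = (knapsack_hash(key, v, n, q) for v in (x, y, z))
    return hz == [(u + v) % q for u, v in zip(hx, hy)]


if __name__ == "__main__":
    N, M, Q = 64, 16, 251  # illustrative, insecure demo parameters
    key = keygen(M, N, Q, seed=7)
    print(hash_bytes(key, b"A" * 128, N, Q).hex())  # 128 input bytes -> 64 output bytes
```

Each output coefficient costs one cyclic convolution, so the function runs in time roughly $m \cdot n^2$ here; the paper's "almost linear in $n$" figure comes from doing these multiplications with FFT-style techniques over the factored ring, which this schoolbook version deliberately does not attempt.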
Finding SHA-1 Characteristics: General Results and Applications
Cited by 59 (3 self)
So far, the complex characteristics needed for the recent collision attacks on members of the SHA family have been constructed manually by Wang et al. In this report, we describe a method to search for them automatically. It succeeds for many message differences and also for multi-block attacks. This answers open questions posed by many researchers in the field. As a proof of concept, we give a two-block collision for 64-step SHA-1 based on a new characteristic. The highest number of steps for which a SHA-1 collision was published so far was 58. We also give a unified view on the expected work factor of a collision search and the needed degrees of freedom for the search. Until now, no clear view on these parameters was possible, especially in the prominent case of the recent results on SHA-1. As a result, our approach can exploit all available degrees of freedom.
Generalized Compact Knapsacks Are Collision Resistant
In: ICALP (2), 2006
Cited by 58 (15 self)
A step in the direction of creating efficient cryptographic functions based on worst-case hardness was
Secure Hybrid Encryption from Weakened Key Encapsulation
2007
Cited by 57 (9 self)
We put forward a new paradigm for building hybrid encryption schemes from constrained chosen-ciphertext secure (CCCA) key-encapsulation mechanisms (KEMs) plus authenticated symmetric encryption. Constrained chosen-ciphertext security is a new security notion for KEMs that we propose. CCCA has less demanding security requirements than standard chosen-ciphertext (CCA) security (since it requires the adversary to have a certain plaintext knowledge when making a decapsulation query) yet we can prove that CCCA is sufficient for secure hybrid encryption. Our notion is not only useful to express the Kurosawa-Desmedt public-key encryption scheme and its generalizations to hash-proof systems in an abstract KEM/DEM security framework. It also has a very constructive appeal, which we demonstrate with a new encryption scheme whose security relies on a class of intractability assumptions that we show (in the generic group model) strictly weaker than the Decision Diffie-Hellman (DDH) assumption. This appears to be the first practical public-key encryption scheme in the literature from an algebraic assumption strictly weaker than DDH.
A Failure-Friendly Design Principle for Hash Functions
2005
Cited by 53 (5 self)
Abstract. This paper reconsiders the established Merkle-Damgård design principle for iterated hash functions. The internal state size w of an iterated n-bit hash function is treated as a security parameter in its own right. In a formal model, we show that increasing w quantifiably improves security against certain attacks, even if the compression function fails to be collision resistant. We propose the wide-pipe hash, internally using a w-bit compression function, and the double-pipe hash, with w = 2n and an n-bit compression function used twice in parallel.
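The narrow-pipe and wide-pipe iterations side by side, as an added example (not code from the paper). The w-bit compression function is a stand-in built by truncating SHA-512 of the chaining value and the block, the all-zero IV is likewise an assumption, and the message in the main block is constructed. The extension routine shows one concrete effect of the final truncation that the abstract's w = 2n choice buys: with w = n the published digest is the whole chaining state, so anyone can keep iterating from it; with w = 2n the digest reveals only half the state and the same attempt has nothing to resume from.

```python
import hashlib


def compress(chain: bytes, block: bytes, w_bytes: int) -> bytes:
    """Stand-in w-byte compression function (illustrative only): SHA-512 of
    chain || block, truncated to w bytes. A real design supplies its own."""
    return hashlib.sha512(chain + block).digest()[:w_bytes]


def md_padding(msg_len: int, block_bytes: int = 64) -> bytes:
    """Merkle-Damgard strengthening: 0x80, zeros, then the 64-bit bit length.
    It depends only on the message length, never on the message content."""
    zeros = (block_bytes - 9 - msg_len) % block_bytes
    return b"\x80" + b"\x00" * zeros + (msg_len * 8).to_bytes(8, "big")


def iterated_hash(msg: bytes, w_bytes: int, n_bytes: int, block_bytes: int = 64) -> bytes:
    """Iterate a w-byte chaining state over the padded message, output n bytes.
    w == n is the classic narrow pipe; w == 2n is the wide pipe of the abstract."""
    assert w_bytes >= n_bytes
    state = bytes(w_bytes)  # fixed IV (all zero, an assumption of this demo)
    padded = msg + md_padding(len(msg), block_bytes)
    for i in range(0, len(padded), block_bytes):
        state = compress(state, padded[i:i + block_bytes], w_bytes)
    return state[:n_bytes]  # the truncation is a no-op in the narrow pipe


def extend_from_digest(digest: bytes, orig_len: int, suffix: bytes,
                       w_bytes: int, n_bytes: int, block_bytes: int = 64):
    """Resume hashing from a published digest without knowing the message.
    Possible only when the digest *is* the full chaining state (narrow pipe).
    Returns (forged_digest, glue) with forged_digest == H(M || glue || suffix)."""
    if w_bytes != n_bytes:
        raise ValueError("wide pipe: digest reveals only n of the w state bytes")
    glue = md_padding(orig_len, block_bytes)            # the original's padding
    total_len = orig_len + len(glue) + len(suffix)
    tail = suffix + md_padding(total_len, block_bytes)  # padding for the forgery
    state = digest
    for i in range(0, len(tail), block_bytes):
        state = compress(state, tail[i:i + block_bytes], w_bytes)
    return state, glue


if __name__ == "__main__":
    msg = b"constructed sample message"
    narrow = iterated_hash(msg, 32, 32)
    wide = iterated_hash(msg, 64, 32)
    forged, glue = extend_from_digest(narrow, len(msg), b";admin=true", 32, 32)
    print(forged == iterated_hash(msg + glue + b";admin=true", 32, 32))  # True
    print(len(wide))  # 32
```

The same structural fact drives the abstract's collision argument: in the narrow pipe an internal collision on the n-bit chaining value is immediately an output collision and can be chained into multicollisions, whereas in the wide pipe an internal collision has to hit all w = 2n state bits, which the generic birthday bound prices at $2^n$ rather than $2^{n/2}$ work.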
The PHOTON Family of Lightweight Hash Functions
In: CRYPTO, volume 6841 of LNCS, 2011
Cited by 52 (9 self)
Abstract. RFID security is currently one of the major challenges cryptography has to face, often solved by protocols assuming that an on-tag hash function is available. In this article we present the PHOTON lightweight hash-function family, available in many different flavors and suitable for extremely constrained devices such as passive RFID tags. Our proposal uses a sponge-like construction as domain extension algorithm and an AES-like primitive as internal unkeyed permutation. This allows us to obtain the most compact hash function known so far (about 1120 GE for 64-bit collision resistance security), reaching areas very close to the theoretical optimum (derived from the minimal internal state memory size). Moreover, the speed achieved by PHOTON also compares quite favorably to its competitors. This is mostly due to the fact that unlike for previously proposed schemes, our proposal is very simple to analyze and one can derive tight AES-like bounds on the number of active S-boxes. This kind of AES-like primitive is usually not well suited for ultra-constrained environments, but we describe in this paper a new method for generating the column mixing layer in a serial way, lowering drastically the area required. Finally, we slightly extend the sponge framework in order to offer interesting trade-offs between speed and preimage security for small messages, the classical use-case in hardware.