Results 1 
9 of
9
Constructing cryptographic hash functions from fixedkey blockciphers. Full version of this paper
, 2008
"... Abstract. We propose a family of compression functions built from fixedkey blockciphers and investigate their collision and preimage security in the idealcipher model. The constructions have security approaching and in many cases equaling the security upper bounds found in previous work of the aut ..."
Abstract

Cited by 21 (5 self)
 Add to MetaCart
Abstract. We propose a family of compression functions built from fixedkey blockciphers and investigate their collision and preimage security in the idealcipher model. The constructions have security approaching and in many cases equaling the security upper bounds found in previous work of the authors [24]. In particular, we describe a 2nbit to nbit compression function using three nbit permutation calls that has collision security N 0.5,whereN =2 n, and we describe 3nbit to 2nbit compression functions using five and six permutation calls and having collision security of at least N 0.55 and N 0.63. Key words: blockcipherbased hashing, collisionresistant hashing, compression functions, cryptographic hash functions, idealcipher model. 1
Building a collisionresistant compression function from noncompressing primitives
 In ICALP 2008, Part II
, 2008
"... Abstract. We consider how to build an efficient compression function from a small number of random, noncompressing primitives. Our main goal is to achieve a level of collision resistance as close as possible to the optimal birthday bound. We present a 2nton bit compression function based on three ..."
Abstract

Cited by 17 (3 self)
 Add to MetaCart
(Show Context)
Abstract. We consider how to build an efficient compression function from a small number of random, noncompressing primitives. Our main goal is to achieve a level of collision resistance as close as possible to the optimal birthday bound. We present a 2nton bit compression function based on three independent nton bit random functions, each called only once. We show that if the three random functions are treated as black boxes then finding collisions requires Θ(2 n/2 /n c) queries for c ≈ 1. This result remains valid if two of the three random functions are replaced by a fixedkey ideal cipher in DaviesMeyer mode (i.e., EK(x) ⊕ x for permutation EK). We also give a heuristic, backed by experimental results, suggesting that the security loss is at most four bits for block sizes up to 256 bits. We believe this is the best result to date on the matter of building a collisionresistant compression function from noncompressing functions. It also relates to an open question from Black et al. (Eurocrypt’05), who showed that compression functions that invoke a single noncompressing random function cannot suffice. We also explore the relationship of our problem with that of doubling the output of a hash function and we show how our compression function can be used to double the output length of ideal hashes.
Security/Efficiency Tradeoffs for PermutationBased Hashing
"... Abstract. We provide attacks and analysis that capture a tradeoff, in the idealpermutation model, between the speed of a permutationbased hash function and its potential security. We show that any 2nbit to nbit compression function will have unacceptable collision resistance it makes fewer than ..."
Abstract

Cited by 12 (2 self)
 Add to MetaCart
Abstract. We provide attacks and analysis that capture a tradeoff, in the idealpermutation model, between the speed of a permutationbased hash function and its potential security. We show that any 2nbit to nbit compression function will have unacceptable collision resistance it makes fewer than three nbit permutation invocations, and any 3nbit to 2nbit compression function will have unacceptable security if it makes fewer than five nbit permutation invocations. Any rateα hash function built from nbit permutations can be broken, in the sense of finding preimages as well as collisions, in about N 1−α queries, where N =2 n. Our results provide guidance when trying to design or analyze a permutationbased hash function about the limits of what can possibly be done. 1
Hash Functions Based on Block Ciphers and Quaternary Codes
 Advances in Cryptology ASIACRYPT
, 1996
"... . We consider constructions for cryptographic hash functions based on mbit block ciphers. First we present a new attack on the LOKIDBH mode: the attack finds collisions in 2 3m=4 encryptions, which should be compared to 2 m encryptions for a brute force attack. This attack breaks the last remai ..."
Abstract

Cited by 11 (3 self)
 Add to MetaCart
(Show Context)
. We consider constructions for cryptographic hash functions based on mbit block ciphers. First we present a new attack on the LOKIDBH mode: the attack finds collisions in 2 3m=4 encryptions, which should be compared to 2 m encryptions for a brute force attack. This attack breaks the last remaining subclass in a wide class of efficient hash functions which have been proposed in the literature. We then analyze hash functions based on a collision resistant compression function for which finding a collision requires at least 2 m encryptions, providing a lower bound of the complexity of collisions of the hash function. A new class of constructions is proposed, based on error correcting codes over GF(2 2 ) and a proof of security is given, which relates their security to that of single block hash functions. For example, a compression function is presented which requires about 4 encryptions to hash an mbit block, and for which finding a collision requires at least 2 m encryptions...
Construction of secure and fast hash functions using nonbinary errorcorrecting codes
 IEEE Transactions on Information Theory
"... Abstract—This paper considers iterated hash functions. It proposes new constructions of fast and secure compression functions withbit outputs for integers 1 based on errorcorrecting codes and secure compression functions withbit outputs. This leads to simple and practical hash function construct ..."
Abstract

Cited by 9 (0 self)
 Add to MetaCart
(Show Context)
Abstract—This paper considers iterated hash functions. It proposes new constructions of fast and secure compression functions withbit outputs for integers 1 based on errorcorrecting codes and secure compression functions withbit outputs. This leads to simple and practical hash function constructions based on block ciphers such as Data Encryption Standard (DES), where the key size is slightly smaller than the block size; IDEA, where the key size is twice the block size; Advanced Encryption Standard (AES), with a variable key size; and to MD4like hash functions. Under reasonable assumptions about the underlying compression function and/or block cipher, it is proved that the new hash functions are collision resistant. More precisely, a lower bound is shown on the number of operations to find a collision as a function of the strength of the underlying compression function. Moreover, some new attacks are presented that essentially match the presented lower bounds. The constructions allow for a large degree of internal parallelism. The limits of this approach are studied in relation to bounds derived in coding theory. Index Terms—Birthday attacks, block ciphers, hash functions, nonbinary codes. I.
Cryptographic Hash Functions
 In Handbook of Information and Communication Security. Peter Stavroulakis, Mark Stamp, Editors. Springer First edition
"... Abstract. 1 This paper presents a new hash function design, which is different from the popular designs of the MD4family. Seen in the light of recent attacks on MD4, MD5, SHA0, SHA1, and on RIPEMD, there is a need to consider other hash function design strategies. The paper presents also a concre ..."
Abstract

Cited by 6 (0 self)
 Add to MetaCart
(Show Context)
Abstract. 1 This paper presents a new hash function design, which is different from the popular designs of the MD4family. Seen in the light of recent attacks on MD4, MD5, SHA0, SHA1, and on RIPEMD, there is a need to consider other hash function design strategies. The paper presents also a concrete hash function design named SMASH. One version has a hash code of 256 bits and appears to be at least as fast as SHA256. 1
1CRYPTOGRAPHIC HASH FUNCTIONS: AN OVERVIEW
"... Cryptographic hash functions are a useful building block for several cryptographic applications. The most important are certainly the protection of information authentication and digital signatures. This overview paper will discuss the de¯nitions, describe some attacks on hash functions, and will gi ..."
Abstract
 Add to MetaCart
(Show Context)
Cryptographic hash functions are a useful building block for several cryptographic applications. The most important are certainly the protection of information authentication and digital signatures. This overview paper will discuss the de¯nitions, describe some attacks on hash functions, and will give an overview of the existing practical constructions. 1
1Cryptographic Primitives for Information Authentication  State of the Art
"... Abstract. This paper describes the state of the art for cryptographic primitives that are used for protecting the authenticity of information: cryptographic hash functions and digital signature schemes; the ¯rst class can be divided into Manipulation Detection Codes (MDCs, also known as oneway and ..."
Abstract
 Add to MetaCart
(Show Context)
Abstract. This paper describes the state of the art for cryptographic primitives that are used for protecting the authenticity of information: cryptographic hash functions and digital signature schemes; the ¯rst class can be divided into Manipulation Detection Codes (MDCs, also known as oneway and collision resistant hash functions) and Message Authentication Codes (or MACs). The theoretical background is sketched, but most attention is paid to overview the large number of practical constructions for hash functions and to the recent developments in their cryptanalysis. It is also explained to what extent the security of these primitives can be reduced in a provable way to realistic assumptions. 1