Results 1 - 7 of 7
Hash Functions Based on Block Ciphers
Proc. of EUROCRYPT 92, 1993
Cited by 53 (7 self)
Iterated hash functions based on block ciphers are treated. Five attacks on an iterated hash function and on its round function are formulated. The wisdom of strengthening such hash functions by constraining the last block of the message to be hashed is stressed. Schemes for constructing m-bit and 2m-bit hash round functions from m-bit block ciphers are studied. A principle is formalized for evaluating the strength of hash round functions, viz., that applying computationally simple (in both directions) invertible transformations to the input and output of a hash round function yields a new hash round function with the same security. By applying this principle, four attacks on three previously proposed 2m-bit hash round functions are formulated. Finally, three new hash round functions based on an m-bit block cipher with a 2m-bit key are proposed. 1 Introduction This paper is intended to provide a rather rounded treatment of hash functions that are obtained by iterati...
M.: Indifferentiable security analysis of popular hash functions with prefix-free padding
ASIACRYPT 2006. LNCS, 2006
Cited by 13 (1 self)
Abstract. Understanding what construction strategy has a chance to be a good hash function is extremely important nowadays. In TCC’04, Maurer et al. [13] introduced the notion of indifferentiability as a generalization of the concept of the indistinguishability of two systems. In Crypto’2005, Coron et al. [5] suggested to employ indifferentiability in generic analysis of hash functions and started by suggesting four constructions which enable eliminating all possible generic attacks against iterative hash functions. In this paper we continue this initial suggestion and we give a formal proof of indifferentiability and indifferentiable attack for prefix-free MD hash functions (for single block length (SBL) hash and also some double block length (DBL) constructions) in the random oracle model and in the ideal cipher model. In particular, we observe that there are sixteen PGV hash functions (with prefix-free padding) which are indifferentiable from random oracle model in the ideal cipher model.
New Attacks on all Double Block Length Hash Functions of Hash Rate 1, including the Parallel-DM
1995
Cited by 6 (1 self)
In this paper attacks on double block length hash functions using a block cipher are considered. We present attacks on all double block length hash functions of hash rate 1, that is, hash functions where in each round the block cipher is used twice, s.t. one encryption is needed per message block. In particular, our attacks break the Parallel-DM presented at Crypto'93 [3]. 1 Introduction A hash function is an easily implementable mapping from the set of all binary sequences to the set of binary sequences of some fixed length. An iterated hash function is a hash function $\mathrm{Hash}(\cdot)$ determined by an easily computable function $h(\cdot, \cdot)$ from two binary sequences of respective lengths $m$ and $l$ to a binary sequence of length $m$ in the manner that the message $M = (M_1, M_2, \ldots, M_n)$, where $M_i$ is of length $l$, is hashed to the hash value $H = H_n$ of length $m$ by computing recursively $H_i = h(H_{i-1}, M_i)$, $i = 1, 2, \ldots, n$, (1) where $H_0$ is a specified initial value. The function...
A Synthetic Indifferentiability Analysis of Some Block-Cipher-Based Hash Functions
2007
Cited by 5 (2 self)
At ASIACRYPT’06, Chang et al. analyzed the indifferentiability of some popular hash functions based on block ciphers, namely, the twenty collision resistant PGV, the MDC-2 and the PBGV hash functions, etc. In particular, two indifferentiable attacks were presented on the four of the twenty collision resistant PGV and the PBGV hash functions with the prefix-free padding. In this article, a synthetic indifferentiability analysis of some block-cipher-based hash functions is considered. First, a more precise definition is proposed on the indifferentiability adversary in block-cipher-based hash functions. Next, the advantage of indifferentiability is extended by considering whether the hash function is keyed or not. Finally, a limitation is observed in Chang et al.’s indifferentiable attacks on the four PGV and the PBGV hash functions. The formal proofs show the fact that those hash functions are indifferentiable from a random oracle in the ideal cipher model with the prefix-free padding, the NMAC/HMAC and the chop construction.
Attacks on Double Block Length Hash Functions
in Fast Software Encryption, 1993
Cited by 2 (1 self)
Attacks on double block length hash functions using a block cipher are considered in this paper. We present a general free-start attack, in which the attacker is free to choose the initial value, and a real attack on a large class of hash functions. Recent results on the complexities of attacks on double block hash functions are summarized. 1 Introduction A hash function is an easily implementable mapping from the set of all binary sequences of some specified minimum length or greater to the set of binary sequences of some fixed length. In cryptographic applications, hash functions are used within digital signature schemes and within schemes to provide data integrity (e.g., to detect modification of a message). An iterated hash function is a hash function $\mathrm{Hash}(\cdot)$ determined by an easily computable function $h(\cdot, \cdot)$ from two binary sequences of respective lengths $m$ and $l$ to a binary sequence of length $m$ in the manner that the message $M = (M_1, M_2, \ldots, M_n)$, where $M_i$...
On the Design of Secure and Fast Double Block Length Hash Functions
In this work the security of double block length hash functions with rate 1, which are based on a block cipher with a block length of n bits and a key length of 2n bits, is reconsidered. Counterexamples and new attacks are presented on this general class of fast double block length hash functions, which reveal unnoticed flaws in the necessary conditions given by Satoh et al. and Hirose. Preimage and second preimage attacks are presented on Hirose’s two examples which were left as an open problem. Our synthetic analysis shows that all rate-1 hash functions in FDBL-II fail to be optimally (second) preimage resistant. The necessary conditions are refined for ensuring a subclass of hash functions in FDBL-II to be optimally secure against collision attacks. In particular, one of Hirose’s two examples, which satisfies our refined conditions, is proven to be indifferentiable from a random oracle in the ideal cipher model. The security results are extended to a new class of double block length hash functions with rate 1, where the key length of one block cipher used in the compression function is equal to the block length, whereas the other is doubled. Key words. Cryptanalysis, Blockcipher-based hash function, Double block length, Indifferentiability.
Blockcipher-Based Double-Length Hash Functions for Pseudorandom Oracles
Abstract. PRO (Pseudorandom Oracle) is an important security of hash functions because it ensures that the hash function inherits all properties of a random oracle up to the PRO bound (e.g., security against length extension attack, collision resistant security, preimage resistant security and so on). In this paper, we propose new blockcipher-based double-length hash functions, which are PROs up to $O(2^n)$ query complexity in the ideal cipher model. Our hash functions use a single blockcipher, which encrypts an n-bit string using a 2n-bit key, and maps an input of arbitrary length to an n-bit output. Since many blockciphers support a 2n-bit key (e.g. AES supports a 256-bit key), the assumption to use the 2n-bit key length blockcipher is acceptable. To our knowledge, this is the first time double-length hash functions based on a single (practical size) blockcipher with birthday PRO security.