. Iterated hash functions based on block ciphers are treated. Five attacks on an iterated hash function and on its round function are formulated. The wisdom of strengthening such hash functions by constraining the last block of the message to be hashed is stressed. Schemes for constructing m-bit and 2m-bit hash round functions from m-bit block ciphers are studied. A principle is formalized for evaluating the strength of hash round functions, viz., that applying computationally simple #in both directions# invertible transformations to the input and output of a hash round function yields a new hash round function with the same security. By applying this principle, four attacks on three previously proposed 2m-bit hash round functions are formulated. Finally, three new hash round functions based on an m-bit block cipher with a 2m-bit key are proposed. 1 Introduction This paper is intended to provide a rather rounded treatment of hash functions that are obtained by iterati...

. The unforgeability of conventional digital signatures is necessarily based on complexity theoretic assumptions, i.e. even the most secure schemes can be broken by an adversary with unexpected computing abilities. Thus we introduce fail-stop signatures: They are as unforgeable as the best conventional signatures, but if a signature is forged nevertheless, the supposed signer can prove the forgery unconditionally (i.e. without assumptions), with arbitrarily high probability. We construct actual fail-stop signature schemes, called hiding schemes, from arbitrary claw-free pairs of permutations. As a special case, we obtain a rather practical system where forging is as hard as factoring. We also present applications to digital payment systems, and sketch those to reliable broadcast. * Institut für Rechnerentwurf und Fehlertoleranz, Universität Karlsruhe, Postfach 6980, D-W7500 Karlsruhe 1, Fed. Rep. of Germany; Phone: ++49-721-608-4024, Fax: ++49-721370455, E-mail (CSnet): Waidner@Ira.UK...

personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission.