Amplifying Collision Resistance: A Complexity-Theoretic Treatment
 Advances in Cryptology — Crypto 2007, Volume 4622 of Lecture
Cited by 9 (1 self)
Abstract. We initiate a complexity-theoretic treatment of hardness amplification for collision-resistant hash functions, namely the transformation of weakly collision-resistant hash functions into strongly collision-resistant ones in the standard model of computation. We measure the level of collision resistance by the maximum probability, over the choice of the key, for which an efficient adversary can find a collision. The goal is to obtain constructions with short output, short keys, small loss in adversarial complexity tolerated, and a good tradeoff between compression ratio and computational complexity. We provide an analysis of several simple constructions, and show that many of the parameters achieved by our constructions are almost optimal in some sense.
Non-trivial black-box combiners for collision-resistant hash-functions don’t exist
 In Proc. Eurocrypt ’07
, 2007
"... 1 Introduction A function H: {0,1} ..."
Robust Multi-Property Combiners for Hash Functions Revisited
Cited by 6 (3 self)
Abstract. A robust multi-property combiner for a set of security properties merges two hash functions such that the resulting function satisfies each of the properties which at least one of the two starting functions has. Fischlin and Lehmann (TCC 2008) recently constructed a combiner which simultaneously preserves collision-resistance, target collision-resistance, message authentication, pseudorandomness and indifferentiability from a random oracle (IRO). Their combiner produces outputs of 5n bits, where n denotes the output length of the underlying hash functions. In this paper we propose improved combiners with shorter outputs. By sacrificing the indifferentiability from random oracles we obtain a combiner which preserves all of the other aforementioned properties but with output length 2n only. This matches a lower bound for black-box combiners for collision-resistance as the only property, showing that the other properties can be achieved without penalizing the length of the hash values. We then propose a combiner which also preserves the IRO property, slightly increasing the output length to 2n + ω(log n). Finally, we show that a twist on our combiners also makes them robust for one-wayness (but at the price of a fixed input length).
Robuster Combiners for Oblivious Transfer
Cited by 5 (3 self)
Abstract. A (k; n)-robust combiner for a primitive F takes as input n candidate implementations of F and constructs an implementation of F, which is secure assuming that at least k of the input candidates are secure. Such constructions provide robustness against insecure implementations and wrong assumptions underlying the candidate schemes. In a recent work Harnik et al. (Eurocrypt 2005) have proposed a (2; 3)-robust combiner for oblivious transfer (OT), and have shown that (1; 2)-robust OT-combiners of a certain type are impossible. In this paper we propose new, generalized notions of combiners for two-party primitives, which capture the fact that in many two-party protocols the security of one of the parties is unconditional, or is based on an assumption independent of the assumption underlying the security of the other party. This fine-grained approach results in OT-combiners strictly stronger than the constructions known before. In particular, we propose an OT-combiner which guarantees secure OT even when only one candidate is secure for both parties, and every remaining candidate is flawed for one of the parties. Furthermore, we present an efficient uniform OT-combiner, i.e., a single combiner which is secure simultaneously for a wide range of candidates’ failures. Finally, our definition allows for a very simple impossibility result, which shows that the proposed OT-combiners achieve optimal robustness.
Compression from collisions, or why CRHF combiners have a long output
 Advances in Cryptology – CRYPTO 2008. Lecture Notes in Computer Science
, 2004
Cited by 3 (1 self)
Abstract. A black-box combiner for collision resistant hash functions (CRHF) is a construction which given black-box access to two hash functions is collision resistant if at least one of the components is collision resistant. In this paper we prove a lower bound on the output length of black-box combiners for CRHFs. The bound we prove is basically tight as it is achieved by a recent construction of Canetti et al [Crypto’07]. The best previously known lower bounds only ruled out a very restricted class of combiners having a very strong security reduction: the reduction was required to output collisions for both underlying candidate hash-functions given a single collision for the combiner (Canetti et al [Crypto’07] building on Boneh and Boyen [Crypto’06] and Pietrzak [Eurocrypt’07]). Our proof uses a lemma similar to the elegant “reconstruction lemma” of Gennaro and Trevisan [FOCS’00], which states that any function which is not one-way is compressible (and thus a uniformly random function must be one-way). In a similar vein we show that a function which is not collision resistant is compressible. We also borrow ideas from recent work by Haitner et al. [FOCS’07], who show that one can prove the reconstruction lemma even relative to some very powerful oracles (in our case this will be an exponential time collision-finding oracle).
Security-amplifying combiners for collision-resistant hash functions
 In these proceedings
, 2007
Cited by 2 (0 self)
Abstract. The classical combiner Comb_class^{H0,H1}(M) = H0(M)H1(M) for hash functions H0, H1 provides collision-resistance as long as at least one of the two underlying hash functions is secure. This statement is complemented by the multi-collision attack of Joux (Crypto 2004) for iterated hash functions H0, H1 with n-bit outputs. He shows that one can break the classical combiner in n/2 · T0 + T1 steps if one can find collisions for H0 and H1 in time T0 and T1, respectively. Here we address the question if there are security-amplifying combiners where the security of the building blocks increases the security of the combined hash function, thus beating the bound of Joux. We discuss that one can indeed have such combiners and, somewhat surprisingly in light of results of Nandi and Stinson (ePrint 2004) and of Hoch and Shamir (FSE 2006), our solution is essentially as efficient as the classical combiner.
Multi-property Preserving Combiners for Hash Functions
 In Theory of Cryptography, LNCS
, 2008
Cited by 1 (0 self)
Abstract. A robust combiner for hash functions takes two candidate implementations and constructs a hash function which is secure as long as at least one of the candidates is secure. So far, hash function combiners only aim at preserving a single property such as collision-resistance or pseudorandomness. However, when hash functions are used in protocols like TLS they are often required to provide several properties simultaneously. We therefore put forward the notion of multi-property preserving combiners, clarify some aspects on different definitions for such combiners, and propose a construction that provably preserves collision resistance, pseudorandomness, “random-oracle-ness”, target collision resistance and message authentication according to our strongest notion.
Certificate
, 2007
First of all, I would like to express my deepest gratitude to my advisor Prof. Pandu Rangan C, for inspiring me to take up research seriously. He is easily one of the best professors I have come across in my four years of undergraduate life. His courses and his formal methods of approaching mathematical problems have helped me obtain a good grasp in the field of theoretical computer science. I thank him for providing the appropriate environment for research in the TCSLab, well known for books, journals and proceedings strewn all around. I would also like to recollect the valuable spree of technical discussions that I have had with him along with the students and interns of the lab on various topics in cryptography during the past 3 years at the lab. I would like to thank my faculty advisor, Prof. C. Siva Ram Murthy for his encouraging words during my initial terms in the department. I would also like to thank Dr. B. Ravindran for helping me broaden my interests in Computer Science through his courses on Operating Systems and Reinforcement learning. I am grateful to Dr. Shankar Balachandran and Prof. G. Srinivasan for they have stood by me and boosted my self-confidence during my tough times. The tête-à-tête sessions that I had with Shankar in his room and near GC reminded me of my school days and friends. The Cricket talk in the CoffeewithGS sessions every Thursday along
A preliminary version appears in TCC, Lecture Notes in Computer Science, Springer-Verlag, 2008. Multi-Property Preserving Combiners
www.minicrypt.de Abstract. A robust combiner for hash functions takes two candidate implementations and constructs a hash function which is secure as long as at least one of the candidates is secure. So far, hash function combiners only aim at preserving a single property such as collision-resistance or pseudorandomness. However, when hash functions are used in protocols like TLS they are often required to provide several properties simultaneously. We therefore put forward the notion of multi-property preserving combiners, clarify some aspects on different definitions for such combiners, and propose a construction that provably preserves collision resistance, pseudorandomness, “random-oracle-ness”, target collision resistance and message authentication according to our strongest notion.
A preliminary version appears in CT-RSA 2010, Lecture Notes in Computer Science, Springer-Verlag, 2010. Hash Function Combiners in TLS and SSL
Abstract. The TLS and SSL protocols are widely used to ensure secure communication over an untrusted network. Therein, a client and server first engage in the so-called handshake protocol to establish shared keys that are subsequently used to encrypt and authenticate the data transfer. To ensure that the obtained keys are as secure as possible, TLS and SSL deploy hash function combiners for key derivation and the authentication step in the handshake protocol. A robust combiner for hash functions takes two candidate implementations and constructs a hash function which is secure as long as at least one of the candidates is secure. In this work, we analyze the security of the proposed TLS/SSL combiner constructions for pseudorandom functions resp. message authentication codes.