Results 1  10
of
11
Amplifying Collision Resistance: A ComplexityTheoretic Treatment
 Advances in Cryptology — Crypto 2007, Volume 4622 of Lecture
"... Abstract. We initiate a complexitytheoretic treatment of hardness amplification for collisionresistant hash functions, namely the transformation of weakly collisionresistant hash functions into strongly collisionresistant ones in the standard model of computation. We measure the level of collisi ..."
Abstract

Cited by 12 (1 self)
 Add to MetaCart
(Show Context)
Abstract. We initiate a complexitytheoretic treatment of hardness amplification for collisionresistant hash functions, namely the transformation of weakly collisionresistant hash functions into strongly collisionresistant ones in the standard model of computation. We measure the level of collision resistance by the maximum probability, over the choice of the key, for which an efficient adversary can find a collision. The goal is to obtain constructions with short output, short keys, small loss in adversarial complexity tolerated, and a good tradeoff between compression ratio and computational complexity. We provide an analysis of several simple constructions, and show that many of the parameters achieved by our constructions are almost optimal in some sense.
Compression from collisions, or why CRHF combiners have a long output
 Advances in Cryptology – CRYPTO 2008. Lecture Notes in Computer Science
, 2004
"... Abstract. A blackbox combiner for collision resistant hash functions (CRHF) is a construction which given blackbox access to two hash functions is collision resistant if at least one of the components is collision resistant. In this paper we prove a lower bound on the output length of blackbox co ..."
Abstract

Cited by 5 (2 self)
 Add to MetaCart
(Show Context)
Abstract. A blackbox combiner for collision resistant hash functions (CRHF) is a construction which given blackbox access to two hash functions is collision resistant if at least one of the components is collision resistant. In this paper we prove a lower bound on the output length of blackbox combiners for CRHFs. The bound we prove is basically tight as it is achieved by a recent construction of Canetti et al [Crypto’07]. The best previously known lower bounds only ruled out a very restricted class of combiners having a very strong security reduction: the reduction was required to output collisions for both underlying candidate hashfunctions given a single collision for the combiner (Canetti et al [Crypto’07] building on Boneh and Boyen [Crypto’06] and Pietrzak [Eurocrypt’07]). Our proof uses a lemma similar to the elegant “reconstruction lemma ” of Gennaro and Trevisan [FOCS’00], which states that any function which is not oneway is compressible (and thus uniformly random function must be oneway). In a similar vein we show that a function which is not collision resistant is compressible. We also borrow ideas from recent work by Haitner et al. [FOCS’07], who show that one can prove the reconstruction lemma even relative to some very powerful oracles (in our case this will be an exponential time collisionfinding oracle). 1
Securityamplifying combiners for collisionresistant hash functions
 In these proceedings
, 2007
"... Abstract. The classical combiner Comb H0,H1 class (M) = H0(M)H1(M) for hash functions H0, H1 provides collisionresistance as long as at least one of the two underlying hash functions is secure. This statement is complemented by the multicollision attack of Joux (Crypto 2004) for iterated hash f ..."
Abstract

Cited by 2 (0 self)
 Add to MetaCart
Abstract. The classical combiner Comb H0,H1 class (M) = H0(M)H1(M) for hash functions H0, H1 provides collisionresistance as long as at least one of the two underlying hash functions is secure. This statement is complemented by the multicollision attack of Joux (Crypto 2004) for iterated hash functions H0, H1 with nbit outputs. He shows that one can break the classical combiner in n 2 · T0 + T1 steps if one can find collisions for H0 and H1 in time T0 and T1, respectively. Here we address the question if there are securityamplifying combiners where the security of the building blocks increases the security of the combined hash function, thus beating the bound of Joux. We discuss that one can indeed have such combiners and, somewhat surprisingly in light of results of Nandi and Stinson (ePrint 2004) and of Hoch and Shamir (FSE 2006), our solution is essentially as efficient as the classical combiner. 1
A preliminary version appears in CTRSA 2010, Lecture Notes in Computer Science, SpringerVerlag, 2010. Hash Function Combiners in TLS and SSL
"... Abstract. The TLS and SSL protocols are widely used to ensure secure communication over an untrusted network. Therein, a client and server first engage in the socalled handshake protocol to establish shared keys that are subsequently used to encrypt and authenticate the data transfer. To ensure tha ..."
Abstract
 Add to MetaCart
Abstract. The TLS and SSL protocols are widely used to ensure secure communication over an untrusted network. Therein, a client and server first engage in the socalled handshake protocol to establish shared keys that are subsequently used to encrypt and authenticate the data transfer. To ensure that the obtained keys are as secure as possible, TLS and SSL deploy hash function combiners for key derivation and the authentication step in the handshake protocol. A robust combiner for hash functions takes two candidate implementations and constructs a hash function which is secure as long as at least one of the candidates is secure. In this work, we analyze the security of the proposed TLS/SSL combiner constructions for pseudorandom functions resp. message authentication codes. 1
Combining properties of cryptographic hash functions ⋆
"... Abstract. A “strong ” cryptographic hash function suitable for practical applications should simultaneously satisfy many security properties, like pseudorandomness, collision resistance and unforgeability. This paper shows how to combine two hash function families each satisfying different security ..."
Abstract
 Add to MetaCart
(Show Context)
Abstract. A “strong ” cryptographic hash function suitable for practical applications should simultaneously satisfy many security properties, like pseudorandomness, collision resistance and unforgeability. This paper shows how to combine two hash function families each satisfying different security property into one hash function family, which satisfies both properties. In particular, given two hash function families H1 and H2, where H1 is pseudorandom and H2 is collision resistant, we construct a combiner which satisfies pseudorandomness and collision resistance. We also present a combiner for collision resistance and everywhere preimage resistance. When designing a new hash function family for some particular application, we can use such combiners with existing primitives and thus combine a hash function family satisfying all needed properties. 1
Robust MultiProperty Combiners for Hash
"... Abstract. A robust combiner for hash functions takes two candidate implementations and constructs a hash function which is secure as long as at least one of the candidates is secure. So far, hash function combiners only aim at preserving a single property such as collisionresistance or pseudorando ..."
Abstract
 Add to MetaCart
(Show Context)
Abstract. A robust combiner for hash functions takes two candidate implementations and constructs a hash function which is secure as long as at least one of the candidates is secure. So far, hash function combiners only aim at preserving a single property such as collisionresistance or pseudorandomness. However, when hash functions are used in protocols like TLS they are often required to provide several properties simultaneously. We therefore put forward the notion of robust multiproperty combiners and elaborate on different definitions for such combiners. We then propose a combiner that provably preserves (target) collisionresistance, pseudorandomness, and being a secure message authentication code. This combiner satisfies the strongest notion we propose, which requires that the combined function satisfies every security property which is satisfied by at least one of the underlying hash function. If the underlying hash functions have output length n, the combiner has output length 2n. This basically matches a known lower bound for blackbox combiners for collisionresistance only, thus the other properties can be achieved without penalizing the length of the hash values. We then propose a combiner which also preserves the property of being indifferentiable from a random oracle, slightly increasing the output length to 2n+ ω(log n). Moreover, we show how to augment our constructions in order to make them also robust for the onewayness property, but in this case require an a priory upper bound on the input length.
Certificate
, 2007
"... First of all, I would like to express my deepest gratitude to my advisor Prof. Pandu Rangan C, for inspiring me to take up research seriously. He is easily, one of the best professors I have come across in my four years of undergraduate life. His courses and his formal methods of approaching mathema ..."
Abstract
 Add to MetaCart
(Show Context)
First of all, I would like to express my deepest gratitude to my advisor Prof. Pandu Rangan C, for inspiring me to take up research seriously. He is easily, one of the best professors I have come across in my four years of undergraduate life. His courses and his formal methods of approaching mathematical problems have helped me obtain a good grasp in the field of theoretical computer science. I thank him for providing the appropriate environment for research in the TCSLab, well known for books, journals and proceedings strewn all around. I would also like to recollect the valuable spree of technical discussions that I have had with him along with the students and interns of the lab on various topics in cryptography during the past 3 years at the lab. I would like to thank my faculty advisor, Prof. C. Siva Ram Murthy for his encouraging words during my initial terms in the department. I would also like to thank Dr. B. Ravindran for helping me broaden my interests in Computer Science through his courses on Operating Systems and Reinforcement learning. I am grateful to Dr. Shankar Balachandran and Prof. G. Srinivasan for they have stood by me and boosted my selfconfidence during my tough times. The teteatete sessions that I had with Shankar in his room and near GC reminded me of my school days and friends. The Cricket talk in the CoffeewithGS sessions every Thursday along
On existence of robust combiners for cryptographic hash functions?
"... Abstract. A (k, l)robust combiner for collision resistant hash functions is a construction, which takes l hash functions and combines them so that if at least k of the components are collision resistant, then so is the resulting combination. A blackbox (k, l)robust combiner is robust combiner ..."
Abstract
 Add to MetaCart
(Show Context)
Abstract. A (k, l)robust combiner for collision resistant hash functions is a construction, which takes l hash functions and combines them so that if at least k of the components are collision resistant, then so is the resulting combination. A blackbox (k, l)robust combiner is robust combiner, which takes its components as blackboxes. A trivial blackbox combiner is concatenation of any (l−k+1) of the hash functions. Boneh and Boyen [1] followed by Pietrzak [3] proved, that for collision resistance we cannot do much better that concatenation, i.e. there does not exist black box (k, l)robust combiner for collision resistance, whose output is significantly shorter that the output of the trivial combiner. In this paper we analyze whether robust combiners for other hash function properties (e.g. preimage resistance and second preimage resistance) exist. Key words: Cryptographic hash function, robust combiner, preimage resistance, second preimage resistance 1
A FOURCOMPONENT FRAMEWORK FOR DESIGNING AND ANALYZING CRYPTOGRAPHIC HASH ALGORITHMS
"... Abstract: Cryptographic hash algorithms are important building blocks in cryptographic protocols, providing authentication and assurance of integrity. While many different hash algorithms are available including MD5, Tiger, and HAVAL, it is difficult to compare them since they do not necessarily use ..."
Abstract
 Add to MetaCart
(Show Context)
Abstract: Cryptographic hash algorithms are important building blocks in cryptographic protocols, providing authentication and assurance of integrity. While many different hash algorithms are available including MD5, Tiger, and HAVAL, it is difficult to compare them since they do not necessarily use the same techniques to achieve their security goals. This work informally describes a framework in four parts which allows different hash algorithms to be compared based on their strengths and weaknesses. By breaking down cryptographic hash algorithms into their preprocessing, postprocessing, compression function, and internal structure components, weaknesses in existing algorithms can be mitigated and new algorithms can take advantage of strong individual components. 1