Results 1 - 7 of 7
Amplifying Collision Resistance: A Complexity-Theoretic Treatment
 Advances in Cryptology — Crypto 2007, Volume 4622 of Lecture
Cited by 9 (1 self)
Abstract. We initiate a complexity-theoretic treatment of hardness amplification for collision-resistant hash functions, namely the transformation of weakly collision-resistant hash functions into strongly collision-resistant ones in the standard model of computation. We measure the level of collision resistance by the maximum probability, over the choice of the key, for which an efficient adversary can find a collision. The goal is to obtain constructions with short output, short keys, small loss in adversarial complexity tolerated, and a good tradeoff between compression ratio and computational complexity. We provide an analysis of several simple constructions, and show that many of the parameters achieved by our constructions are almost optimal in some sense.
Multicollision Attacks on a Class of Hash Functions
IACR PREPRINT ARCHIVE, 2005
Cited by 6 (0 self)
In a recent paper, A. Joux [7] showed multicollision attacks on the classical iterated hash function. (A multicollision is a set of inputs whose hash values are the same.) He also showed how the multicollision attacks can be used to get a collision attack on the concatenated hash function. In this paper, we first try to fix the attack by introducing a natural and wide class of hash functions. However, we show that the multicollision attacks also exist in this general class. Thus, we rule out a natural and a wide class of hash functions as candidates for multicollision secure hash functions.
Multicollision Attacks on Generalized Hash Functions
2004
In a recent paper in crypto04, A. Joux [6] showed multicollision attacks on the classical iterated hash function. He also showed how the multicollision attack can be used to get a collision attack on the concatenated hash function. In this paper we have shown that the multicollision attacks exist in a general class of sequential or tree-based hash functions even if message blocks are used twice, unlike the classical hash function.
• Dean/Kelsey/Schneier Attacks
• Square-Free Sequences
  – Prouhet-Thue-Morse Sequences
  – Towers of Hanoi
• Abelian Square-Free Sequences
  – Keränen’s Sequence
• Dithering
• Open Questions
• Conclusions
Typical Iterated hashing
[Figure: message blocks M_0, M_1, M_2, ..., M_{L-1} fed through f; chaining variables h_{-1}, h_0, h_1, h_2, ..., h_{L-2}, h_{L-1}; output H(M)]
• Message extended with 10* & length (MD)
• f is compression function.
• h_{-1} is initialization vector (IV)
• h_i is ith chaining variable
• Last chaining variable h_{L-1} is hash output H(M)
Dean/Kelsey/Schneier Attacks
[Figure: message blocks M_0, M_1, M_2, ..., M_{L-1} fed through f; chaining variables h_{-1}, h_0, h_1, h_2, ..., h_{L-2}, h_{L-1}; output H(M)]
• Assumes one can find fixpoint h for f, M*: h = f(h, M*)
• Can then have message expansion attacks that find second preimage by
  – Finding many fixpoint pairs (h, M)
  – Finding a fixpoint h in actual chain for given message
  – Finding another shorter path from h_0 to some chaining variable
  – Creating second preimage with this new starting path using message expansion to handle Merkle-Damgard strengthening
Dithering
• Make hash function round dependent on round index i as well as h_{i-1} and M_i
• Dithering: include dither input d_i to compression function: h_i = f(h_{i-1}, M_i, d_i)
Iterated hashing with dithering
[Figure: message blocks M_0, M_1, M_2, ..., M_{L-1} fed through f; chaining variables h_{-1}, h_0, h_1, h_2, ..., h_{L-2}, h_{L-1}; output H(M)]
A note on the security proof of Knudsen-Preneel construction of a hash function
In this paper two attacks on a multiple length hash function whose construction is proposed by Knudsen and Preneel. One can violate the security bound claimed in the proposal paper [6] if t = 1 and d > 3.
Locally Computable UOWHF with Linear Shrinkage
We study the problem of constructing locally computable Universal One-Way Hash Functions (UOWHFs) H: {0, 1}^n → {0, 1}^m. A construction with constant output locality, where every bit of the output depends only on a constant number of bits of the input, was established by [Applebaum, Ishai, and Kushilevitz, SICOMP 2006]. However, this construction suffers from two limitations: (1) It can only achieve a sublinear shrinkage of n − m = n^{1−ɛ}; and (2) It has a superconstant input locality, i.e., some inputs influence a large superconstant number of outputs. This leaves open the question of realizing UOWHFs with constant output locality and linear shrinkage of n − m = ɛn, or UOWHFs with constant input locality and minimal shrinkage of n − m = 1. We settle both questions simultaneously by providing the first construction of UOWHFs with linear shrinkage, constant input locality, and constant output locality. Our construction is based on the one-wayness of “random” local functions – a variant of an assumption made by Goldreich (ECCC 2000). Using a transformation of [Ishai, Kushilevitz, Ostrovsky and Sahai, STOC 2008], our UOWHFs give rise to a digital signature scheme with a minimal additive complexity overhead: signing n-bit messages with security parameter κ takes only O(n + κ) time instead of O(nκ) as in typical constructions. Previously, such signatures were only known to exist under an exponential hardness assumption. As an additional contribution, we obtain new locally-computable hardness amplification procedures for UOWHFs that preserve linear shrinkage.
Efficient Hashing using the AES Instruction Set
Abstract. In this work, we provide a software benchmark for a large range of 256-bit blockcipher-based hash functions. We instantiate the underlying blockcipher with AES, which allows us to exploit the recent AES instruction set (AES-NI). Since AES itself only outputs 128 bits, we consider double-block-length constructions, as well as (single-block-length) constructions based on RIJNDAEL-256. Although we primarily target architectures supporting AES-NI, our framework has much broader applications by estimating the performance of these hash functions on any (micro)architecture given AES-benchmark results. As far as we are aware, this is the first comprehensive performance comparison of multi-block-length hash functions in software.