Results 1 
8 of
8
A failurefriendly design principle for hash functions
, 2005
"... Abstract. This paper reconsiders the established MerkleDamg˚ard design principle for iterated hash functions. The internal state size w of an iterated nbit hash function is treated as a security parameter of its own right. In a formal model, we show that increasing w quantifiably improves security ..."
Abstract

Cited by 42 (5 self)
 Add to MetaCart
Abstract. This paper reconsiders the established MerkleDamg˚ard design principle for iterated hash functions. The internal state size w of an iterated nbit hash function is treated as a security parameter of its own right. In a formal model, we show that increasing w quantifiably improves security against certain attacks, even if the compression function fails to be collision resistant. We propose the widepipe hash, internally using a wbit compression function, and the doublepipe hash, with w = 2n and an nbit compression function used twice in parallel.
Building a collisionresistant compression function from noncompressing primitives
 In ICALP 2008, Part II
, 2008
"... Abstract. We consider how to build an efficient compression function from a small number of random, noncompressing primitives. Our main goal is to achieve a level of collision resistance as close as possible to the optimal birthday bound. We present a 2nton bit compression function based on three ..."
Abstract

Cited by 15 (3 self)
 Add to MetaCart
Abstract. We consider how to build an efficient compression function from a small number of random, noncompressing primitives. Our main goal is to achieve a level of collision resistance as close as possible to the optimal birthday bound. We present a 2nton bit compression function based on three independent nton bit random functions, each called only once. We show that if the three random functions are treated as black boxes then finding collisions requires Θ(2 n/2 /n c) queries for c ≈ 1. This result remains valid if two of the three random functions are replaced by a fixedkey ideal cipher in DaviesMeyer mode (i.e., EK(x) ⊕ x for permutation EK). We also give a heuristic, backed by experimental results, suggesting that the security loss is at most four bits for block sizes up to 256 bits. We believe this is the best result to date on the matter of building a collisionresistant compression function from noncompressing functions. It also relates to an open question from Black et al. (Eurocrypt’05), who showed that compression functions that invoke a single noncompressing random function cannot suffice. We also explore the relationship of our problem with that of doubling the output of a hash function and we show how our compression function can be used to double the output length of ideal hashes.
On the Security of TandemDM
"... Abstract. We provide the first proof of security for TandemDM, one of the oldest and most wellknown constructions for turning a blockcipher with nbit blocklength and 2nbit keylength into a 2nbit cryptographic hash function. We prove, that when TandemDM is instantiated with AES256, i.e. blockle ..."
Abstract

Cited by 6 (2 self)
 Add to MetaCart
Abstract. We provide the first proof of security for TandemDM, one of the oldest and most wellknown constructions for turning a blockcipher with nbit blocklength and 2nbit keylength into a 2nbit cryptographic hash function. We prove, that when TandemDM is instantiated with AES256, i.e. blocklength 128 bits and keylength 256 bits, any adversary that asks less than 2 120.4 queries cannot find a collision with success probability greater than 1/2. We also prove a bound for preimage resistance of TandemDM. Interestingly, as there is only one practical construction known (FSE’06, Hirose) turning such an (n,2n)bit blockcipher into a 2nbit compression function that has provably birthdaytype collision resistance, TandemDM is one out of two structures that possess this desirable feature.
Improved Collision and Preimage Resistance Bounds on PGV Schemes
"... most basic ways to construct a hash function from a block cipher, and regarded 12 of those 64 schemes as secure. Black, Pogaway and Shrimpton[3](BRS) provided a formal and quantitative treatment of those 64 constructions and proved that, in blackbox model, the 12 schemes ( group − 1) that PGV singl ..."
Abstract

Cited by 2 (0 self)
 Add to MetaCart
most basic ways to construct a hash function from a block cipher, and regarded 12 of those 64 schemes as secure. Black, Pogaway and Shrimpton[3](BRS) provided a formal and quantitative treatment of those 64 constructions and proved that, in blackbox model, the 12 schemes ( group − 1) that PGV singled out as secure really are secure. By stepping outside of the MerkleDamg˚ard[4] approach to analysis, an additional 8 (group − 2) of the 64 schemes are just as collision resistant as the first group of schemes. Tight upper and lower bounds on collision resistance of those 20 schemes were given. In this paper, those collision resistance and preimage resistance bounds are improved, which shows that, in black box model, collision bounds of those 20 schemes are same. In Group − 1 schemes, 8 out of 12 can find fixed point easily. Bounds on second preimage, multicollisions of Joux[6], fixedpoint multicollisons[8] and combine of the two kinds multicollisions are also given. From those bound, Group − 1 schemes can also be deviled into two group. Key Words: Hash Function, Block Cipher, MD Construction 1
More Insights on BlockcipherBased Hash Functions
"... Abstract. In this paper we give more insights on the security of blockcipherbased hash functions. We give a very simple criterion to build a secure large class of SingleBlockLength (SBL) or double call DoubleBlockLength (DBL) compression functions based on (kn, n) blockciphers, where kn is the k ..."
Abstract

Cited by 1 (0 self)
 Add to MetaCart
Abstract. In this paper we give more insights on the security of blockcipherbased hash functions. We give a very simple criterion to build a secure large class of SingleBlockLength (SBL) or double call DoubleBlockLength (DBL) compression functions based on (kn, n) blockciphers, where kn is the key length and n is the block length and k is an integer. This criterion is simpler than previous works in the literature. Based on the criterion, we can get many results from this criterion, and we can get a conclusion on such class of blockcipherbased hash functions. We solved the open problem left by Hirose. Our results show that to build a secure double call DBL compression function, it is required k> = m + 1 where m is the number of message blocks. Thus, we can only build rate 1/2 secure double DBL blockcipherbased compression functions if k = = 2. At last, we pointed out flaws in Stam’s theorem about supercharged functions and gave a revision of this theorem and added another condition for the security of supercharged compression functions. 1
Some properties of an FSE 2005 Hash Proposal
, 2005
"... We consider the hash function proposals by Mridul et al. presented at FSE 2005. For the proposed 2nbit compression functions it is proved that collision attacks require#q ) queries of the functions in question. In this note it is shown that with ) queries one can distinguish the proposed com ..."
Abstract
 Add to MetaCart
We consider the hash function proposals by Mridul et al. presented at FSE 2005. For the proposed 2nbit compression functions it is proved that collision attacks require#q ) queries of the functions in question. In this note it is shown that with ) queries one can distinguish the proposed compression functions from a randomly chosen 2nbit function with very good probability. Finally we note that our results do not seem to contradict any statements made the designers of the compression functions.
Chinese Academy of Sciences
"... The most popular method to construct hash functions is to iterate a compression function on the input message. This method is called MerkleDamgård method. Most hash functions used in practice such as MD4, MD5, SHA0, SHA1 are based on this method. However this method is not always the best. For ex ..."
Abstract
 Add to MetaCart
The most popular method to construct hash functions is to iterate a compression function on the input message. This method is called MerkleDamgård method. Most hash functions used in practice such as MD4, MD5, SHA0, SHA1 are based on this method. However this method is not always the best. For example, this method can not resist multicollision attack. Recently some modifications of this method are proposed. These modified methods are based on MerkleDamgård method and some improvements are made. A hash function based on AllorNothing property is one of these improvements. Allornothing property is an encryption mode for block ciphers. It has the property that one must decrypt all cipher blocks to determine any plaintext block. Allornothing hash function is a kind of hash function constructed with the allornothing property. The authors of it claim that it is more secure than those common hash functions. In this paper, we will show that this is not true and there are still some flaws on this improved method.
Attacks On a Double Length Blockcipherbased Hash Proposal
"... Abstract. In this paper we attack a 2nbit double length hash function proposed by Lee et al. This proposal is a blockcipherbased hash function with hash rate 2/3. The designers claimed that it could achieve ideal collision resistance and gave a security proof. However, we find a collision attack w ..."
Abstract
 Add to MetaCart
Abstract. In this paper we attack a 2nbit double length hash function proposed by Lee et al. This proposal is a blockcipherbased hash function with hash rate 2/3. The designers claimed that it could achieve ideal collision resistance and gave a security proof. However, we find a collision attack with complexity of Ω(2 3n/4) and a preimage attack with complexity of Ω(2 n). Our result shows this construction is much worse than an ideal 2nbit hash function. 1