Results 1-10 of 11
A failure-friendly design principle for hash functions, 2005
Cited by 53 (5 self)
Abstract. This paper reconsiders the established Merkle-Damgård design principle for iterated hash functions. The internal state size w of an iterated n-bit hash function is treated as a security parameter in its own right. In a formal model, we show that increasing w quantifiably improves security against certain attacks, even if the compression function fails to be collision resistant. We propose the wide-pipe hash, internally using a w-bit compression function, and the double-pipe hash, with w = 2n and an n-bit compression function used twice in parallel.
Building a collision-resistant compression function from non-compressing primitives
In ICALP 2008, Part II, 2008
Cited by 18 (4 self)
Abstract. We consider how to build an efficient compression function from a small number of random, non-compressing primitives. Our main goal is to achieve a level of collision resistance as close as possible to the optimal birthday bound. We present a 2n-to-n bit compression function based on three independent n-to-n bit random functions, each called only once. We show that if the three random functions are treated as black boxes then finding collisions requires Θ(2^(n/2)/n^c) queries for c ≈ 1. This result remains valid if two of the three random functions are replaced by a fixed-key ideal cipher in Davies-Meyer mode (i.e., E_K(x) ⊕ x for permutation E_K). We also give a heuristic, backed by experimental results, suggesting that the security loss is at most four bits for block sizes up to 256 bits. We believe this is the best result to date on the matter of building a collision-resistant compression function from non-compressing functions. It also relates to an open question from Black et al. (Eurocrypt'05), who showed that compression functions that invoke a single non-compressing random function cannot suffice. We also explore the relationship of our problem with that of doubling the output of a hash function and we show how our compression function can be used to double the output length of ideal hashes.
On the Security of Tandem-DM
Cited by 8 (2 self)
Abstract. We provide the first proof of security for Tandem-DM, one of the oldest and most well-known constructions for turning a blockcipher with n-bit blocklength and 2n-bit keylength into a 2n-bit cryptographic hash function. We prove that when Tandem-DM is instantiated with AES-256, i.e. blocklength 128 bits and keylength 256 bits, any adversary that asks less than 2^120.4 queries cannot find a collision with success probability greater than 1/2. We also prove a bound for preimage resistance of Tandem-DM. Interestingly, as there is only one practical construction known (FSE'06, Hirose) turning such an (n,2n)-bit blockcipher into a 2n-bit compression function that has provably birthday-type collision resistance, Tandem-DM is one out of two structures that possess this desirable feature.
Improved Collision and Preimage Resistance Bounds on PGV Schemes
Cited by 2 (0 self)
most basic ways to construct a hash function from a block cipher, and regarded 12 of those 64 schemes as secure. Black, Rogaway and Shrimpton [3] (BRS) provided a formal and quantitative treatment of those 64 constructions and proved that, in the black-box model, the 12 schemes (Group-1) that PGV singled out as secure really are secure. By stepping outside of the Merkle-Damgård [4] approach to analysis, an additional 8 (Group-2) of the 64 schemes are just as collision resistant as the first group of schemes. Tight upper and lower bounds on collision resistance of those 20 schemes were given. In this paper, those collision resistance and preimage resistance bounds are improved, which shows that, in the black-box model, the collision bounds of those 20 schemes are the same. In Group-1 schemes, 8 out of 12 can find fixed points easily. Bounds on second preimage, multicollisions of Joux [6], fixed-point multicollisions [8] and combinations of the two kinds of multicollisions are also given. From those bounds, Group-1 schemes can also be divided into two groups.
Key Words: Hash Function, Block Cipher, MD Construction
Attacking the Knudsen-Preneel compression functions
In FSE 2010, volume 6147 of LNCS, 2010
Cited by 1 (1 self)
Abstract. Knudsen and Preneel (Asiacrypt'96 and Crypto'97) introduced a hash function design in which a linear error-correcting code is used to build a wide-pipe compression function from underlying blockciphers operating in Davies-Meyer mode. Their main design goal was to deliver compression functions with collision resistance up to, and even beyond, the block size of the underlying blockciphers. In this paper, we (re)analyse the preimage resistance of the Knudsen-Preneel compression functions in the setting of public random functions. We give a new preimage attack that is based on two observations. First, by using the right kind of queries it is possible to mount a non-adaptive preimage attack that is optimal in terms of query complexity. Second, by exploiting the dual code the subsequent problem of reconstructing a preimage from the queries can be rephrased as a problem related to the generalized birthday problem. As a consequence, the time complexity of our attack is intimately tied to the minimum distance of the dual code. Our new attack consistently beats the one given by Knudsen and Preneel (in one case our preimage attack even beats their collision attack) and demonstrates that the gap between their claimed collision resistance and the actual preimage resistance is surprisingly small. Moreover, our new attack falsifies their (conjectured) preimage resistance security bound and shows that intuitive bounds based on the number of 'active' components can be treacherous. Complementing our attack is a formal analysis of the query complexity (both lower and upper bounds) of preimage-finding attacks. This analysis shows that for many concrete codes the time complexity of our attack is optimal.
More Insights on Blockcipher-Based Hash Functions
Cited by 1 (0 self)
Abstract. In this paper we give more insights on the security of blockcipher-based hash functions. We give a very simple criterion to build a secure large class of Single-Block-Length (SBL) or double call Double-Block-Length (DBL) compression functions based on (kn, n) blockciphers, where kn is the key length, n is the block length and k is an integer. This criterion is simpler than previous works in the literature. Based on the criterion, we can get many results from this criterion, and we can get a conclusion on such a class of blockcipher-based hash functions. We solved the open problem left by Hirose. Our results show that to build a secure double call DBL compression function, it is required that k >= m + 1, where m is the number of message blocks. Thus, we can only build rate 1/2 secure double DBL blockcipher-based compression functions if k = 2. At last, we pointed out flaws in Stam's theorem about supercharged functions and gave a revision of this theorem and added another condition for the security of supercharged compression functions.
Attacks On a Double Length Blockcipher-based Hash Proposal
Abstract. In this paper we attack a 2n-bit double length hash function proposed by Lee et al. This proposal is a blockcipher-based hash function with hash rate 2/3. The designers claimed that it could achieve ideal collision resistance and gave a security proof. However, we find a collision attack with complexity of Ω(2^(3n/4)) and a preimage attack with complexity of Ω(2^n). Our result shows this construction is much worse than an ideal 2n-bit hash function.
Cryptographic Hash Functions - Recent Results on Cryptanalysis and their Implications on System Security
Recently, several severe attacks against cryptographic hash functions were discovered. This includes attacks against MD4 and MD5, two rather old hash functions. Very unfortunately, MD5 is still widely used in practice in many software integrity schemes, including, but not limited to, the most popular Linux package formats. This may pose a serious security problem. In this paper we discuss the current state of research on hash functions and some first-aid workarounds. We briefly discuss the trouble "Trusted" Computing has got into by trusting the SHA-1 hash function, which now has been broken.
Coding Theory and Hash Function Design - A Case Study: The Lane Hash Function
Abstract. We illustrate how coding theory was applied in the design of the cryptographic hash function LANE [8]. The generic structure of the LANE compression function could potentially be vulnerable to a class of meet-in-the-middle attacks. While difficult to avoid at first sight, restating the problem in the domain of error-correcting codes naturally leads to a simple and elegant solution. This ensures that these attacks do not apply to LANE.