Results 1 - 6 of 6
How to Build a Hash Function from any Collision-Resistant Function
2007
Cited by 12 (3 self)
Abstract
Recent collision-finding attacks against hash functions such as MD5 and SHA-1 motivate the use of provably collision-resistant (CR) functions in their place. Finding a collision in a provably CR function implies the ability to solve some hard problem (e.g., factoring). Unfortunately, existing provably CR functions make poor replacements for hash functions as they fail to deliver behaviors demanded by practical use. In particular, they are easily distinguished from a random oracle. We initiate an investigation into building hash functions from provably CR functions. As a method for achieving this, we present the Mix-Compress-Mix (MCM) construction; it envelopes any provably CR function H (with suitable regularity properties) between two injective “mixing” stages. The MCM construction simultaneously enjoys (1) provable collision-resistance in the standard model, and (2) indifferentiability from a monolithic random oracle when the mixing stages themselves are indifferentiable from a random oracle that observes injectivity. We instantiate our new design approach by specifying a block-cipher-based construction that
Domain extension of public random functions: Beyond the birthday barrier
In Advances in Cryptology – CRYPTO ’07 (2007), Lecture Notes in Computer Science
2007
Cited by 8 (1 self)
Abstract
Combined with the iterated constructions of Coron et al., our result leads to the first iterated construction of a hash function {0,1}^* → {0,1}^n from a component function {0,1}^n → {0,1}^n that withstands all recently proposed generic attacks against iterated hash functions, like Joux's multicollision attack, Kelsey and Schneier's second-preimage attack, and Kelsey and Kohno's herding attacks.

1 Introduction

1.1 Secret vs. Public Random Functions

Primitives that provide some form of randomness are of central importance in cryptography, both as a primitive assumed to be given (e.g. a secret key), and as a primitive constructed from a weaker one to "behave like" a certain ideal random primitive (e.g. a random function), according to some security notion.
Security-Focused Survey on Group Key Exchange Protocols
Horst Görtz Institute, Network and Data Security Group
2006
Cited by 7 (3 self)
Abstract
In this paper we overview a large number of currently known group key exchange protocols while focusing on the protocols designed for more than three participants (for an overview of two- and three-party key exchange protocols we refer to [BM03, DB05c]). For each mentioned protocol we briefly describe the current state of security based on the original analysis as well as later results that appeared in the literature. We distinguish between (i) protocols with heuristic security arguments based on informally defined security requirements and (ii) protocols that have been proven secure in one of the existing security models for group key exchange. Note that this paper continues the work started in [Man06], which provides an analytical survey on security requirements and currently known models for group key exchange. We emphasize that the following survey focuses on the security aspects of the protocols and does not aim to provide any efficiency comparison. The reader interested in this kind of surveys we
Feistel networks made public, and applications
Advances in Cryptology – EUROCRYPT ’07, LNCS
2007
Cited by 3 (0 self)
Abstract
The Feistel Network, consisting of a repeated application of the Feistel Transform, gives a very convenient and popular method of designing “cryptographically strong” permutations from corresponding “cryptographically strong” functions. Up to now, all usages of the Feistel Network, including the celebrated Luby-Rackoff result, critically rely on (a) the (pseudo)randomness of round functions; and (b) the secrecy of (at least some of) the intermediate round values appearing during the Feistel computation. Moreover, a small constant number of Feistel rounds was typically sufficient to guarantee security under assumptions (a) and (b). In this work we consider several natural scenarios where at least one of the above assumptions does not hold, and show that a constant, or even logarithmic, number of rounds is provably insufficient to handle such applications, implying that a new method of analysis is needed. On the positive side, we develop a new combinatorial understanding of Feistel networks, which makes them applicable to situations when the round functions are merely unpredictable rather than (pseudo)random and/or when the intermediate round values may be leaked to the adversary (either through an attack or because the application requires it). In essence, our results show that in any such scenario a super-logarithmic number of Feistel rounds is necessary and sufficient to guarantee security. This partially explains why practical block ciphers use
Towards Understanding the Known-Key Security of Block Ciphers
Abstract
Known-key distinguishers for block ciphers were proposed by Knudsen and Rijmen at ASIACRYPT 2007 and have been a major research topic in cryptanalysis since then. A formalization of known-key attacks in general is known to be difficult. In this paper, we tackle this problem for the case of block ciphers based on ideal components such as random permutations and random functions, as well as propose new generic known-key attacks on generalized Feistel ciphers. We introduce the notion of known-key indifferentiability to capture the security of such block ciphers under a known key. To show its meaningfulness, we prove that the known-key attacks on block ciphers with ideal primitives to date violate security under known-key indifferentiability. On the other hand, to demonstrate its constructiveness, we prove the balanced Feistel cipher with random functions and the multiple Even-Mansour cipher with random permutations known-key indifferentiable for a sufficient number of rounds. We note that known-key indifferentiability is more quickly and tightly attained by multiple Even-Mansour, which puts it forward as a construction provably secure against known-key attacks.
Verifiable Random Permutations
2006
Abstract
Pseudorandom Functions (PRFs), introduced by Goldreich, Goldwasser and Micali [9], allow one to efficiently simulate the computation of a function which is indistinguishable from a truly random function. A seemingly stronger primitive is that of a (strong) pseudorandom permutation (PRP) [13], which allows one to efficiently simulate a truly random permutation (and its inverse). The celebrated result of Luby and Rackoff [13] shows that these primitives are, in fact, equivalent: four rounds of the Feistel transform are necessary and sufficient to turn a PRF into a (strong) PRP.