Some Plausible Constructions of Double-Block-Length Hash Functions
FSE’06, LNCS 4047, 2006
Cited by 35 (0 self)
Abstract. In this article, it is discussed how to construct a compression function with 2n-bit output using a component function with n-bit output. The component function is either a smaller compression function or a block cipher. Some constructions are presented which compose collision-resistant hash functions: Any collision-finding attack on them is at most as efficient as a birthday attack in the random oracle model or in the ideal cipher model. A new security notion is also introduced, which we call indistinguishability in the iteration, with a construction satisfying the notion.
Constructing cryptographic hash functions from fixed-key blockciphers. Full version of this paper
2008
Cited by 18 (5 self)
Abstract. We propose a family of compression functions built from fixed-key blockciphers and investigate their collision and preimage security in the ideal-cipher model. The constructions have security approaching and in many cases equaling the security upper bounds found in previous work of the authors [24]. In particular, we describe a 2n-bit to n-bit compression function using three n-bit permutation calls that has collision security $N^{0.5}$, where $N = 2^n$, and we describe 3n-bit to 2n-bit compression functions using five and six permutation calls and having collision security of at least $N^{0.55}$ and $N^{0.63}$. Key words: blockcipher-based hashing, collision-resistant hashing, compression functions, cryptographic hash functions, ideal-cipher model.
Security of Cyclic Double Block Length Hash Functions including Abreast-DM
Cited by 9 (2 self)
Abstract. We provide the first proof of security for Abreast-DM, one of the oldest and most well-known constructions for turning a block cipher with n-bit block length and 2n-bit key length into a 2n-bit cryptographic hash function. In particular, we prove that when Abreast-DM is instantiated with AES-256, i.e. a block cipher with 128-bit block length and 256-bit key length, any adversary that asks less than $2^{124.42}$ queries cannot find a collision with success probability greater than 1/2. Surprisingly, this about 15 years old construction is one of the few constructions that have the desirable feature of a near-optimal collision resistance guarantee. We generalize our techniques used in the proof of Abreast-DM to a huge class of double block length (DBL) hash functions that we will call cyclic. Using this generalized theorem we are able to derive several DBL constructions that lead to compression functions that even have a higher security guarantee and are more efficient than Abreast-DM. Furthermore we give DBL constructions that have the highest security guarantee of all DBL compression functions currently known in literature. We also provide an analysis of preimage resistance for cyclic compression functions. Note that this work has been already presented at Dagstuhl ’09.
Multicollision Attacks on a Class of Hash Functions
IACR PREPRINT ARCHIVE, 2005
Cited by 6 (0 self)
In a recent paper, A. Joux [7] showed multicollision attacks on the classical iterated hash function. (A multicollision is a set of inputs whose hash values are the same.) He also showed how the multicollision attacks can be used to get a collision attack on the concatenated hash function. In this paper, we first try to fix the attack by introducing a natural and wide class of hash functions. However, we show that the multicollision attacks also exist in this general class. Thus, we rule out a natural and a wide class of hash functions as candidates for multicollision secure hash functions.
The security of Abreast-DM in the ideal cipher model
Cited by 6 (3 self)
Abstract. In this paper, we give a security proof for Abreast-DM in terms of collision resistance and preimage resistance. As old as Tandem-DM, the compression function Abreast-DM is one of the most well-known constructions for double block length compression functions. The bounds on the number of queries for collision resistance and preimage resistance are given by $O(2^n)$. Based on a novel technique using query-response cycles, our security proof is simpler than those for MDC-2 and Tandem-DM. We also present a wide class of Abreast-DM variants that enjoy a birthday-type security guarantee with a simple proof.
On the Security of Tandem-DM
Cited by 6 (2 self)
Abstract. We provide the first proof of security for Tandem-DM, one of the oldest and most well-known constructions for turning a blockcipher with n-bit blocklength and 2n-bit keylength into a 2n-bit cryptographic hash function. We prove, that when Tandem-DM is instantiated with AES-256, i.e. blocklength 128 bits and keylength 256 bits, any adversary that asks less than $2^{120.4}$ queries cannot find a collision with success probability greater than 1/2. We also prove a bound for preimage resistance of Tandem-DM. Interestingly, as there is only one practical construction known (FSE’06, Hirose) turning such an (n,2n)-bit blockcipher into a 2n-bit compression function that has provably birthday-type collision resistance, Tandem-DM is one out of two structures that possess this desirable feature.
More Insights on Blockcipher-Based Hash Functions
Cited by 1 (0 self)
Abstract. In this paper we give more insights on the security of blockcipher-based hash functions. We give a very simple criterion to build a secure large class of Single-Block-Length (SBL) or double call Double-Block-Length (DBL) compression functions based on (kn, n) blockciphers, where kn is the key length and n is the block length and k is an integer. This criterion is simpler than previous works in the literature. Based on the criterion, we can get many results from this criterion, and we can get a conclusion on such class of blockcipher-based hash functions. We solved the open problem left by Hirose. Our results show that to build a secure double call DBL compression function, it is required $k \ge m + 1$ where m is the number of message blocks. Thus, we can only build rate 1/2 secure double DBL blockcipher-based compression functions if $k = 2$. At last, we pointed out flaws in Stam’s theorem about supercharged functions and gave a revision of this theorem and added another condition for the security of supercharged compression functions.
Attacks On a Double Length Blockcipher-based Hash Proposal
Abstract. In this paper we attack a 2n-bit double length hash function proposed by Lee et al. This proposal is a blockcipher-based hash function with hash rate 2/3. The designers claimed that it could achieve ideal collision resistance and gave a security proof. However, we find a collision attack with complexity of $\Omega(2^{3n/4})$ and a preimage attack with complexity of $\Omega(2^n)$. Our result shows this construction is much worse than an ideal 2n-bit hash function.