Results 1  10
of
13
Constructing cryptographic hash functions from fixedkey blockciphers. Full version of this paper
, 2008
"... Abstract. We propose a family of compression functions built from fixedkey blockciphers and investigate their collision and preimage security in the idealcipher model. The constructions have security approaching and in many cases equaling the security upper bounds found in previous work of the aut ..."
Abstract

Cited by 18 (5 self)
 Add to MetaCart
Abstract. We propose a family of compression functions built from fixedkey blockciphers and investigate their collision and preimage security in the idealcipher model. The constructions have security approaching and in many cases equaling the security upper bounds found in previous work of the authors [24]. In particular, we describe a 2nbit to nbit compression function using three nbit permutation calls that has collision security N 0.5,whereN =2 n, and we describe 3nbit to 2nbit compression functions using five and six permutation calls and having collision security of at least N 0.55 and N 0.63. Key words: blockcipherbased hashing, collisionresistant hashing, compression functions, cryptographic hash functions, idealcipher model. 1
A new mode of operation for block ciphers and lengthpreserving MACs
 of Lecture Notes in Computer Science
, 2008
"... Abstract. We propose a new mode of operation, enciphered CBC, for domain extension of lengthpreserving functions (like block ciphers), which is a variation on the popular CBC mode of operation. Our new mode is twice slower than CBC, but has many (propertypreserving) properties not enjoyed by CBC a ..."
Abstract

Cited by 5 (2 self)
 Add to MetaCart
Abstract. We propose a new mode of operation, enciphered CBC, for domain extension of lengthpreserving functions (like block ciphers), which is a variation on the popular CBC mode of operation. Our new mode is twice slower than CBC, but has many (propertypreserving) properties not enjoyed by CBC and other known modes. Most notably, it yields the first constantrate Variable Input Length (VIL) MAC from any length preserving Fixed Input Length (FIL) MAC. This answers the question of Dodis and Puniya from Eurocrypt 2007. Further, our mode is a secure domain extender for PRFs (with basically the same security as encrypted CBC). This provides a hedge against the security of the block cipher: if the block cipher is pseudorandom, one gets a VILPRF, while if it is “only ” unpredictable, one “at least ” gets a VILMAC. Additionally, our mode yields a VIL random oracle (and, hence, a collisionresistant hash function) when instantiated with lengthpreserving random functions, or even random permutations (which can be queried from both sides). This means that one does not have to rekey the block cipher during the computation, which was critically used in most previous constructions (analyzed in the ideal cipher model). 1
The collision security of TandemDM in the ideal cipher model
"... Abstract. We prove that TandemDM, one of the two “classical ” schemes for turning a blockcipher of 2nbit key into a double block length hash function, has birthdaytype collision resistance in the ideal cipher model. A collision resistance analysis for TandemDM achieving a similar birthdaytype b ..."
Abstract

Cited by 5 (1 self)
 Add to MetaCart
Abstract. We prove that TandemDM, one of the two “classical ” schemes for turning a blockcipher of 2nbit key into a double block length hash function, has birthdaytype collision resistance in the ideal cipher model. A collision resistance analysis for TandemDM achieving a similar birthdaytype bound was already proposed by Fleischmann, Gorski and Lucks at FSE 2009 [3]. As we detail, however, the latter analysis is wrong, thus leaving the collision resistance of TandemDM as an open problem until now. 1
A Modular Design for Hash Functions: Towards Making the MixCompressMix Approach Practical
, 2009
"... The design of cryptographic hash functions is a very complex and failureprone process. For this reason, this paper puts forward a completely modular and faulttolerant approach to the construction of a fullfledged hash function from an underlying simpler hash function H and a further primitive F ..."
Abstract

Cited by 2 (0 self)
 Add to MetaCart
The design of cryptographic hash functions is a very complex and failureprone process. For this reason, this paper puts forward a completely modular and faulttolerant approach to the construction of a fullfledged hash function from an underlying simpler hash function H and a further primitive F (such as a block cipher), with the property that collision resistance of the construction only relies on H, whereas indifferentiability from a random oracle follows from F being ideal. In particular, the failure of one of the two components must not affect the security property implied by the other component. The MixCompressMix (MCM) approach by Ristenpart and Shrimpton (ASIACRYPT 2007) envelops the hash function H between two injective mixing steps, and can be interpreted as a first attempt at such a design. However, the proposed instantiation of the mixing steps, based on block ciphers, makes the resulting hash function impractical: First, it cannot be evaluated online, and second, it produces larger hash values than H, while only inheriting the collisionresistance guarantees for the shorter output. Additionally, it relies on a trapdoor oneway permutation, which seriously compromises the use of the resulting hash function for random oracle instantiation in certain scenarios. This paper presents the first efficient modular hash function with online evaluation and short output length. The core of our approach are novel blockcipher based designs for the mixing steps of the MCM approach which rely on significantly weaker assumptions: The first mixing step is realized without any computational assumptions (besides the underlying cipher being ideal), whereas the second mixing step only requires a oneway permutation without a trapdoor, which we prove to be the minimal assumption for the construction of injective random oracles.
Stam’s collision resistance conjecture
 In: EUROCRYPT 2010. LNCS
, 2010
"... Abstract. At CRYPTO 2008 Stam [7] made the following conjecture: if an m + sbit to sbit compression function F makes r calls to a primitive f of nbit input, then a collision for F can be obtained (with high probability) using r2 (nr−m)/(r+1) queries to f. For example, a 2nbit to nbit compressio ..."
Abstract

Cited by 2 (1 self)
 Add to MetaCart
Abstract. At CRYPTO 2008 Stam [7] made the following conjecture: if an m + sbit to sbit compression function F makes r calls to a primitive f of nbit input, then a collision for F can be obtained (with high probability) using r2 (nr−m)/(r+1) queries to f. For example, a 2nbit to nbit compression function making two calls to a random function of nbit input cannot have collision security exceeding 2 n/3. We prove this conjecture up to a constant multiplicative factor and under the condition m ′: = (2m − n(r − 1))/(r + 1) ≥ log 2 (17). This covers nearly all cases r = 1 of the conjecture and the aforementioned example of a 2nbit to nbit compression function making two calls to a primitive of nbit input. 1
The preimage security of doubleblocklength compression functions. Cryptology ePrint Archive, Report 2011/210, 2011. http: //eprint.iacr.org
 16 Gatan Leurent, Charles Bouillaguet, and PierreAlain Fouque. SIMD Is a Message Digest
"... Abstract. We give improved bounds on the preimage security of the three “classical ” doubleblocklength, doublecall, blockcipherbased compression functions, these being AbreastDM, TandemDM and Hirose’s scheme. For Hirose’s scheme, we show that an adversary must make at least 2 2n−5 blockcipher q ..."
Abstract

Cited by 2 (1 self)
 Add to MetaCart
Abstract. We give improved bounds on the preimage security of the three “classical ” doubleblocklength, doublecall, blockcipherbased compression functions, these being AbreastDM, TandemDM and Hirose’s scheme. For Hirose’s scheme, we show that an adversary must make at least 2 2n−5 blockcipher queries to achieve chance 0.5 of inverting a randomly chosen point in the range. For AbreastDM and TandemDM we show that at least 2 2n−10 queries are necessary. These bounds improve upon the previous best bounds of Ω(2 n) queries, and are optimal up to a constant factor since the compression functions in question have range of size 2 2n. 1
Domain Extension for MACs Beyond the Birthday Barrier. Eurocrypt 2011. Full version of this paper available at http://people.csail.mit.edu/dodis/ps/optimalmac.pdf
"... Given an nbit to nbit MAC (e.g., a fixed key blockcipher) with MAC security ε against q queries, we design a variablelength MAC achieving MAC security O(εqpoly(n)) against queries of total length qn. In particular, our construction is the first to break the “birthday barrier ” for MAC domain exte ..."
Abstract

Cited by 1 (0 self)
 Add to MetaCart
Given an nbit to nbit MAC (e.g., a fixed key blockcipher) with MAC security ε against q queries, we design a variablelength MAC achieving MAC security O(εqpoly(n)) against queries of total length qn. In particular, our construction is the first to break the “birthday barrier ” for MAC domain extension from noncompressing primitives, since our security bound is meaningful even for q = 2 n /poly(n) (assuming ε is the best possible O(1/2 n)). In contrast, the previous best construction for MAC domain extension for nbit to nbit primitives, due to Dodis and Steinberger [13], achieved MAC security of O(εq 2 (log q) 2), which means that q cannot cross the “birthday bound ” of 2 n/2.
UCL Crypto Group, Université catholique de Louvain, Belgium.
"... Abstract. The pervasive diffusion of electronic devices in security and privacy sensitive applications has boosted research in cryptography. In this context, the study of lightweight algorithms has been a very active direction over the last years. In general, symmetric cryptographic primitives are g ..."
Abstract
 Add to MetaCart
Abstract. The pervasive diffusion of electronic devices in security and privacy sensitive applications has boosted research in cryptography. In this context, the study of lightweight algorithms has been a very active direction over the last years. In general, symmetric cryptographic primitives are good candidates for lowcost implementations. For example, several previous works have investigated the performances of block ciphers on various platforms. Motivated by the recent SHA3 competition, this paper extends these studies to another family of cryptographic primitives, namely hash functions. We implemented different algorithms on an ATMEL AVR ATtiny45 8bit microcontroller, and provide their performance evaluation using different figures. All the implementations were carried out with the goal of minimizing the code size and memory utilization, and evaluated using a common interface. As part of our contribution, we additionally decided to make all the corresponding source codes available on a web page, under an opensource license. We hope that this paper provides a good basis for researchers and embedded system designers who need to include more and more functionalities in next generation smart devices. 1
Stam’s Conjecture and Threshold Phenomena in Collision Resistance
"... Abstract. At CRYPTO 2008 Stam [8] conjectured that if an (m+s)bit to sbit compression function F makes r calls to a primitive f of nbit input, then a collision for F can be obtained (with high probability) using r2 (nr−m)/(r+1) queries to f, which is sometimes less than the birthday bound. Steinb ..."
Abstract
 Add to MetaCart
Abstract. At CRYPTO 2008 Stam [8] conjectured that if an (m+s)bit to sbit compression function F makes r calls to a primitive f of nbit input, then a collision for F can be obtained (with high probability) using r2 (nr−m)/(r+1) queries to f, which is sometimes less than the birthday bound. Steinberger [9] proved Stam’s conjecture up to a constant multiplicative factor for most cases in which r = 1 and for certain other cases that reduce to the case r = 1. In this paper we prove the general case of Stam’s conjecture (also up to a constant multiplicative factor). Our result is qualitatively different from Steinberger’s, moreover, as we show the following novel threshold phenomenon: that exponentially many (more exactly, 2 s−2(m−n)/(r+1)) collisions are obtained with high probability after O(1)r2 (nr−m)/(r+1) queries. This in particular shows that threshold phenomena observed in practical compression functions such as JH are, in fact, unavoidable for compression functions with those parameters. (This is the full version of the sametitled article that appeared at CRYPTO ’12.) 1
Compression Function Design Principles Supporting Variable Output Lengths from a Single Small Function ⋆
"... Abstract. In this paper, we introduce new compression function design principles supporting variable output lengths (multiples of size n). They are based on a function or block cipher with an nbit output size. In the case of the compression function with a (t + 1)nbit output size, in the random or ..."
Abstract
 Add to MetaCart
Abstract. In this paper, we introduce new compression function design principles supporting variable output lengths (multiples of size n). They are based on a function or block cipher with an nbit output size. In the case of the compression function with a (t + 1)nbit output size, in the random oracle and ideal cipher models, their maximum advantages from the perspective of collision resistance are O ( t2 q 2 tn + q2 2 (t+1)n). In the case of t = 1, the advantage is nearoptimal. In the case of t> 1, the advantage is optimal.