G.V.: On the Indifferentiability of the Sponge Construction. In: Advances in Cryptology – Eurocrypt, 2008
Cited by 55 (4 self)
Abstract. In this paper we prove that the sponge construction introduced in [4] is indifferentiable from a random oracle when used with a random transformation or a random permutation, and discuss its implications. To our knowledge, this is the first time indifferentiability has been shown for a construction calling a random permutation (instead of an ideal compression function or ideal block cipher) and for a construction generating outputs of any length (instead of a fixed length).
Building a collision-resistant compression function from non-compressing primitives. In ICALP 2008, Part II, 2008
Cited by 17 (3 self)
Abstract. We consider how to build an efficient compression function from a small number of random, non-compressing primitives. Our main goal is to achieve a level of collision resistance as close as possible to the optimal birthday bound. We present a 2n-to-n bit compression function based on three independent n-to-n bit random functions, each called only once. We show that if the three random functions are treated as black boxes then finding collisions requires $\Theta(2^{n/2}/n^c)$ queries for $c \approx 1$. This result remains valid if two of the three random functions are replaced by a fixed-key ideal cipher in Davies-Meyer mode (i.e., $E_K(x) \oplus x$ for permutation $E_K$). We also give a heuristic, backed by experimental results, suggesting that the security loss is at most four bits for block sizes up to 256 bits. We believe this is the best result to date on the matter of building a collision-resistant compression function from non-compressing functions. It also relates to an open question from Black et al. (Eurocrypt’05), who showed that compression functions that invoke a single non-compressing random function cannot suffice. We also explore the relationship of our problem with that of doubling the output of a hash function and we show how our compression function can be used to double the output length of ideal hashes.
How to Build a Hash Function from any Collision-Resistant Function, 2007
Cited by 12 (3 self)
Recent collision-finding attacks against hash functions such as MD5 and SHA-1 motivate the use of provably collision-resistant (CR) functions in their place. Finding a collision in a provably CR function implies the ability to solve some hard problem (e.g., factoring). Unfortunately, existing provably CR functions make poor replacements for hash functions as they fail to deliver behaviors demanded by practical use. In particular, they are easily distinguished from a random oracle. We initiate an investigation into building hash functions from provably CR functions. As a method for achieving this, we present the Mix-Compress-Mix (MCM) construction; it envelopes any provably CR function H (with suitable regularity properties) between two injective “mixing” stages. The MCM construction simultaneously enjoys (1) provable collision-resistance in the standard model, and (2) indifferentiability from a monolithic random oracle when the mixing stages themselves are indifferentiable from a random oracle that observes injectivity. We instantiate our new design approach by specifying a block-cipher-based construction that
Improved indifferentiability security analysis of chopMD hash function. Fast Software Encryption, Lecture Notes in Computer Science, 2008
Cited by 11 (1 self)
Abstract. The classical design principle Merkle-Damgård [13, 6] is scrutinized in many ways, such as Joux’s multicollision attack, the Kelsey-Schneier second preimage attack, etc. In TCC’04, Maurer et al. introduced a strong security notion called “indifferentiability” for a hash function based on a compression function. The classical design principle is also insecure against this strong security notion, whereas chopMD hash is secure with the security bound roughly $\sigma^2/2^s$, where $s$ is the number of chopped bits and $\sigma$ is the total number of message blocks queried by a distinguisher. In case of $n = 2s$, where $n$ is the output size of a compression function, the value $\sigma$ to get a significant bound is $2^{s/2}$, which is the birthday complexity, where the hash output size is $s$ bits. In this paper, we present an improved security bound for chopMD. The improved bound shown in this paper is $(3(n-s)+1)q/2^s + q/2^{n-s-1} + \sigma^2/2^{n+1}$, where $q$ is the total number of queries. In case of $n = 2s$, chopMD is indifferentiably secure if $q = O(2^s/(3s+1))$ and $\sigma = O(2^{n/2})$, which are beyond the birthday complexity. We also present a design principle for an $n$-bit hash function based on a compression function $f: \{0,1\}^{2n+b} \to \{0,1\}^n$ and show that the indifferentiability security bound for this hash function is roughly $(3n+1)\sigma/2^n$. So, the new design of hash function is second-preimage and $r$-multicollision secure as long as the query complexity (the number of message blocks queried) of an attacker is less than $2^n/(3n+1)$ or $2^{n(r-1)/r}$, respectively.
Domain extension of public random functions: Beyond the birthday barrier. In Advances in Cryptology – CRYPTO ’07 (2007), Lecture Notes in Computer Science, 2007
Cited by 9 (2 self)
Combined with the iterated constructions of Coron et al., our result leads to the first iterated construction of a hash function $\{0,1\}^* \to \{0,1\}^n$ from a component function $\{0,1\}^n \to \{0,1\}^n$ that withstands all recently proposed generic attacks against iterated hash functions, like Joux's multicollision attack, Kelsey and Schneier's second-preimage attack, and Kelsey and Kohno's herding attacks.

1 Introduction. 1.1 Secret vs. Public Random Functions. Primitives that provide some form of randomness are of central importance in cryptography, both as a primitive assumed to be given (e.g. a secret key), and as a primitive constructed from a weaker one to "behave like" a certain ideal random primitive (e.g. a random function), according to some security notion.
Indifferentiability of Permutation-Based Compression Functions and Tree-Based Modes of Operation, with Applications to MD6
A Synthetic Indifferentiability Analysis of Some Block-Cipher-Based Hash Functions, 2007
Cited by 5 (2 self)
At ASIACRYPT’06, Chang et al. analyzed the indifferentiability of some popular hash functions based on block ciphers, namely the twenty collision-resistant PGV, the MDC-2 and the PBGV hash functions, etc. In particular, two indifferentiable attacks were presented on four of the twenty collision-resistant PGV and the PBGV hash functions with the prefix-free padding. In this article, a synthetic indifferentiability analysis of some block-cipher-based hash functions is considered. First, a more precise definition is proposed for the indifferentiability adversary in block-cipher-based hash functions. Next, the advantage of indifferentiability is extended by considering whether the hash function is keyed or not. Finally, a limitation is observed in Chang et al.’s indifferentiable attacks on the four PGV and the PBGV hash functions. The formal proofs show that those hash functions are indifferentiable from a random oracle in the ideal cipher model with the prefix-free padding, the NMAC/HMAC and the chop construction.
Revisiting the Indifferentiability of PGV Hash Functions, 2009
Cited by 3 (1 self)
In this paper, first we point out some flaws in the existing indifferentiability simulations of the pfMD and the NMAC constructions, and provide new differentiable attacks on the hash functions based on these schemes. After that, the indifferentiability of the 20 collision-resistant PGV hash functions, which are padded under the pfMD, the NMAC/HMAC and the chopMD constructions, is reconsidered. Moreover, we disclose that there exist 4 PGV schemes that can be differentiable from a random oracle with the pfMD among the 16 indifferentiable PGV schemes proven by Chang et al. Finally, new indifferentiability simulations are provided for the 20 collision-resistant PGV schemes. The simulations show that the 20 collision-resistant PGV hash functions, when implemented with the NMAC/HMAC and the chopMD, are indifferentiable from a random oracle. Our result implies that the same compression functions under MD variants might have the same security bound with respect to collision resistance, but quite different ones in the view of indifferentiability.
Security Analysis and Comparison of the SHA-3 Finalists
Cited by 1 (1 self)
Abstract. In 2007, the US National Institute for Standards and Technology announced a call for the design of a new cryptographic hash algorithm in response to the vulnerabilities identified in widely employed hash functions, such as MD5 and SHA-1. NIST received many submissions, 51 of which got accepted to the first round. At present, 5 candidates are left in the third round of the competition. An important criterion in the selection process is the SHA-3 hash function security and, more concretely, the possible reductions of the hash function security to the security of its underlying building blocks. At NIST’s second SHA-3 Candidate Conference 2010, Andreeva et al. provided a provable security classification of the second round SHA-3 candidates in the ideal model. In this work, we revisit this classification for the five SHA-3 finalists. We evaluate recent provable security results on the candidates, and resolve remaining open problems for Grøstl, JH, and Skein.
Mix-Compress-Mix Revisited: Dispensing with Non-invertible Random Injection Oracles
Abstract. We revisit the problem of building dual-model secure (DMS) hash functions that are simultaneously provably collision resistant (CR) in the standard model and provably pseudorandom oracle (PRO) in an idealized model. Designing a DMS hash function was first investigated by Ristenpart and Shrimpton (ASIACRYPT 2007); they put forth a generic approach, called Mix-Compress-Mix (MCM), and showed the feasibility of the MCM approach with a secure (but inefficient) construction. An improved construction was later presented by Lehmann and Tessaro (ASIACRYPT 2009). The proposed construction by Ristenpart and Shrimpton requires a non-invertible (pseudo) random injection oracle (PRIO) and the Lehmann-Tessaro construction requires a non-invertible random permutation oracle (NIRP). Despite showing the feasibility of realizing PRIO and NIRP objects in theory, using ideal ciphers and (trapdoor) one-way permutations, these constructions suffer from several efficiency and implementation issues as pointed out by their designers and briefly reviewed in this paper. In contrast to the previous constructions, we show that constructing a DMS hash function does not require any PRIO or NIRP, and hence there is no need for additional (trapdoor) one-way permutations. In fact, Ristenpart and Shrimpton posed the question of whether MCM is secure under easy-to-invert mixing steps as an open problem in their paper. We resolve this question in the affirmative in the fixed-input-length (FIL) hash setting. More precisely, we show that one can sandwich a provably CR function, which is sufficiently compressing, between two random