Building a collision-resistant compression function from non-compressing primitives. In ICALP 2008, Part II, 2008.
Cited by 18 (4 self)
Abstract. We consider how to build an efficient compression function from a small number of random, non-compressing primitives. Our main goal is to achieve a level of collision resistance as close as possible to the optimal birthday bound. We present a 2n-to-n bit compression function based on three independent n-to-n bit random functions, each called only once. We show that if the three random functions are treated as black boxes then finding collisions requires Θ(2^{n/2}/n^c) queries for c ≈ 1. This result remains valid if two of the three random functions are replaced by a fixed-key ideal cipher in Davies-Meyer mode (i.e., E_K(x) ⊕ x for permutation E_K). We also give a heuristic, backed by experimental results, suggesting that the security loss is at most four bits for block sizes up to 256 bits. We believe this is the best result to date on the matter of building a collision-resistant compression function from non-compressing functions. It also relates to an open question from Black et al. (Eurocrypt'05), who showed that compression functions that invoke a single non-compressing random function cannot suffice. We also explore the relationship of our problem with that of doubling the output of a hash function, and we show how our compression function can be used to double the output length of ideal hashes.
A new mode of operation for block ciphers and length-preserving MACs. Lecture Notes in Computer Science, 2008.
Cited by 6 (2 self)
Abstract. We propose a new mode of operation, enciphered CBC, for domain extension of length-preserving functions (like block ciphers), which is a variation on the popular CBC mode of operation. Our new mode is twice as slow as CBC, but has many (property-preserving) properties not enjoyed by CBC and other known modes. Most notably, it yields the first constant-rate Variable Input Length (VIL) MAC from any length-preserving Fixed Input Length (FIL) MAC. This answers the question of Dodis and Puniya from Eurocrypt 2007. Further, our mode is a secure domain extender for PRFs (with basically the same security as encrypted CBC). This provides a hedge against the security of the block cipher: if the block cipher is pseudorandom, one gets a VIL-PRF, while if it is "only" unpredictable, one "at least" gets a VIL-MAC. Additionally, our mode yields a VIL random oracle (and, hence, a collision-resistant hash function) when instantiated with length-preserving random functions, or even random permutations (which can be queried from both sides). This means that one does not have to re-key the block cipher during the computation, which was critically used in most previous constructions (analyzed in the ideal cipher model).
Domain Extension for MACs Beyond the Birthday Barrier. Eurocrypt 2011. Full version of this paper available at http://people.csail.mit.edu/dodis/ps/optimalmac.pdf
Cited by 6 (0 self)
Given an n-bit to n-bit MAC (e.g., a fixed-key block cipher) with MAC security ε against q queries, we design a variable-length MAC achieving MAC security O(εq·poly(n)) against queries of total length qn. In particular, our construction is the first to break the "birthday barrier" for MAC domain extension from non-compressing primitives, since our security bound is meaningful even for q = 2^n/poly(n) (assuming ε is the best possible O(1/2^n)). In contrast, the previous best construction for MAC domain extension for n-bit to n-bit primitives, due to Dodis and Steinberger [13], achieved MAC security of O(εq^2 (log q)^2), which means that q cannot cross the "birthday bound" of 2^{n/2}.
A Modular Design for Hash Functions: Towards Making the Mix-Compress-Mix Approach Practical, 2009.
Cited by 3 (1 self)
The design of cryptographic hash functions is a very complex and failure-prone process. For this reason, this paper puts forward a completely modular and fault-tolerant approach to the construction of a full-fledged hash function from an underlying simpler hash function H and a further primitive F (such as a block cipher), with the property that collision resistance of the construction relies only on H, whereas indifferentiability from a random oracle follows from F being ideal. In particular, the failure of one of the two components must not affect the security property implied by the other component. The Mix-Compress-Mix (MCM) approach by Ristenpart and Shrimpton (ASIACRYPT 2007) envelops the hash function H between two injective mixing steps, and can be interpreted as a first attempt at such a design. However, the proposed instantiation of the mixing steps, based on block ciphers, makes the resulting hash function impractical: first, it cannot be evaluated online, and second, it produces larger hash values than H, while only inheriting the collision-resistance guarantees for the shorter output. Additionally, it relies on a trapdoor one-way permutation, which seriously compromises the use of the resulting hash function for random oracle instantiation in certain scenarios. This paper presents the first efficient modular hash function with online evaluation and short output length. The core of our approach is a set of novel block-cipher based designs for the mixing steps of the MCM approach which rely on significantly weaker assumptions: the first mixing step is realized without any computational assumptions (besides the underlying cipher being ideal), whereas the second mixing step only requires a one-way permutation without a trapdoor, which we prove to be the minimal assumption for the construction of injective random oracles.
Revisiting the Indifferentiability of PGV Hash Functions, 2009.
Cited by 3 (1 self)
In this paper, we first point out some flaws in the existing indifferentiability simulations of the pfMD and NMAC constructions, and provide new differentiability attacks on hash functions based on these schemes. After that, the indifferentiability of the 20 collision-resistant PGV hash functions, padded under the pfMD, NMAC/HMAC and chopMD constructions, is reconsidered. Moreover, we show that among the 16 PGV schemes proven indifferentiable under pfMD by Chang et al., 4 are in fact differentiable from a random oracle. Finally, new indifferentiability simulations are provided for the 20 collision-resistant PGV schemes. The simulations show that the 20 collision-resistant PGV hash functions, when implemented with NMAC/HMAC or chopMD, are indifferentiable from a random oracle. Our result implies that the same compression functions under different MD variants may have the same security bound with respect to collision resistance, but behave quite differently from the point of view of indifferentiability.
Indifferentiability Results and Proofs for Some Popular Cryptographic Constructions, 2014.
The notion of indifferentiability, which is a stronger version of the classic notion of indistinguishability, was introduced by Maurer et al. in [MRH03]. Indifferentiability, among other things, gives us a way of "securely replacing" a random oracle of one type by a random oracle of a different type. Most indifferentiability proofs in the literature are very complicated, which makes them difficult to verify and, in some cases, has even resulted in them being erroneous [CPS08]. In this paper, we use a simple yet rigorous proof technique for proving indifferentiability theorems. This technique is a generalization of the indistinguishability proof technique used by Bernstein in [Ber05] to prove the security of the Cipher Block Chaining (CBC) construction. We use this technique to prove the indifferentiability result for a very simple construction which processes just two blocks of input. This construction can be viewed as bearing close resemblance to the so-called Sponge construction [BDPVA11a], on which the winner of the SHA-3 competition [BDPVA11b] is based. Also, as a warm-up, we prove the indistinguishability result for this construction using the coupling argument from probability theory. We also prove the non-indifferentiability result for the CBC construction and some of its standard variants, and survey the indifferentiability and non-indifferentiability results for the Merkle-Damgård (MD) construction, some of its standard variants, and the Feistel construction, from the literature.
Various Security Analyses of a pf-CM-MD Hash Domain Extension and Applications based on the Extension
Abstract. We propose a new hash domain extension, prefix-free Counter-Masking-MD (pf-CM-MD). Among the security notions for hash functions, we focus on the indifferentiability notion, by which we can check whether the structure of a given hash function has any weakness. Next, we consider the security of HMAC, two new PRF constructions, the NIST SP 800-56A key derivation function, and the randomized hashing of NIST SP 800-106, all of them based on pf-CM-MD. In particular, due to the counter in pf-CM-MD, the construction is secure against all generic second-preimage attacks such as the Kelsey-Schneier attack [20] and the attack of Elena et al. [1]. Our proof technique and most of our notation follow those in [6, 3, 4].
A New Design for Low-Depth Compression Functions from Length-Preserving Public Random Functions, 2009.
A public random function R: {0,1}^m → {0,1}^n is a function chosen uniformly at random from the set of all m-bit to n-bit functions, and is accessible by every party, including the adversary. It is a typical model in the design of hash functions. In this paper we investigate compression functions constructed from length-preserving public random functions (m = n), and we aim to achieve optimal collision resistance and preimage resistance while maintaining low depth, i.e., minimizing the number of random functions connected in series. In particular, we present a 2n-bit to n-bit compression function that consists of two layers and makes a total of 3t calls to the underlying public random functions. For t ≥ 2, the construction has optimal collision resistance and a preimage resistance of Θ(2^{((t+1)/(t+2))·n}) queries against non-adaptive adversaries. We also conjecture the same preimage resistance for adaptive adversaries.
Efficient Pseudorandom Functions via OntheFly Adaptation
Abstract. Pseudorandom functions (PRFs) are one of the most fundamental building blocks in cryptography, with numerous applications such as message authentication codes and private-key encryption. In this work, we propose a new framework to construct PRFs, with the overall goal of building efficient PRFs from standard assumptions with an almost tight proof of security. The main idea of our framework is to start from a PRF for any small domain (i.e., a poly-sized domain) and turn it into an ℓ-bounded pseudorandom function, i.e., a PRF whose outputs are pseudorandom for the first ℓ distinct queries to F. In the second step, we apply a novel technique, which we call on-the-fly adaptation, that turns any bounded PRF into a fully-fledged (large-domain) PRF. Both steps of our framework have a tight security reduction, meaning that any successful attacker can be turned into an efficient algorithm for the underlying hard computational problem without any significant increase in running time or loss of success probability. Instantiating our framework with specific number-theoretic assumptions, we construct a PRF based on k-LIN (and thus DDH) that is faster than all known constructions, reduces almost tightly to the underlying problem, and has shorter keys. Instantiating our framework with general assumptions, we construct a PRF with very flat circuits whose security tightly reduces to the security of some small-domain PRF.