Results 11 - 19 of 19
Hash-and-Sign with Weak Hashing Made Secure
Abstract
Cited by 1 (0 self)
Abstract. Digital signatures are often proven to be secure in the random oracle model while hash functions deviate more and more from this idealization. Liskov proposed to model a weak hash function by a random oracle together with another oracle allowing to break some properties of the hash function, e.g. a preimage oracle. To avoid the need for collision-resistance, Bellare and Rogaway proposed to use target collision resistant (TCR) randomized prehashing. Later, Halevi and Krawczyk suggested to use enhanced TCR (eTCR) hashing to avoid signing the random seed. To avoid the increase in signature length in the TCR construction, Mironov suggested to recycle some signing coins in the message preprocessing. In this paper, we develop and apply all those techniques. In particular, we obtain a generic preprocessing which allows to build strongly secure signature schemes when hashing is weak and the internal (textbook) signature is weakly secure. We model weak hashing by a preimage-tractable random oracle.
Limits of Constructive Security Proofs, 2008
Abstract
Cited by 1 (0 self)
Abstract. The collision-resistance of hash functions is an important foundation of many cryptographic protocols. Formally, collision-resistance can only be expected if the hash function in fact constitutes a parametrized family of functions, since for a single function, the adversary could simply know a single hard-coded collision. In practical applications, however, unkeyed hash functions are a common choice, creating a gap between the practical application and the formal proof, and, even more importantly, the concise mathematical definitions. A pragmatic way out of this dilemma was recently formalized by Rogaway: instead of requiring that no adversary exists that breaks the protocol (existential security), one requires that given an adversary that breaks the protocol, we can efficiently construct a collision of the hash function using an explicitly given reduction (constructive security). In this paper, we show the limits of this approach: We give a protocol that is existentially secure, but that provably cannot be proven secure using a constructive security proof. Consequently, constructive security—albeit constituting a useful improvement over the state of the art—is not comprehensive enough to encompass all protocols that can be dealt with using existential security proofs.
Towards Securing Interdomain Routing on the Internet
Abstract
The Internet consists of multiple autonomous systems (ASes), each consisting of networks of devices that are prone to malfunction, misconfiguration, or attack by malicious parties, and each controlled by profit-seeking businesses with different economic goals. Despite these complex relationships, the interdomain routing system (that allows ASes to communicate over the global Internet) currently operates under the assumption that all nodes in the network can trust each other. The thesis contributes to the body of works that seeks to remedy this, by considering network protocols that operate correctly even in the presence of adversarial or selfish behavior. We take a principled approach to analyze the types of security guarantees that are possible within the engineering and economic constraints of the Internet's interdomain routing system. We focus exclusively on protocols that can be used to improve availability in the Internet, i.e., to increase the likelihood that packets arrive uncorrupted at their correct destination, and analyze two broad themes: 1. Which part of the system should be secured? 2. What is the right tradeoff between security and efficiency? To address these questions, we consider securing the following two parts of the system: the
structures to cryptography, 2009
Abstract
These doctoral studies were conducted under the supervision of Prof. Keith
What Hashes Make RSA-OAEP Secure?, 2007
Abstract
Firstly, we demonstrate a pathological hash function choice that makes RSA-OAEP insecure. This shows that at least some security property is necessary for the hash functions used in RSA-OAEP. Nevertheless, we conjecture that only some very minimal security properties of the hash functions are actually necessary for the security of RSA-OAEP. Secondly, we consider certain types of reductions that could be used to prove the OW-CPA (i.e., the bare minimum) security of RSA-OAEP. We apply meta-reductions that show that if such reductions existed, then RSA-OAEP would be OW-CCA2 insecure, or even worse, that the RSA problem would be solvable. Therefore, it seems unlikely that such reductions could exist. Indeed, no such reductions proving the OW-CCA2 security of RSA-OAEP exist.
Mix-Compress-Mix Revisited: Dispensing with Non-invertible Random Injection Oracles
Abstract
Abstract. We revisit the problem of building dual-model secure (DMS) hash functions that are simultaneously provably collision resistant (CR) in the standard model and provably pseudorandom oracle (PRO) in an idealized model. Designing a DMS hash function was first investigated by Ristenpart and Shrimpton (ASIACRYPT 2007); they put forth a generic approach, called Mix-Compress-Mix (MCM), and showed the feasibility of the MCM approach with a secure (but inefficient) construction. An improved construction was later presented by Lehmann and Tessaro (ASIACRYPT 2009). The proposed construction by Ristenpart and Shrimpton requires a non-invertible (pseudo) random injection oracle (PRIO) and the Lehmann-Tessaro construction requires a non-invertible random permutation oracle (NIRP). Despite showing the feasibility of realizing PRIO and NIRP objects in theory (using ideal ciphers and (trapdoor) one-way permutations), these constructions suffer from several efficiency and implementation issues as pointed out by their designers and briefly reviewed in this paper. In contrast to the previous constructions, we show that constructing a DMS hash function does not require any PRIO or NIRP, and hence there is no need for additional (trapdoor) one-way permutations. In fact, Ristenpart and Shrimpton posed the question of whether MCM is secure under easy-to-invert mixing steps as an open problem in their paper. We resolve this question in the affirmative in the fixed-input-length (FIL) hash setting. More precisely, we show that one can sandwich a provably CR function, which is sufficiently compressing, between two random
On the Indifferentiability of the Integrated-Key Hash Functions
Abstract
Most of today's popular hash functions are keyless, such that they accept variable-length messages and return fixed-length fingerprints. However, recent separation results reported several serious inherent weaknesses in these functions, motivating the design of hash functions in the keyed setting. The challenge in this case, however, is that on one hand, it is economically undesirable to abandon the already adopted (keyless) functions in favour of new (keyed) ones, and on the other hand, the process of converting a keyless function to a keyed one is, evidently, non-trivial. A solution to this dilemma is to adopt the "integrated-key" approach that creates keyed hash functions out of "unmodified" keyless primitives. In this paper, we adopt several integrated-key constructions and prove that they are indifferentiable from a random oracle, showing in detail how to develop indifferentiability proofs in the integrated-key setting. The presented indifferentiability proof is generic and can be applied to other hash functions constructed in this setting with sufficiently similar structures to the constructions in this paper.
Cryptographic Hash Functions: Recent Design Trends and Security Notions
Abstract
Recent years have witnessed an exceptional research interest in cryptographic hash functions, especially after the popular attacks against MD5 and SHA-1 in 2005. In 2007, the U.S. National Institute of Standards and Technology (NIST) also significantly boosted this interest by announcing a public competition to select the next hash function standard, to be named SHA-3. Not surprisingly, the hash function literature has since been growing at an extremely fast pace. In this paper, we provide a comprehensive, up-to-date discussion of the current state of the art of cryptographic hash function security and design. We first discuss the various hash function security properties and notions, then proceed to give an overview of how (and why) hash functions evolved over the years, giving rise to the current diverse hash function design approaches. A short version of this paper is in [1]. This version has been thoroughly extended, revised and updated. This