On the impossibility of efficiently combining collision resistant hash functions
In Proc. Crypto ’06, 2006
Abstract. Let H1, H2 be two hash functions. We wish to construct a new hash function H that is collision resistant if at least one of H1 or H2 is collision resistant. Concatenating the output of H1 and H2 clearly works, but at the cost of doubling the hash output size. We ask whether a better construction exists, namely, can we hedge our bets without doubling the size of the output? We take a step towards answering this question in the negative — we show that any secure construction that evaluates each hash function once cannot output fewer bits than simply concatenating the given functions.
Constructing an Ideal Hash Function from Weak Ideal Compression Functions
In Selected Areas in Cryptography, Lecture Notes in Computer Science, 2006
Abstract. We introduce the notion of a weak ideal compression function, which is vulnerable to strong forms of attack, but is otherwise random. We show that such weak ideal compression functions can be used to create secure hash functions, thereby giving a design that can be used to eliminate attacks caused by undesirable properties of compression functions. We prove that the construction we give, which we call the “zipper hash,” is ideal in the sense that the overall hash function is indistinguishable from a random oracle when implemented with these weak ideal building blocks. The zipper hash function is relatively simple, requiring two compression function evaluations per block of input, but it is not streamable. We also show how to create an ideal (strong) compression function from ideal weak compression functions, which can be used in the standard iterated way to make a streamable hash function. Keywords: Hash function, compression function, Merkle-Damgård, ideal primitives, non-streamable hash functions, zipper hash.
Domain extension of public random functions: Beyond the birthday barrier
In Advances in Cryptology – CRYPTO ’07, Lecture Notes in Computer Science, 2007
Combined with the iterated constructions of Coron et al., our result leads to the first iterated construction of a hash function {0,1}^* → {0,1}^n from a component function {0,1}^n → {0,1}^n that withstands all recently proposed generic attacks against iterated hash functions, like Joux's multicollision attack, Kelsey and Schneier's second-preimage attack, and Kelsey and Kohno's herding attacks.
1 Introduction
1.1 Secret vs. Public Random Functions
Primitives that provide some form of randomness are of central importance in cryptography, both as a primitive assumed to be given (e.g. a secret key), and as a primitive constructed from a weaker one to "behave like" a certain ideal random primitive (e.g. a random function), according to some security notion.
Herding, Second Preimage and Trojan Message Attacks Beyond Merkle-Damgård
Abstract. In this paper we present new attack techniques to analyze the structure of hash functions that are not based on the classical Merkle-Damgård construction. We extend the herding attack to concatenated hashes, and to certain hash functions that process each message block several times. Using this technique, we show a second preimage attack on the folklore “hash-twice” construction, which processes two concatenated copies of the message. We follow with showing how to apply the herding attack to tree hashes. Finally, we present a new type of attack — the trojan message attack, which allows for producing second preimages of unknown messages (from a small known space) when they are appended with a fixed suffix.
unknown title
Abstract. An r-collision for a function is a set of r distinct inputs with identical outputs. Actually finding r-collisions for a random map over a finite set of cardinality N requires at least about N^((r−1)/r) units of time on a sequential machine. For r = 2, memoryless and well-parallelisable algorithms are known. The current paper describes memory-efficient and parallelisable algorithms for r ≥ 3. The main results are: (1) A sequential algorithm for 3-collisions, roughly using memory N^α and time N^(1−α) for α ≤ 1/3. I.e., given N^(1/3) units of storage, one can find 3-collisions in time N^(2/3). Note that there is a time-memory tradeoff which allows one to reduce the memory consumption. (2) A parallelisation of this algorithm using N^(1/3) processors running in time N^(1/3). Each single processor only needs a constant amount of memory. (3) A generalisation of this second approach to r-collisions for r ≥ 3: given N^s parallel processors, one can generate r-collisions roughly in time N^(((r−1)/r)−s), using memory N^(((r−2)/r)−s) on every processor.
Herding, Second Preimage and Trojan Message Attacks Beyond Merkle-Damgård
Author manuscript, published in SAC, Calgary, Canada (2009), 2009
Indifferentiability Security of the Fast Wide Pipe Hash: Breaking the Birthday Barrier
A hash function secure in the indifferentiability framework (TCC 2004) is able to resist all meaningful generic attacks. Such hash functions also play a crucial role in establishing the security of protocols that use them as random functions. To eliminate multicollision-type attacks on the Merkle-Damgård mode (Crypto 1989), Lucks proposed widening the size of the internal state of hash functions. More specifically, he suggested that hash functions h: {0,1}^* → {0,1}^n use underlying primitives of the form C: {0,1}^a → {0,1}^2n (Asiacrypt 2005). The Fast Wide Pipe (FWP) hash mode was introduced by Nandi and Paul at Indocrypt 2010, as a faster variant of Lucks’ Wide Pipe mode. Despite the higher speed, the proven indifferentiability bound of the FWP mode has so far been only up to the birthday barrier of n/2 bits. The main result of this paper is the improvement of the FWP bound to 2n/3 bits (up to an additive constant). The 2n/3-bit bound for FWP comes with two important implications. Many popular hash modes use primitives with a = 2n, that is C: {0,1}^2n → {0,1}^2n. For this
Collisions on SHA-0 in one hour
Abstract. At Crypto 2007, Joux and Peyrin showed that the boomerang attack, a classical tool in block cipher cryptanalysis, can also be very useful when analyzing hash functions. They applied their new theoretical results to SHA-1 and provided new improvements for the cryptanalysis of this algorithm. In this paper, we concentrate on the case of SHA-0. First, we show that the previous perturbation vectors used in all known attacks are not optimal and we provide a new 2-block one. The problem of the possible existence of message modifications for this vector is tackled by the utilization of auxiliary differentials from the boomerang attack, which are relatively simple to use. Finally, we are able to produce the best collision attack against SHA-0 so far, with a measured complexity of 2^33.6 hash function calls. Finding one collision for SHA-0 takes us approximately one hour of computation on an average PC. Key words: hash functions, SHA-0, boomerang attack.
XSA-strengthening: Strengthening MD5 and Other Iterated Hash Functions Through Variable-length External Message Expansion
In recent years, it has been demonstrated that collisions can be systematically constructed for some popular cryptographic hash algorithms, such as MD5 and SHA-1. Various ways of enhancing these hash functions via message preprocessing or external message expansion have been proposed to make them resistant to known collision attacks. Message preprocessing/expansion is a way of creating a new hash function from an original one. It has the advantage of being backward-compatible with the original hash function, and therefore may extend the useful life of the original hash function. In this paper, we examine a novel approach to message preprocessing/expansion, which we call eXtreme-Shrinking ARC4 Strengthening (or XSA-strengthening). XSA-strengthening is based on the idea of the self-shrinking generator, the ARC4 cipher, and MD-strengthening, and can be applied to any Merkle-Damgård iterated hash function. XSA-strengthening is deterministic, has small space and computational overhead, and can be efficiently implemented. We believe that it can be a useful tool for strengthening Merkle-Damgård iterated hash functions.