Results 1  10
of
12
Cryptographic HashFunction Basics: Definitions, Implications, and Separations for Preimage Resistance, SecondPreimage Resistance, and Collision Resistance
, 2004
"... We consider basic notions of security for cryptographic hash functions: collision resistance, preimage resistance, and secondpreimage resistance. We give seven di#erent definitions that correspond to these three underlying ideas, and then we work out all of the implications and separations among ..."
Abstract

Cited by 73 (3 self)
 Add to MetaCart
We consider basic notions of security for cryptographic hash functions: collision resistance, preimage resistance, and secondpreimage resistance. We give seven di#erent definitions that correspond to these three underlying ideas, and then we work out all of the implications and separations among these seven definitions within the concretesecurity, provablesecurity framework.
Hash Functions in the DedicatedKey Setting: Design Choices and MPP Transforms
 In ICALP ’07, volume 4596 of LNCS
, 2007
"... In the dedicatedkey setting, one starts with a compression function f: {0, 1} k ×{0, 1} n+d → {0, 1} n and builds a family of hash functions H f: K × M → {0, 1} n indexed by a key space K. This is different from the more traditional design approach used to build hash functions such as MD5 or SHA1, ..."
Abstract

Cited by 13 (1 self)
 Add to MetaCart
In the dedicatedkey setting, one starts with a compression function f: {0, 1} k ×{0, 1} n+d → {0, 1} n and builds a family of hash functions H f: K × M → {0, 1} n indexed by a key space K. This is different from the more traditional design approach used to build hash functions such as MD5 or SHA1, in which compression functions and hash functions do not have dedicated key inputs. We explore the benefits and drawbacks of building hash functions in the dedicatedkey setting (as compared to the more traditional approach), highlighting several unique features of the former. Should one choose to build hash functions in the dedicatedkey setting, we suggest utilizing multipropertypreserving (MPP) domain extension transforms. We analyze seven existing dedicatedkey transforms with regard to the MPP goal and propose two simple
A Parallelizable Design Principle for Cryptography Hash Functions
 INDOCRYPT 2001, LNCS 2247
, 2001
"... We describe a parallel design principle for hash functions. Given a secure hash function with n 2m, and a binary tree of 2 processors we show how to construct which can hash messages of lengths less than 2 and a secure hash function h which can hash messages of arbitrary length. The number of parall ..."
Abstract

Cited by 10 (0 self)
 Add to MetaCart
We describe a parallel design principle for hash functions. Given a secure hash function with n 2m, and a binary tree of 2 processors we show how to construct which can hash messages of lengths less than 2 and a secure hash function h which can hash messages of arbitrary length. The number of parallel rounds required to hash a message of length L is b t c + t + 2. Further, our algorithm is incrementally parallelizable in the following sense: given a digest produced using a binary tree of 2 processors, we show that the same digest can also be produced using a binary tree of 2 (0 t t) processors.
Domain Extenders for UOWHF: A Generic Lower Bound on Key Expansion And Finite Binary Tree Algorithm
, 2003
"... We obtain a generic lower bound on the key expansion required for securely extending the domain of a UOWHF. Our lower bound holds over a large class of "natural" domain extending algorithms. A consequence of our result is the fact that the key length expansion in Shoup's algorithm is optimal for thi ..."
Abstract

Cited by 6 (1 self)
 Add to MetaCart
We obtain a generic lower bound on the key expansion required for securely extending the domain of a UOWHF. Our lower bound holds over a large class of "natural" domain extending algorithms. A consequence of our result is the fact that the key length expansion in Shoup's algorithm is optimal for this class. Our second contribution is to obtain a finite binary tree algorithm to extend the domain of a UOWHF. The associated key length expansion is only a constant number of bits more than the minimum possible. Our finite binary tree algorithm is the first practical parallel algorithm to securely extend the domain of a UOWHF. Also the speedup obtained by our algorithm is approximately proportional to the number of processors.
New Parallel Domain Extenders for UOWHF
 Lecture Notes in Computer Science
"... Abstract. We present two new parallel algorithms for extending the domain of a UOWHF. The first algorithm is complete binary tree based construction and has less key length expansion than Sarkar’s construction which is the previously best known complete binary tree based construction. But only disad ..."
Abstract

Cited by 3 (1 self)
 Add to MetaCart
Abstract. We present two new parallel algorithms for extending the domain of a UOWHF. The first algorithm is complete binary tree based construction and has less key length expansion than Sarkar’s construction which is the previously best known complete binary tree based construction. But only disadvantage is that here we need more key length expansion than that of Shoup’s sequential algorithm. But it is not too large as in all practical situations we need just two more masks than Shoup’s. Our second algorithm is based on noncomplete lary tree and has the same optimal key length expansion as Shoup’s which has the most efficient key length expansion known so far. Using the recent result [9], we can also prove that the key length expansion of this algorithm and Shoup’s sequential algorithm are the minimum possible for any algorithms in a large class of “natural ” domain extending algorithms. But its parallelizability performance is less efficient than complete tree based constructions. However if l is getting larger, then the parallelizability of the construction is also getting near to that of complete tree based constructions. We also give a sufficient condition for valid domain extension in sequential domain extension.
Construction of UOWHF: Tree Hashing Revisited
, 2002
"... We present a binary tree based parallel algorithm for extending the domain of a UOWHF. The key length expansion is 2m bits for t = 2; m(t+1) bits for 3 t 6 and m(t+blog 2 (t 1)c) bits for t 7, where m is the length of the message digest and t 2 is the height of the binary tree. The previously be ..."
Abstract

Cited by 2 (1 self)
 Add to MetaCart
We present a binary tree based parallel algorithm for extending the domain of a UOWHF. The key length expansion is 2m bits for t = 2; m(t+1) bits for 3 t 6 and m(t+blog 2 (t 1)c) bits for t 7, where m is the length of the message digest and t 2 is the height of the binary tree. The previously best known binary tree algorithm required a key length expansion of m 2(t 1) bits. We also obtain the lower bound that any binary tree based algorithm must make a key length expansion of 2m bits if t = 2 and a key length expansion of m (t + 1) bits for t 3. Hence for 2 t 6 our algorithm makes optimal key length expansion and for practical sized processor trees the key length expansion is close to the lower bound.
Masking Based Domain Extenders for UOWHFs: Bounds and Constructions
 CRYPTOLOGY EPRINT ARCHIVE
, 2003
"... We study the class of masking based domain extenders for UOWHFs. Our first contribution is to show that any correct masking based domain extender for UOWHF which invokes the compression UOWHF s times must use at least ⌈log 2 s⌉ masks. As a consequence, we obtain the key expansion optimality of sev ..."
Abstract

Cited by 2 (0 self)
 Add to MetaCart
We study the class of masking based domain extenders for UOWHFs. Our first contribution is to show that any correct masking based domain extender for UOWHF which invokes the compression UOWHF s times must use at least ⌈log 2 s⌉ masks. As a consequence, we obtain the key expansion optimality of several known algorithms among the class of all masking based domain extending algorithms. Our second contribution is to present a new parallel domain extender for UOWHF. The new algorithm achieves asymptotically optimal speedup over the sequential algorithm and the key expansion is almost everywhere optimal, i.e., it is optimal for almost all possible number of invocations of the compression UOWHF. Our algorithm compares favourably with all previously known masking based domain extending algorithms.
Higher Order Universal OneWay Hash Functions
 Asiacrypt'04, LNCS 3329
, 2004
"... Abstract. Universal OneWay Hash Functions (UOWHFs) are families of cryptographic hash functions for which first a target input is chosen and subsequently a key which selects a member from the family. Their main security property is that it should be hard to find a second input that collides with th ..."
Abstract

Cited by 2 (0 self)
 Add to MetaCart
Abstract. Universal OneWay Hash Functions (UOWHFs) are families of cryptographic hash functions for which first a target input is chosen and subsequently a key which selects a member from the family. Their main security property is that it should be hard to find a second input that collides with the target input. This paper generalizes the concept of UOWHFs to UOWHFs of order r. We demonstrate that it is possible to build UOWHFs with much shorter keys than existing constructions from fixedsize UOWHFs of order r. UOWHFs of order r can be used both in the linear (r + 1)round MerkleDamg˚ard construction and in a tree construction.
Y.: An Investigation of the Enhanced Target Collision Resistance Property for Hash Functions. Cryptology ePrint Archive, Report 2009/506
, 2009
"... Abstract. We revisit the enhanced target collision resistance (eTCR) property as a newly emerged notion of security for dedicatedkey hash functions, which has been put forth by Halevi and Krawczyk at CRYPTO’06, in conjunction with the Randomized Hashing mode to achieve this property. Our contributi ..."
Abstract

Cited by 1 (1 self)
 Add to MetaCart
Abstract. We revisit the enhanced target collision resistance (eTCR) property as a newly emerged notion of security for dedicatedkey hash functions, which has been put forth by Halevi and Krawczyk at CRYPTO’06, in conjunction with the Randomized Hashing mode to achieve this property. Our contribution is twofold. Firstly, we provide a full picture of the relationships between eTCR and each of the seven security properties for a dedicatedkey hash function, considered by Rogaway and Shrimpton at FSE’04; namely, collision resistance (CR), the three variants of secondpreimage resistance (Sec, aSec, eSec) and the three variants of preimage resistance (Pre, aPre, ePre). The results show that, for an arbitrary dedicatedkey hash function, eTCR is not implied by any of these seven properties, and it can only imply three of the properties; namely, eSec (TCR), Sec, Pre. In the second part of the paper, we analyze the eTCR preservation capabilities of several domain extension transforms (a.k.a. modes of operation) for hash functions, including (Plain, Strengthened, and Prefixfree) MerkleDamg˚ard, Randomized Hashing, Shoup, Enveloped Shoup, XOR Linear Hash (XLH), and Linear Hash (LH). From this analysis it turns out that, with the exception of a nested variant of LH, none of the investigated transforms can preserve the eTCR property.
A Sufficient Condition and an Optimal Domain Extension of UOWHF
, 2004
"... In this paper we will provide a nontrivial sufficient condition for UOWHFpreserving domain extension which will be very easy to verify. Using this result we can prove very easily that all known domain extension algorithms are valid. This will be a nice technique to prove a domain extension is vali ..."
Abstract
 Add to MetaCart
In this paper we will provide a nontrivial sufficient condition for UOWHFpreserving domain extension which will be very easy to verify. Using this result we can prove very easily that all known domain extension algorithms are valid. This will be a nice technique to prove a domain extension is valid. We also propose an optimal (w.r.t. both time complexity and key size) domain extension algorithm based on an incomplete binary tree. In Asiacrypt'03 [6] (also in [5]) author proposed a binary tree based domain extension of UOWHF. We will show that the binary tree based construction [5] is optimal in a subclass of full binary tree based domain extension. A full binary tree based...