Results 11-20 of 96
Breaking the ICE: finding multicollisions in iterated concatenated and expanded (ICE) hash functions
In Proceedings of FSE '06, 2006
Cited by 14 (0 self)
Abstract. The security of hash functions has recently become one of the hottest topics in the design and analysis of cryptographic primitives. Since almost all the hash functions used today (including the MD and SHA families) have an iterated design, it is important to study the general security properties of such functions. At Crypto 2004 Joux showed that in any iterated hash function it is relatively easy to find exponential-sized multicollisions, and thus the concatenation of several hash functions does not increase their security. However, in his proof it was essential that each message block is used at most once. In 2005 Nandi and Stinson extended the technique to handle iterated hash functions in which each message block is used at most twice. In this paper we consider the general case and prove that even if we allow each iterated hash function to scan the input multiple times in an arbitrary expanded order, their concatenation is not stronger than a single function. Finally, we extend the result to tree-based hash functions with arbitrary tree structures.
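The Joux multicollision technique that this abstract builds on, as an added example (not code from the paper or its authors): a toy iterated hash whose compression function is SHA-256 truncated to a 16-bit chaining value, an assumption chosen so that a single-block birthday collision costs about 2^8 trials. The block size, the labels H1/H2 used to derive two independent toy functions, and the parameter k are likewise assumptions. The example chains k single-block collisions into a 2^k-multicollision for H1 and then uses those 2^k messages to birthday-attack H2, which is exactly why H1(M)||H2(M) is no stronger than H2 alone in the each-block-used-once setting.

```python
import hashlib
import itertools

# Toy parameters (an assumption for this example, not anything from the paper):
# a 16-bit chaining value so that a single-block collision costs ~2^8 work.
STATE_BYTES = 2
BLOCK_BYTES = 4
IV = b"\x00" * STATE_BYTES


def compress(label: bytes, h: bytes, m: bytes) -> bytes:
    """Toy compression function f(h, m): truncated SHA-256 of label||h||m.
    Different labels give independent toy functions, here H1 and H2."""
    return hashlib.sha256(label + h + m).digest()[:STATE_BYTES]


def iterated_hash(label: bytes, blocks) -> bytes:
    """Plain Merkle-Damgard iteration, each block used exactly once
    (the setting of Joux's original result)."""
    h = IV
    for m in blocks:
        h = compress(label, h, m)
    return h


def find_block_collision(label: bytes, h: bytes):
    """Birthday search for m != m' with f(h, m) == f(h, m'); ~2^(n/2) calls."""
    seen = {}
    for counter in itertools.count():
        m = counter.to_bytes(BLOCK_BYTES, "big")
        out = compress(label, h, m)
        if out in seen:
            return seen[out], m, out
        seen[out] = m


def joux_multicollision(label: bytes, k: int):
    """k successive single-block collisions, each starting from the chaining
    value the previous step produced. Any choice of one block per step gives
    the same final hash: a 2^k-multicollision for only k * 2^(n/2) work."""
    h = IV
    steps = []
    for _ in range(k):
        m0, m1, h = find_block_collision(label, h)
        steps.append((m0, m1))
    return steps, h


def expand(steps):
    """Enumerate all 2^k colliding messages (as lists of blocks)."""
    for choice in itertools.product(*steps):
        yield list(choice)


def break_concatenation(k: int):
    """Collision for H1(M) || H2(M): build a 2^k-multicollision for H1, then
    birthday-search H2 over those messages. Once 2^k exceeds 2^(n/2) for H2's
    n, a collision in H2 is expected, so H1||H2 costs about as much to break
    as H2 alone."""
    steps, _ = joux_multicollision(b"H1", k)
    seen = {}
    for msg in expand(steps):
        h2 = iterated_hash(b"H2", msg)
        if h2 in seen:
            return seen[h2], msg
        seen[h2] = msg
    return None


if __name__ == "__main__":
    steps, h1 = joux_multicollision(b"H1", 8)
    msgs = list(expand(steps))
    print(len(msgs), "messages all hash to", h1.hex(),
          all(iterated_hash(b"H1", m) == h1 for m in msgs))
    a, b = break_concatenation(12)
    print("H1||H2 collision:",
          iterated_hash(b"H1", a) == iterated_hash(b"H1", b),
          iterated_hash(b"H2", a) == iterated_hash(b"H2", b))
```

With a 16-bit H2, k = 12 gives 4096 candidate messages and an expected 128 H2 collisions among them, so the concatenation attack succeeds essentially every time at a cost of roughly 12 block-collision searches plus 4096 evaluations of H2. The abstract's point is that this stays true when blocks are reused in an arbitrary expanded order; this toy only shows the original each-block-once case.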
How to Build a Hash Function from any Collision-Resistant Function
2007
Cited by 12 (3 self)
Recent collision-finding attacks against hash functions such as MD5 and SHA-1 motivate the use of provably collision-resistant (CR) functions in their place. Finding a collision in a provably CR function implies the ability to solve some hard problem (e.g., factoring). Unfortunately, existing provably CR functions make poor replacements for hash functions as they fail to deliver behaviors demanded by practical use. In particular, they are easily distinguished from a random oracle. We initiate an investigation into building hash functions from provably CR functions. As a method for achieving this, we present the Mix-Compress-Mix (MCM) construction; it envelopes any provably CR function H (with suitable regularity properties) between two injective "mixing" stages. The MCM construction simultaneously enjoys (1) provable collision-resistance in the standard model, and (2) indifferentiability from a monolithic random oracle when the mixing stages themselves are indifferentiable from a random oracle that observes injectivity. We instantiate our new design approach by specifying a block-cipher-based construction that
On the security and the efficiency of the Merkle signature scheme
2005
Cited by 9 (0 self)
This paper builds on the multi-time signature scheme proposed by Merkle. We prove that the original scheme is existentially unforgeable under adaptive chosen message attack. Moreover, we present an improved version which has three advantages: It is provably forward secure. The number of signatures that can be made with one private key is, in a practical sense, unlimited. Finally, the cost for key generation is kept low. The theoretical exposition is complemented...
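The mechanics of Merkle's multi-time scheme that the abstract refers to, as an added example (not the paper's construction or code): a Lamport one-time signature over SHA-256 as the leaf scheme, a binary hash tree of height h over the 2^h one-time public keys, and a signer that keeps the index of the next unused leaf as state. The choice of Lamport as the OTS, SHA-256 as the hash, the tree height and the field names of the signature are all assumptions made here. The example shows the two costs the abstract discusses: key generation touches every OTS key pair up front, and a signer that exhausts its 2^h leaves must stop.

```python
import hashlib
import os

DIGEST_BYTES = 32  # SHA-256; the hash, the OTS and the layout are assumptions


def H(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


def message_bits(msg: bytes):
    """The 256 bits of SHA-256(msg), most significant bit first."""
    d = H(msg)
    return [(d[i >> 3] >> (7 - (i & 7))) & 1 for i in range(8 * DIGEST_BYTES)]


# --- Lamport one-time signature (OTS): one key pair signs exactly one message ---
def ots_keygen(rng=os.urandom):
    sk = [(rng(DIGEST_BYTES), rng(DIGEST_BYTES)) for _ in range(8 * DIGEST_BYTES)]
    pk = [(H(s0), H(s1)) for s0, s1 in sk]
    return sk, pk


def ots_pk_digest(pk) -> bytes:
    """Leaf value of the tree: hash of the whole OTS public key."""
    return H(*[x for pair in pk for x in pair])


def ots_sign(sk, msg: bytes):
    return [sk[i][b] for i, b in enumerate(message_bits(msg))]


def ots_verify(pk, msg: bytes, sig) -> bool:
    return all(H(sig[i]) == pk[i][b] for i, b in enumerate(message_bits(msg)))


# --- Merkle signature scheme: 2^height OTS keys authenticated by one root ---
class MerkleSigner:
    def __init__(self, height: int, rng=os.urandom):
        self.n_leaves = 1 << height
        # Key generation cost: every OTS key pair and the whole tree, up front.
        self.keys = [ots_keygen(rng) for _ in range(self.n_leaves)]
        self.levels = [[ots_pk_digest(pk) for _, pk in self.keys]]
        while len(self.levels[-1]) > 1:
            prev = self.levels[-1]
            self.levels.append([H(prev[i], prev[i + 1]) for i in range(0, len(prev), 2)])
        self.public_key = self.levels[-1][0]
        self.next_leaf = 0  # signer state: index of the next unused OTS key

    def sign(self, msg: bytes) -> dict:
        if self.next_leaf >= self.n_leaves:
            raise RuntimeError("all one-time keys used up; a new tree is needed")
        idx = self.next_leaf
        self.next_leaf += 1
        sk, pk = self.keys[idx]
        self.keys[idx] = (None, pk)  # a Lamport key must never sign twice
        auth = []  # sibling nodes on the path from leaf idx to the root
        j = idx
        for level in self.levels[:-1]:
            auth.append(level[j ^ 1])
            j >>= 1
        return {"index": idx, "ots_pk": pk, "ots_sig": ots_sign(sk, msg), "auth": auth}


def merkle_verify(root: bytes, msg: bytes, sig: dict) -> bool:
    """Check the OTS signature, then recompute the root from the leaf and its path."""
    if not ots_verify(sig["ots_pk"], msg, sig["ots_sig"]):
        return False
    node = ots_pk_digest(sig["ots_pk"])
    j = sig["index"]
    for sibling in sig["auth"]:
        node = H(node, sibling) if j & 1 == 0 else H(sibling, node)
        j >>= 1
    return node == root


if __name__ == "__main__":
    signer = MerkleSigner(height=3)  # 8 signatures per public key
    sig = signer.sign(b"message 1")
    print(merkle_verify(signer.public_key, b"message 1", sig))
    print(merkle_verify(signer.public_key, b"message 2", sig))
```

This toy keeps the original scheme's hard limit of 2^h signatures per public key and its full up-front key generation; the forward security, practically unlimited signature count and cheaper key generation of the paper's improved version are not implemented here.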
Do broken hash functions affect the security of time-stamping schemes?
In Proc. of ACNS '06, LNCS 3989, 2006
Cited by 8 (3 self)
Abstract. We study the influence of collision-finding attacks on the security of time-stamping schemes. We distinguish between client-side hash functions used to shorten the documents before sending them to time-stamping servers and server-side hash functions used for establishing one-way causal relations between time stamps. We derive necessary and sufficient conditions for client-side hash functions and show by using explicit separation techniques that neither collision-resistance nor 2nd-preimage resistance is necessary for secure time-stamping. Moreover, we show that server-side hash functions can even be not one-way. Hence, it is impossible by using black-box techniques to transform collision-finders into wrappers that break the corresponding time-stamping schemes. Each such wrapper should analyze the structure of the hash function. However, these separations do not necessarily hold for more specific classes of hash functions. Considering this, we take a more detailed look at the structure of practical hash functions by studying the Merkle-Damgård (MD) hash functions. We show that attacks which are able to find collisions for MD hash functions with respect to randomly chosen initial states also violate the necessary security conditions for client-side hash functions. This does not contradict the black-box separation results because the MD structure is already a deviation from the black-box setting. As a practical consequence, MD5, SHA-0, and RIPEMD are no longer recommended for use as client-side hash functions in time-stamping. However, there is still no evidence against using MD5 (or even MD4) as server-side hash functions.
B.: Provable security of BLAKE with non-ideal compression function. Cryptology ePrint Archive
Cited by 8 (3 self)
Abstract. We analyze the security of the SHA-3 finalist BLAKE. The BLAKE hash function follows the HAIFA design methodology, and as such it achieves optimal preimage, second preimage and collision resistance, and is indifferentiable from a random oracle up to approximately 2^(n/2) queries assuming the underlying compression function is ideal. In our work we show, however, that the compression function employed by BLAKE exhibits a non-random behavior and is in fact differentiable in only 2^(n/4) queries. Our attack on the indifferentiability of the BLAKE compression function seriously undermines the security strength of BLAKE not only with respect to its overall indifferentiability, but also its collision and (second) preimage security in the ideal model. Our next contribution is the restoration of the security results for BLAKE in the ideal model by refining the level of modularity and assuming that BLAKE's underlying block cipher is an ideal cipher. We prove that BLAKE is optimally collision, second preimage, and preimage secure (up to a constant). We go on to show that BLAKE is still indifferentiable from a random oracle up to the old bound of 2^(n/2) queries, albeit under a weaker assumption: the ideality of its block cipher.
Generic Transformation to Strongly Unforgeable Signatures
In ACNS '07, LNCS 4521, 2007
Cited by 7 (1 self)
Abstract. Recently, several generic transformation techniques have been proposed for converting unforgeable signature schemes (the message in the forgery has not been signed yet) into strongly unforgeable ones (the message in the forgery could have been signed previously). Most of the techniques are based on trapdoor hash functions and all of them require adding supplementary components onto the original key pair of the signature scheme. In this paper, we propose a new generic transformation which converts any unforgeable signature scheme into a strongly unforgeable one, and also keeps the key pair of the signature scheme unchanged. Our technique is based on strong one-time signature schemes. We show that they can be constructed efficiently from any one-time signature scheme that is based on one-way functions. The performance of our technique also compares favorably with that of the trapdoor-hash-function-based ones. In addition, this new generic transformation can also be used for attaining strongly unforgeable signature schemes in other cryptographic settings, which include certificateless signature, identity-based signature, and several others. To the best of our knowledge, a similar extent of versatility is not known to be supported by any of those comparable techniques. Finally, and of independent interest, we show that our generic transformation technique can be modified into an online/offline signature scheme, which possesses a very efficient signing process.
The collision security of Tandem-DM in the ideal cipher model
Cited by 6 (2 self)
Abstract. We prove that Tandem-DM, one of the two "classical" schemes for turning a block cipher with a 2n-bit key into a double block length hash function, has birthday-type collision resistance in the ideal cipher model. A collision resistance analysis for Tandem-DM achieving a similar birthday-type bound was already proposed by Fleischmann, Gorski and Lucks at FSE 2009 [3]. As we detail, however, the latter analysis is wrong, thus leaving the collision resistance of Tandem-DM as an open problem until now.
Collision and Preimage Resistance of the Centera Content Address
2005
Cited by 6 (1 self)
Centera uses cryptographic hash functions as a means of addressing stored objects, thus creating a new class of data storage referred to as CAS (content addressed storage). Such hashing serves the useful function of providing a means of uniquely identifying data and providing a global handle to that data, referred to as the Content Address or CA. However, such a model begs the question: how certain can one be that a given CA is indeed unique? In this paper we describe fundamental concepts of cryptographic hash functions, such as collision resistance, preimage resistance, and second-preimage resistance. We then map these properties to the MD5 and SHA-256 hash algorithms, which are used to generate the Centera content address. Finally, we present a proof of the collision resistance of the Centera Content Address.
A Synthetic Indifferentiability Analysis of Some Block-Cipher-Based Hash Functions
2007
Cited by 5 (2 self)
At ASIACRYPT '06, Chang et al. analyzed the indifferentiability of some popular hash functions based on block ciphers, namely the twenty collision-resistant PGV, the MDC-2 and the PBGV hash functions, etc. In particular, two indifferentiability attacks were presented on four of the twenty collision-resistant PGV and the PBGV hash functions with prefix-free padding. In this article, a synthetic indifferentiability analysis of some block-cipher-based hash functions is considered. First, a more precise definition is proposed for the indifferentiability adversary in block-cipher-based hash functions. Next, the advantage of indifferentiability is extended by considering whether the hash function is keyed or not. Finally, a limitation is observed in Chang et al.'s indifferentiability attacks on the four PGV and the PBGV hash functions. The formal proofs show that those hash functions are indifferentiable from a random oracle in the ideal cipher model with prefix-free padding, the NMAC/HMAC and the chop construction.