Results 1  10
of
52
How to break MD5 and other hash functions
 In EUROCRYPT
, 2005
"... Abstract. MD5 is one of the most widely used cryptographic hash functions nowadays. It was designed in 1992 as an improvement of MD4, and its security was widely studied since then by several authors. The best known result so far was a semi freestart collision, in which the initial value of the has ..."
Abstract

Cited by 251 (7 self)
 Add to MetaCart
(Show Context)
Abstract. MD5 is one of the most widely used cryptographic hash functions nowadays. It was designed in 1992 as an improvement of MD4, and its security was widely studied since then by several authors. The best known result so far was a semi freestart collision, in which the initial value of the hash function is replaced by a nonstandard value, which is the result of the attack. In this paper we present a new powerful attack on MD5 which allows us to find collisions efficiently. We used this attack to find collisions of MD5 in about 15 minutes up to an hour computation time. The attack is a differential attack, which unlike most differential attacks, does not use the exclusiveor as a measure of difference, but instead uses modular integer subtraction as the measure. We call this kind of differential a modular differential. An application of this attack to MD4 can find a collision in less than a fraction of a second. This attack is also applicable to other hash functions, such as RIPEMD and HAVAL. 1
MerkleDamg˚ard Revisited: How to Construct a Hash Function
 Advances in Cryptology, Crypto 2005
"... The most common way of constructing a hash function (e.g., SHA1) is to iterate a compression function on the input message. The compression function is usually designed from scratch or made out of a blockcipher. In this paper, we introduce a new security notion for hashfunctions, stronger than col ..."
Abstract

Cited by 84 (8 self)
 Add to MetaCart
(Show Context)
The most common way of constructing a hash function (e.g., SHA1) is to iterate a compression function on the input message. The compression function is usually designed from scratch or made out of a blockcipher. In this paper, we introduce a new security notion for hashfunctions, stronger than collisionresistance. Under this notion, the arbitrary length hash function H must behave as a random oracle when the fixedlength building block is viewed as a random oracle or an ideal blockcipher. The key property is that if a particular construction meets this definition, then any cryptosystem proven secure assuming H is a random oracle remains secure if one plugs in this construction (still assuming that the underlying fixedlength primitive is ideal). In this paper, we show that the current design principle behind hash functions such as SHA1 and MD5 — the (strengthened) MerkleDamg˚ard transformation — does not satisfy this security notion. We provide several constructions that provably satisfy this notion; those new constructions introduce minimal changes to the plain MerkleDamg˚ard construction and are easily implementable in practice.
Finding Collisions on a OneWay Street: Can Secure Hash Functions be Based on General Assumptions
, 1998
"... We prove the existence of an oracle relative to which there exist seveial wellknown cryptographic primitives, including oneway permutations, but excluding (for a suitably strong definition) collisionintractible hash functions. Thus any proof that such functions can be derived from these weaker ..."
Abstract

Cited by 75 (0 self)
 Add to MetaCart
We prove the existence of an oracle relative to which there exist seveial wellknown cryptographic primitives, including oneway permutations, but excluding (for a suitably strong definition) collisionintractible hash functions. Thus any proof that such functions can be derived from these weaker primitives is necessarily nonrelativizing; in particular, no provable construction of a collisionintractable hash function can exist based solely on a “black box ” oneway permutation. This result can be viewed as a partial justification for the common practice of treating the collisionintractable hash function as a cryptographic primitive, rather than attempting to derive it from a weaker primitive (such as a oneway permutation). Key words: Hash functions, oracle, cryptography, complexity theory 1
Strengthening Digital Signatures Via Randomized Hashing
 In CRYPTO
, 2006
"... Abstract. We propose randomized hashing as a mode of operation for cryptographic hash functions intended for use with standard digital signatures and without necessitating of any changes in the internals of the underlying hash function (e.g., the SHA family) or in the signature algorithms (e.g., RSA ..."
Abstract

Cited by 60 (2 self)
 Add to MetaCart
(Show Context)
Abstract. We propose randomized hashing as a mode of operation for cryptographic hash functions intended for use with standard digital signatures and without necessitating of any changes in the internals of the underlying hash function (e.g., the SHA family) or in the signature algorithms (e.g., RSA or DSA). The goal is to free practical digital signature schemes from their current reliance on strong collision resistance by basing the security of these schemes on significantly weaker properties of the underlying hash function, thus providing a safety net in case the (current or future) hash functions in use turn out to be less resilient to collision search than initially thought. We design a specific mode of operation that takes into account engineering considerations (such as simplicity, efficiency and compatibility with existing implementations) as well as analytical soundness. Specifically, the scheme consists of a regular use of the hash function with randomization applied only to the message before it is input to the hash function. We formally show the sufficiency of weaker than collisionresistance assumptions for proving the security of the scheme. 1
G.V.: On the Indifferentiability of the Sponge Construction
 In: Advances in Cryptology – Eurocrypt
, 2008
"... Abstract. In this paper we prove that the sponge construction introduced in [4] is indifferentiable from a random oracle when being used with a random transformation or a random permutation and discuss its implications. To our knowledge, this is the first time indifferentiability has been shown for ..."
Abstract

Cited by 55 (4 self)
 Add to MetaCart
(Show Context)
Abstract. In this paper we prove that the sponge construction introduced in [4] is indifferentiable from a random oracle when being used with a random transformation or a random permutation and discuss its implications. To our knowledge, this is the first time indifferentiability has been shown for a construction calling a random permutation (instead of an ideal compression function or ideal block cipher) and for a construction generating outputs of any length (instead of a fixed length). 1
Limits on the Efficiency of OneWay PermutationBased Hash Functions
 In Proceedings of the 40th Annual IEEE Symposium on Foundations of Computer Science
, 1999
"... Naor and Yung ([NY89]) show that a onebit compressing universal oneway hash function (UOWHF) can be constructed based on a oneway permutation. This construction can be iterated to build a UOWHF which compresses by "n bits, at the cost of "n invocations of the oneway permutation. We sho ..."
Abstract

Cited by 30 (0 self)
 Add to MetaCart
Naor and Yung ([NY89]) show that a onebit compressing universal oneway hash function (UOWHF) can be constructed based on a oneway permutation. This construction can be iterated to build a UOWHF which compresses by "n bits, at the cost of "n invocations of the oneway permutation. We show that this construction is not far from optimal, in the following sense: there exists an oracle relative to which there exists a oneway permutation with inversion probability 2 \Gammap(n) (for any p(n) 2 !(log n)), but any construction of an "nbitcompressing UOWHF requires \Omega\Gamma p n=p(n)) invocations of the oneway permutation, on average. (For example, there exists in this relativized world a oneway permutation with inversion probability n \Gamma!(1) , but no UOWHF that invokes it fewer than \Omega\Gamma p n= log n) times.) Thus any proof that a more efficient UOWHF can be derived from a oneway permutation is necessarily nonrelativizing; in particular, no provable construction...
Herding hash functions and the Nostradamus attack
 of Lecture Notes in Computer Science
, 2006
"... Abstract. In this paper, we develop a new attack on Damg˚ardMerkle hash functions, called the herding attack, in which an attacker who can find many collisions on the hash function by brute force can first provide the hash of a message, and later “herd ” any given starting part of a message to that ..."
Abstract

Cited by 30 (6 self)
 Add to MetaCart
(Show Context)
Abstract. In this paper, we develop a new attack on Damg˚ardMerkle hash functions, called the herding attack, in which an attacker who can find many collisions on the hash function by brute force can first provide the hash of a message, and later “herd ” any given starting part of a message to that hash value by the choice of an appropriate suffix. We focus on a property which hash functions should have–Chosen Target Forced Prefix (CTFP) preimage resistance–and show the distinction between Damg˚ardMerkle construction hashes and random oracles with respect to this property. We describe a number of ways that violation of this property can be used in arguably practical attacks on realworld applications of hash functions. An important lesson from these results is that hash functions susceptible to collisionfinding attacks, especially bruteforce collisionfinding attacks, cannot in general be used to prove knowledge of a secret value. 1
Second preimages on nbit hash functions for much less than 2^n work
"... We expand a previous result of Dean [Dea99] to provide a second preimage attack on all nbit iterated hash functions with DamgårdMerkle strengthening and nbit intermediate states, allowing a second preimage to be found for a 2 kmessageblock message with about k × 2 n/2+1 +2 n−k+1 work. Using RI ..."
Abstract

Cited by 16 (3 self)
 Add to MetaCart
We expand a previous result of Dean [Dea99] to provide a second preimage attack on all nbit iterated hash functions with DamgårdMerkle strengthening and nbit intermediate states, allowing a second preimage to be found for a 2 kmessageblock message with about k × 2 n/2+1 +2 n−k+1 work. Using RIPEMD160 as an example, our attack can find a second preimage for a 2^60 byte message in about 2^106 work, rather than the previously expected 2^160 work. We also provide slightly cheaper ways to find multicollisions than the method of Joux [Jou04]. Both of these results are based on expandable messages–patterns for producing messages of varying length, which all collide on the intermediate hash result immediately after processing the message. We provide an algorithm for finding expandable messages for any nbit hash function built using the DamgårdMerkle construction, which requires only a small multiple of the work done to find a single collision in the hash function.
Structural properties of oneway hash functions
 Advances in cryptology  CRYPTO 90, Lecture Notes in Computer Science
, 1991
"... We study the following two kinds of oneway hash functions: universal oneway hash functions (UOHs) and collision intractable hash functions (CIHs). The main property of the former is that given an initialstring x, it is computationally difficult to find a different string y that collides with x. An ..."
Abstract

Cited by 14 (6 self)
 Add to MetaCart
(Show Context)
We study the following two kinds of oneway hash functions: universal oneway hash functions (UOHs) and collision intractable hash functions (CIHs). The main property of the former is that given an initialstring x, it is computationally difficult to find a different string y that collides with x. And the main property of the latter is that it is computationally difficult to find a pair x � = y of strings such that x collides with y. Our main results are as follows. First we prove that UOHs with respect to initialstrings chosen arbitrarily exist if and only if UOHs with respect to initialstrings chosen uniformly at random exist. Then, as an application of the result, we show that UOHs with respect to initialstrings chosen arbitrarily can be constructed under a weaker assumption, the existence of oneway quasiinjections. Finally, we investigate relationships among various versions of oneway hash functions. We prove that some versions of oneway hash functions are strictly included in others by explicitly constructing hash functions that are oneway in the sense of the former but not in the sense of the latter. 1
Amplifying Collision Resistance: A ComplexityTheoretic Treatment
 Advances in Cryptology — Crypto 2007, Volume 4622 of Lecture
"... Abstract. We initiate a complexitytheoretic treatment of hardness amplification for collisionresistant hash functions, namely the transformation of weakly collisionresistant hash functions into strongly collisionresistant ones in the standard model of computation. We measure the level of collisi ..."
Abstract

Cited by 9 (1 self)
 Add to MetaCart
(Show Context)
Abstract. We initiate a complexitytheoretic treatment of hardness amplification for collisionresistant hash functions, namely the transformation of weakly collisionresistant hash functions into strongly collisionresistant ones in the standard model of computation. We measure the level of collision resistance by the maximum probability, over the choice of the key, for which an efficient adversary can find a collision. The goal is to obtain constructions with short output, short keys, small loss in adversarial complexity tolerated, and a good tradeoff between compression ratio and computational complexity. We provide an analysis of several simple constructions, and show that many of the parameters achieved by our constructions are almost optimal in some sense.