Building a collision-resistant compression function from non-compressing primitives
In ICALP 2008, Part II, 2008
Abstract

Cited by 15 (3 self)
Abstract. We consider how to build an efficient compression function from a small number of random, non-compressing primitives. Our main goal is to achieve a level of collision resistance as close as possible to the optimal birthday bound. We present a 2n-to-n bit compression function based on three independent n-to-n bit random functions, each called only once. We show that if the three random functions are treated as black boxes then finding collisions requires Θ(2^{n/2}/n^c) queries for c ≈ 1. This result remains valid if two of the three random functions are replaced by a fixed-key ideal cipher in Davies-Meyer mode (i.e., E_K(x) ⊕ x for permutation E_K). We also give a heuristic, backed by experimental results, suggesting that the security loss is at most four bits for block sizes up to 256 bits. We believe this is the best result to date on the matter of building a collision-resistant compression function from non-compressing functions. It also relates to an open question from Black et al. (Eurocrypt'05), who showed that compression functions that invoke a single non-compressing random function cannot suffice. We also explore the relationship of our problem with that of doubling the output of a hash function and we show how our compression function can be used to double the output length of ideal hashes.
Cryptanalysis of Tweaked Versions of SMASH and Reparation
Abstract

Cited by 4 (0 self)
Abstract. In this paper, we study the security of permutation-based hash functions, i.e. block-cipher-based hash functions with fixed keys. SMASH is such a hash function proposed by Knudsen in 2005 and broken the same year by Pramstaller et al. Here we show that the two tweaked versions, proposed soon after by Knudsen to thwart the attack, can also be attacked in collision in time O(n·2^{n/3}). This time complexity can be reduced to O(2^{2√n}) for the first tweak version, which means an attack against SMASH-256 in c·2^{32} for a small constant c. Then, we show that an efficient generalization of SMASH, using two permutations instead of one, can be proved secure against collision in the ideal-cipher model in Ω(2^{n/4}) queries to the permutations. In order to analyze the tightness of our proof, we devise a non-trivial attack in O(2^{3n/8}) queries. Finally, we also prove that our construction is preimage resistant in Ω(2^{n/2}) queries, which is the best security level that can be reached for 2-permutation based hash functions, as proved in [12].
Attacks on JH, Grøstl and SMASH Hash Functions
Abstract
Abstract. JH and Grøstl hash functions are two of the five finalists in the NIST SHA-3 competition. JH-s and Grøstl-s are based on a 2n-bit compression function and the final output is truncated to s bits, where n is 512 and s can be 224, 256, 384 and 512. Previous security proofs show that JH-s and Grøstl-s have optimal collision resistance without length padding to the last block. In this paper we present significant collision and preimage attacks on JH-s and Grøstl-s. For collision and preimage attacks, the adversary needs 2^{s/4+l/2+1} and 2^{(s+l)/2+1} queries to the underlying compression function respectively, where l denotes the encoded bit length of the message; for JH, l = 128 and for Grøstl, l = 64. If the message length is not padded to the last message block, for s = 224, the attacker only needs 2^{57} and 2^{113} compression function queries to mount a collision attack and preimage attack respectively. For the real JH and Grøstl, the message length is encoded into 128 and 64 bits respectively. For JH-512, the collision and preimage attacks need 2^{193} and 2^{321} queries to the compression function respectively. For Grøstl-512, the collision and preimage attacks need 2^{163} and 2^{289} queries to the compression function respectively. Our attacks exploit structural flaws in the design of JH and Grøstl. They are easily applied to MJH and SMASH and other generalizations since they have a similar structure (we call it the Even-Mansour structure) to the above hash functions. At the same time the provable security of chopMD in the literature is challenged. Through our attack, it is easy to see that the chopMD mode used in JH or Grøstl does not improve its security.
Revisiting Dedicated and Block Cipher based Hash Functions
Abstract
Abstract: A hash function maps a variable-length input into a fixed-length output. The hash functions that are used in information security related applications are referred to as cryptographic hash functions. Hash functions are being used as building blocks of many complex cryptographic mechanisms and protocols. Construction of a hash function consists of two components. The first component is a compression function and the second component is a domain extender. The various hash function design philosophies try to design the compression function from different angles. Two major categories of hash functions are: dedicated hash functions, and block cipher-based hash functions. These two kinds of design philosophies have been revisited in this paper. Two dedicated hash functions from the MD4 family, MD4 and SHA-256, have been detailed in this paper. To limit the scope of this paper in this framework, discussions on attacks on hash functions and SHA-3 finalists have been excluded here.