Results 1 - 9 of 9
Practical Hash Functions Constructions Resistant to Generic Second Preimage Attacks Beyond the Birthday Bound
Abstract

Cited by 3 (0 self)
Most cryptographic hash functions rely on a simpler primitive called a compression function, and in nearly all cases, there is a reduction between some of the security properties of the full hash function and those of the compression function. For instance, a celebrated result of Merkle and Damgård from 1989 states that a collision on the hash function cannot be found without finding a collision on the compression function at the same time. This is however not the case for another basic requirement, namely second preimage resistance. In fact, on many popular hash functions it is possible to find a second preimage on the iteration without breaking the compression function. This paper studies the resistance of two practical modes of operation of hash functions against such attacks. We prove that the known generic second preimage attacks against the Merkle-Damgård construction are optimal, and that there is no generic second preimage attack faster than exhaustive search on HAIFA, a recent proposal by Biham and Dunkelman.

Keywords: hash functions, modes of operation, second preimage attacks, provable security
Improved Indifferentiability Security Bound for the JH Mode
Dustin Moody
Abstract

Cited by 3 (0 self)
Indifferentiability security of a hash mode of operation guarantees the mode's resistance against all (meaningful) generic attacks. It is also useful to establish the security of protocols that use hash functions as random functions. The JH hash function is one of the five finalists in the ongoing NIST SHA-3 hash function competition. Despite several years of analysis, the indifferentiability security of the JH mode (with n-bit digest and 2n-bit permutation) has remained remarkably low, only at n/3 bits (FSE 2010), while the other four finalist modes – with comparable parameter values – offer a security guarantee of n/2 bits. In this paper, we improve the indifferentiability security bound for the JH mode to n/2 bits (e.g. from 171 to 256 bits when n = 512). To put this into perspective, our result guarantees the absence of attacks on both the JH-256 and JH-512 hash functions with time less than approximately 2^256 computations of the underlying 1024-bit permutation, under the assumption that the basic permutation is structurally strong. Our bounds are optimal for JH-256, and the best, so far, for JH-512. We obtain this improved bound by establishing an isomorphism of certain query-response graphs through a careful design of the simulators and the bad events. Our experimental data strongly supports the theoretically obtained results.
Cryptanalysis of the 10-Round Hash and Full Compression Function of SHAvite-3-512
Abstract

Cited by 1 (1 self)
In this paper, we analyze the SHAvite-3-512 hash function, as proposed and tweaked for round 2 of the SHA-3 competition. We present cryptanalytic results on 10 out of 14 rounds of the hash function SHAvite-3-512, and on the full 14-round compression function of SHAvite-3-512. We show a second preimage attack on the hash function reduced to 10 rounds with a complexity of 2^497 compression function evaluations and 2^16 memory. For the full 14-round compression function, we give a chosen-counter, chosen-salt preimage attack with 2^384 compression function evaluations and 2^128 memory (or complexity 2^448 without memory), and a collision attack with 2^192 compression function evaluations and 2^128 memory.
Report regarding the winter school on Hash3: Proofs, Analysis and Implementation, 2009
Abstract
This report outlines the talks presented at the winter school on Hash3: Proofs, Analysis, and Implementation [9]. In general, speakers may not write on the slides everything they say in their talks. So, this report also outlines such findings following the understanding of the author of this report. The author of this report would like to disclaim that any mistakes in this report are solely due to the author of this report, as not all of the technical details were verified with the speakers. The findings presented in this report are solely due to the author's understanding of the talks at the winter school. For many of the talks, the author of this report has spent some time in understanding some technical details (using prior knowledge and (re)visiting the literature) and explained that in this report. Of course, not all the details are covered while exploring the literature.

0.1 First day: 16/11/2009
0.1.1 Perspective on hash functions
Bart discussed the overall state of the art of hash functions with an emphasis on the
unknown title
Abstract
In this document we present SHAvite-3, a secure and efficient hash function based on the HAIFA construction and the AES building blocks. SHAvite-3 uses a well-understood set of primitives such as a Feistel block cipher which iterates a round function based on the AES round. SHAvite-3's compression functions are secure against cryptanalysis, while the selected mode of iteration offers maximal security against black-box attacks on the hash function. SHAvite-3 is both fast and resource-efficient, making it suitable for a wide range of environments, ranging from 8-bit platforms to 64-bit platforms (and beyond).
Symmetric Cryptography, 2009
Abstract
Grøstl is a SHA-3 candidate proposal. Grøstl is an iterated hash function with a compression function built from two fixed, large, distinct permutations. The design of Grøstl is transparent and based on principles very different from those used in the SHA family. The two permutations are constructed using the wide trail design strategy, which makes it possible to give strong statements about the resistance of Grøstl against large classes of cryptanalytic attacks. Moreover, if these permutations are assumed to be ideal, there is a proof for the security of the hash function. Grøstl is a byte-oriented SP-network which borrows components from the AES. The S-box used is identical to the one used in the block cipher AES and the diffusion layers are constructed in a similar manner to those of the AES. As a consequence there is a very strong confusion and diffusion in Grøstl. Grøstl is a so-called wide-pipe construction where the size of the internal state is significantly larger than the size of the output. This has the effect that all known, generic attacks on the hash function are made much more difficult. Grøstl has good performance on a wide range of platforms, and countermeasures against side-channel attacks are well-understood from similar work on the AES. Document version no. 1.1 (updated January 15, 2009). Most important updates in Section 7.2.2. No changes in the design of Grøstl have been made.
Looking Back at a New Hash Function
Abstract
We present two (related) dedicated hash functions that deliberately borrow heavily from the block ciphers that appeared in the final stages of the AES process. We explore the computational trade-off between the key schedule and encryption in a block-cipher-based hash function and we illustrate our approach with a 256-bit hash function that has a hashing rate equivalent to the encryption rate of AES-128. The design extends naturally to a 512-bit hash function.
Summary, 2008
Abstract
Grøstl is a SHA-3 candidate proposal. Grøstl is an iterated hash function with a compression function built from two fixed, large, distinct permutations. The design of Grøstl is transparent and based on principles very different from those used in the SHA family. The two permutations are constructed using the wide trail design strategy, which makes it possible to give strong statements about the resistance of Grøstl against large classes of cryptanalytic attacks. Moreover, if these permutations are assumed to be ideal, there is a proof for the security of the hash function. Grøstl is a byte-oriented SP-network which borrows components from the AES. The S-box used is identical to the one used in the block cipher AES and the diffusion layers are constructed in a similar manner to those of the AES. As a consequence there is a very strong confusion and diffusion in Grøstl. Grøstl is a so-called wide-pipe construction where the size of the internal state is significantly larger than the size of the output. This has the effect that all known, generic attacks on the hash function are made much more difficult. Grøstl has good performance on a wide range of platforms and countermeasures against side-channel attacks are well-understood from similar work on the AES.