Hash function balance and its impact on birthday attacks
Advances in Cryptology – EUROCRYPT ’04, Lecture Notes in Computer Science, 2004
Cited by 27 (2 self)
Abstract. Textbooks tell us that a birthday attack on a hash function h with range size r requires r^{1/2} trials (hash computations) to find a collision. But this is quite misleading, being true only if h is regular, meaning all points in the range have the same number of preimages under h; if h is not regular, fewer trials may be required. But how much fewer? This paper addresses this question by introducing a measure of the “amount of regularity” of a hash function that we call its balance, and then providing estimates of the success rate of the birthday attack, and the expected number of trials to find a collision, as a function of the balance of the hash function being attacked. In particular, we will see that the number of trials can be significantly less than r^{1/2} for hash functions of low balance. This leads us to examine popular design principles, such as the MD (Merkle-Damgård) transform, from the point of view of balance preservation, and to mount experiments to determine the balance of popular hash functions.
Herding hash functions and the Nostradamus attack
Lecture Notes in Computer Science, 2006
Cited by 25 (6 self)
Abstract. In this paper, we develop a new attack on Damgård-Merkle hash functions, called the herding attack, in which an attacker who can find many collisions on the hash function by brute force can first provide the hash of a message, and later “herd” any given starting part of a message to that hash value by the choice of an appropriate suffix. We focus on a property which hash functions should have, Chosen Target Forced Prefix (CTFP) preimage resistance, and show the distinction between Damgård-Merkle construction hashes and random oracles with respect to this property. We describe a number of ways that violation of this property can be used in arguably practical attacks on real-world applications of hash functions. An important lesson from these results is that hash functions susceptible to collision-finding attacks, especially brute-force collision-finding attacks, cannot in general be used to prove knowledge of a secret value.
The Classification of Hash Functions
1993
Cited by 24 (3 self)
When we ask what makes a hash function 'good', we usually get an answer which includes collision freedom as the main (if not sole) desideratum. However, we show here that given any collision-free function, we can derive others which are also collision-free, but cryptographically useless. This explains why researchers have not managed to find many interesting consequences of this property. We also prove Okamoto's conjecture that correlation freedom is strictly stronger than collision freedom. We go on to show that there are actually rather many properties which hash functions may need. Hash functions for use with RSA must be multiplication-free, in the sense that one cannot find X, Y and Z such that h(X)h(Y) = h(Z); and more complex requirements hold for other signature schemes. Universal principles can be proposed from which all the freedom properties follow, but like most theoretical principles, they do not seem to give much value to a designer; at the practical level, the main imp...
Hash Functions Based on Block Ciphers and Quaternary Codes
Advances in Cryptology – ASIACRYPT, 1996
Cited by 9 (1 self)
We consider constructions for cryptographic hash functions based on m-bit block ciphers. First we present a new attack on the LOKI-DBH mode: the attack finds collisions in 2^{3m/4} encryptions, which should be compared to 2^m encryptions for a brute-force attack. This attack breaks the last remaining subclass in a wide class of efficient hash functions which have been proposed in the literature. We then analyze hash functions based on a collision-resistant compression function for which finding a collision requires at least 2^m encryptions, providing a lower bound on the complexity of collisions of the hash function. A new class of constructions is proposed, based on error-correcting codes over GF(2^2), and a proof of security is given, which relates their security to that of single-block hash functions. For example, a compression function is presented which requires about 4 encryptions to hash an m-bit block, and for which finding a collision requires at least 2^m encryptions...
A Generalized Birthday Problem (extended abstract)
In Advances in Cryptology – CRYPTO 2002, 2002
Cited by 6 (0 self)
We study a k-dimensional generalization of the birthday problem: given k lists of n-bit values, find some way to choose one element from each list so that the resulting k values xor to zero. For k = 2, this is just the extremely well-known birthday problem, which has a square-root time algorithm with many applications in cryptography. In this paper, we show new algorithms for the case k > 2: we show a cube-root time algorithm for the case of k = 4 lists, and we give an algorithm with subexponential running time when k is unrestricted.
A cellular automaton based fast oneway hash function suitable for hardware implementation
In Public Key Cryptography, number 1431 in Lecture Notes in Computer Science, 1998
Cited by 6 (0 self)
Abstract. One-way hash functions are an important tool in achieving authentication and data integrity. The aim of this paper is to propose a novel one-way hash function based on cellular automata, whose cryptographic properties have been extensively studied over the past decade or so. Furthermore, the security of the proposed one-way hash function is analyzed by the use of very recently published results on applications of cellular automata in cryptography. The analysis indicates that the one-way hash function is secure against all known attacks. An important feature of the proposed one-way hash function is that it is especially suitable for compact and fast implementation in hardware, which is particularly attractive to emerging security applications that employ smart cards, such as digital identification cards and electronic cash payment protocols.
On the power of memory in the design of collision resistant hash functions
Advances in Cryptology, Proc. Auscrypt'92, LNCS 718, 1993
Cited by 5 (1 self)
Abstract. Collision-resistant hash functions are an important basic tool for cryptographic applications such as digital signature schemes and integrity protection based on “fingerprinting”. This paper proposes a new efficient class of hash functions based on a block cipher that allows for a trade-off between security and speed. The principles behind the scheme can be used to optimize similar proposals.
Collision Attacks on MD5 and SHA-1: Is this the “Sword of Damocles” for Electronic Commerce?
Proceedings of AusCERT Asia Pacific Information Technology Security Conference (AusCERT2006): Refereed R&D Stream, 2006
Cited by 2 (1 self)
Since Wang et al. announced their results regarding the susceptibility of the MD5 (Crypto’04) and SHA-1 (Crypto’05) hash functions to collision attacks, there have been many papers advancing further aspects of these attacks. What has been lacking is an analysis of the legal effect of these attacks upon electronic commerce transactions. As technological advancements are made, the law will need to adjust so as to take account of these attacks, so that there does not arise a total undermining of the electronic commerce environment. The legal implications of these attacks need to be understood so that the courts do not overreact and thus destroy any confidence commerce currently has in operating in the electronic commerce environment. This paper explores the legal implications of these attacks where certain software applications rely, in part, upon either MD5 or SHA-1.
A Family of Fast Dedicated One-Way Hash Functions Based on Linear Cellular Automata over GF(q)
1999
Cited by 2 (0 self)
This paper proposes a novel one-way hash function that can serve as a tool in achieving authenticity and data integrity. The one-way hash function can be viewed as a representative of a family of fast dedicated one-way hash functions whose construction is based on linear cellular automata over GF(q). The design and security analysis of the function are accomplished by the use of very recently published results on cellular automata and their applications in cryptography. The analysis indicates that the one-way hash function is secure against all known attacks. A promising property of the proposed one-way hash function is that it is especially suitable for compact and fast implementation.
Improved Impossible Differential Cryptanalysis of CLEFIA
Cited by 1 (0 self)
Abstract. This paper presents an improved impossible differential attack on the new block cipher CLEFIA, which was proposed by Sony Corporation at FSE 2007. Combining some observations with new tricks, we can filter out the wrong keys more efficiently, and improve the impossible differential attack on 11-round CLEFIA-192/256, which is also the first to work for CLEFIA-128. The complexity is about 2^{98.1} encryptions and 2^{103.1} chosen plaintexts. By putting more constraint conditions on plaintext pairs, we give the first attack on 12-round CLEFIA for all three key lengths, with 2^{114.3} encryptions and 2^{119.3} chosen plaintexts. For CLEFIA-192/256, our attack is applicable to the 13-round variant, of which the time complexity is about 2^{181} and the data complexity is 2^{120}. We also extend our attack to 14-round CLEFIA-256, with about 2^{245.4} encryptions and 2^{120.4} chosen plaintexts. Moreover, a birthday sieve method is introduced to decrease the complexity of the core precomputation. Key words: Block ciphers, cryptanalysis, impossible differential attack, CLEFIA