Results 1-10 of 33
Hash function balance and its impact on birthday attacks
Advances in Cryptology – EUROCRYPT ’04, Lecture Notes in Computer Science, 2004
Cited by 27 (2 self)
Abstract. Textbooks tell us that a birthday attack on a hash function h with range size r requires r^{1/2} trials (hash computations) to find a collision. But this is quite misleading, being true only if h is regular, meaning all points in the range have the same number of preimages under h; if h is not regular, fewer trials may be required. But how much fewer? This paper addresses this question by introducing a measure of the “amount of regularity” of a hash function that we call its balance, and then providing estimates of the success rate of the birthday attack, and the expected number of trials to find a collision, as a function of the balance of the hash function being attacked. In particular, we will see that the number of trials can be significantly less than r^{1/2} for hash functions of low balance. This leads us to examine popular design principles, such as the MD (Merkle-Damgård) transform, from the point of view of balance preservation, and to mount experiments to determine the balance of popular hash functions.
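As an added example (not code from the paper), the Python below computes the balance of two constructed toy hash functions with the same domain (2^16 points) and range (256 points) and then measures how many birthday trials each one actually needs. The balance definition mu(h) = log_r(d^2 / sum_i d_i^2), with d the domain size and d_i the preimage count of range point i, is Bellare and Kohno's; the toy hash functions, the simulation, the run counts and the seeds are assumptions of this example.

```python
"""Hash-function balance vs. birthday-attack cost (added example, not from the paper).

Balance, as defined by Bellare and Kohno:  mu(h) = log_r( d^2 / sum_i d_i^2 ),
where d = |domain|, r = |range| and d_i = number of preimages of range point i.
mu(h) = 1 for a regular h and 0 for a constant h; the paper's estimate of the
expected number of birthday trials scales as r^(mu(h)/2).  The two toy hash
functions below and the simulation are constructed here for illustration.
"""
import math
import random
from collections import Counter

D = 2 ** 16   # domain {0, ..., D-1}
R = 256       # range  {0, ..., R-1}


def regular_hash(x):
    """Every range point has exactly D/R = 256 preimages."""
    return x & 0xFF


def skewed_hash(x):
    """Constructed low-balance hash: points 0..15 get 3136 preimages each,
    the other 240 range points get 64 each (same domain, same range)."""
    return x & 0xFF if x < 2 ** 14 else x & 0x0F


def balance(h, d, r):
    """mu(h) = log_r(d^2 / sum d_i^2), computed by exhaustive preimage counting."""
    counts = Counter(h(x) for x in range(d))
    return math.log(d * d / sum(c * c for c in counts.values()), r)


def estimated_trials(r, mu):
    """Order of magnitude of trials predicted by the balance analysis: r^(mu/2)."""
    return r ** (mu / 2)


def birthday_trials(h, d, rng):
    """One birthday attack: draw random domain points until two distinct
    points share a hash value; return the number of hash evaluations used."""
    seen = {}
    trials = 0
    while True:
        x = rng.randrange(d)
        trials += 1
        y = h(x)
        if y in seen and seen[y] != x:   # same output from a different input
            return trials
        seen[y] = x


def mean_trials(h, d, runs, seed):
    """Average cost of the birthday attack over `runs` independent attacks."""
    rng = random.Random(seed)
    return sum(birthday_trials(h, d, rng) for _ in range(runs)) / runs


if __name__ == "__main__":
    for name, h in (("regular", regular_hash), ("skewed", skewed_hash)):
        mu = balance(h, D, R)
        print(f"{name:8s} balance={mu:.3f}  predicted~{estimated_trials(R, mu):5.1f}"
              f"  measured={mean_trials(h, D, 500, 1):5.1f} trials")
```

The regular function has balance exactly 1 and needs about r^{1/2} = 16 trials (a bit more in the measured mean, since r^{1/2} is the order of magnitude rather than the expectation); the skewed function has balance about 0.6 and is found to collide in a handful of trials, which is the effect the abstract describes.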
Herding hash functions and the Nostradamus attack
Lecture Notes in Computer Science, 2006
Cited by 25 (6 self)
Abstract. In this paper, we develop a new attack on Damgård-Merkle hash functions, called the herding attack, in which an attacker who can find many collisions on the hash function by brute force can first provide the hash of a message, and later “herd” any given starting part of a message to that hash value by the choice of an appropriate suffix. We focus on a property which hash functions should have, Chosen Target Forced Prefix (CTFP) preimage resistance, and show the distinction between Damgård-Merkle construction hashes and random oracles with respect to this property. We describe a number of ways that violation of this property can be used in arguably practical attacks on real-world applications of hash functions. An important lesson from these results is that hash functions susceptible to collision-finding attacks, especially brute-force collision-finding attacks, cannot in general be used to prove knowledge of a secret value.
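To make the herding attack concrete, here is an added example (not code from the Kelsey and Kohno paper) against a constructed toy Merkle-Damgård hash with a 16-bit chaining value: 2^k random leaf chaining values are joined pairwise by brute-force collisions into a "diamond structure" whose root is published as the commitment; later, any chosen prefix is "herded" onto a leaf with one linking block and completed with that leaf's stored path, so the suffix makes the forced-prefix message hash to the committed value. The toy compression function (SHA-256 truncated to 16 bits), the 4-byte block size, the no-padding convention and the seeds are assumptions of this example; a real hash changes only the exponents (about 2^(n/2+k/2+2) work for the diamond and 2^(n-k) for the link).

```python
"""Toy herding (Nostradamus) attack on a Merkle-Damgård hash (added example,
not code from the paper).  Constructed toy hash: 16-bit chaining value,
4-byte blocks, compression function = SHA-256 truncated to 16 bits, no padding.
"""
import hashlib
import random

N_BITS = 16
BLOCK = 4
IV = 0


def compress(h, block):
    """Toy compression function: truncated SHA-256 of chaining value || block."""
    digest = hashlib.sha256(h.to_bytes(2, "big") + block).digest()
    return int.from_bytes(digest[:2], "big")


def walk(h, blocks):
    """Run the compression function over a sequence of blocks."""
    for b in blocks:
        h = compress(h, b)
    return h


def md_hash(message):
    """Toy Merkle-Damgård hash; message length must be a multiple of BLOCK."""
    assert len(message) % BLOCK == 0
    return walk(IV, [message[i:i + BLOCK] for i in range(0, len(message), BLOCK)])


def find_collision(a, b, rng):
    """Brute-force blocks ma, mb with compress(a, ma) == compress(b, mb).
    Two-sided birthday search, about 2^(N_BITS/2) compressions."""
    seen_a, seen_b = {}, {}
    while True:
        ma = rng.getrandbits(8 * BLOCK).to_bytes(BLOCK, "big")
        ha = compress(a, ma)
        if ha in seen_b:
            return ma, seen_b[ha], ha
        seen_a[ha] = ma
        mb = rng.getrandbits(8 * BLOCK).to_bytes(BLOCK, "big")
        hb = compress(b, mb)
        if hb in seen_a:
            return seen_a[hb], mb, hb
        seen_b[hb] = mb


def build_diamond(k, rng):
    """Return ({leaf: [blocks leading to the root]}, root) for 2^k random leaves."""
    leaves = rng.sample(range(2 ** N_BITS), 2 ** k)
    paths = {leaf: [] for leaf in leaves}
    level = list(leaves)                  # chaining values at the current level
    groups = [[leaf] for leaf in leaves]  # leaves currently sitting at each value
    while len(level) > 1:
        nxt, nxt_groups = [], []
        for i in range(0, len(level), 2):
            ma, mb, h = find_collision(level[i], level[i + 1], rng)
            for leaf in groups[i]:
                paths[leaf].append(ma)
            for leaf in groups[i + 1]:
                paths[leaf].append(mb)
            nxt.append(h)
            nxt_groups.append(groups[i] + groups[i + 1])
        level, groups = nxt, nxt_groups
    return paths, level[0]


def herd(prefix, paths, rng):
    """Find a linking block that takes the prefix's chaining value onto some
    leaf, then append that leaf's stored path.  About 2^(N_BITS-k) compressions."""
    prefix = prefix.ljust(-(-len(prefix) // BLOCK) * BLOCK, b" ")  # pad to a block boundary
    h = md_hash(prefix)
    while True:
        link = rng.getrandbits(8 * BLOCK).to_bytes(BLOCK, "big")
        leaf = compress(h, link)
        if leaf in paths:
            return prefix + link + b"".join(paths[leaf])


def herd_demo(k, prefixes, seed):
    """Commit to a diamond root, then herd each prefix to it; return (root, paths, messages)."""
    rng = random.Random(seed)
    paths, root = build_diamond(k, rng)          # commitment is published now
    return root, paths, [herd(p, paths, rng) for p in prefixes]  # prefixes chosen later


if __name__ == "__main__":
    root, _, msgs = herd_demo(3, [b"Team A wins the final", b"Team B wins the final"], 2006)
    print(f"committed hash: {root:04x}")
    for m in msgs:
        print(m[:21].decode(), "->", f"{md_hash(m):04x}", "suffix", m[21:].hex())
```

Both contradictory "predictions" hash to the value committed before either was chosen, which is exactly why the abstract warns that a hash whose collisions can be found by brute force cannot be used to prove prior knowledge.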
The Classification of Hash Functions
1993
Cited by 24 (3 self)
When we ask what makes a hash function `good', we usually get an answer which includes collision freedom as the main (if not sole) desideratum. However, we show here that given any collision-free function, we can derive others which are also collision-free, but cryptographically useless. This explains why researchers have not managed to find many interesting consequences of this property. We also prove Okamoto's conjecture that correlation freedom is strictly stronger than collision freedom. We go on to show that there are actually rather many properties which hash functions may need. Hash functions for use with RSA must be multiplication free, in the sense that one cannot find X, Y and Z such that h(X)h(Y) = h(Z); and more complex requirements hold for other signature schemes. Universal principles can be proposed from which all the freedom properties follow, but like most theoretical principles, they do not seem to give much value to a designer; at the practical level, the main imp...
Hash Functions Based on Block Ciphers and Quaternary Codes
Advances in Cryptology – ASIACRYPT, 1996
Cited by 10 (2 self)
We consider constructions for cryptographic hash functions based on m-bit block ciphers. First we present a new attack on the LOKI-DBH mode: the attack finds collisions in 2^{3m/4} encryptions, which should be compared to 2^m encryptions for a brute force attack. This attack breaks the last remaining subclass in a wide class of efficient hash functions which have been proposed in the literature. We then analyze hash functions based on a collision resistant compression function for which finding a collision requires at least 2^m encryptions, providing a lower bound of the complexity of collisions of the hash function. A new class of constructions is proposed, based on error correcting codes over GF(2^2) and a proof of security is given, which relates their security to that of single block hash functions. For example, a compression function is presented which requires about 4 encryptions to hash an m-bit block, and for which finding a collision requires at least 2^m encryptions...
Construction of secure and fast hash functions using non-binary error-correcting codes
IEEE Transactions on Information Theory
Cited by 9 (0 self)
Abstract—This paper considers iterated hash functions. It proposes new constructions of fast and secure compression functions withbit outputs for integers 1 based on error-correcting codes and secure compression functions withbit outputs. This leads to simple and practical hash function constructions based on block ciphers such as Data Encryption Standard (DES), where the key size is slightly smaller than the block size; IDEA, where the key size is twice the block size; Advanced Encryption Standard (AES), with a variable key size; and to MD4-like hash functions. Under reasonable assumptions about the underlying compression function and/or block cipher, it is proved that the new hash functions are collision resistant. More precisely, a lower bound is shown on the number of operations to find a collision as a function of the strength of the underlying compression function. Moreover, some new attacks are presented that essentially match the presented lower bounds. The constructions allow for a large degree of internal parallelism. The limits of this approach are studied in relation to bounds derived in coding theory. Index Terms—Birthday attacks, block ciphers, hash functions, non-binary codes.
A cellular automaton based fast one-way hash function suitable for hardware implementation
In Public Key Cryptography, number 1431 in Lecture Notes in Computer Science, 1998
Cited by 6 (0 self)
Abstract. One-way hash functions are an important tool in achieving authentication and data integrity. The aim of this paper is to propose a novel one-way hash function based on cellular automata whose cryptographic properties have been extensively studied over the past decade or so. Furthermore, security of the proposed one-way hash function is analyzed by the use of very recently published results on applications of cellular automata in cryptography. The analysis indicates that the one-way hash function is secure against all known attacks. An important feature of the proposed one-way hash function is that it is especially suitable for compact and fast implementation in hardware, which is particularly attractive to emerging security applications that employ smart cards, such as digital identification cards and electronic cash payment protocols.
A Generalized Birthday Problem (extended abstract)
In Advances in Cryptology – CRYPTO 2002, 2002
Cited by 6 (0 self)
We study a k-dimensional generalization of the birthday problem: given k lists of n-bit values, find some way to choose one element from each list so that the resulting k values XOR to zero. For k = 2, this is just the extremely well-known birthday problem, which has a square-root time algorithm with many applications in cryptography. In this paper, we show new algorithms for the case k > 2: we show a cube-root time algorithm for the case of k = 4 lists, and we give an algorithm with sub-exponential running time when k is unrestricted.
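The k = 4 case is small enough to run in full. As an added example (not code from Wagner's paper), the Python below implements the two-level k-tree algorithm: the first level joins L1 with L2 and L3 with L4, keeping only pairs whose XOR is zero on the low n/3 bits, which leaves about 2^(n/3) partial sums per side; the second level is an ordinary birthday match between the two survivor lists on the remaining 2n/3 bits. Total time and memory are about 2^(n/3) instead of the 2^(n/2) a pairwise birthday attack needs. The random lists, n = 36 and the seed are assumptions of this example, and the lists are made 2^(n/3+1) long rather than 2^(n/3) so that a solution exists with overwhelming probability (about 16 expected instead of 1).

```python
"""Wagner's generalized birthday algorithm for k = 4 lists (added example, not
from the paper).  Find one element from each of four lists of n-bit values so
that the four XOR to zero, in about 2^(n/3) time and memory.
"""
import random


def join_on_low_bits(A, B, mask):
    """Return (a ^ b, a, b) for all pairs whose XOR is zero on the bits of `mask`,
    i.e. pairs whose low bits agree.  Hash join: linear in |A| + |B| + #matches."""
    by_low = {}
    for b in B:
        by_low.setdefault(b & mask, []).append(b)
    return [(a ^ b, a, b) for a in A for b in by_low.get(a & mask, ())]


def four_list_xor(L1, L2, L3, L4, n):
    """k-tree algorithm for k = 4.  Level 1 zeroes the low n/3 bits of each
    pair's XOR; level 2 is a plain birthday match on the remaining 2n/3 bits of
    the ~2^(n/3) survivors per side.  Returns (a, b, c, d) or None."""
    low = n // 3
    mask = (1 << low) - 1
    L12 = join_on_low_bits(L1, L2, mask)   # ~|L1||L2| / 2^low survivors
    L34 = join_on_low_bits(L3, L4, mask)
    by_xor = {}
    for v, c, d in L34:
        by_xor.setdefault(v, (c, d))
    for v, a, b in L12:
        if v in by_xor:                    # a^b == c^d  <=>  a^b^c^d == 0
            c, d = by_xor[v]
            return a, b, c, d
    return None


def random_lists(count, size, n, seed):
    """`count` lists of `size` uniformly random n-bit values (constructed test data)."""
    rng = random.Random(seed)
    return [[rng.getrandbits(n) for _ in range(size)] for _ in range(count)]


def solve(n, seed):
    """Build 4 lists of size 2^(n/3 + 1) and run the algorithm; return (lists, solution)."""
    lists = random_lists(4, 1 << (n // 3 + 1), n, seed)
    return lists, four_list_xor(*lists, n)


if __name__ == "__main__":
    lists, sol = solve(36, 2002)
    print("solution:", [f"{x:09x}" for x in sol],
          "xor =", sol[0] ^ sol[1] ^ sol[2] ^ sol[3])
```

With n = 36 the lists hold 8192 values each, so the whole search touches a few tens of thousands of entries; a two-list birthday attack on the same 36-bit problem would need lists of about 2^18 values.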
On the power of memory in the design of collision resistant hash functions
Advances in Cryptology, Proc. Auscrypt'92, LNCS 718, 1993
Cited by 6 (2 self)
Abstract. Collision resistant hash functions are an important basic tool for cryptographic applications such as digital signature schemes and integrity protection based on “fingerprinting”. This paper proposes a new efficient class of hash functions based on a block cipher that allows for a tradeoff between security and speed. The principles behind the scheme can be used to optimize similar proposals.
Collision Attacks on MD5 and SHA-1: Is this the “Sword of Damocles” for Electronic Commerce?
Proceedings of AusCERT Asia Pacific Information Technology Security Conference (AusCERT2006): Refereed R&D Stream, 2006
Cited by 3 (1 self)
Since Wang et al. announced their results regarding the susceptibility of MD5 (Crypto’04) and SHA-1 (Crypto’05) hash functions to collision attacks, there have been many papers advancing further aspects of these attacks. What has been lacking is an analysis of the legal effect of these attacks upon electronic commerce transactions. As technological advancements are made, the law will need to adjust so as to take account of these attacks so that there does not arise a total undermining of the electronic commerce environment. The legal implications of these attacks need to be understood so that the courts do not overreact and thus destroy any confidence commerce currently has in operating in the electronic commerce environment. This paper explores the legal implications of these attacks where certain software applications rely, in part, upon either MD5 or SHA-1.
A Light Weight Enhancement to RC4 Based Security for Resource Constrained Wireless Devices
2005
Cited by 2 (1 self)
The Wired Equivalent Privacy (WEP) uses the 64 bit RC4 secret key stream cipher as its layer 2 security protocol. Although the underlying RC4 cipher is secure, the potential reuse of the same key stream by different frames is a weakness in the WEP. One enhancement to WEP is the Temporal Key Integrity Protocol (TKIP), which acts as a wrapper to the WEP protocol and uses a 128 bit RC4 encryption to eliminate the possibility of key reuse within a given session. However, TKIP cannot be gainfully employed in devices where the 64 bit RC4 encryption is hardwired. Also, with 128 bit encryption TKIP can secure 10-30 frames per session. Comparing this to the typical number of frames per session (500-1000), it is easy to see that the use of a 128 bit key causes unnecessary drain of power. The Wi-Fi Protected Access (WPA) uses a 128 bit Advanced Encryption Standard (AES) cipher in the Counter Mode CBC-MAC Protocol (CCMP). This protocol requires higher computational power than the TKIP and is only intended for devices which possess higher computational power and memory. In this paper, we propose a light weight enhancement to the 64 bit WEP, which provides significant improvement in security (measured as the number of frames securely transmitted before base key change) with small energy and memory overhead. Moreover, our technique can be tailored to the specific needs of resource constrained environments to provide just the necessary level of security. We use the Intrinsyc CerfCube 1 as a resource constrained wireless device and measure the resource consumed by various wireless security protocols on this device. From the experimental results we see that proposed LWE consumes about 62% less power compared to TKIP and 99% less power compared to CCMP (AES), while pro...
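The weakness the abstract names, reuse of one RC4 keystream by different frames, can be shown end to end. As an added example (not code from the paper), the Python below implements textbook RC4, derives the per-frame WEP key as IV || root key (3 + 5 bytes for "64-bit" WEP), encrypts two constructed frames under the same IV, and recovers the second plaintext from the first: with C1 = P1 xor KS and C2 = P2 xor KS, C1 xor C2 = P1 xor P2, so one known plaintext yields both the other plaintext and the keystream itself, which then decrypts every further frame sent under that IV. The root key, IV and payloads are constructed test data, the ICV is omitted, and the LLC/SNAP header used as known plaintext is the fixed header that 802.11 data frames carry in practice.

```python
"""Keystream reuse in RC4/WEP (added example, not code from the paper).
WEP per-frame key = IV || root key; two frames under one IV share a keystream,
so C1 xor C2 = P1 xor P2 and a known plaintext exposes the other frame and the
keystream.  Keys, IV and payloads below are constructed test data; no ICV.
"""


def rc4_keystream(key, length):
    """Textbook RC4: key-scheduling, then `length` bytes of PRGA output."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # KSA
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                    # PRGA
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a, b):
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(root_key, iv, plaintext):
    """WEP-style frame body: 3-byte IV in the clear, payload XORed with RC4(IV || key)."""
    assert len(iv) == 3
    return iv + xor_bytes(plaintext, rc4_keystream(iv + root_key, len(plaintext)))


def recover_with_known_plaintext(frame1, frame2, known_p1):
    """If both frames carry the same IV, return (keystream, plaintext of frame2),
    each as long as known_p1; return None if the IVs differ."""
    iv1, c1 = frame1[:3], frame1[3:]
    iv2, c2 = frame2[:3], frame2[3:]
    if iv1 != iv2:
        return None
    keystream = xor_bytes(c1, known_p1)        # c1 = p1 ^ ks  =>  ks = c1 ^ p1
    return keystream, xor_bytes(c2, keystream)  # p2 = c2 ^ ks


def demo():
    """Encrypt two constructed frames under one IV and recover the unknown one."""
    root_key = bytes.fromhex("0123456789")     # constructed 40-bit WEP key
    iv = bytes.fromhex("a1b2c3")               # the IV both frames reuse
    # Constructed payloads; both begin with the fixed LLC/SNAP header of an
    # 802.11 IPv4 data frame (aa aa 03 00 00 00 08 00), the classic known plaintext.
    llc = bytes.fromhex("aaaa030000000800")
    p1 = llc + b"GET /index.html HTTP/1.0\r\n"
    p2 = llc + b"user=admin&pw=hunter2\r\n\r\n"
    f1 = wep_encrypt(root_key, iv, p1)
    f2 = wep_encrypt(root_key, iv, p2)
    # The attacker knows frame 1's content (e.g. traffic it provoked itself) ...
    ks, p2_recovered = recover_with_known_plaintext(f1, f2, p1)
    # ... and can strip the recovered keystream from any later frame under this IV.
    f3 = wep_encrypt(root_key, iv, llc + b"another secret frame")
    p3_recovered = xor_bytes(f3[3:], ks)
    return p2_recovered, p3_recovered


if __name__ == "__main__":
    for p in demo():
        print(p)
```

Nothing here breaks RC4 itself; the failure is the protocol's key management, which is why the abstract measures security as the number of frames that can be sent before the base key changes.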