Dedicated hash functions are cryptographically secure compression functions which are designed specifically for hashing. They intend to form a practical alternative for hash functions based on another cryptographic primitive like a block cipher or modular squaring. About a dozen of dedicated hash functions have been proposed in the literature. This paper discusses the design principles on which these hash functions are based.

Attacks on double block length hash functions using a block cipher are considered in this paper. We present a general free-start attack, in which the attacker is free to choose the initial value, and a real attack on a large class of hash functions. Recent results on the complexities of attacks on double block hash functions are summarized. 1 Introduction A hash function is an easily implementable mapping from the set of all binary sequences of some specified minimum length or greater to the set of binary sequences of some fixed length. In cryptographic applications, hash functions are used within digital signature schemes and within schemes to provide data integrity (e.g., to detect modification of a message). An iterated hash function is a hash function Hash(\Delta) determined by an easily computable function h(\Delta; \Delta) from two binary sequences of respective lengths m and l to a binary sequence of length m in the manner that the message M = (M 1 ; M 2 ; :::; M n ), where M i...

Abstract. In this paper we study the strength of two hash functions which are based on Generalized Feistels. We describe a new kind of attack based on a cancellation property in the round function. This new technique allows to efficiently use the degrees of freedom available to attack a hash function. Using the cancellation property, we can avoid the non-linear parts of the round function, at the expense of some freedom degrees. Our attacks are mostly independent of the round function in use, and can be applied to similar hash functions which share the same structure but have different round functions. We start with a 22-round generic attack on the structure of Lesamnta, and adapt it to the actual round function to attack 24-round Lesamnta (the full function has 32 rounds). We follow with an attack on 9-round SHAvite-3 512 which also works for the tweaked version of SHAvite-3 512. 1

At ASIACRYPT’06, Chang et al. analyzed the indifferentiability of some popular hash functions based on block ciphers, namely, the twenty collision resistant PGV, the MDC2 and the PBGV hash functions, etc. In particular, two indifferentiable attacks were presented on the four of the twenty collision resistant PGV and the PBGV hash functions with the prefix-free padding. In this article, a synthetic indifferentiability analysis of some block-cipher-based hash functions is considered. First, a more precise definition is proposed on the indifferentiability adversary in block-cipher-based hash functions. Next, the advantage of indifferentiability is extended by considering whether the hash function is keyed or not. Finally, a limitation is observed in Chang et al.’s indifferentiable attacks on the four PGV and the PBGV hash functions. The formal proofs show the fact that those hash functions are indifferentiable from a random oracle in the ideal cipher model with the prefix-free padding, the NMAC/HMAC and the chop construction. 1

Abstract. We revisit the rate-1 blockcipher based hash functions as first studied by Preneel, Govaerts and Vandewalle (Crypto’93) and later extensively analysed by Black, Rogaway and Shrimpton (Crypto’02). We analyse a further generalization where any pre- and postprocessing is considered. This leads to a clearer understanding of the current classification of rate-1 blockcipher based schemes as introduced by Preneel et al. and refined by Black et al. In addition, we also gain insight in chopped, overloaded and supercharged compression functions. In the latter category we propose two compression functions based on a single call to a blockcipher whose collision resistance exceeds the birthday bound on the cipher’s blocklength. 1

Abstract. The security challenges posed by RFID-tag deployments are wellknown. In response there is a rich literature on new cryptographic protocols and an on-tag hash function is often assumed by protocol designers. Yet cheap tags pose severe implementation challenges and it is far from clear that a suitable hash function even exists. In this paper we consider the options available, including constructions based around compact block ciphers. While we describe the most compact hash functions available today, our work serves to highlight the difficulties in designing lightweight hash functions and (echoing [17]) we urge caution when routinely appealing to a hash function in an RFID-tag protocol. 1

Abstract. The Feistel structure is well-known as a good structure for building block ciphers, due to its property of invertibility. It can be made non-invertible by fixing the left half of the input to 0, and by discarding the left half of the output bits. It then becomes suitable as a hash function construction. This paper uses the structure to build a hash function called F-Hash, which is immune to recent attack styles. Generally the security of such structures is discussed using Random Oracle Models. In this paper, a more precise evaluation method, based upon conditional probability, is given.

A secure hash structure in Random Oracle Model may not be a secure model in true design. In this paper, we give an integrated proof method on security proof of iterated hash structure. Based on the proof method, we can distinguish the security of Merkel-Damagård structure, wide-pipe hash, double-pipe hash and 3c hash and know the requirement of true design on compression function, and give a new recommend structure. At last, we give new hash structure, MAC structure, encryption model, which use same block cipher round function and key schedule algorithm, the security proofs on those structures are given.

We propose a new infinite family of cryptographic hash functions, Edon–R, based on a recently defined candidate one-way function. Edon–R is a class of hash functions with variable output lengths. It is defined using quasigroups and quasigroup string transformations.

Abstract. In this paper, we study the security of permutation based hash functions, i.e. blockcipher based hash functions with fixed keys. SMASH is such a hash function proposed by Knudsen in 2005 and broken the same year by Pramstaller et al. Here we show that the two tweaked versions, proposed soon after by Knudsen to thwart the attack, can also be attacked in collision in time O(n2 n/3). This time complexity can be reduced to O(2 2 √ n) for the first tweak version, which means an attack against SMASH-256 in c ·2 32 for a small constant c. Then, we show that an efficient generalization of SMASH, using two permutations instead of one, can be proved secure against collision in the ideal-cipher model in Ω(2 n/4) queries to the permutations. In order to analyze the tightness of our proof, we devise a non-trivial attack in O(2 3n/8) queries. Finally, we also prove that our construction is preimage resistant in Ω(2 n/2) queries, which the best security level that can be reached for 2-permutation based hash functions, as proved in [12]. 1