Results 11  20
of
54
On the Security of TandemDM
"... Abstract. We provide the first proof of security for TandemDM, one of the oldest and most wellknown constructions for turning a blockcipher with nbit blocklength and 2nbit keylength into a 2nbit cryptographic hash function. We prove, that when TandemDM is instantiated with AES256, i.e. blockle ..."
Abstract

Cited by 6 (2 self)
 Add to MetaCart
Abstract. We provide the first proof of security for TandemDM, one of the oldest and most wellknown constructions for turning a blockcipher with nbit blocklength and 2nbit keylength into a 2nbit cryptographic hash function. We prove, that when TandemDM is instantiated with AES256, i.e. blocklength 128 bits and keylength 256 bits, any adversary that asks less than 2 120.4 queries cannot find a collision with success probability greater than 1/2. We also prove a bound for preimage resistance of TandemDM. Interestingly, as there is only one practical construction known (FSE’06, Hirose) turning such an (n,2n)bit blockcipher into a 2nbit compression function that has provably birthdaytype collision resistance, TandemDM is one out of two structures that possess this desirable feature.
New Attacks on all Double Block Length Hash Functions of Hash Rate 1, including the ParallelDM
, 1995
"... . In this paper attacks on double block length hash functions using a block cipher are considered. We present attacks on all double block length hash functions of hash rate 1, that is, hash functions where in each round the block cipher is used twice, s.t. one encryption is needed per message block. ..."
Abstract

Cited by 6 (1 self)
 Add to MetaCart
. In this paper attacks on double block length hash functions using a block cipher are considered. We present attacks on all double block length hash functions of hash rate 1, that is, hash functions where in each round the block cipher is used twice, s.t. one encryption is needed per message block. In particular, our attacks break the ParallelDM presented at Crypto'93[3]. 1 Introduction A hash function is an easily implementable mapping from the set of all binary sequences to the set of binary sequences of some fixed length. An iterated hash function is a hash function Hash(\Delta) determined by an easily computable function h(\Delta; \Delta) from two binary sequences of respective lengths m and l to a binary sequence of length m in the manner that the message M = (M1 ; M2 ; :::; Mn ), where M i is of length l, is hashed to the hash value H = Hn of length m by computing recursively H i = h(H i\Gamma1 ; M i ) i = 1; 2; :::; n; (1) where H0 is a specified initial value. The function...
A Synthetic Indifferentiability Analysis of Some BlockCipherBased Hash Functions
, 2007
"... At ASIACRYPT’06, Chang et al. analyzed the indifferentiability of some popular hash functions based on block ciphers, namely, the twenty collision resistant PGV, the MDC2 and the PBGV hash functions, etc. In particular, two indifferentiable attacks were presented on the four of the twenty collision ..."
Abstract

Cited by 5 (2 self)
 Add to MetaCart
At ASIACRYPT’06, Chang et al. analyzed the indifferentiability of some popular hash functions based on block ciphers, namely, the twenty collision resistant PGV, the MDC2 and the PBGV hash functions, etc. In particular, two indifferentiable attacks were presented on the four of the twenty collision resistant PGV and the PBGV hash functions with the prefixfree padding. In this article, a synthetic indifferentiability analysis of some blockcipherbased hash functions is considered. First, a more precise definition is proposed on the indifferentiability adversary in blockcipherbased hash functions. Next, the advantage of indifferentiability is extended by considering whether the hash function is keyed or not. Finally, a limitation is observed in Chang et al.’s indifferentiable attacks on the four PGV and the PBGV hash functions. The formal proofs show the fact that those hash functions are indifferentiable from a random oracle in the ideal cipher model with the prefixfree padding, the NMAC/HMAC and the chop construction.
Cryptographic Hash Functions
 In Handbook of Information and Communication Security. Peter Stavroulakis, Mark Stamp, Editors. Springer First edition
"... Abstract. 1 This paper presents a new hash function design, which is different from the popular designs of the MD4family. Seen in the light of recent attacks on MD4, MD5, SHA0, SHA1, and on RIPEMD, there is a need to consider other hash function design strategies. The paper presents also a concre ..."
Abstract

Cited by 5 (0 self)
 Add to MetaCart
Abstract. 1 This paper presents a new hash function design, which is different from the popular designs of the MD4family. Seen in the light of recent attacks on MD4, MD5, SHA0, SHA1, and on RIPEMD, there is a need to consider other hash function design strategies. The paper presents also a concrete hash function design named SMASH. One version has a hash code of 256 bits and appears to be at least as fast as SHA256. 1
On the power of memory in the design of collision resistant hash functions
 Advances in Cryptology, Proc. Auscrypt'92, LNCS 718
, 1993
"... Abstract. Collision resistant hash functions are an important basic tool for cryptographic applications such as digital signature schemes and integrity protection based on “fingerprinting”. This paper proposes a new efficient class of hash functions based on a block cipher that allows for a tradeoff ..."
Abstract

Cited by 5 (1 self)
 Add to MetaCart
Abstract. Collision resistant hash functions are an important basic tool for cryptographic applications such as digital signature schemes and integrity protection based on “fingerprinting”. This paper proposes a new efficient class of hash functions based on a block cipher that allows for a tradeoff between security and speed. The principles behind the scheme can be used to optimize similar proposals. 1
The collision security of TandemDM in the ideal cipher model
"... Abstract. We prove that TandemDM, one of the two “classical ” schemes for turning a blockcipher of 2nbit key into a double block length hash function, has birthdaytype collision resistance in the ideal cipher model. A collision resistance analysis for TandemDM achieving a similar birthdaytype b ..."
Abstract

Cited by 5 (1 self)
 Add to MetaCart
Abstract. We prove that TandemDM, one of the two “classical ” schemes for turning a blockcipher of 2nbit key into a double block length hash function, has birthdaytype collision resistance in the ideal cipher model. A collision resistance analysis for TandemDM achieving a similar birthdaytype bound was already proposed by Fleischmann, Gorski and Lucks at FSE 2009 [3]. As we detail, however, the latter analysis is wrong, thus leaving the collision resistance of TandemDM as an open problem until now. 1
Cryptanalysis of Tweaked Versions of SMASH and Reparation
"... Abstract. In this paper, we study the security of permutation based hash functions, i.e. blockcipher based hash functions with fixed keys. SMASH is such a hash function proposed by Knudsen in 2005 and broken the same year by Pramstaller et al. Here we show that the two tweaked versions, proposed soo ..."
Abstract

Cited by 4 (0 self)
 Add to MetaCart
Abstract. In this paper, we study the security of permutation based hash functions, i.e. blockcipher based hash functions with fixed keys. SMASH is such a hash function proposed by Knudsen in 2005 and broken the same year by Pramstaller et al. Here we show that the two tweaked versions, proposed soon after by Knudsen to thwart the attack, can also be attacked in collision in time O(n2 n/3). This time complexity can be reduced to O(2 2 √ n) for the first tweak version, which means an attack against SMASH256 in c ·2 32 for a small constant c. Then, we show that an efficient generalization of SMASH, using two permutations instead of one, can be proved secure against collision in the idealcipher model in Ω(2 n/4) queries to the permutations. In order to analyze the tightness of our proof, we devise a nontrivial attack in O(2 3n/8) queries. Finally, we also prove that our construction is preimage resistant in Ω(2 n/2) queries, which the best security level that can be reached for 2permutation based hash functions, as proved in [12]. 1
Hash functions and RFID tags: Mind the gap
 of Lecture Notes in Computer Science
, 2008
"... Abstract. The security challenges posed by RFIDtag deployments are wellknown. In response there is a rich literature on new cryptographic protocols and an ontag hash function is often assumed by protocol designers. Yet cheap tags pose severe implementation challenges and it is far from clear that ..."
Abstract

Cited by 4 (0 self)
 Add to MetaCart
Abstract. The security challenges posed by RFIDtag deployments are wellknown. In response there is a rich literature on new cryptographic protocols and an ontag hash function is often assumed by protocol designers. Yet cheap tags pose severe implementation challenges and it is far from clear that a suitable hash function even exists. In this paper we consider the options available, including constructions based around compact block ciphers. While we describe the most compact hash functions available today, our work serves to highlight the difficulties in designing lightweight hash functions and (echoing [17]) we urge caution when routinely appealing to a hash function in an RFIDtag protocol. 1
Cryptanalysis of MDC2
 In A. Joux (Ed.): EUROCRYPT 2009, LNCS 5479
, 2009
"... Abstract. We provide a collision attack and preimage attacks on the MDC2 construction, which is a method (dating back to 1988) of turning an nbit block cipher into a 2nbit hash function. The collision attack is the first below the birthday bound to be described for MDC2 and, with n = 128, it has ..."
Abstract

Cited by 3 (0 self)
 Add to MetaCart
Abstract. We provide a collision attack and preimage attacks on the MDC2 construction, which is a method (dating back to 1988) of turning an nbit block cipher into a 2nbit hash function. The collision attack is the first below the birthday bound to be described for MDC2 and, with n = 128, it has complexity 2 124.5, which is to be compared to the birthday attack having complexity 2 128. The preimage attacks constitute new time/memory tradeoffs; the most efficient attack requires time and space about 2 n, which is to be compared to the previous best known preimage attack of Lai and Massey (Eurocrypt ’92), having time complexity 2 3n/2 and space complexity 2 n/2, and to a brute force preimage attack having complexity 2 2n.
Multipropertypreserving Domain Extension Using Polynomialbased Modes of Operation
 Advances in cryptology – EUROcrYPT’10, LNCS
"... Abstract. In this paper, we propose a new doublepiped mode of operation for multipropertypreserving domain extension of MACs (message authentication codes), PRFs (pseudorandom functions) and PROs (pseudorandom oracles). Our mode of operation performs twice as fast as the original doublepiped mode ..."
Abstract

Cited by 3 (0 self)
 Add to MetaCart
Abstract. In this paper, we propose a new doublepiped mode of operation for multipropertypreserving domain extension of MACs (message authentication codes), PRFs (pseudorandom functions) and PROs (pseudorandom oracles). Our mode of operation performs twice as fast as the original doublepiped mode of operation of Lucks [15] while providing comparable security. Our construction, which uses a class of polynomialbased compression functions proposed by Stam [22, 23], makes a single call to a 3nbit to nbit primitive at each iteration and uses a finalization function f2 at the last iteration, producing an nbit hash function H[f1, f2] satisfying the following properties. 1. H[f1, f2] is unforgeable up to O(2 n /n) query complexity as long as f1 and f2 are unforgeable. 2. H[f1, f2] is pseudorandom up to O(2 n /n) query complexity as long as f1 is unforgeable and f2 is pseudorandom. 3. H[f1, f2] is indifferentiable from a random oracle up to O(2 2n/3) query complexity as long as f1 and f2 are public random functions. To our knowledge, our result constitutes the first time O(2 n /n) unforgeability has been achieved using only an unforgeable primitive of nbit output length. (Yasuda showed unforgeability of O(2 5n/6) for Lucks ’ construction assuming an unforgeable primitive, but the analysis is suboptimal; in the appendix, we show how Yasuda’s bound can be improved to O(2 n).) In related work, we strengthen Stam’s collision resistance analysis of polynomialbased compression functions (showing that unforgeability of the primitive suffices) and discuss how to implement our mode by replacing f1 with a 2nbit key blockcipher in DaviesMeyer mode or by replacing f1 with the cascade of two 2nbit to nbit compression functions. 1