Results 1  10
of
371
Security Arguments for Digital Signatures and Blind Signatures
 JOURNAL OF CRYPTOLOGY
, 2000
"... Since the appearance of publickey cryptography in the seminal DiffieHellman paper, many new schemes have been proposed and many have been broken. Thus, the ..."
Abstract

Cited by 374 (41 self)
 Add to MetaCart
Since the appearance of publickey cryptography in the seminal DiffieHellman paper, many new schemes have been proposed and many have been broken. Thus, the
How to break MD5 and other hash functions
 In EUROCRYPT
, 2005
"... Abstract. MD5 is one of the most widely used cryptographic hash functions nowadays. It was designed in 1992 as an improvement of MD4, and its security was widely studied since then by several authors. The best known result so far was a semi freestart collision, in which the initial value of the has ..."
Abstract

Cited by 315 (7 self)
 Add to MetaCart
(Show Context)
Abstract. MD5 is one of the most widely used cryptographic hash functions nowadays. It was designed in 1992 as an improvement of MD4, and its security was widely studied since then by several authors. The best known result so far was a semi freestart collision, in which the initial value of the hash function is replaced by a nonstandard value, which is the result of the attack. In this paper we present a new powerful attack on MD5 which allows us to find collisions efficiently. We used this attack to find collisions of MD5 in about 15 minutes up to an hour computation time. The attack is a differential attack, which unlike most differential attacks, does not use the exclusiveor as a measure of difference, but instead uses modular integer subtraction as the measure. We call this kind of differential a modular differential. An application of this attack to MD4 can find a collision in less than a fraction of a second. This attack is also applicable to other hash functions, such as RIPEMD and HAVAL. 1
How to Timestamp a Digital Document
 Journal of Cryptology
, 1991
"... The prospect of a world in which all text, audio, picture, and video documents are in digital form on easily modifiable media raises the issue of how to certify when a document was created or last changed. The problem is to timestamp the data, not the medium. We propose computationally practical ..."
Abstract

Cited by 247 (5 self)
 Add to MetaCart
(Show Context)
The prospect of a world in which all text, audio, picture, and video documents are in digital form on easily modifiable media raises the issue of how to certify when a document was created or last changed. The problem is to timestamp the data, not the medium. We propose computationally practical procedures for digital timestamping of such documents so that it is infeasible for a user either to backdate or to forwarddate his document, even with the collusion of a timestamping service. Our procedures maintain complete privacy of the documents themselves, and require no recordkeeping by the timestamping service. Appeared, with minor editorial changes, in Journal of Cryptology, Vol. 3, No. 2, pp. 99111, 1991. 0 Time's glory is to calm contending kings, To unmask falsehood, and bring truth to light, To stamp the seal of time in aged things, To wake the morn, and sentinel the night, To wrong the wronger till he render right. The Rape of Lucrece, l. 941 1 Introduction ...
How to Sign Digital Streams
, 1997
"... We present a new efficient paradigm for signing digital streams. The problem of signing digital streams to prove their authenticity is substantially different from the problem of signing regular messages. Traditional signature schemes are message oriented and require the receiver to process the enti ..."
Abstract

Cited by 174 (0 self)
 Add to MetaCart
(Show Context)
We present a new efficient paradigm for signing digital streams. The problem of signing digital streams to prove their authenticity is substantially different from the problem of signing regular messages. Traditional signature schemes are message oriented and require the receiver to process the entire message before being able to authenticate its signature. However, a stream is a potentially very long ( or infinite) sequence of bits that the sender sends to the receiver and the receiver is required to consumes the received bits at more or less the input rate and without excessive delay. Therefore it is infeasible for the receiver to obtain the entire stream before authenticating and consuming it. Examples of streams include digitized video and audio files, data feeds and applets. We present two solutions to the problem of authenticating digital streams. The first one is for the case of a finite stream which is entirely known to the sender (say a movie). We use this constraint to devise...
RIPEMD160: A Strengthened Version of RIPEMD
, 1996
"... Abstract. Cryptographic hash functions are an important tool in cryptography for applications such as digital fingerprinting of messages, message authentication, and key derivation. During the last five years, several fast software hash functions have been proposed; most of them are based on the des ..."
Abstract

Cited by 135 (18 self)
 Add to MetaCart
Abstract. Cryptographic hash functions are an important tool in cryptography for applications such as digital fingerprinting of messages, message authentication, and key derivation. During the last five years, several fast software hash functions have been proposed; most of them are based on the design principles of Ron Rivest’s MD4. One such proposal was RIPEMD, which was developed in the framework of the EU project RIPE (Race Integrity Primitives Evaluation). Because of recent progress in the cryptanalysis of these hash functions, we propose a new version of RIPEMD with a 160bit result, as well as a plugin substitute for RIPEMD with a 128bit result. We also compare the software performance of several MD4based algorithms, which is of independent interest. 1
Blackbox analysis of the blockcipherbased hashfunction constructions from pgv
 In Advances in Cryptology – CRYPTO ’02 (2002
, 2002
"... Abstract. Preneel, Govaerts, and Vandewalle [6] considered the 64 most basic ways to construct a hash function H: {0, 1} ∗ →{0, 1} n from a block cipher E: {0, 1} n ×{0, 1} n →{0, 1} n. They regarded 12 of these 64 schemes as secure, though no proofs or formal claims were given. The remaining 52 sc ..."
Abstract

Cited by 126 (16 self)
 Add to MetaCart
(Show Context)
Abstract. Preneel, Govaerts, and Vandewalle [6] considered the 64 most basic ways to construct a hash function H: {0, 1} ∗ →{0, 1} n from a block cipher E: {0, 1} n ×{0, 1} n →{0, 1} n. They regarded 12 of these 64 schemes as secure, though no proofs or formal claims were given. The remaining 52 schemes were shown to be subject to various attacks. Here we provide a formal and quantitative treatment of the 64 constructions considered by PGV. We prove that, in a blackbox model, the 12 schemes that PGV singled out as secure really are secure: we give tight upper and lower bounds on their collision resistance. Furthermore, by stepping outside of the MerkleDamg˚ard approach to analysis, we show that an additional 8 of the 64 schemes are just as collision resistant (up to a small constant) as the first group of schemes. Nonetheless, we are able to differentiate among the 20 collisionresistant schemes by bounding their security as oneway functions. We suggest that proving blackbox bounds, of the style given here, is a feasible and useful step for understanding the security of any blockcipherbased hashfunction construction. 1
New proofs for NMAC and HMAC: Security without collisionresistance
, 2006
"... HMAC was proved in [3] to be a PRF assuming that (1) the underlying compression function is a PRF, and (2) the iterated hash function is weakly collisionresistant. However, recent attacks show that assumption (2) is false for MD5 and SHA1, removing the proofbased support for HMAC in these cases. ..."
Abstract

Cited by 113 (9 self)
 Add to MetaCart
(Show Context)
HMAC was proved in [3] to be a PRF assuming that (1) the underlying compression function is a PRF, and (2) the iterated hash function is weakly collisionresistant. However, recent attacks show that assumption (2) is false for MD5 and SHA1, removing the proofbased support for HMAC in these cases. This paper proves that HMAC is a PRF under the sole assumption that the compression function is a PRF. This recovers a proof based guarantee since no known attacks compromise the pseudorandomness of the compression function, and it also helps explain the resistancetoattack that HMAC has shown even when implemented with hash functions whose (weak) collision resistance is compromised. We also show that an even weakerthanPRF condition on the compression function, namely that it is a privacypreserving MAC, suffices to establish HMAC is a secure MAC as long as the hash function meets the very weak requirement of being computationally almost universal, where again the value lies in the fact that known
Pseudorandom functions revisited: The cascade construction and its concrete security
 Proceedings of the 37th Symposium on Foundations of Computer Science, IEEE
, 1996
"... Abstract Pseudorandom function families are a powerful cryptographic primitive, yielding, in particular, simple solutions for the main problems in private key cryptography. Their existence based on general assumptions (namely, the existence of oneway functions) has been established.In this work we ..."
Abstract

Cited by 107 (23 self)
 Add to MetaCart
(Show Context)
Abstract Pseudorandom function families are a powerful cryptographic primitive, yielding, in particular, simple solutions for the main problems in private key cryptography. Their existence based on general assumptions (namely, the existence of oneway functions) has been established.In this work we investigate new ways of designing pseudorandom function families. The goal is to find constructions that are both efficient and secure, and thus eventually to bring thebenefits of pseudorandom functions to practice.
MDxMAC and building fast MACs from hash functions
 Advances in Cryptology, Proceedings Crypto'95, LNCS 963
, 1995
"... ..."