Results 1  10
of
84
Cryptographic Approach to "PrivacyFriendly" Tags
 IN RFID PRIVACY WORKSHOP
, 2003
"... Radio frequency identification (RFID) is expected to become an important and ubiquitous infrastructure technology. As RFID tags are a#xed to everyday items, they may be used to support various useful services. However, widespread deployment of RFID tags may create new threats to user privacy, due ..."
Abstract

Cited by 92 (0 self)
 Add to MetaCart
Radio frequency identification (RFID) is expected to become an important and ubiquitous infrastructure technology. As RFID tags are a#xed to everyday items, they may be used to support various useful services. However, widespread deployment of RFID tags may create new threats to user privacy, due to the powerful tracking capability of the tags. There are
Twofish: A 128Bit Block Cipher
 in First Advanced Encryption Standard (AES) Conference
, 1998
"... Twofish is a 128bit block cipher that accepts a variablelength key up to 256 bits. The cipher is a 16round Feistel network with a bijective F function made up of four keydependent 8by8bit Sboxes, a fixed 4by4 maximum distance separable matrix over GF(2 8 ), a pseudoHadamard transform, bit ..."
Abstract

Cited by 54 (8 self)
 Add to MetaCart
Twofish is a 128bit block cipher that accepts a variablelength key up to 256 bits. The cipher is a 16round Feistel network with a bijective F function made up of four keydependent 8by8bit Sboxes, a fixed 4by4 maximum distance separable matrix over GF(2 8 ), a pseudoHadamard transform, bitwise rotations, and a carefully designed key schedule. A fully optimized implementation of Twofish encrypts on a Pentium Pro at 17.8 clock cycles per byte, and an 8bit smart card implementation encrypts at 1660 clock cycles per byte. Twofish can be implemented in hardware in 14000 gates. The design of both the round function and the key schedule permits a wide variety of tradeoffs between speed, software size, key setup time, gate count, and memory. We have extensively cryptanalyzed Twofish; our best attack breaks 5 rounds with 2 22.5 chosen plaintexts and 2 51 effort.
A failurefriendly design principle for hash functions
, 2005
"... Abstract. This paper reconsiders the established MerkleDamg˚ard design principle for iterated hash functions. The internal state size w of an iterated nbit hash function is treated as a security parameter of its own right. In a formal model, we show that increasing w quantifiably improves security ..."
Abstract

Cited by 42 (5 self)
 Add to MetaCart
Abstract. This paper reconsiders the established MerkleDamg˚ard design principle for iterated hash functions. The internal state size w of an iterated nbit hash function is treated as a security parameter of its own right. In a formal model, we show that increasing w quantifiably improves security against certain attacks, even if the compression function fails to be collision resistant. We propose the widepipe hash, internally using a wbit compression function, and the doublepipe hash, with w = 2n and an nbit compression function used twice in parallel.
Fast Hashing on the Pentium
 Advances in Cryptology, Proceedings Crypto'96, LNCS 1109
, 1996
"... With the advent of the Pentium processor parallelization finally became available to Intel based computer systems. One of the design principles of the MD4family of hash functions (MD4, MD5, SHA1, RIPEMD160) is to be fast on the 32bit Intel processors. This paper shows that carefully coded im ..."
Abstract

Cited by 37 (4 self)
 Add to MetaCart
With the advent of the Pentium processor parallelization finally became available to Intel based computer systems. One of the design principles of the MD4family of hash functions (MD4, MD5, SHA1, RIPEMD160) is to be fast on the 32bit Intel processors. This paper shows that carefully coded implementations of these hash functions are able to exploit the Pentium's superscalar architecture to its maximum e#ect: the performance with respect to execution on a nonparallel architecture increases by about 60%. This is an important result in view of the recent claims on the limited data bandwidth of these hash functions.
Cryptographic Hash Functions: A Survey
, 1995
"... This paper gives a survey on cryptographic hash functions. It gives an overview of all types of hash functions and reviews design principals and possible methods of attacks. It also focuses on keyed hash functions and provides the applications, requirements, and constructions of keyed hash functions ..."
Abstract

Cited by 35 (7 self)
 Add to MetaCart
This paper gives a survey on cryptographic hash functions. It gives an overview of all types of hash functions and reviews design principals and possible methods of attacks. It also focuses on keyed hash functions and provides the applications, requirements, and constructions of keyed hash functions.
Design principles for iterated hash functions
 CRYPTOLOGY EPRINT ARCHIVE
, 2004
"... This paper deals with the security of iterated hash functions against generic attacks, such as, e.g., Joux’ multicollision attacks from Crypto 04 [6]. The core idea is to increase the size of the internal state of an nbit hash function to w> n bit. Variations of this core idea allow the use of a c ..."
Abstract

Cited by 29 (1 self)
 Add to MetaCart
This paper deals with the security of iterated hash functions against generic attacks, such as, e.g., Joux’ multicollision attacks from Crypto 04 [6]. The core idea is to increase the size of the internal state of an nbit hash function to w> n bit. Variations of this core idea allow the use of a compression function with n output bits, even if the compression function itself is based on a block cipher. In a formal model, it is shown that these modifications quantifiably improve the security of iterated hash functions against generic attacks.
Tiger: A Fast New Hash Function
 Fast Software Encryption, Third International Workshop Proceedings
, 1996
"... Among those cryptographic hash function which are not based on block ciphers, MD4 and Snefru seemed initially quite attractive for applications requiring fast software hashing. However collisions for Snefru were found in 1990, and recently a collision of MD4 was also found. This casts doubt on how l ..."
Abstract

Cited by 29 (1 self)
 Add to MetaCart
Among those cryptographic hash function which are not based on block ciphers, MD4 and Snefru seemed initially quite attractive for applications requiring fast software hashing. However collisions for Snefru were found in 1990, and recently a collision of MD4 was also found. This casts doubt on how long these functions' variants, such as RIPEMD, MD5, SHA, SHA1 and Snefru8, will remain unbroken. Furthermore, all these functions were designed for 32bit processors, and cannot be implemented efficiently on the new generation of 64bit processors such as the DEC Alpha. We therefore present a new hash function which we believe to be secure; it is designed to run quickly on 64bit processors, without being too slow on existing machines.
The Classification of Hash Functions
, 1993
"... When we ask what makes a hash function `good', we usually get an answer which includes collision freedom as the main (if not sole) desideratum. However, we show here that given any collisionfree function, we can derive others which are also collisionfree, but cryptographically useless. This explai ..."
Abstract

Cited by 24 (3 self)
 Add to MetaCart
When we ask what makes a hash function `good', we usually get an answer which includes collision freedom as the main (if not sole) desideratum. However, we show here that given any collisionfree function, we can derive others which are also collisionfree, but cryptographically useless. This explains why researchers have not managed to find many interesting consequences of this property. We also prove Okamoto's conjecture that correlation freedom is strictly stronger than collision freedom. We go on to show that there are actually rather many properties which hash functions may need. Hash functions for use with RSA must be multiplication free, in the sense that one cannot find X , Y and Z such that h(X)h(Y ) = h(Z); and more complex requirements hold for other signature schemes. Universal principles can be proposed from which all the freedom properties follow, but like most theoretical principles, they do not seem to give much value to a designer; at the practical level, the main imp...
A Keyschedule Weakness in SAFER K64
 Advances in Cryptology, Proceedings Crypto'95, LNCS 963
, 1995
"... . In this paper we analyse SAFER K64 and show a weakness in the key schedule. It has the effect that for almost every key K, there exists at least one different key K , such that for many plaintexts the outputs after 6 rounds of encryption are equal. The output transformation causes the cipherte ..."
Abstract

Cited by 19 (8 self)
 Add to MetaCart
. In this paper we analyse SAFER K64 and show a weakness in the key schedule. It has the effect that for almost every key K, there exists at least one different key K , such that for many plaintexts the outputs after 6 rounds of encryption are equal. The output transformation causes the ciphertexts to differ in one of the 8 bytes. Also, the same types of keys encrypt even more pairs of plaintexts different in one byte to ciphertexts different only in the same byte. This enables us to do a relatedkey chosen plaintext attack on SAFER K64, which finds 8 bits of the key requiring from 2 44 to about 2 47 chosen plaintexts. While our observations may have no greater impact on the security of SAFER K64 when used for encryption in practice, it greatly reduces the security of the algorithm when used in hashing modes, which is illustrated. We give collisions for the wellknown secure hash modes using a block cipher. Also we give a suggestion of how to improve the key schedule, such th...
Correlation Matrices
 Fast Software Encryption : Second International Workshop, LNCS 1008
, 1994
"... . In this paper we introduce the correlation matrix of a Boolean mapping, a useful concept in demonstrating and proving properties of Boolean functions and mappings. It is argued that correlation matrices are the "natural" representation for the proper understanding and description of the mechanisms ..."
Abstract

Cited by 16 (1 self)
 Add to MetaCart
. In this paper we introduce the correlation matrix of a Boolean mapping, a useful concept in demonstrating and proving properties of Boolean functions and mappings. It is argued that correlation matrices are the "natural" representation for the proper understanding and description of the mechanisms of linear cryptanalysis [4]. It is also shown that the difference propagation probabilities and the table consisting of the squared elements of the correlation matrix are linked by a scaled WalshHadamard transform. Key Words: Boolean Mappings, Linear Cryptanalysis, Correlation Matrices. 1 Introduction Most components in encryption schemes are Boolean mappings. In this paper, we establish a relation between Boolean mappings and specific linear mappings over real vector spaces. The matrices that describe these mappings are called correlation matrices. The elements of these matrices consist of the correlation coefficients associated with linear combinations of input bits and linear combin...