Results 11  20
of
85
Building a collisionresistant compression function from noncompressing primitives
 In ICALP 2008, Part II
, 2008
"... Abstract. We consider how to build an efficient compression function from a small number of random, noncompressing primitives. Our main goal is to achieve a level of collision resistance as close as possible to the optimal birthday bound. We present a 2nton bit compression function based on three ..."
Abstract

Cited by 15 (3 self)
 Add to MetaCart
Abstract. We consider how to build an efficient compression function from a small number of random, noncompressing primitives. Our main goal is to achieve a level of collision resistance as close as possible to the optimal birthday bound. We present a 2nton bit compression function based on three independent nton bit random functions, each called only once. We show that if the three random functions are treated as black boxes then finding collisions requires Θ(2 n/2 /n c) queries for c ≈ 1. This result remains valid if two of the three random functions are replaced by a fixedkey ideal cipher in DaviesMeyer mode (i.e., EK(x) ⊕ x for permutation EK). We also give a heuristic, backed by experimental results, suggesting that the security loss is at most four bits for block sizes up to 256 bits. We believe this is the best result to date on the matter of building a collisionresistant compression function from noncompressing functions. It also relates to an open question from Black et al. (Eurocrypt’05), who showed that compression functions that invoke a single noncompressing random function cannot suffice. We also explore the relationship of our problem with that of doubling the output of a hash function and we show how our compression function can be used to double the output length of ideal hashes.
Heuristic Design of Cryptographically Strong Balanced Boolean Functions
 Eurocrypt 98, LNCS 1403
, 1998
"... Abstract. Advances in the design of Boolean functions using heuristic techniques are reported. A genetic algorithm capable of generating highly nonlinear balanced Boolean functions is presented. Hill climbing techniques are adapted to locate balanced, highly nonlinear Boolean functions that also a ..."
Abstract

Cited by 14 (2 self)
 Add to MetaCart
Abstract. Advances in the design of Boolean functions using heuristic techniques are reported. A genetic algorithm capable of generating highly nonlinear balanced Boolean functions is presented. Hill climbing techniques are adapted to locate balanced, highly nonlinear Boolean functions that also almost satisfy correlation immunity. The definitions for some cryptographic properties are generalised, providing a measure suitable for use as a fitness function in a genetic algorithm seeking balanced Boolean functions that satisfy both correlation immunity and the strict avalanche criterion. Results are presented demonstrating the effectiveness of the methods. 1
Fast Evaluation, Weights and Nonlinearity of RotationSymmetric Functions
 Discrete Mathematics
, 2000
"... We study the nonlinearity and the weight of the rotationsymmetric (RotS) functions defined by Pieprzyk and Qu [6]. We give exact results for the nonlinearity and weight of 2degree RotS functions with the help of the semibent functions [2] and we give the generating function for the weight of the ..."
Abstract

Cited by 14 (2 self)
 Add to MetaCart
We study the nonlinearity and the weight of the rotationsymmetric (RotS) functions defined by Pieprzyk and Qu [6]. We give exact results for the nonlinearity and weight of 2degree RotS functions with the help of the semibent functions [2] and we give the generating function for the weight of the 3degree RotS function. Based on the numerical examples and our observations we state a conjecture on the nonlinearity and weight of the 3degree RotS function. Keywords: Boolean functions; nonlinearity; bent; semibent; hash functions 1 Motivation Hash functions are used to map a large collection of messages into a small set of message digests and can be used to generate e#ciently both signatures and message authentication codes, and they can be also used as oneway # State University of New York at Bu#alo, Department of Mathematics, Bu#alo, NY 142602900, email: cusick@math.bu#alo.edu + Auburn University Montgomery, Department of Mathematics, Montgomery, AL 361244023, email: stanpan@...
On Recent Results for MD2, MD4 and MD5
 RSA Laboratories’ Bulletin
, 1996
"... . Recent cryptanalytic results on the properties of three popular hash functions have raised questions about their security. This note summarizes these results, gives our assessment of their implications and offers our recommendations for product planners and developers who may be using these algori ..."
Abstract

Cited by 11 (0 self)
 Add to MetaCart
. Recent cryptanalytic results on the properties of three popular hash functions have raised questions about their security. This note summarizes these results, gives our assessment of their implications and offers our recommendations for product planners and developers who may be using these algorithms. 1. Introduction A hash function (or more accurately a cryptographic hash function or messagedigest algorithm) operates on an input string of arbitrary length and generates an output string of fixed length. This output is commonly called a hash value or a message digest. While much of the motivation for the design of a hash function comes from its usefulness in optimizing the process of digitally signing some document, hash functions can be used for a wide range of purposes. MD2 [13], MD4 [20] and MD5 [21] are hash functions that were developed by Ron Rivest at MIT for RSA Data Security. A description of these hash functions can be found in RSA Laboratories Technical Report TR101 [...
Towards Secure and Fast Hash Functions
, 1999
"... this paper [15], [16] (m, 2m) block cipher this paper this paper Suppose that ..."
Abstract

Cited by 10 (0 self)
 Add to MetaCart
this paper [15], [16] (m, 2m) block cipher this paper this paper Suppose that
Hash Functions Based on Block Ciphers and Quaternary Codes
 Advances in Cryptology ASIACRYPT
, 1996
"... . We consider constructions for cryptographic hash functions based on mbit block ciphers. First we present a new attack on the LOKIDBH mode: the attack finds collisions in 2 3m=4 encryptions, which should be compared to 2 m encryptions for a brute force attack. This attack breaks the last remai ..."
Abstract

Cited by 9 (1 self)
 Add to MetaCart
. We consider constructions for cryptographic hash functions based on mbit block ciphers. First we present a new attack on the LOKIDBH mode: the attack finds collisions in 2 3m=4 encryptions, which should be compared to 2 m encryptions for a brute force attack. This attack breaks the last remaining subclass in a wide class of efficient hash functions which have been proposed in the literature. We then analyze hash functions based on a collision resistant compression function for which finding a collision requires at least 2 m encryptions, providing a lower bound of the complexity of collisions of the hash function. A new class of constructions is proposed, based on error correcting codes over GF(2 2 ) and a proof of security is given, which relates their security to that of single block hash functions. For example, a compression function is presented which requires about 4 encryptions to hash an mbit block, and for which finding a collision requires at least 2 m encryptions...
Constructing an Ideal Hash Function from Weak Ideal Compression Functions
 In Selected Areas in Cryptography, Lecture Notes in Computer Science
, 2006
"... Abstract. We introduce the notion of a weak ideal compression function, which is vulnerable to strong forms of attack, but is otherwise random. We show that such weak ideal compression functions can be used to create secure hash functions, thereby giving a design that can be used to eliminate attack ..."
Abstract

Cited by 9 (0 self)
 Add to MetaCart
Abstract. We introduce the notion of a weak ideal compression function, which is vulnerable to strong forms of attack, but is otherwise random. We show that such weak ideal compression functions can be used to create secure hash functions, thereby giving a design that can be used to eliminate attacks caused by undesirable properties of compression functions. We prove that the construction we give, which we call the “zipper hash, ” is ideal in the sense that the overall hash function is indistinguishable from a random oracle when implemented with these weak ideal building blocks. The zipper hash function is relatively simple, requiring two compression function evaluations per block of input, but it is not streamable. We also show how to create an ideal (strong) compression function from ideal weak compression functions, which can be used in the standard iterated way to make a streamable hash function. Keywords: Hash function, compression function, MerkleDamg˚ard, ideal primitives, nonstreamable hash functions, zipper hash.
Breaking the ICE  finding multicollisions in iterated concatenated and expanded (ICE) hash functions
 In Proceedings of FSE ’06
, 2006
"... Abstract. The security of hash functions has recently become one of the hottest topics in the design and analysis of cryptographic primitives. Since almost all the hash functions used today (including the MD and SHA families) have an iterated design, it is important to study the general security pro ..."
Abstract

Cited by 9 (0 self)
 Add to MetaCart
Abstract. The security of hash functions has recently become one of the hottest topics in the design and analysis of cryptographic primitives. Since almost all the hash functions used today (including the MD and SHA families) have an iterated design, it is important to study the general security properties of such functions. At Crypto 2004 Joux showed that in any iterated hash function it is relatively easy to find exponential sized multicollisions, and thus the concatenation of several hash functions does not increase their security. However, in his proof it was essential that each message block is used at most once. In 2005 Nandi and Stinson extended the technique to handle iterated hash functions in which each message block is used at most twice. In this paper we consider the general case and prove that even if we allow each iterated hash function to scan the input multiple times in an arbitrary expanded order, their concatenation is not stronger than a single function. Finally, we extend the result to treebased hash functions with arbitrary tree structures.
Communications security for the twentyfirst century: The advanced encryption standard
 Notices of the AMS
, 2000
"... Editor’s Note: This article is the second in a twopart series by the author in the Notices. The first article in the series is “Standing the Test of Time: The Data Encryption Standard”, which appeared in the March 2000 Notices, pages 341–349. Cryptography was once the domain of generals and small c ..."
Abstract

Cited by 7 (0 self)
 Add to MetaCart
Editor’s Note: This article is the second in a twopart series by the author in the Notices. The first article in the series is “Standing the Test of Time: The Data Encryption Standard”, which appeared in the March 2000 Notices, pages 341–349. Cryptography was once the domain of generals and small children, but the advent of the Information Age changed that. In the early 1970s the National Security Agency (NSA) and the National Bureau of Standards (NBS) realized that noncombatant adults needed to protect their sensitive, but unclassified, information. Though NSA is the usual government agency for building cryptosystems, the agency was unwilling to design a cryptosystem for public consumption. Instead, NBS issued a public solicitation for a cryptographic algorithm. IBM responded. The company submitted a cryptosystem with a 56bit key. (An assumption, first codified by Kerckhoffs in the nineteenth century, holds that security of a cryptosystem should rest entirely in the secrecy of the key and not in the secrecy of the algorithm. A conventional cryptosystem is considered secure when its work factor—the amount of time needed to decrypt—is about 2 key length.) The new algorithm became the Data Encryption Standard (DES). In the first article of the twopart series, I described DES and the design principles behind “blockstructured algorithms”. The box in the present article briefly defines some technical terms that were introduced in my DES article; more detail about these definitions may be found in that article. In the present article I describe the mathematics and politics behind DES’s successor: the Advanced Encryption