How to Build a Hash Function from any Collision-Resistant Function
2007
Cited by 12 (3 self)
Recent collision-finding attacks against hash functions such as MD5 and SHA-1 motivate the use of provably collision-resistant (CR) functions in their place. Finding a collision in a provably CR function implies the ability to solve some hard problem (e.g., factoring). Unfortunately, existing provably CR functions make poor replacements for hash functions as they fail to deliver behaviors demanded by practical use. In particular, they are easily distinguished from a random oracle. We initiate an investigation into building hash functions from provably CR functions. As a method for achieving this, we present the Mix-Compress-Mix (MCM) construction; it envelopes any provably CR function H (with suitable regularity properties) between two injective "mixing" stages. The MCM construction simultaneously enjoys (1) provable collision-resistance in the standard model, and (2) indifferentiability from a monolithic random oracle when the mixing stages themselves are indifferentiable from a random oracle that observes injectivity. We instantiate our new design approach by specifying a blockcipher-based construction that
How Risky is the Random-Oracle Model?
Cited by 11 (0 self)
Abstract. RSA-FDH and many other schemes secure in the Random-Oracle Model (ROM) require a hash function with output size larger than standard sizes. We show that the random-oracle instantiations proposed in the literature for such cases are weaker than a random oracle, including the proposals by Bellare and Rogaway from 1993 and 1996, and the ones implicit in IEEE P1363 and PKCS standards: for instance, we obtain a practical preimage attack on BR93 for 1024-bit digests (with complexity less than 2^30). Next, we study the security impact of hash function defects for ROM signatures. As an extreme case, we note that any hash collision would suffice to disclose the master key in the ID-based cryptosystem by Boneh et al. from FOCS '07, and the secret key in the Rabin-Williams signature for which Bernstein proved tight security at EUROCRYPT '08. We also remark that collisions can be found as a precomputation for any instantiation of the ROM, and this violates the security definition of the scheme in the standard model. Hence, this gives an example of a natural scheme that is proven secure in the ROM but that is insecure for any instantiation by a single function. Interestingly, for both of these schemes, a slight modification can prevent these attacks, while preserving the ROM security result. We give evidence that in the case of RSA and Rabin/Rabin-Williams, an appropriate PSS padding is more robust than all other paddings known.
Linearization attacks against syndrome based hashes. Cryptology ePrint Archive, Report 2007/295
2007
Cited by 9 (0 self)
Abstract. In MyCrypt 2005, Augot, Finiasz, and Sendrier proposed FSB, a family of cryptographic hash functions. The security claim of the FSB hashes is based on a coding theory problem with hard average-case complexity. In the ECRYPT 2007 Hash Function Workshop, new versions with essentially the same compression function but radically different security parameters and an additional final transformation were presented. We show that hardness of average-case complexity of the underlying problem is irrelevant in collision search by presenting a linearization method that can be used to produce collisions in a matter of seconds on a desktop PC for the variant of FSB with claimed 2^128 security.
Non-Trivial Black-Box Combiners for Collision-Resistant Hash-Functions don't Exist
Advances in Cryptology, Eurocrypt 2007, Lecture Notes in Computer Science
Cited by 9 (1 self)
Abstract. A (k, ℓ)-robust combiner for collision-resistant hash-functions is a construction which from ℓ hash-functions constructs a hash-function which is collision-resistant if at least k of the components are collision-resistant. One trivially gets a (k, ℓ)-robust combiner by concatenating the output of any ℓ − k + 1 of the components; unfortunately this is not very practical as the length of the output of the combiner is quite large. We show that this is unavoidable as no black-box (k, ℓ)-robust combiner whose output is significantly shorter than what can be achieved by concatenation exists. This answers a question of Boneh and Boyen (Crypto '06).
How to strengthen any weakly unforgeable signature into a strongly unforgeable signature
CT-RSA 2007, volume 4377 of LNCS
Cited by 6 (0 self)
Abstract. Standard signature schemes are usually designed only to achieve weak unforgeability, i.e. preventing forgery of signatures on new messages not previously signed. However, most signature schemes are randomised and allow many possible signatures for a single message. In this case, it may be possible to produce a new signature on a previously signed message. Some applications require that this type of forgery also be prevented; this requirement is called strong unforgeability. At PKC 2006, Boneh, Shen and Waters presented an efficient transform based on any randomised trapdoor hash function which converts a weakly unforgeable signature into a strongly unforgeable signature and applied it to construct a strongly unforgeable signature based on the CDH problem. However, the transform of Boneh et al. only applies to a class of so-called partitioned signatures. Although many schemes fall in this class, some do not, for example the DSA signature. Hence it is natural to ask whether one can obtain a truly generic efficient transform based on any randomised trapdoor hash function which converts any weakly unforgeable signature into a strongly unforgeable one. We answer this question in the positive by presenting a simple modification of the Boneh-Shen-Waters transform. Our modified transform uses two randomised trapdoor hash functions. Key Words: Digital signature, strong unforgeability, trapdoor hash function, provable security, transform.
Analysis of Multivariate Hash Functions
Cited by 6 (1 self)
Abstract. We analyse the security of new hash functions whose compression function is explicitly defined as a sequence of multivariate equations. First we prove non-universality of certain proposals with sparse equations, and deduce trivial collisions holding with high probability. Then we introduce a method inspired from coding theory for solving underdefined systems with a low density of nonlinear monomials, and apply it to find collisions in certain functions. We also study the security of the message authentication codes HMAC and NMAC built on multivariate hash functions, and demonstrate that families of low-degree functions over GF(2) are neither pseudorandom nor unpredictable.
Faster and Smoother: VSH Revisited
Abstract. We reconsider the provably collision resistant Very Smooth Hash and propose a small change in the design aiming to improve both performance and security. While the original proofs of security based on hardness of factoring or discrete logarithms are preserved, we can base the security on the k-sum problem studied by Wagner and more recently by Minder & Sinclair. The new approach allows outputting shorter digests and brings the speed of Fast VSH closer to the range of "classical" hash functions. The modified VSH is likely to remain secure even if factoring and discrete logarithms are easy, while this would have a devastating effect on the original versions. This observation leads us to propose a variant that operates modulo a power of two to increase the speed even more. A function that offers an equivalent of 128-bit collision resistance runs at 68.5 MB/s on a 2.4 GHz Intel Core 2 CPU, more than a third of the speed of SHA-256.
Cryptanalysis of FORK-256
Abstract. In this paper we expose a practical attack against a new hash function design, FORK-256, which was proposed by Hong et al. at FSE 2006. Our attack allows finding a collision against a 160-bit truncated version of the FORK-256 compression function with a complexity of 2^49 hash computations and with negligible memory. This has to be compared with the theoretical complexity of 2^80 hash computations given by the birthday paradox. Additionally, we expose a 1-bit (resp. 2-bit) near-collision attack against the full version of FORK-256 running with a complexity of 2^125 (resp. 2^120) and with negligible memory, and exhibit a 22-bit near collision. Finally, we discuss very recent independent results about FORK-256, and show how our attack strategy can be used to improve upon these results to yield a collision against the complete version of FORK-256 with a complexity of 2^106 hash computations and about 2^64 memory.
Cryptographic Hash Functions: Recent Design Trends and Security Notions
Recent years have witnessed an exceptional research interest in cryptographic hash functions, especially after the popular attacks against MD5 and SHA-1 in 2005. In 2007, the U.S. National Institute of Standards and Technology (NIST) also significantly boosted this interest by announcing a public competition to select the next hash function standard, to be named SHA-3. Not surprisingly, the hash function literature has since been growing at an extremely fast pace. In this paper, we provide a comprehensive, up-to-date discussion of the current state of the art of cryptographic hash function security and design. We first discuss the various hash function security properties and notions, then proceed to give an overview of how (and why) hash functions evolved over the years, giving rise to the current diverse hash function design approaches. A short version of this paper is in [1]. This version has been thoroughly extended, revised and updated. This