Results 1  10
of
108
MerkleDamg˚ard Revisited: How to Construct a Hash Function
 Advances in Cryptology, Crypto 2005
"... The most common way of constructing a hash function (e.g., SHA1) is to iterate a compression function on the input message. The compression function is usually designed from scratch or made out of a blockcipher. In this paper, we introduce a new security notion for hashfunctions, stronger than col ..."
Abstract

Cited by 79 (8 self)
 Add to MetaCart
The most common way of constructing a hash function (e.g., SHA1) is to iterate a compression function on the input message. The compression function is usually designed from scratch or made out of a blockcipher. In this paper, we introduce a new security notion for hashfunctions, stronger than collisionresistance. Under this notion, the arbitrary length hash function H must behave as a random oracle when the fixedlength building block is viewed as a random oracle or an ideal blockcipher. The key property is that if a particular construction meets this definition, then any cryptosystem proven secure assuming H is a random oracle remains secure if one plugs in this construction (still assuming that the underlying fixedlength primitive is ideal). In this paper, we show that the current design principle behind hash functions such as SHA1 and MD5 — the (strengthened) MerkleDamg˚ard transformation — does not satisfy this security notion. We provide several constructions that provably satisfy this notion; those new constructions introduce minimal changes to the plain MerkleDamg˚ard construction and are easily implementable in practice.
Cryptographic HashFunction Basics: Definitions, Implications, and Separations for Preimage Resistance, SecondPreimage Resistance, and Collision Resistance
, 2004
"... We consider basic notions of security for cryptographic hash functions: collision resistance, preimage resistance, and secondpreimage resistance. We give seven di#erent definitions that correspond to these three underlying ideas, and then we work out all of the implications and separations among ..."
Abstract

Cited by 76 (3 self)
 Add to MetaCart
We consider basic notions of security for cryptographic hash functions: collision resistance, preimage resistance, and secondpreimage resistance. We give seven di#erent definitions that correspond to these three underlying ideas, and then we work out all of the implications and separations among these seven definitions within the concretesecurity, provablesecurity framework.
Some Plausible Constructions of DoubleBlockLength Hash Functions
 FSE’06, LNCS 4047
, 2006
"... Abstract. In this article, it is discussed how to construct a compression function with 2nbit output using a component function with nbit output. The component function is either a smaller compression function or a block cipher. Some constructions are presented which compose collisionresistant ha ..."
Abstract

Cited by 36 (0 self)
 Add to MetaCart
Abstract. In this article, it is discussed how to construct a compression function with 2nbit output using a component function with nbit output. The component function is either a smaller compression function or a block cipher. Some constructions are presented which compose collisionresistant hash functions: Any collisionfinding attack on them is at most as efficient as a birthday attack in the random oracle model or in the ideal cipher model. A new security notion is also introduced, which we call indistinguishability in the iteration, with a construction satisfying the notion.
Distinguisher and RelatedKey Attack on the Full AES256
 Advances in Cryptology – CRYPTO 2009, Proceedings, volume 5677 of Lecture Notes in Computer Science
, 2009
"... Abstract. In this paper we construct a chosenkey distinguisher and a relatedkey attack on the full 256bit key AES. We define a notion of differential qmulticollision and show that for AES256 qmulticollisions can be constructed in time q · 2 67 and with negligible memory, while we prove that th ..."
Abstract

Cited by 28 (2 self)
 Add to MetaCart
Abstract. In this paper we construct a chosenkey distinguisher and a relatedkey attack on the full 256bit key AES. We define a notion of differential qmulticollision and show that for AES256 qmulticollisions can be constructed in time q · 2 67 and with negligible memory, while we prove that the same task for an ideal cipher of the same block size would require at least O(q · 2 q−1 q+1 128) time. Using similar approach and with the same complexity we can also construct qpseudo collisions for AES256 in DaviesMeyer hashing mode, a scheme which is provably secure in the idealcipher model. We have also computed partial qmulticollisions in time q · 2 37 on a PC to verify our results. These results show that AES256 can not model an ideal cipher in theoretical constructions. Finally we extend our results to find the first publicly known attack on the full 14round AES256: a relatedkey distinguisher which works for one out of every 2 35 keys with 2 120 data and time complexity and negligible memory. This distinguisher is translated into a keyrecovery attack with total complexity of 2 131 time and 2 65 memory. Keywords: AES, relatedkey attack, chosen key distinguisher, DaviesMeyer, ideal cipher.
On the impossibility of highlyefficient blockcipherbased hash functions
 in Advances in Cryptology—EUROCRYPT 2005
, 2005
"... Abstract. Fix a small, nonempty set of blockcipher keys K. We say a blockcipherbased hash function is highlyefficient if it makes exactly one blockcipher call for each message block hashed, and all blockcipher calls use a key from K. Although a few highlyefficient constructions have been propose ..."
Abstract

Cited by 27 (3 self)
 Add to MetaCart
Abstract. Fix a small, nonempty set of blockcipher keys K. We say a blockcipherbased hash function is highlyefficient if it makes exactly one blockcipher call for each message block hashed, and all blockcipher calls use a key from K. Although a few highlyefficient constructions have been proposed, no one has been able to prove their security. In this paper we prove, in the idealcipher model, that it is impossible to construct a highlyefficient iterated blockcipherbased hash function that is provably secure. Our result implies, in particular, that the Tweakable Chain Hash (TCH) construction suggested by Liskov, Rivest, and Wagner [7] is not correct under an instantiation suggested for this construction, nor can TCH be correctly instantiated by any other efficient means.
SuperSbox cryptanalysis: Improved attacks for AESlike permutations
 In FSE’10
, 2010
"... Abstract. In this paper, we improve the recent rebound and startfromthemiddle attacks on AESlike permutations. Our new cryptanalysis technique uses the fact that one can view two rounds of such permutations as a layer of big Sboxes preceded and followed by simple affine transformations. The big ..."
Abstract

Cited by 24 (6 self)
 Add to MetaCart
Abstract. In this paper, we improve the recent rebound and startfromthemiddle attacks on AESlike permutations. Our new cryptanalysis technique uses the fact that one can view two rounds of such permutations as a layer of big Sboxes preceded and followed by simple affine transformations. The big Sboxes encountered in this alternative representation are named SuperSboxes. We apply this method to two secondround SHA3 candidates Grøstl and ECHO, and obtain improvements over the previous cryptanalysis results for these two schemes. Moreover, we improve the best distinguisher for the AES block cipher in the knownkey setting, reaching 8 rounds for the 128bit version. Key words: hash function, cryptanalysis, AES, Grøstl and ECHO. 1
Salvaging MerkleDamg˚ard for Practical Applications
, 2009
"... Many cryptographic applications of hash functions are analyzed in the random oracle model. Unfortunately, most concrete hash functions, including the SHA family, use the iterative (strengthened) MerkleDamg˚ard transform applied to a corresponding compression function. Moreover, it is well known tha ..."
Abstract

Cited by 21 (2 self)
 Add to MetaCart
Many cryptographic applications of hash functions are analyzed in the random oracle model. Unfortunately, most concrete hash functions, including the SHA family, use the iterative (strengthened) MerkleDamg˚ard transform applied to a corresponding compression function. Moreover, it is well known that the resulting “structured ” hash function cannot be generically used as a random oracle, even if the compression function is assumed to be ideal. This leaves a large disconnect between theory and practice: although no attack is known for many concrete applications utilizing existing (MerkleDamg˚ard based) hash functions, there is no security guarantee either, even by idealizing the compression function. Motivated by this question, we initiate a rigorous and modular study of developing new notions of (still idealized) hash functions which would be (a) natural and elegant; (b) sufficient for arguing security of important applications; and (c) provably met by the (strengthened) MerkleDamg˚ard transform, applied to a “strong enough ” compression function. In particular, we show that a fixedlength compressing random oracle, as well as the currently used DaviesMeyer compression function (the latter analyzed in the ideal cipher model) are “strong enough ” for the two specific weakenings of the random oracle that we develop. These weaker notions, described below, are quite natural and should be interesting in their own right: • Preimage Aware Functions. Roughly, if an attacker found a “later useful ” output y of the function, then it must
Constructing cryptographic hash functions from fixedkey blockciphers. Full version of this paper
, 2008
"... Abstract. We propose a family of compression functions built from fixedkey blockciphers and investigate their collision and preimage security in the idealcipher model. The constructions have security approaching and in many cases equaling the security upper bounds found in previous work of the aut ..."
Abstract

Cited by 19 (5 self)
 Add to MetaCart
Abstract. We propose a family of compression functions built from fixedkey blockciphers and investigate their collision and preimage security in the idealcipher model. The constructions have security approaching and in many cases equaling the security upper bounds found in previous work of the authors [24]. In particular, we describe a 2nbit to nbit compression function using three nbit permutation calls that has collision security N 0.5,whereN =2 n, and we describe 3nbit to 2nbit compression functions using five and six permutation calls and having collision security of at least N 0.55 and N 0.63. Key words: blockcipherbased hashing, collisionresistant hashing, compression functions, cryptographic hash functions, idealcipher model. 1
Building a collisionresistant compression function from noncompressing primitives
 In ICALP 2008, Part II
, 2008
"... Abstract. We consider how to build an efficient compression function from a small number of random, noncompressing primitives. Our main goal is to achieve a level of collision resistance as close as possible to the optimal birthday bound. We present a 2nton bit compression function based on three ..."
Abstract

Cited by 16 (3 self)
 Add to MetaCart
Abstract. We consider how to build an efficient compression function from a small number of random, noncompressing primitives. Our main goal is to achieve a level of collision resistance as close as possible to the optimal birthday bound. We present a 2nton bit compression function based on three independent nton bit random functions, each called only once. We show that if the three random functions are treated as black boxes then finding collisions requires Θ(2 n/2 /n c) queries for c ≈ 1. This result remains valid if two of the three random functions are replaced by a fixedkey ideal cipher in DaviesMeyer mode (i.e., EK(x) ⊕ x for permutation EK). We also give a heuristic, backed by experimental results, suggesting that the security loss is at most four bits for block sizes up to 256 bits. We believe this is the best result to date on the matter of building a collisionresistant compression function from noncompressing functions. It also relates to an open question from Black et al. (Eurocrypt’05), who showed that compression functions that invoke a single noncompressing random function cannot suffice. We also explore the relationship of our problem with that of doubling the output of a hash function and we show how our compression function can be used to double the output length of ideal hashes.
Second preimages on nbit hash functions for much less than 2^n work
"... We expand a previous result of Dean [Dea99] to provide a second preimage attack on all nbit iterated hash functions with DamgårdMerkle strengthening and nbit intermediate states, allowing a second preimage to be found for a 2 kmessageblock message with about k × 2 n/2+1 +2 n−k+1 work. Using RI ..."
Abstract

Cited by 15 (3 self)
 Add to MetaCart
We expand a previous result of Dean [Dea99] to provide a second preimage attack on all nbit iterated hash functions with DamgårdMerkle strengthening and nbit intermediate states, allowing a second preimage to be found for a 2 kmessageblock message with about k × 2 n/2+1 +2 n−k+1 work. Using RIPEMD160 as an example, our attack can find a second preimage for a 2^60 byte message in about 2^106 work, rather than the previously expected 2^160 work. We also provide slightly cheaper ways to find multicollisions than the method of Joux [Jou04]. Both of these results are based on expandable messages–patterns for producing messages of varying length, which all collide on the intermediate hash result immediately after processing the message. We provide an algorithm for finding expandable messages for any nbit hash function built using the DamgårdMerkle construction, which requires only a small multiple of the work done to find a single collision in the hash function.