Results 1  10
of
28
Cryptographic HashFunction Basics: Definitions, Implications, and Separations for Preimage Resistance, SecondPreimage Resistance, and Collision Resistance
, 2004
"... We consider basic notions of security for cryptographic hash functions: collision resistance, preimage resistance, and secondpreimage resistance. We give seven di#erent definitions that correspond to these three underlying ideas, and then we work out all of the implications and separations among ..."
Abstract

Cited by 75 (3 self)
 Add to MetaCart
We consider basic notions of security for cryptographic hash functions: collision resistance, preimage resistance, and secondpreimage resistance. We give seven di#erent definitions that correspond to these three underlying ideas, and then we work out all of the implications and separations among these seven definitions within the concretesecurity, provablesecurity framework.
Formalizing human ignorance: Collisionresistant hashing without the keys
 In Proc. Vietcrypt ’06
, 2006
"... Abstract. There is a foundational problem involving collisionresistant hashfunctions: common constructions are keyless, but formal definitions are keyed. The discrepancy stems from the fact that a function H: {0, 1} ∗ → {0, 1} n always admits an efficient collisionfinding algorithm, it’s just t ..."
Abstract

Cited by 22 (0 self)
 Add to MetaCart
Abstract. There is a foundational problem involving collisionresistant hashfunctions: common constructions are keyless, but formal definitions are keyed. The discrepancy stems from the fact that a function H: {0, 1} ∗ → {0, 1} n always admits an efficient collisionfinding algorithm, it’s just that us human beings might be unable to write the program down. We explain a simple way to sidestep this difficulty that avoids having to key our hash functions. The idea is to state theorems in a way that prescribes an explicitlygiven reduction, normally a blackbox one. We illustrate this approach using wellknown examples involving digital signatures, pseudorandom functions, and the MerkleDamg˚ard construction. Key words. Collisionfree hash function, Collisionintractable hash function, Collisionresistant hash function, Cryptographic hash function, Provable security. 1
Generic Groups, Collision Resistance, and ECDSA
 Designs, Codes and Cryptography
, 2002
"... Proved here is the sufficiency of certain conditions to ensure the Elliptic Curve Digital Signature Algorithm (ECDSA) existentially unforgeable by adaptive chosenmessage attacks. The sufficient conditions include (i) a uniformity property and collisionresistance for the underlying hash function, ( ..."
Abstract

Cited by 13 (1 self)
 Add to MetaCart
Proved here is the sufficiency of certain conditions to ensure the Elliptic Curve Digital Signature Algorithm (ECDSA) existentially unforgeable by adaptive chosenmessage attacks. The sufficient conditions include (i) a uniformity property and collisionresistance for the underlying hash function, (ii) pseudorandomness in the private key space for the ephemeral private key generator, (iii) generic treatment of the underlying group, and (iv) a further condition on how the ephemeral public keys are mapped into the private key space. For completeness, a brief survey of necessary security conditions is also given. Some of the necessary conditions are weaker than the corresponding sufficient conditions used in the security proofs here, but others are identical.
A Parallelizable Design Principle for Cryptography Hash Functions
 INDOCRYPT 2001, LNCS 2247
, 2001
"... We describe a parallel design principle for hash functions. Given a secure hash function with n 2m, and a binary tree of 2 processors we show how to construct which can hash messages of lengths less than 2 and a secure hash function h which can hash messages of arbitrary length. The number of parall ..."
Abstract

Cited by 11 (0 self)
 Add to MetaCart
We describe a parallel design principle for hash functions. Given a secure hash function with n 2m, and a binary tree of 2 processors we show how to construct which can hash messages of lengths less than 2 and a secure hash function h which can hash messages of arbitrary length. The number of parallel rounds required to hash a message of length L is b t c + t + 2. Further, our algorithm is incrementally parallelizable in the following sense: given a digest produced using a binary tree of 2 processors, we show that the same digest can also be produced using a binary tree of 2 (0 t t) processors.
Multicollision Attacks on a Class of Hash Functions
 IACR PREPRINT ARCHIVE
, 2005
"... In a recent paper, A. Joux [7] showed multicollision attacks on the classical iterated hash function. (A multicollision is a set of inputs whose hash values are same.) He also showed how the multicollision attacks can be used to get a collision attack on the concatenated hash function. In this paper ..."
Abstract

Cited by 6 (0 self)
 Add to MetaCart
In a recent paper, A. Joux [7] showed multicollision attacks on the classical iterated hash function. (A multicollision is a set of inputs whose hash values are same.) He also showed how the multicollision attacks can be used to get a collision attack on the concatenated hash function. In this paper, we first try to fix the attack by introducing a natural and wide class hash functions. However, we show that the multicollision attacks also exist in this general class. Thus, we rule out a natural and a wide class of hash functions as candidates for multicollision secure hash functions.
A Simple and Generic Construction of Authenticated Encryption With Associated Data
"... Abstract. We revisit the problem of constructing a protocol for performing authenticated encryption with associated data (AEAD). A technique is described which combines a collision resistant hash function with a protocol for authenticated encryption (AE). The technique is both simple and generic and ..."
Abstract

Cited by 3 (2 self)
 Add to MetaCart
Abstract. We revisit the problem of constructing a protocol for performing authenticated encryption with associated data (AEAD). A technique is described which combines a collision resistant hash function with a protocol for authenticated encryption (AE). The technique is both simple and generic and does not require any additional key material beyond that of the AE protocol. Concrete instantiations are shown where a 256bit hash function is combined with some known singlepass AE protocols employing either 128bit or 256bit block ciphers. This results in possible efficiency improvement in the processing of the header.
A critical look at cryptographic hash function literature
 ECRYPT Hash Workshop
, 2007
"... Abstract. The cryptographic hash function literature has numerous hash function definitions and hash function requirements, and many of them disagree. This survey talks about the various definitions, and takes steps towards cleaning up the literature by explaining how the field has evolved and accur ..."
Abstract

Cited by 3 (1 self)
 Add to MetaCart
Abstract. The cryptographic hash function literature has numerous hash function definitions and hash function requirements, and many of them disagree. This survey talks about the various definitions, and takes steps towards cleaning up the literature by explaining how the field has evolved and accurately depicting the research aims people have today. 1
Domain Extender for Collision Resistant Hash Functions Using a Directed Acyclic Graph
, 2003
"... We study the problem of securely extending the domain of a collision resistant compression function. Our rst contribution is to show that given an arbitrary directed acyclic graph and a collision resistant compression function, it is possible to construct a collision resistant hash function. Nex ..."
Abstract

Cited by 2 (0 self)
 Add to MetaCart
We study the problem of securely extending the domain of a collision resistant compression function. Our rst contribution is to show that given an arbitrary directed acyclic graph and a collision resistant compression function, it is possible to construct a collision resistant hash function. Next we introduce a new technique for constructing a hash function which can handle arbitrary length strings. The amount of padding and the number of invocations of the compression function required by our algorithm is asymptotically smaller compared to the MerkleDamgard algorithm. Our third contribution is to provide some concrete examples and hence derive the foundation for the design of a secure parallel hash algorithm.
Construction of UOWHF: Tree Hashing Revisited
, 2002
"... We present a binary tree based parallel algorithm for extending the domain of a UOWHF. The key length expansion is 2m bits for t = 2; m(t+1) bits for 3 t 6 and m(t+blog 2 (t 1)c) bits for t 7, where m is the length of the message digest and t 2 is the height of the binary tree. The previously be ..."
Abstract

Cited by 2 (1 self)
 Add to MetaCart
We present a binary tree based parallel algorithm for extending the domain of a UOWHF. The key length expansion is 2m bits for t = 2; m(t+1) bits for 3 t 6 and m(t+blog 2 (t 1)c) bits for t 7, where m is the length of the message digest and t 2 is the height of the binary tree. The previously best known binary tree algorithm required a key length expansion of m 2(t 1) bits. We also obtain the lower bound that any binary tree based algorithm must make a key length expansion of 2m bits if t = 2 and a key length expansion of m (t + 1) bits for t 3. Hence for 2 t 6 our algorithm makes optimal key length expansion and for practical sized processor trees the key length expansion is close to the lower bound.
Security Properties of Domain Extenders for Cryptographic Hash Functions
"... Abstract — Cryptographic hash functions reduce inputs of arbitrary or very large length to a short string of fixed length. All hash function designs start from a compression function with fixed length inputs. The compression function itself is designed from scratch, or derived from a block cipher or ..."
Abstract

Cited by 1 (0 self)
 Add to MetaCart
Abstract — Cryptographic hash functions reduce inputs of arbitrary or very large length to a short string of fixed length. All hash function designs start from a compression function with fixed length inputs. The compression function itself is designed from scratch, or derived from a block cipher or a permutation. The most common procedure to extend the domain of a compression function in order to obtain a hash function is a simple linear iteration; however, some variants use multiple iterations or a tree structure that allows for parallelism. This paper presents a survey of 17 extenders in the literature. It considers the natural question whether these preserve the security properties of the compression function, and more in particular collision resistance, second preimage resistance, preimage resistance and the pseudorandom oracle property.