Results 1 - 10 of 16
Cryptographic Hash-Function Basics: Definitions, Implications, and Separations for Preimage Resistance, Second-Preimage Resistance, and Collision Resistance
2004
Cited by 49 (4 self)
We consider basic notions of security for cryptographic hash functions: collision resistance, preimage resistance, and second-preimage resistance. We give seven different definitions that correspond to these three underlying ideas, and then we work out all of the implications and separations among these seven definitions within the concrete-security, provable-security framework.
Formalizing human ignorance: Collision-resistant hashing without the keys
In Proc. Vietcrypt ’06, 2006
Cited by 17 (0 self)
Abstract. There is a foundational problem involving collision-resistant hash-functions: common constructions are keyless, but formal definitions are keyed. The discrepancy stems from the fact that a function H: {0,1}* → {0,1}^n always admits an efficient collision-finding algorithm, it’s just that us human beings might be unable to write the program down. We explain a simple way to sidestep this difficulty that avoids having to key our hash functions. The idea is to state theorems in a way that prescribes an explicitly-given reduction, normally a black-box one. We illustrate this approach using well-known examples involving digital signatures, pseudorandom functions, and the Merkle-Damgård construction. Key words. Collision-free hash function, Collision-intractable hash function, Collision-resistant hash function, Cryptographic hash function, Provable security.
Generic Groups, Collision Resistance, and ECDSA
Designs, Codes and Cryptography, 2002
Cited by 13 (1 self)
Proved here is the sufficiency of certain conditions to ensure the Elliptic Curve Digital Signature Algorithm (ECDSA) existentially unforgeable by adaptive chosen-message attacks. The sufficient conditions include (i) a uniformity property and collision-resistance for the underlying hash function, (ii) pseudo-randomness in the private key space for the ephemeral private key generator, (iii) generic treatment of the underlying group, and (iv) a further condition on how the ephemeral public keys are mapped into the private key space. For completeness, a brief survey of necessary security conditions is also given. Some of the necessary conditions are weaker than the corresponding sufficient conditions used in the security proofs here, but others are identical.
A Parallelizable Design Principle for Cryptography Hash Functions
INDOCRYPT 2001, LNCS 2247, 2001
Cited by 6 (0 self)
We describe a parallel design principle for hash functions. Given a secure hash function with n 2m, and a binary tree of 2 processors we show how to construct which can hash messages of lengths less than 2 and a secure hash function h which can hash messages of arbitrary length. The number of parallel rounds required to hash a message of length L is b t c + t + 2. Further, our algorithm is incrementally parallelizable in the following sense: given a digest produced using a binary tree of 2 processors, we show that the same digest can also be produced using a binary tree of 2 (0 t t) processors.
Multicollision Attacks on a Class of Hash Functions
IACR PREPRINT ARCHIVE, 2005
Cited by 6 (0 self)
In a recent paper, A. Joux [7] showed multicollision attacks on the classical iterated hash function. (A multicollision is a set of inputs whose hash values are the same.) He also showed how the multicollision attacks can be used to get a collision attack on the concatenated hash function. In this paper, we first try to fix the attack by introducing a natural and wide class of hash functions. However, we show that the multicollision attacks also exist in this general class. Thus, we rule out a natural and a wide class of hash functions as candidates for multicollision secure hash functions.
Construction of UOWHF: Tree Hashing Revisited
2002
Cited by 2 (1 self)
We present a binary tree based parallel algorithm for extending the domain of a UOWHF. The key length expansion is 2m bits for t = 2; m(t+1) bits for 3 ≤ t ≤ 6 and m(t + ⌊log_2(t − 1)⌋) bits for t ≥ 7, where m is the length of the message digest and t ≥ 2 is the height of the binary tree. The previously best known binary tree algorithm required a key length expansion of m × 2(t − 1) bits. We also obtain the lower bound that any binary tree based algorithm must make a key length expansion of 2m bits if t = 2 and a key length expansion of m × (t + 1) bits for t ≥ 3. Hence for 2 ≤ t ≤ 6 our algorithm makes optimal key length expansion and for practical sized processor trees the key length expansion is close to the lower bound.
Domain Extender for Collision Resistant Hash Functions Using a Directed Acyclic Graph
2003
Cited by 2 (0 self)
We study the problem of securely extending the domain of a collision resistant compression function. Our first contribution is to show that given an arbitrary directed acyclic graph and a collision resistant compression function, it is possible to construct a collision resistant hash function. Next we introduce a new technique for constructing a hash function which can handle arbitrary length strings. The amount of padding and the number of invocations of the compression function required by our algorithm is asymptotically smaller compared to the Merkle-Damgard algorithm. Our third contribution is to provide some concrete examples and hence derive the foundation for the design of a secure parallel hash algorithm.
A critical look at cryptographic hash function literature
ECRYPT Hash Workshop, 2007
Cited by 2 (1 self)
Abstract. The cryptographic hash function literature has numerous hash function definitions and hash function requirements, and many of them disagree. This survey talks about the various definitions, and takes steps towards cleaning up the literature by explaining how the field has evolved and accurately depicting the research aims people have today.
Foundations of security for hash chains in ad hoc networks
2004
Cited by 1 (0 self)
Nodes in ad hoc networks generally transmit data at regular intervals over long periods of time. Recently, ad hoc network nodes have been built that run on little power and have very limited memory. In ad hoc networks authentication can be a significant challenge, even without considering size and power constraints. Assuming idealized hashing, this paper examines lower bounds for ad hoc broadcast authentication for µ-TESLA-like protocols. In particular, this paper focuses on idealized hashing for generating preimages of hash chains. In particular, using variations on these idealized hash functions, this paper gives an idealized time-space product \Omega (t2 log4 n) bit operation lower-bound for optimal preimage hash chain generation. Where n is the total length of the hash chain and the hash elements are t-wise independent. Given our foundations, these results follow as corollaries to a lower bound of Coppersmith and Jakobsson.
Relation between Successfulness of Birthday Attack on Digital Signature and Hash Function Irregularity
Cited by 1 (0 self)
Abstract:- In many network communications it is crucial to be able to authenticate both the contents and the origin of a message. Digital signatures based on public key schemas are used for such authentication. In order to provide message authentication the signature must depend on the contents of the message being signed. Since the public key-based signature schemes take too much time to compute, hash functions that map messages to short digests h(M) are used. Among other desirable properties of hash functions, an interesting one is that it should be collision-resistant, that is, it should be difficult to find two messages with the same hash value. To find a collision the birthday attack is used, which shows that an attacker may not need to examine too many messages before he finds a collision. Even worse, in estimates of attack successfulness it is always assumed that the hash function is regular, meaning that all points in the range have the same number of preimages under h. If h is not regular, fewer trials are required to find a collision. In this paper we first compute tighter upper and lower bounds for the number of birthday attack trials when the hash function is regular. Then we examine different types of irregularity of the hash function and the quantitative changes in the required number of trials to find a collision which then compromises the digital signature system. Key-Words:- Digital signature, Birthday attack, Irregular hash function, Hash collision

