Results 1  10
of
32
MDxMAC and Building Fast MACs from Hash Functions
 In Crypto 95
, 1995
"... . We consider the security of message authentication code (MAC) algorithms, and the construction of MACs from fast hash functions. A new forgery attack applicable to all iterated MAC algorithms is described, the first known such attack requiring fewer operations than exhaustive key search. Existing ..."
Abstract

Cited by 78 (6 self)
 Add to MetaCart
. We consider the security of message authentication code (MAC) algorithms, and the construction of MACs from fast hash functions. A new forgery attack applicable to all iterated MAC algorithms is described, the first known such attack requiring fewer operations than exhaustive key search. Existing methods for constructing MACs from hash functions, including the secret prefix, secret suffix, and envelope methods, are shown to be unsatisfactory. Motivated by the absence of a secure, fast MAC algorithm not based on encryption, a new generic construction (MDxMAC) is proposed for transforming any secure hash function of the MD4family into a secure MAC of equal or smaller bitlength and comparable speed. 1 Introduction Hash functions play a fundamental role in modern cryptography. One main application is their use in conjunction with digital signature schemes; another is in conventional techniques for message authentication. In the latter, it is preferable that a hash function take as a d...
Cryptographic HashFunction Basics: Definitions, Implications, and Separations for Preimage Resistance, SecondPreimage Resistance, and Collision Resistance
, 2004
"... We consider basic notions of security for cryptographic hash functions: collision resistance, preimage resistance, and secondpreimage resistance. We give seven di#erent definitions that correspond to these three underlying ideas, and then we work out all of the implications and separations among ..."
Abstract

Cited by 73 (3 self)
 Add to MetaCart
We consider basic notions of security for cryptographic hash functions: collision resistance, preimage resistance, and secondpreimage resistance. We give seven di#erent definitions that correspond to these three underlying ideas, and then we work out all of the implications and separations among these seven definitions within the concretesecurity, provablesecurity framework.
Authenticated MultiParty Key Agreement
, 1996
"... We examine multiparty key agreement protocols that provide (i) key authentication, (ii) key confirmation and (iii) forward secrecy. Several minor (repairable) attacks are presented against previous twoparty key agreement schemes and a model for key agreement is presented that provably provides the ..."
Abstract

Cited by 68 (2 self)
 Add to MetaCart
We examine multiparty key agreement protocols that provide (i) key authentication, (ii) key confirmation and (iii) forward secrecy. Several minor (repairable) attacks are presented against previous twoparty key agreement schemes and a model for key agreement is presented that provably provides the properties listed above. A generalization of the BurmesterDesmedt model (Eurocrypt '94) for multiparty key agreement is given, allowing a transformation of any twoparty key agreement scheme into a multiparty scheme. Multiparty schemes (based on the general model and two specific 2party schemes) are presented that reduce the number of rounds required for key computation compared to the specific BurmesterDesmedt scheme. It is also shown how the specific BurmesterDesmedt scheme fails to provide key authentication. 1991 AMS Classification: 94A60 CR Categories: D.4.6 Key Words: multiparty, key agreement, key authentication, key confirmation, forward secrecy. Carleton University, Sc...
Fast Hashing on the Pentium
 Advances in Cryptology, Proceedings Crypto'96, LNCS 1109
, 1996
"... With the advent of the Pentium processor parallelization finally became available to Intel based computer systems. One of the design principles of the MD4family of hash functions (MD4, MD5, SHA1, RIPEMD160) is to be fast on the 32bit Intel processors. This paper shows that carefully coded im ..."
Abstract

Cited by 37 (4 self)
 Add to MetaCart
With the advent of the Pentium processor parallelization finally became available to Intel based computer systems. One of the design principles of the MD4family of hash functions (MD4, MD5, SHA1, RIPEMD160) is to be fast on the 32bit Intel processors. This paper shows that carefully coded implementations of these hash functions are able to exploit the Pentium's superscalar architecture to its maximum e#ect: the performance with respect to execution on a nonparallel architecture increases by about 60%. This is an important result in view of the recent claims on the limited data bandwidth of these hash functions.
Some Observations on the Theory of Cryptographic Hash Functions
, 2001
"... In this paper, we study several issues related to the notion of "secure" hash functions. Several necessary conditions are considered, as well as a popular sufficient condition (the socalled random oracle model). We study the security of various problems that are motivated by the notion of a secure ..."
Abstract

Cited by 28 (2 self)
 Add to MetaCart
In this paper, we study several issues related to the notion of "secure" hash functions. Several necessary conditions are considered, as well as a popular sufficient condition (the socalled random oracle model). We study the security of various problems that are motivated by the notion of a secure hash function. These problems are analyzed in the random oracle model, and we prove that the obvious trivial algorithms are optimal. As well, we look closely at reductions between various problems. In particular, we consider the important question "does preimage resistance imply collision resistance?". Finally, we study the relationship of the security of hash functions built using the MerkleDamgard construction to the security of the underlying compression function.
Improved fast syndrome based cryptographic hash functions
 in Proceedings of ECRYPT Hash Workshop 2007 (2007). URL: http://wwwroc.inria.fr/secret/Matthieu.Finiasz
"... Abstract. Recently, some collisions have been exposed for a variety of cryptographic hash functions [19] including some of the most widely used today. Many other hash functions using similar constrcutions can however still be considered secure. Nevertheless, this has drawn attention on the need for ..."
Abstract

Cited by 24 (5 self)
 Add to MetaCart
Abstract. Recently, some collisions have been exposed for a variety of cryptographic hash functions [19] including some of the most widely used today. Many other hash functions using similar constrcutions can however still be considered secure. Nevertheless, this has drawn attention on the need for new hash function designs. In this article is presented a familly of secure hash functions, whose security is directly related to the syndrome decoding problem from the theory of errorcorrecting codes. Taking into account the analysis by Coron and Joux [4] based on Wagner’s generalized birthday algorithm [18] we study the asymptotical security of our functions. We demonstrate that this attack is always exponential in terms of the length of the hash value. We also study the workfactor of this attack, along with other attacks from coding theory, for non asymptotic range, i.e. for practical values. Accordingly, we propose a few sets of parameters giving a good security and either a faster hashing or a shorter desciption for the function. Key Words: cryptographic hash functions, provable security, syndrome decoding, NPcompleteness, Wagner’s generalized birthday problem.
Efficient Network Authentication Protocols: Lower Bounds and Optimal Implementations
 Distributed Computing
, 1995
"... . Research in authentication protocols has focused largely on developing and analyzing protocols that are secure against certain types of attacks. There is little and only scattered discussion on protocol efficiency. This paper presents results on the lower bounds on the numbers of messages, rounds, ..."
Abstract

Cited by 23 (2 self)
 Add to MetaCart
. Research in authentication protocols has focused largely on developing and analyzing protocols that are secure against certain types of attacks. There is little and only scattered discussion on protocol efficiency. This paper presents results on the lower bounds on the numbers of messages, rounds, and encryptions required for network authentication. For each proven lower bound, an authentication protocol achieving the bound is also given, thus proving that the bound is a tight bound if the given optimal protocol is secure. Moreover, we give impossibility results of obtaining protocols that are simultaneously optimal with respect to the numbers of messages and rounds. Key Words: Authentication, key distribution, protocol metrics, lower bound, optimal protocol. 1 Introduction Authentication is by definition a process to verify one's claim of identity. Since authentication is usually a prelude to further communication and computation, an authentication protocol often arranges that the...
Generic Groups, Collision Resistance, and ECDSA
 Designs, Codes and Cryptography
, 2002
"... Proved here is the sufficiency of certain conditions to ensure the Elliptic Curve Digital Signature Algorithm (ECDSA) existentially unforgeable by adaptive chosenmessage attacks. The sufficient conditions include (i) a uniformity property and collisionresistance for the underlying hash function, ( ..."
Abstract

Cited by 13 (1 self)
 Add to MetaCart
Proved here is the sufficiency of certain conditions to ensure the Elliptic Curve Digital Signature Algorithm (ECDSA) existentially unforgeable by adaptive chosenmessage attacks. The sufficient conditions include (i) a uniformity property and collisionresistance for the underlying hash function, (ii) pseudorandomness in the private key space for the ephemeral private key generator, (iii) generic treatment of the underlying group, and (iv) a further condition on how the ephemeral public keys are mapped into the private key space. For completeness, a brief survey of necessary security conditions is also given. Some of the necessary conditions are weaker than the corresponding sufficient conditions used in the security proofs here, but others are identical.
A Parallelizable Design Principle for Cryptography Hash Functions
 INDOCRYPT 2001, LNCS 2247
, 2001
"... We describe a parallel design principle for hash functions. Given a secure hash function with n 2m, and a binary tree of 2 processors we show how to construct which can hash messages of lengths less than 2 and a secure hash function h which can hash messages of arbitrary length. The number of parall ..."
Abstract

Cited by 10 (0 self)
 Add to MetaCart
We describe a parallel design principle for hash functions. Given a secure hash function with n 2m, and a binary tree of 2 processors we show how to construct which can hash messages of lengths less than 2 and a secure hash function h which can hash messages of arbitrary length. The number of parallel rounds required to hash a message of length L is b t c + t + 2. Further, our algorithm is incrementally parallelizable in the following sense: given a digest produced using a binary tree of 2 processors, we show that the same digest can also be produced using a binary tree of 2 (0 t t) processors.
Domain Extenders for UOWHF: A Generic Lower Bound on Key Expansion And Finite Binary Tree Algorithm
, 2003
"... We obtain a generic lower bound on the key expansion required for securely extending the domain of a UOWHF. Our lower bound holds over a large class of "natural" domain extending algorithms. A consequence of our result is the fact that the key length expansion in Shoup's algorithm is optimal for thi ..."
Abstract

Cited by 6 (1 self)
 Add to MetaCart
We obtain a generic lower bound on the key expansion required for securely extending the domain of a UOWHF. Our lower bound holds over a large class of "natural" domain extending algorithms. A consequence of our result is the fact that the key length expansion in Shoup's algorithm is optimal for this class. Our second contribution is to obtain a finite binary tree algorithm to extend the domain of a UOWHF. The associated key length expansion is only a constant number of bits more than the minimum possible. Our finite binary tree algorithm is the first practical parallel algorithm to securely extend the domain of a UOWHF. Also the speedup obtained by our algorithm is approximately proportional to the number of processors.