G.V.: On the Indifferentiability of the Sponge Construction. In: Advances in Cryptology – Eurocrypt, 2008
Cited by 68 (4 self)
Abstract. In this paper we prove that the sponge construction introduced in [4] is indifferentiable from a random oracle when being used with a random transformation or a random permutation and discuss its implications. To our knowledge, this is the first time indifferentiability has been shown for a construction calling a random permutation (instead of an ideal compression function or ideal block cipher) and for a construction generating outputs of any length (instead of a fixed length).
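The absorb/squeeze mechanics the abstract refers to, as an added example (not code from the paper): a toy sponge in Python over a 32-byte permutation. The permutation is an assumption, a 4-round Feistel network with SHA-256 as round function standing in for Keccak-f or the random permutation of the proof; the rate/capacity split, the pad10*1 padding and the squeezing loop are the real construction. It shows why the output can have any length (keep squeezing) and that only the r-byte outer part of the state ever leaves the sponge, while the c capacity bytes, which set the security level, are never exposed.

```python
"""Toy sponge construction over a fixed permutation.

Added example, not code from the paper. The 32-byte permutation is an
assumption: a 4-round Feistel network with SHA-256 as round function, used
only because a Feistel network is always a bijection, which is what the sponge
(and the indifferentiability proof) needs from its primitive.
"""
import hashlib

RATE = 8          # r: bytes absorbed / squeezed per permutation call
CAPACITY = 24     # c: bytes never touched by input or output; security ~ 2^(c/2)
WIDTH = RATE + CAPACITY
HALF = WIDTH // 2
ROUNDS = 4


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def feistel_round(i: int, half: bytes) -> bytes:
    """Round function F_i (assumption): SHA-256 truncated to half the state."""
    return hashlib.sha256(bytes([i]) + half).digest()[:HALF]


def permutation(state: bytes) -> bytes:
    """(L, R) -> (R, L xor F_i(R)) for each round: invertible by construction."""
    left, right = state[:HALF], state[HALF:]
    for i in range(ROUNDS):
        left, right = right, xor(left, feistel_round(i, right))
    return left + right


def permutation_inverse(state: bytes) -> bytes:
    """Undo the rounds in reverse order; exists precisely because it is a permutation."""
    left, right = state[:HALF], state[HALF:]
    for i in reversed(range(ROUNDS)):
        left, right = xor(right, feistel_round(i, left)), left
    return left + right


def pad10star1(msg: bytes) -> bytes:
    """Multi-rate padding: a 1 bit, zero fill, a final 1 bit (0x81 if one byte is left)."""
    padlen = RATE - len(msg) % RATE
    if padlen == 1:
        return msg + b"\x81"
    return msg + b"\x01" + bytes(padlen - 2) + b"\x80"


def sponge(msg: bytes, outlen: int) -> bytes:
    """Absorb the padded message r bytes at a time, then squeeze outlen bytes."""
    state = bytes(WIDTH)
    padded = pad10star1(msg)
    for i in range(0, len(padded), RATE):               # absorbing phase
        block = padded[i:i + RATE]
        state = permutation(xor(state[:RATE], block) + state[RATE:])
    out = bytearray()                                    # squeezing phase
    while True:
        out += state[:RATE]                              # only the outer r bytes leave
        if len(out) >= outlen:
            return bytes(out[:outlen])
        state = permutation(state)


if __name__ == "__main__":
    print(sponge(b"abc", 16).hex())
    print(sponge(b"abc", 40).hex())
```

Two things worth noticing when running it: the 16-byte digest is a prefix of the 40-byte one, so a protocol that uses the same sponge at two output lengths must bind the length (or domain-separate) itself; and a digest reveals only state[:RATE], so nobody holding the digest can resume the sponge without guessing the c capacity bytes, which is the structural reason the construction has no length-extension problem and why the indifferentiability bound is governed by c rather than by the output length.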
Constructing cryptographic hash functions from fixed-key blockciphers. Full version of this paper, 2008
Cited by 26 (5 self)
Abstract. We propose a family of compression functions built from fixed-key blockciphers and investigate their collision and preimage security in the ideal-cipher model. The constructions have security approaching and in many cases equaling the security upper bounds found in previous work of the authors [24]. In particular, we describe a 2n-bit to n-bit compression function using three n-bit permutation calls that has collision security N^0.5, where N = 2^n, and we describe 3n-bit to 2n-bit compression functions using five and six permutation calls and having collision security of at least N^0.55 and N^0.63. Key words: blockcipher-based hashing, collision-resistant hashing, compression functions, cryptographic hash functions, ideal-cipher model.
A Framework for Iterative Hash Functions: HAIFA. In Proceedings of Second NIST Cryptographic Hash Workshop, 2006. Available from: www.csrc.nist.gov/pki/HashWorkshop/2006/program_2006.htm
Cited by 24 (0 self)
Abstract. Since the seminal works of Merkle and Damgård on the iteration of compression functions, hash functions were built from compression functions using the Merkle-Damgård construction. Recently, several flaws in this construction were identified, allowing for second preimage attacks and chosen target preimage attacks on such hash functions even when the underlying compression functions are secure. In this paper we propose the HAsh Iterative FrAmework (HAIFA). Our framework can fix many of the flaws while supporting several additional properties such as defining families of hash functions and supporting variable hash size. HAIFA allows for an online computation of the hash function in one pass with a fixed amount of memory independently of the size of the message. Besides our proposal, the recent attacks initiated research on the way compression functions are to be iterated. We show that most recent proposals such as randomized hashing, the enveloped Merkle-Damgård, and the RMC and ROX modes can all be instantiated as part of the HAsh
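The second-preimage attack that HAIFA's block counter is meant to shut out, carried out end to end as an added example (not code from the HAIFA paper): Kelsey and Schneier's attack on a toy Merkle-Damgård hash in Python. The compression function is an assumption (SHA-256 truncated to a 16-bit chaining value, chosen so the birthday steps run in milliseconds); the rest, an expandable message built from k collisions, a link block into one of the target's intermediate chaining values, and the length matching needed to survive MD strengthening, is the generic attack and uses the compression function only as a black box.

```python
"""Kelsey-Schneier second-preimage attack on a toy Merkle-Damgard hash.

Added example, not code from the HAIFA paper. The compression function is an
assumption (SHA-256 truncated to 16 bits over chaining value || block); the
attack never looks inside it, which is what makes the attack generic.
"""
import hashlib
import os

IV = 0x1234        # fixed 16-bit initial chaining value (arbitrary constant)
BLOCK = 4          # message block size in bytes
STATE = 2          # 16-bit chaining value: a birthday collision costs about 2^8 calls


def compress(h: int, block: bytes) -> int:
    """f(h, m): depends only on (h, m), never on where block m sits in the message."""
    digest = hashlib.sha256(h.to_bytes(STATE, "big") + block).digest()
    return int.from_bytes(digest[:STATE], "big")


def md_pad(msg: bytes) -> bytes:
    """Merkle-Damgard strengthening: 0x80, zero fill, 4-byte message length."""
    padded = msg + b"\x80"
    while (len(padded) + 4) % BLOCK:
        padded += b"\x00"
    return padded + len(msg).to_bytes(4, "big")


def iterate(h: int, data: bytes) -> int:
    for i in range(0, len(data), BLOCK):
        h = compress(h, data[i:i + BLOCK])
    return h


def md_hash(msg: bytes) -> int:
    return iterate(IV, md_pad(msg))


def find_collision(h1: int, h2: int):
    """Blocks (a, b) with f(h1, a) == f(h2, b), by a birthday search; returns (a, b, f(h1, a))."""
    seen = {}
    while True:
        a = os.urandom(BLOCK)
        seen[compress(h1, a)] = a
        b = os.urandom(BLOCK)
        out = compress(h2, b)
        if out in seen and (h1 != h2 or seen[out] != b):
            return seen[out], b, out


def expandable_message(h: int, k: int):
    """k collisions between a 1-block and a (2^j + 1)-block message, j = 0..k-1,
    chained from state h. Picking short or long per piece reaches any length in
    [k, k + 2^k - 1] blocks, all ending in the same chaining value."""
    pieces = []
    for j in range(k):
        zeros = bytes(BLOCK) * (2 ** j)
        short, last, h = find_collision(h, iterate(h, zeros))
        pieces.append((short, zeros + last))
    return pieces, h


def expand(pieces, nblocks: int) -> bytes:
    """Binary digits of (nblocks - k) select which pieces use their long form."""
    extra = nblocks - len(pieces)
    assert 0 <= extra < 2 ** len(pieces)
    return b"".join(longp if (extra >> j) & 1 else short
                    for j, (short, longp) in enumerate(pieces))


def second_preimage(target: bytes, k: int) -> bytes:
    """A different message with md_hash(forged) == md_hash(target).
    Cost is about k * 2^(n/2) + 2^n / nblocks compressions instead of 2^n."""
    assert len(target) % BLOCK == 0
    nblocks = len(target) // BLOCK
    assert k + 1 < nblocks <= k + 2 ** k
    targets, h = {}, IV                    # intermediate chaining values h_i, i >= k+1
    for i in range(1, nblocks + 1):
        h = compress(h, target[(i - 1) * BLOCK:i * BLOCK])
        if i >= k + 1:                     # the prefix of i-1 blocks must be expandable
            targets.setdefault(h, i)
    pieces, h_exp = expandable_message(IV, k)
    while True:                            # link block: each try can hit any of the targets
        link = os.urandom(BLOCK)
        i = targets.get(compress(h_exp, link))
        if i is not None:
            break
    forged = expand(pieces, i - 1) + link + target[i * BLOCK:]
    assert len(forged) == len(target) and forged != target
    return forged


if __name__ == "__main__":
    msg = bytes(range(256)) * 4            # constructed 256-block target message
    other = second_preimage(msg, 8)
    print(hex(md_hash(msg)), hex(md_hash(other)), other != msg)
```

With a 256-block target the forged message costs eight birthday searches of about 2^8 compressions each plus roughly 2^16/256 link tries, far below the 2^16 a second preimage should cost for a 16-bit state. The weak spot HAIFA targets is visible in the code: compress(h, m) does not know the position of m. With the bit counter as an extra input, a candidate link block can only be compared against the single chaining value at its own position, and the collisions making up the expandable message, each found at a fixed position, no longer chain together, so the cost goes back to about 2^n.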
Security/Efficiency Tradeoffs for Permutation-Based Hashing
Cited by 17 (2 self)
Abstract. We provide attacks and analysis that capture a tradeoff, in the ideal-permutation model, between the speed of a permutation-based hash function and its potential security. We show that any 2n-bit to n-bit compression function will have unacceptable collision resistance if it makes fewer than three n-bit permutation invocations, and any 3n-bit to 2n-bit compression function will have unacceptable security if it makes fewer than five n-bit permutation invocations. Any rate-α hash function built from n-bit permutations can be broken, in the sense of finding preimages as well as collisions, in about N^(1−α) queries, where N = 2^n. Our results provide guidance when trying to design or analyze a permutation-based hash function about the limits of what can possibly be done.
M.: Indifferentiable security analysis of popular hash functions with prefix-free padding. ASIACRYPT 2006. LNCS, 2006
Cited by 15 (2 self)
Abstract. Understanding what construction strategy has a chance to be a good hash function is extremely important nowadays. In TCC’04, Maurer et al. [13] introduced the notion of indifferentiability as a generalization of the concept of the indistinguishability of two systems. In Crypto’2005, Coron et al. [5] suggested to employ indifferentiability in generic analysis of hash functions and started by suggesting four constructions which enable eliminating all possible generic attacks against iterative hash functions. In this paper we continue this initial suggestion and we give a formal proof of indifferentiability and indifferentiable attack for prefix-free MD hash functions (for single block length (SBL) hash and also some double block length (DBL) constructions) in the random oracle model and in the ideal cipher model. In particular, we observe that there are sixteen PGV hash functions (with prefix-free padding) which are indifferentiable from random oracle model in the ideal cipher model.
Hardware implementation of the compression function for selected SHA-3 candidates, 2009
Constructing an Ideal Hash Function from Weak Ideal Compression Functions. In Selected Areas in Cryptography, Lecture Notes in Computer Science, 2006
Cited by 12 (0 self)
Abstract. We introduce the notion of a weak ideal compression function, which is vulnerable to strong forms of attack, but is otherwise random. We show that such weak ideal compression functions can be used to create secure hash functions, thereby giving a design that can be used to eliminate attacks caused by undesirable properties of compression functions. We prove that the construction we give, which we call the “zipper hash,” is ideal in the sense that the overall hash function is indistinguishable from a random oracle when implemented with these weak ideal building blocks. The zipper hash function is relatively simple, requiring two compression function evaluations per block of input, but it is not streamable. We also show how to create an ideal (strong) compression function from ideal weak compression functions, which can be used in the standard iterated way to make a streamable hash function. Keywords: Hash function, compression function, Merkle-Damgård, ideal primitives, non-streamable hash functions, zipper hash.
Domain extension of public random functions: Beyond the birthday barrier. In Advances in Cryptology – CRYPTO ’07 (2007), Lecture Notes in Computer Science
Cited by 11 (3 self)
Combined with the iterated constructions of Coron et al., our result leads to the first iterated construction of a hash function {0,1}* → {0,1}^n from a component function {0,1}^n → {0,1}^n that withstands all recently proposed generic attacks against iterated hash functions, like Joux's multicollision attack, Kelsey and Schneier's second-preimage attack, and Kelsey and Kohno's herding attacks.
1 Introduction. 1.1 Secret vs. Public Random Functions. Primitives that provide some form of randomness are of central importance in cryptography, both as a primitive assumed to be given (e.g. a secret key), and as a primitive constructed from a weaker one to "behave like" a certain ideal random primitive (e.g. a random function), according to some security notion.
A Collision-Resistant Rate-1 Double-Block-Length Hash Function
Cited by 8 (0 self)
Abstract. This paper proposes a construction for collision resistant 2n-bit hash functions, based on n-bit block ciphers with 2n-bit keys. The construction is analysed in the ideal cipher model; for n = 128 an adversary would need roughly 2^122 units of time to find a collision. The construction employs “combinatorial” hashing as an underlying building block (like Universal Hashing for cryptographic message authentication by Wegman and Carter). The construction runs at rate 1, thus improving on a similar rate 1/2 approach by Hirose (FSE 2006).
SHA-3 proposal BLAKE
Cited by 7 (0 self)
Version 1.3. BLAKE is our proposal for SHA-3. BLAKE entirely relies on previously analyzed components: it uses the HAIFA iteration mode and builds its compression function on the ChaCha core function. BLAKE resists generic second-preimage attacks, length extension, and side-channel attacks. Theoretical and empirical security guarantees are given, against structural and differential attacks. BLAKE hashes on a Core 2 Duo at 12 cycles/byte, and on an 8-bit PIC microcontroller at 400 cycles/byte. In hardware BLAKE can be implemented in less than 9900 gates, and reaches a throughput of 6 Gbps.