## A proposal of a criterion for collision resistance of hash functions

### BibTeX

@MISC{Watanabe_aproposal,

author = {Dai Watanabe and Hirotaka Yoshida},

title = {A proposal of a criterion for collision resistance of hash functions},

year = {}

}

### OpenURL

### Abstract

In this paper we revisit the tequniques for collision attacks and study the relation between maximum differential characteristic probability and a limit of applicability of collision attack. We show that a cryptographic hash function is secure against collision attacks using a single message block based on differential attack if the unequality pD < (1 − e −1)2 −nm−1 is satisfied, where nm is an input length of a compression function and pD is the maximum differential characteristic probability.

### Citations

2717 | Handbook of Applied Cryptography
- Menezes, Oorschot, et al.
- 1997
(Show Context)
Citation Context ...h/2 inputs. This fact claims that the hash length should be twice as large as that of a block length (of a block cipher) used in the same system. For more detail of a birthday attack, please refer to =-=[11]-=- for example. 2.3 Differential attack Differential attack was proposed by Biham and Shamir for the attack on the block cipher DES (Data Encryption Standard) [3]. In this subsection we give a brief des... |

879 | The MD5 Message-Digest Algorithm - Rivest - 1992 |

363 |
Di®erential Cryptanalysis of the Data Encryption Standard
- Biham, Shamir
- 1993
(Show Context)
Citation Context ...o SHA-0 and SHA-1 [1, 2]. Both of their attacks are an application of differential attack proposed by Biham and Shamir which was originally applied to the block cipher DES for recovering a secret key =-=[3]-=-. With helps of these newer proposed techniques and their applications, the standing position of the probabilistic approach in collision attack begun to be clear. In this paper, we revisit the known t... |

312 |
A Design Principle for Hash Functions
- Damgård
- 1989
(Show Context)
Citation Context ...ssage M is divided into n blocks M1, . . . , Mn. Merkle and Damg˚ard independently proved that this chaining construction is secure as a hash function if the underlying compression function is secure =-=[5, 12]-=-. 2.2 Security requirements for a hash function Following three conditions are the security requirements for a hash function. One-Wayness For any hash value y it is difficult to find an input x such t... |

251 | How to Break MD5 and Other Hash Functions
- Wang, Yu
(Show Context)
Citation Context ...ock cipher’s case. However Wang et al. showed in the last two years that almost all the currently proposed hash functions (including widely used MD5 and SHA-1) is weak against their collision attacks =-=[16, 17, 18, 19]-=-. Additionally Biham et al. provided a technique to improve the complexity of collision attacks and applied it to SHA-0 and SHA-1 [1, 2]. Both of their attacks are an application of differential attac... |

70 | Near-collisions of sha-0
- Biham, Chen
- 2004
(Show Context)
Citation Context ...D5 and SHA-1) is weak against their collision attacks [16, 17, 18, 19]. Additionally Biham et al. provided a technique to improve the complexity of collision attacks and applied it to SHA-0 and SHA-1 =-=[1, 2]-=-. Both of their attacks are an application of differential attack proposed by Biham and Shamir which was originally applied to the block cipher DES for recovering a secret key [3]. With helps of these... |

70 |
Cryptanalysis of MD4
- Dobbertin
- 1998
(Show Context)
Citation Context ... intermediate differences in a differential path to discuss collision attacks. For example Dobbertin reported that the experimental result shows his collision attack on MD4 works better than expected =-=[6]-=-. More precisely, the success probability of finding collision is higher than what is expected from the differential characteristic probability. He analyzed that this deviance arises from the lack to ... |

58 | Efficient Collision Search Attacks on SHA-0
- Wang, Yu, et al.
- 2005
(Show Context)
Citation Context ...ock cipher’s case. However Wang et al. showed in the last two years that almost all the currently proposed hash functions (including widely used MD5 and SHA-1) is weak against their collision attacks =-=[16, 17, 18, 19]-=-. Additionally Biham et al. provided a technique to improve the complexity of collision attacks and applied it to SHA-0 and SHA-1 [1, 2]. Both of their attacks are an application of differential attac... |

37 | The MD5 Message-digest Algorithm, RFC - Rivest - 1321 |

20 | Integrity Primitives for Secure Information Systems - RIPE - 1995 |

9 |
One-way hash functions and
- Merkle
- 1989
(Show Context)
Citation Context ...ssage M is divided into n blocks M1, . . . , Mn. Merkle and Damg˚ard independently proved that this chaining construction is secure as a hash function if the underlying compression function is secure =-=[5, 12]-=-. 2.2 Security requirements for a hash function Following three conditions are the security requirements for a hash function. One-Wayness For any hash value y it is difficult to find an input x such t... |

4 | Differential collisions - Chabaud, Joux |