## The application of hash . . . structures to cryptography (2009)

### BibTeX

@MISC{Page09theapplication,

author = {Thomas Page},

title = {The application of hash . . . structures to cryptography},

year = {2009}

}

### OpenURL

### Abstract

### Citations

6050 |
E.: A mathematical theory of communication
- SHANNON
- 1948
(Show Context)
Citation Context ... our hash chain allows us to generate a large amount of pseudo-random data then we can conceivably use it for some cryptographic applications where we might use a shared one-time pad (see for example =-=[125]-=-). Later, in Section 3.4.4, we will discuss the issues surrounding this, and a more suitable way of combining hash functions to generate random numbers. The property that any xi can be calculated from... |

2714 | New directions in cryptography, in
- Diffie, Hellman
(Show Context)
Citation Context ... leaf is associated with a small group of users. In [117] Reddy and Nalla present a key agreement scheme similar to the logical key hierarchy scheme, which uses the Diffie Hellman key exchange method =-=[34]-=-. Their work is an extension of the two party ID-based authenticated key agreement protocol in [130] to a many party scheme based on a logical key hierarchy. The scheme has advantages over schemes bas... |

2327 | Time, clocks, and the ordering of events in a distributed system
- Lamport
- 1978
(Show Context)
Citation Context ... a timestamp. We look at two very similar schemes which use a counter and a time-dependent variable respectively. If A and B have a synchronised counter then this can be considered as a logical clock =-=[67]-=-. Both entities set their counter value t to zero during the initialisation phase.CHAPTER 4. ENTITY AUTHENTICATION 78 Entity Authentication Scheme 4.6: The basic counter based entity authentication s... |

1878 |
Introduction of Probability Theory and its Applications
- Feller
- 1971
(Show Context)
Citation Context ...nature patterns, each containing exactly one of the leaves. The efficiency (η2) ofCHAPTER 5. SIGNATURES 166 this scheme is log2 (k!) . Since log 3k 2(k!) ≈ k log2(k) − k (by Sterling’s approximation =-=[38]-=-) we can approximate the efficiency by 1 3 (log2(k) − 1), and so it is unbounded as k tends to infinity. We note that in practice this unbounded efficiency is not very relevant, as the application wou... |

1431 |
Reducibility among Combinatorial Problems
- Karp
- 1972
(Show Context)
Citation Context ...e compatible set of minimal verifiable sets.CHAPTER 5. SIGNATURES 144 5.3.3.2 Discussion of Algorithm 10 Finding the largest compatible set of MVSs on a DAG is the same as the maximum clique problem =-=[59]-=- on the graph with MVSs as vertices and edges between pairs of MVSs that are compatible. In [18] Bron and Kerbosch present an algorithm for finding the largest clique in a graph. This method is given ... |

1334 | Random oracles are practical: A paradigm for designing efficient protocols
- Bellare, Rogaway
- 1993
(Show Context)
Citation Context ...eam generators [8] and encryption key generators (see Section 6.5). Proofs of security often formally model hash functions as “random oracles”, which are effectively functions producing random output =-=[5, 147]-=-. A few authors require pseudo-randomness of output as a property in their definition of a hash function; for example [78] gives the following properties that their definition of a hash function f mus... |

1208 |
Counterspeculation, Auctions, and Competitive Sealed Tenders
- Vickrey
- 1961
(Show Context)
Citation Context ...ns differently; each chain value is used to mask a digit of a user’s bid. In 1961, Vickrey proposed an alternative to the first-price sealed-bid auction, which has become known as the Vickrey auction =-=[143]-=-.CHAPTER 7. OTHER APPLICATIONS AND FUTURE WORK 207 Definition 7.3. A Vickrey auction (or second-price sealed-bid auction) is a two-phase auction in which all bidders privately submit their bids durin... |

878 | Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer
- Shor
- 1997
(Show Context)
Citation Context ...le to continue using the scheme by deploying another hash function instead. If quantum computing becomes more practical then all of the mathematical problems in Table 5.1 may become feasible to solve =-=[113, 126]-=-. A third advantage of one-time signatures over deterministic one-way trapdoor based signatures is that the latter are subject to attacks based on repeated signature use. One-time signatures are not v... |

738 | SPINS: Security protocols for sensor networks
- Perrig, Szewczyk, et al.
(Show Context)
Citation Context ...or the initialisation phase. All of these schemes require A to compute the root value before any entity authentication can take place. We consider the application of a sensor network (for example see =-=[76, 107, 159]-=-), for which the initialisation phase for each sensor is performed by a central computer before the sensors are distributed. We assume that the sensors are required to authenticate to an entity B usin... |

669 |
Cryptography: Theory and Practice
- Stinson
- 1995
(Show Context)
Citation Context ...efine hash functions without preimage resistance or second preimage resistance [127, 131], or with additional properties such as collision resistance [78], or such that the input should include a key =-=[134]-=-. Many more authors use the term hash function without specifying the precise properties they require. Preneel highlights in his thesis [111] the different terms used for output of a hash function. “.... |

476 | Keying hash functions for message authentication
- Bellare, Canetti, et al.
(Show Context)
Citation Context ...the underlying hash function has particular structural properties (for example if the Merkle-Damg˚ard construction is used [84]). These attacks led to the creation of other constructions such as HMAC =-=[4]-=- and these should be considered for any practical implementations. However it is beyond the scope of this thesis to consider the structural design of hash functions, so we simply assume that our hash ... |

473 | Packet leashes: A defense against wormhole attacks in wireless networks
- Hu, Perrig, et al.
- 1976
(Show Context)
Citation Context ...irst scheme we look at is the hash chain entity authentication scheme due to Lamport [69]. Many variations of this are used in the literature, but they all use essentially the same idea as Scheme 4.9 =-=[7, 44, 47, 48, 49, 52, 54, 71, 105]-=-. Entity Authentication Scheme 4.9: The hash chain entity authentication scheme due to Lamport [69]. Initialisation • A creates a key x, and uses it to seed a hash chain of length n. • A A −→ B : f n ... |

471 | A randomized protocol for signing contracts
- Even, Goldreich, et al.
- 1985
(Show Context)
Citation Context ... fairly then with time they would lose the respect attributed to them. Schemes which do not depend on this kind of assumption are outside the scope of this research, but are studied in more detail in =-=[37, 101, 137]-=-. 4.2.5 Summary of one-time entity authentication schemes The elementary one-time entity authentication schemes that we have discussed in this section are summarised in Table 4.2 in terms of: • Comple... |

430 | Secure group communications using key graphs
- Wong, Gouda, et al.
- 1998
(Show Context)
Citation Context ... their leaf to the root. A type of key distribution scheme based on a tree is the logical key hierar-CHAPTER 6. KEY ESTABLISHMENT SCHEMES 190 chy (or LKH) and was independently proposed in [144] and =-=[154]-=-. It was first suggested as being based on an almost perfect tree, but easily generalises to any tree. Users are assigned a leaf of the tree and are privy to all the values along the path from their l... |

397 | Perrig, SEAD: secure efficient distance vector routing for mobile wireless ad hoc networks
- Hu, Johnson, et al.
- 2002
(Show Context)
Citation Context ... from the one-time signature scheme is used (when appropriate) to authenticate another comb skipchain end value (see Figure 4.6). This idea was presented by Hu et al. in [55], which extends work from =-=[53]-=-. In [43] a similar method of joining one-time signature schemes to hash chains is suggested, but it is less suited to entity authentication. The comb skipchain can be used to authenticate an unlimite... |

387 |
Auctions and Bidding, in
- McAfee, McMillan
- 1987
(Show Context)
Citation Context ...aled. We now give a simplified version of their scheme. 1 In fact their scheme is better described as a Dutch auction, which in theory should have the same outcome as a sealed-bid first-price auction =-=[80]-=-. A Dutch Auction is an auction in which the auctioneer starts with a high asking price and gradually lowers it until a bidder is willing to accept the auctioneer’s price.CHAPTER 7. OTHER APPLICATION... |

372 |
Password Authentication with Insecure Communication
- Lamport
- 1981
(Show Context)
Citation Context ...naturally leads to the idea of applying a hash function to its own output. 38CHAPTER 3. HASH STRUCTURES 39 One of the earliest examples of this being used is Lamport’s password authentication scheme =-=[69]-=-, which we discuss in more detail in Chapter 4, but give a summary now. We consider the scenario of a user who wants to log on to a computer remotely, and who has to send the password across an insecu... |

329 | The exact security of digital signatures - how to sign with rsa and rabin
- Bellare, Rogaway
- 1996
(Show Context)
Citation Context ...However, signature schemes can be based on hash functions instead of trapdoor functions. Many such signature schemes are one-time signatureCHAPTER 5. SIGNATURES 112 Signature scheme Full domain hash =-=[6]-=- DSA [93] ECDSA [155] ElGamal signature scheme Rabin signature scheme Underlying mathematical problem The RSA problem Discrete logarithm problem Elliptic curve discrete logarithm problem Discrete loga... |

313 | Universal one-way hash functions and their cryptographic applications
- Naor, Yung
- 1989
(Show Context)
Citation Context ...ns also raise the problem of formally defining second preimage resistance. One well-known attempt to formally define second preimage resistant functions is the universal one-way hash function (UOWHF) =-=[91]-=-. Essentially, a UOWHF family is such that no adversary is “good” at finding a second preimage for some challenge value x (which it can choose), when the hash function is selected uniformly at random ... |

264 | Authentication and authenticated key exchanges
- DIFFIE, OORSCHOT, et al.
- 1992
(Show Context)
Citation Context ...r will be carried out periodically. Although the literature is not consistent, we choose to define ‘backward secrecy’ and ‘forward secrecy’ in what we believe to be the most standard way (for example =-=[35, 61]-=-). 2 Definition 6.6. A key refreshment scheme has backward secrecy if all subsets of future session keys reveal no information about past session keys. A key refreshment scheme has forward secrecy if ... |

254 | Efficient authentication and signing of multicast streams over lossy channels
- Perrig, Canetti, et al.
- 2000
(Show Context)
Citation Context ...irst scheme we look at is the hash chain entity authentication scheme due to Lamport [69]. Many variations of this are used in the literature, but they all use essentially the same idea as Scheme 4.9 =-=[7, 44, 47, 48, 49, 52, 54, 71, 105]-=-. Entity Authentication Scheme 4.9: The hash chain entity authentication scheme due to Lamport [69]. Initialisation • A creates a key x, and uses it to seed a hash chain of length n. • A A −→ B : f n ... |

250 | Broadcast encryption
- Fiat, Naor
- 1994
(Show Context)
Citation Context ...this KDP there is a sub-key owned by all the users not in A ′ j ∈ X , and so every excluded set of users cannot form any group keys they are not meant to. The trivial exclusion KDP was first given in =-=[39]-=-. 6.2.2 Existing hash-based key predistribution schemes In this section we explore key predistribution schemes based on hash functions. Using some of the hash structures described in Chapter 3 we can ... |

249 |
G.M.: Timestamps in key distribution protocols
- Denning, Sacco
- 1981
(Show Context)
Citation Context ...pplications and feature in relevant ISO standards [57]. 5 This step could be replaced with A → B : (f(x||t); t) as long as B is satisfied with the time-dependent variable being one of a set of values =-=[30, 62]-=-. This relaxes the necessity for accurately synchronised clocks. For example, if A uses the current time to the nearest thousandth of a second then B will probably be satisfied with a variety of diffe... |

220 | PayWord and MicroMint: Two Simple Micropayment Schemes
- Rivest, Shamir
- 1996
(Show Context)
Citation Context ...ically designed to efficiently process large volumes of small payments. One of the most well known micropayment schemes is Payword, which was simultaneously developed by a number of different authors =-=[50, 103, 119]-=-. Note the similarity between this scheme and Entity Authentication Scheme 4.9. 203CHAPTER 7. OTHER APPLICATIONS AND FUTURE WORK 204 Micropayment Scheme 7.1: A simplified version of Payword, with cus... |

215 |
An optimal class of symmetric key generation systems
- Blom
- 1985
(Show Context)
Citation Context ...schemes that have better properties than the fundamental schemes in Section 6.2.1. We also note that there exist many key predistribution schemes that are based on one-way trapdoor functions, such as =-=[13]-=-, [14] and [100]. These schemes are also better, in some respects, than the schemes from Section 6.2.1. However we do not consider them further, as schemes based on hash functions are typically more e... |

215 | How to Break MD5 and Other Hash Functions
- Wang, Yu
- 2005
(Show Context)
Citation Context ...hat as definitions get more rigorous, the gap between theory and practice grows. In recent years, a number of attacks on hash functions have been devised. In particular there have been attacks on MD5 =-=[146]-=- and SHA-1 [145], hash functions which have both been in widespread use. Since NIST (the National Institute of Standards and Technology) was responsible for the standardisation of SHA-1, it took on re... |

214 |
A digital signature based on a conventional encryption function
- Merkle
- 1987
(Show Context)
Citation Context ... tree, but in this thesis it refers to the class of hash trees in Definition 3.4. We note that a Merkle tree as we have defined it here corresponds more closely to the construction given by Merkle in =-=[85]-=-, than our definition of a hash tree. Although Merkle trees are clearly a type of hash tree, it can be useful to think of a Merkle tree as being formed by taking any hash tree, and hashing the leaf va... |

209 | Password Security: A Case History
- Morris, Thompson
- 1979
(Show Context)
Citation Context ...ains access to the hard drive of B’s computer (and learns f(x)) then they still cannot falsely authenticate A to B. The storage of the hash of passwords for this reason is a well established practice =-=[83, 89]-=-. Entity Authentication Scheme 4.2: The basic one-time hash based entity authentication scheme. Initialisation • A picks a value x at random, and computes the hash of it using a preimage-resistant has... |

207 |
Algorithm 457: Finding All Cliques of an Undirected Graph
- Bron, Kerbosch
(Show Context)
Citation Context ...orithm 10 Finding the largest compatible set of MVSs on a DAG is the same as the maximum clique problem [59] on the graph with MVSs as vertices and edges between pairs of MVSs that are compatible. In =-=[18]-=- Bron and Kerbosch present an algorithm for finding the largest clique in a graph. This method is given in Algorithm 10. Algorithm 10: Description: The Bron-Kerbosch algorithm to find the largest cliq... |

199 | Available at rfc1760: The s/key one-time password system
- Haller
- 1995
(Show Context)
Citation Context ...irst scheme we look at is the hash chain entity authentication scheme due to Lamport [69]. Many variations of this are used in the literature, but they all use essentially the same idea as Scheme 4.9 =-=[7, 44, 47, 48, 49, 52, 54, 71, 105]-=-. Entity Authentication Scheme 4.9: The hash chain entity authentication scheme due to Lamport [69]. Initialisation • A creates a key x, and uses it to seed a hash chain of length n. • A A −→ B : f n ... |

197 | Multicast security: a taxonomy and some efficient constructions
- Canetti, Garay, et al.
- 1999
(Show Context)
Citation Context ...d M is a mixing function. The authors suggest that exclusive-or is a suitable choice for the function M, and for simplicity we assume this to be the case. Another adaptation of the LKH is proposed in =-=[19]-=- by Canetti et al. The scheme reduces the overhead required for user add and user revoke by defining all new keys to be related to each other as values in a hash chain. In this way, each user only nee... |

194 | Perfectly-secure key distribution for dynamic conferences
- Blundo, Santis, et al.
- 1992
(Show Context)
Citation Context ...s that have better properties than the fundamental schemes in Section 6.2.1. We also note that there exist many key predistribution schemes that are based on one-way trapdoor functions, such as [13], =-=[14]-=- and [100]. These schemes are also better, in some respects, than the schemes from Section 6.2.1. However we do not consider them further, as schemes based on hash functions are typically more efficie... |

185 | Privacy Preserving Auctions and Mechanism Design
- Naor, Pinkas, et al.
- 1999
(Show Context)
Citation Context ... could insert a bid between the highest and second highest bids in order to increase their revenue. Many Vickrey auction schemes exist, including several that do not depend on public key cryptography =-=[17, 75, 90]-=-. However all of these solutions require multiple independent auctioning authorities, and some reveal private bid values to some of these authorities (ideally in a Vickrey auction only the second high... |

177 | Key establishment in large dynamic groups using one-way functiontrees
- McGrew, Sherman
- 2003
(Show Context)
Citation Context ...rage requirements for each user, but increase the average number of KEKs that must be used to send a message to an arbitrary set of users. 6.3.3.1 Using hash structures for a logical key hierarchy In =-=[82]-=-, McGrew and Sherman proposed an improved version of the logical hierarchy scheme based on [144] and [154]. In it they replace the independent keys at each node with keys formed by a hash tree. The ha... |

175 |
One way hash functions and DES
- Merkle
- 1990
(Show Context)
Citation Context ...used names for this type of function include “cryptographic hash function” [138, 148], and “secure hash function” [134]. 2.3.1 A traditional formal definition One of the definitions was due to Merkle =-=[86]-=-, who defined a “strong hash function” to be any function f with the following properties: 1. The function f can be applied to an argument of any size. 2. The output of f is a bit string of fixed leng... |

168 | Finding collisions in the full SHA-1
- Wang, Yin, et al.
- 2005
(Show Context)
Citation Context ...ns get more rigorous, the gap between theory and practice grows. In recent years, a number of attacks on hash functions have been devised. In particular there have been attacks on MD5 [146] and SHA-1 =-=[145]-=-, hash functions which have both been in widespread use. Since NIST (the National Institute of Standards and Technology) was responsible for the standardisation of SHA-1, it took on responsibility for... |

164 | Limits on the provable consequences of one-way permutations
- Impagliazzo, Rudich
- 1989
(Show Context)
Citation Context ...ify how long “sufficiently long” is. Clearly a fixed hash function can never satisfy this definition, but many cryptographers model hash functions as random oracles in order to aid proofs of security =-=[5, 72, 56]-=-. As we have seen, there exist some attempts to define the properties required for a “pseudo-random hash function”, some practical, and some impractical, but we will not try to resolve this complex is... |

160 | Simple and fault-tolerant key agreement for dynamic collaborative groups
- Kim, Perrig, et al.
- 2000
(Show Context)
Citation Context ...r will be carried out periodically. Although the literature is not consistent, we choose to define ‘backward secrecy’ and ‘forward secrecy’ in what we believe to be the most standard way (for example =-=[35, 61]-=-). 2 Definition 6.6. A key refreshment scheme has backward secrecy if all subsets of future session keys reveal no information about past session keys. A key refreshment scheme has forward secrecy if ... |

155 |
Minimization of Boolean Functions
- McCluskey
- 1956
(Show Context)
Citation Context .... . . , k0,N−1, k1,N−1}. This is not a simple problem, and the best method to solve it is outside the scope of this document. 1 1 According to [21], the TA should use the Quine-McCluskey algorithm of =-=[81]-=-.CHAPTER 6. KEY ESTABLISHMENT SCHEMES 192 • The TA broadcasts the encryption ESK(Eκ0(SK ∗ ), . . . , Eκr−1(SK ∗ )). In [21] the authors do not provide a method for user add, but we suggest below an e... |

147 |
Provably secure and practical identification schemes and corresponding signature schemes
- Okamoto
- 1993
(Show Context)
Citation Context ...ber generators it is clear that the aim should be that output values should bear no correlation to previous output values, but with hash functions there is no obvious ordering of the output words. In =-=[98]-=- Okamoto uses the term “correlation-free one-way hash functions”. In [2] Anderson gives a simplified definition, defining a hash function f as “correlation free” if the best way to find two distinct v... |

130 |
A Cryptanalytic Time – Memory trade-Off
- Hellman
- 1980
(Show Context)
Citation Context ...e if the result is a member of {xl,∗}. If it is, then we find the first value of that row, and hash and reduce until we obtain the preimage p. The precursor to rainbow tables was based on hash chains =-=[51]-=-; however rainbow chains are better suited to this application. 7.6 Conclusions In this chapter we gave an overview of the application of hash structures to micropayments, auctions, pseudo-random numb... |

111 |
Analysis and Design of Cryptographic Hash Functions
- Preneel
- 1993
(Show Context)
Citation Context ...tions and motivation The term “hash function” is due to computer science, and refers to a function which compresses an arbitrary length input bit string to an output bit string of fixed finite length =-=[111, 141]-=-. These functions are primarily used to speed up the process of finding stored data [151]. However the term “hash function” has since been adopted by cryptographers, and desirable properties of crypto... |

110 |
Ein Satz über Untermengen einer endlichen
- Sperner
- 1928
(Show Context)
Citation Context ...r − 1, l, k − i)| if r ≥ 2.CHAPTER 5. SIGNATURES 125 k ≥ 0. From (5.3) and (5.4) we can compute |S(r, l, k)| for all r ≥ 1, l ≥ 0 and In [10] Bleichenbacher and Maurer used the Sperner property from =-=[132]-=- to show that the signature scheme S(r, l, ⌊ rl⌋) is the largest signature scheme 2 that can be formed on r chains of length l. We will refer to the family S(r, l, ⌊ rl⌋) as Vaudenay’s optimal rake on... |

106 |
Protocols for Authentication and Key Establishment
- Boyd, Mathuria
- 2003
(Show Context)
Citation Context .... We end the section by identifying the costs that will be used to assess the schemes in the rest of the chapter. We note that there exists a large amount of research into the field of authentication =-=[15, 28, 31, 83]-=-. 60CHAPTER 4. ENTITY AUTHENTICATION 61 4.1.1 Types of authentication We now summarise the types of authentication as described by Menezes et al. in [83]. Authentication can be divided into two types... |

103 |
Constructing digital signatures from a one-way function
- Lamport
- 1979
(Show Context)
Citation Context ...scheme The first published one-time signature scheme based on hash functions was due to Rabin in 1978 [114]. It is rather inefficient and so we will instead look at Lamport’s similar scheme from 1979 =-=[68]-=-, which is slightly more efficient and much more straightforward. The scheme uses a preimage-resistant hash function f. It is important that an adversary cannot find a preimage, as this would allow th... |

103 |
Modern Cryptography: Theory and Practice
- Mao
- 2003
(Show Context)
Citation Context ...nown as a weak hash function [83]. Other authors define hash functions without preimage resistance or second preimage resistance [127, 131], or with additional properties such as collision resistance =-=[78]-=-, or such that the input should include a key [134]. Many more authors use the term hash function without specifying the precise properties they require. Preneel highlights in his thesis [111] the dif... |

102 | Time-lock puzzles and timed-release crypto
- Rivest, Shamir, et al.
- 1996
(Show Context)
Citation Context ...ce of information such that it can only be read after a certain amount of time has passed. For example, in a sealed-bid auction, a bidder may want to keep their bid secret until the opening phase. In =-=[120]-=- Rivest et al. suggest that a trusted agent T using a hash chain could provide a service where they respond to two types of request. If a user asks for the current hash chain value, T will provide it.... |

96 |
Collision free hash functions and public key signature schemes
- Damgard
- 1988
(Show Context)
Citation Context ...sequently there seems to be a need to define collision resistance in terms of collision-resistant hash function families and then, when needed, a hash function can be chosen from the family. Damg˚ard =-=[25]-=- defined a “collision-free hash function family”, which is a bit misleading as it does actually contain collisions; they are just hard to find. We will refer to the family as a fixed-size collision-re... |

90 |
Cryptographic solution to a problem of access control in a hierarchy
- Akl, Taylor
- 1983
(Show Context)
Citation Context ...est two parameters for any hash function: the output size and the security parameter. The output size is simply the number of bits that the output of the hash function has. The security parameter s ∈ =-=[0, 1]-=- relates the output size to the actualCHAPTER 2. HASH FUNCTIONS 35 security. The simplest way to explain this is with an example. If we have a 0.5-secure 256-bit preimage-resistant hash function then... |

89 | The BiBa one-time signature and broadcast authentication protocol
- Perrig
- 2001
(Show Context)
Citation Context ... that the adversary cannot find the corresponding messages to the revealed signatures. All the k-time hash based signature schemes from the literature that we have seen are both perforated and porous =-=[104, 108, 118]-=-. In the next section we provide a k-time signature scheme that is porous but not perforated, but for which we have not been able to find a signature pattern function. 5.5.3 Towards a porous k-time si... |