## The security of abreast-dm in the ideal cipher model

Citations: 6 - 3 self

### BibTeX

@MISC{Lee_thesecurity,
    author = {Jooyoung Lee and Daesung Kwon},
    title = {The security of abreast-dm in the ideal cipher model},
    year = {}
}

### Abstract

In this paper, we give a security proof for Abreast-DM in terms of collision resistance and preimage resistance. As old as Tandem-DM, the compression function Abreast-DM is one of the most well-known constructions for double block length compression functions. The bounds on the number of queries for collision resistance and preimage resistance are given by O(2^n). Based on a novel technique using query-response cycles, our security proof is simpler than those for MDC-2 and Tandem-DM. We also present a wide class of Abreast-DM variants that enjoy a birthday-type security guarantee with a simple proof.

### Citations

217 | How to Break MD5 and Other Hash Functions - Wang, Yu |

104 | Black-box analysis of the block-cipher-based hash-function construction from
- Black, Rogaway, et al.
- 2002
Citation Context ...A ⊢_Q B, if there exist query-response pairs (X1, K1, Y1), (X2, K2, Y2) ∈ Q, satisfying the following equations: (X1, K1) = (A1, A2|A3) (1), (X2, K2) = (A2, A3|A1) (2), B1 = A1 ⊕ Y1 (3), B2 = A2 ⊕ Y2 (4). Informally, A ⊢_Q B means that the query history Q determines the evaluation F : A ↦ B. Now the collision-finding advantage of A is defined to be Adv^coll_F(A) = Pr[Exp^coll_A = 1]. (5) The prob... |

72 | Hash functions based on block ciphers: A synthetic approach - Preneel, Govaerts, et al. - 1994 |

54 | function based on block ciphers
- Lai, Massey
- 1992
Citation Context ...t optimally secure in terms of collision resistance and preimage resistance [8, 9, 12]. The most classical DBL compression functions of rate less than 1 include MDC-2, MDC-4, Tandem-DM and Abreast-DM [5, 13]. In 2007, 20 years after its original proposal, Steinberger first proved the collision resistance of MDC-2 in the ideal cipher model [23]. The author showed that an adversary asking less than 2^{3n/5} ... |

36 | Some plausible construction of double-block-length hash functions
- Hirose
- 2006
Citation Context ...ndem-DM is estimated in terms of a parameter, say, α. Optimizing the parameter, they proved the collision resistance of Tandem-DM up to the birthday bound. Currently, Tandem-DM and Hirose's scheme [11] are the only rate 1/2 DBL compression functions that are known to have a birthday-type security guarantee. Results: We give a security proof for Abreast-DM in terms of collision resistance and preimag... |

27 | On the impossibility of highly-efficient blockcipher-based hash functions
- Black, Cochran, et al.
- 2005
Citation Context ... and B = (B1, B2) ∈ I_n^2, we write A ⊢_Q B, if there exist query-response pairs (X1, K1, Y1), (X2, K2, Y2) ∈ Q, satisfying the following equations: (X1, K1) = (A1, A2|A3) (1), (X2, K2) = (A2, A3|A1) (2), B1 = A1 ⊕ Y1 (3), B2 = A2 ⊕ Y2 (4). Informally, A ⊢_Q B means that the query history Q determines the evaluation F : A ↦ B. Now the collision-finding advantage of A is defined to be Adv^coll_F(A) ... |

24 |
Provably secure double-block-length hash functions in a black-box model
- Hirose
- 2005
Citation Context ...luations from a single cycle ∆^i determines a collision, (8) E^{i,j} ⇔ two evaluations from ∆^i and ∆^j determine a collision. (9) Then it follows that Pr[E] = Σ_{i=1}^{q} ( Pr[E^i] + Σ_{j=1}^{i−1} Pr[E^{i,j}] ). (10) Algorithm B^{E,E^{−1}}: Q_∆ ← ∅. Run A. If A makes a fresh query for E(A1, A2|A3) then make queries for Y1 = E(A1, A2|A3), Y2 = E(A2, A3|A1), Y3 = E(A3, A1|A2), Y4 = E(A1, A2|A3), Y5 = E(A2, A3|A1), Y... |

23 | Finding preimages in full MD5 faster than exhaustive search - Sasaki, Aoki - 2009 |

22 |
Data Authentication Using Modification Detection Codes Based on Public One Way Function
- Brachtl, Coppersmith, et al.
- 1990
Citation Context ...t optimally secure in terms of collision resistance and preimage resistance [8, 9, 12]. The most classical DBL compression functions of rate less than 1 include MDC-2, MDC-4, Tandem-DM and Abreast-DM [5, 13]. In 2007, 20 years after its original proposal, Steinberger first proved the collision resistance of MDC-2 in the ideal cipher model [23]. The author showed that an adversary asking less than 2^{3n/5} ... |

21 |
Attacks on fast double block length hash functions
- Knudsen, Lai, et al.
- 1998
Citation Context ...of the underlying blockciphers. Unfortunately, it turned out that a wide class of DBL compression functions of rate 1 are not optimally secure in terms of collision resistance and preimage resistance [8, 9, 12]. The most classical DBL compression functions of rate less than 1 include MDC-2, MDC-4, Tandem-DM and Abreast-DM [5, 13]. In 2007, 20 years after its original proposal, Steinberger first proved the c... |

19 | Constructing cryptographic hash functions from fixed-key blockciphers - Rogaway, Steinberger - 2008 |

19 | Finding collisions - Wang, Yin, et al. - 2005 |

15 | Analysis of step-reduced SHA-256 - Mendel, Pramstaller, et al. - 2006 |

15 |
The collision intractability of MDC-2 in the ideal-cipher model
- Steinberger
- 2008
Citation Context ...less than 1 include MDC-2, MDC-4, Tandem-DM and Abreast-DM [5, 13]. In 2007, 20 years after its original proposal, Steinberger first proved the collision resistance of MDC-2 in the ideal cipher model [23]. The author showed that an adversary asking less than 2^{3n/5} queries has only a negligible chance of finding a collision. Motivated by this work, Fleischmann et al. proved the security of Tandem-DM ... |

13 | Beyond uniformity: Better security/efficiency tradeoffs for compression functions - Stam - 2008 |

12 | MD4 is not one-way - Leurent - 2008 |

12 | How to build a hash function from any collision-resistant function - Ristenpart, Shrimpton - 2007 |

8 |
Analysis of double block length hash functions
- Hattori, Hirose, et al.
Citation Context ...of the underlying blockciphers. Unfortunately, it turned out that a wide class of DBL compression functions of rate 1 are not optimally secure in terms of collision resistance and preimage resistance [8, 9, 12]. The most classical DBL compression functions of rate less than 1 include MDC-2, MDC-4, Tandem-DM and Abreast-DM [5, 13]. In 2007, 20 years after its original proposal, Steinberger first proved the c... |

3 |
On the security of Tandem-DM
- Fleischmann, Gorski, et al.
- 2009
Citation Context .... The author showed that an adversary asking less than 2^{3n/5} queries has only a negligible chance of finding a collision. Motivated by this work, Fleischmann et al. proved the security of Tandem-DM [7]. Similar to MDC-2, the security of Tandem-DM is estimated in terms of a parameter, say, α. Optimizing the parameter, they proved the collision resistance of Tandem-DM up to the birthday bound. Curren... |

3 |
A security analysis of double-block-length hash functions with the rate 1
- Hirose
Citation Context ...of the underlying blockciphers. Unfortunately, it turned out that a wide class of DBL compression functions of rate 1 are not optimally secure in terms of collision resistance and preimage resistance [8, 9, 12]. The most classical DBL compression functions of rate less than 1 include MDC-2, MDC-4, Tandem-DM and Abreast-DM [5, 13]. In 2007, 20 years after its original proposal, Steinberger first proved the c... |

3 | Security/efficiency tradeoffs for permutation-based hashing - Rogaway, Steinberger - 2008 |

3 | Building a collision-resistant function from non-compressing primitives - Shrimpton, Stam - 2008 |