## Hash Functions Based on Block Ciphers and Quaternary Codes (1996)

Venue: Advances in Cryptology ASIACRYPT

Citations: 11 (3 self)

### BibTeX

```bibtex
@INPROCEEDINGS{Knudsen96hashfunctions,
    author = {Lars Knudsen and Bart Preneel},
    title = {Hash Functions Based on Block Ciphers and Quaternary Codes},
    booktitle = {Advances in Cryptology ASIACRYPT},
    year = {1996},
    pages = {77--90},
    publisher = {Springer Verlag}
}
```

### Abstract

We consider constructions for cryptographic hash functions based on m-bit block ciphers. First we present a new attack on the LOKI-DBH mode: the attack finds collisions in $2^{3m/4}$ encryptions, which should be compared to $2^m$ encryptions for a brute force attack. This attack breaks the last remaining subclass in a wide class of efficient hash functions which have been proposed in the literature. We then analyze hash functions based on a collision resistant compression function for which finding a collision requires at least $2^m$ encryptions, providing a lower bound of the complexity of collisions of the hash function. A new class of constructions is proposed, based on error correcting codes over GF($2^2$) and a proof of security is given, which relates their security to that of single block hash functions. For example, a compression function is presented which requires about 4 encryptions to hash an m-bit block, and for which finding a collision requires at least $2^m$ encryptions...

### Citations

2033 |
The theory of error-correcting Codes
- MacWilliams, Sloane
- 1977
Citation Context ...minimum distance of the quaternary code ensures that the inputs to at least $d - 1$ of the last $n - k$ functions will depend on the inputs to the first $k$ functions. Since $n - k \geq d - 1$ [17] the result follows immediately. The security bound will be slightly smaller than indicated, since a number of key bits have to be fixed. However, $n = O(m)$, and thus the resulting reduction of the sec... |

1543 | An Introduction to Probability Theory and - FELLER |

388 |
The MD4 message digest algorithm
- Rivest
- 1991
Citation Context ...n building block for practical cryptography), and have gained more importance due to the recent cryptanalytical successes achieved by H. Dobbertin [7, 8] on custom designed hash functions such as MD4 [26] and MD5 [27]. The main disadvantage of this approach is that specific hash functions are likely to be more efficient. One also has to take into account that legal restrictions on the use and import o... |

321 | Universal one-way hash functions and their cryptographic applications
- Naor, Yung
- 1990
Citation Context ...ut transformation is often the identity function. The theoretical work on the security of hash functions has concentrated on the reduction of the security of $\mathrm{Hash}(\cdot)$ to that of $h(\cdot, \cdot)$ [5, 16, 19, 21]. For these reductions to work in practice, we need to append an additional block at the end of the input string which contains its length. This operation, proposed independently by R. Merkle [19] and... |

302 |
A Design Principle for Hash Functions
- Damgard
- 1990
Citation Context ...ut transformation is often the identity function. The theoretical work on the security of hash functions has concentrated on the reduction of the security of $\mathrm{Hash}(\cdot)$ to that of $h(\cdot, \cdot)$ [5, 16, 19, 21]. For these reductions to work in practice, we need to append an additional block at the end of the input string which contains its length. This operation, proposed independently by R. Merkle [19] and... |

180 |
One way hash functions and DES
- Merkle
- 1990
Citation Context ... $2^{109}$ encryptions [22]. A further generalization of MDC-2 has been included in ISO/IEC 10118 [12]. -- Merkle's schemes, the best of which has rate 0.276 (for a 64-bit block cipher with a 56-bit key) [19]. A security proof is given which assumes that the underlying single block length hash function is secure. (Footnote 1: This scheme was apparently known to Meyer and Matyas ca 1979.) If DES is used, the rate beco... |

130 |
On the Design and Security of Block Ciphers
- Lai
- 1992
Citation Context ...ut transformation is often the identity function. The theoretical work on the security of hash functions has concentrated on the reduction of the security of $\mathrm{Hash}(\cdot)$ to that of $h(\cdot, \cdot)$ [5, 16, 19, 21]. For these reductions to work in practice, we need to append an additional block at the end of the input string which contains its length. This operation, proposed independently by R. Merkle [19] and... |

118 |
Analysis and design of cryptographic hash functions
- Preneel
- 1993
Citation Context ...ase of DES, m = 64, but the key is only 56 bits long; a collision search requires then only $2^{55}$ encryptions for both schemes, and a preimage can be obtained after $2^{83}$ respectively $2^{109}$ encryptions [22]. A further generalization of MDC-2 has been included in ISO/IEC 10118 [12]. -- Merkle's schemes, the best of which has rate 0.276 (for a 64-bit block cipher with a 56-bit key) [19]. A security proof ... |

79 |
Hash functions based on block ciphers: a synthetic approach
- Preneel, Govaerts, et al.
- 1994
Citation Context ... it was shown that there exist essentially two secure single block length hash functions in this model, and that 12 different schemes can be obtained by applying a linear transformation to the inputs [24]. One of these schemes has been specified in ISO/IEC 10118 [12]. Since most block ciphers have a block length of m = 64 bits, the need for double block length hash functions became apparent. The goal ... |

70 | Efficient DES key search - Wiener - 1994 |

66 |
Cryptanalysis of MD4
- Dobbertin
- 1998
Citation Context ...Fund for Scientific Research (Belgium). seen as a main building block for practical cryptography), and have gained more importance due to the recent cryptanalytical successes achieved by H. Dobbertin [7, 8] on custom designed hash functions such as MD4 [26] and MD5 [27]. The main disadvantage of this approach is that specific hash functions are likely to be more efficient. One also has to take into acco... |

65 | Parallel collision search with application to hash functions and discrete logarithms
- Oorschot, Wiener
- 1994
Citation Context ...ractical disadvantage are the inconvenient block sizes. In summary, the known constructions do not provide an acceptable security level against parallel brute force collision attacks: it follows from [25, 28] that a security level of at least $2^{75} \ldots 2^{80}$ encryptions is required, which is not offered by any of the current proposals. Moreover, a similar or higher security level for preimage attacks woul... |

62 | Collisions for the compression function of MD5
- Boer, Bosselaers
- 1994
Citation Context ...ons. The generator matrix of the [8, 5, 3] Hamming code over GF($2^2$) has the following form: $\begin{bmatrix} 1 & 0 & 0 & 0 & 0 & 0 & 1 & 1 \\ 0 & 1 & 0 & 0 & 0 & 1 & 0 & \alpha \\ 0 & 0 & 1 & 0 & 0 & 1 & 0 & \beta \\ 0 & 0 & 0 & 1 & 0 & 1 & 0 & 1 \\ 0 & 0 & 0 & 0 & 1 & 1 & 1 & 0 \end{bmatrix}$ (6) here $0 = [00]$, $1 = [01]$, $\alpha = [10]$, and $\beta = [11]$. The order of the chaining variables is chosen to be $H^1_{i-1}$, $M^1_i$, $H^3_{i-1}$, $H^4_{i-1}$, $H^5_{i-1}$, $H^6_{i-1}$, $H^7_{i-1}$ ... |

60 |
LOKI - a cryptographic primitive for authentication and secrecy applications
- Brown, Pieprzyk, et al.
- 1990
Citation Context ... functions with rate 1 and with an internal memory of 2m bits; most of these constructions have been broken (see for example [14]), a notable exception being the LOKI-DBH mode proposed at Auscrypt'90 [4]. In this paper it will be shown that a collision attack for this hash function requires only $2^{3m/4}$ encryptions; the attack is more general and shows that there are no hash functions in this class fo... |

57 |
The MD5 Message-Digest Algorithm, RFC 1321
- Rivest
- 1992
Citation Context ...ock for practical cryptography), and have gained more importance due to the recent cryptanalytical successes achieved by H. Dobbertin [7, 8] on custom designed hash functions such as MD4 [26] and MD5 [27]. The main disadvantage of this approach is that specific hash functions are likely to be more efficient. One also has to take into account that legal restrictions on the use and import or export of h... |

48 |
Generating strong one-way functions with cryptographic algorithm
- Matyas, Meyer, et al.
- 1985
Citation Context ...r decryption. After the publication of several weak proposals in the late 1970s, the first secure constructions for a hash function based on a block cipher were the scheme by Matyas, Meyer, and Oseas [18] and its dual, which is widely known as the Davies-Meyer scheme$^1$. Both schemes have rate 1, and give a hash result of only m bits (which explains the name single block length hash functions). Findin... |

35 |
Information technology - Security techniques - Hash-functions, Part 1: General
- ISOIEC
- 1994
Citation Context ...ock length hash functions in this model, and that 12 different schemes can be obtained by applying a linear transformation to the inputs [24]. One of these schemes has been specified in ISO/IEC 10118 [12]. Since most block ciphers have a block length of m = 64 bits, the need for double block length hash functions became apparent. The goal of these constructions is to achieve a security level against b... |

32 |
How to swindle Rabin
- Yuval
- 1979
Citation Context ...heme$^1$. Both schemes have rate 1, and give a hash result of only m bits (which explains the name single block length hash functions). Finding a collision for such a scheme using the birthday paradox [30] requires about $2^{m/2}$ encryptions, while finding a (second) preimage requires about $2^m$ encryptions. Later it was shown that there exist essentially two secure single block length hash functions in th... |

23 |
Data authentication using modification detection codes based on a public one way encryption function
- Brachtl, Coppersmith, et al.
- 1990
Citation Context ...tions; the attack is more general and shows that there are no hash functions in this class for which finding a collision requires more than $2^{3m/4}$ operations. -- MDC-2 (rate 1/2) and MDC-4 (rate 1/4) [2]; their security to brute force collision attacks is about $2^m$ encryptions, and to preimage attacks about $2^{3m/2}$ respectively $2^{2m}$ encryptions. For the important practical case of DES, m = 64, but the... |

23 | Attacks on fast double block length hash functions - Knudsen, Lai, et al. - 1998 |

20 | A key-schedule weakness in SAFER-K64
- Knudsen
- 1995
Citation Context ...ers may exhibit some weaknesses that are only important if they are used in a hashing mode. The (semi)-weak keys of DES and the corresponding fixed points [20], and the key schedule weakness of SAFER [13] are good illustrations of this fact. We define the hash rate of a hash function based on an m-bit block cipher as the number of m-bit message blocks processed per encryption or decryption. After the ... |

17 |
Security of iterated hash functions based on block ciphers
- Hohl, Lai, et al.
- 1994
Citation Context ...the DES based hash functions of R. Merkle [19]). For the first class of hash functions (as discussed in §1) it was shown that collisions for the compression function require at most $2^{m/2}$ encryptions [11]; the same result was proved for a large class of related hash functions of rate 1/2. Collisions for the compression function of MDC-2 and MDC-4 can be found in time respectively $2^{28}$ and $2^{41}$ [22]. C... |

14 |
How easy is collision search ? Application to DES
- Quisquater, Delescaille
- 1990
Citation Context ...ractical disadvantage are the inconvenient block sizes. In summary, the known constructions do not provide an acceptable security level against parallel brute force collision attacks: it follows from [25, 28] that a security level of at least $2^{75} \ldots 2^{80}$ encryptions is required, which is not offered by any of the current proposals. Moreover, a similar or higher security level for preimage attacks woul... |

10 | Cycle structure of the DES for keys having palindromic (or antipalindromic) sequences of round keys - Moore, Simmons - 1987 |

8 | On the power of memory in the design of collision resistant hash functions
- Preneel, Govaerts, et al.
- 1993
Citation Context ...This yields constant values also for $H^7_i$. Find independently $2^{m/3}$-fold collisions for each of $H^2_i$, $H^3_i$, and $H^4_i$. This will require about $3 \times 2^{4m/3}$ encryptions of the block cipher [23]. These three sets are combined to a set of $2^m$ simultaneous collisions for $H^2_i$, $H^3_i$, and $H^4_i$. With a high probability one of these collisions yield a collision also for $H^6_i$ and $H^8_i$. The... |

7 | New attacks on all double block length hash functions of hash rate 1, including the parallel-DM
- Knudsen, Lai
- 1995
Citation Context ...cryptions. Three main classes of hash functions have been proposed: -- Hash functions with rate 1 and with an internal memory of 2m bits; most of these constructions have been broken (see for example [14]), a notable exception being the LOKI-DBH mode proposed at Auscrypt'90 [4]. In this paper it will be shown that a collision attack for this hash function requires only $2^{3m/4}$ encryptions; the attack i... |

3 |
Data Encryption Standard, Federal Information Processing Standard (FIPS), Publication 46
- FIPS
- 1977
Citation Context ... the minimization of the design and implementation effort. Additionally, the trust in existing block ciphers can be transferred to hash functions. These arguments are historically very important (DES [10] was * The work in this paper was initiated while the authors were visiting the Isaac Newton Institute, Cambridge, U.K., February 1996 ** N.F.W.O. postdoctoral researcher, sponsored by the National Fu... |

2 |
Cryptanalysis of MD5 compress, Presented at the rump session of Eurocrypt'96
- Dobbertin
- 1996
Citation Context ...Fund for Scientific Research (Belgium). seen as a main building block for practical cryptography), and have gained more importance due to the recent cryptanalytical successes achieved by H. Dobbertin [7, 8] on custom designed hash functions such as MD4 [26] and MD5 [27]. The main disadvantage of this approach is that specific hash functions are likely to be more efficient. One also has to take into acco... |

1 |
The classification of hash functions, Codes and Cyphers: Cryptography and Coding
- Anderson
- 1995
Citation Context ... the property that the size of the hash result is larger than the security level of the hash function would suggest. This could be a problem in applications where 'near collisions' are not acceptable [1] (e.g., it is feasible to find two hash values which have $n - d + 1$ colliding blocks). In that case, an output transformation can be defined which compresses the result of the final iteration. We pre... |

1 |
Linear code bound, http://www.win.tue.nl/win/math/dw/voorlincod.html
- Brouwer
Citation Context ...ks are even higher than the proven lower bound. The existence of efficient constructions for d = 3 follows from the existence of perfect Hamming codes over GF($2^2$) (see for example [17, 179--180] or [3]). Theorem 4. Let q be a prime power. The (perfect) Hamming codes over GF(q) have the following parameters: $n = \frac{q^s - 1}{q - 1}$, $k = n - s$, $d = 3$. The resulting codes can be shortened w... |