## Cryptographic Hash Functions: A Survey (1995)

Citations: | 40 - 7 self |

### BibTeX

@TECHREPORT{Bakhtiari95cryptographichash,

author = {S. Bakhtiari and R. Safavi-Naini and J. Pieprzyk},

title = {Cryptographic Hash Functions: A Survey},

institution = {},

year = {1995}

}

### Years of Citing Articles

### OpenURL

### Abstract

This paper gives a survey on cryptographic hash functions. It gives an overview of all types of hash functions and reviews design principals and possible methods of attacks. It also focuses on keyed hash functions and provides the applications, requirements, and constructions of keyed hash functions.

### Citations

3231 | A Method for Obtaining Digital Signatures and Public-Key Cryptosystems
- Rivest, Shamir, et al.
- 1978
(Show Context)
Citation Context ... N ), where s and g are elements of a Galois field GF (N ), and N is a prime number or a power of 2. The two most important cryptosystems, based on modular arithmetic, are RSA public key cryptosystem =-=[71]-=- and ElGamal cryptosystem [38]. Hash functions that are based on modular arithmetic can have variable digest length, depending on the size of modulus. Examples of the attack on this type of hash funct... |

1246 | Public-Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms
- ElGamal, “A
- 1985
(Show Context)
Citation Context ...ts of a Galois field GF (N ), and N is a prime number or a power of 2. The two most important cryptosystems, based on modular arithmetic, are RSA public key cryptosystem [71] and ElGamal cryptosystem =-=[38]-=-. Hash functions that are based on modular arithmetic can have variable digest length, depending on the size of modulus. Examples of the attack on this type of hash functions are: to find fixed points... |

1226 | A logic of authentication, in
- Burrows, Abadi, et al.
- 1989
(Show Context)
Citation Context ...(), which is set to the key K. Note that, the length of H 0 (M ) should be equal to the required length of the input for E(). This scheme is proposed in the CCITT X.509 standard as a standard scheme (=-=[22]-=-). We note that, the first property of Definition 3 slightly suffers from the slow speed of the encryption algorithm. Nested Hash Function Construction There are many ways to construct a keyed hash fu... |

885 |
The MD5 Message-Digest Algorithm
- Rivest
- 1992
(Show Context)
Citation Context ... approach to find collisions seems to be a differential attack (cf. Section 3.2.5). There is a recent attack by Rogier and Chauvaud [72] which can find collisions based on some weaknesses in MD2. MD4 =-=[69]-=- is another MD-family hash function which uses a very simple structure on 32-bit machines, and is believed to be a fast hashing algorithm (cf. Appendix A.2). The resulting message digest length is 128... |

718 |
Universal classes of hash functions
- Carter, Wegman
- 1979
(Show Context)
Citation Context ...K 0 (6= K) with H(K;M i ) = H(K 0 ; M i ), for all M i . 4. Without knowledge of K, it is hard to determine H(K;M) for any message M . Universal Hash Functions (UHF) were defined by Carter and Wegman =-=[24]-=- in an attempt to provide an input independent average linear time algorithm for storage and retrieval of keys in associated memories. Definition 5 A class H of functions from a set A to a set B is ca... |

565 | Differential cryptanalysis of DES-like cryptosystems
- Biham, Shamir
- 1991
(Show Context)
Citation Context ...and the reader is referred to [1, 16, 21, 20, 42, 48, 49, 50, 51, 58, 60, 66, 67] for more information. 3.2.5 Differential Cryptanalysis The idea of this attack was first given by Biham and Shamir in =-=[14]-=-. In Differential Cryptanalysis, the correlation between the difference in input and output is studied. In other words, the intruder searches for a particular difference in input that cause a specific... |

358 |
New hash functions and their use in authentication and set equality
- Wegman, Carter
- 1981
(Show Context)
Citation Context ...lled universal 2 , if for all x and y in A, ffi H (x; y)sjHj=jBj, where jHj and jBj are the sizes of H and B, respectively, and ffi H (x; y) denotes the number of functions h 2 H with h(x) = h(y). In =-=[25]-=-, they extended their work and defined strongly universal n and almost strongly universal 2 , and showed their application to authentication. Definition 6 A class H of hash functions is strongly unive... |

321 |
A design principle for hash functions
- Damg̊ard
- 1989
(Show Context)
Citation Context ...ryptosystem based on knapsack problem. Two examples of the hash functions based on knapsack problem are hash functions based on additive knapsacks and hash functions based on multiplicative knapsacks =-=[23, 35, 36, 39, 80]-=- (cf. [63]). 1.3.5 Hash Functions Based on Algebraic Matrices In [41], Harari used Algebraic Matrices to generate keyed one-way functions for authentication. A random t \Theta t matrix K is used as th... |

163 | A Proposal for a New Block Encryption Standard
- Lai, Massey
- 1991
(Show Context)
Citation Context ...the encryption algorithms are Key Collisions, Complementation Property, Weak Keys, and Fixed Points [63]. Details on these weaknesses are beyond the scope of this paper, and the reader is referred to =-=[1, 16, 21, 20, 42, 48, 49, 50, 51, 58, 60, 66, 67]-=- for more information. 3.2.5 Differential Cryptanalysis The idea of this attack was first given by Biham and Shamir in [14]. In Differential Cryptanalysis, the correlation between the difference in in... |

155 | Hiding information and signatures in trapdoor knapsacks
- Merkle, Hellman
- 1978
(Show Context)
Citation Context ...and an integer valued function s : U ! N, is there a subset U 0 ` U such that P u i 2U 0 s(u i ) = B, where B is a given integer? This problem was first used in Merkle-Hellman public key cryptosystem =-=[56]-=-. Although it was broken later, there have been a number of research efforts to find a secure cryptosystem based on knapsack problem. Two examples of the hash functions based on knapsack problem are h... |

134 |
On the Design and Security of Block Ciphers
- Lai
- 1995
(Show Context)
Citation Context ...the encryption algorithms are Key Collisions, Complementation Property, Weak Keys, and Fixed Points [63]. Details on these weaknesses are beyond the scope of this paper, and the reader is referred to =-=[1, 16, 21, 20, 42, 48, 49, 50, 51, 58, 60, 66, 67]-=- for more information. 3.2.5 Differential Cryptanalysis The idea of this attack was first given by Biham and Shamir in [14]. In Differential Cryptanalysis, the correlation between the difference in in... |

128 |
Analysis and Design of Cryptographic Hash Functions
- Preneel
- 1993
(Show Context)
Citation Context ...e previous round. This provides 4 3 = 64 different possibilities for f (), where some of the possibilities should be discarded, as M i should be used at least once in the round function f (). Preneel =-=[63]-=- gives detailed analysis of hash functions based on the above f (), where most of them are found insecure. Unfortunately, there are very few encryption based hash functions that are secure for message... |

116 | Markov ciphers and differential cryptanalysis
- Lai, Massey
- 1991
(Show Context)
Citation Context ...the encryption algorithms are Key Collisions, Complementation Property, Weak Keys, and Fixed Points [63]. Details on these weaknesses are beyond the scope of this paper, and the reader is referred to =-=[1, 16, 21, 20, 42, 48, 49, 50, 51, 58, 60, 66, 67]-=- for more information. 3.2.5 Differential Cryptanalysis The idea of this attack was first given by Biham and Shamir in [14]. In Differential Cryptanalysis, the correlation between the difference in in... |

111 | Message authentication with one-way hash functions
- Tsudik
- 1992
(Show Context)
Citation Context .... 9. H(K;M ) = H 0 (IV; M), where IV = K. 10. H(K;M ) = H 0 (IV; (M \Phi K)), where IV = K. 11. H(K;M ) = H 0 (IV; (M \Phi K 2 )), where IV = K 1 . The first three methods were suggested by Tsudik in =-=[75]-=-, where K has 512-bit length. Other methods are improved versions of the first three ones that are studied in [6], and use only 128-bit keys. Methods 1, 5, and 9 suffer from padding attack. However, v... |

101 |
Collision Free Hash Functions and Public Key Signature
- Damgård
- 1988
(Show Context)
Citation Context ...]. Padding attack can be easily thwarted by pre-pending the message length to the message or by using some fixed suffixes that are not appeared within the message. More examples of this attack are in =-=[29, 33, 34]-=-. Some methods of avoiding this attack are also suggested in [6]. 4 Keyed Hash Functions Keyed hash functions (cf. Definition 3) can be used for message authentication. In this section, applications, ... |

96 | Differential Cryptanalysis of the Full 16-round DES
- Biham, Shamir
- 1993
(Show Context)
Citation Context ...d to almost all cryptosystems, including most dedicated hash functions. In the case of hash functions, the difference in output should be zero to result in collisions. Examples of this attacks are in =-=[9, 11, 14, 15, 16, 17, 51]-=-. 3.2.6 Linear Cryptanalysis Linear Cryptanalysis was proposed by Matsui [54] in early 1993. Although it is inspired by Differential Cryptanalysis, better results are gained compared with Differential... |

81 |
Random sequence generation by cellular automata
- Wolfram
- 1986
(Show Context)
Citation Context ...gorithms and has examined some of their weaknesses. 1.3.3 Hash Functions Based on Cellular Automaton There are some automata based cryptosystems that among them only a few are hash functions. Wolfram =-=[79]-=- has suggested the use of one-dimensional cellular automaton for pseudo-random bit generator. The one-wayness property of such a generator can lead to the design of a hash function. An example of the ... |

74 | Links between differential and linear cryptanalysis
- Chabaud, Vaudenay
- 1995
(Show Context)
Citation Context ...oposed by Matsui [54] in early 1993. Although it is inspired by Differential Cryptanalysis, better results are gained compared with Differential Cryptanalysis (specially on block ciphers such as DES) =-=[12, 13, 26, 43, 54]-=-. For the time being, there is no proposed attack on the hash functions, based on Linear Cryptanalysis. However, the hash functions based on encryption algorithms are expected to be the most vulnerabl... |

62 |
LOKI: A Cryptographic Primitive for Authentication and Secrecy
- Brown, Pieprzyk, et al.
- 1990
(Show Context)
Citation Context |

57 | Performance analysis of MD5
- Touch
- 1995
(Show Context)
Citation Context ...ound is added and each round consists of more operations (cf. Appendix A.3). Although MD5 is considered as one of the most promising hash functions, current technologies demand a faster hash function =-=[74]-=-. For the time being, there is not any successful attack on the full MD5. Berson [9] introduced the idea of differential cryptanalysis modulo 2 32 and applied to MD5. He could find collisions for indi... |

55 | HAVAL — A One-Way Hashing Algorithm with Variable Length of Output
- Zheng, Pieprzyk, et al.
- 1993
(Show Context)
Citation Context ...s and the number of steps per rounds is increased from 16 steps to 20 steps. These changes make SHA slower than both MD4 and MD5. There is not any successful attack on SHA (for the time being). HAVAL =-=[83]-=- is very similar to MD5 with the following advantages: 1. It uses five nonlinear boolean functions with Strict Avalanche Criterion (SAC) property. 2. It has 15 different versions by choosing the numbe... |

46 |
Cryptography: An Introduction to Computer Security
- Seberry, Pieprzyk
- 1989
(Show Context)
Citation Context ...wed. These applications are mostly authentication schemes that use symmetric keys to make the algorithm secure. 4.1.1 Message Authentication between Two Parties Although electronic signature schemes (=-=[73]-=-) can be used for message authentication, they are usually slow and inefficient. They also need key distribution schemes for public keys and therefore the problem remains with the authenticity of the ... |

44 | On Matsui's Linear Cryptanalysis
- Biham
- 1995
(Show Context)
Citation Context ...oposed by Matsui [54] in early 1993. Although it is inspired by Differential Cryptanalysis, better results are gained compared with Differential Cryptanalysis (specially on block ciphers such as DES) =-=[12, 13, 26, 43, 54]-=-. For the time being, there is no proposed attack on the hash functions, based on Linear Cryptanalysis. However, the hash functions based on encryption algorithms are expected to be the most vulnerabl... |

41 | Improving Resistance to Differential Cryptanalysis and the
- Brown, Kwan, et al.
- 1993
(Show Context)
Citation Context |

39 | On the need of multipermutations: cryptanalysis of MD4 and SAFER, Fast Software Encryption
- Vaudenay
- 1995
(Show Context)
Citation Context ...is conjectured by the designer. Boer and Bosselaers [18] have found an attack on the last two rounds of MD4. They can find collisions for MD4, if the first round of the algorithm is omitted. Vaudenay =-=[78]-=- has also shown how to construct collisions for MD4, when the last round is omitted. His attack also finds two close digests (according to Hamming distance) when the full MD4 is used. For the time bei... |

38 |
The MD2 Message-Digest Algorithm
- Kaliski
- 1992
(Show Context)
Citation Context ...hing and are not provably secure. (They are not based on a hard problem such as factorization.) In this section a brief review of these hash functions and the existing attacks (if any) are given. MD2 =-=[47]-=- is one of the MD-family hash functions that were proposed by RSA Data Security Inc. The algorithm generates a 16-byte message digest for an arbitrary length input message. The author has conjectured ... |

33 |
A Fast Software One-Way Hash Function
- Merkle
- 1990
(Show Context)
Citation Context ...digest length (128, 160, 192, 224, or 256 bits). 3. It is 60% faster than MD5 when 3 passes are required, and as fast as MD5 when full 5 passes are required. Other Dedicated Hash Functions are Snefru =-=[55]-=-, RIPE-MD [65, 68, 76], FFT-Hash I and II [8, 30, 77], BCA (Binary Condensing Algorithm), MAA (Message Authentication Algorithm), and DSA (Decimal Shift and Add) that are not included in this paper. T... |

32 | Differential Cryptanalysis of Feal and N-Hash
- Biham, Shamir
- 1991
(Show Context)
Citation Context ...e. Unfortunately, there are very few encryption based hash functions that are secure for message authentication. Examples of some encryption (not necessarily block cipher) based hash functions are in =-=[2, 15, 44, 45, 52]-=-, and the reader is referred to [63] for the study of the weaknesses of these hash functions. 1.3.2 Hash Functions Based on Modular Arithmetic The idea of cryptosystems based on modular arithmetic is ... |

30 |
The knapsack hash function proposed at crypto’89 can be broken
- Camion, Patarin
- 1991
(Show Context)
Citation Context ...ryptosystem based on knapsack problem. Two examples of the hash functions based on knapsack problem are hash functions based on additive knapsacks and hash functions based on multiplicative knapsacks =-=[23, 35, 36, 39, 80]-=- (cf. [63]). 1.3.5 Hash Functions Based on Algebraic Matrices In [41], Harari used Algebraic Matrices to generate keyed one-way functions for authentication. A random t \Theta t matrix K is used as th... |

29 |
Differential Cryptanalysis of Snefru
- Biham, Shamir
- 1992
(Show Context)
Citation Context |

27 |
How to construct pseudorandom permutations and pseudorandom functions
- Luby, Racko
- 1988
(Show Context)
Citation Context ... C = (C 1 k C 2 ) and can be decrypted by a similar method: 1. T = H(K 3 ; C 1 ) \Phi C 2 , 2. P 1 = H(K 2 ; T ) \Phi C 1 , 3. P 2 = H(K 1 ; P 1 ) \Phi T . A similar scheme was originally proposed in =-=[53]-=- and was briefly examined in [3]. Their scheme uses a one-way function and adds a secret key as a part of the input message. 4.2 Requirements for Keyed Hash Functions We consider the following propert... |

26 |
Results of an Initial Attempt to Cryptanalyze the NBS Data Encryption Standard
- Hellman, Merkle, et al.
- 1976
(Show Context)
Citation Context |

24 | Cryptanalysis of multiple modes of operation
- Biham
- 1994
(Show Context)
Citation Context ...oposed by Matsui [54] in early 1993. Although it is inspired by Differential Cryptanalysis, better results are gained compared with Differential Cryptanalysis (specially on block ciphers such as DES) =-=[12, 13, 26, 43, 54]-=-. For the time being, there is no proposed attack on the hash functions, based on Linear Cryptanalysis. However, the hash functions based on encryption algorithms are expected to be the most vulnerabl... |

23 | The classification of hash functions
- Anderson
- 1989
(Show Context)
Citation Context ...ypted by a similar method: 1. T = H(K 3 ; C 1 ) \Phi C 2 , 2. P 1 = H(K 2 ; T ) \Phi C 1 , 3. P 2 = H(K 1 ; P 1 ) \Phi T . A similar scheme was originally proposed in [53] and was briefly examined in =-=[3]-=-. Their scheme uses a one-way function and adds a secret key as a part of the input message. 4.2 Requirements for Keyed Hash Functions We consider the following properties for keyed hash functions. ff... |

23 |
The compression function of MD2 is not collision free," Presented at Selected Areas in Cryptography ’95
- Rogier, Chauvaud
- 1995
(Show Context)
Citation Context ...ded at the final stage. Preneel [63] states that the most successful approach to find collisions seems to be a differential attack (cf. Section 3.2.5). There is a recent attack by Rogier and Chauvaud =-=[72]-=- which can find collisions based on some weaknesses in MD2. MD4 [69] is another MD-family hash function which uses a very simple structure on 32-bit machines, and is believed to be a fast hashing algo... |

20 | A framework for the design of one-way hash functions including cryptanalysis of Damg˚ard’s one-way function based on a cellular automaton
- Daemen, Govaerts, et al.
- 1991
(Show Context)
Citation Context ...it generator. The one-wayness property of such a generator can lead to the design of a hash function. An example of the automata based hash function is Cellhash which was proposed by Daemen et al. in =-=[31, 32]-=-. This hash function is hardware oriented and has some disadvantages [63, Section 7.2.7]. 1.3.4 Hash Functions Based on Knapsack Problem Knapsack problem can be defined, in general, as: Given a set U ... |

20 |
Sadeghiyan B. Design of Hashing Algorithms
- Pieprzyk
- 1993
(Show Context)
Citation Context ...hat are based on a hard problem, such as factorization, are not efficient, and dedicated hash function are being used in practice. The methods of hashing, described in Section 1.3, are Serial Methods =-=[62]-=- or Chaining Methods [63]. In Parallel Method [62] or Tree Approach [63], the hashing process can be sped up, using many processors. A simple parallel construction is as described below. X 1 i = f(M 2... |

16 | A Hardware Design Model for Cryptographic Algorithms
- Daeman, Govaerts, et al.
- 1992
(Show Context)
Citation Context ...it generator. The one-wayness property of such a generator can lead to the design of a hash function. An example of the automata based hash function is Cellhash which was proposed by Daemen et al. in =-=[31, 32]-=-. This hash function is hardware oriented and has some disadvantages [63, Section 7.2.7]. 1.3.4 Hash Functions Based on Knapsack Problem Knapsack problem can be defined, in general, as: Given a set U ... |

15 |
How easy is collision search ? Application to DES
- Quisquater, Delescaille
- 1990
(Show Context)
Citation Context |

14 |
The Design of Substitution-Permutation Networks Resistant to Differential and Linear Cryptanalysis
- Heys, Tavares
- 1994
(Show Context)
Citation Context |

14 |
How Easy is Collision Search. New Results and Applications to
- Quisquater, Delescaille
- 1989
(Show Context)
Citation Context |

13 |
Cycle Structure of the DES with Weak and Semiweak Keys
- Moore, Simmons
- 1987
(Show Context)
Citation Context |

12 |
FFT Hashing is not Collision-Free
- Baritaud, Gilbert, et al.
- 1993
(Show Context)
Citation Context ...). 3. It is 60% faster than MD5 when 3 passes are required, and as fast as MD5 when full 5 passes are required. Other Dedicated Hash Functions are Snefru [55], RIPE-MD [65, 68, 76], FFT-Hash I and II =-=[8, 30, 77]-=-, BCA (Binary Condensing Algorithm), MAA (Message Authentication Algorithm), and DSA (Decimal Shift and Add) that are not included in this paper. Table 2 gives a comparison of the performance among di... |

10 | 128-bit hash function (N-hash - Miyaguchi, Ohta, et al. - 1990 |

9 |
On the Applicability of Differential Cryptanalysis to Hash Functions," lecture at
- Biham
- 1992
(Show Context)
Citation Context ...d to almost all cryptosystems, including most dedicated hash functions. In the case of hash functions, the difference in output should be zero to result in collisions. Examples of this attacks are in =-=[9, 11, 14, 15, 16, 17, 51]-=-. 3.2.6 Linear Cryptanalysis Linear Cryptanalysis was proposed by Matsui [54] in early 1993. Although it is inspired by Differential Cryptanalysis, better results are gained compared with Differential... |

9 |
A fast cryptographic checksum algorithm based on stream ciphers
- Lai, Rueppel, et al.
- 1993
(Show Context)
Citation Context ...e. Unfortunately, there are very few encryption based hash functions that are secure for message authentication. Examples of some encryption (not necessarily block cipher) based hash functions are in =-=[2, 15, 44, 45, 52]-=-, and the reader is referred to [63] for the study of the weaknesses of these hash functions. 1.3.2 Hash Functions Based on Modular Arithmetic The idea of cryptosystems based on modular arithmetic is ... |

8 |
Differential cryptanalysis mod 2 with applications to MD5
- Berson
- 1992
(Show Context)
Citation Context ... MD5 is considered as one of the most promising hash functions, current technologies demand a faster hash function [74]. For the time being, there is not any successful attack on the full MD5. Berson =-=[9]-=- introduced the idea of differential cryptanalysis modulo 2 32 and applied to MD5. He could find collisions for individual round functions, but the idea could not be extended to the full algorithm. Al... |

8 | FFT-hash-II is not yet collision-free
- Vaudenay
- 1993
(Show Context)
Citation Context ...). 3. It is 60% faster than MD5 when 3 passes are required, and as fast as MD5 when full 5 passes are required. Other Dedicated Hash Functions are Snefru [55], RIPE-MD [65, 68, 76], FFT-Hash I and II =-=[8, 30, 77]-=-, BCA (Binary Condensing Algorithm), MAA (Message Authentication Algorithm), and DSA (Decimal Shift and Add) that are not included in this paper. Table 2 gives a comparison of the performance among di... |

7 |
collisionful hash functions
- Secure
- 1993
(Show Context)
Citation Context ...wledge of K, it is hard to determine H(K;M) for any message M , even when a large set of pairs [M i ; H(K;M i )], where M i 's are selected by the opponent (M 6= M i ; 8M i ), is given. Berson et al. =-=[10]-=- have proposed the idea of Collisionful Hash Functions (CHF), where some degree of collision is desired rather than avoided, to make the key leakage more difficult. Gong's version of the definition of... |

7 |
Analysis of ISO/CCITT Document X.509 Annex D
- Coppersmith
- 1989
(Show Context)
Citation Context ...]. Padding attack can be easily thwarted by pre-pending the message length to the message or by using some fixed suffixes that are not appeared within the message. More examples of this attack are in =-=[29, 33, 34]-=-. Some methods of avoiding this attack are also suggested in [6]. 4 Keyed Hash Functions Keyed hash functions (cf. Definition 3) can be used for message authentication. In this section, applications, ... |