## New Integrated proof method on Iterated Hash Structure and New Structures (2006)

Citations: 2 (1 self)

### BibTeX

```bibtex
@MISC{Lei06newintegrated,
  author = {Duo Lei},
  title  = {New Integrated proof method on Iterated Hash Structure and New Structures},
  year   = {2006}
}
```

### Abstract

A hash structure that is secure in the Random Oracle Model may not be secure in a true design. In this paper, we give an integrated proof method for the security proof of iterated hash structures. Based on this proof method, we can distinguish the security of the Merkle-Damgård structure, wide-pipe hash, double-pipe hash and 3C hash, identify what a true design requires of the compression function, and give a new recommended structure. Finally, we give a new hash structure, MAC structure and encryption model that use the same block cipher round function and key schedule algorithm, and give security proofs for those structures.

### Citations

1334 | Random oracles are practical: A paradigm for designing efficient protocols - Bellare, Rogaway - 1993
Citation Context: ...fixed block length should be |mi| = n. 7 Random Oracle and Conditional Probability The random oracle model has been introduced by Bellare and Rogaway as a "paradigm for designing efficient protocols" [2]. It assumes that all parties, including the adversary, have access to a public, truly random hash function H. This model has been proven extremely useful for designing simple, efficient and highly pr...

792 | Communication Theory of Secrecy Systems - Shannon - 1949

494 | Differential Cryptanalysis of DES-like Cryptosystems - Biham, Shamir - 1991
Citation Context: ...s have been given, include wide-pipe hash and double-pipe hash, but the proofs were based on immunity against known attacks. The main ideas of the recent attacks on hash functions are differential attacks [8] and were known in block ciphers years ago, which means the attacks against block ciphers and hash functions are similar. The design criteria of block ciphers have received much attention and had an i...

476 | Keying hash functions for message authentication - Bellare, Canetti, et al.
Citation Context: ...e totally different. Although the collision is easier to build in the compression function F˙0(·, xh) ∧ xh, in the iteration procedure the collision of H T is easier to build by appending the message ˙E (4). ... 9. F˙C(·, xh) = F˙1(·, xh) ⊕ ˙3, F˙D(·, xh) = F˙1(·, xh) ⊕ ˙5, 10. For G˙7, we have: 3.2 The Properties of Graph Gm ∀m ∈ I4·∗, H T(...

288 | A Design Principle for Hash Functions - Damgård - 1989
Citation Context: ...dule algorithm, the security proofs on those structures are given. 1 Introduction Most of hash functions are iterated hash function and most of compression functions were iterated by Merkle-Damgård [18, 31] construction (noted M-D construction in this paper) with constant IV [47]. Since the MD5 and SHA1 were attacked by [9][57][58], more and more attentions had been paid on hash function. 1.1 Introduction...

284 | How to construct pseudorandom permutations from pseudorandom functions - Luby, Rackoff - 1988
Citation Context: ...9, Fig10 and Fig11, respectively. In this paper, the padding is padding zero at end of message, so we don't consider the padding, and the figure is drawn similar as the MAC Alred [17]. Luby and Rackoff [30] introduced a model that permits the assessment of the security of some block cipher constructions, in their discussion, only the high-level structure is considered, while the lower-level operations ar...

209 | The Design of Rijndael: AES, The Advanced Encryption Standard - Daemen, Rijmen - 2001

189 | Administrative theory - E - 1959

137 | Cryptography and computer privacy - Feistel - 1973
Citation Context: ...ructions 6 The Feistel Constructions A Feistel structure is a general way of constructing block ciphers from simple functions. The original idea was used in the block cipher invented by Horst Feistel [22]. The security of the Feistel structure is not obvious, but analysis of DES [23] has shown that it is a good way to construct ciphers. And some new ciphers based on Feistel structure of SPN function ha...

114 | Sequences of games: a tool for taming complexity in security proofs. Cryptology ePrint Archive, Report 2004/332 (2004), available at http://eprint - Shoup
Citation Context: ...nd build collision. In original discussion about hash function based on sequence of games, the advantage of attacks is an average advantage of success; two summaries of that part were given by Victor [52] and Bellare and Rogaway [6]. In paper [52], the author gives some historical remarks about "Hybrid arguments" and sequences of games. Generally, the illustration of advantage is an average of success, mo...

111 | Analysis and Design of Cryptographic Hash Functions - Preneel - 1993
Citation Context: ...probability Pz|M=m0(z0) are very big, the worst condition is that the value equals 1. Then we give a theorem about the graph and conditional probability. The cluster property was discussed in [46, 41]; in this paper, we give a more systematic discussion. Based on the previous discussion, we reanalyse the known hash structures, including M-D construction [31, 18], wide-pipe hash [40], double-pipe hash [4...

108 | On the design of S-boxes - Webster, Tavares - 1986

103 | Black-Box Analysis of the Block-Cipher-Based Hash-Function Constructions from PGV - Black, Rogaway, et al. - 2002

93 | Multicollisions in Iterated Hash Functions. Application to Cascaded Constructions - Joux - 2004
Citation Context: ...ssumed as not a linear transformation, we prefer the key schedule algorithm itself is pseudo random function, which has been discussed in PhD thesis of Rijmen [49]. 6.5 Attacks on F-Hash Multi Collision [27] Suppose the multi collision is possible, for each inner collision H M(mi+1, H M(mi‖...‖m1, x0)) = H M(m′i+1, H M(m′i‖...‖m′1, x0)), i ∈ [1, t], if the inner collision can make true...

75 | Cryptographic hash-function basics: Definitions, implications, and separations for preimage resistance, second-preimage resistance, and collision resistance - Rogaway, Shrimpton - 2004

74 | Merkle-Damgård revisited: How to construct a hash function - Coron, Dodis, et al. - 2005
Citation Context: ...t of row and column from 0, the first row is input value xh and the first column is input value xm, the value of column 1 and row 1 means ˙1 = F(˙0, ˙0). Fig7 is the graph illustration of G˙i, i ∈ [0, 15], ˙i ∈ I4. The compression functions y = F(·, xh) are designed with different properties; to illustrate the different properties of the design principle of the compression function, the first sub-figure G˙0 is F˙...

73 | Separating Random Oracle Proofs from Complexity Theoretic Proofs: The Non-committing Encryption - Nielsen - 2003
Citation Context: ...at a security proof in the random oracle model is only a heuristic indication of the security of the system when instantiated with a particular hash function. In fact, many recent "separation" results [5, 13, 14, 20, 20, 32, 15] illustrated various cryptographic systems secure in the random oracle model but completely insecure for any concrete instantiation of the random oracle. x ←$ Λ means selecting a random value from Λ, ...

58 | A block-cipher mode of operation for parallelizable message authentication - Black, Rogaway

53 | Hash functions based on block ciphers - Lai, Massey
Citation Context: ...n, in true design only a permutation has such property; if the compression function is a permutation then an inverse function exists, and at least the hash will not be immune to a meet-in-the-middle attack on preimage [41]. The best selection of compression function should be a one-way permutation; since a one-way permutation is difficult to build in true design, we always select a one-way function, and if we select a one-way func...

41 | The random oracle methodology - Canetti, Goldreich, et al. - 1985
Citation Context: ...at a security proof in the random oracle model is only a heuristic indication of the security of the system when instantiated with a particular hash function. In fact, many recent "separation" results [5, 13, 14, 20, 20, 32, 15] illustrated various cryptographic systems secure in the random oracle model but completely insecure for any concrete instantiation of the random oracle. x ←$ Λ means selecting a random value from Λ, ...

34 | Decorrelation: a theory for block cipher security - Vaudenay
Citation Context: ...hods, Patarin [33–37] gave the security proof of the Feistel structure. Piret gave a proof for the round function with random permutation [38, 39]; similar conclusions were also given in the papers of Vaudenay [55, 56]. But all the discussions were based on the assumption that the round functions are independent pseudo random functions. In this paper, we make the assumption that there exists a Feistel block cipher in the Black Box Model, t...

28 | Graph Theory, Springer-Verlag - Diestel - 1997
Citation Context: ...ity P˙Z|M=mi(z), where mi = mi‖...‖mi, mi ∈ In of hash function z = H M(mi, x), does not increase when the message length increases. Let G be a directed graph; the notations about graph G are from [19]. The main conclusions of this section are Assumption 1, which implies we can only give the proof that a permutation does not have a cluster, and Theorem 6, which gives the maximum conditional probability ...

27 | How to Break MD5 - Wang, Yu
Citation Context: ...function and most of compression functions were iterated by Merkle-Damgård [18, 31] construction (noted M-D construction in this paper) with constant IV [47]. Since the MD5 and SHA1 were attacked by [9][57][58], more and more attentions had been paid on hash function. 1.1 Introduction Generally, the security proof on hash structure are based on the Random Oracle Model, which make an assumption of compre...

22 | On the random-oracle methodology as applied to length-restricted signature schemes - Canetti, Goldreich, et al. - 2004
Citation Context: ...at a security proof in the random oracle model is only a heuristic indication of the security of the system when instantiated with a particular hash function. In fact, many recent "separation" results [5, 13, 14, 20, 20, 32, 15] illustrated various cryptographic systems secure in the random oracle model but completely insecure for any concrete instantiation of the random oracle. x ←$ Λ means selecting a random value from Λ, ...

21 | Cryptography: A New Dimension in Data Security, John - Meyer, Matyas - 1982

21 | On the Lai-Massey scheme - Vaudenay
Citation Context: ...hods, Patarin [33–37] gave the security proof of the Feistel structure. Piret gave a proof for the round function with random permutation [38, 39]; similar conclusions were also given in the papers of Vaudenay [55, 56]. But all the discussions were based on the assumption that the round functions are independent pseudo random functions. In this paper, we make the assumption that there exists a Feistel block cipher in the Black Box Model, t...

20 | Security of Random Feistel Schemes with 5 or More Rounds - Patarin - 2004

17 | FOX: a new family of block ciphers - Junod, Vaudenay - 2004

16 | Improved Security Analyses for CBC MACs - Bellare, Pietrzak, et al. - 2005
Citation Context: ...cussed similar as F-Hash; since the conditional probability of F-Hash is given, we can give the security proof of the MACs and FBC mode. The security of F2-MAC can also be discussed similar as CBC-MAC [1], and the security of FBC mode is similar to that of CBC mode [3], and prohibits the attack based on fixed IV [3]. More precise discussion and true attacks should be based on the assumption of round funct...

13 | A New MAC Construction ALRED and a Specific Instance - Daemen, Rijmen - 2005
Citation Context: ...are given in Fig8, Fig9, Fig10 and Fig11, respectively. In this paper, the padding is padding zero at end of message, so we don't consider the padding, and the figure is drawn similar as the MAC Alred [17]. Luby and Rackoff [30] introduced a model that permits the assessment of the security of some block cipher constructions, in their discussion, only the high-level structure is considered, while the low...

10 | Recent developments in the design of conventional cryptographic algorithms - Preneel, Rijmen, et al. - 1998
Citation Context: ...duction Most of hash functions are iterated hash function and most of compression functions were iterated by Merkle-Damgård [18, 31] construction (noted M-D construction in this paper) with constant IV [47]. Since the MD5 and SHA1 were attacked by [9][57][58], more and more attentions had been paid on hash function. 1.1 Introduction Generally, the security proof on hash structure are based on the Random...

7 | New Observation on Camellia - Lei, Li, et al. - 2006
Citation Context: ...The most common design of round function with permutation is SPN structure. Using the SP structure in a Feistel structure can result in the linear part being moved into the previous round or the posterior round [29], so we prefer the round function with SPS (SBox-Linear part-SBox) structure. The key schedule algorithm ψ is assumed not to be a linear transformation; we prefer the key schedule algorithm itself to be a pseu...

5 | On the Generic Insecurity - Dodis, Oliveira, et al. - 2005

3 | 3C—A provably secure pseudorandom function and message authentication code: A new mode of operation for cryptographic hash function, Cryptology ePrint archive, Rep - Gauravaram, Millan, et al. - 2005
Citation Context: ...paper, we give a more systematic discussion. Based on the previous discussion, we reanalyse the known hash structures, including M-D construction [31, 18], wide-pipe hash [40], double-pipe hash [40], and 3C [25]; the conclusion is that, if the compression function has the property that there exists xm0 with y = F(xm0, xh) not a permutation, then a cluster may exist in the previous three structured hash functions. But ...

3 | Security of Random Feistel Schemes with 5 or more rounds, Crypto '04, Lecture Notes in Computer Science 3152, pp. 106–122, Springer. A Summary of the security results for Benes and Butterfly schemes. We summarize the security results on Benes and Butterfly - Patarin

3 | Analysis and Design of Cryptographic Hash functions, MAC algorithms and - Rompay - 2004

2 | An Uninstantiable Random-Oracle-Model Scheme for a Hybrid-Encryption Problem - Bellare, Boldyreva, Palacio - 2004

2 | Recent advances in hash functions-the way to go. Presented at - Biham
Citation Context: ...re similar. The design criteria of block ciphers have received much attention and had an interesting framework, and block cipher cryptanalysis techniques were also partially used against hash functions [7, 21]. More and more attention has been paid to whether hash functions can be designed by the same technology as block ciphers, with the same principles and design criteria [7]. 1.2 The Motivation on Security ...

2 | Ongoing Research Areas in Symmetric Cryptography - Consortium - 2005
Citation Context: ...re similar. The design criteria of block ciphers have received much attention and had an interesting framework, and block cipher cryptanalysis techniques were also partially used against hash functions [7, 21]. More and more attention has been paid to whether hash functions can be designed by the same technology as block ciphers, with the same principles and design criteria [7]. 1.2 The Motivation on Security ...

2 | W. Wu: Block Cipher Analysis and Design - Feng

2 | Generic Attacks on Feistel Schemes, Available from the author - Patarin

2 | Revisited: On the Use of Permutations as Inner Functions of a Feistel Scheme, Designs - Piret
Citation Context: ...ower-level operations are replaced by random functions. Using such methods, Patarin [33–37] gave the security proof of the Feistel structure. Piret gave a proof for the round function with random permutation [38, 39]; similar conclusions were also given in the papers of Vaudenay [55, 56]. But all the discussions were based on the assumption that the round functions are independent pseudo random functions. In this paper, we m...

2 | Ciphers: Security - Piret - 2005
Citation Context: ...ower-level operations are replaced by random functions. Using such methods, Patarin [33–37] gave the security proof of the Feistel structure. Piret gave a proof for the round function with random permutation [38, 39]; similar conclusions were also given in the papers of Vaudenay [55, 56]. But all the discussions were based on the assumption that the round functions are independent pseudo random functions. In this paper, we m...

2 | Hash functions based on block ciphers - Preneel, Govaerts, et al. - 1994

2 | D. Feng and H. Yu - Wang - 2005
Citation Context: ...tion and most of compression functions were iterated by Merkle-Damgård [18, 31] construction (noted M-D construction in this paper) with constant IV [47]. Since the MD5 and SHA1 were attacked by [9][57][58], more and more attentions had been paid on hash function. 1.1 Introduction Generally, the security proof on hash structure are based on the Random Oracle Model, which make an assumption of compressio...

1 | Higher Order Universal One-Way - Hong, Preneel, et al. - 2004
Citation Context: ...on: Adv^Inv_F(A) def= Pr[y0 ←$ In; xm, xh ← In : F(xm, ·) = y0] can be given based on games; we also use games to define our objects and to describe our work, which is based on the definition given in [26]. Game(Inv, A, F): y0 ←$ In; A(y0) → (xm, xh); A wins if F(xm, xh) = y0. Definition 1. The definitions about the maximum advantage of A in finding Preimage and Collision of function H and compression f...

1 | Schemes with Six (or More - Patarin - 1998

1 | 7 Rounds are Enough for 2^n(1−ε - Luby-Rackoff

1 | and design of iterated block ciphers, Katholieke Universiteit - Rijmen - 1997
Citation Context: ...tructure. The key schedule algorithm ψ is assumed as not a linear transformation, we prefer the key schedule algorithm itself is pseudo random function, which has been discussed in PhD thesis of Rijmen [49]. 6.5 Attacks on F-Hash Multi Collision [27] Suppose the multi collision is possible, for each inner collision H M(mi+1, H M(mi‖...‖m1, x0)) = H M(m′i+1, H M(m′i‖...‖m′1, x0)), i ∈ [1...