Results 1 to 10 of 67
Black-box analysis of the block-cipher-based hash-function constructions from PGV
In Advances in Cryptology – CRYPTO ’02, 2002
Cited by 126 (16 self)
Abstract
Preneel, Govaerts, and Vandewalle [6] considered the 64 most basic ways to construct a hash function H: {0,1}^* → {0,1}^n from a block cipher E: {0,1}^n × {0,1}^n → {0,1}^n. They regarded 12 of these 64 schemes as secure, though no proofs or formal claims were given. The remaining 52 schemes were shown to be subject to various attacks. Here we provide a formal and quantitative treatment of the 64 constructions considered by PGV. We prove that, in a black-box model, the 12 schemes that PGV singled out as secure really are secure: we give tight upper and lower bounds on their collision resistance. Furthermore, by stepping outside of the Merkle-Damgård approach to analysis, we show that an additional 8 of the 64 schemes are just as collision resistant (up to a small constant) as the first group of schemes. Nonetheless, we are able to differentiate among the 20 collision-resistant schemes by bounding their security as one-way functions. We suggest that proving black-box bounds, of the style given here, is a feasible and useful step for understanding the security of any block-cipher-based hash-function construction.
The PHOTON Family of Lightweight Hash Functions
CRYPTO, volume 6841 of LNCS, 2011
Cited by 50 (9 self)
Abstract
RFID security is currently one of the major challenges cryptography has to face, often solved by protocols assuming that an on-tag hash function is available. In this article we present the PHOTON lightweight hash-function family, available in many different flavors and suitable for extremely constrained devices such as passive RFID tags. Our proposal uses a sponge-like construction as domain extension algorithm and an AES-like primitive as internal unkeyed permutation. This allows us to obtain the most compact hash function known so far (about 1120 GE for 64-bit collision resistance security), reaching areas very close to the theoretical optimum (derived from the minimal internal state memory size). Moreover, the speed achieved by PHOTON also compares quite favorably to its competitors. This is mostly due to the fact that, unlike for previously proposed schemes, our proposal is very simple to analyze and one can derive tight AES-like bounds on the number of active S-boxes. This kind of AES-like primitive is usually not well suited for ultra-constrained environments, but we describe in this paper a new method for generating the column mixing layer in a serial way, lowering drastically the area required. Finally, we slightly extend the sponge framework in order to offer interesting trade-offs between speed and preimage security for small messages, the classical use-case in hardware.
Quark: A lightweight hash
In Mangard and Standaert [21]
Cited by 39 (0 self)
Abstract
The need for lightweight (that is, compact, low-power, low-energy) cryptographic hash functions has been repeatedly expressed by professionals, notably to implement cryptographic protocols in RFID technology. At the time of writing, however, no algorithm exists that provides satisfactory security and performance. The ongoing SHA-3 Competition will not help, as it concerns general-purpose designs and focuses on software performance. This paper thus proposes a novel design philosophy for lightweight hash functions, based on the sponge construction in order to minimize memory requirements. Inspired by the stream cipher Grain and by the block cipher KATAN (amongst the lightest secure ciphers), we present the hash function family Quark, composed of three instances: u-Quark, d-Quark, and s-Quark. As a sponge construction, Quark can be used for message authentication, stream encryption, or authenticated encryption. Our hardware evaluation shows that Quark compares well to previous tentative lightweight hash functions. For example, our lightest instance u-Quark conjecturally provides at least 64-bit security against all attacks (collisions, multicollisions, distinguishers, etc.), fits in 1379 gate-equivalents, and consumes on average 2.44 µW at 100 kHz in 0.18 µm ASIC. For 112-bit security, we propose s-Quark, which can be implemented with 2296 gate-equivalents with a power consumption of 4.35 µW.
Constructing cryptographic hash functions from fixed-key blockciphers. Full version of this paper
2008
Cited by 26 (5 self)
Abstract
We propose a family of compression functions built from fixed-key blockciphers and investigate their collision and preimage security in the ideal-cipher model. The constructions have security approaching and in many cases equaling the security upper bounds found in previous work of the authors [24]. In particular, we describe a 2n-bit to n-bit compression function using three n-bit permutation calls that has collision security N^0.5, where N = 2^n, and we describe 3n-bit to 2n-bit compression functions using five and six permutation calls and having collision security of at least N^0.55 and N^0.63. Key words: blockcipher-based hashing, collision-resistant hashing, compression functions, cryptographic hash functions, ideal-cipher model.
Careful with composition: Limitations of the indifferentiability framework
EUROCRYPT 2011, volume 6632 of LNCS, 2011
Cited by 20 (1 self)
Abstract
We exhibit a hash-based storage auditing scheme which is provably secure in the random-oracle model (ROM), but easily broken when one instead uses typical indifferentiable hash constructions. This contradicts the widely accepted belief that the indifferentiability composition theorem applies to any cryptosystem. We characterize the uncovered limitation of the indifferentiability framework by showing that the formalizations used thus far implicitly exclude security notions captured by experiments that have multiple, disjoint adversarial stages. Examples include deterministic public-key encryption (PKE), password-based cryptography, hash function non-malleability, key-dependent message security, and more. We formalize a stronger notion, reset indifferentiability, that enables an indifferentiability-style composition theorem covering such multi-stage security notions, but then show that practical hash constructions cannot be reset indifferentiable. We discuss how these limitations also affect the universal composability framework. We finish by showing the chosen-distribution attack security (which requires a multi-stage game) of some important public-key encryption schemes built using a hash construction paradigm introduced by Dodis, Ristenpart, and Shrimpton.
On the indifferentiability of the Grøstl hash function
In SCN ’10, LNCS, 2010
Cited by 19 (6 self)
Abstract
The notion of indifferentiability, introduced by Maurer et al., is an important criterion for the security of hash functions. Concretely, it ensures that a hash function has no structural design flaws and thus guarantees security against generic attacks up to the proven bounds. In this work we prove the indifferentiability of Grøstl, a second round SHA-3 hash function candidate. Grøstl combines characteristics of the wide-pipe and chop-Merkle-Damgård iterations and uses two distinct permutations P and Q internally. Under the assumption that P and Q are random l-bit permutations, where l is the iterated state size of Grøstl, we prove that the advantage of a distinguisher to differentiate Grøstl from a random oracle is upper bounded by O((Kq)^4 / 2^l), where the distinguisher makes at most q queries of length at most K blocks. This result implies that Grøstl behaves like a random oracle up to q = O(2^{n/2}) queries, where n is the output size. Furthermore, we show that the output transformation of Grøstl, as well as ‘Grøstail’ (the composition of the final compression function and the output transformation), are clearly differentiable from a random oracle. This rules out indifferentiability proofs which rely on the idealness of the final state transformation.
G.V.: Permutation-based encryption, authentication and authenticated encryption
2012
Cited by 13 (0 self)
Abstract
While mainstream symmetric cryptography has been dominated by block ciphers, we have proposed an alternative based on fixed-width permutations with modes built on top of the sponge and duplex construction, and our concrete proposal Keccak. Our permutation-based approach is scalable and suitable for high-end CPUs as well as resource-constrained platforms. The latter is illustrated by the small Keccak instances and the sponge functions Quark, Photon and Spongent, all addressing lightweight applications. We have proven that the sponge and duplex construction resist against generic attacks with complexity up to 2^{c/2}, where c is the capacity. This provides a lower bound on the width of the underlying permutation. However, for keyed modes and bounded data complexity, a security strength level above c/2 can be proven. For MAC computation, encryption and even authenticated encryption with a passive adversary, a security strength level of almost c against generic attacks can be attained. This increase in security allows reducing the capacity, leading to a better efficiency. We argue that for keyed modes of the sponge and duplex constructions the requirements on the underlying permutation can be relaxed, allowing to significantly reduce its number of rounds. Finally, we present two generalizations of the sponge and duplex constructions that allow more freedom in tuning the parameters, leading to even higher efficiency. We illustrate our generic constructions with proposals for concrete instantiations calling reduced-round versions of the Keccak-f[1600] and Keccak-f[200] permutations.
Indifferentiability of Permutation-Based Compression Functions and Tree-Based Modes of Operation, with Applications to MD6
Spongent: The design space of lightweight cryptographic hashing. IACR Cryptology ePrint Archive
2011
Cited by 9 (0 self)
Abstract
The design of secure yet efficiently implementable cryptographic algorithms is a fundamental problem of cryptography. Lately, lightweight cryptography – optimizing the algorithms to fit the most constrained environments – has received a great deal of attention, the recent research being mainly focused on building block ciphers. As opposed to that, the design of lightweight hash functions is still far from being well-investigated, with only few proposals in the public domain. In this article, we aim to address this gap by exploring the design space of lightweight hash functions based on the sponge construction instantiated with PRESENT-type permutations. The resulting family of hash functions is called spongent. We propose 13 spongent variants – for different levels of collision and (second) preimage resistance as well as for various implementation constraints. For each of them we provide several ASIC hardware implementations ranging from the lowest area to the highest throughput. We make efforts to address the fairness of comparison with other designs in the field by providing an exhaustive hardware evaluation on various technologies, including an open core library. We also prove essential differential properties of spongent permutations, give a security analysis in terms of collision and preimage resistance, as well as study in detail dedicated linear distinguishers.