Provably Secure Double-Block-Length Hash Functions in a Black-Box Model
Shoichi Hirose
Graduate School of Informatics, Kyoto University, Kyoto, Japan
hirose@i.kyoto-u.ac.jp

Abstract. In CRYPTO '89, Merkle presented three double-block-length hash functions based on DES. They are optimally collision resistant in a black-box model, that is, the time complexity of any collision-finding algorithm for them is $\Omega(2^{l/2})$ if DES is a random block cipher, where $l$ is the output length. Their drawback is that their rates are low. In this article, new double-block-length hash functions with higher rates are presented which are also optimally collision resistant in the black-box model. They are composed of block ciphers whose key length is twice as large as their block length.

Keywords: double-block-length hash function, black-box model, block cipher

1 Introduction

A cryptographic hash function is a function which maps an input of arbitrary length to an output of fixed length. It is one of the most important primitives in cryptography [14] and should satisfy preimage resistance, second-preimage resistance and collision resistance. Informally, preimage resistance means that, given an output, it is infeasible to obtain an input which produces the output. Second-preimage resistance means that, given an input, it is infeasible to obtain another input which produces the same output as the given input. Collision resistance means that it is infeasible to obtain two different inputs which produce the same output. For simplicity, a cryptographic hash function is called a hash function in this article.

A hash function usually consists of the iteration of a compression function with fixed input/output length and is called an iterated hash function. Compression-function constructions are classified into two types: based on block ciphers and from scratch. The topic of this article is the former. It minimizes design and implementation effort given secure block ciphers. Its major drawback is slow processing speed.
However, this is compensated for by fast block ciphers such as AES. Furthermore, some recent work has pointed out weaknesses of the SHA family [1, 18]. Thus, block-cipher-based hash functions may become more important.

Block-cipher-based hash functions are classified into two categories: single-block-length (SBL) and double-block-length (DBL). An SBL hash function is a hash function whose output length is equal to the block length. The output length of a DBL hash function is twice the block length.

It is well known that the birthday attack can find a collision of a hash function with time complexity $O(2^{l/2})$, where $l$ is the output length of the hash function. The block length of widely used block ciphers is 64 or 128. Thus, SBL hash functions are no longer secure in terms of collision resistance.

For DBL hash functions, many constructions have been presented [4, 7–10, 12, 15]. Among them, three DBL hash functions by Merkle [15] have been shown to be optimally collision resistant in a black-box model: the time complexity of any collision-finding algorithm for them is $\Omega(2^{l/2})$, where $l$ is the output length. However, their rates are at most … and they are not so efficient.

In this article, DBL hash functions are proposed which are more efficient and optimally collision resistant in the black-box model. They can be represented in a simple form. They are of parallel type and their rates are 1/2. They are based on block ciphers whose key length is twice the block length. Thus, they can be constructed with AES or other former AES candidates which support 128-bit blocks and 256-bit keys.

The DBL hash functions proposed in this article consist of two different block ciphers in order to be provably secure. Though this seems to be a drawback, a genuine tweakable block cipher [13] will help to obtain virtually two different block ciphers with different tweaks. Furthermore, it is possible to transform a DBL hash function with two different block ciphers into one with only one block cipher, at a slightly lower rate, by the method used in MDC-2 [4].

Collision resistance as well as preimage resistance of the proposed DBL hash functions is proved in the black-box model. In this model, for the proposed DBL hash functions, second-preimage resistance can be regarded as preimage resistance for the output corresponding to the given input. In the black-box model, a block cipher is assumed to be an invertible keyed random permutation.
This is an ideal but still proper assumption in that most of the attacks on block-cipher-based hash functions do not utilize the internal structure of the block ciphers. The technique in [3] is used in the security proofs in this article. It is assumed in our analysis that the two block ciphers are independent.

The rest of this article is organized as follows. Section 2 includes notations, definitions and related work. In Section 3, provably secure DBL hash functions with rate 1/2 consisting of two block ciphers are presented. Security proofs are also shown. In Section 4, it is described how to construct provably secure DBL hash functions with one block cipher. A concluding remark is given in Section 5.

2 Preliminaries

2.1 Related Work

Preneel, Govaerts and Vandewalle [16] discussed the security of SBL hash functions against several attacks. They considered SBL hash functions with compression functions represented by $h_i = e(k, x) \oplus z$, where $e$ is an $(n, n)$ block cipher, $k, x, z \in \{h_{i-1}, m_i, h_{i-1} \oplus m_i, v\}$ and $v$ is a constant. They concluded that 12 out of $64\ (= 4^3)$ hash functions are secure against the attacks. However, they did not provide any formal proofs.
Black, Rogaway and Shrimpton [3] presented a detailed investigation of the provable security of the SBL hash functions given in [16] in the black-box model. The most important result shown in their paper is that the time complexity of any collision-finding algorithm against 20 hash functions, including the 12 mentioned above, is $\Omega(2^{l/2})$, where $l$ is the output length.

Knudsen, Lai and Preneel [11] discussed the security of DBL hash functions with rate 1 based on $(n, n)$ block ciphers. Hohl, Lai, Meier and Waldvogel [7] discussed the security of compression functions of DBL hash functions with rate 1/2. On the other hand, the security of DBL hash functions with rate 1 based on $(n, 2n)$ block ciphers was discussed by Satoh, Haga and Kurosawa [17] and by Hattori, Hirose and Yoshida [6].

Many schemes with rate less than 1 have also been presented. Merkle [15] presented three DBL hash functions based on DES with rates at most …. They are optimally collision resistant in the black-box model. MDC-2 and MDC-4 [4] are also DBL hash functions based on DES with rates 1/2 and 1/4, respectively. Lai and Massey proposed the tandem/abreast Davies-Meyer schemes [12]. They consist of an $(n, 2n)$ block cipher and their rates are 1/2. It is an open question whether these four schemes are optimally collision resistant or not. Knudsen and Preneel studied schemes to construct secure compression functions with longer outputs from secure ones based on error-correcting codes [8–10]. It is also an open question whether optimally collision resistant compression functions are constructed by their schemes.

Recently, Black, Cochran and Shrimpton [2] showed that it is impossible to construct a highly efficient block-cipher-based hash function provably secure in the black-box model. A block-cipher-based hash function is highly efficient if it makes exactly one block-cipher call for each message block and all block-cipher calls use a single key.
2.2 Cryptographic Hash Functions

A cryptographic hash function $H$ is a function which maps an input of arbitrary length to an output of fixed length. $H$ should satisfy the following properties.

Preimage resistance: For a given output $y$, it is intractable to find an input $x$ such that $y = H(x)$.
Second-preimage resistance: For a given input $x$, it is intractable to find an input $x'$ such that $H(x) = H(x')$ and $x \neq x'$.
Collision resistance: It is intractable to find a pair of inputs $x$ and $x'$ such that $H(x) = H(x')$ and $x \neq x'$.

A hash function $H : \{0,1\}^* \to \{0,1\}^l$ usually consists of a compression function $F : \{0,1\}^l \times \{0,1\}^{l'} \to \{0,1\}^l$ and an initial value $h_0 \in \{0,1\}^l$. An input $m$ is divided into $l'$-bit blocks $m_1, m_2, \dots$. Then $h_i = F(h_{i-1}, m_i)$ is computed successively for $i = 1, 2, \dots$, and the $h_i$ obtained for the last block is $H(m)$. $H$ is called an iterated hash function.
Unambiguous padding is applied to $m$ if its length is not a multiple of $l'$. It is outside the scope of this article and is not described here.

2.3 Block Ciphers and a Black-Box Model

A block cipher with block length $n$ and key length $\kappa$, $e : \{0,1\}^\kappa \times \{0,1\}^n \to \{0,1\}^n$, is called an $(n, \kappa)$ block cipher. An $(n, \kappa)$ block cipher is an invertible keyed permutation: $e(k, \cdot)$ is a permutation for every $k \in \{0,1\}^\kappa$, and it is easy to compute both $e(k, \cdot)$ and $e(k, \cdot)^{-1}$. The set of all $(n, \kappa)$ block ciphers is denoted by $B(n, \kappa)$.

Most of the attacks on hash functions based on block ciphers do not utilize the internal structure of the block ciphers. Thus, the security of hash functions based on block ciphers is often analyzed in a black-box model, that is, under the assumption that $e(k, \cdot)$ is a random invertible permutation for each $k$.

In the black-box model, an encryption $e$ and a decryption $e^{-1}$ can be simulated by the following two oracles. An encryption oracle $e$ returns a randomly selected ciphertext for a query which is a pair of a key and a plaintext. A decryption oracle $e^{-1}$ returns a randomly selected plaintext for a query which is a pair of a key and a ciphertext. The oracles $e$ and $e^{-1}$ share a table of triplets of keys, plaintexts and ciphertexts, $(k_i, x_i, y_i)$'s, which are produced by the queries and the corresponding answers. Referring to the table, they randomly select an answer to a new query under the restriction that $e(k, \cdot)$ is a permutation for every $k$. They also add the triplet produced by the query and the answer to the table.

Without loss of generality, it is assumed that any adversary with the two oracles $e$ and $e^{-1}$ asks only once about a triplet of a key, a plaintext and a ciphertext obtained by a query and the corresponding answer: once the adversary obtains $(k, x, y)$ by a query and its answer, he just keeps it and asks neither $(k, x)$ nor $(k, y)$ afterward.

2.4 DBL Hash Functions

DBL hash functions with two block-cipher calls in their compression functions are discussed in this article.
Let $F$ be a compression function such that $(h_i, g_i) = F(h_{i-1}, g_{i-1}, m_i)$, where $h_i, g_i, m_i \in \{0,1\}^n$ and $n$ is the block length. $F$ consists of $F_L$ and $F_R$ such that

$h_i = F_L(h_{i-1}, g_{i-1}, m_i)$,
$g_i = F_R(h_{i-1}, g_{i-1}, m_i)$.

$h_i$ is not fed into $F_R$, and this kind of compression function is called the parallel type. This type of compression function is considered in this article.

Each of $F_L$ and $F_R$ is composed of a block cipher as follows:

$h_i = e_L(k, x) \oplus z$,
$g_i = e_R(k', x') \oplus z'$,

where $k, x, z$ and $k', x', z'$ are uniquely defined by $h_{i-1}, g_{i-1}, m_i$.

The rate $r$ of a block-cipher-based iterated hash function is defined by

$r = \dfrac{|m_i|}{(\text{number of block-cipher calls in } F) \cdot n}$.

It is a measure of the efficiency of block-cipher-based hash functions.

The major difference between the DBL hash functions previously proposed and the ones proposed in this article should be noticed: $e_L$ and $e_R$ are identical for the former, but are different for the latter.

2.5 Definitions of Security

As has been discussed in this section, the security of DBL hash functions is analyzed in the black-box model. Insecurity is quantified by the success probability of an optimal resource-bounded adversary. In the black-box model, the resource is the number of queries to the encryption and decryption oracles.

For a set $S$, $z \leftarrow_R S$ represents random sampling from $S$ under the uniform distribution. For a probabilistic algorithm $M$, $z \leftarrow_R M(x)$ means that $z$ is an output of $M$ with input $x$, and the output distribution is based on the random choices of $M$ and the input distribution.

Collision Resistance. The following experiment FindColHF($A, H$) is introduced to define the collision resistance of a DBL hash function $H$ with two block ciphers $e_L$ and $e_R$. The adversary $A$ is a collision-finding algorithm for $H$ with oracles $e_L, e_L^{-1}$ and $e_R, e_R^{-1}$. Let $e_P^{\pm 1}$ represent the pair of oracles $e_P$ and $e_P^{-1}$ for $P \in \{L, R\}$.

FindColHF($A, H$)
  $e_L \leftarrow_R B(n, \kappa)$; $e_R \leftarrow_R B(n, \kappa)$;
  $(m, m') \leftarrow_R A^{e_L^{\pm 1}, e_R^{\pm 1}}$;
  if $m \neq m' \wedge H(m) = H(m')$ return 1; else return 0;

FindColHF($A, H$) returns 1 if $A$ finds a collision. Let $\mathrm{Adv}^{\mathrm{coll}}_H(A)$ be the probability that FindColHF($A, H$) returns 1. The probability is taken over the uniform distribution on $B(n, \kappa)$ and the coin tosses of $A$.

Definition 1 (Collision resistance of a hash function). For $q \ge 1$, let
$\mathrm{Adv}^{\mathrm{coll}}_H(q) = \max_A \{\mathrm{Adv}^{\mathrm{coll}}_H(A)\}$,
where $A$ makes at most $q$ queries to each of $e_L^{\pm 1}$ and $e_R^{\pm 1}$.
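As an added example (not code from the paper), the following Python simulates the two oracles of Section 2.3, with the shared table of $(k, x, y)$ triplets and uniform sampling under the permutation restriction, and builds the parallel DBL compression function of Section 2.4 on top of it in the two forms the article analyzes: the rate-1/2 form of Section 3 (two $(n, 2n)$ ciphers, with $k_1, k_2, x, z$ and $k'_1, k'_2, x', z'$ given by $4 \times 3$ matrices over $(h_{i-1}, g_{i-1}, m_i)$) and the one-cipher form of Section 4 (key constants $v \neq v'$). The class and function names, the matrices `L_EXAMPLE` and `LP_EXAMPLE`, the constants `0x01`/`0x02` for $v$/$v'$, the seeded PRNG standing in for $e \leftarrow_R B(n, \kappa)$, and the unpadded sample message are assumptions of the example; the paper leaves padding out of scope, so messages here are already a whole number of blocks.

```python
"""Black-box-model oracles (Section 2.3) and the parallel DBL compression
functions of Sections 3 and 4, simulated in Python.  Example code added to
this transcription, not the paper's own.  Assumptions: n-bit strings are ints,
a seeded PRNG stands in for e <-_R B(n, kappa), and messages are already a
whole number of blocks (padding is out of scope in the paper)."""
import random
from fractions import Fraction


class IdealCipher:
    """A lazily sampled (n, kappa) block cipher: the oracles e and e^{-1}
    share one table of (key, plaintext, ciphertext) triplets and answer a
    new query uniformly among the values that keep e(k, .) a permutation."""

    def __init__(self, n, kappa, seed):
        self.n, self.kappa = n, kappa
        self.rng = random.Random(seed)
        self.enc = {}      # (k, x) -> y
        self.dec = {}      # (k, y) -> x
        self.queries = 0   # distinct triplets produced, i.e. oracle queries

    def _fresh(self, used, k):
        # rejection sampling: draw until the value is unused under key k
        while True:
            v = self.rng.getrandbits(self.n)
            if (k, v) not in used:
                return v

    def _record(self, k, x, y):
        self.enc[(k, x)], self.dec[(k, y)] = y, x
        self.queries += 1

    def e(self, k, x):
        """Encryption oracle: ciphertext for (k, x), sampled if new."""
        assert 0 <= k < (1 << self.kappa) and 0 <= x < (1 << self.n)
        if (k, x) not in self.enc:
            self._record(k, x, self._fresh(self.dec, k))
        return self.enc[(k, x)]

    def d(self, k, y):
        """Decryption oracle e^{-1}: plaintext for (k, y), sampled if new."""
        assert 0 <= k < (1 << self.kappa) and 0 <= y < (1 << self.n)
        if (k, y) not in self.dec:
            self._record(k, self._fresh(self.enc, k), y)
        return self.dec[(k, y)]


def lin(row, inputs):
    """One row of L applied over GF(2): XOR of the inputs the row selects."""
    acc = 0
    for bit, val in zip(row, inputs):
        if bit:
            acc ^= val
    return acc


# Rows are (k1, k2, x, z); columns are (h_{i-1}, g_{i-1}, m_i).  Assumed example
# choice: k1 = g_{i-1}, k2 = m_i, x = z = h_{i-1} for e_L, mirrored for e_R.
L_EXAMPLE = ((0, 1, 0), (0, 0, 1), (1, 0, 0), (1, 0, 0))
LP_EXAMPLE = ((1, 0, 0), (0, 0, 1), (0, 1, 0), (0, 1, 0))


def compress_two_ciphers(eL, eR, L, Lp, h, g, m):
    """Section 3: h_i = e_L(k1||k2, x) ^ z and g_i = e_R(k1'||k2', x') ^ z'."""
    n = eL.n
    inp = (h, g, m)
    k1, k2, x, z = (lin(r, inp) for r in L)
    k1p, k2p, xp, zp = (lin(r, inp) for r in Lp)
    return eL.e((k1 << n) | k2, x) ^ z, eR.e((k1p << n) | k2p, xp) ^ zp


def compress_one_cipher(e, v, vp, lcon, h, g, m):
    """Section 4 with kappa = 2n: one cipher, m_i of n - lcon bits, and the
    lcon-bit constants v != v' in the key select two independent ciphers."""
    n = e.n
    l = n - lcon
    assert v != vp and 0 <= v < (1 << lcon) and 0 <= vp < (1 << lcon)
    assert 0 <= m < (1 << l)
    h_new = e.e((g << n) | (m << lcon) | v, h) ^ h     # key g_{i-1}||m_i||v
    g_new = e.e((h << n) | (m << lcon) | vp, g) ^ g    # key h_{i-1}||m_i||v'
    return h_new, g_new


def iterated_hash(step, blocks, n, h0=(0, 0)):
    """Merkle iteration over message blocks; the 2n-bit digest is h_t || g_t."""
    h, g = h0
    for m in blocks:
        h, g = step(h, g, m)
    return (h << n) | g


def rate(n, block_bits, calls=2):
    """Rate r = |m_i| / (number of block-cipher calls in F * n), Section 2.4."""
    return Fraction(block_bits, calls * n)


def demo(n=128, seed=7):
    """Hash a constructed 3-block message with both constructions."""
    eL, eR = IdealCipher(n, 2 * n, seed), IdealCipher(n, 2 * n, seed + 1)
    two = lambda h, g, m: compress_two_ciphers(eL, eR, L_EXAMPLE, LP_EXAMPLE, h, g, m)
    blocks = [0x0123456789ABCDEF, 0xFEDCBA9876543210, 1]   # constructed input
    digest_two = iterated_hash(two, blocks, n)

    lcon = n // 8                                            # v, v' of n/8 bits
    e = IdealCipher(n, 2 * n, seed + 2)
    one = lambda h, g, m: compress_one_cipher(e, 0x01, 0x02, lcon, h, g, m)
    digest_one = iterated_hash(one, blocks, n)
    return {
        "digest_two": digest_two, "queries_two": (eL.queries, eR.queries),
        "digest_one": digest_one, "queries_one": e.queries,
        "rate_two": rate(n, n), "rate_one": rate(n, n - lcon),
    }
```

Running `demo()` shows the resource the model counts: hashing three blocks costs exactly three queries to each of $e_L^{\pm 1}$ and $e_R^{\pm 1}$ in the two-cipher form, and six queries to the single $e$ in the one-cipher form, whose rate drops from 1/2 to 7/16 when $l_{\mathrm{con}} = n/8$.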
The following experiment FindColCF($A, F, h_0$) is introduced to define the collision resistance of a compression function $F$ with two block ciphers $e_L$ and $e_R$. $h_0$ is the initial value of the iterated hash function of $F$.

FindColCF($A, F, h_0$)
  $e_L \leftarrow_R B(n, \kappa)$; $e_R \leftarrow_R B(n, \kappa)$;
  $((h, m), (h', m')) \leftarrow_R A^{e_L^{\pm 1}, e_R^{\pm 1}}$;
  if $((h, m) \neq (h', m') \wedge F(h, m) = F(h', m')) \vee F(h, m) = h_0$ return 1; else return 0;

FindColCF($A, F, h_0$) returns 1 if $A$ finds a collision of $F$ or a preimage of $h_0$. Let $\mathrm{Adv}^{\mathrm{comp}}_F(A)$ be the probability that FindColCF($A, F, h_0$) returns 1.

Definition 2 (Collision resistance of a compression function). For $q \ge 1$, let
$\mathrm{Adv}^{\mathrm{comp}}_F(q) = \max_A \{\mathrm{Adv}^{\mathrm{comp}}_F(A)\}$,
where $A$ asks at most $q$ queries to each of $e_L^{\pm 1}$ and $e_R^{\pm 1}$.

Preimage Resistance. The following experiment FindPreImg($A, G$) is introduced to define the preimage resistance of $G$ with two block ciphers $e_L$ and $e_R$. $G$ is a hash function or a compression function.

FindPreImg($A, G$)
  $e_L \leftarrow_R B(n, \kappa)$; $e_R \leftarrow_R B(n, \kappa)$;
  $y \leftarrow_R \{0,1\}^l$;
  $x \leftarrow_R A(y)^{e_L^{\pm 1}, e_R^{\pm 1}}$;
  if $G(x) = y$ return 1; else return 0;

FindPreImg($A, G$) returns 1 if $A$ finds a preimage of $G$ for an output $y$ chosen randomly. Let $\mathrm{Adv}^{\mathrm{img}}_G(A)$ be the probability that FindPreImg($A, G$) returns 1.

Definition 3 (Preimage resistance). For $q \ge 1$, let
$\mathrm{Adv}^{\mathrm{img}}_G(q) = \max_A \{\mathrm{Adv}^{\mathrm{img}}_G(A)\}$,
where $A$ makes at most $q$ queries to each of $e_L^{\pm 1}$ and $e_R^{\pm 1}$.

Generally speaking, second-preimage resistance is a stronger security requirement than preimage resistance: a preimage may carry some information about another preimage which produces the same output. However, in the black-box model, for the hash functions and the compression functions considered in the subsequent sections, a preimage has no information useful to find another preimage. Thus, only preimage resistance is discussed in this article.

3 Provably Secure DBL Hash Functions with Two Block Ciphers

In this section, the security of DBL hash functions with the compression functions shown in Fig. 1 is analyzed. Let $F$ be a compression function such that $(h_i, g_i) = F(h_{i-1}, g_{i-1}, m_i)$ and

$h_i = F_L(h_{i-1}, g_{i-1}, m_i)$,
$g_i = F_R(h_{i-1}, g_{i-1}, m_i)$.

Fig. 1. A Diagram of Compression Functions with Two Block Ciphers and with Rate 1/2 (figure omitted; its labels are $h_{i-1}$, $x$, $e_L$, $h_i$, $z$, $k_1$, $k_2$, $k'_1$, $k'_2$, $z'$, $x'$, $e_R$, $g_i$)

$F_L$ and $F_R$ consist of $(n, 2n)$ block ciphers $e_L$ and $e_R$, respectively, and are represented as follows:

$h_i = e_L(k_1 \| k_2, x) \oplus z$,
$g_i = e_R(k'_1 \| k'_2, x') \oplus z'$,

where $\|$ is concatenation and $k_1, k_2, x, z, k'_1, k'_2, x', z' \in \{0,1\}^n$ are represented by linear combinations of $h_{i-1}, g_{i-1}, m_i \in \{0,1\}^n$. Namely,

$(k_1, k_2, x, z)^{\mathrm{T}} = L\,(h_{i-1}, g_{i-1}, m_i)^{\mathrm{T}}$, $\quad (k'_1, k'_2, x', z')^{\mathrm{T}} = L'\,(h_{i-1}, g_{i-1}, m_i)^{\mathrm{T}}$,

and both $L$ and $L'$ are $4 \times 3$ $\{0,1\}$-matrices.

3.1 Collision Resistance

In this subsection, a simple sufficient condition on $L$ and $L'$ is presented for an iterated hash function of $F$ to be collision resistant. The collision resistance of compression functions is focused on in the remaining part. It has been shown in [5, 15] that an iterated hash function is collision resistant if its compression function is. The following lemma states this fact in the black-box model.
Lemma 1. [3] Let $H$ be an iterated hash function of $F$. Then, for $q \ge 1$, $\mathrm{Adv}^{\mathrm{coll}}_H(q) \le \mathrm{Adv}^{\mathrm{comp}}_F(q)$.

First, a notation and a simple lemma are given for later use. For $1 \le r \le 4$, let $L^{(r)}$ and $L'^{(r)}$ denote the $3 \times 3$ $\{0,1\}$-matrices obtained by deleting the $r$-th row of $L$ and $L'$, respectively.

Lemma 2. If both $L^{(3)}$ and $L^{(4)}$ are non-singular, then $z \in \{x,\ x \oplus k_1,\ x \oplus k_2,\ x \oplus k_1 \oplus k_2\}$.

Proof. Since $L^{(4)}$ is non-singular, $z$ can be represented by a linear combination of $x, k_1, k_2$. On the other hand, since $L^{(3)}$ is non-singular, $z$ cannot be represented by any linear combination of $k_1, k_2$ alone. □

A sufficient condition for a compression function to be collision resistant is given in the following lemma.

Lemma 3. Suppose that all of $L^{(3)}, L^{(4)}, L'^{(3)}, L'^{(4)}$ are non-singular. Then, for every $1 \le q \le 2^{n-1} + 1$,
$\mathrm{Adv}^{\mathrm{comp}}_F(q) \le q(q+1)/2^{2n-1}$.

Proof. Let $A$ be a collision-finding algorithm for $F$ with oracles $e_L^{\pm 1}$ and $e_R^{\pm 1}$. $A$ asks $q$ queries to each of $e_L^{\pm 1}$ and $e_R^{\pm 1}$.

Since both $L^{(4)}$ and $L'^{(4)}$ are non-singular and

$(k_1, k_2, x)^{\mathrm{T}} = L^{(4)} (h_{i-1}, g_{i-1}, m_i)^{\mathrm{T}}$, $\quad (k'_1, k'_2, x')^{\mathrm{T}} = L'^{(4)} (h_{i-1}, g_{i-1}, m_i)^{\mathrm{T}}$,

the correspondence between $(k_1, k_2, x)$ and $(k'_1, k'_2, x')$ is one-to-one. Thus, once a pair of an input and an output of $e_L$, $(k_1, k_2, x, y)$, is fixed by $A$'s query to $e_L$ or $e_L^{-1}$ and its reply, an input to $e_R$, $(k'_1, k'_2, x')$, is uniquely determined. Similarly, $A$'s query to $e_R$ or $e_R^{-1}$ and its reply also uniquely determine an input to $e_L$. On the other hand, it is necessary to ask a query to each of $e_L^{\pm 1}$ and $e_R^{\pm 1}$ in order to obtain a pair of an input and an output of $F$. The fact mentioned above implies that the correspondence between a pair of a query and a reply of $e_L^{\pm 1}$ and that of $e_R^{\pm 1}$ is one-to-one. Hence, without loss of generality, it is assumed that $A$ asks a query to an oracle and the corresponding query to the other oracle at the same time.

Since $h_i = e_L(k_1 \| k_2, x) \oplus z = y \oplus z$ and $z \in \{x,\ x \oplus k_1,\ x \oplus k_2,\ x \oplus k_1 \oplus k_2\}$ from Lemma 2, $h_i$ depends both on $x$ and on $y$, and one of $x$ and $y$ is determined randomly by the reply of the oracle. Thus, $h_i$ is randomly determined by the oracle. $g_i$ is also randomly determined by the other oracle.

It is assumed that $z = x$ and $z' = x'$ in the rest of the proof. The proof is similar for the other cases. For every $1 \le j \le q$, let $C_j$ be the event such that

$(x_j \oplus y_j = h_0 \wedge x'_j \oplus y'_j = g_0) \vee \exists j' < j\ (x_j \oplus y_j = x_{j'} \oplus y_{j'} \wedge x'_j \oplus y'_j = x'_{j'} \oplus y'_{j'})$,

where $(x_j, y_j)$ and $(x'_j, y'_j)$ correspond to the pairs of the $j$-th query and its reply of $e_L^{\pm 1}$ and $e_R^{\pm 1}$, respectively. Then,

$\Pr[C_j] \le \dfrac{j}{(2^n - (j-1))^2}$.

Thus, if $q \le 2^{n-1} + 1$, then

$\mathrm{Adv}^{\mathrm{comp}}_F(A) \le \Pr[C_1 \vee \cdots \vee C_q] \le \sum_{j=1}^{q} \Pr[C_j] \le \sum_{j=1}^{q} \dfrac{j}{(2^n - (j-1))^2} \le \sum_{j=1}^{q} \dfrac{j}{(2^n - 2^{n-1})^2} = \dfrac{q(q+1)}{2^{2n-1}}$. □

The following theorem follows immediately from Lemmas 1 and 3.

Theorem 1. Let $H$ be an iterated hash function of $F$. Suppose that all of $L^{(3)}, L^{(4)}, L'^{(3)}, L'^{(4)}$ are non-singular for $F$. Then, $\mathrm{Adv}^{\mathrm{coll}}_H(q) \le q(q+1)/2^{2n-1}$ for every $1 \le q \le 2^{n-1} + 1$.

From this theorem, any constant probability of success in finding a collision implies that $q = \Omega(2^n)$.

There are many compression functions satisfying the condition given in Theorem 1. The number of $L$'s such that $L^{(3)}$ and $L^{(4)}$ are non-singular is 672. Thus, the number of compression functions satisfying the condition in Theorem 1 is $672^2 = 451{,}584$.

3.2 Preimage Resistance

Preimage resistance of the iterated hash functions presented in the previous subsection is discussed here. The following lemma shows the relationship between the preimage resistance of an iterated hash function and that of its compression function. This lemma is also implicit in [19].
Lemma 4. [3] Let $H$ be an iterated hash function of $F$. Then, for $q \ge 1$, $\mathrm{Adv}^{\mathrm{img}}_H(q) \le \mathrm{Adv}^{\mathrm{img}}_F(q)$.

The preimage resistance of the compression functions given in the previous subsection is presented in the following lemma.

Lemma 5. Suppose that all of $L^{(3)}, L^{(4)}, L'^{(3)}, L'^{(4)}$ are non-singular. Then, for every $q \ge 1$,
$\mathrm{Adv}^{\mathrm{img}}_F(q) \le q/(2^n - q)^2$.

Proof. Let $A$ be a preimage-finding algorithm for $F$ with oracles $e_L^{\pm 1}$ and $e_R^{\pm 1}$. $A$ asks $q$ queries to each of $e_L^{\pm 1}$ and $e_R^{\pm 1}$. Let $w$ be the input of $A$ and $w = (w_L, w_R)$, where $w_L, w_R \in \{0,1\}^n$.

It is necessary to ask a query to each of $e_L^{\pm 1}$ and $e_R^{\pm 1}$ in order to obtain a pair of an input and an output of $F$. As in the proof of Lemma 3, the correspondence between a pair of a query and a reply of $e_L^{\pm 1}$ and that of $e_R^{\pm 1}$ is one-to-one. Hence, without loss of generality, it is assumed that $A$ asks a query to an oracle and the corresponding query to the other oracle at the same time.

Since $h_i = y \oplus z$ and $z \in \{x,\ x \oplus k_1,\ x \oplus k_2,\ x \oplus k_1 \oplus k_2\}$ from Lemma 2, $h_i$ depends both on $x$ and on $y$, and one of $x$ and $y$ is determined randomly by the reply of the oracle. Thus, $h_i$ is randomly determined by the oracle. $g_i$ is also randomly determined by the other oracle.

It is assumed that $z = x$ and $z' = x'$ in the rest of the proof. The proof is similar for the other cases. For every $1 \le j \le q$, let $I_j$ be the event such that

$x_j \oplus y_j = w_L \wedge x'_j \oplus y'_j = w_R$,

where $(x_j, y_j)$ and $(x'_j, y'_j)$ correspond to the pairs of the $j$-th query and its reply of $e_L^{\pm 1}$ and $e_R^{\pm 1}$, respectively. Then,

$\Pr[I_j] \le \dfrac{1}{(2^n - (j-1))^2}$.

Thus,

$\mathrm{Adv}^{\mathrm{img}}_F(A) \le \Pr[I_1 \vee \cdots \vee I_q] \le \sum_{j=1}^{q} \Pr[I_j] \le \sum_{j=1}^{q} \dfrac{1}{(2^n - (j-1))^2} \le \dfrac{q}{(2^n - q)^2}$. □
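The hypothesis shared by Lemmas 3 and 5 (non-singular $L^{(3)}$, $L^{(4)}$, $L'^{(3)}$, $L'^{(4)}$), the conclusion of Lemma 2, and the count of 672 matrices from Section 3.1 are small enough to check exhaustively. The Python below does so and evaluates the bounds of Lemmas 3 and 5 exactly; it is an added example, not code from the paper. It assumes the encoding of a $4 \times 3$ $\{0,1\}$-matrix as four rows $(k_1, k_2, x, z)$, each a 3-bit integer whose bits select $h_{i-1}, g_{i-1}, m_i$; all function names are the example's own.

```python
"""Exhaustive check of Lemma 2 and the count of 672 matrices (Section 3.1),
plus the advantage bounds of Lemmas 3 and 5 evaluated exactly.  Example code
added to this transcription, not the paper's own.  A 4x3 {0,1}-matrix is a
tuple of four rows (k1, k2, x, z); each row is a 3-bit int whose bits select
h_{i-1}, g_{i-1}, m_i, so XOR of rows is addition over GF(2)."""
from fractions import Fraction
from itertools import product


def rank_gf2(rows):
    """Rank over GF(2) of bit-vector rows, by elimination on each pivot bit."""
    rows = list(rows)
    rank = 0
    for bit in (4, 2, 1):
        pivot = next((r for r in rows if r & bit), None)
        if pivot is None:
            continue
        rows.remove(pivot)
        rows = [r ^ pivot if r & bit else r for r in rows]
        rank += 1
    return rank


def delete_row(L, r):
    """L^{(r)}: the 3x3 matrix with the r-th row (1-based) deleted."""
    return tuple(row for i, row in enumerate(L, start=1) if i != r)


def nonsingular_3_and_4(L):
    """Hypothesis of Lemmas 3 and 5 for one matrix: L^{(3)}, L^{(4)} non-singular."""
    return rank_gf2(delete_row(L, 3)) == 3 and rank_gf2(delete_row(L, 4)) == 3


def lemma2_conclusion(L):
    """z in {x, x^k1, x^k2, x^k1^k2}, with rows as bit-vectors."""
    k1, k2, x, z = L
    return z in {x, x ^ k1, x ^ k2, x ^ k1 ^ k2}


def count_good_matrices():
    """Over all 2^12 candidate matrices: how many satisfy the hypothesis, and
    whether Lemma 2's conclusion holds for every one of them."""
    good = [L for L in product(range(8), repeat=4) if nonsingular_3_and_4(L)]
    return len(good), all(lemma2_conclusion(L) for L in good)


def count_compression_functions():
    """Theorem 1's condition needs both L and L' to be good: 672^2 choices."""
    good, _ = count_good_matrices()
    return good * good


def collision_bound(q, n):
    """Lemma 3 / Theorem 1: q(q+1)/2^{2n-1}, valid for 1 <= q <= 2^{n-1}+1."""
    assert 1 <= q <= (1 << (n - 1)) + 1
    return Fraction(q * (q + 1), 1 << (2 * n - 1))


def preimage_bound(q, n):
    """Lemma 5: q/(2^n - q)^2 for q >= 1; it says nothing once it exceeds 1."""
    assert 1 <= q < (1 << n)
    return Fraction(q, ((1 << n) - q) ** 2)


def preimage_bound_scaled(c, n):
    """The same bound at q = c * 2^n, rewritten as c / ((1-c)^2 2^n)."""
    c = Fraction(c)
    assert 0 < c < 1
    return c / ((1 - c) ** 2 * (1 << n))


def queries_for_constant_collision_advantage(n, target=Fraction(1, 2)):
    """Smallest q (within Lemma 3's range) at which the collision bound reaches
    `target`, by bisection: below it the success probability is provably
    smaller than `target`, and the value comes out as Theta(2^n)."""
    lo, hi = 1, (1 << (n - 1)) + 1
    if collision_bound(hi, n) < target:
        return None
    while lo < hi:
        mid = (lo + hi) // 2
        if collision_bound(mid, n) >= target:
            hi = mid
        else:
            lo = mid + 1
    return lo
```

`count_good_matrices()` reproduces the 672 of Section 3.1 (42 ordered pairs of independent rows $k_1, k_2$, then 4 choices each for $x$ and $z$ outside their span), and `preimage_bound(64, 8) == preimage_bound_scaled("1/4", 8)` checks the $c \cdot 2^n$ rewriting of the bound.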
The following theorem follows immediately from Lemmas 4 and 5.

Theorem 2. Let $H$ be an iterated hash function of $F$. Suppose that all of $L^{(3)}, L^{(4)}, L'^{(3)}, L'^{(4)}$ are non-singular for $F$. Then, for every $q \ge 1$,
$\mathrm{Adv}^{\mathrm{img}}_H(q) \le \dfrac{q}{(2^n - q)^2}$.

Theorem 2 implies nothing about the preimage resistance for $q \ge 2^n - 2^{n/2} + 1$. It states, however, that the success probability is (asymptotically) negligible as long as $q = c \cdot 2^n$ for any positive constant $c < 1$:
$\mathrm{Adv}^{\mathrm{img}}_H(c \cdot 2^n) \le \dfrac{c}{(1-c)^2\, 2^n}$.
For example, if $c = 1/2$, then $\mathrm{Adv}^{\mathrm{img}}_H(2^{n-1}) \le 1/2^{n-1}$.

4 Provably Secure DBL Hash Functions with One Block Cipher

Let $e$ be an $(n, \kappa)$ block cipher with $n + 2 \le \kappa$. In this section, the security of DBL hash functions with the compression functions shown in Fig. 2 is analyzed. The left-side function is focused on. Let us call it $F$. The compression function $F$ is represented as follows:

$h_i = e(g_{i-1} \| m_i \| v,\ h_{i-1}) \oplus h_{i-1}$,
$g_i = e(h_{i-1} \| m_i \| v',\ g_{i-1}) \oplus g_{i-1}$,

where $m_i \in \{0,1\}^l$ for some $1 \le l < \kappa - n$, and $v$ and $v'$ are constants in $\{0,1\}^{\kappa - n - l}$ such that $v \neq v'$.

Since $v \neq v'$, in the black-box model, $e$ with $v$ and $e$ with $v'$ can be regarded as two independent random block ciphers. Furthermore, there exists a one-to-one correspondence between a pair of an input and an output of $e$ with $v$ and that of $e$ with $v'$. From these observations, it is clear that the following lemma can be proved in the same way as Lemma 3.

Lemma 6. For the compression function $F$, if $1 \le q \le 2^{n-1} + 1$, then $\mathrm{Adv}^{\mathrm{comp}}_F(q) \le q(q+1)/2^{2n-1}$.

The following theorem states the collision resistance of an iterated hash function of $F$. It follows immediately from Lemmas 1 and 6.
Theorem 3. Let $H$ be an iterated hash function of $F$. Then, $\mathrm{Adv}^{\mathrm{coll}}_H(q) \le q(q+1)/2^{2n-1}$ for every $1 \le q \le 2^{n-1} + 1$.

For preimage resistance, similarly, the following theorem is obtained.

Theorem 4. Let $H$ be an iterated hash function of $F$. Then, for $q \ge 1$, $\mathrm{Adv}^{\mathrm{img}}_H(q) \le \dfrac{q}{(2^n - q)^2}$.

In the black-box model, it is sufficient that $v, v' \in \{0,1\}$ and $v \neq v'$. However, in practice, $v, v'$ should be longer in order to avoid weak keys and to increase independence. Suppose that $l_{\mathrm{con}}$ is the length of $v$ or $v'$ and $\kappa = 2n$. Then, the rate of $H$ is $(1 - l_{\mathrm{con}}/n)/2$. For example, the rate is 7/16 if $l_{\mathrm{con}} = n/8$.

The idea that two block ciphers are obtained from one block cipher by fixing a part of the key with different constants is found in the design of MDC-2 [4]. However, the security proof shown above does not seem to apply to MDC-2.

Fig. 2. Compression Functions with One Block Cipher (figure omitted; the left-side and right-side functions each map $h_{i-1}$ through $e$ to $h_i$ and produce $g_i$ with a second call of $e$, with the constants $v$ and $v'$ in the two keys)

5 Conclusion

In this article, DBL hash functions provably secure in the black-box model have been presented. They are based on $(n, 2n)$ block ciphers and can be represented in a simple form. Future work is to explore more efficient DBL hash functions which are optimally collision resistant.

References

1. E. Biham and R. Chen. Near-collisions of SHA-0. Cryptology ePrint Archive, Report 2004/146.
2. J. Black, M. Cochran, and T. Shrimpton. On the impossibility of highly efficient blockcipher-based hash functions. Cryptology ePrint Archive, Report 2004/062.
3. J. Black, P. Rogaway, and T. Shrimpton. Black-box analysis of the block-cipher-based hash-function constructions from PGV. In CRYPTO 2002 Proceedings, Lecture Notes in Computer Science.
4. B. O. Brachtl, D. Coppersmith, M. M. Hyden, S. M. Matyas Jr., C. H. W. Meyer, J. Oseas, S. Pilpel, and M. Schilling. Data authentication using modification detection codes based on a public one-way encryption function. U.S. Patent # 4,908,…, Mar.
5. I. Damgård. A design principle for hash functions. In CRYPTO '89 Proceedings, Lecture Notes in Computer Science.
6. M. Hattori, S. Hirose, and S. Yoshida. Analysis of double block length hash functions. In 9th IMA International Conference on Cryptography and Coding, Lecture Notes in Computer Science.
7. W. Hohl, X. Lai, T. Meier, and C. Waldvogel. Security of iterated hash functions based on block ciphers. In CRYPTO '93 Proceedings, Lecture Notes in Computer Science.
8. L. R. Knudsen and B. Preneel. Hash functions based on block ciphers and quaternary codes. In ASIACRYPT '96 Proceedings, pages 77–90, Lecture Notes in Computer Science.
9. L. R. Knudsen and B. Preneel. Fast and secure hashing based on codes. In CRYPTO '97 Proceedings, Lecture Notes in Computer Science.
10. L. R. Knudsen and B. Preneel. Construction of secure and fast hash functions using nonbinary error-correcting codes. IEEE Transactions on Information Theory, 48(9).
11. L. R. Knudsen, X. Lai, and B. Preneel. Attacks on fast double block length hash functions. Journal of Cryptology, 11(1):59–72.
12. X. Lai and J. L. Massey. Hash function based on block ciphers. In EUROCRYPT '92 Proceedings, pages 55–70, Lecture Notes in Computer Science.
13. M. Liskov, R. L. Rivest, and D. Wagner. Tweakable block ciphers. In CRYPTO 2002 Proceedings, pages 31–46, Lecture Notes in Computer Science.
14. A. J. Menezes, P. C. van Oorschot, and S. A. Vanstone. Handbook of Applied Cryptography. CRC Press.
15. R. C. Merkle. One way hash functions and DES. In CRYPTO '89 Proceedings, Lecture Notes in Computer Science.
16. B. Preneel, R. Govaerts, and J. Vandewalle. Hash functions based on block ciphers: A synthetic approach. In CRYPTO '93 Proceedings, Lecture Notes in Computer Science.
17. T. Satoh, M. Haga, and K. Kurosawa. Towards secure and fast hash functions. IEICE Transactions on Fundamentals, E82-A(1):55–62.
18. X. Wang, D. Feng, X. Lai, and H. Yu. Collisions for hash functions MD4, MD5, HAVAL-128 and RIPEMD. Cryptology ePrint Archive, Report 2004/199.
19. R. S. Winternitz. A secure one-way hash function built from DES. In IEEE Symposium on Security and Privacy, pages 88–90, 1984.
Constrained Keys or Invertible Pseudorandom Functions Dan Boneh, Sam Kim, and David J. Wu Stanord University {dabo,skim13,dwu4}@cs.stanord.edu Abstract A constrained pseudorandom unction (PRF) is a secure
More informationThe Impact of Carries on the Complexity of Collision Attacks on SHA-1
The Impact o Carries on the Complexity o Collision Attacks on SHA-1 Florian Mendel, Norbert Pramstaller, Christian Rechberger and Vincent Rijmen Norbert.Pramstaller@iaik.tugraz.at Institute or Applied
More informationPublic-key Cryptography: Theory and Practice
Public-key Cryptography Theory and Practice Department of Computer Science and Engineering Indian Institute of Technology Kharagpur Appendix A: Symmetric Techniques Block Ciphers A block cipher f of block-size
More informationHash Functions. Ali El Kaafarani. Mathematical Institute Oxford University. 1 of 34
Hash Functions Ali El Kaafarani Mathematical Institute Oxford University 1 of 34 Outline 1 Definition and Notions of Security 2 The Merkle-damgård Transform 3 MAC using Hash Functions 4 Cryptanalysis:
More informationAvoiding collisions Cryptographic hash functions. Table of contents
Avoiding collisions Cryptographic hash functions Foundations of Cryptography Computer Science Department Wellesley College Fall 2016 Table of contents Introduction Davies-Meyer Hashes in Practice Hash
More informationFoundations of Network and Computer Security
Foundations of Network and Computer Security John Black Lecture #6 Sep 8 th 2005 CSCI 6268/TLEN 5831, Fall 2005 Announcements Quiz #1 later today Still some have not signed up for class mailing list Perhaps
More informationDistinguishing Attacks on MAC/HMAC Based on A New Dedicated Compression Function Framework
Distinguishing Attacks on MAC/HMAC Based on A New Dedicated Compression Function Framework Zheng Yuan 1,2,3, Haixia Liu 1, Xiaoqiu Ren 1 1 Beijing Electronic Science and Technology Institute, Beijing 100070,China
More informationREU 2015: Complexity Across Disciplines. Introduction to Cryptography
REU 2015: Complexity Across Disciplines Introduction to Cryptography Symmetric Key Cryptosystems Iterated Block Ciphers Definition Let KS : K K s be a function that produces a set of subkeys k i K, 1 i
More informationCrypto Engineering (GBX9SY03) Hash functions
Crypto Engineering (GBX9SY03) Hash functions Pierre Karpman pierre.karpman@univ-grenoble-alpes.fr https://www-ljk.imag.fr/membres/pierre.karpman/tea.html 2017 10 18 Hash functions 2017 10 18 1/32 First
More informationFoundations of Network and Computer Security
Foundations of Network and Computer Security John Black Lecture #5 Sep 7 th 2004 CSCI 6268/TLEN 5831, Fall 2004 Announcements Please sign up for class mailing list by end of today Quiz #1 will be on Thursday,
More informationOptimal Collision Security in Double Block Length Hashing with Single Length Key
Optimal Collision Security in Double Block Length Hashing with Single Length Key Bart Mennink Dept. Electrical Engineering, EST/COSIC, KU Leuven, and IBBT, Belgium bart.mennink@esat.kuleuven.be bstract.
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2017 Authenticated Encryption Syntax Syntax: Enc: K M à C Dec: K C à M { } Correctness: For all k K, m M, Dec(k, Enc(k,m) ) = m Unforgeability
More information5199/IOC5063 Theory of Cryptology, 2014 Fall
5199/IOC5063 Theory of Cryptology, 2014 Fall Homework 2 Reference Solution 1. This is about the RSA common modulus problem. Consider that two users A and B use the same modulus n = 146171 for the RSA encryption.
More informationDesign Paradigms for Building Multi-Property Hash Functions
Design Paradigms or Building Multi-Property Hash Functions Thomas Ristenpart UCSD Security and Cryptography Lab Lorentz Workshop June, 2008 Multi-property hash unctions One hash unction with many security
More informationMerkle-Damgård Revisited : how to Construct a Hash Function
Merkle-Damgård Revisited : how to Construct a Hash Function Jean-Sébastien Coron 1, Yevgeniy Dodis 2, Cécile Malinaud 3, and Prashant Puniya 2 1 University of Luxembourg coron@clipper.ens.fr 2 New-York
More informationCryptographic Hashes. Yan Huang. Credits: David Evans, CS588
Cryptographic Hashes Yan Huang Credits: David Evans, CS588 Recap: CPA 1. k KeyGen(1 n ). b {0,1}. Give Enc(k, ) to A. 2. A chooses as many plaintexts as he wants, and receives the corresponding ciphertexts
More informationSecurity Reductions of the Second Round SHA-3 Candidates
Security Reductions o the Second Round SHA-3 Candidates Elena Andreeva, Bart Mennink and Bart Preneel Dept. Electrical Engineering, ESAT/COSIC and IBBT Katholieke Universiteit Leuven, Belgium {elena.andreeva,
More informationKnown and Chosen Key Differential Distinguishers for Block Ciphers
1/19 Known and Chosen Key Differential Distinguishers for Block Ciphers Josef Pieprzyk joint work with Ivica Nikolić, Przemys law Soko lowski, and Ron Steinfeld ASK 2011, August 29-31, 2011 2/19 Outline
More information2 n 2 n 2 n/2. Bart Preneel Generic Constructions for Iterated Hash Functions. Generic Constructions for Iterated Hash Functions.
or Iterated Hash Functions or Iterated Hash Functions COSIC Kath. Univ. Leuven, Belgium & ABT Crypto bart.preneel(at)esat.kuleuven.be April 2007 Outline deinitions applications generic attacks attacks
More informationProblem 1. k zero bits. n bits. Block Cipher. Block Cipher. Block Cipher. Block Cipher. removed
Problem 1 n bits k zero bits IV Block Block Block Block removed January 27, 2011 Practical Aspects of Modern Cryptography 2 Problem 1 IV Inverse Inverse Inverse Inverse Missing bits January 27, 2011 Practical
More informationSimple Pseudorandom Number Generator with Strengthened Double Encryption (Cilia)
Simple Pseudorandom Number Generator with Strengthened Double Encryption (Cilia) Henry Ng Henry.Ng.a@gmail.com Abstract. A new cryptographic pseudorandom number generator Cilia is presented. It hashes
More informationIntroduction to the Design and. Cryptanalysis of Cryptographic Hash Functions
Introduction to the Design and Bart Preneel KU Leuven - COSIC irstname.lastname@esat.kuleuven.be Title o Presentation Cryptanalysis o Cryptographic Hash Functions Design and Security o Cryptographic Functions,
More informationIntroduction to Cybersecurity Cryptography (Part 4)
Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message
More informationPreimage Attacks on 3, 4, and 5-Pass HAVAL
Preimage Attacks on 3, 4, and 5-Pass HAVAL Yu Sasaki and Kazumaro Aoki NTT, 3-9-11 Midoricho, Musashino-shi, Tokyo, 180-8585 Japan Abstract. This paper proposes preimage attacks on hash function HAVAL
More informationEME : extending EME to handle arbitrary-length messages with associated data
EME : extending EME to handle arbitrary-length messages with associated data (Preliminiary Draft) Shai Halevi May 18, 2004 Abstract We describe a mode of oepration EME that turns a regular block cipher
More informationQuantum Chosen-Ciphertext Attacks against Feistel Ciphers
Quantum Chosen-Ciphertext Attacks against eistel Ciphers Gembu Ito 1, Akinori Hosoyamada 1,2, Ryutaroh Matsumoto 1,3, Yu Sasaki 2, and Tetsu Iwata 1 1 Nagoya University, Nagoya, Japan g itou@echo.nuee.nagoya-u.ac.jp,
More informationAvoiding collisions Cryptographic hash functions. Table of contents
Avoiding collisions Cryptographic hash functions Foundations of Cryptography Computer Science Department Wellesley College Fall 2016 Table of contents Introduction Collision resistance Birthday attacks
More informationBuilding a Collision-Resistant Compression Function from Non-Compressing Primitives
Building a Collision-Resistant Compression Function from Non-Compressing Primitives Thomas Shrimpton 1 and Martijn Stam 2 1 University of Lugano and Portland State University thomas.shrimpton@unisi.ch
More informationIntroduction to Cybersecurity Cryptography (Part 4)
Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message
More informationMulticollision Attacks on a Class of Hash Functions
Multicollision Attacks on a Class of Hash Functions M. Nandi Applied Statistics Unit Indian Statistical Institute Calcutta, India mridul r@isical.ac.in D. R. Stinson School of Computer Science University
More informationECS 189A Final Cryptography Spring 2011
ECS 127: Cryptography Handout F UC Davis Phillip Rogaway June 9, 2011 ECS 189A Final Cryptography Spring 2011 Hints for success: Good luck on the exam. I don t think it s all that hard (I do believe I
More informationSMASH - A Cryptographic Hash Function
SMASH - A Cryptographic Hash Function Lars R. Knudsen Department of Mathematics, Technical University of Denmark Abstract. 1 This paper presents a new hash function design, which is different from the
More informationLecture 1. Crypto Background
Lecture 1 Crypto Background This lecture Crypto background hash functions random oracle model digital signatures and applications Cryptographic Hash Functions Hash function takes a string of arbitrary
More informationFinding good differential patterns for attacks on SHA-1
Finding good differential patterns for attacks on SHA-1 Krystian Matusiewicz and Josef Pieprzyk Centre for Advanced Computing - Algorithms and Cryptography, Department of Computing, Macquarie University,
More informationCryptanalysis of a Message Authentication Code due to Cary and Venkatesan
Cryptanalysis of a Message Authentication Code due to Cary and Venkatesan Simon R. Blackburn and Kenneth G. Paterson Department of Mathematics Royal Holloway, University of London Egham, Surrey, TW20 0EX,
More informationLimits on the Efficiency of One-Way Permutation-Based Hash Functions
Limits on the Efficiency of One-Way Permutation-Based Hash Functions Jeong Han Kim Daniel R. Simon Prasad Tetali Abstract Naor and Yung show that a one-bit-compressing universal one-way hash function (UOWHF)
More informationOn the Security of Hash Functions Employing Blockcipher Post-processing
On the Security of Hash Functions Employing Blockcipher Post-processing Donghoon Chang 1, Mridul Nandi 2, Moti Yung 3 1 National Institute of Standards and Technology (NIST), USA 2 C R Rao AIMSCS, Hyderabad,
More informationWeaknesses in the HAS-V Compression Function
Weaknesses in the HAS-V Compression Function Florian Mendel and Vincent Rijmen Institute for Applied Information Processing and Communications (IAIK), Graz University of Technology, Inffeldgasse 16a, A-8010
More informationBreaking H 2 -MAC Using Birthday Paradox
Breaking H 2 -MAC Using Birthday Paradox Fanbao Liu 1,2, Tao Xie 1 and Changxiang Shen 2 1 School of Computer, National University of Defense Technology, Changsha, 410073, Hunan, P. R. China 2 School of
More informationBeyond the MD5 Collisions
Beyond the MD5 Collisions Daniel Joščák Daniel.Joscak@i.cz S.ICZ a.s. Hvězdova 1689/2a, 140 00 Prague 4; Faculty of Mathematics and Physics, Charles University, Prague Abstract We summarize results and
More informationRebound Distinguishers: Results on the Full Whirlpool Compression Function
Rebound Distinguishers: Results on the Full Whirlpool Compression Function Mario Lamberger 1, Florian Mendel 1, Christian Rechberger 1, Vincent Rijmen 1,2,3, and Martin Schläffer 1 1 Institute for Applied
More informationHigher Order Universal One-Way Hash Functions
Higher Order Universal One-Way Hash Functions Deukjo Hong 1, Bart Preneel 2, and Sangjin Lee 1 1 Center for Information Security Technologies(CIST), Korea University, Seoul, Korea {hongdj,sangjin}@cist.korea.ac.kr
More informationhold or a eistel cipher. We nevertheless prove that the bound given by Nyberg and Knudsen still holds or any round keys. This stronger result implies
Dierential cryptanalysis o eistel ciphers and dierentially uniorm mappings Anne Canteaut INRIA Projet codes Domaine de Voluceau BP 105 78153 Le Chesnay Cedex rance Abstract In this paper we study the round
More informationSecurity Reductions of the Second Round SHA-3 Candidates
Security Reductions o the Second Round SA-3 Candidates Elena Andreeva, Bart Mennink and Bart Preneel Dept. Electrical Engineering, ESAT/COSIC and IBBT Katholieke Universiteit Leuven, Belgium {elena.andreeva,
More informationNew Proofs for NMAC and HMAC: Security without Collision-Resistance
New Proofs for NMAC and HMAC: Security without Collision-Resistance Mihir Bellare Dept. of Computer Science & Engineering 0404, University of California San Diego 9500 Gilman Drive, La Jolla, CA 92093-0404,
More informationModes of Operations for Wide-Block Encryption
Wide-Block Encryption p. 1/4 Modes of Operations for Wide-Block Encryption Palash Sarkar Indian Statistical Institute, Kolkata Wide-Block Encryption p. 2/4 Structure of Presentation From block cipher to
More informationAdaptive Preimage Resistance and Permutation-based Hash Functions
daptive Preimage Resistance and Permutation-based ash Functions Jooyoung Lee, Je ong Park The ttached Institute of Electronics and Telecommunications Research Institute Yuseong-gu, Daejeon, Korea 305-390
More informationHow (not) to efficiently dither blockcipher-based hash functions?
How (not) to efficiently dither blockcipher-based hash functions? Jean-Philippe Aumasson, Raphael C.-W. Phan FHNW, Switzerland Loughborough University, UK 1 / 29 CONTENT OF THE TALK Dithered hashing Blockcipher-based
More informationAtypical usage of one-way hash functions for data integrityisasfollows. The hash-value corresponding to a particular message M is computed at time t 1
A Fast Cryptographic Hash Function Based on Linear Cellular Automata over GF(q) Miodrag Mihaljevic 1, Yuliang Zheng 2 and Hideki Imai 3 1 Mathematical Institute, Serb. Acad. Sci. & Arts Kneza Mihaila 35,
More informationNotes for Lecture 9. 1 Combining Encryption and Authentication
U.C. Berkeley CS276: Cryptography Handout N9 Luca Trevisan February 17, 2009 Notes for Lecture 9 Notes scribed by Joel Weinberger, posted March 1, 2009 Summary Last time, we showed that combining a CPA-secure
More informationTheImpactofCarriesontheComplexityof Collision Attacks on SHA-1
TheImpactoCarriesontheComplexityo Collision Attacks on SHA-1 Florian Mendel, Norbert Pramstaller, Christian Rechberger, and Vincent Rijmen Institute or Applied Inormation Processing and Communications
More informationSYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1
SYMMETRIC ENCRYPTION Mihir Bellare UCSD 1 Syntax A symmetric encryption scheme SE = (K, E, D) consists of three algorithms: K and E may be randomized, but D must be deterministic. Mihir Bellare UCSD 2
More informationHash Functions. Adam O Neill Based on
Hash Functions Adam O Neill Based on http://cseweb.ucsd.edu/~mihir/cse207/ Where we are We ve seen a lower-level primitive (blockciphers) and a higher-level primitive (symmetric encryption) Where we are
More informationType 1.x Generalized Feistel Structures
Noname manuscript No. (will be inserted by the editor) Type 1.x Generalized eistel Structures Shingo Yanagihara Tetsu Iwata Received: date / Accepted: date Abstract We formalize the Type 1.x Generalized
More informationForgery and Partial Key-Recovery Attacks on HMAC and NMAC Using Hash Collisions
Forgery and Partial Key-Recovery Attacks on HMAC and NMAC Using Hash Collisions Scott Contini 1 and Yiqun Lisa Yin 2 1 Macquarie University, Centre for Advanced Computing ACAC, NSW 2109, Australia scontini@comp.mq.edu.au
More informationStrongly Unforgeable Signatures Based on Computational Diffie-Hellman
Strongly Unforgeable Signatures Based on Computational Diffie-Hellman Dan Boneh 1, Emily Shen 1, and Brent Waters 2 1 Computer Science Department, Stanford University, Stanford, CA {dabo,emily}@cs.stanford.edu
More informationThe Random Oracle Paradigm. Mike Reiter. Random oracle is a formalism to model such uses of hash functions that abound in practical cryptography
1 The Random Oracle Paradigm Mike Reiter Based on Random Oracles are Practical: A Paradigm for Designing Efficient Protocols by M. Bellare and P. Rogaway Random Oracles 2 Random oracle is a formalism to
More informationWeek 12: Hash Functions and MAC
Week 12: Hash Functions and MAC 1. Introduction Hash Functions vs. MAC 2 Hash Functions Any Message M Hash Function Generate a fixed length Fingerprint for an arbitrary length message. No Key involved.
More informationA Composition Theorem for Universal One-Way Hash Functions
A Composition Theorem for Universal One-Way Hash Functions Victor Shoup IBM Zurich Research Lab, Säumerstr. 4, 8803 Rüschlikon, Switzerland sho@zurich.ibm.com Abstract. In this paper we present a new scheme
More informationSecurity without Collision-Resistance
A preliminary version of this paper appears in Advances in Cryptology CRYPTO 06, Lecture Notes in Computer Science Vol. 4117, C. Dwork ed., Springer-Verlag, 2006. This is the full version. New Proofs for
More informationZCZ: Achieving n-bit SPRP Security with a Minimal Number of Tweakable-block-cipher Calls
ZCZ: Achieving n-bit SPRP Security with a Minimal Number of Tweakable-block-cipher Calls Ritam Bhaumik, Indian Statistical Institute, Kolkata Eik List, Bauhaus-Universität Weimar, Weimar Mridul Nandi,
More informationNew Attacks against Standardized MACs
New Attacks against Standardized MACs Antoine Joux 1, Guillaume Poupard 1, and Jacques Stern 2 1 DCSSI Crypto Lab 51 Boulevard de La Tour-Maubourg 75700 Paris 07 SP, France {Antoine.Joux,Guillaume.Poupard}@m4x.org
More informationThe Random Oracle Model and the Ideal Cipher Model are Equivalent
The Random Oracle Model and the Ideal Cipher Model are Equivalent Jean-Sébastien Coron 1, Jacques Patarin 2, and Yannick Seurin 2,3 1 University of Luxembourg 2 University of Versailles 3 Orange Labs Abstract.
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 16 October 30, 2017 CPSC 467, Lecture 16 1/52 Properties of Hash Functions Hash functions do not always look random Relations among
More informationIntroduction to Information Security
Introduction to Information Security Lecture 4: Hash Functions and MAC 2007. 6. Prof. Byoungcheon Lee sultan (at) joongbu. ac. kr Information and Communications University Contents 1. Introduction - Hash
More informationFoundations of Network and Computer Security
Foundations of Network and Computer Security John Black Lecture #4 Sep 2 nd 2004 CSCI 6268/TLEN 5831, Fall 2004 Announcements Please sign up for class mailing list Quiz #1 will be on Thursday, Sep 9 th
More informationProvable-Security Approach begins with [GM82] Classical Approach. Practical Cryptography: Provable Security as a Tool for Protocol Design
Practical Cryptography: Provable Security as a Tool for Protocol Design Phillip Rogaway UC Davis & Chiang Mai Univ rogaway@csucdavisedu http://wwwcsucdavisedu/~rogaway Summer School on Foundations of Internet
More informationNew Results on Boomerang and Rectangle Attacks
New Results on Boomerang and Rectangle Attacks Eli Biham, 1 Orr Dunkelman, 1 Nathan Keller 2 1 Computer Science Department, Technion. Haia 32000, Israel {biham,orrd}@cs.technion.ac.il 2 Mathematics Department,
More informationDesign of Iteration on Hash Functions and its Cryptanalysis
Design of Iteration on Hash Functions and its Cryptanalysis MRIDUL NANDI Applied Statistics Unit Indian Statistical Institute Kolkata - 700108 India. 1 Design of Iteration on Hash Functions and its Cryptanalysis
More information