On Security Arguments of the Second Round SHA-3 Candidates


Elena Andreeva, Andrey Bogdanov, Bart Mennink, Bart Preneel, Christian Rechberger

March 19, 2012

Abstract. In 2007, the US National Institute for Standards and Technology (NIST) announced a call for the design of a new cryptographic hash algorithm in response to vulnerabilities like differential attacks identified in existing hash functions, such as MD5 and SHA-1. NIST received many submissions, 51 of which got accepted to the first round. 14 candidates were left in the second round, out of which 5 candidates have been recently chosen for the final round. An important criterion in the selection process is the SHA-3 hash function security. We identify two important classes of security arguments for the new designs: (1) the possible reductions of the hash function security to the security of its underlying building blocks, and (2) arguments against differential attacks on building blocks. In this paper, we compare the state of the art provable security reductions for the second round candidates, and review arguments and bounds against classes of differential attacks. We discuss all the SHA-3 candidates at a high functional level, analyze and summarize the security reduction results and bounds against differential attacks. Additionally, we generalize the well-known proof of collision resistance preservation, such that all SHA-3 candidates with a suffix-free padding are covered.

Keywords: SHA-3 competition, hash functions, classification, security reductions, differential attacks

A preliminary version of this paper appeared at ISC 2010 [2].

E. Andreeva, A. Bogdanov, B. Mennink, B. Preneel: Dept. Electrical Engineering, ESAT/COSIC and IBBT, Katholieke Universiteit Leuven, Belgium. E-mail: bart.mennink@esat.kuleuven.be
C. Rechberger: Institut for Matematik, Danmarks Tekniske Universitet, Denmark

1 Introduction

Hash functions serve as a crucial foundation of numerous cryptographic applications, ranging from key derivation functions over various security protocols to digital signatures.
In 2004, a series of differential attacks by Wang et al. [81, 82] have exposed security vulnerabilities in the design of the most widely adopted and deployed SHA-1 hash function. As a result, the US National Institute for Standards and Technology (NIST) recommended the replacement of SHA-1 by the SHA-2 hash function family and announced a call for the design of a new SHA-3 hashing algorithm. The SHA-3 hash function must allow for message digests of length 224, 256, 384 and 512 bits, it should be efficient, and most importantly it should provide an adequate level of security. In the second round, 14 candidate hash functions were considered, 5 candidates remaining in the race for the selection of the SHA-3 hash function in the current third round. As a result of the performed comparative analysis, several classifications of the SHA-3 candidates, mostly focused on hardware performance, appeared in the literature [43, 46, 59, 79]. A classification based on the NIST-specified security criteria is however still due.

NIST Security Requirements. NIST specifies a number of security requirements [70] to be satisfied by the future SHA-3 function: (i) at least one variant of the hash function must securely support MAC and randomized hashing. Furthermore, for all n-bit digest values, the hash function must provide (ii) preimage resistance of approximately n bits, (iii) second preimage resistance of approximately n−L bits, where the first preimage is of length at most 2^L blocks, (iv) collision resistance of approximately n/2 bits, and (v) all variants must be resistant to the length-extension attack. Finally, (vi) for any m ≤ n, the hash function specified by taking a fixed subset of m bits of the function's output is required to satisfy properties (ii)-(v) with n replaced by m.

Our Contribution. In this work we provide a survey of the 14 second round SHA-3 candidates (including the 5 finalists), in which we compare their security reductions, and their resistance against differential attacks. Regarding security reductions, we consider preimage, second preimage and collision resistance (security requirements (ii)-(iv)) for the n = 256 and n = 512 variants. Most of this security analysis is realized in the ideal model, where one or more of the underlying integral building blocks (e.g., the underlying block cipher or permutation(s)) are assumed to be ideal, i.e. random primitives. To argue collision resistance we extend the standard proof of Merkle-Damgård collision resistance [38, 68] to cover all second round SHA-3 candidate hash functions with a suffix-free padding (App. B). Notice that the basic Merkle-Damgård proof does not suffice in the presence of a final transformation and/or a chopping. Additionally, we consider the indifferentiability of the candidates. Informally, indifferentiability guarantees that a design has no structural design flaws [32], and in particular (as formally proven in App. A) an indifferentiability result renders upper bounds on the advantage of finding preimages, second preimages and collisions. The provable security analysis in this contribution extends the findings of Andreeva et al. [2]. Recent substantial progress in the differential attacks against SHA-1 [81] is the main motivation for the SHA-3 competition [29], and many of the first round candidates fell victim to differential attacks as well, due to their well-elaborated and advanced toolbox. Hence we survey known bounds against classes of these attacks. Note that, to the best of current knowledge, informative bounds exist only for a subset of relevant differential properties.
Also only a subset of all second round SHA-3 candidates allow for such bounds by design, which excludes e.g. all ARX-based constructions from the analysis. Therefore, in this work, we will be mainly considering upper bounds on the expected differential trail probability (EDTP) of hash function building blocks such as underlying permutations and block ciphers which are based on substitution-permutation networks. Although EDTP proved to be highly informative in predicting the power of differential cryptanalysis for keyed block ciphers, for most attacks on hash functions all inputs to the function's building blocks are known and can often even be chosen by the adversary. However, at some point in most major attack techniques against hash functions, the adversary cannot control the difference propagation any more and relies on the differential trails, EDTP becoming again a good predictor of the attack complexity. Thus, due to the lack of a better universal evaluation tool with respect to differential attacks on the one hand, and because of the ability of the differential trails to reflect at least some important features of such attacks on the other, we have opted to use upper bounds on EDTP in our comparative analysis.

Section 2 briefly covers the notation, and the basic principles of hash function design. In Sect. 3, we consider all candidates, both from a provable security point of view, and from a cryptanalysis view. We give a high level algorithmic description of each hash function, and discuss the existing security results. All results are summarized in Table 1 and Table 2. We conclude the paper with Sect. 4 and give some final remarks on the security comparison.

2 Preliminaries

For a positive integer value n ∈ N, we denote by Z_2^n the set of bit strings of length n, and by (Z_2^n)^* the set of strings of length a positive multiple of n bits. We denote by Z_2^* the set of bit strings of arbitrary length. If x, y are two bit strings, their concatenation is denoted by x∥y.
By |x| we denote the length of a bit string x, and for m, n ∈ N we denote by ⟨m⟩_n the encoding of m as an n-bit string. The function chop_n(x) chops off the n rightmost bits of a bit string x. Throughout, we use a unified notation for all candidates. The value n denotes the output size of the hash function, l the size of the chaining value, and m the number of message bits compressed in one iteration of the compression function. A padded message is always parsed as a sequence of k ≥ 1 message blocks of length m bits: (M_1, …, M_k).

2.1 Reductionist Security Notions

In this section we investigate the reductionist security of hash functions in the ideal model and the more classical generic security.

Security in the ideal model. In the ideal model, a compressing function F (either on fixed or arbitrary input lengths) that uses one or more underlying building blocks is viewed insecure if there exists a successful information-theoretic adversary that has only query access to the idealized underlying primitives of F. The complexity of the attack is measured by the number of queries q to the primitive made by the adversary. In this work it is clear from the context which of the underlying primitives is assumed to be ideal. The three main security properties required from the SHA-3 hash function are preimage, second preimage and collision resistance. For each of these three notions, with Adv^atk_F, where atk ∈ {pre, sec, col}, we denote the maximum advantage of an adversary to break the function F under the security notion atk. The advantage is the probability function taken over all random choices of the underlying primitives, and the maximum is taken over all adversaries that make at most q queries to their oracles.

Additionally, we consider the indifferentiability of the SHA-3 candidates. The indifferentiability framework introduced by Maurer et al. [67] is an extension of the classical notion of indistinguishability, and ensures that a hash function has no structural defects. We denote the indifferentiability security of a hash function H by Adv^pro_H, maximized over all distinguishers making at most q queries of maximal length K ≥ 0 message blocks to their oracles. We refer to [32] for a formal definition. An indifferentiability bound guarantees security of the hash function against specific attacks. In particular, one can obtain a bound on Adv^atk_H, for any security notion atk: Adv^atk_H ≤ Pr^atk_RO + Adv^pro_H, where Pr^atk_RO denotes the success probability of a generic attack against H under atk. This bound is proven in Thm. 1 (App. A).

Generic security. The generic collision resistance security in the context of this work deals with analyzing the collision resistance of hash functions in the standard model. A hash function H is called generically (t, ε) collision resistant if no adversary running in time at most t can find two different messages M, M' such that H(M) = H(M') with advantage more than ε. We denote by Adv^gcol_H the generic collision resistance security of the function, maximized over all efficient adversaries. We refer the reader to [4, 73, 74] for a more formal discussion. To argue generic collision resistance security of the hash function (as domain extenders of fixed input length compression functions) we use the composition result of Merkle and Damgård [38, 68] and extend it to a wider class of suffix-free hash functions (App. B). This result concludes the collision resistance of the hash function assuming collision resistance security guarantees from the underlying compression functions. We then translate ideal model collision resistance security results on the compression functions via the latter composition to ideal model collision results on the hash function (expressed by Adv^col_H). A generic collision result, generally speaking, applies to a wider class of schemes for which no bounds on the collision resistance security of the underlying compression functions is known, e.g. for BLAKE and BMW.

If a compressing function F outputs a bit string of length n, one expects to find collisions with high probability after approximately 2^{n/2} queries (due to the birthday attack). Similarly, (second) preimages can be found with high probability after approximately 2^n queries (footnote 1). Moreover, finding second preimages is provably harder than finding collisions, and similar for preimages (depending on the specification of F) [74]. Formally, we have Ω(q^2/2^n) = Adv^col_F = O(1), Ω(q/2^n) = Adv^sec_F ≤ Adv^col_F, and Ω(q/2^n) = Adv^pre_F ≤ Adv^col_F + ε, where ε is negligible if F is a variable input length compressing function. In the remainder, we will consider these bounds for granted, and only include security results that improve either of these bounds. A bound is called tight if the lower and upper bound are the same up to a constant factor, and optimal if the bound is tight with respect to the original lower bound.

Footnote 1: Kelsey and Schneier [56] describe a second preimage attack on the Merkle-Damgård hash function that requires at most approximately 2^{n−L} queries, where the first preimage is of length at most 2^L blocks. This attack does, however, not apply to all SHA-3 candidates. In particular, the wide-pipe SHA-3 candidates remain mostly unaffected due to their increased internal state.

2.2 Compression Function Design Strategies

A common way to build compression functions is to base them on a block cipher [25, 72, 77], or on (a limited number of) permutation(s) [24, 75, 76]. Preneel et al. [72] analyzed and categorized 64 block cipher based compression functions. Twelve of them were formally proven secure by Black et al. [25]. These results have been recently generalized by Stam [77]. Interestingly, the latter result implies security bounds for some compression functions that do not fit in the PGV-model, like ECHO, Hamsi and SIMD. In the ideal model, everywhere second preimage resistance of the compression function can be proven similarly to the preimage resistance, up to a constant (the security analysis differs only in that we give the adversary one query for free). Throughout, by PGVx we denote the x-th type compression function of [72]. We note that PGV1, PGV3 and PGV5 are better known as the Matyas-Meyer-Oseas, the Miyaguchi-Preneel and the Davies-Meyer compression functions, respectively. In the context of permutation based compression functions, Black et al. [24] analyzed 2l- to l-bit compression functions based on one l-bit permutation, and proved them insecure. This result has been generalized by Rogaway and Steinberger [75], Stam [76] and Steinberger [78] to compression functions with arbitrary input and output sizes, and an arbitrary number of underlying permutations. Their bounds indicate the number of queries required to find collisions or preimages for permutation based compression functions.

2.3 Hash Function Design Strategies

In order to allow the hashing of arbitrarily long strings, all SHA-3 candidates employ a specific mode of operation. Central to all designs is the iterated hash function principle [62]: on input of an initialization vector IV, the iterated hash

function H based on the compression function f processes a padded message (M_1, …, M_k) as follows: H(IV; M_1, …, M_k) = h_k, where h_0 = IV and h_i = f(h_{i−1}, M_i) for i = 1, …, k. This principle is also called the plain Merkle-Damgård (MD) design [38, 68]. Each of the 14 remaining candidates is based on this design, possibly followed by a final transformation (FT), and/or a chop-function (footnote 2). The padding function pad : Z_2^* → (Z_2^m)^* is an injective mapping that transforms a message of arbitrary length to a message of length a multiple of m bits (the number of message bits compressed in one compression function iteration). Most of the candidates employ a sufficiently strong padding rule (cf. Fig. 2). Additionally, in some of the designs the message blocks are compressed along with specific counters or tweaks, which may strengthen the padding rule. We distinguish between prefix-free and/or suffix-free padding. A padding rule is called suffix-free, if for any distinct M, M', there exists no bit string X such that pad(M') = X ∥ pad(M). The plain MD design with any suffix-free padding (also called MD-strengthening [62]) preserves collision resistance [38, 68]. We generalize this result in Thm. 2 (App. B): informally, this preservation result also holds if the iteration is finalized by a distinct compression function and/or the chop-function. Other security properties, like preimage resistance, are however not preserved in the MD design [4]. It is also proven that the MD design with a suffix-free padding need not necessarily be indifferentiable [32]. However, the MD construction is indifferentiable if it ends with a chopping function or a final transformation, both when the underlying compression function is ideal or when the hash function is based on a PGV compression function [32, 52, 66]. A padding rule is called prefix-free, if for any distinct M, M', there exists no bit string X such that pad(M') = pad(M) ∥ X. It has been proved that the MD design, based on an ideal compression function or ideal PGV construction, with prefix-free padding is indifferentiable from a random oracle [30, 32, 52, 66]. Security notions like collision-resistance are however not preserved in the MD design with prefix-free only padding.

Footnote 2: A function g is a final transformation if it differs from f, and is applied to the final state, possibly with the injection of an additional message block. The chop-function is not considered to be (a part of) a final transformation.

HAIFA design. A concrete design based on the MD principle is the HAIFA construction [21]. In HAIFA the message is padded in a specific way so as to solve some deficiencies of the original MD construction: in the iteration, each message block is accompanied with a fixed (optional) salt of s bits and a (mandatory) counter C_i of t bits. The counter C_i keeps track of the number of message bits hashed so far, and equals 0 by definition if the i-th block does not contain any message bits. Partially due to the properties of this counter, the HAIFA padding rule is suffix- and prefix-free. As a consequence, the construction preserves collision resistance (cf. Thm. 2) and the indifferentiability results of [32] carry over. For the HAIFA design, these indifferentiability results are improved in [19]. Furthermore, the HAIFA construction is proven secure against second preimage attacks if the underlying compression function is assumed to behave like an ideal primitive [27].

Wide-pipe design. In the wide-pipe design [65], the iterated state size is significantly larger than the final hash output: at the end of the iteration, a fraction of the output of a construction is discarded. As proved in [32], the MD construction with a distinct final transformation and/or chopping at the end is indifferentiable from a random oracle.
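The MD iteration with a suffix-free padding, a final transformation and a chop, together with the backward walk behind the collision-resistance preservation argument, as an added example (not code from the paper): toy sizes, a hypothetical weak compression function f and final transformation g built from truncated SHA-256, so that hash collisions can be found by brute force and then traced back to a colliding pair of inputs to f, to g, or to the chop.

```python
import hashlib
import itertools

M_BITS, L_BITS, N_BITS = 8, 16, 12   # toy m, l, n (constructed sizes)
IV = 0x1234                           # constructed initialization vector


def pad_md(msg: bytes) -> list:
    """MD-strengthening, a suffix-free padding: M || 1 || 0* || <|M|>_8.
    Returns the padded message parsed into m-bit blocks (M_1, ..., M_k)."""
    bits = ''.join(f'{b:08b}' for b in msg) + '1'
    bits += '0' * (-(len(bits) + 8) % M_BITS)
    bits += f'{(len(msg) * 8) % 256:08b}'           # 8-bit length field
    return [int(bits[i:i + M_BITS], 2) for i in range(0, len(bits), M_BITS)]


def f(h: int, m: int) -> int:
    """Hypothetical l-bit compression function: truncated SHA-256(h || m).
    It is collision-weak only because l is tiny, which is what we want here."""
    d = hashlib.sha256(h.to_bytes(2, 'big') + m.to_bytes(1, 'big')).digest()
    return int.from_bytes(d[:2], 'big')


def g(h: int) -> int:
    """Hypothetical final transformation, distinct from f (no message input)."""
    d = hashlib.sha256(b'FT' + h.to_bytes(2, 'big')).digest()
    return int.from_bytes(d[:2], 'big')


def chop(h: int) -> int:
    """chop_{l-n}: drop the l-n rightmost bits of the l-bit state."""
    return h >> (L_BITS - N_BITS)


def chain(msg: bytes) -> list:
    """Chaining values h_0 = IV, h_i = f(h_{i-1}, M_i) for i = 1..k."""
    hs = [IV]
    for blk in pad_md(msg):
        hs.append(f(hs[-1], blk))
    return hs


def H(msg: bytes) -> int:
    """The hash: chop-MD with a final transformation, chop(g(h_k))."""
    return chop(g(chain(msg)[-1]))


def reduce_collision(M: bytes, Mp: bytes) -> tuple:
    """Given M != Mp with H(M) == H(Mp), return the component whose inputs
    collide, together with the two distinct colliding inputs:
      ('chop', y, y')         : y != y' but chop(y) == chop(y')
      ('g', h, h')            : h != h' but g(h) == g(h')
      ('f', (h, m), (h', m')) : distinct inputs with f(h, m) == f(h', m')
    This is the backward walk of the Merkle-Damgard proof, extended to g and
    chop; with a suffix-free padding the walk always stops at one of them."""
    assert M != Mp and H(M) == H(Mp)
    hs, hps = chain(M), chain(Mp)
    blks, pblks = pad_md(M), pad_md(Mp)
    y, yp = g(hs[-1]), g(hps[-1])
    if y != yp:
        return ('chop', y, yp)
    if hs[-1] != hps[-1]:
        return ('g', hs[-1], hps[-1])
    # h_k == h'_k': walk back over the aligned last blocks until the inputs
    # to f differ; they must, since otherwise pad(Mp) would be a suffix of
    # pad(M) (or equal to it), contradicting suffix-freeness and M != Mp.
    for i in range(1, min(len(blks), len(pblks)) + 1):
        x, xp = (hs[-i - 1], blks[-i]), (hps[-i - 1], pblks[-i])
        if x != xp:
            return ('f', x, xp)
    raise AssertionError('padding is not suffix-free')


def check_component(kind: str, x, xp) -> bool:
    """Verify that the returned pair really is a collision on that component."""
    if kind == 'chop':
        return x != xp and chop(x) == chop(xp)
    if kind == 'g':
        return x != xp and g(x) == g(xp)
    return x != xp and f(*x) == f(*xp)


def birthday_collision(max_len: int = 2) -> tuple:
    """Brute-force two distinct short messages with equal digests; feasible
    because the toy digest has only n = 12 bits (about 2^(n/2) tries)."""
    seen = {}
    for length in range(1, max_len + 1):
        for tup in itertools.product(range(256), repeat=length):
            msg = bytes(tup)
            d = H(msg)
            if d in seen:
                return seen[d], msg
            seen[d] = msg
    return None


if __name__ == '__main__':
    M, Mp = birthday_collision()
    kind, x, xp = reduce_collision(M, Mp)
    print(M.hex(), Mp.hex(), '->', kind, x, xp, check_component(kind, x, xp))
```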
Sponge functions. We do not explicitly consider sponge functions [16] or their generalization [3] as a specific type of construction: all SHA-3 candidates known to be (sponge-like) functions, CubeHash, Fugue, JH, Keccak and Luffa, can be described in terms of the chop-MD construction (possibly with a final transformation before or instead of the chopping).

2.4 Concrete Security of Hash Functions and Differential Cryptanalysis

All security notions and design approaches mentioned so far substantially assume the underlying primitives of hash functions (such as compression functions, permutations or block ciphers) to behave in an idealized way, where the primitive is randomly drawn from the corresponding class of primitives. However, any practical setting requires the primitives to be efficiently implementable, their representation being compact. As a matter of fact, this does not comply to the random procedure of choice assumed, since it is extremely improbable to select a compactly implementable primitive at random. Thus, once the rule of domain extension has been proven sound assuming the idealness of the underlying primitive, the problem of evaluating the concrete primitive with respect to real-world attacks arises. In this paper, we choose to employ the toolbox of differential cryptanalysis [23] to address the latter problem, particularly because this analysis approach is also responsible for the attacks on MD5 and SHA-1, that are the main motivation for the SHA-3 competition. The security of hash functions with respect to such central requirements as (second) preimage and collision resistance can be reformulated in terms of the input and output differences of the underlying primitives. A large proportion, though not all, of second-round SHA-3 candidates follow design approaches allowing one to efficiently argue the resistance of their primitives (compression functions, permutations, ciphers) to differential cryptanalysis. These are mainly those candidates relying on the substitution-diffusion networks (often similar to AES [44] or even reusing its components) which make proofs of some relevant properties in the domain of differential cryptanalysis possible [34].

Differentials, DP, EDP. Strictly speaking, for some primitive φ mapping to n bits, we do not want the differential probability (DP) of any non-trivial differential over φ to significantly deviate from 2^{−n} (see [35] for a comprehensive statistical study of this parameter for idealized permutations and functions). A differential for primitive φ consists of an input difference and an output difference. Once the parameters of φ are fixed (keys, salts, initial vectors, etc.), one speaks about the differential probability DP as the probability for the differential to hold averaged over all inputs. The expected DP (EDP) is the DP averaged over all sets of parameters for φ.

Differential trails, DTP, EDTP. For most practical constructions, however, it is often impossible to derive any tight (and, thus, informative) upper bounds on DP or even EDP. That is why, to simplify the analysis, one frequently has to revert to differential trails and their probabilities for the evaluation of designs with respect to differential cryptanalysis [23, 34]. A differential can be seen as the set of all difference propagation paths from the input difference to the output difference through intermediate differences corresponding to the iterations of an iterative construction. Each of these paths is called a differential trail. The probability that a differential trail holds is referred to as differential trail probability (DTP).
Similarly to differentials, the expected DTP averaged over all parameters will be denoted as EDTP. For substitution-diffusion networks, a common belief is that keeping the number of active S-boxes (those involved in the difference propagation) high is correlated with lower values of EDTPs and EDPs, which gave rise to the wide trail design strategy [37] and resulted in the successful design of AES [34]. However, formally speaking, the number of active S-boxes and their local DPs do not directly translate to EDP over several rounds of primitives, being only adequate for deriving bounds on single-round EDP. Attempts have been made to compute informative upper bounds on EDP over several rounds of AES: though it has been possible to compute the exact maximum EDP for two rounds of AES [55], the problem persists for 4 rounds [33]. However, one can still prove some upper bounds on EDP over more than two rounds, which has been done e.g. to evaluate the security of SHAvite-3 and ECHO by their respective designers. As applied to SHA-3 candidates, we will talk about EDTP whenever the results deal with more rounds than one could cover by a tight upper bound on EDP. Depending on a concrete hash function among the second round SHA-3 candidates, the respective designers deal with distinct definitions of a differential trail to derive a bound on EDTP for the building blocks. Such definitions range from the S-box level (e.g. Fugue, Grøstl, and JH) to several AES rounds (e.g. ECHO and SHAvite-3). As a rule, going from the S-box level to the level of several rounds results in bounds on EDTP closer to EDP. Throughout the paper, we refer to the upper bounds on EDP and EDTP (attained or not attained) as MEDP and MEDTP, respectively.

3 SHA-3 Hash Function Candidates

In this section, we analyze the security of the 14 remaining SHA-3 candidates in more detail, from a provable security perspective as well as with respect to the security against classes of differential attacks.
Each paragraph contains an informal discussion for each candidate, its reductionist security results, and its security against differential attacks. The mathematical descriptions of the (abstracted) designs are given in Fig. 1, and the candidates' padding functions are summarized in Fig. 2. With respect to the reductionist security, for simplicity we only consider the proposals of the SHA-3 candidates that output digests of 256 or 512 bits. Observe that in many candidate SHA-3 hash function families, the algorithms outputting 224 or 384 bits are the same as the 256- or 512-bit algorithms, except for an additional chopping at the end. Particularly, the results of [32] and Thm. 2 carry over in most of the cases. The same remark applies to requirement (vi) of NIST.

Requirement (i). All designers claim that their proposal can safely be used in MAC mode [12] or for randomized hashing [54], and we do not discuss it here;
Requirements (ii)-(iv). Preimage, second preimage and collision resistance of each hash function are discussed in this section. Additionally, we also consider the indifferentiability of the candidates;
Requirement (v). All hash function candidates are secure against the length extension attack, and thus we do not discuss it further.

The reductionist security results for all current candidate hash functions are summarized in Table 1. With respect to the security against classes of differential attacks, the primitives of all candidate hash functions are analyzed. These security results are summarized in Table 2.

BLAKE: (n,l,m,s,t) ∈ {(256,256,512,128,64), (512,512,1024,256,128)}
  E : Z_2^{2l} × Z_2^m → Z_2^{2l} a block cipher
  L : Z_2^{l+s+t} → Z_2^{2l}, L' : Z_2^{2l} → Z_2^l linear functions
  f(h,M,S,C) = L'(E_M(L(h,S,C))) ⊕ h ⊕ (S∥S)
  BLAKE(M) = h_k, where: (M_1,…,M_k) = pad_1(M); h_0 = IV; S ∈ Z_2^s; (C_i)_{i=1}^k HAIFA-counter; h_i = f(h_{i−1},M_i,S,C_i) for i = 1,…,k

BMW: (n,l,m) ∈ {(256,512,512), (512,1024,1024)}
  E : Z_2^m × Z_2^l → Z_2^m a block cipher
  L : Z_2^{l+m+l} → Z_2^l a compressing function
  f(h,M) = L(h,M,E_h(M)); g(h) = f(IV,h)
  BMW(M) = h, where: (M_1,…,M_k) = pad_2(M); h_0 = IV; h_i = f(h_{i−1},M_i) for i = 1,…,k; h = chop_{l−n}[g(h_k)]

CubeHash: (n,l,m) ∈ {(256,1024,256), (512,1024,256)}
  P : Z_2^l → Z_2^l a permutation
  f(h,M) = P(h ⊕ (M∥0^{l−m})); g(h) = P^{10}(h ⊕ (0^{l−1}∥1))
  CubeHash(M) = h, where: (M_1,…,M_k) = pad_3(M); h_0 = IV; h_i = f(h_{i−1},M_i) for i = 1,…,k; h = chop_{l−n}[g(h_k)]

ECHO: (n,l,m,s,t) ∈ {(256,512,1536,128,64/128), (512,1024,1024,256,64/128)}
  E : Z_2^{2048} × Z_2^{s+t} → Z_2^{2048} a block cipher
  L : Z_2^{2048} → Z_2^l a linear function
  f(h,M,S,C) = L(E_{S,C}(h∥M) ⊕ (h∥M))
  ECHO(M) = h, where: (M_1,…,M_k) = pad_4(M); h_0 = IV; S ∈ Z_2^s; (C_i)_{i=1}^k HAIFA-counter; h_i = f(h_{i−1},M_i,S,C_i) for i = 1,…,k; h = chop_{l−n}[h_k]

Fugue: (n,l,m) ∈ {(256,960,32), (512,1152,32)}
  P, P' : Z_2^l → Z_2^l permutations
  L : Z_2^l × Z_2^m → Z_2^l a linear function
  f(h,M) = P(L(h,M))
  Fugue(M) = h, where: (M_1,…,M_k) = pad_5(M); h_0 = IV; h_i = f(h_{i−1},M_i) for i = 1,…,k; h = chop_{l−n}[P'(h_k)]

Grøstl: (n,l,m) ∈ {(256,512,512), (512,1024,1024)}
  P, Q : Z_2^l → Z_2^l permutations
  f(h,M) = P(h ⊕ M) ⊕ Q(M) ⊕ h; g(h) = P(h) ⊕ h
  Grøstl(M) = h, where: (M_1,…,M_k) = pad_6(M); h_0 = IV; h_i = f(h_{i−1},M_i) for i = 1,…,k; h = chop_{l−n}[g(h_k)]

Hamsi: (n,l,m) ∈ {(256,256,32), (512,512,64)}
  P, P' : Z_2^{2n} → Z_2^{2n} permutations
  Exp : Z_2^m → Z_2^n a linear code
  f(h,M) = h ⊕ chop_n[P(Exp(M)∥h)]; g(h,M) = h ⊕ chop_n[P'(Exp(M)∥h)]
  Hamsi(M) = h, where: (M_1,…,M_k) = pad_7(M); h_0 = IV; h_i = f(h_{i−1},M_i) for i = 1,…,k−1; h = g(h_{k−1},M_k)

JH: (n,l,m) ∈ {(256,1024,512), (512,1024,512)}
  P : Z_2^l → Z_2^l a permutation
  f(h,M) = P(h ⊕ (0^{l−m}∥M)) ⊕ (M∥0^{l−m})
  JH(M) = h, where: (M_1,…,M_k) = pad_8(M); h_0 = IV; h_i = f(h_{i−1},M_i) for i = 1,…,k; h = chop_{l−n}[h_k]

Keccak: (n,l,m) ∈ {(256,1600,1088), (512,1600,576)}
  P : Z_2^l → Z_2^l a permutation
  f(h,M) = P(h ⊕ (M∥0^{l−m}))
  Keccak(M) = h, where: (M_1,…,M_k) = pad_9(M); h_0 = IV; h_i = f(h_{i−1},M_i) for i = 1,…,k; h = chop_{l−n}[h_k]

Luffa: (n,l,m,w) ∈ {(256,768,256,3), (512,1278,256,5)}
  P_i : Z_2^m → Z_2^m (i = 1,…,w) permutations
  L : Z_2^{wm+m} → Z_2^{wm}, L' : Z_2^{wm} → Z_2^m linear functions
  f(h,M) = (P_1(h'_1), …, P_w(h'_w)) where (h'_1,…,h'_w) = L(h,M); g(h) = L'(h) ∥ L'(f(h,0^m))
  Luffa(M) = h, where: (M_1,…,M_k) = pad_10(M); h_0 = IV; h_i = f(h_{i−1},M_i) for i = 1,…,k; h = chop_{512−n}[g(h_k)]

Shabal: (n,l,m) ∈ {(256,1408,512), (512,1408,512)}
  E a block cipher
  f(h,C,M) = (y_1, h_3 − M, y_3), where h ∈ Z_2^l is parsed as h = (h_1,h_2,h_3) ∈ Z_2^{384+m+m} and (y_1,y_3) = E_{M,h_3}(h_1 ⊕ C, h_2 + M)
  Shabal(M) = h, where: (M_1,…,M_k) = pad_11(M); h_0 = IV; h_i = f(h_{i−1},⟨i⟩_64,M_i) for i = 1,…,k; h_{k+i} = f(h_{k+i−1},⟨k⟩_64,M_k) for i = 1,…,3; h = chop_{l−n}[h_{k+3}]

SHAvite-3: (n,l,m,s,t) ∈ {(256,256,512,256,64), (512,512,1024,512,128)}
  E : Z_2^l × Z_2^{m+s+t} → Z_2^l a block cipher
  f(h,M,S,C) = E_{M,S,C}(h) ⊕ h
  SHAvite-3(M) = h_k, where: (M_1,…,M_k) = pad_12(M); h_0 = IV; S ∈ Z_2^s; (C_i)_{i=1}^k HAIFA-counter; h_i = f(h_{i−1},M_i,S,C_i) for i = 1,…,k

SIMD: (n,l,m) ∈ {(256,512,512), (512,1024,1024)}
  E, Ẽ : Z_2^l × Z_2^m → Z_2^l block ciphers
  f(h,M) = L(h, E_M(h ⊕ M)); g(h,M) = L(h, Ẽ_M(h ⊕ M))
  SIMD(M) = h, where: (M_1,…,M_k) = pad_13(M); h_0 = IV; h_i = f(h_{i−1},M_i) for i = 1,…,k−1; h_k = g(h_{k−1},M_k); h = chop_{l−n}[h_k]

Skein: (n,l,m) ∈ {(256,256,256), (512,512,512)}
  E : Z_2^m × Z_2^{128} × Z_2^l → Z_2^m a tweakable block cipher
  f(h,T,M) = E_{h,T}(M) ⊕ M
  Skein(M) = h, where: (M_1,…,M_k) = pad_14(M); h_0 = IV; (T_i)_{i=1}^k round-specific tweaks; h_i = f(h_{i−1},T_i,M_i) for i = 1,…,k; h = chop_{l−n}[h_k]

SHA-2: (n,l,m) ∈ {(256,256,512), (512,512,1024)}
  E : Z_2^l × Z_2^m → Z_2^l a block cipher
  f(h,M) = E_M(h) + h
  SHA-2(M) = h_k, where: (M_1,…,M_k) = pad_15(M); h_0 = IV; h_i = f(h_{i−1},M_i) for i = 1,…,k

Fig. 1 The padding rules employed by the functions are summarized in Fig. 2. In all algorithm descriptions, IV denotes an initialization vector, h denotes state values, M denotes message blocks, S denotes a (fixed) salt, C denotes a counter and T denotes a tweak. The functions L, L', Exp underlying BLAKE, BMW, ECHO, Fugue, Hamsi and Luffa are explained in the corresponding section.

7 On Security Arguments o the Second Round SA-3 Candidates 7 BLAKE : pad 1 M) = M 1 0 M t 2 mod m 1 M t, BMW : pad 2 M) = M 1 0 M 65 mod m M 64, Cubeash : pad 3 M) = M 1 0 M 1 mod m, ECO : pad 4 M) = M 1 0 m 1 M +144 mod m) n 16 M 128, Fugue : pad 5 M) = M 0 M mod m M 64, Grøstl : pad 6 M) = M 1 0 M 65 mod l M + 65)/l 64, amsi : pad 7 M) = M 1 0 M 1 mod m M 64, J : pad 8 M) = M M mod m) M 128, Keccak : pad 9 M) = M 1 0 M 2 mod m 1, Lua : pad 10 M) = M 1 0 M 1 mod m)+256, Shabal : pad 11 M) = M 1 0 M 1 mod m, SAvite-3 : pad 12 M) = M 1 0 M t 17 mod m M t n 16, SIMD : pad 13 M) = M 0 M mod m M m, { Skein : pad 14 M) = M 0 M mod m)+m,where M = M i M 0 mod 8, SA-2 : pad 15 M) = { M 1 0 M 65 mod m M 64, or n = 224,256, M 1 0 M 1 mod 8 otherwise. M 1 0 M 129 mod m M 128, or n = 384,512. Fig. 2 The padding rules o all SA-3 hash unction candidates and SA-2 are summarized. All padding unctions output bit strings parsed as sequences o m-bit blocks, where m is the message block length o the corresponding unction. For the hash unctions BLAKE, ECO, Shabal, SAvite-3 and Skein, the complete padding rule o the corresponding hash unction is additionally deined by a counter or tweak as explained in Sect. 3). Particularly, all hash unctions employ an injective padding rule The BLAKE hash unction [8] is a AIFA construction. The message blocks are accompanied with a AIFAcounter, and more generally, the unction employs a suixand preix-ree padding rule. The compression unction is block cipher based 3. It moreover employs an injective linear unction L, and a linear unction L that XORs the irst and second halves o the input. Reductionist security o BLAKE. The compression unction o BLAKE is proven optimally collision, second preimage and preimage resistant [5]. As the mode o operation o BLAKE is based on the AIFA structure, all security properties regarding this type c. Sect. 2.3) hold [21], provided the compression unction is assumed to be ideal. 
owever, as independently shown by Andreeva et al. [5] and Chang et al. [31], the BLAKE compression unction shows nonrandom behavior: it is dierentiable rom a random compression unction in about 2 n/4 queries, making the abovementioned security properties invalid. Still, Thm. 2 applies to BLAKE, and as a consequence we obtain Adv col =. Additionally, a preimage or BLAKE implies a preimage or its inal transormation, and we obtain Adv pre = Θq/2n ). The hash unction is moreover proven optimally second preimage resistant in the ideal cipher model by Andreeva et al. [5], which gives Adv sec =. Furthermore, the BLAKE hash unction is proven indierentiable rom a random oracle i the underlying block cipher is ideal [5,31]. 3 As observed in [8, Sect. 5], the core part o the compression unction can be seen as a permutation keyed by the message, which we view here as a block cipher. Bounds on DTP or BLAKE. No inormative bounds on DTP are known or BLAKE The Blue Midnight Wish BMW) hash unction [51] is a chop-md construction, with a inal transormation beore chopping. The hash unction employs a suix-ree padding rule. The compression unction is block cipher based 4, and the inal transormation g consists o the same compression unction with the chaining value processed as a message, and with an initial value as chaining input. The compression unction employs a unction L which consists o two compression unctions with speciic properties as speciied in [51]. Reductionist security o BMW. The compression unction o BMW shows similarities with the PGV3 compression unction [25], but no security results are known or this variant. Theorem 2 applies to BMW, where the inal transormation has no message block as input, and as a consequence we obtain Adv col = i is assumed ideal). Additionally, a preimage or BMW implies a preimage or its inal transormation, and we obtain Adv pre = Θq/2n ). 
Furthermore, albeit no indifferentiability proof for the BMW hash function is known, we note that BMW can be seen as a combination of the NMAC- and the chop-construction, both proven indifferentiable from a random oracle [32]. We remark that a distinguisher for the compression function of BMW is derived in [7].

Footnote 4: As observed in [51], the compression function can be seen as a generalized PGV3 construction, where the function $f_0$ of [51] defines the block cipher keyed with the chaining value.
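Whether Thm. 2 applies to a candidate depends only on the string produced by its padding rule in Fig. 2 being suffix-free, while injectivity is what every candidate claims. The following Python is an added example, not code from the paper or from any candidate's reference implementation: it implements three of the Fig. 2 rule shapes at bit level (the length-appended SHA-2/BMW rule, the CubeHash/Shabal rule and the Keccak rule) and exhaustively checks injectivity and block-aligned suffix-freeness on toy parameters m = 8 and an 8-bit length field (assumed here for exhaustive search; the real functions use m = 256 or 512 and t = 64). Only the Fig. 2 string is modelled; the counter that completes Shabal's padding (Sect. 3) is not.

```python
"""Added example: padding rules in the shape of Fig. 2 and an exhaustive
toy check of injectivity (claimed for all candidates) and block-aligned
suffix-freeness (the property Thm. 2 needs). Messages are '0'/'1' strings.
Parameters M, T, MAX_LEN are toy values chosen for exhaustive search, not
the candidates' real block and length-field sizes."""
from itertools import product
from typing import Callable, Dict, Iterator, Optional, Tuple

Pad = Callable[[str], str]


def pad_length_appended(msg: str, m: int, t: int) -> str:
    """M || 1 || 0^{-|M|-t-1 mod m} || <|M|>_t.
    With m = 512, t = 64 this is SHA-224/256 (pad_15) and BMW (pad_2)."""
    length = len(msg)
    if length >= 2 ** t:
        raise ValueError("message too long for the length field")
    zeros = (-length - t - 1) % m
    return msg + "1" + "0" * zeros + format(length, f"0{t}b")


def pad_one_zero(msg: str, m: int) -> str:
    """M || 1 || 0^{-|M|-1 mod m}: CubeHash (pad_3) and the Fig. 2 part of
    Shabal (pad_11); Shabal's counter is not modelled here."""
    return msg + "1" + "0" * ((-len(msg) - 1) % m)


def pad_keccak(msg: str, m: int) -> str:
    """M || 1 || 0^{-|M|-2 mod m} || 1 (pad_9)."""
    return msg + "1" + "0" * ((-len(msg) - 2) % m) + "1"


def all_messages(max_len: int) -> Iterator[str]:
    """Every bit string of length 0..max_len."""
    for length in range(max_len + 1):
        for bits in product("01", repeat=length):
            yield "".join(bits)


def find_collision(pad: Pad, m: int, max_len: int) -> Optional[Tuple[str, str]]:
    """Two distinct messages with equal padding, or None if pad is injective
    on all messages up to max_len bits. Also checks block alignment."""
    seen: Dict[str, str] = {}
    for msg in all_messages(max_len):
        padded = pad(msg)
        if len(padded) % m != 0:
            raise AssertionError(f"pad({msg!r}) is not a multiple of m={m} bits")
        if padded in seen and seen[padded] != msg:
            return seen[padded], msg
        seen[padded] = msg
    return None


def find_suffix_violation(pad: Pad, m: int, max_len: int) -> Optional[Tuple[str, str]]:
    """(M, M') with M != M' and pad(M') = X || pad(M) for some X whose length
    is a positive multiple of m, or None if no such pair exists among
    messages up to max_len bits (block-aligned suffix-freeness)."""
    padded: Dict[str, str] = {pad(msg): msg for msg in all_messages(max_len)}
    for p, msg in padded.items():
        for cut in range(m, len(p), m):
            other = padded.get(p[cut:])
            if other is not None and other != msg:
                return other, msg
    return None


M, T, MAX_LEN = 8, 8, 9  # toy parameters (assumption): 1023 messages in total

RULES: Dict[str, Pad] = {
    "SHA-2/BMW": lambda msg: pad_length_appended(msg, M, T),
    "CubeHash": lambda msg: pad_one_zero(msg, M),
    "Keccak": lambda msg: pad_keccak(msg, M),
}


def property_table() -> Dict[str, Tuple[bool, bool]]:
    """(injective, suffix_free) per rule over the toy message space."""
    return {
        name: (find_collision(pad, M, MAX_LEN) is None,
               find_suffix_violation(pad, M, MAX_LEN) is None)
        for name, pad in RULES.items()
    }


if __name__ == "__main__":
    for name, (injective, suffix_free) in property_table().items():
        print(f"{name:10s} injective={injective} suffix-free={suffix_free}")
    # For the 1||0* rules, prepending a whole block to M leaves pad(M) as a
    # block-aligned suffix of the longer padded string; the length field of
    # the SHA-2/BMW rule rules that out.
    print("CubeHash suffix witness (M, M'):",
          find_suffix_violation(RULES["CubeHash"], M, MAX_LEN))
```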

Bounds on DTP for BMW. No informative bounds on DTP are known for BMW.

The CubeHash hash function [15] is a chop-MD construction, with a final transformation before chopping. The compression function is permutation based, and the final transformation g consists of flipping a certain bit in the state and applying 10 more compression function rounds on zero messages.

Reductionist security of CubeHash. The compression function of CubeHash is based on one permutation (see footnote 5), and collisions and preimages for the compression function can be found in one query to the permutation [24]. The CubeHash hash function is, as a parazoa design, proven indifferentiable from a random oracle if the underlying permutation is assumed to be ideal [3]. Using Thm. 1, this indifferentiability bound additionally renders an optimal collision resistance bound for CubeHash, $\mathrm{Adv}^{\mathrm{col}} = \Theta(q^2/2^n)$, as well as an improved upper bound $O(q/2^n + q^2/2^{l-n})$ on the preimage and second preimage resistance. Note that these bounds are optimal for the $n = 256$ variant.

Bounds on DTP for CubeHash. No informative bounds on DTP are known for CubeHash.

The ECHO hash function [14] is a chop-HAIFA construction. The message blocks are accompanied with a HAIFA-counter, and more generally, the function employs a suffix- and prefix-free padding rule. The compression function is block cipher based (see footnote 6). It moreover employs a linear function L that chops the state in blocks of length l bits, and XORs these.

Reductionist security of ECHO. The compression function of ECHO is a chopped single call Type-I compression function in the categorization of [77]. Therefore, the results of [77, Thm. 15] carry over, yielding optimal security bounds for the compression function. Observe that these results can easily be adjusted to obtain the bound $\mathrm{Adv}^{\mathrm{col}}_{\mathrm{chop} \circ f} = $. ECHO is a combination of HAIFA and chop-MD, but it is unclear whether all HAIFA security properties hold after chopping. Still, Thm. 2 applies to ECHO, and as a consequence we obtain $\mathrm{Adv}^{\mathrm{col}} = $.
Additionally, a preimage for ECHO implies a preimage for its last compression function, and we obtain $\mathrm{Adv}^{\mathrm{pre}} = \Theta(q/2^n)$. Furthermore, the ECHO hash function would be indifferentiable from a random oracle if the underlying compression function is assumed to be ideal, due to the chopping function at the end [32]. However, the compression function of ECHO is easily differentiable from a random oracle [48], and we cannot directly apply the results of [32].

Footnote 5: Effectively, this permutation consists of one simpler permutation executed 16 times iteratively.

Footnote 6: As observed in [14], the core part of the compression function can be seen as a permutation keyed by the salt and counter, which we view here as a block cipher. This cipher is AES-based.

Bounds on DTP for ECHO. The primitive for all versions of ECHO is ECHO.AES with a 2048-bit block size, having 8 and 10 rounds for hash sizes up to 256 and 512 bit, respectively. One underlying function of ECHO.AES is given by the application of two AES rounds. The exact value of the MEDP for two rounds of AES is about . One round of ECHO.AES provides one active function. Two rounds provide an upper bound on the MEDP of about , an equivalent of four active functions. Similarly, the bound on the MEDP over 4 rounds yields an equivalent of 16 active functions. The MEDP for ECHO is considered averaged over salt and counter. Combining the above results, one obtains upper bounds on the differential trail probability over up to 10 rounds, outlined in Table 2. Note that a differential trail in this case is defined as a concatenation of either 1, 2 or 4 rounds of ECHO.AES. Correspondingly, the MEDTP is computed under the consideration of the above MEDP values for 1, 2 or 4 rounds of ECHO.AES.

The Fugue hash function [53] is a chop-MD construction, with a final transformation before chopping. The hash function employs a suffix-free padding rule. The compression function is permutation based, and the final transformation consists of a permutation P' which differs from P in the parametrization.
The compression function employs a linear function L for message injection (TIX of [53]).

Reductionist security of Fugue. The compression function of Fugue is based on one permutation, and collisions and preimages for the compression function can be found in one query to the permutation [24]. As a consequence, the result of Thm. 2 is irrelevant, even though the padding rule of Fugue is suffix-free. The Fugue hash function is, as a parazoa design, proven indifferentiable from a random oracle if the underlying permutations P and P' are assumed to be ideal [3]. Using Thm. 1, this indifferentiability bound additionally renders an optimal collision resistance bound for Fugue, $\mathrm{Adv}^{\mathrm{col}} = \Theta(q^2/2^n)$, as well as an improved upper bound $O(q/2^n + q^2/2^{l-m-n})$ on the preimage and second preimage resistance. Note that these bounds are optimal for the $n = $ variant. We remark that a distinguisher for the final round of Fugue is derived in [9,49].

Bounds on DTP for Fugue. For Fugue a number of arguments against differential attacks exist that are, compared to all other bounds for candidates discussed in this paper, rather different in nature. The main statement for Fugue is a theorem that assumes that the adversary is given a random pair of states satisfying any difference of his choice. It then investigates whether the adversary would be able to find a pair of message inputs that converts these states into a full internal collision after exactly four round transformations. The theorem proves, under some independence assumption, that

the probability that such message inputs exist is bounded by . For a lower number of rounds, the probability will be higher though, while it is not clear how the probability for a higher number of rounds will be.

The Grøstl hash function [50] is a chop-MD construction, with a final transformation before chopping. The hash function employs a suffix-free padding rule. The compression function is permutation based, and the final transformation g is defined as $g(h) = P(h) \oplus h$.

Reductionist security of Grøstl. The compression function of Grøstl is permutation based, and the results of [75, 76] apply. Furthermore, the preimage resistance of the compression function is analyzed in [47], and an upper bound for collision resistance can be obtained easily. As a consequence, we obtain tight security bounds on the compression function, $\mathrm{Adv}^{\mathrm{pre}} = \Theta(q^2/2^l)$ and $\mathrm{Adv}^{\mathrm{col}} = \Theta(q^4/2^l)$. In the ideal model, everywhere second preimage resistance of the compression function can be proven similarly to the preimage resistance, up to a constant (the security analysis differs only in that we give the adversary one query for free). Theorem 2 applies to Grøstl, where the final transformation has no message block as input. Observe that we also have $\mathrm{Adv}^{\mathrm{col}}_{\mathrm{chop} \circ g} = \Theta(q^2/2^n)$, and as a consequence we obtain $\mathrm{Adv}^{\mathrm{col}} = $. Additionally, a preimage for Grøstl implies a preimage for its final transformation, and we obtain $\mathrm{Adv}^{\mathrm{pre}} = \Theta(q/2^n)$. The hash function is moreover proven optimally second preimage resistant in the ideal permutations model [6], which gives $\mathrm{Adv}^{\mathrm{sec}} = \Theta(q/2^{n-L})$, where the first preimage is of length at most $2^L$ blocks. Furthermore, the Grøstl hash function is proven indifferentiable from a random oracle if the underlying permutations are ideal [1].

Bounds on DTP for Grøstl. The compression function of Grøstl is based on two permutations of size 512 for Grøstl-224 and Grøstl-256, and on two permutations of size 1024 for Grøstl-384 and Grøstl-512.
Those permutations are designed according to the wide trail design strategy [37], hence known bounds on the MEDTP carry over as follows. For 2 rounds, at least 9 S-boxes are active; for 4 rounds, at least 81 S-boxes are active. A lower bound on the DP of the employed AES S-box is $2^{-6}$. From this, the 4-round MEDTP is . For the 10-round 512-bit permutation the MEDTP is hence , and for the 14-round 1024-bit permutation the MEDTP is hence .

The Hamsi hash function [60] is an MD construction, with a final transformation before chopping. The hash function employs a suffix-free padding rule. The compression function is permutation based, but the last round is executed with a compression function g based on a permutation P' which differs from P in the parametrization. The compression functions employ a linear code Exp for message injection [60].

Reductionist security of Hamsi. The compression function of Hamsi is a chopped single call Type-I compression function in the categorization of [77]. Therefore, the results of [77, Thm. 15] carry over, yielding optimal security bounds for the compression function. Observe that these bounds also apply to the function g. Theorem 2 applies to Hamsi, and as a consequence we obtain $\mathrm{Adv}^{\mathrm{col}} = $. Additionally, a preimage for Hamsi implies a preimage for its last compression function, and we obtain $\mathrm{Adv}^{\mathrm{pre}} = \Theta(q/2^n)$. Furthermore, the Hamsi hash function is proven indifferentiable from a random oracle if the underlying permutations are ideal [61].

Bounds on DTP for Hamsi. No informative bounds on DTP are known for Hamsi.

The JH hash function [83] is a chop-MD construction. The hash function employs a suffix-free padding rule. The compression function is permutation based.

Reductionist security of JH. The compression function of JH is based on one permutation, and collisions and preimages for the compression function can be found in one query to the permutation [24]. As a consequence, the result of Thm. 2 is irrelevant, even though the padding rule of JH is suffix-free.
The JH hash function is proven optimally collision resistant [63], and proven preimage and second preimage resistant up to the bound $O(q/2^n + q^2/2^{l-m})$ [6]. Furthermore, the JH hash function is proven indifferentiable from a random oracle if the underlying permutation is ideal [20].

Bounds on DTP for JH. The JH permutation consists of 42 rounds of a generalized AES-like structure. Note that the number of rounds has been increased in the 3rd round submission documents for JH. The maximum DP of the 4-bit S-box used is $2^{-2}$. The specification document suggests that 17 rounds of the underlying permutation yield at least 296 active S-boxes. Since no formal treatment of the differential effect has been conducted, we consider the differential trails on the S-box level in this work. So the MEDTP for the $2 \cdot 17 = 34$ rounds is at most , which is also the MEDTP value we take for all 42 rounds, as no lower bounds are provided on the number of active S-boxes for less than 17 rounds.

The Keccak hash function [18] is a chop-MD construction. The compression function is permutation based. The hash function output is obtained by chopping off $l - n$ bits of the state. Notice that the parameters of Keccak satisfy $l = 2n + m$.

Reductionist security of Keccak. The compression function of Keccak is based on one permutation, and collisions and preimages for the compression function can be found in one query to the permutation [24]. The Keccak hash function is proven indifferentiable from a random oracle if the underlying permutation is assumed to be ideal [17]. Using Thm. 1, this indifferentiability bound additionally renders an optimal

collision resistance bound for Keccak, $\mathrm{Adv}^{\mathrm{col}} = $, as well as an optimal preimage and second preimage resistance bound.

Bounds on DTP for Keccak. The Keccak permutation consists of 24 rounds. In [36] a value of $2^{-32}$ is proven for the MEDTP of 3 rounds, $2^{-74}$ for 6 rounds, and  for the full 24 rounds.

The Luffa hash function [39] is a chop-MD construction, with a final transformation before chopping. The compression function is permutation based, and the final transformation g is built on this compression function and a linear function L that chops the state in blocks of length m bits, and XORs these. The compression function employs a linear function L' for message injection (MI of [39]; see footnote 7). Notice that the state size of Luffa satisfies $l = w \cdot m$.

Reductionist security of Luffa. The compression function of Luffa is based on w permutations executed independently. As a consequence, collisions and preimages for the compression function can be found in at most 5 queries to the permutations [24]. The Luffa hash function borrows characteristics from the sponge design and is similar to the parazoa design: if the permutation P consisting of the w permutations $P_i$ is considered ideal, ideas from the indifferentiability proofs of [3,17] may carry over. However, for the case of w different permutations $P_i$ this is not immediately clear. We remark that a distinguisher for the permutation of Luffa is derived in [57].

Bounds on DTP for Luffa. The Luffa permutations consist of 8 rounds. Using an exhaustive search, the designers report a minimal number of active S-boxes for 4 rounds of 31. A lower bound on the DP of the employed AES S-box is $2^{-2}$, hence the MEDTP for the full 8-round permutation is .

The Shabal hash function [28] is a chop-MD construction. The message blocks are accompanied with a counter, and the last block is iterated three times. In particular, the function employs a suffix- and prefix-free padding rule. The compression function is block cipher based. Notice that the parameters of Shabal satisfy $l = m$.
Reductionist security of Shabal. A bound on the collision resistance of the compression function of Shabal is derived in [28]. Concretely, it is proven that the Shabal compression function is collision resistant up to $q = 2^{(l-m)/2}$ queries. Theorem 2 applies to Shabal. Collision and preimage resistance of Shabal are studied in [28], yielding the optimal bounds $\mathrm{Adv}^{\mathrm{pre}} = \Theta(q/2^n)$ and $\mathrm{Adv}^{\mathrm{col}} = $. Furthermore, the same authors prove the Shabal hash function to be indifferentiable from a random oracle if the underlying block cipher is assumed to be ideal [28]. Using Thm. 1, this indifferentiability bound additionally renders an improved upper bound $O(q/2^n + q^2/2^{l-m})$ on the second preimage resistance. Note that this bound is optimal for the $n = 256$ variant. We remark that a distinguisher for the block cipher of Shabal is derived in [10, 11, 58, 71, 80].

Footnote 7: We defined the output transformation in a slightly more complicated but unified way. Essentially, Luffa-256 simply outputs L(h). Observe that we implicitly captured the extra compression function call in the adjusted padding.

Bounds on DTP for Shabal. No informative bounds on DTP are known for Shabal.

The SHAvite-3 hash function [22] is a HAIFA construction. The message blocks are accompanied with a HAIFA-counter, and more generally, the function employs a suffix- and prefix-free padding rule. The compression function is block cipher based.

Reductionist security of SHAvite-3. The compression function of SHAvite-3 is the PGV5 compression function, and the security results of [25] carry over. As a consequence, we obtain optimal security bounds on the compression function. The mode of operation of SHAvite-3 is based on the HAIFA structure, and as a consequence all security properties regarding this type hold [21]. In particular, the design preserves collision resistance, and as a consequence we obtain $\mathrm{Adv}^{\mathrm{col}} = $. Also, the design is secure against second preimage attacks.
Additionally, a preimage for SHAvite-3 implies a preimage for its last compression function, and we obtain $\mathrm{Adv}^{\mathrm{pre}} = \Theta(q/2^n)$. Finally, the SHAvite-3 hash function is indifferentiable from a random oracle if the underlying block cipher is assumed to be ideal, due to the prefix-free padding [32]. This result has been improved under the assumption that the underlying compression function is ideal [19]. However, the compression function of SHAvite-3 is easily differentiable from a random oracle due to the presence of fixed points.

Bounds on DTP for SHAvite-3. The underlying cipher for SHAvite-3-224 and SHAvite-3-256 is $E^{256}$, which operates on two block halves of 128 bit each using the balanced Feistel construction. Every two or three rounds of balanced Feistel add at least one or two active functions, respectively. The differential probability of one function (3 AES rounds) in $E^{256}$ is shown to be upper bounded by $2^{-49}$ [22]. This leads to at least 8 functions active within 12 rounds and a differential trail probability of at most  after 12 rounds of $E^{256}$. While the lower bounds of [22] on the number of differentially active functions appear to be tight for $E^{256}$, this is not the case for $E^{512}$, the block cipher underlying SHAvite-3-384 and SHAvite-3-512, which is based on a 4-line type-II generalized Feistel network structure. One can prove that 2, 3, 4, 5 and 6 rounds of $E^{512}$ yield at least 1, 2, 3, 4 and 6 differentially active functions, respectively. This result combined with the proven upper bound of  on the differential probability of one function (4 AES rounds) [22] gives the upper bound of  on the differential trail probability


Introduction. Outline. CSC/ECE 574 Computer and Network Security. Secret Keys or Secret Algorithms? Secrets? (Cont d) Secret Key Cryptography

Introduction. Outline. CSC/ECE 574 Computer and Network Security. Secret Keys or Secret Algorithms? Secrets? (Cont d) Secret Key Cryptography Outline CSC/ECE 574 Computer and Network Security Introductory Remarks Feistel Cipher DES AES Topic 3.1 Secret Key Cryptography Algorithms CSC/ECE 574 Dr. Peng Ning 1 CSC/ECE 574 Dr. Peng Ning 2 Secret

More information

Analysis of Message Injection in Stream Cipher-based Hash Functions

Analysis of Message Injection in Stream Cipher-based Hash Functions Analysis o Message Injection in Stream Cipher-based Hash Functions Yuto Nakano 1, Carlos Cid 2, Kazuhide Fukushima 1, and Shinsaku Kiyomoto 1 1 KDDI R&D Laboratories Inc. 2 Royal Holloway, University o

More information

Cryptanalysis of Tweaked Versions of SMASH and Reparation

Cryptanalysis of Tweaked Versions of SMASH and Reparation Cryptanalysis of Tweaked Versions of SMASH and Reparation Pierre-Alain Fouque, Jacques Stern, and Sébastien Zimmer CNRS-École normale supérieure-inria Paris, France {Pierre-Alain.Fouque,Jacques.Stern,Sebastien.Zimmer}@ens.fr

More information

TheImpactofCarriesontheComplexityof Collision Attacks on SHA-1

TheImpactofCarriesontheComplexityof Collision Attacks on SHA-1 TheImpactoCarriesontheComplexityo Collision Attacks on SHA-1 Florian Mendel, Norbert Pramstaller, Christian Rechberger, and Vincent Rijmen Institute or Applied Inormation Processing and Communications

More information

CPSC 467: Cryptography and Computer Security

CPSC 467: Cryptography and Computer Security CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 16 October 30, 2017 CPSC 467, Lecture 16 1/52 Properties of Hash Functions Hash functions do not always look random Relations among

More information

Cryptographic Hash Functions

Cryptographic Hash Functions Cryptographic Hash Functions Çetin Kaya Koç koc@ece.orst.edu Electrical & Computer Engineering Oregon State University Corvallis, Oregon 97331 Technical Report December 9, 2002 Version 1.5 1 1 Introduction

More information

Higher Order Universal One-Way Hash Functions

Higher Order Universal One-Way Hash Functions Higher Order Universal One-Way Hash Functions Deukjo Hong 1, Bart Preneel 2, and Sangjin Lee 1 1 Center for Information Security Technologies(CIST), Korea University, Seoul, Korea {hongdj,sangjin}@cist.korea.ac.kr

More information

Improved characteristics for differential cryptanalysis of hash functions based on block ciphers

Improved characteristics for differential cryptanalysis of hash functions based on block ciphers 1 Improved characteristics for differential cryptanalysis of hash functions based on block ciphers Vincent Rijmen Bart Preneel Katholieke Universiteit Leuven ESAT-COSIC K. Mercierlaan 94, B-3001 Heverlee,

More information

Collapsing sponges: Post-quantum security of the sponge construction

Collapsing sponges: Post-quantum security of the sponge construction Collapsing sponges: Post-quantum security of the sponge construction Dominique Unruh University of Tartu March 27, 2017 Abstract We investigate the post-quantum security of hash functions based on the

More information

Low-weight Pseudo Collision Attack on Shabal and Preimage Attack on Reduced Shabal-512

Low-weight Pseudo Collision Attack on Shabal and Preimage Attack on Reduced Shabal-512 Low-weight Pseudo Collision Attack on Shabal and Preimage Attack on Reduced Shabal-512 Takanori Isobe and Taizo Shirai Sony Corporation 1-7-1 Konan, Minato-ku, Tokyo 108-0075, Japan {Takanori.Isobe,Taizo.Shirai}@jp.sony.com

More information

Introduction to Cryptography

Introduction to Cryptography B504 / I538: Introduction to Cryptography Spring 2017 Lecture 12 Recall: MAC existential forgery game 1 n Challenger (C) k Gen(1 n ) Forger (A) 1 n m 1 m 1 M {m} t 1 MAC k (m 1 ) t 1 m 2 m 2 M {m} t 2

More information

Indifferentiable Security Analysis of Popular Hash Functions with Prefix-free Padding

Indifferentiable Security Analysis of Popular Hash Functions with Prefix-free Padding Indifferentiable Security Analysis of Popular Hash Functions with Prefix-free Padding Donghoon Chang 1, Sangjin Lee 1, Mridul Nandi 2, and Moti Yung 3 1 Center for Information Security Technologies(CIST),

More information

Contributions to Cryptanalysis: Design and Analysis of Cryptographic Hash Functions

Contributions to Cryptanalysis: Design and Analysis of Cryptographic Hash Functions Contributions to Cryptanalysis: Design and Analysis of Cryptographic Hash Functions By Przemys law Szczepan Soko lowski A thesis submitted to Macquarie University for the degree of Doctor of Philosophy

More information

Building Quantum-One-Way Functions from Block Ciphers: Davies-Meyer and Merkle-Damgård Constructions

Building Quantum-One-Way Functions from Block Ciphers: Davies-Meyer and Merkle-Damgård Constructions Building Quantum-One-Way Functions from Block Ciphers: Davies-Meyer and Merkle-Damgård Constructions Akinori Hosoyamada and Kan Yasuda NTT Secure Platform Laboratories, 3-9-, Midori-cho Musashino-shi,

More information

CS 361 Meeting 28 11/14/18

CS 361 Meeting 28 11/14/18 CS 361 Meeting 28 11/14/18 Announcements 1. Homework 9 due Friday Computation Histories 1. Some very interesting proos o undecidability rely on the technique o constructing a language that describes the

More information

Breaking H 2 -MAC Using Birthday Paradox

Breaking H 2 -MAC Using Birthday Paradox Breaking H 2 -MAC Using Birthday Paradox Fanbao Liu 1,2, Tao Xie 1 and Changxiang Shen 2 1 School of Computer, National University of Defense Technology, Changsha, 410073, Hunan, P. R. China 2 School of

More information

Improved Collision Attacks on the Reduced-Round Grøstl Hash Function

Improved Collision Attacks on the Reduced-Round Grøstl Hash Function Improved Collision Attacks on the Reduced-Round Grøstl Hash Function Kota Ideguchi 1,3, Elmar Tischhauser 1,2,, and Bart Preneel 1,2 1 Katholieke Universiteit Leuven, ESAT-COSIC and 2 IBBT Kasteelpark

More information

VALUATIVE CRITERIA FOR SEPARATED AND PROPER MORPHISMS

VALUATIVE CRITERIA FOR SEPARATED AND PROPER MORPHISMS VALUATIVE CRITERIA FOR SEPARATED AND PROPER MORPHISMS BRIAN OSSERMAN Recall that or prevarieties, we had criteria or being a variety or or being complete in terms o existence and uniqueness o limits, where

More information

Keccak sponge function family main document

Keccak sponge function family main document Keccak sponge function family main document Guido Bertoni 1 Joan Daemen 1 Michaël Peeters 2 Gilles Van Assche 1 http://keccak.noekeon.org/ Version 1.1 January 9, 2009 1 STMicroelectronics 2 NXP Semiconductors

More information

ECS 189A Final Cryptography Spring 2011

ECS 189A Final Cryptography Spring 2011 ECS 127: Cryptography Handout F UC Davis Phillip Rogaway June 9, 2011 ECS 189A Final Cryptography Spring 2011 Hints for success: Good luck on the exam. I don t think it s all that hard (I do believe I

More information

AURORA: A Cryptographic Hash Algorithm Family

AURORA: A Cryptographic Hash Algorithm Family AURORA: A Cryptographic Hash Algorithm Family Submitters: Sony Corporation 1 and Nagoya University 2 Algorithm Designers: Tetsu Iwata 2, Kyoji Shibutani 1, Taizo Shirai 1, Shiho Moriai 1, Toru Akishita

More information

Title of Presentation

Title of Presentation The First 30 Years of Cryptographic Hash Functions and the NIST SHA-3 Competition Title of Presentation Bart Preneel COSIC/Kath. Univ. Leuven (Belgium) Session ID: CRYP-202 Session Classification: Hash

More information

A survey on quantum-secure cryptographic systems

A survey on quantum-secure cryptographic systems A survey on quantum-secure cryptographic systems Tomoka Kan May 24, 2018 1 Abstract Post-quantum cryptography refers to the search for classical cryptosystems which remain secure in the presence of a quantum

More information

Limits on the Efficiency of One-Way Permutation-Based Hash Functions

Limits on the Efficiency of One-Way Permutation-Based Hash Functions Limits on the Efficiency of One-Way Permutation-Based Hash Functions Jeong Han Kim Daniel R. Simon Prasad Tetali Abstract Naor and Yung show that a one-bit-compressing universal one-way hash function (UOWHF)

More information

The Ideal-Cipher Model, Revisited: An Uninstantiable Blockcipher-Based Hash Function

The Ideal-Cipher Model, Revisited: An Uninstantiable Blockcipher-Based Hash Function The Ideal-Cipher Model, Revisited: An Uninstantiable Blockcipher-Based Hash Function J. Black July 1, 2005 Abstract The Ideal-Cipher Model of a blockcipher is a well-known and widely-used model dating

More information

2: Iterated Cryptographic Hash Functions

2: Iterated Cryptographic Hash Functions 2: Iterated ryptographic Hash Functions we want hash function H : ({0, 1} n ) {0, 1} n of potentially infinite input size instead we have compression function F : {0, 1} m {0, 1} n {0, 1} n and define

More information

Indifferentiability Security of the Fast Widepipe Hash: Breaking the Birthday Barrier

Indifferentiability Security of the Fast Widepipe Hash: Breaking the Birthday Barrier Indifferentiability Security of the Fast Widepipe Hash: Breaking the Birthday Barrier Dustin Moody NIST, USA dustin.moody@nist.gov Souradyuti Paul NIST, USA, KULeuven, Belgium souradyuti.paul@nist.gov

More information

Online Cryptography Course. Collision resistance. Introduc3on. Dan Boneh

Online Cryptography Course. Collision resistance. Introduc3on. Dan Boneh Online Cryptography Course Collision resistance Introduc3on Recap: message integrity So far, four MAC construc3ons: PRFs ECBC- MAC, CMAC : commonly used with AES (e.g. 802.11i) NMAC : basis of HMAC (this

More information

Introduction to Information Security

Introduction to Information Security Introduction to Information Security Lecture 4: Hash Functions and MAC 2007. 6. Prof. Byoungcheon Lee sultan (at) joongbu. ac. kr Information and Communications University Contents 1. Introduction - Hash

More information

Foundations of Network and Computer Security

Foundations of Network and Computer Security Foundations of Network and Computer Security John Black Lecture #6 Sep 8 th 2005 CSCI 6268/TLEN 5831, Fall 2005 Announcements Quiz #1 later today Still some have not signed up for class mailing list Perhaps

More information

12 Hash Functions Defining Security

12 Hash Functions Defining Security 12 Hash Functions A hash function is any function that takes arbitrary-length input and has fixed-length output, so H : {0, 1} {0, 1} n. Think of H (m) as a fingerprint of m. Calling H (m) a fingerprint

More information

2. ETA EVALUATIONS USING WEBER FUNCTIONS. Introduction

2. ETA EVALUATIONS USING WEBER FUNCTIONS. Introduction . ETA EVALUATIONS USING WEBER FUNCTIONS Introduction So ar we have seen some o the methods or providing eta evaluations that appear in the literature and we have seen some o the interesting properties

More information

Cryptanalysis of a class of cryptographic hash functions

Cryptanalysis of a class of cryptographic hash functions Cryptanalysis o a class o cryptographic hash unctions Praveen Gauravaram 1 and John Kelsey 2 1 Technical University o Denmark, Denmark Inormation Security Institute, Australia p.gauravaram@gmail.com 2

More information

Theory and practice for hash functions

Theory and practice for hash functions Theory and practice for hash functions Bart Preneel www.ecrypt.eu.org eu Title of Presentation Katholieke Universiteit it it Leuven - COSIC firstname.lastname@esat.kuleuven.be Cambridge, 1 February 2012

More information

New attacks on Keccak-224 and Keccak-256

New attacks on Keccak-224 and Keccak-256 New attacks on Keccak-224 and Keccak-256 Itai Dinur 1, Orr Dunkelman 1,2 and Adi Shamir 1 1 Computer Science department, The Weizmann Institute, Rehovot, Israel 2 Computer Science Department, University

More information

CPSC 467: Cryptography and Computer Security

CPSC 467: Cryptography and Computer Security CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 14 October 16, 2013 CPSC 467, Lecture 14 1/45 Message Digest / Cryptographic Hash Functions Hash Function Constructions Extending

More information

2 n 2 n 2 n/2. Bart Preneel Generic Constructions for Iterated Hash Functions. Generic Constructions for Iterated Hash Functions.

2 n 2 n 2 n/2. Bart Preneel Generic Constructions for Iterated Hash Functions. Generic Constructions for Iterated Hash Functions. or Iterated Hash Functions or Iterated Hash Functions COSIC Kath. Univ. Leuven, Belgium & ABT Crypto bart.preneel(at)esat.kuleuven.be April 2007 Outline deinitions applications generic attacks attacks

More information

The Hash Function Fugue

The Hash Function Fugue The Hash Function Fugue Shai Halevi William E. Hall Charanjit S. Jutla IBM T.J. Watson Research Center October 6, 2009 Abstract We describe Fugue, a hash function supporting inputs of length upto 2 64

More information

RIPEMD-160 MDC-2 SHA-256 SHA-3

RIPEMD-160 MDC-2 SHA-256 SHA-3 Has unctions Introduction to te Design and Cryptanalysis o Cryptograpic Has Functions Bart Preneel KU Leuven - COSIC irstname.lastname@esat.kuleuven.be X.509 Annex D MDC-2 MD2, MD4, MD5 SHA-1 Tis is an

More information

Numerical Methods - Lecture 2. Numerical Methods. Lecture 2. Analysis of errors in numerical methods

Numerical Methods - Lecture 2. Numerical Methods. Lecture 2. Analysis of errors in numerical methods Numerical Methods - Lecture 1 Numerical Methods Lecture. Analysis o errors in numerical methods Numerical Methods - Lecture Why represent numbers in loating point ormat? Eample 1. How a number 56.78 can

More information

The Deutsch-Jozsa Problem: De-quantization and entanglement

The Deutsch-Jozsa Problem: De-quantization and entanglement The Deutsch-Jozsa Problem: De-quantization and entanglement Alastair A. Abbott Department o Computer Science University o Auckland, New Zealand May 31, 009 Abstract The Deustch-Jozsa problem is one o the

More information

Some Attacks on Merkle-Damgård Hashes

Some Attacks on Merkle-Damgård Hashes Overview Some Attacks on Merkle-Damgård Hashes John Kelsey, NIST and KU Leuven May 8, 2018 m 0 m 1 m 2 m 3 10*L h 0 h 1 h 2 h final Introduction 1 / 63 Overview Cryptographic Hash unctions Thinking About

More information

Supplementary material for Continuous-action planning for discounted infinite-horizon nonlinear optimal control with Lipschitz values

Supplementary material for Continuous-action planning for discounted infinite-horizon nonlinear optimal control with Lipschitz values Supplementary material or Continuous-action planning or discounted ininite-horizon nonlinear optimal control with Lipschitz values List o main notations x, X, u, U state, state space, action, action space,

More information

Indifferentiable Security Analysis of Popular Hash Functions with Prefix-free Padding

Indifferentiable Security Analysis of Popular Hash Functions with Prefix-free Padding Indifferentiable Security Analysis of Popular Hash Functions with Prefix-free Padding Donghoon Chang 1, Sangjin Lee 1, Mridul Nandi 2, and Moti Yung 3 1 Center for Information Security Technologies(CIST),

More information

Innovations in permutation-based crypto

Innovations in permutation-based crypto Innovations in permutation-based crypto Joan Daemen 1,2 based on joint work with Guido Bertoni 3, Seth Hoert, Michaël Peeters 1, Gilles Van Assche 1 and Ronny Van Keer 1 Cryptacus Training School, Azores,

More information

Foundations of Network and Computer Security

Foundations of Network and Computer Security Foundations of Network and Computer Security John Black Lecture #5 Sep 7 th 2004 CSCI 6268/TLEN 5831, Fall 2004 Announcements Please sign up for class mailing list by end of today Quiz #1 will be on Thursday,

More information

(C) The rationals and the reals as linearly ordered sets. Contents. 1 The characterizing results

(C) The rationals and the reals as linearly ordered sets. Contents. 1 The characterizing results (C) The rationals and the reals as linearly ordered sets We know that both Q and R are something special. When we think about about either o these we usually view it as a ield, or at least some kind o

More information

New Attacks against Standardized MACs

New Attacks against Standardized MACs New Attacks against Standardized MACs Antoine Joux 1, Guillaume Poupard 1, and Jacques Stern 2 1 DCSSI Crypto Lab 51 Boulevard de La Tour-Maubourg 75700 Paris 07 SP, France {Antoine.Joux,Guillaume.Poupard}@m4x.org

More information

Adaptive Preimage Resistance Analysis Revisited: Requirements, Subtleties and Implications

Adaptive Preimage Resistance Analysis Revisited: Requirements, Subtleties and Implications Adaptive Preimage Resistance Analysis Revisited: Requirements, Subtleties and Implications Donghoon Chang 1 and Moti Yung 2 1 The Computer Security Division, National Institute of Standards and Technology,

More information