NORWAY
|
|
- Karen Little
- 5 years ago
- Views:
Transcription
1 A Document descriing all modifications made on the Blue Midnight Wish cryptographic hash function efore entering the Second Round of SHA-3 hash competition Danilo Gligoroski 1 and Vlastimil Klima 2 1 Department of Telematics, Norwegian University of Science and Technology, O.S.Bragstads plass 2B, N-7491 Trondheim, NORWAY danilo.gligoroski@item.ntnu.no 2 Independent cryptologist - consultant, Czech Repulic v.klima@volny.cz Astract. In this document we elaorate changes to the original Blue Midnight Wish, as it will enter the Second Round of SHA-3 competition. Generally, we can say that there are two technical changes (or typo corrections) and two minor tweaks in the design. The first technical change is in correcting a typo in the initial doule pipe value for the 224 and 384 versions, and the second technical change is in correcting a typo in the order of the use of two logical functions s 4 and s 5. The tweaks in the design consist of tweaks in functions f 0 and f 1 and an additional (final) use of the compression function. For us as designers of Blue Midnight Wish it is very important that the tweaks do not introduce any new uilding locks which would need new analysis. The chosen tweaks are quite simple. They use the same uilding locks which were used in the original Blue Midnight Wish hash function. Only the inputs of the uilding locks are changed in a fully transparent manner. The goals of the proposed tweaks are also simple and transparent. For instance the first tweak adds the old doule pipe to the result of the function f 0 and to the key of the function f 1. This strongly decouples the original input M H into two independently acting variales M and H. The second tweak is an additional (final) invocation of the compression function. It also uses the old uilding lock and it is a pivotal security countermeasure against many types of preimage, near, pseudo and other types of attacks. At first glance it may seem that y this additional final invocation of the compression function we have over-designed Blue Midnight Wish. However having in mind the excellent speed performance of oth non-tweaked and tweaked function we can say that this additional final invocation of the compression function rings additional rise in our confidence of the strength and quality of Blue Midnight Wish with only a minor efficiency penalty. In fact, the introduced tweaks do not affect the speed of the hash computation on messages longer than 1000 ytes, ut it ecomes visile on hashing extremely short or short messages, as would e expected. On the other hand, for the optimized versions of the tweaked Blue Midnight Wish we have documented higher operating speed than the speed reported in the documentation for the non-tweaked function. 1 Methodology We will elaorate all changes y the following methodology: 1. We will give the non-tweaked (or non-changed) part in the old sumission, 2. We will give the new tweaked (or changed) part, 3. We will give a rationale for the tweak (technical change). 2 Technical change Nr. 1 The original sumission of Blue Midnight Wish for the 224-it digest size had the initial doule pipe given in Tale 1. Note the value 13 = 0x ! The value should e H(0) 13 = 0x , so the corrected H(0) for BMW224 now is given in Tale 2.
2 0 = 0x = 0x = 0x08090A0B 3 = 0x0C0D0E0F 4 = 0x = 0x = 0x18191A1B 7 = 0x1C1D1E1F 8 = 0x = 0x = 0x28292A2B H(0) 11 = 0x2C2D2E2F 12 = 0x H(0) 13 = 0x = 0x38393A3B H(0) 15 = 0x3C3D3E3F Tale 1. Initial doule pipe for old BMW224 0 = 0x = 0x = 0x08090A0B 3 = 0x0C0D0E0F 4 = 0x = 0x = 0x18191A1B 7 = 0x1C1D1E1F 8 = 0x = 0x = 0x28292A2B H(0) 11 = 0x2C2D2E2F 12 = 0x H(0) 13 = 0x = 0x38393A3B H(0) 15 = 0x3C3D3E3F Tale 2. Initial doule pipe for tweaked BMW224 0 = 0x = 0x08090A0B0C0D0E0F 2 = 0x = 0x18191A1B1C1D1E1F 4 = 0x = 0x28292A2B2C2D2E2F 6 = 0x = 0x38393A3B3C3D3E3F 8 = 0x = 0x48494A4B4C4D4E4F 10 = 0x H(0) 11 = 0x58595A5B5C5D5E5F 12 = 0x H(0) 13 = 0x68696A6B6C6D6E6F 14 = 0x H(0) 15 = 0x78797A7B7C7D7E7F Tale 3. Initial doule pipe for old BMW384 The original sumission of Blue Midnight Wish for the 384-it digest size had the initial doule pipe given in Tale 3. Note the value 6 = 0x ! The value should e 6 = 0x , so the corrected for BMW384 now is given in Tale 4. 0 = 0x = 0x08090A0B0C0D0E0F 2 = 0x = 0x18191A1B1C1D1E1F 4 = 0x = 0x28292A2B2C2D2E2F 6 = 0x = 0x38393A3B3C3D3E3F 8 = 0x = 0x48494A4B4C4D4E4F 10 = 0x H(0) 11 = 0x58595A5B5C5D5E5F 12 = 0x H(0) 13 = 0x68696A6B6C6D6E6F 14 = 0x H(0) 15 = 0x78797A7B7C7D7E7F Tale 4. Initial doule pipe for tweaked BMW384 2
3 3 Tweak Nr. 1 The tweak Nr. 1 was performed to make infeasile finding free-start near collisions and finding pseudopreimages and pseudo-collisions as hard as finding real preimages and real collisions. To achieve that we tweaked oth f 0 and f 1 functions. 3.1 Tweak in f 0 The old f 0 had the following form: f 0 : {0, 1} 2m {0, 1} m Input: Message lock M = (M 0, M 1,..., M 15 ), and the previous doule pipe H(i 1) = (H (i 1) 15 ). Output: First part of the quadruple pipe Q a = (Q 0, Q 1,..., Q 15 ). 1. Biective transform of M H (i 1) : 0 = (M + (M 1 = (M 8 ) + (M 11 H(i 1) 1 (M 2 = (M 0 ) + (M 9 ) (M 12 H(i 1) 1 3 = (M 4 = (M 9 ) (M 11 H(i 1) 11 ) (M 5 = (M 10 H(i 1) 1 12 H(i 1) 1 6 = (M 11 H(i 1) 1 7 = (M 1 ) (M 12 H(i 1) 12 ) (M 8 = (M 2 ) (M 6 ) + (M (M 9 = (M 3 ) + (M = (M 1 ) (M = (M 2 ) (M 5 ) + (M 9 ) = (M 9 ) + (M 10 H(i 1) 10 ) = (M 4 ) + (M 11 H(i 1) 11 ) = (M 5 ) + (M 11 H(i 1) 11 ) (M 12 H(i 1) 12 ) = (M 12 H(i 1) 12 ) (M 9 ) + (M 2. Further iective transform of, = 0,..., 15: Q Q Q Q 12 0 = s 0( 0 4 = s 4( 4 8 = s 3( 8 = s2(w 12 ); Q ); Q ); Q ); Q 13 1 = s 1( 1 5 = s 0( 5 9 = s 4( 9 = s3(w 13 ); Q ); Q ); Q 10 ); Q 14 2 = s 2( 2 6 = s 1( 6 = s0(w 10 = s4(w 14 ); Q ); Q ); Q 11 ); Q 15 3 = s 3( 3 ); 7 = s 2( 7 ); = s1(w 11 ); 15 ); = s0(w Tale 5. Definition of the function f 0 in the old Blue Midnight Wish 3
4 The tweak in f 0 is done in the Step 2: f 0 : {0, 1} 2m {0, 1} m Input: Message lock M = (M 0, M 1,..., M 15 ), and the previous doule pipe H(i 1) = (H (i 1) 15 ). Output: First part of the quadruple pipe Q a = (Q 0, Q 1,..., Q 15 ). 1. Biective transform of M H (i 1) : 0 = (M + (M 1 = (M 8 ) + (M 11 H(i 1) 1 (M 2 = (M 0 ) + (M 9 ) (M 12 H(i 1) 1 3 = (M 4 = (M 9 ) (M 11 H(i 1) 11 ) (M 5 = (M 10 H(i 1) 1 12 H(i 1) 1 6 = (M 11 H(i 1) 1 7 = (M 1 ) (M 12 H(i 1) 12 ) (M 8 = (M 2 ) (M 6 ) + (M (M 9 = (M 3 ) + (M = (M 1 ) (M = (M 2 ) (M 5 ) + (M 9 ) = (M 9 ) + (M 10 H(i 1) 10 ) = (M 4 ) + (M 11 H(i 1) 11 ) = (M 5 ) + (M 11 H(i 1) 11 ) (M 12 H(i 1) 12 ) = (M 12 H(i 1) 12 ) (M 9 ) + (M 2. Further iective transform of, = 0,..., 15: Q 0 = s 0( 0 ) + H(i 1) 1 ; Q 1 = s 1( 1 ) + H(i 1) 2 ; Q 2 = s 2( 2 ) + H(i 1) 3 ; Q 3 = s 3( 3 ) + H(i 1) 4 ; Q 4 = s 4( 4 ) + H(i 1) 5 ; Q 5 = s 0( 5 ) + H(i 1) 6 ; Q 6 = s 1( 6 ) + H(i 1) 7 ; Q 7 = s 2( 7 ) + H(i 1) 8 ; Q 8 = s 3( 8 ) + H(i 1) 9 ; Q 9 = s 4( 9 ) + H(i 1) 10 ; Q 10 Q 12 = s2(w 12 ) + H(i 1) 13 ; Q 13 = s3(w 13 ) + H(i 1) 14 ; Q 14 = s0(w 10 ) + H(i 1) 11 ; Q 11 = s4(w 14 ) + H(i 1) 15 ; Q 15 Tale 6. Definition of the function f 0 of the tweaked Blue Midnight Wish = s1(w 11 ) + H(i 1) 12 ; = s0(w 15 ) + H(i 1) 0 ; If we denote the Step 1 of f 0 as a transformation A 1 : {0, 1} (16 2)w {0, 1} 16w and the Step 2 as a transformation A 2 : {0, 1} (16 2)w {0, 1} 16w, (where w is 32 or 64) then we can descrie the function f 0 as f 0 (M i, H i 1 ) A 2 (A 1 (M i H i 1 )) + ROT L 1 (H i 1 ), where we denote y ROT L 1 (H i 1 ) = (H (i 1) 1, H (i 1) 2,..., H (i 1) 15, H (i 1) 0 ) the rotation y one position to the left of the vector (H (i 1) 15 ). The reason why we put this additional term ROT L 1 (H i 1 ) (see that it is not present in the Round 1 version of Blue Midnight Wish) is that we installed two actions of a decoupling the M i and H i 1 in order to prevent pseudo-attacks that can use the fact that M i H i 1 = 0 iff M i = H i 1. This is the first such decoupling, and the second one is installed in the expansion function f 1. 4
5 3.2 Tweak in f 1 The old function f 1 had the following description: Input: Message lock M = (M 0, M Q a = (Q 0, Q 1,..., Q 15 ). Output: Second part of the quadruple pipe Q f 1 : {0, 1} (16 2)w {0, 1} 16w 1,..., M 15 ), and the first part of quadruple pipe = (Q 16, Q 17,..., Q 31 ). 1. Doule pipe expansion according to the tunale parameters ExpandRounds 1 and ExpandRounds For ii = 0 to ExpandRounds 1 1 Q ii+16 = expand1(ii + 16) 1.2 For ii = ExpandRounds 1 to ExpandRounds 1 + ExpandRounds 2 1 = expand2(ii + 16) Q ii+16 Tale 7. Definition of the old function f 1 The tweaked function f 1 has the following description: f 1 : {0, 1} (16 3)w {0, 1} 16w Input: Message lock M = (M 0, M 1,..., M 15 ), the previous doule pipe H (i 1) = (H (i 1) 15 ) and the first part of the quadruple pipe Q a Output: Second part of the quadruple pipe Q = (Q 16, Q 17,..., Q 31 ). = (Q 0, Q 1,..., Q 15 ). 1. Doule pipe expansion according to the tunale parameters ExpandRounds 1 and ExpandRounds For ii = 0 to ExpandRounds 1 1 Q ii+16 = expand1(ii + 16) 1.2 For ii = ExpandRounds 1 to ExpandRounds 1 + ExpandRounds 2 1 = expand2(ii + 16) Q ii+16 Tale 8. Definition of the tweaked function f 1 of Blue Midnight Wish So in the tweaked f 1 we are also using the values of the previous doule pipe H (i 1) which was not used in the old version od Blue Midnight Wish. We will descrie how concretely we are using the values H (i 1) in the tweaked version y the following comparison. 5
6 The description of logical functions used in old Blue Midnight Wish was the following: BMW224/BMW256 BMW384/BMW512 s 0 (x) = SHR 1 (x) SHL 3 (x) ROT L 4 (x) ROT L 19 (x) s 0 (x) = SHR 1 (x) SHL 3 (x) ROT L 4 (x) ROT L 37 (x) s 1 (x) = SHR 1 (x) SHL 2 (x) ROT L 8 (x) ROT L 23 (x) s 1 (x) = SHR 1 (x) SHL 2 (x) ROT L 13 (x) ROT L 43 (x) s 2 (x) = SHR 2 (x) SHL 1 (x) ROT L 12 (x) ROT L 25 (x) s 2 (x) = SHR 2 (x) SHL 1 (x) ROT L 19 (x) ROT L 53 (x) s 3 (x) = SHR 2 (x) SHL 2 (x) ROT L 15 (x) ROT L 29 (x) s 3 (x) = SHR 2 (x) SHL 2 (x) ROT L 28 (x) ROT L 59 (x) s 4 (x) = SHR 1 (x) x s 4 (x) = SHR 1 (x) x s 5 (x) = SHR 2 (x) x s 5 (x) = SHR 2 (x) x r 1 (x) = ROT L 3 (x) r 1 (x) = ROT L 5 (x) r 2 (x) = ROT L 7 (x) r 2 (x) = ROT L 11 (x) r 3 (x) = ROT L 13 (x) r 3 (x) = ROT L 27 (x) r 4 (x) = ROT L 16 (x) r 4 (x) = ROT L 32 (x) r 5 (x) = ROT L 19 (x) r 5 (x) = ROT L 37 (x) r 6 (x) = ROT L 23 (x) r 6 (x) = ROT L 43 (x) r 7 (x) = ROT L 27 (x) r 7 (x) = ROT L 53 (x) AddElement() = M + M +3 M K +16 AddElement() = M + M +3 M K +16 expand 1 () = s 1 (Q 16 ) + s 1 (Q 12 ) + s 1 (Q 8 ) + s 1 (Q 4 ) + AddElement( 16) + s 2(Q 15 ) + s 3(Q 14 ) + s 0(Q + s 2(Q 11 ) + s 3(Q 10 ) + s 0(Q + s 2(Q 7 ) + s 3(Q 6 ) + s 0(Q + s 2(Q 3 ) + s 3(Q 2 ) + s 0(Q 1 ) 13 ) expand 1 () = s 1 (Q 16 ) 9 ) + s 1 (Q 12 ) 5 ) + s 1 (Q 8 ) + s 1 (Q 4 ) + AddElement( 16) + s 2(Q 15 ) + s 3(Q 14 ) + s 0(Q 13 ) + s 2(Q 11 ) + s 3(Q 10 ) + s 0(Q 9 ) + s 2(Q 7 ) + s 3(Q 6 ) + s 0(Q 5 ) + s 2(Q 3 ) + s 3(Q 2 ) + s 0(Q 1 ) expand 2 () = Q 16 + Q 12 + Q 8 + Q 4 + AddElement( 16) + r 1 (Q 15 ) + Q 14 + r 2 (Q 13 ) + r 3 (Q 11 ) + Q 10 + r 4 (Q 9 ) + r 5 (Q 7 ) + Q 6 + r 6 (Q 5 ) + r 7 (Q 3 ) + s 5(Q 2 ) + s 4(Q 1 ) expand 2 () = Q 16 + Q 12 + Q 8 + Q 4 + AddElement( 16) + r 1 (Q 15 ) + Q 14 + r 2 (Q 13 ) + r 3 (Q 11 ) + Q 10 + r 4 (Q 9 ) + r 5 (Q 7 ) + Q 6 + r 6 (Q 5 ) + r 7 (Q 3 ) + s 5(Q 2 ) + s 4(Q 1 ) Tale 9. Logic functions used in old Blue Midnight Wish. Note that for the function AddElement() index expressions involving the variale for M are computed modulo 16. The new description of the used logical functions is the following: BMW224/BMW256 BMW384/BMW512 s 0 (x) = SHR 1 (x) SHL 3 (x) ROT L 4 (x) ROT L 19 (x) s 0 (x) = SHR 1 (x) SHL 3 (x) ROT L 4 (x) ROT L 37 (x) s 1 (x) = SHR 1 (x) SHL 2 (x) ROT L 8 (x) ROT L 23 (x) s 1 (x) = SHR 1 (x) SHL 2 (x) ROT L 13 (x) ROT L 43 (x) s 2 (x) = SHR 2 (x) SHL 1 (x) ROT L 12 (x) ROT L 25 (x) s 2 (x) = SHR 2 (x) SHL 1 (x) ROT L 19 (x) ROT L 53 (x) s 3 (x) = SHR 2 (x) SHL 2 (x) ROT L 15 (x) ROT L 29 (x) s 3 (x) = SHR 2 (x) SHL 2 (x) ROT L 28 (x) ROT L 59 (x) s 4 (x) = SHR 1 (x) x s 4 (x) = SHR 1 (x) x s 5 (x) = SHR 2 (x) x s 5 (x) = SHR 2 (x) x r 1 (x) = ROT L 3 (x) r 1 (x) = ROT L 5 (x) r 2 (x) = ROT L 7 (x) r 2 (x) = ROT L 11 (x) r 3 (x) = ROT L 13 (x) r 3 (x) = ROT L 27 (x) r 4 (x) = ROT L 16 (x) r 4 (x) = ROT L 32 (x) r 5 (x) = ROT L 19 (x) r 5 (x) = ROT L 37 (x) r 6 (x) = ROT L 23 (x) r 6 (x) = ROT L 43 (x) r 7 (x) = ROT L 27 (x) ( r 7 (x) = ROT L 53 (x) ( AddElement() = ROT L (+1) (M ) + ROT L (+4) (M +3 ) AddElement() = ROT L (+1) (M ) + ROT L (+4) (M +3 ) ) ) ROT L (+11) (M +10 ) + K +16 H +7 ROT L (+11) (M +10 ) + K +16 H +7 expand 1 () = s 1 (Q 16 ) + s 1 (Q 12 ) + s 1 (Q 8 ) + s 1 (Q 4 ) + AddElement( 16) + s 2(Q 15 ) + s 3(Q 14 ) + s 0(Q + s 2(Q 11 ) + s 3(Q 10 ) + s 0(Q + s 2(Q 7 ) + s 3(Q 6 ) + s 0(Q + s 2(Q 3 ) + s 3(Q 2 ) + s 0(Q 1 ) 13 ) expand 1 () = s 1 (Q 16 ) 9 ) + s 1 (Q 12 ) 5 ) + s 1 (Q 8 ) + s 1 (Q 4 ) + AddElement( 16) + s 2(Q 15 ) + s 3(Q 14 ) + s 0(Q 13 ) + s 2(Q 11 ) + s 3(Q 10 ) + s 0(Q 9 ) + s 2(Q 7 ) + s 3(Q 6 ) + s 0(Q 5 ) + s 2(Q 3 ) + s 3(Q 2 ) + s 0(Q 1 ) expand 2 () = Q 16 + Q 12 + Q 8 + Q 4 + AddElement( 16) + r 1 (Q 15 ) + Q 14 + r 2 (Q 13 ) + r 3 (Q 11 ) + Q 10 + r 4 (Q 9 ) + r 5 (Q 7 ) + Q 6 + r 6 (Q 5 ) + r 7 (Q 3 ) + s 4(Q 2 ) + s 5(Q 1 ) expand 2 () = Q 16 + Q 12 + Q 8 + Q 4 + AddElement( 16) + r 1 (Q 15 ) + Q 14 + r 2 (Q 13 ) + r 3 (Q 11 ) + Q 10 + r 4 (Q 9 ) + r 5 (Q 7 ) + Q 6 + r 6 (Q 5 ) + r 7 (Q 3 ) + s 4(Q 2 ) + s 5(Q 1 ) Tale 10. Logic functions used in tweaked Blue Midnight Wish. Note that for the function AddElement() index expressions involving the variale for left rotations, M and H are computed modulo 16. 6
7 By comparing old and new list of logical functions used in f 1 the difference is in the definition of the element AddElement(). The old term was giving a chance an attacker to make changes in the most significant its of the message and due to the operations of addition, those changes were canceling each other up to the last variale Q 31, thus giving free-start near collisions in the compression function. The new (tweaked) expression for AddElement() rotates the values of the message M, and additionally operates with the vector ROT L 7 (H i 1 ) = (H (i 1) 7, H (i 1) 8,..., H (i 1) 5, H (i 1) 6 ) which is a rotation y seven position to the left of the vector (H (i 1) 15 ). This is our second introduction of expressions that decouples the input values of the message M and the chaining doule pipe H (i 1) with the particular values from M and H (i 1) that are repeatedly used in the Blue Midnight Wish expressions. 4 A technical typo correction in f 1 We have corrected another technical typo that was present in the previous version of Blue Midnight Wish. Namely, in the old f 1 we had the following order of using the logical functions s 4 and s 5 in the expression expand 2 () =... + s 5 (Q 2 ) + s 4(Q 1 ) +... The proper order of using s 4 and s 5 should e as it is done in the new tweaked version: 5 Tweak Nr. 2 expand 2 () =... + s 4 (Q 2 ) + s 5(Q 1 ) +... The second tweak consist of an additional (final) use of the compression function. The generic description of the old Blue Midnight Wish had the following structure: Algorithm: Blue Midnight Wish Input: Message M of length l its, and the message digest size n. Output: A message digest Hash, that is long n its. 1. Preprocessing (a) Pad the message M. () Parse the padded message into N, m-it message locks, M (1), M (2),..., M (N). (c) Set the initial value of the doule pipe. 2. Hash computation For i = 1 to N { Q a = f 0(M, H (i 1) ); Q = f 1(M, Q a ); H = f 2(M, Q a, Q ); } 3. Hash =Take n Least Significant Bits(H (N) ). Tale 11. A generic description of the Blue Midnight Wish hash algorithm Together with the tweak introduced in f 0 and f 1 the generic description of the tweaked Blue Midnight Wish has the following structure: 7
8 Algorithm: Blue Midnight Wish Input: Message M of length l its, and the message digest size n. Output: A message digest Hash, that is n its long. 1. Preprocessing (a) Pad the message M. () Parse the padded message into N, m-it message locks, M (1), M (2),..., M (N). (c) Set the initial value of the doule pipe. 2. Hash computation For i = 1 to N { Q a = f 0(M, H (i 1) ); Q = f 1(M, H (i 1), Q a ); H = f 2(M, Q a, Q ); } 3. Finalization Q final a = f 0(H (N), CONST final ); Q final = f 1(H (N), CONST final, Q final a ); H final = f 2(H (N), Q final a, Q final ); 4. Hash =Take n Least Significant Bits(H final ). Tale 12. A generic description of the Blue Midnight Wish hash algorithm As it is shown in Tale 12, in the final invocation of the compression function we have changed the role of the chaining doule pipe and the message. Since there is no more message to e digested, the role that the message data was performing in the previous invocations of the compression function is now given to the last otained doule pipe H (N). In such a case the role of the chaining doule pipe is fixed to a constant that we denote as: CONST final. We have chosen 16 components of the vector CONST final = (CONST final 0,..., CONST final 15 ) to e CONST final = 0xaaaaaaa0 +, = 0, 1,..., 15 for BMW224 and BMW256. CONST final = 0xaaaaaaaaaaaaaaa0 +, = 0, 1,..., 15 for BMW384 and BMW512. By fixing the CONST final we are removing this variale from the attacker s repository, in his attempt to find pseudo collisions and pseudo-preimages. Additionally the final invocation of the compression function is a measure for any attack that can find near collisions or near-pseudo-collisions or near preimages or near-pseudo-preimages of the compression function of Blue Midnight Wish. Acknowledgement We would like to thank Søren S. Thomsen, the memer of Grøstl team, for his analysis and his discovery of near and pseudo attacks on the initial Blue Midnight Wish sumission and to Niels Ferguson, the memer of Skein team, for his remark (send to us privately in his analysis of Edon-R) aout the cryptographic value of having additional final invocation of the compression function. 8
Cryptographic Hash Function. Norwegian University of Science and Technology. Trondheim, Norway
Cryptographic Hash Function BLUE MIDNIGHT WISH Norwegian University of Science and Technology Trondheim, Norway Danilo Gligoroski Vlastimil Klima Svein Johan Knapskog Mohamed El-Hadedy Jørn Amundsen Stig
More informationCryptographic Hash Function
Cryptographic Hash Function EDON-R Norwegian University of Science and Technology Trondheim, Norway Danilo Gligoroski Rune Steinsmo Ødegård Marija Mihova Svein Johan Knapskog Ljupco Kocarev Aleš Drápal
More informationA Note on Linear Approximations of BLUE MIDNIGHT WISH Cryptographic Hash Function
A Note on Linear Approximations of BLUE MIDNIGHT WISH Cryptographic Hash Function Vlastimil Klima 1 and Petr Susil 2 1 Independent cryptologist - consultant, Czech Republic v.klima@volny.cz 2 EPFL PhD
More informationCryptographic Hash Function
Cryptographic Hash Function EDON-R Norwegian University of Science and Technology Trondheim, Norway Danilo Gligoroski Rune Steinsmo Ødegård Marija Mihova Svein Johan Knapskog Ljupco Kocarev Aleš Drápal
More informationPractical consequences of the aberration of narrow-pipe hash designs from ideal random functions
Practical consequences of the aberration of narrow-pipe hash designs from ideal random functions Danilo Gligoroski 1 and Vlastimil Klima 2 1 Faculty of Information Technology, Mathematics and Electrical
More informationPseudo-cryptanalysis of the Original Blue Midnight Wish
Pseudo-cryptanalysis of the Original Blue Midnight Wish Søren S. Thomsen DTU Mathematics, Technical University of Denmark September 28, 2009 Abstract The hash function Blue Midnight Wish (BMW) is a candidate
More informationThe Hash Function JH 1
The Hash Function JH 1 16 January, 2011 Hongjun Wu 2,3 wuhongjun@gmail.com 1 The design of JH is tweaked in this report. The round number of JH is changed from 35.5 to 42. This new version may be referred
More informationPreimage Attacks on Reduced Tiger and SHA-2
Preimage Attacks on Reduced Tiger and SHA-2 Takanori Isobe and Kyoji Shibutani Sony Corporation 1-7-1 Konan, Minato-ku, Tokyo 108-0075, Japan {Takanori.Isobe,Kyoji.Shibutani}@jp.sony.com Abstract. This
More informationAttacks on hash functions. Birthday attacks and Multicollisions
Attacks on hash functions Birthday attacks and Multicollisions Birthday Attack Basics In a group of 23 people, the probability that there are at least two persons on the same day in the same month is greater
More informationLinearization and Message Modification Techniques for Hash Function Cryptanalysis
Linearization and Message Modification Techniques for Hash Function Cryptanalysis Jian Guo Institute for Infocomm Research, Singapore. ASK 2011, 30 August 2011 Jian Guo Linearization and Message Modification
More informationBeyond the MD5 Collisions
Beyond the MD5 Collisions Daniel Joščák Daniel.Joscak@i.cz S.ICZ a.s. Hvězdova 1689/2a, 140 00 Prague 4; Faculty of Mathematics and Physics, Charles University, Prague Abstract We summarize results and
More informationCryptanalysis of EnRUPT
Cryptanalysis of EnRUPT Dmitry Khovratovich and Ivica Nikolić University of Luxembourg Abstract. In this paper we present a preimage attack on EnRUPT- 512. We exploit the fact that the internal state is
More informationAn introduction to Hash functions
An introduction to Hash functions Anna Rimoldi eriscs - Universitée de la Méditerranée, Marseille Secondo Workshop di Crittografia BunnyTN 2011 A. Rimoldi (eriscs) Hash function 12 September 2011 1 / 27
More informationHash Functions. A hash function h takes as input a message of arbitrary length and produces as output a message digest of fixed length.
Hash Functions 1 Hash Functions A hash function h takes as input a message of arbitrary length and produces as output a message digest of fixed length. 0 1 1 0 1 0 0 1 Long Message Hash Function 1 1 1
More informationNew Attacks on the Concatenation and XOR Hash Combiners
New Attacks on the Concatenation and XOR Hash Combiners Itai Dinur Department of Computer Science, Ben-Gurion University, Israel Abstract. We study the security of the concatenation combiner H 1(M) H 2(M)
More informationCIS 6930/4930 Computer and Network Security. Topic 4. Cryptographic Hash Functions
CIS 6930/4930 Computer and Network Security Topic 4. Cryptographic Hash Functions 1 The SHA-1 Hash Function 2 Secure Hash Algorithm (SHA) Developed by NIST, specified in the Secure Hash Standard, 1993
More informationKnown and Chosen Key Differential Distinguishers for Block Ciphers
1/19 Known and Chosen Key Differential Distinguishers for Block Ciphers Josef Pieprzyk joint work with Ivica Nikolić, Przemys law Soko lowski, and Ron Steinfeld ASK 2011, August 29-31, 2011 2/19 Outline
More informationAvoiding collisions Cryptographic hash functions. Table of contents
Avoiding collisions Cryptographic hash functions Foundations of Cryptography Computer Science Department Wellesley College Fall 2016 Table of contents Introduction Davies-Meyer Hashes in Practice Hash
More informationHow to Improve Rebound Attacks. María Naya-Plasencia FHNW - Switzerland
How to Improve Rebound Attacks María Naya-Plasencia FHNW - Switzerland Outline 1 Hash Functions and the SHA-3 Competition 2 The Rebound Attack and Motivation 3 Merging Lists with Respect to t Problem 1
More informationNew Preimage Attack on MDC-4
New Preimage Attack on MDC-4 Deukjo Hong and Daesung Kwon Abstract In this paper, we provide some cryptanalytic results for double-blocklength (DBL) hash modes of block ciphers, MDC-4. Our preimage attacks
More informationSHA-1 Algorithm. Pre-process the message pad and end with size: One bit of '1' following message. Pad with 0's to within 64 bits of end of block
Hash Algorithms Hash Algorithms Driven by the slowness of RSA in signing a message. The idea was to create (relatively fast) a digest of a message and sign that. This was the origin of MD and MD2 algorithms
More informationCryptanalysis of Edon-R
Cryptanalysis of Edon-R Dmitry Khovratovich, Ivica Nikolić, and Ralf-Philipp Weinmann University of Luxembourg Abstract. We present various types of attacks on the hash family Edon- R. In a free start
More informationCryptographic Hash Functions
Cryptographic Hash Functions Çetin Kaya Koç koc@ece.orst.edu Electrical & Computer Engineering Oregon State University Corvallis, Oregon 97331 Technical Report December 9, 2002 Version 1.5 1 1 Introduction
More informationImproved Collision Attack on MD5
Improved Collision Attack on MD5 Yu Sasaki* Yusuke Naito* Noboru Kunihiro* Kazuo Ohta* *The University of Electro-Communications, Japan { yu339, tolucky } @ice.uec.ac.jp Abstract In EUROCRYPT2005, a collision
More informationFull-Round Differential Attack on the Original Version of the Hash Function Proposed at PKC 98
Full-Round Differential Attack on the Original Version of the Hash Function Proposed at PKC 98 Donghoon Chang 1, Jaechul Sung 2, Soohak Sung 3,SangjinLee 1,and Jongin Lim 1 1 Center for Information Security
More informationAnalysis of cryptographic hash functions
Analysis of cryptographic hash functions Christina Boura SECRET Project-Team, INRIA Paris-Rocquencourt Gemalto, France Ph.D. Defense December 7, 2012 1 / 43 Symmetric key cryptography Alice and Bob share
More informationPractical Near-Collisions on the Compression Function of BMW
Practical Near-Collisions on the Compression Function of BMW Gaëtan Leurent 1 and Søren S. Thomsen 2 1 University of Luxembourg gaetan.leurent@uni.lu 2 Technical University of Denmark s.thomsen@mat.dtu.dk
More informationSecurity Analysis of the Compression Function of Lesamnta and its Impact
Security Analysis of the Compression Function of Lesamnta and its Impact Shoichi Hirose 1, Hidenori Kuwakado 2, Hirotaka Yoshida 3, 4 1 University of Fukui hrs shch@u-fukui.ac.jp 2 Kobe University kuwakado@kobe-u.ac.jp
More informationOn periods of Edon-(2m, 2k) Family of Stream Ciphers
On periods of Edon-2m, 2k Family of Stream Ciphers Danilo Gligoroski,2, Smile Markovski 2, and Svein Johan Knapskog Centre for Quantifiable Quality of Service in Communication Systems, Norwegian University
More informationIntroduction Description of MD5. Message Modification Generate Messages Summary
How to Break MD5 and other hash functions Xiaoyun Wang and Hongbo Yu (China) Presented by: Saar Benodiz May 2012 Outline Introduction Description of MD5 Differential Attack for Hash Functions Message Modification
More informationLow-weight Pseudo Collision Attack on Shabal and Preimage Attack on Reduced Shabal-512
Low-weight Pseudo Collision Attack on Shabal and Preimage Attack on Reduced Shabal-512 Takanori Isobe and Taizo Shirai Sony Corporation 1-7-1 Konan, Minato-ku, Tokyo 108-0075, Japan {Takanori.Isobe,Taizo.Shirai}@jp.sony.com
More informationTurbo SHA-2. Danilo Gligoroski and Svein Johan Knapskog
SHA-2 Danilo Gligoroski and Svein Johan Knapskog Centre for Quantifiable Quality of Service in Communication Systems, Norwegian University of Science and Technology, O.S.Bragstads plass 2E, N-749 Trondheim,
More informationContributions to Cryptanalysis: Design and Analysis of Cryptographic Hash Functions
Contributions to Cryptanalysis: Design and Analysis of Cryptographic Hash Functions By Przemys law Szczepan Soko lowski A thesis submitted to Macquarie University for the degree of Doctor of Philosophy
More informationQuantum Preimage and Collision Attacks on CubeHash
Quantum Preimage and Collision Attacks on CubeHash Gaëtan Leurent University of Luxembourg, Gaetan.Leurent@uni.lu Abstract. In this paper we show a quantum preimage attack on CubeHash-512-normal with complexity
More informationAsymmetric Encryption
-3 s s Encryption Comp Sci 3600 Outline -3 s s 1-3 2 3 4 5 s s Outline -3 s s 1-3 2 3 4 5 s s Function Using Bitwise XOR -3 s s Key Properties for -3 s s The most important property of a hash function
More informationHow (not) to efficiently dither blockcipher-based hash functions?
How (not) to efficiently dither blockcipher-based hash functions? Jean-Philippe Aumasson, Raphael C.-W. Phan FHNW, Switzerland Loughborough University, UK 1 / 29 CONTENT OF THE TALK Dithered hashing Blockcipher-based
More informationLecture 14: Cryptographic Hash Functions
CSE 599b: Cryptography (Winter 2006) Lecture 14: Cryptographic Hash Functions 17 February 2006 Lecturer: Paul Beame Scribe: Paul Beame 1 Hash Function Properties A hash function family H = {H K } K K is
More informationLecture 1. Crypto Background
Lecture 1 Crypto Background This lecture Crypto background hash functions random oracle model digital signatures and applications Cryptographic Hash Functions Hash function takes a string of arbitrary
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 15 October 20, 2014 CPSC 467, Lecture 15 1/37 Common Hash Functions SHA-2 MD5 Birthday Attack on Hash Functions Constructing New
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 16 October 30, 2017 CPSC 467, Lecture 16 1/52 Properties of Hash Functions Hash functions do not always look random Relations among
More informationPreimage Attack on ARIRANG
Preimage Attack on ARIRANG Deukjo Hong, Woo-Hwan Kim, Bonwook Koo The Attached Institute of ETRI, P.O.Box 1, Yuseong, Daejeon, 305-600, Korea {hongdj,whkim5,bwkoo}@ensec.re.kr Abstract. The hash function
More informationThe MD6 hash function
The MD6 hash function Ronald L. Rivest Computer Science and Artificial Intelligence Laboratory Massachusetts Institute of Technology Cambridge, MA 02139 rivest@mit.edu Benjamin Agre Daniel V. Bailey Sarah
More informationCryptanalysis of Luffa v2 Components
Cryptanalysis of Luffa v2 Components Dmitry Khovratovich 1, María Naya-Plasencia 2, Andrea Röck 3, and Martin Schläffer 4 1 University of Luxembourg, Luxembourg 2 FHNW, Windisch, Switzerland 3 Aalto University
More informationLeftovers from Lecture 3
Leftovers from Lecture 3 Implementing GF(2^k) Multiplication: Polynomial multiplication, and then remainder modulo the defining polynomial f(x): (1,1,0,1,1) *(0,1,0,1,1) = (1,1,0,0,1) For small size finite
More information2: Iterated Cryptographic Hash Functions
2: Iterated ryptographic Hash Functions we want hash function H : ({0, 1} n ) {0, 1} n of potentially infinite input size instead we have compression function F : {0, 1} m {0, 1} n {0, 1} n and define
More informationUnderstanding Cryptography A Textbook for Students and Practitioners by Christof Paar and Jan Pelzl. Chapter 11 Hash Functions ver.
Understanding Cryptography A Textbook for Students and Practitioners by Christof Paar and Jan Pelzl www.crypto-textbook.com Chapter 11 Hash Functions ver. October 29, 2009 These slides were prepared by
More informationExam Security January 19, :30 11:30
Exam Security January 19, 2016. 8:30 11:30 You can score a maximum of 100. Each question indicates how many it is worth. You are NOT allowed to use books or notes, or a (smart) phone. You may answer in
More informationCompactness vs Collusion Resistance in Functional Encryption
Compactness vs Collusion Resistance in Functional Encryption Baiyu Li Daniele Micciancio April 10, 2017 Astract We present two general constructions that can e used to comine any two functional encryption
More informationCollision Attack on Boole
Collision Attack on Boole Florian Mendel, Tomislav Nad and Martin Schläffer Institute for Applied Information Processing and Communications (IAIK) Graz University of Technology, Inffeldgasse 16a, A-8010
More informationNew attacks on Keccak-224 and Keccak-256
New attacks on Keccak-224 and Keccak-256 Itai Dinur 1, Orr Dunkelman 1,2 and Adi Shamir 1 1 Computer Science department, The Weizmann Institute, Rehovot, Israel 2 Computer Science Department, University
More informationAttacks on Hash Functions based on Generalized Feistel Application to Reduced-Round Lesamnta and SHAvite-3 512
Attacks on Hash Functions based on Generalized Feistel Application to Reduced-Round Lesamnta and SHAvite-3 512 Charles Bouillaguet 1, Orr Dunkelman 2, Gaëtan Leurent 1, and Pierre-Alain Fouque 1 1 Département
More informationPreimage Attacks on 3, 4, and 5-Pass HAVAL
Preimage Attacks on 3, 4, and 5-Pass HAVAL Yu Sasaki and Kazumaro Aoki NTT, 3-9-11 Midoricho, Musashino-shi, Tokyo, 180-8585 Japan Abstract. This paper proposes preimage attacks on hash function HAVAL
More informationWeak Keys of the Full MISTY1 Block Cipher for Related-Key Cryptanalysis
Weak eys of the Full MISTY1 Block Cipher for Related-ey Cryptanalysis Jiqiang Lu 1, Wun-She Yap 1,2, and Yongzhuang Wei 3,4 1 Institute for Infocomm Research, Agency for Science, Technology and Research
More informationHash Functions and Gröbner Bases Cryptanalysis
Rune Steinsmo Ødegård Hash Functions and Gröbner Bases Cryptanalysis Thesis for the degree of Philosophiae Doctor Trondheim, April 2012 Norwegian University of Science and Technology Faculty of Information
More informationWeaknesses in the HAS-V Compression Function
Weaknesses in the HAS-V Compression Function Florian Mendel and Vincent Rijmen Institute for Applied Information Processing and Communications (IAIK), Graz University of Technology, Inffeldgasse 16a, A-8010
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 14 October 16, 2013 CPSC 467, Lecture 14 1/45 Message Digest / Cryptographic Hash Functions Hash Function Constructions Extending
More informationAURORA: A Cryptographic Hash Algorithm Family
AURORA: A Cryptographic Hash Algorithm Family Submitters: Sony Corporation 1 and Nagoya University 2 Algorithm Designers: Tetsu Iwata 2, Kyoji Shibutani 1, Taizo Shirai 1, Shiho Moriai 1, Toru Akishita
More informationHashes and Message Digests Alex X. Liu & Haipeng Dai
Hashes and Message Digests Alex X. Liu & Haipeng Dai haipengdai@nju.edu.cn 313 CS Building Department of Computer Science and Technology Nanjing University Integrity vs. Secrecy Integrity: attacker cannot
More informationCryptographic Hash Functions Part II
Cryptographic Hash Functions Part II Cryptography 1 Andreas Hülsing, TU/e Some slides by Sebastiaan de Hoogh, TU/e Hash function design Create fixed input size building block Use building block to build
More informationA Study of the MD5 Attacks: Insights and Improvements
A Study of the MD5 Attacks: Insights and Improvements John Black 1 and Martin Cochran 1 and Trevor Highland 2 1 University of Colorado at Boulder, USA www.cs.colorado.edu/ jrblack, ucsu.colorado.edu/ cochranm
More informationPreimage and Pseudo-Collision Attacks on Step-Reduced SM3 Hash Function
Preimage and Pseudo-Collision Attacks on Step-Reduced SM3 Hash Function Gaoli Wang 1 and Yanzhao Shen 1 1 School of Computer Science and Technology, Donghua University, Shanghai 201620, China wanggaoli@dhu.edu.cn,
More informationThe MD6 hash function A proposal to NIST for SHA-3
The MD6 hash function A proposal to NIST for SHA-3 Ronald L. Rivest Computer Science and Artificial Intelligence Laboratory Massachusetts Institute of Technology Cambridge, MA 02139 rivest@mit.edu Benjamin
More informationProvable Seconde Preimage Resistance Revisited
Provable Seconde Preimage Resistance Revisited Charles Bouillaguet 1 Bastien Vayssiere 2 1 LIFL University o Lille, France 2 PRISM University o Versailles, France SAC 2013 1 / 29 Cryptographic Hash Functions
More informationDomain Extender for Collision Resistant Hash Functions: Improving Upon Merkle-Damgård Iteration
Domain Extender for Collision Resistant Hash Functions: Improving Upon Merkle-Damgård Iteration Palash Sarkar Cryptology Research Group Applied Statistics Unit Indian Statistical Institute 203, B.T. Road,
More informationImproved (Pseudo) Preimage Attack and Second Preimage Attack on Round-Reduced Grøstl
Improved (Pseudo) Preimage Attack and Second Preimage Attack on Round-Reduced Grøstl Jian Zou, Wenling Wu, Shuang Wu, and Le Dong Institute of Software Chinese Academy of Sciences Beijing 100190, China
More informationWeek 12: Hash Functions and MAC
Week 12: Hash Functions and MAC 1. Introduction Hash Functions vs. MAC 2 Hash Functions Any Message M Hash Function Generate a fixed length Fingerprint for an arbitrary length message. No Key involved.
More informationNanyang Technological University, Singapore École normale supérieure de Rennes, France
Analysis of BLAKE2 Jian Guo Pierre Karpman Ivica Nikolić Lei Wang Shuang Wu Nanyang Technological University, Singapore École normale supérieure de Rennes, France The Cryptographer s Track at the RSA Conference,
More informationRobot Position from Wheel Odometry
Root Position from Wheel Odometry Christopher Marshall 26 Fe 2008 Astract This document develops equations of motion for root position as a function of the distance traveled y each wheel as a function
More informationHow to Find the Sufficient Collision Conditions for Haval-128 Pass 3 by Backward Analysis
University of Wollongong Research Online Faculty of Informatics - Papers (Archive) Faculty of Engineering and Information Sciences 2007 How to Find the Sufficient Collision Conditions for Haval-128 Pass
More informationHASH FUNCTIONS. Mihir Bellare UCSD 1
HASH FUNCTIONS Mihir Bellare UCSD 1 Hashing Hash functions like MD5, SHA1, SHA256, SHA512, SHA3,... are amongst the most widely-used cryptographic primitives. Their primary purpose is collision-resistant
More informationENEE 459-C Computer Security. Message authentication (continue from previous lecture)
ENEE 459-C Computer Security Message authentication (continue from previous lecture) Last lecture Hash function Cryptographic hash function Message authentication with hash function (attack?) with cryptographic
More informationImpact of Rotations in SHA-1 and Related Hash Functions
Impact of Rotations in SHA-1 and Related Hash Functions Norbert Pramstaller, Christian Rechberger, and Vincent Rijmen Institute for Applied Information Processing and Communications (IAIK), Graz University
More informationIntroduction to Cryptography Lecture 4
Data Integrity, Message Authentication Introduction to Cryptography Lecture 4 Message authentication Hash functions Benny Pinas Ris: an active adversary might change messages exchanged between and M M
More informationSecurity Properties of Domain Extenders for Cryptographic Hash Functions
Security Properties of Domain Extenders for Cryptographic Hash Functions Elena Andreeva, Bart Mennink, and Bart Preneel Abstract Cryptographic hash functions reduce inputs of arbitrary or very large length
More informationOn the Security of Hash Functions Employing Blockcipher Post-processing
On the Security of Hash Functions Employing Blockcipher Post-processing Donghoon Chang 1, Mridul Nandi 2, Moti Yung 3 1 National Institute of Standards and Technology (NIST), USA 2 C R Rao AIMSCS, Hyderabad,
More information1 Cryptographic hash functions
CSCI 5440: Cryptography Lecture 6 The Chinese University of Hong Kong 24 October 2012 1 Cryptographic hash functions Last time we saw a construction of message authentication codes (MACs) for fixed-length
More informationPhD-FSTC The Faculty of Sciences, Technology and Communication DISSERTATION. Defense held on 23/02/2011 in Luxembourg. to obtain the degree of
PhD-FSTC-2011-03 The Faculty of Sciences, Technology and Communication DISSERTATION Defense held on 23/02/2011 in Luxembourg to obtain the degree of DOCTEUR DE L UNIVERSITÉ DU LUXEMBOURG EN INFORMATIQUE
More informationRainbow Tables ENEE 457/CMSC 498E
Rainbow Tables ENEE 457/CMSC 498E How are Passwords Stored? Option 1: Store all passwords in a table in the clear. Problem: If Server is compromised then all passwords are leaked. Option 2: Store only
More informationCryptographic Hashes. Yan Huang. Credits: David Evans, CS588
Cryptographic Hashes Yan Huang Credits: David Evans, CS588 Recap: CPA 1. k KeyGen(1 n ). b {0,1}. Give Enc(k, ) to A. 2. A chooses as many plaintexts as he wants, and receives the corresponding ciphertexts
More informationFunction Secret Sharing: Improvements and Extensions
Function Secret Sharing: Improvements and Extensions Elette Boyle Niv Giloa Yuval Ishai July 24, 2018 Astract Function Secret Sharing (FSS), introduced y Boyle et al. (Eurocrypt 2015), provides a way for
More informationDynamic Optimization of Geneva Mechanisms
Dynamic Optimization of Geneva Mechanisms Vivek A. Suan and Marco A. Meggiolaro Department of Mechanical Engineering Massachusetts Institute of Technology Camridge, MA 09 ABSTRACT The Geneva wheel is the
More informationCube Test Analysis of the Statistical Behavior of CubeHash and Skein
Cube Test Analysis of the Statistical Behavior of CubeHash and Skein Alan Kaminsky May, 0 Abstract This work analyzes the statistical properties of the SHA- candidate cryptographic hash algorithms CubeHash
More informationTime-memory Trade-offs for Near-collisions
Time-memory Trade-offs for Near-collisions Gaëtan Leurent UCL Crypto Group Gaetan.Leurent@uclouvain.be Abstract. In this work we consider generic algorithms to find nearcollisions for a hash function.
More informationb = 10 a, is the logarithm of b to the base 10. Changing the base to e we obtain natural logarithms, so a = ln b means that b = e a.
INTRODUCTION TO CRYPTOGRAPHY 5. Discrete Logarithms Recall the classical logarithm for real numbers: If we write b = 10 a, then a = log 10 b is the logarithm of b to the base 10. Changing the base to e
More informationSTRIBOB : Authenticated Encryption
1 / 19 STRIBOB : Authenticated Encryption from GOST R 34.11-2012 or Whirlpool Markku-Juhani O. Saarinen mjos@item.ntnu.no Norwegian University of Science and Technology Directions in Authentication Ciphers
More informationHASH FUNCTIONS 1 /62
HASH FUNCTIONS 1 /62 What is a hash function? By a hash function we usually mean a map h : D {0,1} n that is compressing, meaning D > 2 n. E.g. D = {0,1} 264 is the set of all strings of length at most
More informationSIGNATURE SCHEMES & CRYPTOGRAPHIC HASH FUNCTIONS. CIS 400/628 Spring 2005 Introduction to Cryptography
SIGNATURE SCHEMES & CRYPTOGRAPHIC HASH FUNCTIONS CIS 400/628 Spring 2005 Introduction to Cryptography This is based on Chapter 8 of Trappe and Washington DIGITAL SIGNATURES message sig 1. How do we bind
More informationSecurity Analysis and Comparison of the SHA-3 Finalists BLAKE, Grøstl, JH, Keccak, and Skein
Security Analysis and Comparison of the SA-3 Finalists BLAKE, Grøstl, J, Keccak, and Skein Elena Andreeva, Bart Mennink, Bart Preneel and Marjan Škrobot Dept. Electrical Engineering, ESAT/COSIC and IBBT
More informationTwo-Stage Improved Group Plans for Burr Type XII Distributions
American Journal of Mathematics and Statistics 212, 2(3): 33-39 DOI: 1.5923/j.ajms.21223.4 Two-Stage Improved Group Plans for Burr Type XII Distriutions Muhammad Aslam 1,*, Y. L. Lio 2, Muhammad Azam 1,
More informationARIRANG. Designed by CIST ARIRANG. Designed by CIST. Algorithm Name : ARIRANG
ARIRANG Algorithm Name : ARIRANG Principal Submitter : Jongin Lim Tel : +82 2 3290 4044 Fax : +82 2 928 9109 Email : jilim@korea.ac.kr Organization : Korea Univ. Postal address : Center for Information
More informationCryptanalysis of Tweaked Versions of SMASH and Reparation
Cryptanalysis of Tweaked Versions of SMASH and Reparation Pierre-Alain Fouque, Jacques Stern, and Sébastien Zimmer CNRS-École normale supérieure-inria Paris, France {Pierre-Alain.Fouque,Jacques.Stern,Sebastien.Zimmer}@ens.fr
More informationDeterministic Constructions of 21-Step Collisions for the SHA-2 Hash Family
Deterministic Constructions of 21-Step Collisions for the SHA-2 Hash Family Somitra Kr. Sanadhya and Palash Sarkar Cryptology Research Group Applied Statistics Unit Indian Statistical Institute, Kolkata
More informationPublic-key Cryptography: Theory and Practice
Public-key Cryptography Theory and Practice Department of Computer Science and Engineering Indian Institute of Technology Kharagpur Appendix A: Symmetric Techniques Block Ciphers A block cipher f of block-size
More informationMartin Cochran. August 24, 2008
Notes on the Wang et al. 2 63 SHA-1 Differential Path Martin Cochran August 24, 2008 Abstract Although advances in SHA-1 cryptanalysis have been made since the 2005 announcement of a2 63 attack by Wang
More informationTesting the Properties of Large Quasigroups
Testing the Properties of Large Quasigroups Eliška Ochodková, Jiří Dvorský, Václav Snášel Department of Computer Science Technical University of Ostrava 17. listopadu 15, Ostrava - Poruba Czech Republic
More informationAdaptively Indistinguishable Garbled Circuits
Adaptively Indistinguishale Garled Circuits Zahra Jafargholi Alessandra Scafuro Daniel Wichs Astract A garling scheme is used to garle a circuit C and an input x in a way that reveals the output C(x ut
More informationHow to Use Short Basis : Trapdoors for Hard Lattices and new Cryptographic Constructions
Presentation Article presentation, for the ENS Lattice Based Crypto Workgroup http://www.di.ens.fr/~pnguyen/lbc.html, 30 September 2009 How to Use Short Basis : Trapdoors for http://www.cc.gatech.edu/~cpeikert/pubs/trap_lattice.pdf
More informationSolving Systems of Linear Equations Symbolically
" Solving Systems of Linear Equations Symolically Every day of the year, thousands of airline flights crisscross the United States to connect large and small cities. Each flight follows a plan filed with
More informationEfficient Collision Search Attacks on SHA-0
Efficient Collision Search Attacks on SHA-0 Xiaoyun Wang 1,, Hongbo Yu 2, and Yiqun Lisa Yin 3 1 Shandong University, China xywang@sdu.edu.cn 2 Shandong University, China yhb@mail.sdu.edu.cn 3 Independent
More informationSome integral properties of Rijndael, Grøstl-512 and LANE-256
Some integral properties of Rijndael, Grøstl-512 and LANE-256 Marine Minier 1, Raphael C.-W. Phan 2, and Benjamin Pousse 3 1 Universit de Lyon, INRIA, INSA-Lyon, CITI, 2 Electronic & Electrical Engineering,
More information