Provable Second Preimage Resistance Revisited
1 Provable Second Preimage Resistance Revisited
Charles Bouillaguet (1), Bastien Vayssiere (2)
(1) LIFL, University of Lille, France
(2) PRISM, University of Versailles, France
SAC / 29

2 Cryptographic Hash Functions
$M \in \{0,1\}^*$ → $H$ → $h \in \{0,1\}^n$
It should behave like a random oracle. In particular, with respect to the following cryptanalysis:
Collision attacks: find $M \neq M'$ such that $H(M') = H(M)$. Ideal security: $2^{n/2}$
Second preimage attacks: given $M$, find $M' \neq M$ such that $H(M') = H(M)$. Ideal security: $2^n$
Preimage attacks: given $h \in \{0,1\}^n$, find $M$ such that $H(M) = h$. Ideal security: $2^n$

3 Second Preimage Notions of Security
Usually defined with the execution time ($t$) and the probability of success ($\varepsilon$) of an adversary. Global complexity: $t/\varepsilon$.
[Figure: Spr[l] notion, for unkeyed hash functions. Input to the adversary against $H$: random $M$ ($l$ blocks); output: $M'$. Success: $M \neq M'$, $H(M) = H(M')$.]

4 Second Preimage Notions of Security
Usually defined with the execution time ($t$) and the probability of success ($\varepsilon$) of an adversary. Global complexity: $t/\varepsilon$.
[Figure: Sec[l] notion, for keyed hash functions. Input to the adversary against $H$: random $M$ ($l$ blocks) and $K$; output: $M'$. Success: $M \neq M'$, $H(M, K) = H(M', K)$.]

5 Second Preimage Notions of Security
Usually defined with the execution time ($t$) and the probability of success ($\varepsilon$) of an adversary. Global complexity: $t/\varepsilon$.
[Figure: esec[l] notion, for keyed hash functions. Input to the adversary against $H$: $M$ ($l$ blocks) and random $K$; output: $M'$. Success: $M \neq M'$, $H(M, K) = H(M', K)$.]

6 Iterated Hash Functions
Most hash functions are iterated hash functions.
Classical mode: Merkle-Damgård [Merkle Damgård, 1989]. Used in MD5, SHA0, SHA1, SHA2.
[Figure: Merkle-Damgård iteration of $H$ over the blocks $m_1, m_2, \dots, m_l$ of $M$, from $IV$ to $h$.]

7 Iterated Hash Functions
Most hash functions are iterated hash functions.
Classical mode: Merkle-Damgård [Merkle Damgård, 1989]. Used in MD5, SHA0, SHA1, SHA2.
[Figure: the same iteration over $m_1, m_2, \dots, m_l$ from $IV$ to $h$, with length strengthening added.]

8 Provable Security of Modes
Generic attacks on hash functions: the attack works on $H^f$ for any $f$. ⟹ the mode of operation itself is insecure!
How to measure the security against generic attacks?
1. Replace $f$ by a Random Oracle.
2. Find an upper bound on the advantage of the adversaries against $H^f$.
One also needs to know about the security of $H^f$ when $f$ is a real-life compression function ($\neq$ Random Oracle).
Reductions in the Standard Model
Idea: exhibit a reduction which transforms any adversary against $H^f$ into an adversary against $f$. For a given security notion, the reduction proves that the property of $f$ is preserved by the mode of operation.
Example: Merkle-Damgård was published with a reduction which converts any collision on $H^f$ into a collision on $f$, in linear time.

9 Generic attacks on Merkle-Damgård
Generic attacks on Merkle-Damgård:
Multi-collisions [Joux, 2004]
Second Preimage Attacks [Kelsey and Schneier, 2005]
Herding Attacks [Kelsey and Kohno, 2006]
Generic Second Preimage Attack of Kelsey and Schneier: second preimage of messages of $l$ blocks in $\frac{2^n}{l} + \log(l)\,2^{n/2}$... even for $f$ replaced by a random oracle. (Ideal security: $2^n$)
Research for new modes:
wide-pipe modes: extend the internal state [Lucks, 2005]
design narrow-pipe modes with proofs of resistance to collisions, preimages... and second preimages!
We focus on the second issue.

10 HAIFA mode of operation [Biham Dunkelman, 2006]
[Figure: HAIFA compression step with inputs $m_i$, salt, #hashed bits and $h_{i-1}$, and output $h_i$.]
Provable Security in the Random Oracle Model [BDFJ 2009]
For $f$ a Random Oracle, the success probability of any adversary breaking the Spr[l] notion of $H$ in $q$ queries is lower than q 2 n

11 Reduction in the Standard Model
Three narrow-pipe modes with a proof of security in the Standard Model:
1. Shoup's UOWHF [Shoup, 2000]
2. Backward Chaining Mode [Andreeva and Preneel, 2008]
3. Split Padding [Yasuda, 2008]
The designers provided a reduction of a notion of second preimage security of $f$ which:
terminates in $t + O(l)$ time with success probability $\varepsilon/l$,
is defined for an adversary $(t, \varepsilon)$-breaking a notion of $H$.

12 Shoup's UOWHF [Shoup, 2000]
[Figure: compression step with inputs $m_i$, $K$, $h_{i-1}$ and mask $\mu_{\nu(i)}$, and output $h_i$.]
Provable Security in the Standard Model
If an adversary is able to break the esec[l] notion of $H$ with probability $\varepsilon$ in time $t$, then one can construct an adversary that breaks the esec notion of $f$ in time $t + O(l)$, with probability $\varepsilon/l$.

13 Backward Chaining Mode [Andreeva and Preneel, 2008]
[Figure: Backward Chaining Mode over the blocks $m_1, m_2, \dots, m_l$ with keys $K_1$, $K_2$, $K_3$, from $IV$ to $h$.]
Provable Security in the Standard Model
If an adversary is able to break the Sec[l] notion of $H$ with probability $\varepsilon$ in time $t$, then one can construct an adversary that breaks the Spr notion of $f$ in time $t + O(l)$, with probability $\varepsilon/l$.

15 Objectives
[Figure: Abstract narrow-pipe mode of operation. Compression step with inputs $M$, $K$, $i$ and $h_{i-1}$, and output $h_i$.]
For the narrow-pipe modes in this abstract model, we provide simple sufficient properties to obtain:
optimal second preimage security in the Random Oracle Model,
optimal second preimage security in the Standard Model, for a narrow-pipe mode,
...and keep the proof of Merkle-Damgård that it preserves the collision resistance!

16 Sufficient Conditions to Preserve the Collision Resistance
Three sufficient conditions:
Length strengthening: the last input of $f$ contains $|M|$
Message injectivity: $M \neq M' \Rightarrow \exists i,\ x_i \neq x'_i$
Chaining value injectivity: $h_{i-1} \neq h'_{i-1} \Rightarrow x_i \neq x'_i$
To our knowledge, those properties are verified by all existing narrow-pipe modes.
Any collision between messages of less than $l$ blocks on $H$ can be transformed into a collision on $f$ in $O(l)$ computations.

17 Reuse the Proof of Merkle-Damgård
If $|M| \neq |M'|$, and the last input block involves the message length, then we have a collision at the end.
[Figure: two iterations with steps $(M, K, 1)$, ..., $(M, K, l-1)$, $(M, K, l)$, both starting from $IV$, ending in $H(M, K) = H(M', K)$.]

18 Reuse the Proof of Merkle-Damgård
Case $|M| = |M'|$. Since $M'$ is a second preimage of $(M, K)$, $M' \neq M$ and it has a distinct sequence of blocks. The point of connection will be the last index $i$ such that $x_i \neq x'_i$.
If $i = l$, the collision on $H$ directly implies the collision $f(x_l) = f(x'_l) = H(M, K)$.
[Figure: two iterations with steps $(M, K, 1)$, ..., $(M, K, l-1)$, $(M, K, l)$, both starting from $IV$, ending in $H(M, K) = H(M', K)$; the point of connection is marked.]

19 Reuse the Proof of Merkle-Damgård
If the point of connection is not the last iteration, since identical inputs of $f$ are always due to identical previous chaining values, we obtain a collision too.
[Figure: steps $(M, K, i)$ and $(M, K, i+1)$ of the two iterations, with equal values up to $H(M, K) = H(M', K)$.]

20 Reuse the Proof of Merkle-Damgård
If the point of connection is not the last iteration, since identical inputs of $f$ are always due to identical previous chaining values, we obtain a collision too.
[Figure: steps $(M, K, i)$ and $(M, K, i+1)$ of the two iterations, with equal values up to $H(M, K) = H(M', K)$; the point of connection is marked.]

21 Resistance to Generic Attacks
Suppose $f$ is a Random Oracle. We want to give an upper bound on the probability that $q$ queries enable an adversary to find a second preimage $M'$ of a random challenge $(M, K)$.
if $|M'| \neq |M|$, the length strengthening provides that $x'_l$ is a preimage of $h = H(M, K)$. With $q$ queries it cannot happen with probability higher than $q 2^{-n}$.
if $|M'| = |M|$, the point of connection can happen at $l$ distinct positions

22 Domain separation
Domain separation of the mode: existence of a generic algorithm (IdxEx) such that for any $M$, $K$ and any $i$-th input $x$ of $f$, IdxEx($x$) = $i$.
[Figure: iteration from $IV$ to $H(M)$ with steps $(M, K, 1)$, ..., $(M, K, i)$, ..., $(M, K, l)$; IdxEx applied to $x_i$.]
For HAIFA: IdxEx(x j ) = i #hashed bits block bit length

23 Domain separation
If $|M'| = |M|$ and $M'$ is a second preimage of $(M, K)$, there is a point of connection. There was a query $x'$ to $f$ which verified $f(x') = f(x_i) = h_i$.
[Figure: a query $x'$ in the block space, set against the chaining values $h_1, h_2, \dots, h_l$.]
Can succeed as a preimage of any one of a set of $l$ blocks.
With domain separation: only 1 case.
Each query has a probability $2^{-n}$ to bring this point of connection. In $q$ queries, the probability to have at least one such query is $1 - (1 - 2^{-n})^q \leq q 2^{-n}$

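The collision-preservation argument of slides 16 to 20 and the index extraction of slides 22 and 23, worked through as an added example (not code from the talk or the paper). It assumes a toy mode: the compression function is SHA-256 truncated to n = 16 bits, each input is x_i = h_{i-1} || block_i || i, and the last block holds the message length; all function names are hypothetical.

```python
import hashlib
from itertools import count

N = 2        # chaining value size in bytes: n = 16 bits, small enough to collide quickly
BLOCK = 8    # message block size in bytes
IV = bytes(N)

def f(x):
    """Toy compression function (assumption): SHA-256 truncated to n bits."""
    return hashlib.sha256(x).digest()[:N]

def f_inputs(msg):
    """Return x_1..x_l, the successive inputs of f, with x_i = h_{i-1} || block_i || i."""
    padded = msg + bytes(-len(msg) % BLOCK)
    blocks = [padded[j:j + BLOCK] for j in range(0, len(padded), BLOCK)]
    blocks.append(len(msg).to_bytes(BLOCK, "big"))    # length strengthening
    xs, h = [], IV
    for i, block in enumerate(blocks, start=1):
        x = h + block + i.to_bytes(4, "big")           # counter gives domain separation
        xs.append(x)
        h = f(x)
    return xs

def H(msg):
    """Hash of the toy mode: output of the last call to f."""
    return f(f_inputs(msg)[-1])

def idx_ex(x):
    """IdxEx: recover the iteration index i from any input x of f."""
    return int.from_bytes(x[-4:], "big")

def extract_f_collision(m1, m2):
    """Turn H(m1) == H(m2), m1 != m2, into (x, x') with x != x' and f(x) == f(x')."""
    assert m1 != m2 and H(m1) == H(m2)
    xs1, xs2 = f_inputs(m1), f_inputs(m2)
    if len(m1) != len(m2):
        # The last inputs embed different lengths, yet both map to the common digest.
        return xs1[-1], xs2[-1]
    # Same length, hence same l: the point of connection is the last i with x_i != x'_i.
    # If i < l then x_{i+1} == x'_{i+1}, which contains h_i == h'_i, so f(x_i) == f(x'_i).
    for x1, x2 in zip(reversed(xs1), reversed(xs2)):
        if x1 != x2:
            return x1, x2
    raise AssertionError("message injectivity violated")

def sample(tag, i, length):
    """Constructed test message: tag, a 4-byte counter, then '.' filler up to `length`."""
    return (tag + i.to_bytes(4, "big")).ljust(length, b".")

def find_H_collision(len_a, len_b):
    """Table-based search for m1 != m2 with H(m1) == H(m2); feasible only because n = 16."""
    table = {H(m): m for m in (sample(b"A", i, len_a) for i in range(4096))}
    for i in count():
        m2 = sample(b"B", i, len_b)
        if H(m2) in table:
            return table[H(m2)], m2

if __name__ == "__main__":
    for len_a, len_b in [(16, 16), (16, 29)]:
        m1, m2 = find_H_collision(len_a, len_b)
        x1, x2 = extract_f_collision(m1, m2)
        print(f"|M|={len_a}, |M'|={len_b}: f collides on inputs at indices "
              f"{idx_ex(x1)} and {idx_ex(x2)}: {x1.hex()} / {x2.hex()}")
```

In the equal-length case both extracted inputs carry the same index, which is the "only 1 case" that domain separation guarantees for a query.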
24 Optimal Resistance to Generic Attacks
Theorem. Let $H^{(\cdot)}$ be a narrow-pipe mode with domain separation, length-strengthening, message and chaining value injectivities. This mode has optimal resistance to generic second preimage attacks.
Proof. Let $\varepsilon$ be the success probability of the adversary against $H^f$, where $f$ is replaced by a Random Oracle. Let $M'$ be a second preimage of $(M, K)$ for $H$.
1. If $|M'| \neq |M|$: length-strengthening ⟹ $\mathcal{A}$ found a preimage of $h$. Probability $\leq q 2^{-n}$.
2. If $|M'| = |M|$: point of connection $i = \mathrm{IdxEx}(x'_i)$. Each query $x'$ to the oracle can only succeed if $f(x') = h_{\mathrm{IdxEx}(x')}$. Probability $\leq q 2^{-n}$.
$\varepsilon \leq q(2^{-n} + 2^{-n}) = \frac{q}{2^{n-1}}$

25 Reduction in the Standard Model
Goal: find a sufficient property which permits the design of a reduction which converts any adversary against the Sec[l] notion of $H$ into an adversary against the Spr notion of $f$.
[Figure: the adversary against $f$ receives $x$; inside it, the Reduction passes $(M, K)$ to the adversary against $H$, gets $M'$ back and outputs $x'$. Success: $x \neq x'$, $f(x) = f(x')$.]
The level of security is the lower bound provided on $t/\varepsilon$ when $f$ is secure for the notion Spr.

26 Embedding of the Challenge into the Query
[Figure: Embedding of $(x, i)$ into a challenge $(M, K)$, within the iteration from $IV$ to $H(M, K)$.]
Embedding: an efficient algorithm which computes a uniformly distributed challenge $(M, K)$ from an input $(x, i)$, in time $O(l)$.

27 Provable Security in the Standard Model
A reduction breaking the Spr notion of $f$ in $t + O(l)$.
[Figure: the Reduction receives $x$ from the challenger for the Spr notion of $f$, draws a random $i$, runs the Embedding to obtain $(M, K)$, gives it to the adversary against Sec[l] of $H$, receives $M'$, finds the point of connection $j$ and outputs $x'_j$.]
The reduction succeeds when the adversary succeeds (probability $\varepsilon$) and point of connection = point of embedding (probability $1/l$).
The probability of success of the reduction is $\varepsilon/l$.

28 Unavoidable Security Loss
If $f$ is secure for the Spr notion: $\frac{t + cl}{\varepsilon/l} \geq 2^n$
This reduction only gives the lower bound $\frac{t}{\varepsilon} \geq \frac{2^n}{l} - \frac{cl}{\varepsilon}$
For long messages, the reduction does not guarantee any security...
Question: Can we get a better reduction? Is there a narrow-pipe mode with a better reduction?
Unfortunately, this security loss is unavoidable for a narrow-pipe mode, with this type of reduction.

29 Thanks for your attention! Questions?
Domain Extension of Public Random Functions: Beyond the Birthday Barrier Ueli Maurer Stefano Tessaro Department of Computer Science ETH Zurich 8092 Zurich, Switzerland {maurer,tessaros}@inf.ethz.ch Abstract
More informationSecond Preimages for Iterated Hash Functions and their Implications on MACs
Second Preimages for Iterated Hash Functions and their Implications on MACs Mario Lamberger, Norbert Pramstaller, and Vincent Rijmen Institute for Applied Information Processing and Communications (IAIK)
More information5199/IOC5063 Theory of Cryptology, 2014 Fall
5199/IOC5063 Theory of Cryptology, 2014 Fall Homework 2 Reference Solution 1. This is about the RSA common modulus problem. Consider that two users A and B use the same modulus n = 146171 for the RSA encryption.
More information1 Cryptographic hash functions
CSCI 5440: Cryptography Lecture 6 The Chinese University of Hong Kong 23 February 2011 1 Cryptographic hash functions Last time we saw a construction of message authentication codes (MACs) for fixed-length
More informationREU 2015: Complexity Across Disciplines. Introduction to Cryptography
REU 2015: Complexity Across Disciplines Introduction to Cryptography Symmetric Key Cryptosystems Iterated Block Ciphers Definition Let KS : K K s be a function that produces a set of subkeys k i K, 1 i
More informationSome Plausible Constructions of Double-Block-Length Hash Functions
Some Plausible Constructions of Double-Block-Length Hash Functions Shoichi Hirose Faculty of Engineering, The University of Fukui, Fukui 910-8507 Japan hirose@fuee.fukui-u.ac.jp Abstract. In this article,
More informationAvoiding collisions Cryptographic hash functions. Table of contents
Avoiding collisions Cryptographic hash functions Foundations of Cryptography Computer Science Department Wellesley College Fall 2016 Table of contents Introduction Collision resistance Birthday attacks
More informationImproved indifferentiability security analysis of chopmd Hash Function
Improved indifferentiability security analysis of chopmd Hash Function Donghoon Chang 1 and Mridul Nandi 2 1 Center for Information Security Technologies (CIST) Korea University, Seoul, Korea dhchang@cist.korea.ac.kr
More informationWeaknesses in the HAS-V Compression Function
Weaknesses in the HAS-V Compression Function Florian Mendel and Vincent Rijmen Institute for Applied Information Processing and Communications (IAIK), Graz University of Technology, Inffeldgasse 16a, A-8010
More informationMerkle-Damgård Revisited : how to Construct a Hash Function
Merkle-Damgård Revisited : how to Construct a Hash Function Jean-Sébastien Coron 1, Yevgeniy Dodis 2, Cécile Malinaud 3, and Prashant Puniya 2 1 University of Luxembourg coron@clipper.ens.fr 2 New-York
More informationThe Impact of Carries on the Complexity of Collision Attacks on SHA-1
The Impact o Carries on the Complexity o Collision Attacks on SHA-1 Florian Mendel, Norbert Pramstaller, Christian Rechberger and Vincent Rijmen Norbert.Pramstaller@iaik.tugraz.at Institute or Applied
More informationHash Functions. A hash function h takes as input a message of arbitrary length and produces as output a message digest of fixed length.
Hash Functions 1 Hash Functions A hash function h takes as input a message of arbitrary length and produces as output a message digest of fixed length. 0 1 1 0 1 0 0 1 Long Message Hash Function 1 1 1
More informationPreimage and Pseudo-Collision Attacks on Step-Reduced SM3 Hash Function
Preimage and Pseudo-Collision Attacks on Step-Reduced SM3 Hash Function Gaoli Wang 1 and Yanzhao Shen 1 1 School of Computer Science and Technology, Donghua University, Shanghai 201620, China wanggaoli@dhu.edu.cn,
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 16 October 30, 2017 CPSC 467, Lecture 16 1/52 Properties of Hash Functions Hash functions do not always look random Relations among
More informationIntroduction to Information Security
Introduction to Information Security Lecture 4: Hash Functions and MAC 2007. 6. Prof. Byoungcheon Lee sultan (at) joongbu. ac. kr Information and Communications University Contents 1. Introduction - Hash
More informationProvable Security of BLAKE with Non-Ideal Compression Function
Provable Security o BLAKE with No-Ideal Compressio Fuctio Elea Adreeva, Atul Luykx, ad Bart Meik (KU Leuve) Selected Areas i Cryptography Widsor, Caada August 17, 2012 1 13 Prelimiaries BLAKE H : {0, 1}
More informationHash-based Signatures. Andreas Hülsing
Hash-based Signatures Andreas Hülsing Post-Quantum Signatures Lattice, MQ, Coding Signature and/or key sizes Runtimes Secure parameters 23-2-2016 PAGE 2... 1 3 1 4 2 3 2 2 3 2 3 4 1 2 1 2 1 1 y x x x x
More information