On High-Rate Cryptographic Compression Functions
|
|
- Luke Lawrence
- 5 years ago
- Views:
Transcription
1 On High-Rate Cryptographic Compression Functions Richard Ostertág and Martin Stanek Department o Computer Science Faculty o Mathematics, Physics and Inormatics Comenius University Mlynská dolina, Bratislava, Slovak Republic {ostertag, stanek}@dcs.mph.uniba.sk Abstract. The security o iterated hash unctions relies on the properties o underlying compression unctions. We study highly eicient compression unctions based on block ciphers. We propose a model or highrate compression unctions, and give an upper bound or the rate o any collision resistant compression unction in our model. In addition, we show that natural generalizations o constructions by Preneel, Govaerts, and Vandewalle to the case o rate-2 compression unctions are not collision resistant. Key words: Hash unctions, compression unctions, block ciphers, provable security. 1 Introduction Cryptographic hash unctions are basic building blocks in many security constructions digital signatures, message authentication codes, etc. Almost all modern hash unctions are built by iterating a compression unction according the Merkle-Damgård paradigm [3, 5]. Moreover, these compression unctions are oten based on some underlying block cipher. Even dedicated hash unction like SHA-1 is based on a block cipher called SHACAL-1 [4]. The irst systematic study o 64 block cipher based hash unctions was done by Preneel, Govaerts, and Vandewalle [6]. Subsequently, Black, Rogaway, and Shrimpton [2] analyzed these constructions in black box model and proved that 20 o them are collision resistant up to the birthday-attack bound. An important property o a hash unction is perormance. Thereore, one would like to maximize the rate o hash unction the number o message blocks processed with one block cipher transormation. Another way to design ast hash unctions is the usage o keys rom a small ixed set o keys in all block cipher transormations, thus enabling a pre-scheduling o keys. Classical constructions [6] are rate-1 and require rekeying or every message block. Recently, Black, We appreciate any comments and suggestions.
2 Cochran, and Shrimpton [1] shown, that it is impossible to construct (block cipher based) provably secure rate-1 iterated hash unction that use small ixed set o keys. Our contribution. We analyze the existence o high-rate compression unctions. Our contribution is twoold: 1. We propose a general model o (block cipher based) high-rate compression unctions, and show an upper bound or rate o provably secure compression unctions. 2. We show that generalizations o rate-1 constructions by Preneel, Govaerts, and Vandewalle [6] to the case o rate-2 compression unctions are not collision resistant. Remark 1. We ocus solely on collision resistance as the most problematic property o cryptographic hash unctions. Moreover, the results o our analysis are mostly negative, so there is no need to study other properties. The paper is structured as ollows. Section 2 contains notions and deinitions used in the paper. In addition, we present our model o high-rate compression unctions. In Section 3 we give an upper bound or rate o collision resistant compression unctions in the model. The analysis o rate-2 compression unctions is presented in Section 4. 2 Background and Deinitions The notation used in the paper ollows closely the notation introduced in [1, 2]. Let V m be a set o all m-ary binary vectors, i.e. V m = {0, 1} m. Let k and n be positive integers. A block cipher is a unction E : V k V n V n, where or each key K V k, the unction E K ( ) = E(K, ) is a permutation on V n. Let Bloc(k, n) be the set o all block ciphers E : V k V n V n. The inverse o block cipher E is denoted by E 1. A (block cipher based) compression unction is a unction : Bloc(k, n) (V a V b ) V c, where a, b, and c are positive integers such that a + b c. An iterated hash o compression unction : Bloc(k, n) (V a V b ) V a is the hash unction H : Bloc(k, n) Vb V a deined by H E (m 1... m l ) = h l, where h i = E (h i 1, m i ) and h 0 is a ixed element rom V a. We set H E (ε) = h 0 or empty string ε. We oten omit superscripts E to and H. I the computation o E (h, m) uses e queries o E then (and its iterated hash H) is rate-r, where r = (b/n)/e. Oten n b, and the rate represents the average number o message blocks processed by single E transormation. For example, or b/n = 3 and e = 2 we get compression unction o rate-(3/2). The experiment o choosing a random element x rom the inite set S will be denoted by x $ S.
3 Black-box model. An adversary A is given access to oracles E and E 1 where E is a block cipher. We write these oracles as superscripts, i.e. A E,E 1. We omit the superscripts when the oracles are clear rom context. The adversary s task is attacking the collision resistance o a hash unction H. We measure the adversary s eort o inding collision as a unction o the number o E or E 1 queries it makes. Notice that we assume inormation-theoretic adversary, i.e. the computational power o the adversary is not limited in any way. Attacks in this model treat the block cipher as a black box. The only structural property o the block cipher captured by the model is the invertibility. The model cannot guarantee the security o block cipher based hash unctions instantiated with block ciphers having signiicant structural properties (e.g. weak keys). On the other hand, the black-box model is stronger that treating the block cipher as a random unction, because the adversary s ability to compute E 1. We deine the advantage o an adversary in inding collisions in a compression unction : Bloc(k, n) (V a V b ) V c. Naturally (h, m) and (h, m ) collide under i they are distinct and E (h, m) = E (h, m ). We also take into account a collision with empty string, i.e. producing (h, m) such that E (h, m) = h 0. We look at the number o queries that the adversary makes compare this with the probability o inding a collision. Deinition 1 (Collision resistance o a compression unction [2]). Let be a block cipher based compression unction, : Bloc(k, n) (V a V b ) V c. Fix a constant h 0 V c and an adversary A. Then the advantage o inding collisions in is the probability Adv comp (A) = Pr [ E $ Bloc(k, n); ((h, m), (h, m )) A E,E 1 : (h, m) (h, m ) E (h, m) = E (h, m ) E (h, m) = h 0 ] For q 0 we write Adv comp (q) = max A {Adv comp (A)} where the maximum is taken over all adversaries that ask at most q oracle (E or E 1 ) queries. Deinition 2 (Collision resistance o a hash unction [2]). Let H be a block cipher based hash unction, and let A be an adversary. Then the advantage o inding collisions in H is the probability [ Adv coll H (A) = Pr E $ Bloc(k, n); (M, M ) A E,E 1 : ] M M H E (M) = H E (M ) For q 0 we write Adv coll H (q) = max A {Adv coll H (A)} where the maximum is taken over all adversaries that ask at most q oracle (E or E 1 ) queries. The ollowing theorem orms a basis or construction o iterated hash unctions (Merkle-Damgård paradigm). It shows that the collision resistance o compression unction is suicient or the collision resistance o its iterated hash unction.
4 Theorem 1 (Merkle-Damgård [3, 5]). Let : Bloc(k, n) V n V n V n be a compression unction and let H be an iterated hash o. Then Adv coll H (q) Adv comp (q) or any q 1. Remark 2. Birthday attack is a generic collision-inding attack on a compression/hash unction. The advantage o birthday attack is Θ(q 2 /2 n ), where q is number o evaluations o the unction and n is the length o output. Usually, a compression unction (hash unction H) is called collision resistant up to the birthday-attack bound, or simply collision resistant i Adv comp (q) = Θ(q 2 /2 n ) (Adv coll H (q)) = Θ(q 2 /2 n )). 2.1 A Model o High-Rate Compression Function We deine a model o high-rate compression unction : Bloc(k, n) (V a V b ) V a. The model assumes ollowing: The evaluation o compression unction uses a single query E to compute (h, m). The length o m is an integer multiple o the E s block length n, i.e. b = rn where r 1. According to the second condition the compression unction is rate-r. Let 1 : V a V rn V n, 2 : V a V rn V k, and 3 : V a V rn V n V a be arbitrary unctions. The computation o the compression unction : Bloc(k, n) (V a V nr ) V a is deined as: unction E (h, m) : X 1 (h, m) K 2 (h, m) Y E(K, X) return 3 (h, m, Y ) When convenient we express m as a concatenation o n bit blocks. These r blocks are denoted by m (1),..., m (r). Our model o high-rate compression unction used in iterated hash is depicted in Fig. 1. m (1),..., m (r) h i 1 1 E 3 h i 2 key Fig. 1. Model o high-rate compression unction
5 The model is quite general it covers all compression unctions that takes r blocks o a message and process them using exactly one encryption transormation E. Notice that all rate-1 schemes rom [6] (we call them PGV) are special instances o the model. 3 An Upper Bound or the Rate o Compression Function In the ollowing theorem, we present an attack on collision resistance o compression unction. This attack works on any compression unction belonging to the model. As a by-product we obtain an upper bound or rate o any collision resistant compression unction. Theorem 2 (Upper bound or rate o a compression unction). Let E Bloc(n, k). Let 1 : V a V rn V n, 2 : V a V rn V k, and 3 : V a V rn V n V a be arbitrary unctions. Let : V a V rn V a be a compression unction deined as (h, m) = 3 (h, m, E 2 (h,m)( 1 (h, m))). Let r > 1+k/n. Then Adv comp (1) = 1. Proo. We describe an adversary A that asks exactly one oracle query. For any X V n, and K V k we denote by D X,K the set o all pairs (h, m) such that 1 (h, m) = X, and 2 (h, m) = K, i.e. D X,K = (X) 2 (K). Adversary A proceeds as ollows: 1. A inds such X V n, and K V k that D X,K is maximal. 2. A computes Y = E K (X). 3. A inds a collision in the set D X,K, i.e. (h, m), (h, m ) D X,K : (h, m) (h, m ) 3 (h, m, Y ) = 3 (h, m, Y ). One can easily check that (h, m) and (h, m ) orm a collision or compression unction : (h, m) = 3 (h, m, E 2 (h,m)( 1 (h, m))) = 3 (h, m, E K (X)) = = 3 (h, m, E K (X)) = 3 (h, m, E 2 (h,m )( 1 (h, m ))) = (h, m ) Now, we argue that A succeeds in the third step o the attack. First, we show that D X,K 2 a+n(r 1) k. Let us assume the opposite holds: D X,K < 2 a+n(r 1) k or all X V n, K V k. Then X V n, K V k D X,K < 2 n+k 2 a+n(r 1) k = 2 a+nr. On the other hand X V n, K V k D X,K = X V n (X) 2 (K) = 1 1 (X) = 2a+nr, K V k X V n a contradiction. Thus, the adversary selects X, K with D X,K 2 a+n(r 1) k in the irst step o the attack. Since the range o compression unction has 2 a
6 elements (the range is the same as the range o 3 ), the adversary succeeds in inding collision i D X,K > 2 a. The inequality is satisied i 2 a+n(r 1) k > 2 a, or equivalently r > 1 + k/n. Adversary A produces a collision in compression unction with probability 1 (assuming r > 1 + k/n). Moreover, the adversary asks exactly one oracle (E) query during the attack. Thus, Adv comp (1) = 1. Remark 3. Recall that the adversary was not computationally limited and the attack has exponential time complexity (more precisely, steps 1 and 3). The theorem gives an upper bound 1 + k/n or the rate o collision resistant compression unction. Compression unctions with higher rate cannot be collision resistant (at least compression unctions in our model). However, the theorem says nothing about collision resistance o compression unctions with rate r 1 + k/n. A natural question is whether this upper bound or collision resistant compression unctions can be achieved. A negative answer or a class o compression unctions is given in the ollowing section. 4 PGV-like Rate-2 Compression Functions The constructions o compression unctions rom block cipher oten assume equal key and block lengths [6], i.e. k = n. Then the upper bound rom Theorem 2 simpliies to r 2. Similarly, the output o compression unction has usually the same length as the block, i.e. a = n. Thus, we consider rate-2 compression unctions o the orm : V n V 2n V n. Preneel, Govaerts, and Vandewalle [6] studied rate-1 compression unctions. They considered all 64 compression unctions o the orm (h, m) = E a (b) c where a, b, c {h, m, h m, v} (v is a ixed constant). As showed in [2], 12 compression unction are collision resistant, and additional 8, though not collision resistant, orm collision resistant hash unctions. A natural extension o above constructions to the case o rate-2 compression unctions is the ollowing scheme: (h, (m (1), m (2) )) = E a (b) c, (1) where a, b, c {h, m (1), m (2), h m (1), h m (2), m (1) m (2), h m (1) m (2), v}. This way we obtain 512 compression unctions. Remark 4. Notice that the compression unctions instantiated in the scheme all in our model 1 (h, m) = b, 2 (h, m) = a, and 3 (h, m, Y ) = Y c. We show that no compression unction o the orm (1) is collision resistant (or any unction there exists an adversary that inds a collision and asks at most two queries). We partition these unctions into distinct classes according attacks that ind (at least one) collision. Summary o the classes is given in Table 1. For each class the table shows the number o compression unctions in the class, and the number o oracle queries needed in collision inding attack.
7 Table 1. Collision classes o rate-2 compression unctions class unctions queries 1 Superluous Variables Balanced Combinations Compensations Hard Core 60 2, 0 Remark 5. There are compression unctions that are vulnerable to multiple attacks using e.g. superluous variables or balanced combinations. In such situation we assign particular unction to the class with lowest number. 4.1 Class 1 Superluous Variables First class contains all those compression unctions that do not depend on all input vectors, i.e. at least one o h, m (1), m (2) is not required or computing the unction. Examples o such compression unctions are E h (h m (1) ) h, E m (2)(v) m (1) m (2), or E v (h m (2) ) h m (2). Trivially, one can ind many collisions in compression unctions rom this class. It suices to vary the superluous variable. Moreover, no oracle queries are needed to produce collisions. 4.2 Class 2 Balanced Combinations Our second class consists o those compression unctions that are not in class 1, and have a balanced combination o two input vectors. Let x 1, x 2 {h, m (1), m (2) } be two distinct input vectors, i.e. x 1 x 2. We call a combination x 1 x 2 balanced in compression unction, i every occurrence o x 1 in s parameters a, b or c implies x 2 occurrence in the same parameters (and vice versa). Examples o compression unctions in this class are: E h m (1) m (2)(m(1) m (2) ) v, E m (2)(h m (1) ) h m (1), E h m (2)(h m (1) m (2) ) h m (1) m (2). It can be easily seen that collisions can be ind without any oracle queries. Balanced combination x 1 x 2 allows choosing 2 n values pairs (x 1, x 2 ) without changing parameters a, b, and c. Hence, the value o does not change either. 4.3 Class 3 Compensations Third class o compression unctions contains those unctions (not in classes 1 and 2) that have some input vector solely in either parameter b or parameter c.
8 Let x {h, m (1), m (2) } be such input vector. Let x appears only in s parameter b, i.e. input o block cipher transormation. An adversary can ind collision in the ollowing way. He sets the output o to some ixed value z. Similarly he sets the values o all input vectors except x randomly. Using a query to E 1 oracle the adversary can compute suitable x value. Repeating this procedure or dierent random choice o input vectors values and the same ixed z, the adversary obtains a collision or. The situation or x appearing solely in parameter c is treated analogously. Examples o compression unctions in this class are: E m (2)(m (1) ) h m (2), E m (1)(m (2) ) h m (1) m (2), E h m (1)(m (1) m (2) ) v. 4.4 Class 4 Hard Core There are 60 compression unctions let ater sorting the unctions into classes 1, 2, and 3. Let us denote this set C. We call two unctions 1, 2 permutationequivalent, i 1 can be obtained rom 2 by some permutation o its inputs. It can be easily observed that Adv comp 1 (q) = Adv comp 2 (q) or any permutationequivalent compression unctions 1, 2, and any q 0. Thereore the set C can be partitioned to equivalence classes. Since every equivalence class has 6 members, it suices to analyze the collision resistance o any 10 permutationnonequivalent compression unctions (each one drawn rom dierent equivalence class). One selection o these 10 unctions is shown in Table 2. Table 2. Permutation-nonequivalent compression unctions o hard core class i a b c 1 m (1) m (2) h h m (2) 2 m (1) m (2) h m (2) h 3 m (1) m (2) h m (2) h m (2) 4 m (1) m (2) h m (2) h m (1) 5 m (1) m (2) h m (2) h m (1) m (2) 6 m (1) m (2) h m (1) m (2) h m (2) 7 h m (1) m (2) m (2) m (1) 8 h m (1) m (2) m (2) m (1) m (2) 9 h m (1) m (2) m (1) m (2) m (2) 10 h m (1) m (2) m (1) m (2) h m (2) Now we show collisions in all 10 permutation-nonequivalent compression unctions. Hence, all 60 unctions rom set C are not collision resistant. We
9 reer compression unctions rom Table 2 as 1,..., 10. For brevity, let 0 (1) be all-zero (all-one) vector in V n, respectively. Let A be ollowing collision inding adversary: 1. A sets (h, m (1), m (2) ) = (0, 0, 0), i.e. i (h, m (1), m (2) ) = E 0 (0). 2. A asks two oracle queries and computes x = E 0 (0) E 1 (0). 3. A solves ollowing equations (a, b, c denote corresponding linear combinations o h, m (1), m (2) or compression unction i ): a = 1 b = 0 c = x For any solution (h, m (1), m (2) ) we have i (h, m (1), m (2) ) = E a (b ) c = E 1 (0) E 0 (0) E 1 (0) = E 0 (0). Hence any solution dierent rom (0, 0, 0) yields a collision. Let us illustrate adversary s computation on 1. Adversary A solves ollowing equations in step 3: m (1) m (2) = 1 h = 0 h m (2) = x Solution is (h, m (1), m (2) ) = (0, 1 x, x) (0, 0, 0), and A obtains a collision. Adversary A can successully ind collisions or all unctions 1,..., 10, see Table 3, except or 3 and 4 due to the linear dependence o a, b, and c. We produce collisions or these unctions separately (moreover, no oracle queries are needed). It can be easily veriied that 3 (0, 0, 0) = 3 (1, 1, 1), and 4 (0, 0, 0) = 4 (1, 1, 1). Summarizing attacks rom this section we obtain ollowing theorem: Theorem 3. Let E Bloc(n, k). Let : V n V 2n V n be a compression unction deined as (h, (m (1), m (2) )) = E a (b) c, where a, b, c {h, m (1), m (2), h m (1), h m (2), m (1) m (2), h m (1) m (2), v}. Then Adv comp (2) = 1. Remark 6. The attacks presented in this section do not use the ull strength o black-box model a computationally unbounded adversary. These attacks require just polynomially bounded adversary asking constant number oracle queries. 5 Conclusion Many interesting questions arise rom the results presented in the paper. We state two most prominent ones as open problems: 1. Are there any collision resistant compression unctions with rate > 1?
10 Table 3. Collisions or (0, 0, 0) produced by adversary A i h m (1) m (2) x x 2 x 1 x x x x 1 x 6 1 x 1 x 7 1 x x x x x x x 1 x 2. Collision resistance o compression unction is suicient, but not necessary condition or collision resistance o iterated hash [2]. Are there any PGV-like rate-2 compression unctions that result in collision resistant iterated hash unction? Reerences 1. Black, J., Cochran, M., Shrimpton, T.: On the Impossibility o Highly-Eicient Blockcipher-Based Hash Functions, In Advances in Cryptology Eurocrypt 05, LNCS 3494, Springer-Verlag, Black, J., Rogaway, P., Shrimpton, T.: Black-box analysis o the block-cipher-based hash-unction constructions rom PGV, In Advances in Cryptology CRYPTO 02, LNCS 2442, Springer-Verlag, Damgård, I.: A design principle or hash unctions, In Advances in Cryptology CRYPTO 89, LNCS 435, Springer-Verlag, Handschuh, H., Knudsen, L., Robshaw, M.: Analysis o SHA-1 in encryption mode, In Advances in Cryptology CT-RSA 01, LNCS 2020, Springer-Verlag, Merkle, R.: One way hash unctions and DES, In Advances in Cryptology CRYPTO 89, LNCS 435, Springer-Verlag, Preneel, B., Govaerts, R., Vandewalle, J.: Hash unctions based on block ciphers: A synthetic approach, In Advances in Cryptology CRYPTO 93, LNCS 773, Springer-Verlag, 1994.
Provably Secure Double-Block-Length Hash Functions in a Black-Box Model
Provably Secure Double-Block-ength Hash Functions in a Black-Box Model Shoichi Hirose Graduate School o Inormatics, Kyoto niversity, Kyoto 606-8501 Japan hirose@i.kyoto-u.ac.jp Abstract. In CRYPTO 89,
More informationThe Security of Abreast-DM in the Ideal Cipher Model
The Security of breast-dm in the Ideal Cipher Model Jooyoung Lee, Daesung Kwon The ttached Institute of Electronics and Telecommunications Research Institute Yuseong-gu, Daejeon, Korea 305-390 jlee05@ensec.re.kr,ds
More informationCryptanalysis of Tweaked Versions of SMASH and Reparation
Cryptanalysis of Tweaked Versions of SMASH and Reparation Pierre-Alain Fouque, Jacques Stern, and Sébastien Zimmer CNRS-École normale supérieure-inria Paris, France {Pierre-Alain.Fouque,Jacques.Stern,Sebastien.Zimmer}@ens.fr
More informationGeneral Distinguishing Attacks on NMAC and HMAC with Birthday Attack Complexity
General Distinguishing Attacks on MAC and HMAC with Birthday Attack Complexity Donghoon Chang 1 and Mridul andi 2 1 Center or Inormation Security Technologies(CIST), Korea University, Korea dhchang@cist.korea.ac.kr
More informationProvable Seconde Preimage Resistance Revisited
Provable Seconde Preimage Resistance Revisited Charles Bouillaguet 1 Bastien Vayssiere 2 1 LIFL University o Lille, France 2 PRISM University o Versailles, France SAC 2013 1 / 29 Cryptographic Hash Functions
More informationSecurity of Permutation-based Compression Function lp231
Security of Permutation-based Compression Function lp231 Jooyoung Lee 1 and Daesung Kwon 2 1 Sejong University, Seoul, Korea, jlee05@sejong.ac.kr 2 The Attached Institute of Electronics and Telecommunications
More informationA Generalization of PGV-Hash Functions and Security Analysis in Black-Box Model
A Generalization of PGV-Hash Functions and Security Analysis in Black-Box Model Wonil Lee 1, Mridul Nandi 2, Palash Sarkar 2, Donghoon Chang 1, Sangjin Lee 1, and Kouichi Sakurai 3 1 Center for Information
More informationProvable Security in Symmetric Key Cryptography
Provable Security in Symmetric Key Cryptography Jooyoung Lee Faculty of Mathematics and Statistics, Sejong University July 5, 2012 Outline 1. Security Proof of Blockcipher-based Hash Functions K i E X
More informationA new Design Criteria for Hash-Functions
A new Design Criteria or Hash-Functions Jean-Sébastien Coron 1, Yevgeniy Dodis 2, Cécile Malinaud 3, and Prashant Puniya 2 1 University o Luxembourg, coron@clipper.ens.r 2 New-York University, {dodis,puniya}@cs.nyu.edu
More informationAn introduction to Hash functions
An introduction to Hash functions Anna Rimoldi eriscs - Universitée de la Méditerranée, Marseille Secondo Workshop di Crittografia BunnyTN 2011 A. Rimoldi (eriscs) Hash function 12 September 2011 1 / 27
More informationImproved Collision and Preimage Resistance Bounds on PGV Schemes
Improved Collision and Preimage Resistance Bounds on PGV Schemes Lei Duo 1 and Chao Li 1 Department of Science, National University of Defense Technology, Changsha, China Duoduolei@gmail.com Department
More informationThe Ideal-Cipher Model, Revisited: An Uninstantiable Blockcipher-Based Hash Function
The Ideal-Cipher Model, Revisited: An Uninstantiable Blockcipher-Based Hash Function J. Black July 1, 2005 Abstract The Ideal-Cipher Model of a blockcipher is a well-known and widely-used model dating
More informationProvable Security of Cryptographic Hash Functions
Provable Security of Cryptographic Hash Functions Mohammad Reza Reyhanitabar Centre for Computer and Information Security Research University of Wollongong Australia Outline Introduction Security Properties
More informationBlack-Box Analysis of the Block-Cipher-Based Hash-Function Constructions from PGV
Black-Box Analysis of the Block-Cipher-Based Hash-Function Constructions from PGV J. Black P. Rogaway T. Shrimpton May 31, 2002 Abstract Preneel, Govaerts, and Vandewalle [7] considered the 64 most basic
More informationSome Plausible Constructions of Double-Block-Length Hash Functions
Some Plausible Constructions of Double-Block-Length Hash Functions Shoichi Hirose Faculty of Engineering, The University of Fukui, Fukui 910-8507 Japan hirose@fuee.fukui-u.ac.jp Abstract. In this article,
More informationIndifferentiable Security Analysis of Popular Hash Functions with Prefix-free Padding
Indifferentiable Security Analysis of Popular Hash Functions with Prefix-free Padding Donghoon Chang 1, Sangjin Lee 1, Mridul Nandi 2, and Moti Yung 3 1 Center for Information Security Technologies(CIST),
More informationIndifferentiable Security Analysis of Popular Hash Functions with Prefix-free Padding
Indifferentiable Security Analysis of Popular Hash Functions with Prefix-free Padding Donghoon Chang 1, Sangjin Lee 1, Mridul Nandi 2, and Moti Yung 3 1 Center for Information Security Technologies(CIST),
More informationCryptanalysis of the GOST Hash Function
Cryptanalysis o the GOST Hash Function Florian Mendel 1, Norbert Pramstaller 1, Christian Rechberger 1, Marcin Kontak 2, and Janusz Szmidt 2 1 Institute or Applied Inormation Processing and Communications
More informationSPCS Cryptography Homework 13
1 1.1 PRP For this homework, use the ollowing PRP: E(k, m) : {0, 1} 3 {0, 1} 3 {0, 1} 3 000 001 010 011 100 101 110 111 m 000 011 001 111 010 000 101 110 100 001 101 110 010 000 111 100 001 011 010 001
More informationLecture 14: Cryptographic Hash Functions
CSE 599b: Cryptography (Winter 2006) Lecture 14: Cryptographic Hash Functions 17 February 2006 Lecturer: Paul Beame Scribe: Paul Beame 1 Hash Function Properties A hash function family H = {H K } K K is
More informationNew Results on Boomerang and Rectangle Attacks
New Results on Boomerang and Rectangle Attacks Eli Biham, 1 Orr Dunkelman, 1 Nathan Keller 2 1 Computer Science Department, Technion. Haia 32000, Israel {biham,orrd}@cs.technion.ac.il 2 Mathematics Department,
More informationNew Preimage Attack on MDC-4
New Preimage Attack on MDC-4 Deukjo Hong and Daesung Kwon Abstract In this paper, we provide some cryptanalytic results for double-blocklength (DBL) hash modes of block ciphers, MDC-4. Our preimage attacks
More informationA Composition Theorem for Universal One-Way Hash Functions
A Composition Theorem for Universal One-Way Hash Functions Victor Shoup IBM Zurich Research Lab, Säumerstr. 4, 8803 Rüschlikon, Switzerland sho@zurich.ibm.com Abstract. In this paper we present a new scheme
More informationHigher Order Universal One-Way Hash Functions
Higher Order Universal One-Way Hash Functions Deukjo Hong 1, Bart Preneel 2, and Sangjin Lee 1 1 Center for Information Security Technologies(CIST), Korea University, Seoul, Korea {hongdj,sangjin}@cist.korea.ac.kr
More informationOn Security Arguments of the Second Round SHA-3 Candidates
On Security Arguments o the Second Round SA-3 Candidates Elena Andreeva Andrey Bogdanov Bart Mennink Bart Preneel Christian Rechberger March 19, 2012 Abstract In 2007, the US National Institute or Standards
More informationImproved characteristics for differential cryptanalysis of hash functions based on block ciphers
1 Improved characteristics for differential cryptanalysis of hash functions based on block ciphers Vincent Rijmen Bart Preneel Katholieke Universiteit Leuven ESAT-COSIC K. Mercierlaan 94, B-3001 Heverlee,
More informationDesign Paradigms for Building Multi-Property Hash Functions
Design Paradigms or Building Multi-Property Hash Functions Thomas Ristenpart UCSD Security and Cryptography Lab Lorentz Workshop June, 2008 Multi-property hash unctions One hash unction with many security
More informationECS 189A Final Cryptography Spring 2011
ECS 127: Cryptography Handout F UC Davis Phillip Rogaway June 9, 2011 ECS 189A Final Cryptography Spring 2011 Hints for success: Good luck on the exam. I don t think it s all that hard (I do believe I
More informationREU 2015: Complexity Across Disciplines. Introduction to Cryptography
REU 2015: Complexity Across Disciplines Introduction to Cryptography Symmetric Key Cryptosystems Iterated Block Ciphers Definition Let KS : K K s be a function that produces a set of subkeys k i K, 1 i
More informationBenes and Butterfly schemes revisited
Benes and Butterfly schemes revisited Jacques Patarin, Audrey Montreuil Université de Versailles 45 avenue des Etats-Unis 78035 Versailles Cedex - France Abstract In [1], W. Aiello and R. Venkatesan have
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 16 October 30, 2017 CPSC 467, Lecture 16 1/52 Properties of Hash Functions Hash functions do not always look random Relations among
More informationLecture 1. Crypto Background
Lecture 1 Crypto Background This lecture Crypto background hash functions random oracle model digital signatures and applications Cryptographic Hash Functions Hash function takes a string of arbitrary
More informationOptimal Collision Security in Double Block Length Hashing with Single Length Key
Optimal Collision Security in Double Block Length Hashing with Single Length Key Bart Mennink Dept. Electrical Engineering, EST/COSIC, KU Leuven, and IBBT, Belgium bart.mennink@esat.kuleuven.be bstract.
More informationConstrained Keys for Invertible Pseudorandom Functions
Constrained Keys or Invertible Pseudorandom Functions Dan Boneh, Sam Kim, and David J. Wu Stanord University {dabo,skim13,dwu4}@cs.stanord.edu Abstract A constrained pseudorandom unction (PRF) is a secure
More informationCryptanalysis of a Message Authentication Code due to Cary and Venkatesan
Cryptanalysis of a Message Authentication Code due to Cary and Venkatesan Simon R. Blackburn and Kenneth G. Paterson Department of Mathematics Royal Holloway, University of London Egham, Surrey, TW20 0EX,
More informationLimits on the Efficiency of One-Way Permutation-Based Hash Functions
Limits on the Efficiency of One-Way Permutation-Based Hash Functions Jeong Han Kim Daniel R. Simon Prasad Tetali Abstract Naor and Yung show that a one-bit-compressing universal one-way hash function (UOWHF)
More informationSecure and Practical Identity-Based Encryption
Secure and Practical Identity-Based Encryption David Naccache Groupe de Cyptographie, Deṕartement d Informatique École Normale Supérieure 45 rue d Ulm, 75005 Paris, France david.nacache@ens.fr Abstract.
More informationAvoiding collisions Cryptographic hash functions. Table of contents
Avoiding collisions Cryptographic hash functions Foundations of Cryptography Computer Science Department Wellesley College Fall 2016 Table of contents Introduction Davies-Meyer Hashes in Practice Hash
More informationNotes for Lecture 9. 1 Combining Encryption and Authentication
U.C. Berkeley CS276: Cryptography Handout N9 Luca Trevisan February 17, 2009 Notes for Lecture 9 Notes scribed by Joel Weinberger, posted March 1, 2009 Summary Last time, we showed that combining a CPA-secure
More informationSecurity Reductions of the Second Round SHA-3 Candidates
Security Reductions o the Second Round SHA-3 Candidates Elena Andreeva, Bart Mennink and Bart Preneel Dept. Electrical Engineering, ESAT/COSIC and IBBT Katholieke Universiteit Leuven, Belgium {elena.andreeva,
More informationA Domain Extender for the Ideal Cipher
A Domain Extender for the Ideal Cipher Jean-Sébastien Coron 2, Yevgeniy Dodis 1, Avradip Mandal 2, and Yannick Seurin 3,4 1 New York University 2 University of Luxembourg 3 University of Versailles 4 Orange
More informationLecture 18: Message Authentication Codes & Digital Signa
Lecture 18: Message Authentication Codes & Digital Signatures MACs and Signatures Both are used to assert that a message has indeed been generated by a party MAC is the private-key version and Signatures
More informationThe Random Oracle Model and the Ideal Cipher Model are Equivalent
The Random Oracle Model and the Ideal Cipher Model are Equivalent Jean-ébastien Coron 1, Jacques Patarin 2, and Yannick eurin 2,3 (1) Univ. Luxembourg, (2) Univ. Versailles, (3)Orange Labs éminaire EN
More informationMerkle-Damgård Revisited : how to Construct a Hash Function
Merkle-Damgård Revisited : how to Construct a Hash Function Jean-Sébastien Coron 1, Yevgeniy Dodis 2, Cécile Malinaud 3, and Prashant Puniya 2 1 University of Luxembourg coron@clipper.ens.fr 2 New-York
More informationThe Random Oracle Model and the Ideal Cipher Model are Equivalent
The Random Oracle Model and the Ideal Cipher Model are Equivalent Jean-Sébastien Coron 1, Jacques Patarin 2, and Yannick Seurin 2,3 1 University of Luxembourg 2 University of Versailles 3 Orange Labs Abstract.
More informationThe Impact of Carries on the Complexity of Collision Attacks on SHA-1
The Impact o Carries on the Complexity o Collision Attacks on SHA-1 Florian Mendel, Norbert Pramstaller, Christian Rechberger and Vincent Rijmen Norbert.Pramstaller@iaik.tugraz.at Institute or Applied
More informationAttacks on hash functions. Birthday attacks and Multicollisions
Attacks on hash functions Birthday attacks and Multicollisions Birthday Attack Basics In a group of 23 people, the probability that there are at least two persons on the same day in the same month is greater
More informationConstruction of universal one-way hash functions: Tree hashing revisited
Discrete Applied Mathematics 155 (2007) 2174 2180 www.elsevier.com/locate/dam Note Construction of universal one-way hash functions: Tree hashing revisited Palash Sarkar Applied Statistics Unit, Indian
More informationFrom Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited
From Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited Julien Cathalo 1, Jean-Sébastien Coron 2, and David Naccache 2,3 1 UCL Crypto Group Place du Levant 3, Louvain-la-Neuve, B-1348, Belgium
More informationNew Proofs for NMAC and HMAC: Security without Collision-Resistance
A preliminary version of this paper appears in Advances in Cryptology CRYPTO 06, Lecture Notes in Computer Science Vol. 4117, C. Dwork ed., Springer-Verlag, 2006. This is the full version. New Proofs for
More informationQuantum Chosen-Ciphertext Attacks against Feistel Ciphers
Quantum Chosen-Ciphertext Attacks against eistel Ciphers Gembu Ito 1, Akinori Hosoyamada 1,2, Ryutaroh Matsumoto 1,3, Yu Sasaki 2, and Tetsu Iwata 1 1 Nagoya University, Nagoya, Japan g itou@echo.nuee.nagoya-u.ac.jp,
More informationCryptographic Hash Functions Part II
Cryptographic Hash Functions Part II Cryptography 1 Andreas Hülsing, TU/e Some slides by Sebastiaan de Hoogh, TU/e Hash function design Create fixed input size building block Use building block to build
More informationKey words: collision resistance, cryptographic hash functions, preimage resistance, provable security, second-preimage resistance.
Cryptographic ash-function Basics: Definitions, Implications, and Separations for Preimage Resistance, Second-Preimage Resistance, and Collision Resistance Phillip Rogaway 1 and Thomas Shrimpton 2 1 Dept.
More information1 Cryptographic hash functions
CSCI 5440: Cryptography Lecture 6 The Chinese University of Hong Kong 23 February 2011 1 Cryptographic hash functions Last time we saw a construction of message authentication codes (MACs) for fixed-length
More informationHash Functions. Ali El Kaafarani. Mathematical Institute Oxford University. 1 of 34
Hash Functions Ali El Kaafarani Mathematical Institute Oxford University 1 of 34 Outline 1 Definition and Notions of Security 2 The Merkle-damgård Transform 3 MAC using Hash Functions 4 Cryptanalysis:
More informationCryptographic Hash Functions
Cryptographic Hash Functions Çetin Kaya Koç koc@ece.orst.edu Electrical & Computer Engineering Oregon State University Corvallis, Oregon 97331 Technical Report December 9, 2002 Version 1.5 1 1 Introduction
More informationFoundations of Network and Computer Security
Foundations of Network and Computer Security John Black Lecture #5 Sep 7 th 2004 CSCI 6268/TLEN 5831, Fall 2004 Announcements Please sign up for class mailing list by end of today Quiz #1 will be on Thursday,
More informationSecurity without Collision-Resistance
A preliminary version of this paper appears in Advances in Cryptology CRYPTO 06, Lecture Notes in Computer Science Vol. 4117, C. Dwork ed., Springer-Verlag, 2006. This is the full version. New Proofs for
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 15 October 20, 2014 CPSC 467, Lecture 15 1/37 Common Hash Functions SHA-2 MD5 Birthday Attack on Hash Functions Constructing New
More informationFoundations of Network and Computer Security
Foundations of Network and Computer Security John Black Lecture #6 Sep 8 th 2005 CSCI 6268/TLEN 5831, Fall 2005 Announcements Quiz #1 later today Still some have not signed up for class mailing list Perhaps
More informationOn the Security of Hash Functions Employing Blockcipher Post-processing
On the Security of Hash Functions Employing Blockcipher Post-processing Donghoon Chang 1, Mridul Nandi 2, Moti Yung 3 1 National Institute of Standards and Technology (NIST), USA 2 C R Rao AIMSCS, Hyderabad,
More informationNew Attacks against Standardized MACs
New Attacks against Standardized MACs Antoine Joux 1, Guillaume Poupard 1, and Jacques Stern 2 1 DCSSI Crypto Lab 51 Boulevard de La Tour-Maubourg 75700 Paris 07 SP, France {Antoine.Joux,Guillaume.Poupard}@m4x.org
More informationSecurity Reductions of the Second Round SHA-3 Candidates
Security Reductions o the Second Round SA-3 Candidates Elena Andreeva, Bart Mennink and Bart Preneel Dept. Electrical Engineering, ESAT/COSIC and IBBT Katholieke Universiteit Leuven, Belgium {elena.andreeva,
More informationSecond Preimages for Iterated Hash Functions and their Implications on MACs
Second Preimages for Iterated Hash Functions and their Implications on MACs Mario Lamberger, Norbert Pramstaller, and Vincent Rijmen Institute for Applied Information Processing and Communications (IAIK)
More informationAdaptive Preimage Resistance and Permutation-based Hash Functions
daptive Preimage Resistance and Permutation-based ash Functions Jooyoung Lee, Je ong Park The ttached Institute of Electronics and Telecommunications Research Institute Yuseong-gu, Daejeon, Korea 305-390
More information1 Cryptographic hash functions
CSCI 5440: Cryptography Lecture 6 The Chinese University of Hong Kong 24 October 2012 1 Cryptographic hash functions Last time we saw a construction of message authentication codes (MACs) for fixed-length
More informationBetter Than Advertised: Improved Collision-Resistance Guarantees for MD-Based Hash Functions
Better Than Advertised: Improved Collision-Resistance Guarantees or MD-Based Hash Functions Mihir Bellare University o Caliornia San Diego La Jolla, Caliornia mihir@eng.ucsd.edu Joseph Jaeger University
More informationAvoiding collisions Cryptographic hash functions. Table of contents
Avoiding collisions Cryptographic hash functions Foundations of Cryptography Computer Science Department Wellesley College Fall 2016 Table of contents Introduction Collision resistance Birthday attacks
More informationAuthentication. Chapter Message Authentication
Chapter 5 Authentication 5.1 Message Authentication Suppose Bob receives a message addressed from Alice. How does Bob ensure that the message received is the same as the message sent by Alice? For example,
More informationFrom Fixed-Length Messages to Arbitrary-Length Messages Practical RSA Signature Padding Schemes
From Fixed-Length Messages to Arbitrary-Length Messages Practical RSA Signature Padding Schemes [Published in D. Naccache, Ed., Topics in Cryptology CT-RSA 2001, vol. 2020 of Lecture Notes in Computer
More informationLecture 16 Chiu Yuen Koo Nikolai Yakovenko. 1 Digital Signature Schemes. CMSC 858K Advanced Topics in Cryptography March 18, 2004
CMSC 858K Advanced Topics in Cryptography March 18, 2004 Lecturer: Jonathan Katz Lecture 16 Scribe(s): Chiu Yuen Koo Nikolai Yakovenko Jeffrey Blank 1 Digital Signature Schemes In this lecture, we introduce
More informationMJH: A Faster Alternative to MDC-2
MJH: A Faster Alternative to MDC-2 Jooyoung Lee 1 and Martijn Stam 2 1 Sejong University, Seoul, Korea, jlee05@sejongackr 2 University of Bristol, Bristol, United Kingdom, martijnstam@bristolacuk Abstract
More informationProblem Set. Problems on Unordered Summation. Math 5323, Fall Februray 15, 2001 ANSWERS
Problem Set Problems on Unordered Summation Math 5323, Fall 2001 Februray 15, 2001 ANSWERS i 1 Unordered Sums o Real Terms In calculus and real analysis, one deines the convergence o an ininite series
More informationSMASH - A Cryptographic Hash Function
SMASH - A Cryptographic Hash Function Lars R. Knudsen Department of Mathematics, Technical University of Denmark Abstract. 1 This paper presents a new hash function design, which is different from the
More informationOn the Collision and Preimage Security of MDC-4 in the Ideal Cipher Model
On the ollision and Preimage Security o in the Ideal ipher Model art Mennink Dept. Electrical Engineering, EST/OSI and IT Katholieke Universiteit Leuven, elgium bart.mennink@esat.kuleuven.be bstract. We
More informationCS 361 Meeting 28 11/14/18
CS 361 Meeting 28 11/14/18 Announcements 1. Homework 9 due Friday Computation Histories 1. Some very interesting proos o undecidability rely on the technique o constructing a language that describes the
More informationEME : extending EME to handle arbitrary-length messages with associated data
EME : extending EME to handle arbitrary-length messages with associated data (Preliminiary Draft) Shai Halevi May 18, 2004 Abstract We describe a mode of oepration EME that turns a regular block cipher
More informationKnown and Chosen Key Differential Distinguishers for Block Ciphers
1/19 Known and Chosen Key Differential Distinguishers for Block Ciphers Josef Pieprzyk joint work with Ivica Nikolić, Przemys law Soko lowski, and Ron Steinfeld ASK 2011, August 29-31, 2011 2/19 Outline
More informationCryptographical Security in the Quantum Random Oracle Model
Cryptographical Security in the Quantum Random Oracle Model Center for Advanced Security Research Darmstadt (CASED) - TU Darmstadt, Germany June, 21st, 2012 This work is licensed under a Creative Commons
More informationDistinguishing Attacks on MAC/HMAC Based on A New Dedicated Compression Function Framework
Distinguishing Attacks on MAC/HMAC Based on A New Dedicated Compression Function Framework Zheng Yuan 1,2,3, Haixia Liu 1, Xiaoqiu Ren 1 1 Beijing Electronic Science and Technology Institute, Beijing 100070,China
More informationBuilding a Collision-Resistant Compression Function from Non-Compressing Primitives
Building a Collision-Resistant Compression Function from Non-Compressing Primitives Thomas Shrimpton 1 and Martijn Stam 2 1 University of Lugano and Portland State University thomas.shrimpton@unisi.ch
More informationSMASH - A Cryptographic Hash Function
SMASH - A Cryptographic Hash Function Lars R. Knudsen Department of Mathematics, Technical University of Denmark Abstract. 1 This paper presents a new hash function design, which is different from the
More informationOutline. Provable Security in the Computational Model. III Signatures. Public-Key Encryption. Outline. David Pointcheval.
Provable Security in the Computational Model III Signatures David Pointcheval Ecole normale supérieure, CNRS & INRI Public-Key Encryption Signatures 2 dvanced Security for Signature dvanced Security Notions
More informationREU 2015: Complexity Across Disciplines. Introduction to Cryptography
REU 2015: Complexity Across Disciplines Introduction to Cryptography Iterated Block Ciphers Definition Let KS : K K s be a function that produces a set of subkeys k i K, 1 i s from any key k K. A block
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2017 Authenticated Encryption Syntax Syntax: Enc: K M à C Dec: K C à M { } Correctness: For all k K, m M, Dec(k, Enc(k,m) ) = m Unforgeability
More informationTheImpactofCarriesontheComplexityof Collision Attacks on SHA-1
TheImpactoCarriesontheComplexityo Collision Attacks on SHA-1 Florian Mendel, Norbert Pramstaller, Christian Rechberger, and Vincent Rijmen Institute or Applied Inormation Processing and Communications
More information2 n 2 n 2 n/2. Bart Preneel Generic Constructions for Iterated Hash Functions. Generic Constructions for Iterated Hash Functions.
or Iterated Hash Functions or Iterated Hash Functions COSIC Kath. Univ. Leuven, Belgium & ABT Crypto bart.preneel(at)esat.kuleuven.be April 2007 Outline deinitions applications generic attacks attacks
More informationStrongly Unforgeable Signatures Based on Computational Diffie-Hellman
Strongly Unforgeable Signatures Based on Computational Diffie-Hellman Dan Boneh 1, Emily Shen 1, and Brent Waters 2 1 Computer Science Department, Stanford University, Stanford, CA {dabo,emily}@cs.stanford.edu
More informationAdaptive Preimage Resistance Analysis Revisited: Requirements, Subtleties and Implications
Adaptive Preimage Resistance Analysis Revisited: Requirements, Subtleties and Implications Donghoon Chang 1 and Moti Yung 2 1 The Computer Security Division, National Institute of Standards and Technology,
More informationENEE 459-C Computer Security. Message authentication (continue from previous lecture)
ENEE 459-C Computer Security Message authentication (continue from previous lecture) Last lecture Hash function Cryptographic hash function Message authentication with hash function (attack?) with cryptographic
More informationDomain Extender for Collision Resistant Hash Functions: Improving Upon Merkle-Damgård Iteration
Domain Extender for Collision Resistant Hash Functions: Improving Upon Merkle-Damgård Iteration Palash Sarkar Cryptology Research Group Applied Statistics Unit Indian Statistical Institute 203, B.T. Road,
More informationTransitive Signatures Based on Non-adaptive Standard Signatures
Transitive Signatures Based on Non-adaptive Standard Signatures Zhou Sujing Nanyang Technological University, Singapore, zhousujing@pmail.ntu.edu.sg Abstract. Transitive signature, motivated by signing
More informationHow (not) to efficiently dither blockcipher-based hash functions?
How (not) to efficiently dither blockcipher-based hash functions? Jean-Philippe Aumasson, Raphael C.-W. Phan FHNW, Switzerland Loughborough University, UK 1 / 29 CONTENT OF THE TALK Dithered hashing Blockcipher-based
More informationAnalysis of SHA-1 in Encryption Mode
Analysis of SHA- in Encryption Mode [Published in D. Naccache, Ed., Topics in Cryptology CT-RSA 00, vol. 00 of Lecture Notes in Computer Science, pp. 70 83, Springer-Verlag, 00.] Helena Handschuh, Lars
More information5199/IOC5063 Theory of Cryptology, 2014 Fall
5199/IOC5063 Theory of Cryptology, 2014 Fall Homework 2 Reference Solution 1. This is about the RSA common modulus problem. Consider that two users A and B use the same modulus n = 146171 for the RSA encryption.
More informationBlock Ciphers/Pseudorandom Permutations
Block Ciphers/Pseudorandom Permutations Definition: Pseudorandom Permutation is exactly the same as a Pseudorandom Function, except for every key k, F k must be a permutation and it must be indistinguishable
More informationCrypto Engineering (GBX9SY03) Hash functions
Crypto Engineering (GBX9SY03) Hash functions Pierre Karpman pierre.karpman@univ-grenoble-alpes.fr https://www-ljk.imag.fr/membres/pierre.karpman/tea.html 2017 10 18 Hash functions 2017 10 18 1/32 First
More informationDesign of Iteration on Hash Functions and its Cryptanalysis
Design of Iteration on Hash Functions and its Cryptanalysis MRIDUL NANDI Applied Statistics Unit Indian Statistical Institute Kolkata - 700108 India. 1 Design of Iteration on Hash Functions and its Cryptanalysis
More informationMESSAGE AUTHENTICATION CODES and PRF DOMAIN EXTENSION. Mihir Bellare UCSD 1
MESSAGE AUTHENTICATION CODES and PRF DOMAIN EXTENSION Mihir Bellare UCSD 1 Integrity and authenticity The goal is to ensure that M really originates with Alice and not someone else M has not been modified
More informationProvable Chosen-Target-Forced-Midx Preimage Resistance
Provable Chosen-Target-Forced-Midx Preimage Resistance Elena Andreeva and Bart Mennink (K.U.Leuven) Selected Areas in Cryptography Toronto, Canada August 11, 2011 1 / 15 Introduction Hash Functions 2 /
More information