Article

How to swindle Rabin


Abstract

A computational short-cut is shown which can compromise the security of Rabin's digital signature system.


... We encrypted 2^23 plaintext blocks generated uniformly at random using an arbitrary key and observed the output carry (c_out) generated at the end of each encryption. Using Algorithm 12, we set k_21(i) as 0, where 15 ≥ i ≥ 0, if B_i was lying within the confidence interval of β_i, or 1 otherwise. This process was repeated 2 × 10^4 times. ...
... Instead of performing an exhaustive search over the entire space, our search is limited ... Footnote 5: Since x and y are independent and distributed uniformly at random, y′_u ∥ x′_l and x′, which constitute the chosen x's, are also uniformly distributed. The definitions of y′_u, x′_l and x′ are given in Algorithm 15. Footnote 6: Success probability := 1/4 · 1 + 3/4 · 2/3 = 0.75. ...
... ν_{j+1} = LFΓ(ν_j ⊕ C_j), for j = 0, 1, ..., 12, and constants C_j. (5.6) ...
Thesis
Full-text available
This thesis is devoted to the security analysis of some popular symmetric-key cryptographic algorithms --- including lightweight constructions --- and their software implementations. It begins with a review of the related-key distinguishing attacks on the stream ciphers Py, Pypy, TPy, TPypy, RCR-64 and RCR-32 proposed in a paper published in the Journal of Universal Computer Science. We show that the computations that led to the alleged attacks are flawed and establish the non-existence of the keystream biases detected in the Py family of stream ciphers. Following this, we present distinguishing attacks on the Welch-Gong family of stream ciphers which includes two subfamilies of patented (ultra-)lightweight ciphers. Our attacks exploit the input-output correlations in the nonlinear transformations used by these ciphers. These are the first attacks on these ciphers. Next, carry flag attacks on the unprotected implementations of SPECK family of lightweight block ciphers and HMAC-Streebog family of MAC algorithms are discussed. SPECK is an ISO/IEC standard for RFID devices developed by Beaulieu et al. of the NSA. HMAC–Streebog is a MAC algorithm based on the Streebog, a family of hash functions defined in the Russian cryptographic standard GOST R 34.11–2012. These symmetric-key algorithms use modular addition, making them vulnerable to carry flag attacks. To the best of our knowledge, this thesis presents the first results analysing the resistance of unprotected implementations of the SPECK and the HMAC-Streebog to carry flag attacks. Our attacks, which work on the full SPECK, are comparatively more feasible than the other attacks applicable on the full ciphers. We present two types of side-channel attacks on the HMAC-Streebog: passive attacks without fault injections and active attacks with fault injections. Our passive attack is the best non-fault attack on HMAC-Streebog-256. Similarly, our active attacks fare better than the existing fault attacks on HMAC–Streebog. 
In the final part of this thesis, we analyse the RCR family of stream ciphers and their software implementations. The RCR ciphers have remained unbroken since they were published in 2007. We present arguments that not only support the designers' security claims but suggest, in general, that the ciphers are secure against several classes of cryptanalytic attacks. We also suggest ways to protect software implementations of the RCR ciphers against (cache-)timing and processor flag attacks. Our performance evaluation suggests that the protected implementation of the RCR-64 encrypts long messages at speeds comparable to some of the fastest stream ciphers available today. This is the first work to present a detailed study on the security and performance of the RCR ciphers.
... The first to point to the use of hash functions in digital signatures were Diffie and Hellman. However, the ones who provided definitions, analysis and constructions of cryptographic hash functions during the 1970s were Rabin [10], Yuval [11], and Merkle [9]. Specifically, Rabin proposed a hash function based on DES, Yuval took up the analysis and showed that the birthday paradox could be used to find collisions in the hash function, while Merkle proposed the basic definitions that are used today (collision resistance, pre-image resistance, and second pre-image resistance). ...
... A common part between both standards is composed of the physical and medium layers known as IEEE 802.11. Both ITS standards (IEEE 1609 [220] and ETSI TC ITS [241]) are very similar in several terms such as offered networking, application management functionalities, and security. ...
... 11: Process of digital signing and verification. ...
Thesis
Full-text available
Living in an era where new devices are astonishing in their high capabilities, new visions and terms have emerged. Moving to smart phones, Wireless Sensor Networks, high-resolution cameras, pads and much more has mandated the need to rethink the technological strategy that is used today. Starting from social media, where apparently everything is being exposed, moving to highly powerful surveillance cameras, in addition to real-time health monitoring, it can be seen that a high amount of data is being stored in the Cloud and on servers. This introduces a great challenge for their storage and transmission, especially on resource-limited platforms that are characterized by: (a) limited computing capabilities, (b) limited energy and sources of power and (c) open infrastructures that transmit data over unreliable wireless networks. One of the extensively studied platforms is the Vehicular Ad-hoc Network, which tends to have many limitations concerning the security field. In this dissertation, we focus on improving the security of transmitted multimedia contents on different limited platforms while preserving a high security level. Limitations of these platforms are taken into consideration while enhancing the execution time of the secure cipher. Additionally, if the proposed cipher is to be used for images, the intrinsically voluminous and complex nature of the managed images is also taken into account. In the first part, we surveyed one of the limited platforms that is interesting for many researchers, which is the Vehicular Ad-hoc Network. In order to pave the way for researchers to find new efficient security solutions, it is important to have one reference that sums up most of the recent works. The survey investigates almost every aspect of this field, shedding light on the different aspects this platform possesses.
Then, in order to propose any new security solution and validate its robustness and the level of randomness of the ciphered image, a simple and efficient test is proposed. This test uses the randomness tools TestU01 and PractRand in order to assure a high level of randomness. After running these tests on well-known ciphers, some flaws were exposed. Proceeding to the next part, a novel proposal for enhancing the well-known ultra-lightweight cipher scheme Speck is proposed. The main contribution of this work is to obtain a better version compared to Speck. In this proposal, the 26 rounds of Speck were reduced to 7 rounds in Speck-R while improving the execution time by at least 50%. First, we validate that Speck-R meets the randomness tests previously proposed. Additionally, a dynamic substitution layer adds more security against key-related attacks and highly fortifies the cipher. Speck-R was implemented on different limited Arduino chips and in all cases Speck-R was ahead of Speck. Then, in order to prove that this cipher can be used for securing images, especially in VANETs/IoV, where images can be extensively re/transmitted, several tests were performed and results showed that Speck-R indeed possesses the high level of security desired in any trusted cipher. Extensive experiments validate our proposal from both security and performance points of view and demonstrate the robustness of the proposed scheme against the best-known types of attacks.
... In their analysis [1,2], Bellare and Kohno only consider the case where the domain points are chosen independently and uniformly at random from all m-bit strings (therefore |D| = 2^m). Yuval [26] instead suggests using q minor modifications of a message, in such a way that all messages are meaningful. Using distinguished points, Quisquater and Delescaille [18] showed that collisions for meaningful messages can also be found with negligible memory requirements, i.e. without storing all .x ...
... Based on the mathematics of the birthday problem, Yuval proposed the birthday attack for hash functions [26]. In the attack, a large number of messages are generated, until two messages are found that result in the same hash value. ...
Article
Full-text available
At EUROCRYPT 2004, Bellare and Kohno presented the concept of a regular hash function. For a hash function to be regular, every hash value must have the same number of preimages in the domain. The findings of their paper remained unchallenged for over six years, and made their way into several research papers and textbooks. In their paper, Bellare and Kohno claim that regular hash functions are more resistant against the birthday attack than random hash functions. We counter their arguments, by showing that the success probability of the birthday attack against a regular hash function can be made arbitrarily close to that of a random hash function (for the same number of trials). Our analysis uses the fact that the choices of the attacker can be limited to any subset of the domain. Furthermore, we prove that it is not possible to construct a hash function that is regular for only a small fraction of subsets of the domain. In order to avoid these problems, we propose to model hash functions as random functions. Compared to regular functions, we argue that the statistics of random functions are more similar to hash functions used in practice, regardless of how the attacker chooses the domain points.
... Therefore, the MD construction demands at least 64 bits to ensure security. Bart Preneel suggested MD hash functions should have at least 70 bits to ensure security [17], [18], [20]. He proved the attack could be applied on any hash system susceptible to possible collisions. ...
Article
Full-text available
The term data security revolves around two fundamental things, namely data protection and data integrity. The advent of cloud solutions has completely transformed data storage and access mechanisms. Today, technology permits the user to store and access data through the internet without much access restriction. Therefore, conserving the integrity of data has become a more grueling task than was formerly thought. Digest functions come to the aid of providing a comprehensive solution for integrity violations of remote data. But the cryptographic attacks on digest functions like the MD4, MD5, RIPEMD, and SHA-160 algorithms made the research community reconsider the design principles of digest functions for cryptographic use. This work attempts to perform a functional analysis of the standard keyless digest functions MD-5, SHA-160, the SHA-2 family, and the SHA-3 family from the perspective of security.
... The birthday attack was presented on hash functions first by Yuval [Yuv79] and on MACs by Preneel and van Oorschot [PvO95] (cf. [MvOV96]). ...
Article
Full-text available
Recent parallelizable message authentication codes (MACs) have demonstrated the benefit of tweakable block ciphers (TBCs) for authentication with high security guarantees. With ZMAC, Iwata et al. extended this line of research by showing that TBCs can simultaneously increase the number of message bits that are processed per primitive call. However, ZMAC and previous TBC-based MACs needed more memory than sequential constructions. While this aspect is less an issue on desktop processors, it can be unfavorable on resource-constrained platforms. In contrast, existing sequential MACs limit the number of message bits to the block length of the primitive n or below. This work proposes DoveMAC, a TBC-based PRF that reduces the memory of ZMAC-based MACs to 2n + 2t + 2k bits, where n is the state size, t the tweak length, and k the key length of the underlying primitive. DoveMAC provides (n + min(n, t))/2 bits of security, and processes n + t bits per primitive call. Our construction is the first sequential MAC that combines beyond-birthday-bound security with a rate above n bits per call. By reserving a single tweak bit for domain separation, we derive a single-key variant DoveMAC1k.
... Consider the situation in which any two students in a class have the same birthday. Yuval [123] proposed the following strategy in a DS application (Fig. 3.14) to exploit the birthday paradox in a collision attack without attempting to recover the secret key K: ...
Thesis
Hash functions are among the most useful primitives in cryptography. They play an important role in data integrity, message authentication, digital signatures and authenticated encryption. Thus, the design of secure hash functions is crucial. In this thesis, we designed, implemented, and analyzed the performance of two architectures, each with two keyed hash function structures based on chaotic maps and neural networks (KCNN). The first architecture is based on the Merkle-Damgård construction, while the second uses the Sponge function. The first structure of the first architecture consists of two KCNN layers with three different output schemes (CNN-Matyas-Meyer-Oseas, Modified CNN-Matyas-Meyer-Oseas and CNN-Miyaguchi-Preneel). The second structure is composed of a KCNN layer followed by a combination layer of nonlinear functions. The first structure of the second architecture is formed of two KCNN layers with two hash value lengths, 256 and 512. The second structure is similar to that used in the first architecture. The chaotic system is used to generate KCNN parameters. The results obtained by the statistical tests, as well as the cryptanalytic analysis, demonstrate the security of the proposed KCNN hash functions. Finally, we are currently working on the KCNN-DUPLEX structure integrating the proposed KCNN hashing functions (Sponge-based) for use in an authenticated encryption application.
... Intuitively, this is necessary to prevent precomputed collision attacks. Indeed, since only the message data is fed into the hash function G, an attacker could mount a Yuval-style attack (YUVAL, 1979), preparing beforehand two sets of semantically equivalent messages, the first favorable to the signer and the second unfavorable, and looking for a collision between a favorable message data and an unfavorable one data′, finally presenting data to the signer and data′ to an arbitrating third party after a valid signature is obtained that holds for both messages. ...
Thesis
Full-text available
The conventional digital signature schemes widely used today may have their security threatened by the possible advent of a large quantum computer. Moreover, such schemes are not entirely suitable for use on very resource-constrained platforms. Therefore, there is a need to look at alternatives that present reasonable security in the medium and long term, in addition to attaining acceptable performance when few resources are available. This work provides more efficient multivariate and hash-based post-quantum digital signatures and targets deployment in scenarios like the Internet of Things and Wireless Sensor Networks, where the typical devices are very resource-constrained. In the context of multivariate quadratic digital signatures we describe a new technique that attempts to minimize the main drawback of these schemes, the large key sizes. The new technique explores certain structured compact matrix rings. Some of the analyzed matrix rings are not secure (one of the attacks runs in polynomial time). Other less compact matrix rings are investigated and they apparently do not suffer a polynomial-time attack, but unfortunately are still far from deployment on very constrained platforms. On the other hand, this work describes a method for hash-based signatures providing a ≈ 2/3 reduction of the signature sizes in the Merkle-Winternitz multi-time signature scheme. In fact, the signature sizes constitute the main bottleneck of these schemes. The improvement also leads to a ≈ 2/3 reduction in the run times (key generation, signing and verifying) and in energy consumption for all these operations on an AVR ATmega128L microcontroller, typically found in Wireless Sensor Networks. This result is much more promising for deployment in an IoT scenario.
... If the hash function has good collision resistance, it should be impossible to find the same hash value with a different message using the hash function. An ideal hash function with an n-bit hash takes the computation of about √(2^n) = 2^(n/2) messages to get back the same hash value with any pair of messages [1], which is called a "birthday attack." In 1990, the fast and efficient MD4 hash function [2] was developed but had collision issues [3], [4], [5]. ...
Article
Full-text available
In cryptographic applications, hashing techniques are used for data integrity checking, authentication and, where digital signatures are involved, to detect modifications during storage and transmission. The chaos-based hash function (CBHF) and the Xun-Yi hash function have been implemented and compared. Both techniques are based on a chaotic tent map, which is rich in significance, sensitivity, ergodicity, random behaviour, and unstable periodic orbits. In terms of overall performance with consideration for the security levels, the Xun-Yi hash function is the best algorithm. Our implementations also show analyses for both hash functions.
... A direct application of this paradox is the collision finding problem for hash functions, first pointed out by Yuval [243] in 1979. For a hash function with n-bit message digests, the number of message digests one needs to observe before a collision is found is approximately 2^(n/2). ...
Article
Full-text available
Cryptographic primitives are the basic components of any cryptographic tool. Block ciphers, stream ciphers and hash functions are the fundamental primitives of symmetric cryptography. In symmetric cryptography, the communicating parties perform essentially the same operation and use the same key, if any. This thesis concerns cryptanalysis of stream ciphers and hash functions. The main contribution of this work is introducing the concept of probabilistic neutrality for the arguments of a function, a generalization of the definition of neutrality. An input argument of a given function is called neutral if it does not affect the output of the function. This simple idea has already been implicitly used in key recovery cryptanalysis of block ciphers and stream ciphers. However, in 2004, Biham and Chen explicitly used the idea of neutrality to speed up collision finding algorithms for hash functions. We call an input argument of a function probabilistic neutral if it does not have a "significant" influence on the output of the function. Simply stated, it means that if the input argument is changed, the output of the function stays the same with a probability "close" to one. We will exploit the idea of probabilistic neutrality to assess the security of several stream ciphers and hash functions. Interestingly, all our cryptanalyses rely on neutrality and/or probabilistic neutrality. In other words, these concepts will appear as a common ingredient in all of our cryptanalytic algorithms. To the best of our knowledge, this is the first time that the probabilistic neutrality has found diverse applications in cryptanalysis.
... Intuitively, this is necessary to prevent precomputed collision attacks. Indeed, since only the message data is fed into the hash function G, an attacker could mount a Yuval-style attack [23], preparing beforehand two sets of semantically equivalent messages, the first favorable to the signer and the second unfavorable, and looking for a collision between a favorable message data and an unfavorable one data′, finally presenting data to the signer and data′ to an arbitrating third party after a valid signature is obtained that holds for both messages. ...
Article
Full-text available
We describe an efficient hash-based signature scheme that yields shorter signatures than the state of the art. Signing and verification are faster as well, and the overall scheme is suitable for constrained platforms typical of the Internet of Things. We describe an efficient implementation of our improved scheme and show memory, time, and energy consumption benchmarks over a real device, i.e. the ATmega128l 8-bit AVR microcontroller embedded in MICAz, a typical sensor node used in wireless sensor networks.
... The birthday attack was first introduced, in relation to hash functions, by Yuval in [77]. The attack specifies the expected number of random messages one must try before finding a preimage for a given digest or a collision between two messages. ...
... The minimum amount of work required by an attacker to violate the preimage or second-preimage resistance property for an -bit output hash function should be 2 . The minimum amount of work to violate the collision resistance property (due to the birthday paradox [6]) should be 2 . [7] For example, SHA-1 has a 160-bit output, so any attack that finds a preimage or second preimage in less than 2 or a collision in less than 2 demonstrates that SHA-1 provides less security than a random oracle. ...
Article
Full-text available
This paper discusses modern hash function construction using the NIST SHA-3 competition as a survey of modern hash function construction properties. Three primary hash function designs are identified based on the designs of SHA-3 candidates submitted as part of the NIST SHA-3 competition. These designs are Wide-pipe, Sponge, and HAsh Iterated FrAmework (HAIFA).
... In the remainder of this thesis, we will usually omit the constant factor and use the asymptotic complexity Θ(2^(n/2)) or simply 2^(n/2) instead. A straightforward implementation [Yuv79] of the birthday attack chooses random inputs x_i for f(x), computes f(x_i) and stores the results in a sorted list L. If a result f(x_i) is already a member of the list L, we have found a collision. To avoid the additional complexity of sorting the list L, we can use a hash table (or another appropriate data structure) to find entries in L efficiently. ...
... Since this statement is applicable to any hash function it dictates a lower bound on collision resistance. One of the first attacks based on the birthday paradox is accordingly called the birthday attack by G. Yuval [7]. ...
Article
This work deals with methods to construct a hash function containing a compression function that is built from a block cipher. There are many schemes to turn a block cipher into a compression function, here the most known are presented including Merkle-Damgård Construction. Such schemes can produce either single-length-block or double-length-block hash functions according to the underlying block cipher with certain properties. At the end security considerations are outlined to convey what signifies a secure hash function that is built from a block cipher.
... It should be widely approved and secure. The best known general attack against hashes is the birthday attack, which enables finding collisions [22] with the lowest computational effort. For the hash function H(.) we define a collision as finding two messages m_1 and m_2 such that: ... Of course, the occurrence of collisions is very undesirable. ...
Conference Paper
Full-text available
Message freshness and time synchronization are nowadays essential services in secure communication. Many network protocols can work correctly only when the freshness of messages sent between participants is assured and when the internal clocks of the protocol's parties are synchronized. In this paper we present a novel, secure and fast procedure which can be used to ensure data freshness and clock synchronization between two communicating parties. Next, we show how this solution can be used in cryptographic protocols. As an example we apply our approach to the Oakley key determination protocol, providing it with time synchronization without any additional communication overhead.
... More generally, randomly chosen √(2N) (out of N possible) elements are unlikely to be all different, because there are N possible pairs. Therefore, as was first noted by Yuval [Yuv79], one can generate a collision for an n-bit hash function by hashing and sorting about 2^(n/2) messages. There also exist memoryless modifications of this method, which are only marginally slower (Section 5.1). ...
Article
Full-text available
We systematically describe methods of symmetric cryptanalysis.
... In 1979 Merkle [10, pp. 12-13] and Gideon Yuval [12] independently observed that because of the "birthday" paradox (the well-known result that in a group of twenty-three people, the probability that two people share the same birthday is slightly more than half), on average one needs to search only the square root of the search space to find a collision. Thus hash functions of n bits are at best n/2 bits secure against collision attacks. ...
Article
Full-text available
the unreasonable effectiveness of mathematics, delightful, and unexpected, applications of theory to the real world. In the world of the Internet, we've seen it in the use of number theory in public-key cryptography (the Diffie-Hellman system, the RSA algorithm, elliptic curve cryptosystems), in the utilization of graph theory in network design. In the world of Internet data security, currently we face the opposite situation: a problem in search of mathematical theory. The problem is hash functions. A hash function is an easy-to-compute compression function that takes a variable-length input and converts it to a fixed-length output. The hashes in which we are interested, called cryptographic hash functions, are "one-way", which is to say, they should be easy to compute and "hard", or computationally expensive, to invert. Hash functions are used as a compact representation of a longer piece of data, a digital fingerprint, and to provide message integrity. The way hashes are used to provide integrity is that the hash value of a particular piece of data, h0, is computed at an initial time t0. When the data needs to be used later at time t1, the hash, h1, is recomputed. If the two hashes are equal, then the data has not been altered. Ralph Merkle, a co-inventor of public-key cryptography, calls hashes the "duct tape" of cryptography. Among other things, hashes are used to ascertain software integrity, in digital signatures, in message
... Collisions can be considered a special case of near-collisions with the parameter ε = 0. The generic method for finding collisions for a given hash function is based on the birthday paradox and attributed to Yuval [22]. There are well established cycle-finding techniques (due to Floyd, Brent, Nivasch, cf. ...
Article
In this paper we discuss the problem of generically finding near-collisions for cryptographic hash functions in a memoryless way. A common approach is to truncate several output bits of the hash function and to look for collisions of this modified function. In two recent papers, an enhancement to this approach was introduced which is based on classical cycle-finding techniques and covering codes. This paper investigates two aspects of the problem of memoryless near-collisions. Firstly, we give a full treatment of the trade-off between the number of truncated bits and the success-probability of the truncation based approach. Secondly, we demonstrate the limits of cycle-finding methods for finding near-collisions by showing that, opposed to the collision case, a memoryless variant cannot match the query-complexity of the "memory-full" birthday-like near-collision finding method.
Chapter
This chapter introduces several techniques, mathematical and otherwise, developed for the breaking of modern ciphers and other components of crypto‐systems used in real‐life applications and protocols. In cryptanalysis, various existing probable pieces of information are pieced together in order to determine the secret key or the message. The chapter provides a comprehensive overview of the most common attacks on privacy, namely brute‐force attack, man‐in‐the‐middle attacks, relay attacks, known plain text attacks, known cipher text attacks, chosen plain text attacks, replay attacks, birthday attacks, attacks on the Rivest–Shamir–Adleman algorithm, timing attack, and cold boot attacks. Differential cryptanalysis works in a similar way to the chosen plain text attack. The attack consists of looking at differences produced in the cipher text by known differences in the plain text. An attacker’s ability to preprocess information has to be taken into account when analyzing the security of any cryptographic protocol.
Article
Full-text available
A nominative signature (NS) is a cryptographic primitive where two parties collude to produce a signature. It is a user certification system and has applications in a variety of sectors where the nominee cannot rely heavily on the nominator to validate the nominee's certificate and only targeted entities are allowed to verify the signature on sensitive data. A new construction for NS from standard assumptions on lattices is provided. The authors' construction relies on a collision-resistant preimage sampleable function and symmetric key primitives like a collision-resistant pseudorandom function and the zero knowledge proof system ZKB++ for Boolean circuits. The authors provide a detailed security analysis and show that their construction achieves security under unforgeability, invisibility, impersonation, and non-repudiation in the existing model. Furthermore, our construction exhibits non-transferability. The security under non-repudiation is achieved in the quantum random oracle model using the Unruh transform on ZKB++.
Chapter
We present a general signature scheme which uses any pair of trap-door permutations (f0, f1) for which it is infeasible to find any x, y with f0(x) = f1(y). The scheme possesses the novel property of being robust against an adaptive chosen message attack: no adversary who first asks for and then receives signatures for messages of his choice (which may depend on previous signatures seen) can later forge the signature of even a single additional message. For a specific instance of our general scheme, we prove that 1. forging signatures is provably equivalent to factoring, while 2. adaptive chosen message attacks are of no help to an "enemy" who wishes to forge a signature. Such a scheme is "paradoxical" since the above two properties were believed (and even "proven" in the folklore) to be contradictory. The new scheme is potentially practical: signing and verifying signatures are reasonably fast, and signatures are not too long.
Conference Paper
The cryptographic community has widely acknowledged that the emergence of large quantum computers will pose a threat to most current public-key cryptography. Primitives that rely on order-finding problems, such as factoring and computing Discrete Logarithms, can be broken by Shor’s algorithm ([49]).
Conference Paper
In this paper we consider the problem of finding near-collisions with Hamming distance bounded by r in generic n-bit hash functions. In 2011, Lamberger and Rijmen proposed a modified version of Pollard's rho method, and in 2012 Leurent improved this memoryless algorithm by using any available memory to store chain endpoints. Both algorithms use a perfect error correcting code to change near-collisions into full collisions, but such codes are rare and have very small distance. In this paper we propose using randomly chosen linear codes, whose decoding can be made efficient by using some of the available memory to store error-correction tables. Compared to Leurent's algorithm, we experimentally verified an improvement ratio of about 3 in a small example with n=160 and r=33 which we implemented on a single PC, and mathematically predicted a significant improvement ratio of about 730 in a larger example with n=1024 and r=100, using 2^40 memory.
Article
This paper proposes a novel one-way hash function that can serve as a tool in achieving authenticity and data integrity. The one-way hash function can be viewed as a representative of a family of fast dedicated one-way hash functions whose construction is based on linear cellular automata over GF(q). The design and security analysis of the function are accomplished by the use of very recently published results on cellular automata and their applications in cryptography. The analysis indicates that the one-way hash function is secure against all known attacks. A promising property of the proposed one-way hash function is that it is especially suitable for compact and fast implementation.
Article
A cryptographic hash function compresses arbitrarily long messages to digests of a short and fixed length. Most existing hash functions are designed to evaluate a compression function with a finite domain in a mode of operation, and the compression function itself is often designed from block ciphers or permutations. This modular design approach allows for a rigorous security analysis by means of both cryptanalysis and provable security. We present a survey on the state of the art in hash function security and modular design analysis. We focus on existing security models and definitions, as well as on the security aspects of designing secure compression functions (indirectly) from either block ciphers or permutations. In all of these directions, we identify open problems that, once solved, would allow for an increased confidence in the use of cryptographic hash functions.
Article
We show that, in practice, a network adversary can achieve decidedly non-negligible advantage in attacking provable key-protection properties; e.g., the “existential key recovery” security and “multi-key hiding” property of typical nonce-based symmetric encryption schemes whenever these schemes are implemented with standard block ciphers. We also show that if a probabilistic encryption scheme uses certain standard block ciphers (e.g., two-key 3DES), then enforcing the security bounds necessary to protect against network adversary attacks will render the scheme impractical for network applications that share group keys amongst many peers. The attacks presented here have three noteworthy implications. First, they help identify key-protection properties that separate the notion of indistinguishability from random bits (IND$) from the strictly weaker notion of indistinguishability of ciphertexts (IND); also, they help establish new relationships among these properties. Second, they show that nonce-based symmetric encryption schemes are typically weaker than probabilistic ones. Third, they illustrate the need to account for the Internet-level growth of adversary capabilities when establishing the useful lifetime of standard block-cipher parameters.
Article
Noncryptographic hash functions have an immense number of important practical applications owing to their powerful search properties. However, those properties critically depend on good designs: Inappropriately chosen hash functions are a very common source of performance losses. On the other hand, hash functions are difficult to design: They are extremely nonlinear and counterintuitive, and relationships between the variables are often intricate and obscure. In this work, we demonstrate the utility of genetic programming (GP) and avalanche effect to automatically generate noncryptographic hashes that can compete with state-of-the-art hash functions. We describe the design and implementation of our system, called GP-hash, and its fitness function, based on avalanche properties. Also, we experimentally identify good terminal and function sets and parameters for this task, providing interesting information for future research in this topic. Using GP-hash, we were able to generate two different families of noncryptographic hashes. These hashes are able to compete with a selection of the most important functions of the hashing literature, most of them widely used in the industry and created by world-class hashing experts with years of experience.
Article
The MAC with enveloped method using MD5 is recommended as an Internet proposed standard, RFC 1828. So far no distinguishing attack on it has been presented. In this paper, we first propose an adaptive chosen message distinguishing attack on the MAC with enveloped method using MD5, whose time complexity and data complexity are both 2^96 and whose table size is 2^89, with a success rate of 0.87. Then we relax the adaptive chosen message distinguishing attack to a chosen message distinguishing attack, whose data complexity is increased to 2^113, but whose table size is reduced to 2^66 with the same success rate.
Article
This paper is intended to serve as an introduction to the exciting developments in secret codes that have taken place in the last ten years. David Kahn’s interesting book The Codebreakers appeared in 1967 [29], which unfortunately was just before IBM described its Lucifer encryption scheme [11], [20], [51] and triggered the developments that I am going to describe.
Article
Hash functions were introduced in cryptology in the late seventies as a tool to protect the authenticity of information. Soon it became clear that they were a very useful building block to solve other security problems in telecommunication and computer networks. This paper sketches the history of the concept, discusses the applications of hash functions, and presents the approaches that have been followed to construct hash functions. In addition, it tries to provide the information which is necessary to choose a practical hash function. An overview of practical constructions and their performance is given and some attacks are discussed. Special attention is paid to standards dealing with hash functions.
Conference Paper
In 1990 Rivest introduced the hash function MD4. Two years later RIPEMD, a European proposal, was designed as a stronger mode of MD4. Recently we have found an attack against two of the three rounds of RIPEMD. As we shall show in the present note, the methods developed to attack RIPEMD can be modified and supplemented such that it is possible to break the full MD4, while previously only partial attacks were known. An implementation of our attack allows one to find collisions for MD4 in a few seconds on a PC. An example of a collision is given, demonstrating that our attack is of practical relevance.