The design of secure compression functions is of vital importance to hash function development. In this paper we consider the problem of combining smaller trusted compression functions to build a larger compression fu...
详细信息
ISBN:
(纸本)9783540494751
The design of secure compression functions is of vital importance to hash function development. In this paper we consider the problem of combining smaller trusted compression functions to build a larger compression function. This work leads directly to impossibility results on a range of block cipher-based hash function constructions.
A cryptographic hash function compresses arbitrarily long messages to digests of a short and fixed length. Most of existing hash functions are designed to evaluate a compression function with a finite domain in a mode...
详细信息
A cryptographic hash function compresses arbitrarily long messages to digests of a short and fixed length. Most of existing hash functions are designed to evaluate a compression function with a finite domain in a mode of operation, and the compression function itself is often designed from block ciphers or permutations. This modular design approach allows for a rigorous security analysis via means of both cryptanalysis and provable security. We present a survey on the state of the art in hash function security and modular design analysis. We focus on existing security models and definitions, as well as on the security aspects of designing secure compression functions (indirectly) from either block ciphers or permutations. In all of these directions, we identify open problems that, once solved, would allow for an increased confidence in the use of cryptographic hash functions.
For which sets A does there exist a mapping, computed by a total or partial recursive function, such that the mapping, when its domain is restricted to A, is a 1-to-1, onto mapping to Sigma*? For which sets A does the...
详细信息
For which sets A does there exist a mapping, computed by a total or partial recursive function, such that the mapping, when its domain is restricted to A, is a 1-to-1, onto mapping to Sigma*? For which sets A does there exist such a mapping that respects the lexicographical ordering within A? Both cases are types of perfect, minimal hash functions. The complexity-theoretic versions of these notions are known as compression functions and ranking functions. This paper defines and studies the recursion-theoretic versions of compression and ranking functions, and in particular studies which sets have, or lack, such functions. Thus this is a case where, in contrast to the usual direction of notion transferal, notions from complexity theory are inspiring notions, and an investigation, in computability theory. We show that the rankable and compressible sets broadly populate the 1-truth-table degrees, and we prove that every nonempty coRE cylinder is recursively compressible. (C) 2018 Elsevier Inc. All rights reserved.
The most popular method to construct hash functions is to iterate a compression function on the input message. This method is called Merkle-Damgard method. Most hash functions used in practice such as MD4, MD5, SHA-0,...
详细信息
The most popular method to construct hash functions is to iterate a compression function on the input message. This method is called Merkle-Damgard method. Most hash functions used in practice such as MD4, MD5, SHA-0, SHA-1 are based on this method. However this method is not always the best. For example, this method can not resist multi-collision attack. Recently some modifications of this method are proposed. These modified methods are based on Merkle-Damgard method and some improvements are made. A hash function based on All-or-Nothing property is one of these improvements. All-or-nothing property is an encryption mode for block ciphers. It has the property that one must decrypt all cipher blocks to determine any plain-text block. All-or-nothing hash function is a kind of hash function constructed with the all-or-nothing property. The authors of it claim that it is more secure than those common hash functions. In this paper, we will show that this is not true and there are still some flaws on this improved method.
We propose a family of compression functions built from fixed-key blockciphers and investigate their collision and preimage security in the ideal-cipher model. The constructions have security approaching and in many c...
详细信息
ISBN:
(数字)9783540851745
ISBN:
(纸本)9783540851738
We propose a family of compression functions built from fixed-key blockciphers and investigate their collision and preimage security in the ideal-cipher model. The constructions have security approaching and in many cases equaling the security upper bounds found in previous work of the authors [24]. In particular, we describe a 2n-bit to n-bit compression function using three n-bit permutation calls that has collision security N-0.5, where N = 2(n), and we describe 3n-bit to 2n-bit compression functions using five and six permutation calls and having collision security of at least N-0.55 and N-0.63.
The FSB (fast syndrome-based) hash function was submitted to the SHA-3 competition by Augot, Finiasz, Gaborit, Manuel, and Sendrier in 2008, after preliminary designs proposed in 2003, 2005, and 2007. Many FSB paramet...
详细信息
ISBN:
(纸本)9783642219696
The FSB (fast syndrome-based) hash function was submitted to the SHA-3 competition by Augot, Finiasz, Gaborit, Manuel, and Sendrier in 2008, after preliminary designs proposed in 2003, 2005, and 2007. Many FSB parameter choices were broken by Coron and Joux in 2004, Saarinen in 2007, and Fouque and Leurent in 2008, but the basic FSB idea appears to be secure, and the FSB submission remains unbroken. On the other hand, the FSB submission is also quite slow, and was not selected for the second round of the competition. This paper introduces RFSB, an enhancement to FSB. In particular, this paper introduces the RFSB-509 compression function, RFSB with a particular set of parameters. RFSB-509, like the FSB-256 compression function, is designed to be used inside a 256-bit collision-resistant hash function: all known attack strategies cost more than 2 128 to find collisions in RFSB-509. However, RFSB-509 is an order of magnitude faster than FSB-256. On a single core of a Core 2 Quad CPU, RFSB-509 runs at 13.62 cycles/byte: faster than SHA-256, faster than 6 of the 14 second-round SHA-3 candidates, and faster than 2 of the 5 SHA-3 finalists.
Protection of passwords used to authenticate computer systems and networks is one of the most important application of cryptographic hash functions. Due to the application of precomputed memory look up attacks such as...
详细信息
ISBN:
(纸本)9780769549590;9781467358323
Protection of passwords used to authenticate computer systems and networks is one of the most important application of cryptographic hash functions. Due to the application of precomputed memory look up attacks such as birthday and dictionary attacks on the hash values of passwords to find passwords, it is usually recommended to apply hash function to the combination of both the salt and password, denoted salt parallel to password, to prevent these attacks. In this paper, we present the first security analysis of salt parallel to password hashing application. We show that when hash functions based on the compression functions with easily found fixed points are used to compute the salt. password hashes, these hashes are susceptible to precomputed offline birthday attacks. For example, this attack is applicable to the salt parallel to password hashes computed using the standard hash functions such as MD5, SHA-1, SHA-256 and SHA-512 that are based on the popular Davies-Meyer compression function. This attack exposes a subtle property of this application that although the provision of salt prevents an attacker from finding passwords, salts prefixed to the passwords do not prevent an attacker from doing a precomputed birthday attack to forge an unknown password. In this forgery attack, we demonstrate the possibility of building multiple passwords for an unknown password for the same hash value and salt. Interestingly, password parallel to salt (i.e salts suffixed to the passwords) hashes computed using Davies-Meyer hash functions are not susceptible to this attack, showing the first security gap between the prefix-salt and suffix-salt methods of hashing passwords.
We consider the security of compression functions built by combining smaller perfectly secure compression functions modeled as fixed input length random oracles. We give tight security bounds and generic attacks for v...
详细信息
ISBN:
(纸本)9783540746171
We consider the security of compression functions built by combining smaller perfectly secure compression functions modeled as fixed input length random oracles. We give tight security bounds and generic attacks for various parameters of these constructions and apply our results to recent proposals of block cipher-based hash functions.
We consider how to build an efficient compression function from a small number of random, non-compressing primitives. Our main goal is to achieve a level of collision resistance as close as possible to the optimal bir...
详细信息
ISBN:
(纸本)9783540705826
We consider how to build an efficient compression function from a small number of random, non-compressing primitives. Our main goal is to achieve a level of collision resistance as close as possible to the optimal birthday bound. We present a 2n-to-n bit compression function based on three independent n-to-n bit random functions, each called only once. We show that if the three random functions are treated as black boxes then finding collisions requires Theta(2(n/2) /n(c)) queries for c approximate to 1. This result remains valid if two of the three random functions are replaced by a fixed-key ideal cipher in Davies-Meyer mode (i.e., E-K (x) circle plus x for permutation E-K). We also give a heuristic, backed by experimental results, suggesting that the security loss is at most four bits for block sizes up to 256 bits. We believe this is the best result to date on the matter of building a collision-resistant compression function from non -compressing functions. It also relates to an open question from Black et al. (Eurocrypt'05), who showed that compression functions that invoke a single non-compressing random function cannot suffice.
暂无评论