Collision Resistance of Hash Functions in a Weak Ideal Cipher Model

2012 ◽  
Vol E95-A (1) ◽  
pp. 252-255 ◽  
Author(s):  
Shoichi HIROSE ◽  
Hidenori KUWAKADO
Keyword(s):  
Hash Functions ◽  
Collision Resistance ◽  
Ideal Cipher ◽  
Ideal Cipher Model

scholarly journals Haraka v2 – Efficient Short-Input Hashing for Post-Quantum Applications

2017 ◽  
pp. 1-29 ◽  
Author(s):  
Stefan Kölbl ◽  
Martin M. Lauridsen ◽  
Florian Mendel ◽  
Christian Rechberger
Keyword(s):  
Hash Function ◽  
High Performance ◽  
Hash Functions ◽  
Low Latency ◽  
Design Strategies ◽  
Signature Schemes ◽  
Collision Resistance ◽  
Preimage Resistance ◽  
Function Design ◽  
General Tool

Recently, many efficient cryptographic hash function design strategies have been explored, not least because of the SHA-3 competition. These designs are, almost exclusively, geared towards high performance on long inputs. However, various applications exist where the performance on short (fixed length) inputs matters more. Such hash functions are the bottleneck in hash-based signature schemes like SPHINCS or XMSS, which is currently under standardization. Secure functions specifically designed for such applications are scarce. We attend to this gap by proposing two short-input hash functions (or rather simply compression functions). By utilizing AES instructions on modern CPUs, our proposals are the fastest on such platforms, reaching throughputs below one cycle per hashed byte even for short inputs, while still having a very low latency of less than 60 cycles. Under the hood, this results comes with several innovations. First, we study whether the number of rounds for our hash functions can be reduced, if only second-preimage resistance (and not collision resistance) is required. The conclusion is: only a little. Second, since their inception, AES-like designs allow for supportive security arguments by means of counting and bounding the number of active S-boxes. However, this ignores powerful attack vectors using truncated differentials, including the powerful rebound attacks. We develop a general tool-based method to include arguments against attack vectors using truncated differentials.

The Security of Tandem-DM in the Ideal Cipher Model

2016 ◽  
Vol 30 (2) ◽  
pp. 495-518 ◽  
Author(s):  
Jooyoung Lee ◽  
Martijn Stam ◽  
John Steinberger
Keyword(s):  
Ideal Cipher ◽  
Ideal Cipher Model ◽  
The Ideal

scholarly journals Security of Symmetric Primitives against Key-Correlated Attacks

2019 ◽  
pp. 193-230
Author(s):  
Aisling Connolly ◽  
Pooya Farshim ◽  
Georg Fuchsbauer
Keyword(s):  
Natural Transformation ◽  
Random Oracle Model ◽  
Random Permutation ◽  
Random Oracle ◽  
Dependent Data ◽  
Authenticated Encryption ◽  
Ideal Cipher ◽  
Permutation Model ◽  
Ideal Cipher Model ◽  
The Ideal

We study the security of symmetric primitives against key-correlated attacks (KCA), whereby an adversary can arbitrarily correlate keys, messages, and ciphertexts. Security against KCA is required whenever a primitive should securely encrypt key-dependent data, even when it is used under related keys. KCA is a strengthening of the previously considered notions of related-key attack (RKA) and key-dependent message (KDM) security. This strengthening is strict, as we show that 2-round Even–Mansour fails to be KCA secure even though it is both RKA and KDM secure. We provide feasibility results in the ideal-cipher model for KCAs and show that 3-round Even–Mansour is KCA secure under key offsets in the random-permutation model. We also give a natural transformation that converts any authenticated encryption scheme to a KCA-secure one in the random-oracle model. Conceptually, our results allow for a unified treatment of RKA and KDM security in idealized models of computation.

scholarly journals On chosen target forced prefix preimage resistance

2010 ◽  
Vol 47 (1) ◽  
pp. 115-135 ◽  
Author(s):  
Michal Rjaško
Keyword(s):  
Hash Function ◽  
Hash Functions ◽  
Formal Definition ◽  
Collision Resistance ◽  
Preimage Resistance ◽  
The Family ◽  
Lecture Notes ◽  
Definition Of ◽  
Cryptographic Techniques ◽  
Security Notion

Abstract In this paper we analyze the Chosen Target Forced Prefix (CTFP) preimage resistance security notion for hash functions firstly introduced in [Kelsey, J.-Kohno, T.: Herding hash functions and the Nostradamus attack, in: Advances in Cryptology-EUROCRYPT ’06, 25th Annual Internat. Conf. on the Theory and Appl. of Cryptographic Techniques (S. Vaudenay, ed.), St. Peters- burg, Russia, 2006, Lecture Notes in Comput. Sci., Vol. 4004, Springer-Verlag, Berlin, 2006, pp. 183-200]. We give a formal definition of this property in hash function family settings and work out all the implications and separations be- tween the CTFP preimage resistance and other standard notions of hash function security (preimage resistance, collision resistance, etc.). This paper follows the work of [Rogaway, P.-Shrimpton, T.: Cryptographic hash-function basics: Def- initions, implications, and separations for preimage resistance, second-preimage resistance, and collision resistance, in: Fast Software Encryption, 11th Interna- tional Workshop-FSE ’04 (B. Roy et al., eds.), Delhi, India, 2004, Lecture Notes in Comput. Sci., Vol. 3017, Springer-Verlag, Berlin, 2004, pp. 371-388], where they define seven basic notions of hash function security and examine all the relationships among these notions. We also define a new property for security of hash function families-always CTFP preimage resistance, which guarantees CTFP security for all the hash functions in the family.

scholarly journals Security Analysis of BLAKE2’s Modes of Operation

2016 ◽  
pp. 158-176
Author(s):  
Atul Luykx ◽  
Bart Mennink ◽  
Samuel Neves
Keyword(s):  
Hash Function ◽  
Random Function ◽  
Security Analysis ◽  
Building Blocks ◽  
Modes Of Operation ◽  
Compression Function ◽  
Ideal Cipher ◽  
Generic Attacks ◽  
Carry Over ◽  
Ideal Cipher Model

BLAKE2 is a hash function introduced at ACNS 2013, which has been adopted in many constructions and applications. It is a successor to the SHA-3 finalist BLAKE, which received a significant amount of security analysis. Nevertheless, BLAKE2 introduces sufficient changes so that not all results from BLAKE carry over, meaning new analysis is necessary. To date, all known cryptanalysis done on BLAKE2 has focused on its underlying building blocks, with little focus placed on understanding BLAKE2’s generic security. We prove that BLAKE2’s compression function is indifferentiable from a random function in a weakly ideal cipher model, which was not the case for BLAKE. This implies that there are no generic attacks against any of the modes that BLAKE2 uses.

Sign in / Sign up

Export Citation Format

Share Document