51 research outputs found
On the Design of Secure and Fast Double Block Length Hash Functions
In this work the security of the rate-1 double block length hash functions, which based on a block cipher with a block length of n-bit and a key length of 2n-bit, is reconsidered.
Counter-examples and new attacks are presented on this general class of double block length hash functions with rate 1, which disclose uncovered flaws in the necessary conditions given by Satoh et al. and Hirose. Preimage and second preimage attacks are presented on Hirose's two examples which were left as an open problem. Therefore, although all the rate-1 hash functions in this general class are failed to be optimally (second) preimage resistant, the necessary conditions are refined for ensuring this general class of the rate-1 hash functions to be optimally secure against the collision attack. In particular, two typical examples, which designed under the refined conditions, are proven to be indifferentiable from the random oracle in the ideal cipher model. The security results are extended to a new class of double block length hash functions with rate 1, where one block cipher used in
the compression function has the key length is equal to the block length, while the other is doubled
Provably Secure Double-Block-Length Hash Functions in a Black-Box Model
In CRYPTOā89, Merkle presented three double-block-length
hash functions based on DES. They are optimally collision resistant in
a black-box model, that is, the time complexity of any collision-finding
algorithm for them is Ī©(2^<l/2>) if DES is a random block cipher, where
l is the output length. Their drawback is that their rates are low. In
this article, new double-block-length hash functions with higher rates
are presented which are also optimally collision resistant in the blackbox
model. They are composed of block ciphers whose key length is twice
larger than their block length
Cryptanalysis of Some Double-Block-Length Hash Modes of Block Ciphers with -Bit Block and -Bit Key
In this paper, we make attacks on DBL (Double-Block-Length) hash
modes of block ciphers with -bit key and -bit block. Our
preimage attack on the hash function of MDC-4 scheme requires the
time complexity , which is significantly improved compared
to the previous results. Our collision attack on the hash function
of MJH scheme has time complexity less than for .
Our preimage attack on the compression function of MJH scheme find a
preimage with time complexity of . It is converted to a
preimage attack on the hash function with time complexity of
. Our preimage attack on the compression function of
Mennink\u27s scheme find a preimage with time complexity of .
It is converted to a preimage attack on the hash function with time
complexity of . These attacks are helpful for understanding the security of the hash
modes together with their security proofs
Optimal Collision Security in Double Block Length Hashing with Single Length Key
The idea of double block length hashing is to construct a compression function on 2n bits using a block cipher with an n-bit block size. All optimally secure double length hash functions known in the literature employ a cipher with a key space of double block size, 2n-bit. On the other hand, no optimally secure compression functions built from a cipher with an n-bit key space are known. Our work deals with this problem. Firstly, we prove that for a wide class of compression functions with two calls to its underlying n-bit keyed block cipher collisions can be found in about 2n/2 queries. This attack applies, among others, to functions where the output is derived from the block cipher outputs in a linear way. This observation demonstrates that all security results of designs using a cipher with 2n-bit key space crucially rely on the presence of these extra n key bits. The main contribution of this work is a proof that this issue can be resolved by allowing the compression function to make one extra call to the cipher. We propose a family of compression functions making three block cipher calls that asymptotically achieves optimal collision resistance up to 2n(1-Īµ) queries and preimage resistance up to 23n(1-Īµ)/2 queries, for any Īµ > 0. To our knowledge, this is the first optimally collision secure double block length construction using a block cipher with single length key space. Ā© International Association for Cryptologic Research 2012.status: publishe
New Preimage Attack on MDC-4
In this paper, we provide some cryptanalytic results for
double-block-length (DBL) hash modes of block ciphers, MDC-4. Our
preimage attacks follow the framework of Knudsen et al.\u27s
time/memory trade-off preimage attack on MDC-2. We find how to apply
it to our objects. When the block length of the underlying block
cipher is bits, the most efficient preimage attack on MDC-4
requires time and space about , which is to be compared to
the previous best known preimage attack having time complexity of
. Additionally, we propose an enhanced version of MDC-4,
MDC-4 based on a simple idea. It is secure against our preimage
attack and previous attacks and has the same efficiency as MDC-4
The Collision Security of MDC-4
There are four somewhat classical double length block cipher based compression functions known: MDC-2, MDC-4, Abreast-DM, and Tandem-DM. They all have been developed over 20 years ago. In recent years, cryptographic research has put a focus on block cipher based hashing and found collision security results for three of them (MDC-2, Abreast-DM, Tandem-DM). In this paper, we add MDC-4, which is part of the IBM CLiC cryptographic module (FIPS 140-2 Security Policy for IBM CrytoLite in C, October 2003), to that list by showing that - \u27instantiated\u27 using an ideal block cipher with 128 bit key/plaintext/ciphertext size - no adversary asking less than queries can find a collision with probability greater than . This is the first result on the collision security of the hash function MDC-4.
The compression function MDC-4 is created by interconnecting two MDC-2 compression functions but only hashing one message block with them instead of two. The developers aim for MDC-4 was to offer a higher security margin, when compared to MEDC-2, but still being fast enough for practical purposes.
The MDC-2 collision security proof of Steinberger (EUROCRYPT 2007) cannot be directly applied to MDC-4 due to the structural differences. Although sharing many commonalities, our proof for MDC-4 is much shorter and we claim that our presentation is also easier to grasp
The Security of Abreast-DM in the Ideal Cipher Model
In this paper, we give a security proof for Abreast-DM in terms of collision resistance and preimage resistance. As old as Tandem-DM, the compression function Abreast-DM is one of the most well-known constructions for double block length compression functions. The bounds on the number of queries for collision resistance and preimage resistance are given by O(2^n). Based on a novel technique using query-response cycles, our security proof is simpler than those for MDC-2 and Tandem-DM. We also present a wide class of Abreast-DM variants that enjoy a birthday-type security guarantee with a simple proof
- ā¦