The Lane hash function
We propose the cryptographic hash function Lane as a candidate for the SHA-3 competition organised by NIST.
Lane is an iterated hash function supporting multiple digest sizes.
Components of the AES block cipher are reused as building blocks.
Lane aims to be secure, easy to understand, elegant and flexible in implementation.
Whirlwind: a new cryptographic hash function
A new cryptographic hash function Whirlwind is presented. We give the full specification and explain the design rationale. We show how the hash function can be implemented efficiently in software and give first performance numbers. A detailed analysis of the security against state-of-the-art cryptanalysis methods is also provided. In comparison to the algorithms submitted to the SHA-3 competition, Whirlwind takes recent developments in cryptanalysis into account by design. Even though software performance is not outstanding, it compares favourably with the 512-bit versions of SHA-3 candidates such as LANE or the original CubeHash proposal and is about on par with ECHO and MD6.
Finding Bugs in Cryptographic Hash Function Implementations
Cryptographic hash functions are security-critical algorithms with many practical applications, notably in digital signatures. Developing an approach to test them can be particularly difficult, and bugs can remain unnoticed for many years. We revisit the NIST hash function competition, which was used to develop the SHA-3 standard, and apply a new testing strategy to all available reference implementations. Motivated by the cryptographic properties that a hash function should satisfy, we develop four tests. The Bit-Contribution Test checks that changes in the message affect the hash value, and the Bit-Exclusion Test checks that changes beyond the last message bit leave the hash value unchanged. We develop the Update Test to verify that messages are processed correctly in chunks, and then use combinatorial testing methods to reduce the test set size by several orders of magnitude while retaining the same fault-detection capability. Our tests detect bugs in 41 of the 86 reference implementations submitted to the SHA-3 competition, including the rediscovery of a bug in all submitted implementations of the SHA-3 finalist BLAKE. This bug remained undiscovered for seven years, and is particularly serious because it provides a simple strategy to modify the message without changing the hash value returned by the implementation. We detect these bugs using a fully automated testing approach.
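As an added illustration (not code from the paper or from any SHA-3 submission), the three checks described above written in Go against a constructed bit-length hash API of the kind the competition's reference implementations exposed: a reference built on SHA-256 that masks the unused bits of the final byte, a constructed faulty variant that forgets the mask (so bits beyond the declared end of the message leak into the digest, the defect class the Bit-Exclusion Test targets), and a constructed incremental wrapper that overwrites instead of carrying the unprocessed tail between Write calls, which a single one-shot call never reveals and only the Update Test exposes. The function names, the length encoding and both faulty variants are assumptions of this example, not the paper's harness or the BLAKE bug.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"hash"
)

// BitHash is a one-shot, bit-length API: hash the first bitlen bits of data
// (MSB-first within a byte), as the SHA-3 competition API did.
type BitHash func(data []byte, bitlen int) []byte

// lengthTag encodes bitlen so that messages of different bit lengths sharing
// a byte prefix never hash alike (constructed reference, not a real SHA-3 API).
func lengthTag(bitlen int) []byte {
	var l [8]byte
	binary.BigEndian.PutUint64(l[:], uint64(bitlen))
	return l[:]
}

// refHash is the constructed correct implementation: it masks the unused bits
// of the last byte before hashing, so only the declared message bits matter.
func refHash(data []byte, bitlen int) []byte {
	n := (bitlen + 7) / 8
	msg := append([]byte(nil), data[:n]...)
	if r := bitlen % 8; r != 0 {
		msg[n-1] &= byte(0xFF) << uint(8-r)
	}
	h := sha256.New()
	h.Write(msg)
	h.Write(lengthTag(bitlen))
	return h.Sum(nil)
}

// buggyTailHash is a constructed faulty implementation: it forgets the mask,
// so flipping a bit past the end of the message changes the digest.
func buggyTailHash(data []byte, bitlen int) []byte {
	h := sha256.New()
	h.Write(data[:(bitlen+7)/8])
	h.Write(lengthTag(bitlen))
	return h.Sum(nil)
}

func flipBit(data []byte, i int) []byte {
	out := append([]byte(nil), data...)
	out[i/8] ^= 0x80 >> uint(i%8)
	return out
}

// BitContributionTest: flipping any bit inside the message must change the digest.
func BitContributionTest(h BitHash, msg []byte, bitlen int) bool {
	ref := h(msg, bitlen)
	for i := 0; i < bitlen; i++ {
		if bytes.Equal(h(flipBit(msg, i), bitlen), ref) {
			return false
		}
	}
	return true
}

// BitExclusionTest: flipping any bit beyond the message must leave it unchanged.
func BitExclusionTest(h BitHash, msg []byte, bitlen int) bool {
	ref := h(msg, bitlen)
	for i := bitlen; i < len(msg)*8; i++ {
		if !bytes.Equal(h(flipBit(msg, i), bitlen), ref) {
			return false
		}
	}
	return true
}

// noCarryHash is a constructed faulty incremental implementation: it assumes
// every Write is block-aligned and overwrites, rather than carries, the tail
// left over from the previous call. One Write of the whole message is still
// hashed correctly, so only chunked processing exposes the defect.
type noCarryHash struct {
	hash.Hash
	tail []byte
}

func (n *noCarryHash) Write(p []byte) (int, error) {
	full := len(p) / n.BlockSize() * n.BlockSize()
	n.Hash.Write(p[:full])
	n.tail = append([]byte(nil), p[full:]...) // earlier tails are lost here
	return len(p), nil
}

func (n *noCarryHash) Sum(b []byte) []byte {
	n.Hash.Write(n.tail)
	n.tail = nil
	return n.Hash.Sum(b)
}

// UpdateTest: feeding the message in chunk-byte pieces must match one-shot hashing.
func UpdateTest(newH func() hash.Hash, msg []byte, chunk int) bool {
	one := newH()
	one.Write(msg)
	inc := newH()
	for i := 0; i < len(msg); i += chunk {
		end := i + chunk
		if end > len(msg) {
			end = len(msg)
		}
		inc.Write(msg[i:end])
	}
	return bytes.Equal(one.Sum(nil), inc.Sum(nil))
}

func main() {
	msg := []byte("constructed test message for the SHA-3 API checks") // constructed input
	bitlen := len(msg)*8 - 5                                          // non-byte-aligned length
	fmt.Println("ref:   contribution", BitContributionTest(refHash, msg, bitlen), "exclusion", BitExclusionTest(refHash, msg, bitlen))
	fmt.Println("buggy: contribution", BitContributionTest(buggyTailHash, msg, bitlen), "exclusion", BitExclusionTest(buggyTailHash, msg, bitlen))
	fmt.Println("sha256 update test:", UpdateTest(sha256.New, msg, 7))
	fmt.Println("noCarry update test:", UpdateTest(func() hash.Hash { return &noCarryHash{Hash: sha256.New()} }, msg, 7))
}
```

Note which test catches which defect: the tail-mask bug passes Bit-Contribution and fails Bit-Exclusion, while the no-carry wrapper passes both one-shot tests and fails only the Update Test, which is why a harness needs all three.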
A Study on RAM Requirements of Various SHA-3 Candidates on Low-cost 8-bit CPUs
In this paper, we compare the implementation costs of various SHA-3 candidates on low-cost 8-bit CPUs by estimating their RAM/ROM requirements. As a first step toward this kind of research, our comparison rests on reasonable estimates of RAM/ROM requirements that can be made without implementing the candidates.
FPGA Implementations of SHA-3 Candidates: CubeHash, Grøstl, Lane, Shabal and Spectral Hash
Hash functions are widely used in, and form an important part of, many cryptographic protocols. Currently, a public competition is underway to find a new hash algorithm (or algorithms) for inclusion in the NIST Secure Hash Standard (SHA-3). Computational efficiency of the algorithms in hardware will form one of the evaluation criteria. In this paper, we focus on five of these candidate algorithms, namely CubeHash, Grøstl, Lane, Shabal and Spectral Hash. Using Xilinx Spartan-3 and Virtex-5 FPGAs, we present architectures for each of these hash functions and explore area-speed trade-offs in each design. The efficiency of the various architectures for the five hash functions is compared in terms of throughput per unit area. To the best of the authors' knowledge, this is the first such comparison of these SHA-3 candidates in the literature.
Blockchains in public administration
In this thesis, we survey blockchain applications suited to public administration. First we introduce the components of blockchain technology. The study itself focuses on questions related to the integrity and evaluation of digital evidence, electronic voting, and the handling of health data.

We begin with hash functions and the general structure of a blockchain, then present the cryptocurrency Bitcoin as an example of blockchain technology. Questions of evidence integrity are examined by evaluating three published studies; likewise, three studies on the reliability and security of voting are examined, and finally three studies on handling health data with blockchain technology.

For each of the three areas we give a general assessment of the applicability of blockchain technology, in the form presented in the evaluated publications. We also present some other potential blockchain application areas. Finally, in light of the applications examined, we give an overall assessment of the applicability of blockchain technology to public administration and state our other conclusions.
Efficient Hashing Using the AES Instruction Set
In this work, we provide a software benchmark for a large range of 256-bit blockcipher-based hash functions. We instantiate the underlying blockcipher with AES, which allows us to exploit the recent AES instruction set (AES-NI). Since AES itself only outputs 128 bits, we consider double-block-length constructions, as well as (single-block-length) constructions based on RIJNDAEL-256. Although we primarily target architectures supporting AES-NI, our framework has much broader applications: it estimates the performance of these hash functions on any (micro-)architecture given AES benchmark results. As far as we are aware, this is the first comprehensive performance comparison of multi-block-length hash functions in software.
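As an added example (not the paper's benchmark code), two of the standard blockcipher-based constructions the abstract refers to, instantiated with Go's crypto/aes: Matyas-Meyer-Oseas as a single-block-length scheme (one AES-128 call per 16-byte block, 128-bit digest, so it cannot reach 256 bits) and Hirose's double-block-length scheme, which chains a 256-bit state through two AES-256 calls per 16-byte block and so spends twice the cipher calls per byte. The zero IV, the constant c, the padding rule and the cycle estimator are assumptions made here; the paper does not say which constructions or parameters it benchmarked.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

const blk = 16 // AES block size in bytes

// pad applies Merkle-Damgård strengthening: 0x80, zeros, 64-bit bit length.
func pad(msg []byte) []byte {
	out := append([]byte(nil), msg...)
	out = append(out, 0x80)
	for len(out)%blk != blk-8 {
		out = append(out, 0)
	}
	var l [8]byte
	binary.BigEndian.PutUint64(l[:], uint64(len(msg))*8)
	return append(out, l[:]...)
}

// paddedBlocks is the number of 16-byte blocks pad() produces for n message bytes.
func paddedBlocks(n int) int { return (n + 24) / blk }

// encrypt runs one AES call; a 16-byte key selects AES-128, a 32-byte key AES-256.
func encrypt(key, in []byte) []byte {
	c, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, blk)
	c.Encrypt(out, in)
	return out
}

func xor(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// MMO is Matyas-Meyer-Oseas: H_i = E_{H_{i-1}}(M_i) xor M_i with AES-128.
// Single-block-length: one cipher call per block, 128-bit digest. IV = 0 (assumed).
func MMO(msg []byte) []byte {
	h := make([]byte, blk)
	p := pad(msg)
	for i := 0; i < len(p); i += blk {
		m := p[i : i+blk]
		h = xor(encrypt(h, m), m)
	}
	return h
}

// Hirose is Hirose's double-block-length scheme with AES-256:
//   K   = H_{i-1} || M_i              (256-bit key: 128-bit state half, 128-bit block)
//   G_i = E_K(G_{i-1}) xor G_{i-1}
//   H_i = E_K(G_{i-1} xor c) xor G_{i-1} xor c
// Two cipher calls per block, 256-bit digest G||H. IV = 0 and c = 0^120||1 are assumed.
func Hirose(msg []byte) []byte {
	g := make([]byte, blk)
	h := make([]byte, blk)
	c := make([]byte, blk)
	c[blk-1] = 1
	p := pad(msg)
	for i := 0; i < len(p); i += blk {
		k := append(append([]byte(nil), h...), p[i:i+blk]...)
		gc := xor(g, c)
		gNext := xor(encrypt(k, g), g)
		hNext := xor(encrypt(k, gc), gc)
		g, h = gNext, hNext
	}
	return append(g, h...)
}

// CyclesPerByte estimates throughput from a measured per-call AES cost: the
// kind of extrapolation the abstract describes, given callsPerBlock for a scheme.
func CyclesPerByte(callsPerBlock int, cyclesPerCall float64, msgLen int) float64 {
	return float64(paddedBlocks(msgLen)*callsPerBlock) * cyclesPerCall / float64(msgLen)
}

func main() {
	m := []byte("constructed message") // constructed input
	fmt.Println("MMO-128:   ", hex.EncodeToString(MMO(m)))
	fmt.Println("Hirose-256:", hex.EncodeToString(Hirose(m)))
	// Assumed per-call costs, purely illustrative; substitute measured numbers.
	fmt.Printf("MMO    %.2f c/B, Hirose %.2f c/B for 4 KiB\n", CyclesPerByte(1, 20, 4096), CyclesPerByte(2, 28, 4096))
}
```

The rate difference is the point the benchmark revolves around: Hirose costs two AES-256 calls per 16 bytes against one AES-128 call for MMO, so on AES-NI hardware the per-call cost measured once lets you predict either scheme's cycles per byte without implementing it.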
Differential and invertibility properties of BLAKE (full version)
BLAKE is a hash function selected by NIST as one of the 14 second round candidates for the SHA-3 Competition. In this paper, we follow a bottom-up approach to exhibit properties of BLAKE and of its building blocks: based on differential properties of the internal function G, we show that a round of BLAKE is a permutation on the message space, and present an efficient inversion algorithm. For 1.5 rounds we present an algorithm that finds preimages faster than in previous attacks. Discovered properties lead us to describe large classes of impossible differentials for two rounds of BLAKE's internal permutation, and particular impossible differentials for five and six rounds, respectively for BLAKE-32 and BLAKE-64. Then, using a linear and rotation-free model, we describe near-collisions for four rounds of the compression function. Finally, we discuss the problem of establishing upper bounds on the probability of differential characteristics for BLAKE.
A New Algorithm for the Unbalanced Meet-in-the-Middle Problem
A collision search for a pair of -bit unbalanced functions (one is times more expensive than the other) is an instance of the meet-in-the-middle problem, solved with the familiar standard algorithm that follows the tradeoff , where and are time and memory complexities and .
By combining two ideas, unbalanced interleaving and Oorschot-Wiener parallel collision search, we construct an alternative algorithm that follows , where .
Among other things, the algorithm solves the well-known open problem of how to reduce the memory of unbalanced collision search.
The Sum Can Be Weaker Than Each Part
In this paper we study the security of summing the outputs of two independent hash functions, in an effort to increase the security of the resulting design, or to hedge against the failure of one of the hash functions. The exclusive-or (XOR) combiner H1(M)+H2(M) is one of the two most classical combiners, together with the concatenation combiner H1(M)||H2(M). While the security of the concatenation of two hash functions has been well understood since Joux's seminal work on multicollisions, the security of the sum of two hash functions has been much less studied.

The XOR combiner is well known as a good PRF and MAC combiner, and is used in practice in TLS versions 1.0 and 1.1. In a hash function setting, Hoch and Shamir have shown that if the compression functions are modeled as random oracles, or even weak random oracles (i.e. they can easily be inverted; in particular H1 and H2 offer no security), H1+H2 is indifferentiable from a random oracle up to the birthday bound.

In this work, we focus on the preimage resistance of the sum of two narrow-pipe n-bit hash functions following the Merkle-Damgård or HAIFA structure (the internal state size and the output size are both n bits). We show a rather surprising result: the sum of two such hash functions, e.g. SHA-512+Whirlpool, can never provide n-bit security for preimage resistance. More precisely, we present a generic preimage attack with a complexity of O(2^(5n/6)). While it is already known that the XOR combiner does not preserve preimage resistance (i.e. there might be some instantiations where the hash functions are secure but the sum is not), our result is much stronger: for any narrow-pipe functions, the sum is not preimage resistant.

Besides, we also provide concrete preimage attacks on the XOR combiner (and the concatenation combiner) when one or both of the compression functions are weak; this complements Hoch and Shamir's proof by showing its tightness for preimage resistance.

Of independent interest, one of our main technical contributions is a novel structure to control simultaneously the behavior of independent hash computations which share the same input message. We hope that breaking the pairwise relationship between their internal states will have applications in related settings.
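The Joux multicollision attack that the abstract invokes as the reason the concatenation combiner is well understood, as an added example in Go (not the paper's code, which concerns preimage rather than collision attacks): two constructed toy narrow-pipe Merkle-Damgård hashes with a 16-bit state, a birthday search for k successive single-block collisions on H1 (about k·2^(n/2) work) yielding 2^k distinct messages with the same H1 digest, and a birthday search among those for an H2 collision (about 2^(n/2) messages). The resulting pair collides under H1||H2 and, because each component collides on its own, under H1 xor H2 as well, far below the 2^n work a 2n-bit digest would suggest. The toy compression function (truncated SHA-256 with a tag), the IV and the choice of k are constructed for this illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// n is the state and output size in bits of the toy narrow-pipe hashes.
const n = 16

// compress is a constructed compression function: SHA-256 of (tag, state, block),
// truncated to n bits. Different tags give independent functions H1 and H2.
func compress(tag byte, h, m uint16) uint16 {
	var in [5]byte
	in[0] = tag
	binary.BigEndian.PutUint16(in[1:], h)
	binary.BigEndian.PutUint16(in[3:], m)
	d := sha256.Sum256(in[:])
	return binary.BigEndian.Uint16(d[:2])
}

// toyHash iterates compress over 16-bit blocks from IV = 0 (no padding: all
// messages in this example have the same block count).
func toyHash(tag byte, msg []uint16) uint16 {
	var h uint16
	for _, m := range msg {
		h = compress(tag, h, m)
	}
	return h
}

func H1(msg []uint16) uint16 { return toyHash(1, msg) }
func H2(msg []uint16) uint16 { return toyHash(2, msg) }

// blockCollision finds two distinct blocks that collide under compress(tag, h, .)
// by birthday search, about 2^(n/2) evaluations for a random function.
func blockCollision(tag byte, h uint16) ([2]uint16, bool) {
	seen := make(map[uint16]uint16)
	for m := 0; m < 1<<n; m++ {
		out := compress(tag, h, uint16(m))
		if prev, ok := seen[out]; ok {
			return [2]uint16{prev, uint16(m)}, true
		}
		seen[out] = uint16(m)
	}
	return [2]uint16{}, false // only if compress(tag, h, .) is a permutation
}

// JouxMulticollision chains k block collisions on H1: every choice of one block
// from each pair reaches the same H1 state, so the 2^k messages share an H1 digest.
func JouxMulticollision(k int) ([][2]uint16, bool) {
	pairs := make([][2]uint16, k)
	var h uint16
	for i := range pairs {
		p, ok := blockCollision(1, h)
		if !ok {
			return nil, false
		}
		pairs[i] = p
		h = compress(1, h, p[0]) // p[1] leads to the same state by construction
	}
	return pairs, true
}

// CombinerCollision returns M != M' with H1(M)=H1(M') and H2(M)=H2(M'), hence a
// collision for both H1||H2 and H1 xor H2. Cost ~ k*2^(n/2) + 2^k instead of 2^n.
func CombinerCollision(k int) (m1, m2 []uint16, ok bool) {
	pairs, ok := JouxMulticollision(k)
	if !ok {
		return nil, nil, false
	}
	seen := make(map[uint16][]uint16)
	for sel := 0; sel < 1<<k; sel++ {
		msg := make([]uint16, k)
		for j := range msg {
			msg[j] = pairs[j][(sel>>j)&1] // bit j of sel picks one block of pair j
		}
		d := H2(msg)
		if prev, found := seen[d]; found {
			return prev, msg, true
		}
		seen[d] = msg
	}
	return nil, nil, false
}

func main() {
	a, b, ok := CombinerCollision(12) // 2^12 candidates against a 16-bit H2
	fmt.Println("found:", ok, "H1 equal:", H1(a) == H1(b), "H2 equal:", H2(a) == H2(b))
	fmt.Printf("H1||H2(a) = %04x%04x   H1||H2(b) = %04x%04x\n", H1(a), H2(a), H1(b), H2(b))
}
```

With k = 12 the second stage holds 4096 candidate messages, so an H2 collision in a 16-bit space is all but certain; scaled up, the same construction turns a 2^(n/2)-cost collision on each component into a collision on the 2n-bit concatenation, which is exactly why narrow-pipe components cannot buy the combiner more than n bits of collision resistance.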