Xuejia Lai,James L. Massey

DOI: https://doi.org/10.1007/3-540-47555-9_5

2007-01-01

Abstract:Iterated hash functions based on block ciphers are treated. Five attacks on an iterated hash function and on its round function are formulated. The wisdom of strengthening such hash functions by constraining the last block of the message to be hashed is stressed. Schemes for constructing m -bit and 2 m -bit hash round functions from m -bit block ciphers are studied. A principle is formalized for evaluating the strength of hash round functions, viz., that applying computationally simple (in both directions) invertible transformations to the input and output of a hash round function yields a new hash round function with the same security. By applying this principle, four attacks on three previously proposed 2 m -bit hash round functions are formulated. Finally, three new hash round functions based on an m -bit block cipher with a 2 m -bit key are proposed.

Lars R. Knudsen,Xuejia Lai,Bart Preneel

DOI: https://doi.org/10.1007/s001459900035

1994-01-01

Abstract:The security of hash functions based on a block cipher with a block length of m bits and a key length of k bits, where \(k\leq m\) , is considered. New attacks are presented on a large class of iterated hash functions with a 2m -bit hash result which processes in each iteration two message blocks using two encryptions. In particular, the attacks break three proposed schemes: Parallel-DM, the PBGV hash function, and the LOKI DBH mode.

Zheng Gong,Xuejia Lai,Kefei Chen

2008-01-01

Abstract:In this work the security of the rate-1 double block length hash functions, which based on a block cipher with a block length of n-bit and a key length of 2n-bit, is reconsidered. Counter-examples and new attacks are presented on this general class of double block length hash functions with rate 1, which disclose uncovered flaws in the necessary conditions given by Satoh et al. and Hirose. Preimage and second preimage attacks are presented on Hirose's two examples which were left as an open problem. Therefore, although all the rate-1 hash functions in this general class are failed to be optimally (second) preimage resistant, the necessary conditions are refined for ensuring this general class of the rate-1 hash functions to be optimally secure against the collision attack. In particular, two typical examples, which designed under the refined conditions, are proven to be indifferentiable from the random oracle in the ideal cipher model. The security results are extended to a new class of double block length hash functions with rate 1, where one block cipher used in the compression function has the key length is equal to the block length, while the other is doubled.

Yiyuan Luo,Xuejia Lai,Tiejun Jia

DOI: https://doi.org/10.1007/s12095-014-0117-2

2014-01-01

Cryptography and Communications

Abstract:In this paper we attack a 2n-bit double length hash function proposed by Lee et al. This proposal is a blockcipher-based hash function with hash rate 2/3. The designers claimed that it could achieve ideal collision resistance and gave a security proof. However, we find a collision attack with complexity of O(23n/4) and a preimage attack with complexity of O(2n). Our result shows this construction is much worse than an ideal 2n-bit hash function.

Yiyuan Luo,Xuejia Lai

2010-01-01

Abstract:In this paper we give more insights on the security of blockcipherbased hash functions. We give a very simple criterion to build a secure large class of Single-Block-Length (SBL) or double call DoubleBlock-Length (DBL) compression functions based on (kn, n) blockciphers, where kn is the key length and n is the block length and k is an integer. This criterion is simpler than previous works in the literature. Based on the criterion, we can get many results from this criterion, and we can get a conclusion on such class of blockcipher-based hash functions. We solved the open problem left by Hirose. Our results show that to build a secure double call DBL compression function, it is required k >= m+ 1 where m is the number of message blocks. Thus, we can only build rate 1/2 secure double DBL blockcipher-based compression functions if k == 2. At last, we pointed out flaws in Stam’s theorem about supercharged functions and gave a revision of this theorem and added another condition for the security of supercharged compression functions.

Huafei Zhu,Lixin Ran,Yumin Wang

IF: 1.019

1999-01-01

Chinese Journal of Electronics

Abstract:Cryptographic hash functions are very important for cryptographic protocols such as signature scheme and message authentication. Based on the pioneer work of X. Lai et al., a new framework of hash algorithm is developed in this paper. In our hash scheme, an extra pseudorandom keystream generator is not needed which may be more conveniently for practical use. We have proved that the security of the new hash scheme is equivalent to that of feedback shift registers (FSRs) controlled by 2m - bit security keys.

Lin Da,Lei Duo,Matt Henricksen,Chao Li

DOI: https://doi.org/10.1007/s12204-008-0664-9

2008-01-01

Abstract:For the 64 most basic ways to construct a hash function H : {0, 1}* → {0, 1} n from a block cipher E : {0, 1} n × {0, 1} n → {0, 1} n , Black et al. provided a formal and quantitative treatment of the 64 constructions, and proved that 20 schemes are collision resistant. This paper improves the upper and lower bounds and make contrast with a hash constructed from a random oracle. These 20 schemes have only one kind of collision resistance upper and lower bounds. In addition, we present new advantages for finding second preimages.

Gong Zheng,Luo Yiyuan,Lai Xuejia,Chen Kefei

IF: 1.019

2012-01-01

Chinese Journal of Electronics

Abstract:The security of double-block-length hash functions with rate 1, which are based on a block cipher with a block length of n bits and a key length of 2n bits, was analyzed by Satoh et al. and Hirose. In this paper, we reconsider the security of this general class of hash functions (named FDBL-II for brevity). The new counter-examples and attacks are presented on FDBL-II, which reveal some flaws in the necessary conditions proposed by Satoh et al. and Hirose. Moreover, our analysis shows that all rate-1 hash functions in FDBL-II fail to be optimally (second) preimage resistant. Finally, the necessary conditions are revised for ensuring that a subclass of hash functions in FDBL-II can be optimally secure against collision attacks.

bozhong liu,zheng gong,xiaohong chen,weidong qiu,dong zheng

DOI: https://doi.org/10.1109/ITAPP.2010.5566639

2010-01-01

Abstract:Hash functions are widely used in authentication. In this paper, the security of Lin et al.'s efficient block-cipher-based hash function is reviewed. By using Joux's multicollisions and Kelsey et al.'s expandable message techniques, we find the scheme is vulnerable to collision, preimage and second preimage attacks. Some modifications are recommended to avoid those security flaws in Lin et al.'s hash construction.

Lars R. Knudsen,Xuejia Lai

DOI: https://doi.org/10.1007/bfb0053455

1994-01-01

Abstract:In this paper attacks on double block length hash functions using a block cipher are considered. We present attacks on all double block length hash functions of hash rate 1, that is, hash functions where in each round the block cipher is used twice, s.t. one encryption is needed per message block. In particular, our attacks break the Parallel-DM presented at Crypto'93[3].

Maokang Du,Bo He,Yong Wang,JianJun Wu,Di Xiao

DOI: https://doi.org/10.1109/ebiss.2009.5138020

2009-01-01

Abstract:Although a variety of hash functions have been proposed, few of them works efficiently in parallel computing environment. An algorithm for parallel hash function construction based on block cipher is proposed. Not only message blocks but also the orders of them are considered in the process of constructing hash values. This hash function can be expected to have the same computational security against target attack, free-start target attack, collision attack, semi-free-start collision attack, and free-start collision attack as DM scheme. Theoretical analysis and computer simulation indicate that the proposed algorithm can satisfy the performance requirements of hash function. It is simple, efficient, practicable, and reliable. These properties make it a good choice for hash on parallel computing platform for E-commerce.

Gaoli Wang

DOI: https://doi.org/10.1007/978-3-642-25243-3_19

2011-01-01

Abstract:Extended MD4 is a hash function proposed by Rivest in 1990 with a 256-bit hash value. The compression function consists of two different and independent parallel lines called Left Line and Right Line, and each line has 48 steps. The initial values of Left Line and Right Line are denoted by IV0 and IV1 respectively. Dobbertin proposed a collision attack for the compression function of Extended MD4 with a complexity of about 2(40) under the condition that the value for IV0 = IV1 is prescribed. In this paper, we gave a collision attack on the full Extended MD4 with a complexity of about 2(37). Firstly, we propose a collision differential path for both lines by choosing a proper message difference, and deduce a set of sufficient conditions that ensure the differential path hold. Then by using some precise message modification techniques to improve the success probability of the attack, we find two-block collisions of Extended MD4 with less than 2(37) computations. This work provides a new reference to the collision analysis of other hash functions such as RIPEMD-160 etc. which consist of two lines.

Jun Peng,Du Zhang,Yongguo Liu,Xiaofeng Liao

DOI: https://doi.org/10.1109/COGINF.2008.4639189

2008-01-01

Abstract:A novel iterated hash function based on double-pipe structure and the combination of Chebyshev chaotic map and piecewise linear chaotic map (PWLCM) is described in this paper. This function encodes a message of arbitrary length into a hash value with a fixed 128-bit length. For the proposed function, we conduct the following performance analyses: one-way property analysis, statistic analysis of diffusion and confusion, attacks resistance analysis and key space analysis. The results indicate that the function has desirable security properties which make it a suitable choice for data integrity applications.

Yusuke Naito

DOI: https://doi.org/10.1007/978-3-030-30530-7_4

2019-01-01

Abstract:Existing double-block-length (DBL) hash functions, in order to achieve optimal indifferentiable security (security up to O(2n)documentclass[12pt]{minimal}usepackage{amsmath}usepackage{wasysym}usepackage{amsfonts}usepackage{amssymb}usepackage{amsbsy}usepackage{mathrsfs}usepackage{upgreek}setlength{oddsidemargin}{-69pt}egin{document}$$O(2^n)$$end{document} query complexity), require a block cipher with ndocumentclass[12pt]{minimal}usepackage{amsmath}usepackage{wasysym}usepackage{amsfonts}usepackage{amssymb}usepackage{amsbsy}usepackage{mathrsfs}usepackage{upgreek}setlength{oddsidemargin}{-69pt}egin{document}$$n$$end{document}-bit blocks and kdocumentclass[12pt]{minimal}usepackage{amsmath}usepackage{wasysym}usepackage{amsfonts}usepackage{amssymb}usepackage{amsbsy}usepackage{mathrsfs}usepackage{upgreek}setlength{oddsidemargin}{-69pt}egin{document}$$k$$end{document}-bit keys such that 2n≤kdocumentclass[12pt]{minimal}usepackage{amsmath}usepackage{wasysym}usepackage{amsfonts}usepackage{amssymb}usepackage{amsbsy}usepackage{mathrsfs}usepackage{upgreek}setlength{oddsidemargin}{-69pt}egin{document}$$2nle k$$end{document}, and a post-processing function with two block cipher calls. In this paper, we consider the indifferentiability of MDPHdocumentclass[12pt]{minimal}usepackage{amsmath}usepackage{wasysym}usepackage{amsfonts}usepackage{amssymb}usepackage{amsbsy}usepackage{mathrsfs}usepackage{upgreek}setlength{oddsidemargin}{-69pt}egin{document}$$mathsf {MDPH}$$end{document}, a combination of the MDP domain extender and Hirose’s compression function. MDPHdocumentclass[12pt]{minimal}usepackage{amsmath}usepackage{wasysym}usepackage{amsfonts}usepackage{amssymb}usepackage{amsbsy}usepackage{mathrsfs}usepackage{upgreek}setlength{oddsidemargin}{-69pt}egin{document}$$mathsf {MDPH}$$end{document} does not require the post-processing function (thus has better efficiency), and supports block ciphers with n<kdocumentclass[12pt]{minimal}usepackage{amsmath}usepackage{wasysym}usepackage{amsfonts}usepackage{amssymb}usepackage{amsbsy}usepackage{mathrsfs}usepackage{upgreek}setlength{oddsidemargin}{-69pt}egin{document}$$n< k$$end{document}. We show that MDPHdocumentclass[12pt]{minimal}usepackage{amsmath}usepackage{wasysym}usepackage{amsfonts}usepackage{amssymb}usepackage{amsbsy}usepackage{mathrsfs}usepackage{upgreek}setlength{oddsidemargin}{-69pt}egin{document}$$mathsf {MDPH}$$end{document} achieves (nearly) optimal indifferentiable security. To the best of our knowledge, this is the first result for DBL hashing with optimal indifferentiable security, with support for block ciphers with n<kdocumentclass[12pt]{minimal}usepackage{amsmath}usepackage{wasysym}usepackage{amsfonts}usepackage{amssymb}usepackage{amsbsy}usepackage{mathrsfs}usepackage{upgreek}setlength{oddsidemargin}{-69pt}egin{document}$$n< k$$end{document}, and without the post-processing function.

Jiang Zhang,Yu Chen,Zhenfeng Zhang

DOI: https://doi.org/10.1007/s00145-023-09488-w

2023-12-01

Journal of Cryptology

Abstract:Driven by the open problem raised by Hofheinz and Kiltz (J Cryptol 25(3):484–527, 2012), we study the formalization of lattice-based programmable hash function (PHF) and give three types of concrete constructions by using several techniques such as a novel combination of cover-free sets and lattice trapdoors. Under the inhomogeneous small integer solution (ISIS) assumption, we show that any (non-trivial) lattice-based PHF is a collision-resistant hash function, which gives a direct application of this new primitive. We further demonstrate the power of lattice-based PHF by giving generic constructions of signature and identity-based encryption (IBE) in the standard model, which not only provide a way to unify several previous lattice-based schemes using the partitioning proof techniques, but also allow us to obtain new short signature schemes and IBE schemes from (ideal) lattices. Specifically, by instantiating the generic constructions with our Type-II and Type-III PHF constructions, we immediately obtain two short signatures and two IBE schemes with asymptotically much shorter keys. A major downside which inherits from our Type-II and Type-III PHF constructions is that we can only prove the security of the new signatures and IBEs in the bounded security model that the number Q of the adversary's queries is required to be known in advance. Another downside is that the computational time of our new signatures and IBEs is a linear function of Q , which is large for typical parameters. To overcome the above limitations, we also give a refined way of using Type-II and Type-III PHFs to construct lattice-based short signatures with short verification keys in the full security model. In particular, our methods depart from the confined guessing technique of Böhl et al. (Eurocrypt'13) that was used to construct previous standard model short signature schemes with short verification keys by Ducas and Micciancio (Crypto'14) and by Alperin-Sheriff (PKC'15) and allow us to achieve much tighter security from weaker hardness assumptions.

computer science, theory & methods,engineering, electrical & electronic,mathematics, applied

Xiaoyang Dong,Xiaoyun Wang

DOI: https://doi.org/10.13154/tosc.v2016.i1.13-32

2016-01-01

Abstract:Since Knudsen and Rijmen proposed the known-key attacks in ASIACRYPT 2007, the open-key model becomes more and more popular. As the other component of the open-key model, chosen-key model was applied to the full attacks on AES-256 by Biryukov et al. in CRYPTO 2009. In this paper, we explore how practically the chosen-key model affect the real-world cryptography and show that 11-round generic Feistel-SP block cipher is no longer safe in its hashing modes (MMO and MP mode) as there exist collision attacks. This work improves Sasaki and Yasuda’s collision attacks by 2 rounds with two interesting techniques. First, we for the first time use the available degrees of freedom in the key to reduce the complexity of the inbound phase, which extends the previous 5-round inbound differential to a 7-round one. This results in a 12-round chosen-key distinguisher of Feistel-SP block cipher. Second, inspired by the idea of Wang et al., we construct collisions using two blocks. The rebound attack is used in the second compression function. We carefully balance the freedom of the first block and the complexity of the rebound attack, and extend the chosen-key attack to a 11-round collision attack on its hashing modes (MMO and MP mode).

Zhuosheng Lin,Christophe Guyeux,Simin Yu,Qianxue Wang

DOI: https://doi.org/10.48550/arXiv.1706.08101

2017-06-25

Abstract:Investigating how to construct a secure hash algorithm needs in-depth study, as various existing hash functions like the MD5 algorithm have recently exposed their security flaws. At the same time, hash function based on chaotic theory has become an emerging research in the field of nonlinear information security. As an extension of our previous research works, a new chaotic iterations keyed hash function is proposed in this article. Chaotic iterations are used both to construct strategies with pseudorandom number generator and to calculate new hash values using classical hash functions. It is shown that, by doing so, it is possible to apply a kind of post-treatment on existing hash algorithms, which preserves their security properties while adding Devaney's chaos. Security performance analysis of such a post-treatment are finally provided.

Cryptography and Security

Harshvardhan Tiwari,Dr. Krishna Asawa

DOI: https://doi.org/10.48550/arXiv.1003.1492

2010-03-08

Abstract:Cryptographic hash functions play a central role in cryptography. Hash functions were introduced in cryptology to provide message integrity and authentication. MD5, SHA1 and RIPEMD are among the most commonly used message digest algorithm. Recently proposed attacks on well known and widely used hash functions motivate a design of new stronger hash function. In this paper a new approach is presented that produces 192 bit message digest and uses a modified message expansion mechanism which generates more bit difference in each working variable to make the algorithm more secure. This hash function is collision resistant and assures a good compression and preimage resistance.

Cryptography and Security

DU Pei,WANG Weike,HE Zhanhong,LI Lin,WANG Xiang

DOI: https://doi.org/10.13700/j.bh.1001-5965.2017.0311

2018-01-01

Abstract:Linear layer of lightweight hash functions is ordinarily too simple to resist statistical saturation attack.A novel lightweight hash function is proposed,which is based on the sponge structure and inspired by affine transformation S-box.The affine transformation S-box inherit the excellent cryptographic properties of original S-box,and offset lack of simple linear layer to a great extent as well.The original 4 bit S-box is selected by computing numbers of differential pairs with the largest differential probability,masks with the best linear approximation and maximum branch number of optimal S-box affine equivalent classes.Security of holis-tic and internal primitives is analyzed with differential and linear cryptanalysis,and especially statistical satu-ration attack.The control logic of affine transformation structure and the serial／parallel hardware architecture are designed and synthesized by Design Compiler.The results show that in case of adding a few control logic, the lightweight hash function with affine transformation S-box increases difficulty of tracing specific bit in diffusion trail,that is,structures of affine transformations increase confusion of linear diffusion layer and im-prove the ability against statistical saturation attack.

Tao Peng,Christopher Leckie,Kotagiri Ramamohanarao

DOI: https://doi.org/10.1109/ATNAC.2007.4665307

2007-01-01

Abstract:Malicious users can launch denial-of-service attacks to any hash-based application by enforcing continuous hash collisions. In this paper, we propose a generalized attack-resistant hashing algorithm that is immune to these attacks. Experimental results show that our secure hashing algorithms are efficient and robust against hash collision attacks.