
Showing papers on "Collision attack published in 1997"


Book ChapterDOI
17 Aug 1997
TL;DR: In this paper, the universal one-way hash functions (UOWHFs) of Naor and Yung were investigated, and the main construction of the XOR tree was proposed.
Abstract: Recent attacks on the cryptographic hash functions MD4 and MD5 make it clear that (strong) collision-resistance is a hard-to-achieve goal. We look towards a weaker notion, the universal one-way hash functions (UOWHFs) of Naor and Yung, and investigate their practical potential. The goal is to build UOWHFs not based on number theoretic assumptions, but from the primitives underlying current cryptographic hash functions like MD5 and SHA-1. Pursuing this goal leads us to new questions. The main one is how to extend a compression function to a full-fledged hash function in this new setting. We show that the classic Merkle-Damgard method used in the standard setting fails for these weaker kinds of hash functions, and we present some new methods that work. Our main construction is the “XOR tree.” We also consider the problem of input length-variability and present a general solution.

221 citations


Journal ArticleDOI
TL;DR: It turns out that the methods developed in this note can be applied to find collisions for the full MD4, and the reduced versions of RIPEMD, where the first or the last round of the compress function is omitted, are not collision-free.
Abstract: In 1990 Rivest introduced the cryptographic hash function MD4. The compress function of MD4 has three rounds. After partial attacks against MD4 were found, the stronger mode RIPEMD was designed as a European proposal in 1992 (RACE project). Its compress function consists of two parallel lines of modified versions of MD4-compress. RIPEMD is currently being considered to become an international standard (ISO/IEC Draft 10118-3). However, in this paper an attack against RIPEMD is described, which leads to comparable results with the previously known attacks against MD4: The reduced versions of RIPEMD, where the first or the last round of the compress function is omitted, are not collision-free. Moreover, it turns out that the methods developed in this note can be applied to find collisions for the full MD4.

81 citations


Book ChapterDOI
17 Aug 1997
TL;DR: This article presents a new attack on the compression function of the 128-bit hash function MDC-4 using DES with a complexity far less than one would expect, and proposes new constructions of fast and secure compression functions based on error-correcting codes and m-bit block ciphers with an m-bit key.
Abstract: This paper considers hash functions based on block ciphers. It presents a new attack on the compression function of the 128-bit hash function MDC-4 using DES with a complexity far less than one would expect, and proposes new constructions of fast and secure compression functions based on error-correcting codes and m-bit block ciphers with an m-bit key. This leads to simple and practical hash function constructions based on block ciphers such as DES, where the key size is slightly smaller than the block size, IDEA, where the key size is twice the block size and to MD4-like hash functions. Under reasonable assumptions about the underlying block cipher, we obtain collision resistant compression functions. Finally we provide examples of hashing constructions based on both DES and IDEA more efficient than previous proposals and discuss applications of our approach for MD4-like hash functions.

43 citations


Journal Article
TL;DR: A new attack on the compression function of the 128-bit hash function MDC-4 using DES with a complexity far less than one would expect is presented, and new constructions of fast and secure compression functions based on error-correcting codes and m-bit block ciphers with an m-bit key are proposed.
Abstract: This paper considers hash functions based on block ciphers. It presents a new attack on the compression function of the 128-bit hash function MDC-4 using DES with a complexity far less than one would expect, and proposes new constructions of fast and secure compression functions based on error-correcting codes and m-bit block ciphers with an m-bit key. This leads to simple and practical hash function constructions based on block ciphers such as DES, where the key size is slightly smaller than the block size, IDEA, where the key size is twice the block size and to MD4-like hash functions. Under reasonable assumptions about the underlying block cipher, we obtain collision resistant compression functions. Finally we provide examples of hashing constructions based on both DES and IDEA more efficient than previous proposals and discuss applications of our approach for MD4-like hash functions.

42 citations


Journal Article
TL;DR: The classic Merkle-Damgard method used in the standard setting fails for these weaker kinds of hash functions, and the main construction is the XOR tree, which considers the problem of input length-variability and presents a general solution.
Abstract: Recent attacks on the cryptographic hash functions MD4 and MD5 make it clear that (strong) collision-resistance is a hard-to-achieve goal. We look towards a weaker notion, the universal one-way hash functions (UOWHFs) of Naor and Yung, and investigate their practical potential. The goal is to build UOWHFs not based on number theoretic assumptions, but from the primitives underlying current cryptographic hash functions like MD5 and SHA-1. Pursuing this goal leads us to new questions. The main one is how to extend a compression function to a full-fledged hash function in this new setting. We show that the classic Merkle-Damgard method used in the standard setting fails for these weaker kinds of hash functions, and we present some new methods that work. Our main construction is the XOR tree. We also consider the problem of input length-variability and present a general solution.

18 citations


Book ChapterDOI
Cynthia Dwork
25 Aug 1997
TL;DR: This work describes constructions of several cryptographic primitives, including hash functions, public key cryptosystems, pseudo-random bit generators, and digital signatures, whose security depends on the assumed worst-case or average-case hardness of problems involving lattices.
Abstract: We describe constructions of several cryptographic primitives, including hash functions, public key cryptosystems, pseudo-random bit generators, and digital signatures, whose security depends on the assumed worst-case or average-case hardness of problems involving lattices.

14 citations


Book ChapterDOI
07 Jul 1997
TL;DR: A new 2m-bit iterated hash function based on a m-bit block cipher with a 2m-bit key is proposed that can completely resist target attack, collision attack and semi-free-start collision attack.
Abstract: In this paper a new 2m-bit iterated hash function based on a m-bit block cipher with a 2m-bit key is proposed. The hash round function in the new scheme utilizes a single underlying block cipher and can completely resist target attack, collision attack and semi-free-start collision attack. The new scheme can be expected to have ideal computational security against five attacks when the underlying cipher is assumed to have no weakness.

9 citations


Proceedings ArticleDOI
09 Sep 1997
TL;DR: This paper presents an algorithm which reduces the number of trials required for finding a solution to a set of nonlinear equations and is approximately 64 times faster than the technique proposed by Dobbertin.
Abstract: Cryptographic hash functions are important cryptographic primitives and are used extensively in cryptographic applications. One such family of hash functions is the MD4 family. This family includes hash functions such as MD5, SHA-1 and RIPEMD-160. In 1995 an attack on the full compress function of MD4 was presented by Dobbertin. This paper builds on the work presented by Dobbertin. The attack of Dobbertin consists of two components. The first component requires that a solution to a set of nonlinear equations be found. This paper presents an algorithm which reduces the number of trials required for finding a solution to these nonlinear equations. This algorithm is approximately 64 times faster than the technique proposed by Dobbertin. This implies a significant reduction in the effort required for finding collisions for MD4.

6 citations


Book ChapterDOI
01 Jan 1997
TL;DR: The results show that the new 2m-bit iterated hash function can completely resist target attack, collision attack and semi-free-start collision attack, and the whole scheme can be expected to have ideal computational security against the five attacks when the underlying cipher is assumed to have no weakness.
Abstract: In this paper, a new 2m-bit iterated hash function based on a m-bit block cipher with a 2m-bit key is firstly presented. Different from previous 2m-bit hash function based on block ciphers, the hash round function in our proposal utilizes a single underlying block cipher. Secondly, five attacks on the hash function are treated. The results show that its hash round function can completely resist target attack, collision attack and semi-free-start collision attack and the whole scheme can be expected to have ideal computational security against the five attacks when the underlying cipher is assumed to have no weakness. Finally, the implementation of the new hash function is discussed. For the underlying cipher to be easily implemented in both software and hardware, so is the new hash function because only two basic 64-bit algebraic operations are introduced in the hash round function on basis of the cipher.