combining compression functions and block cipher based
play

Combining Compression Functions and Block Cipher-Based Hash - PowerPoint PPT Presentation

Dec 11, 2023 •203 likes •655 views

Introduction The Framework Known Generic Attacks Against Multiple Block Length Hashing How to Avoid Known Generic Attacks ? Conclusions Combining Compression Functions and Block Cipher-Based Hash Functions Asiacrypt 2006 Thomas Peyrin 1 ,

  1. Introduction The Framework Known Generic Attacks Against Multiple Block Length Hashing How to Avoid Known Generic Attacks ? Conclusions Combining Compression Functions and Block Cipher-Based Hash Functions Asiacrypt 2006 Thomas Peyrin 1 , Henri Gilbert 1 , Frédéric Muller 2 , Matt Robshaw 1 1 France Télécom R&D 2 HSBC France December 6, 2006 Thomas Peyrin, Henri Gilbert, Frédéric Muller, Matt Robshaw Combining Compression Functions

  2. Introduction The Framework Known Generic Attacks Against Multiple Block Length Hashing How to Avoid Known Generic Attacks ? Conclusions Outline Introduction 1 The Framework 2 Known Generic Attacks Against Multiple Block Length 3 Hashing How to Avoid Known Generic Attacks ? 4 Conclusions 5 Thomas Peyrin, Henri Gilbert, Frédéric Muller, Matt Robshaw Combining Compression Functions

  3. Introduction The Framework Known Generic Attacks Against Multiple Block Length Hashing How to Avoid Known Generic Attacks ? Conclusions Outline Introduction 1 The Framework 2 Known Generic Attacks Against Multiple Block Length 3 Hashing How to Avoid Known Generic Attacks ? 4 Conclusions 5 Thomas Peyrin, Henri Gilbert, Frédéric Muller, Matt Robshaw Combining Compression Functions

  4. Introduction The Framework Known Generic Attacks Against Multiple Block Length Hashing How to Avoid Known Generic Attacks ? Conclusions Reminder of Merkle-Damgård Construction Merkle-Damgård iteration: If h is collision resistant then H is collision resistant. But building a good and efficient compression function is hard ! Thomas Peyrin, Henri Gilbert, Frédéric Muller, Matt Robshaw Combining Compression Functions

  5. Introduction The Framework Known Generic Attacks Against Multiple Block Length Hashing How to Avoid Known Generic Attacks ? Conclusions Reminder of Existing Block Cipher-Based Hash Functions In 1993, Preneel et al. studied several block cipher-based hash functions with single block length output, e.g.: Security proofs in the black-box model provided by Black et al. in 2002. Most hash functions are of dedicated design but recent attacks renewed interest in block cipher-based hashing. Thomas Peyrin, Henri Gilbert, Frédéric Muller, Matt Robshaw Combining Compression Functions

  6. Introduction The Framework Known Generic Attacks Against Multiple Block Length Hashing How to Avoid Known Generic Attacks ? Conclusions Reminder of Existing Block Cipher-Based Hash Functions In 1993, Preneel et al. studied several block cipher-based hash functions with single block length output, e.g.: Security proofs in the black-box model provided by Black et al. in 2002. Most hash functions are of dedicated design but recent attacks renewed interest in block cipher-based hashing. Thomas Peyrin, Henri Gilbert, Frédéric Muller, Matt Robshaw Combining Compression Functions

  7. Introduction The Framework Known Generic Attacks Against Multiple Block Length Hashing How to Avoid Known Generic Attacks ? Conclusions Reminder of Existing Block Cipher-Based Hash Functions In 1993, Preneel et al. studied several block cipher-based hash functions with single block length output, e.g.: Security proofs in the black-box model provided by Black et al. in 2002. Most hash functions are of dedicated design but recent attacks renewed interest in block cipher-based hashing. Thomas Peyrin, Henri Gilbert, Frédéric Muller, Matt Robshaw Combining Compression Functions

  8. Introduction The Framework Known Generic Attacks Against Multiple Block Length Hashing How to Avoid Known Generic Attacks ? Conclusions Need for Double Block Length Hash Functions Level of security provided by block cipher-based hash functions with single block length output is too low. Ideal case: with n -bit output, no attack providing a collision in less than Θ( 2 n / 2 ) or a preimage in less than Θ( 2 n ) evaluations of h . We need double length hash functions or more generally multiple length hash functions if we want for instance AES-based hash functions. Previous work: [KL94], [KP96], [KP97], [KP02], [H04], [H06], [NLSL05]. Many schemes, very few unbroken. Thomas Peyrin, Henri Gilbert, Frédéric Muller, Matt Robshaw Combining Compression Functions

  9. Introduction The Framework Known Generic Attacks Against Multiple Block Length Hashing How to Avoid Known Generic Attacks ? Conclusions Outline Introduction 1 The Framework 2 Known Generic Attacks Against Multiple Block Length 3 Hashing How to Avoid Known Generic Attacks ? 4 Conclusions 5 Thomas Peyrin, Henri Gilbert, Frédéric Muller, Matt Robshaw Combining Compression Functions

  10. Introduction The Framework Known Generic Attacks Against Multiple Block Length Hashing How to Avoid Known Generic Attacks ? Conclusions The Problem We consider modes of operation of compression functions. How to build an ideal multiple length compression function h from t ideal single length with ideal and "independent" compression functions f ( i ) with one block output. We restrict ourselves to "parallel" constructions. Thomas Peyrin, Henri Gilbert, Frédéric Muller, Matt Robshaw Combining Compression Functions

  11. Introduction The Framework Known Generic Attacks Against Multiple Block Length Hashing How to Avoid Known Generic Attacks ? Conclusions The Problem We consider modes of operation of compression functions. How to build an ideal multiple length compression function h from t ideal single length with ideal and "independent" compression functions f ( i ) with one block output. We restrict ourselves to "parallel" constructions. Thomas Peyrin, Henri Gilbert, Frédéric Muller, Matt Robshaw Combining Compression Functions

  12. Introduction The Framework Known Generic Attacks Against Multiple Block Length Hashing How to Avoid Known Generic Attacks ? Conclusions The Problem We consider modes of operation of compression functions. How to build an ideal multiple length compression function h from t ideal single length with ideal and "independent" compression functions f ( i ) with one block output. We restrict ourselves to "parallel" constructions. Thomas Peyrin, Henri Gilbert, Frédéric Muller, Matt Robshaw Combining Compression Functions

  13. Introduction The Framework Known Generic Attacks Against Multiple Block Length Hashing How to Avoid Known Generic Attacks ? Conclusions The Problem We consider modes of operation of compression functions. How to build an ideal multiple length compression function h from t ideal single length with ideal and "independent" compression functions f ( i ) with one block output. We restrict ourselves to "parallel" constructions. Thomas Peyrin, Henri Gilbert, Frédéric Muller, Matt Robshaw Combining Compression Functions

  14. Introduction The Framework Known Generic Attacks Against Multiple Block Length Hashing How to Avoid Known Generic Attacks ? Conclusions Our Framework Thomas Peyrin, Henri Gilbert, Frédéric Muller, Matt Robshaw Combining Compression Functions

  15. Introduction The Framework Known Generic Attacks Against Multiple Block Length Hashing How to Avoid Known Generic Attacks ? Conclusions Example Nandi et al. scheme N 1 : c = 2 m = 1 k = 2 t = 3 Thomas Peyrin, Henri Gilbert, Frédéric Muller, Matt Robshaw Combining Compression Functions

  16. Introduction The Framework Known Generic Attacks Against Multiple Block Length Hashing How to Avoid Known Generic Attacks ? Conclusions Motivation of the Framework Name c t k m Very natural framework in MDC -2 2 2 2 1 2 2 2 2 PBGV which every known parallel ABREAST - DM 2 2 3 1 double block length PARALLEL - DM 2 2 2 2 Hirose family 2 2 3 1 scheme fits in. Nandi et al. N 1 2 3 2 1 Nandi et al. N 2 2 3 3 2 Less restrictive than previous frameworks. Allows to easily study all the known generic attacks, and even to find criteria to avoid them. Aim: derive necessary conditions on the parameters of ideal constructions. Thomas Peyrin, Henri Gilbert, Frédéric Muller, Matt Robshaw Combining Compression Functions

  17. Introduction The Framework Known Generic Attacks Against Multiple Block Length Hashing How to Avoid Known Generic Attacks ? Conclusions Outline Introduction 1 The Framework 2 Known Generic Attacks Against Multiple Block Length 3 Hashing How to Avoid Known Generic Attacks ? 4 Conclusions 5 Thomas Peyrin, Henri Gilbert, Frédéric Muller, Matt Robshaw Combining Compression Functions

  18. Introduction The Framework Known Generic Attacks Against Multiple Block Length Hashing How to Avoid Known Generic Attacks ? Conclusions The "DF" Attack The "DF" attack (Degrees of Freedom): possible when one can compute directly a collision or a preimage on some output blocks while keeping some degrees of freedom. works for MDC-2, PGBV and Parallel-DM schemes. Some output blocks can then be attacked independently ! Thomas Peyrin, Henri Gilbert, Frédéric Muller, Matt Robshaw Combining Compression Functions

  19. Introduction The Framework Known Generic Attacks Against Multiple Block Length Hashing How to Avoid Known Generic Attacks ? Conclusions Example of the "DF" Attack Choose a random M 1 . Find a collision/preimage on the left side using H 1 . Find a collision/preimage on the right side using H 2 . We obtain a collision/preimage with Θ( 2 n / 2 ) and Θ( 2 n ) function evaluations. Thomas Peyrin, Henri Gilbert, Frédéric Muller, Matt Robshaw Combining Compression Functions

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Problem 1 k zero bits n bits IV Block Block Block Block Cipher Cipher Cipher Cipher

Problem 1 k zero bits n bits IV Block Block Block Block Cipher Cipher Cipher Cipher

Problem 1 k zero bits n bits IV Block Block Block Block Cipher Cipher Cipher Cipher removed January 27, 2011 Practical Aspects of Modern Cryptography 2 Problem 1 IV Inverse Inverse Inverse Inverse Cipher Cipher Cipher Cipher

464 views • 20 slides
H were created in the late 18th and 19th 2 n 2nd preimages centuries; they federated and became

H were created in the late 18th and 19th 2 n 2nd preimages centuries; they federated and became

Introduction Iterated hash functions Block cipher constructions SHA-3 Outtro Introduction Iterated hash functions Block cipher constructions SHA-3 Outtro 1 Introduction Hash Functions and SHA-3 2 Iterated hash functions 3 Block cipher

786 views • 13 slides
PSEUDO-RANDOM FUNCTIONS 1 / 65 Recall We studied security of a block cipher against key

PSEUDO-RANDOM FUNCTIONS 1 / 65 Recall We studied security of a block cipher against key

PSEUDO-RANDOM FUNCTIONS 1 / 65 Recall We studied security of a block cipher against key recovery. But we saw that security against key recovery is not sufficient to ensure that natural usages of a block cipher are secure. We want to answer the

920 views • 88 slides
H were created in the late 18th and 19th centuries; they federated and became the Commonwealth

H were created in the late 18th and 19th centuries; they federated and became the Commonwealth

Introduction Iterated hash functions Based on number-theoretic problems Block cipher constructions Introduction Iterated hash functions Based on number-theoretic problems Block cipher constructions 1 Introduction On the Design of Hash

324 views • 8 slides
CS 4803 A block cipher E is a collection of functions from n bits to n bits. Each function is

CS 4803 A block cipher E is a collection of functions from n bits to n bits. Each function is

Block ciphers Building blocks for symmetric cryptography. M EK C Examples: DES, 3DES, AES... CS 4803 A block cipher E is a collection of functions from n bits to n bits. Each function is fully specified by a k-bit key. Computer and

317 views • 4 slides
PSEUDO-RANDOM FUNCTIONS We want to answer the question: What is a good block cipher? where

PSEUDO-RANDOM FUNCTIONS We want to answer the question: What is a good block cipher? where

Recall We studied security of function families (in particular, block ciphers) against key recovery. But we saw that security against key recovery is not su ffi cient to ensure that natural usages of a block cipher are secure. PSEUDO-RANDOM

268 views • 13 slides
Tweakable Block Cipher Secure Beyond the Birthday Bound in the Ideal Cipher Model Jooyoung Lee ,

Tweakable Block Cipher Secure Beyond the Birthday Bound in the Ideal Cipher Model Jooyoung Lee ,

Tweakable Block Cipher Secure Beyond the Birthday Bound in the Ideal Cipher Model Jooyoung Lee , Byeonghak Lee KAIST Tweakable Block Cipher A tweakable block cipher accepts an additional input "tweak - Tweaks are publicly used

519 views • 30 slides
Block Cipher Modes of Operation Electronic Code Book Cipher Block Chaining Mode Cryptography

Block Cipher Modes of Operation Electronic Code Book Cipher Block Chaining Mode Cryptography

Cryptography Block Cipher Modes of Operation Block Ciphers with Multiple Blocks Block Cipher Modes of Operation Electronic Code Book Cipher Block Chaining Mode Cryptography Cipher Feedback Mode School of Engineering and Technology

428 views • 32 slides
Objectives Electronic Code Book Cipher Block Chaining Output Boolean functions

Objectives Electronic Code Book Cipher Block Chaining Output Boolean functions

Modes of Operation of Block Ciphers Debdeep Mukhopadhyay Assistant Professor Department of Computer Science and Engineering Indian Institute of Technology Kharagpur INDIA -721302 Objectives Electronic Code Book Cipher Block Chaining

183 views • 16 slides
Deck-Based Wide Block Cipher Modes and an Exposition of the Blinded Keyed Hashing Model Aldo

Deck-Based Wide Block Cipher Modes and an Exposition of the Blinded Keyed Hashing Model Aldo

Deck-Based Wide Block Cipher Modes and an Exposition of the Blinded Keyed Hashing Model Aldo Gunsing, Joan Daemen and Bart Mennink FSE 2020 1 / 15 Block cipher K n n P B C Plaintext P encrypted to ciphertext C with secret key K

632 views • 41 slides
Advanced Block Cipher Design My crazy boss asked me to design a new block cipher. Whats next?

Advanced Block Cipher Design My crazy boss asked me to design a new block cipher. Whats next?

Advanced Block Cipher Design My crazy boss asked me to design a new block cipher. Whats next? Pascal Junod University of Applied Sciences Western Switzerland Pascal Junod -- Advanced Block Cipher Design 1 ECRYPT II Summer School - May

914 views • 56 slides
1 Simple Hash Functions Requirements for Hash Functions 1. can be applied to any sized message M

1 Simple Hash Functions Requirements for Hash Functions 1. can be applied to any sized message M

CPE 542: CRYPTOGRAPHY & NETWORK SECURITY Using Symmetric Ciphers for MACs can use any block cipher chaining mode and use final block as a MAC Chapter 12 Hash Algorithms Data Authentication Algorithm (DAA) is a widely used MAC

305 views • 5 slides
Block Cipher Cryptanalysis: An Overview Subhabrata Samajder Indian Statistical Institute, Kolkata

Block Cipher Cryptanalysis: An Overview Subhabrata Samajder Indian Statistical Institute, Kolkata

Block Cipher Cryptanalysis: An Overview Subhabrata Samajder Indian Statistical Institute, Kolkata 17 th May, 2017 0/52 Iterated Block Cipher Outline Iterated Block Cipher 1 S-Boxes 2 A Basic Substitution Permutation Network 3 Linear

1.58k views • 113 slides
Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey

Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey

Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey Bogdanov Andrey Bogdanov K.U.Leuven, ESAT/COSIC Outline Outline Distribution of Correlation Data Complexity Linear Hulls Zero

659 views • 30 slides
Examples of symmetric primitives D. J. Bernstein message len Permutation fixed Compression

Examples of symmetric primitives D. J. Bernstein message len Permutation fixed Compression

1 Examples of symmetric primitives D. J. Bernstein message len Permutation fixed Compression function fixed Block cipher fixed Tweakable block cipher fixed Hash function variable MAC (without nonce) variable MAC (using nonce)

1.08k views • 107 slides
Symmetric-Key Encryption: One-Way Functions Lecture 6 PRG from One-Way Permutations RECALL

Symmetric-Key Encryption: One-Way Functions Lecture 6 PRG from One-Way Permutations RECALL

Symmetric-Key Encryption: One-Way Functions Lecture 6 PRG from One-Way Permutations RECALL Story So far m Enc SC PRG (i.e., a Stream Cipher) for one-time SKE K Mode of operation: msg pseudorandom pad PRF (i.e., a Block Cipher)

251 views • 12 slides
1 Unroll and Jam Unroll and Jam Example (cont) Unroll the Outer Loop Idea do j = 1,2*n by 2

1 Unroll and Jam Unroll and Jam Example (cont) Unroll the Outer Loop Idea do j = 1,2*n by 2

Tiling: A Data Locality Optimizing Algorithm Loop Unrolling Motivation Previously Reduces loop overhead Kelly & Pugh transformation framework Improves effectiveness of other transformations Affine space partitions for

45 views • 4 slides
Memory Hierarchy 3 Cs and 6 Ways to Reduce Misses Soner Onder Michigan Technological

Memory Hierarchy 3 Cs and 6 Ways to Reduce Misses Soner Onder Michigan Technological

Memory Hierarchy 3 Cs and 6 Ways to Reduce Misses Soner Onder Michigan Technological University Randy Katz & David A. Patterson University of California, Berkeley Four Questions for Memory Hierarchy Designers 2 Q1: Where can a block

1.29k views • 43 slides
Full Boltzmann equations for Leptogenesis (FHW, M. Plmacher, Y.Y.Y Wong: arXiv:0907.0205)

Full Boltzmann equations for Leptogenesis (FHW, M. Plmacher, Y.Y.Y Wong: arXiv:0907.0205)

Full Boltzmann equations for Leptogenesis (FHW, M. Plmacher, Y.Y.Y Wong: arXiv:0907.0205) Florian Hahn-Woernle Max-Planck-Institut fr Physik Mnchen Ringberg Young Scientist Workshop 2009 Florian Hahn-Woernle (MPI-Mnchen) Full

828 views • 54 slides
HPC Challenge Benchmark Piotr Luszczek University of Tennessee Knoxville SC2004, November

HPC Challenge Benchmark Piotr Luszczek University of Tennessee Knoxville SC2004, November

Introduction Overview Details Submissions Future Directions HPC Challenge Benchmark Piotr Luszczek University of Tennessee Knoxville SC2004, November 6-12, 2004, Pittsburgh, PA SC2004; Pittsburgh, PA 1/14 Introduction Overview

263 views • 7 slides
RTP Redundancy Up date Colin P erkins < c.p erkins@cs.ucl.ac.uk > Depa rtment of

RTP Redundancy Up date Colin P erkins < c.p erkins@cs.ucl.ac.uk > Depa rtment of

RTP Redundancy Up date Colin P erkins < c.p erkins@cs.ucl.ac.uk > Depa rtment of Computer Science Universit y College London Go w er Street London W C1E 6BT Status RTP redundancy mechanism published as RF C2198

364 views • 8 slides
Data Blocking Jon K. Nilsen Department of Physics and Scientific Computing Group University of

Data Blocking Jon K. Nilsen Department of Physics and Scientific Computing Group University of

Data Blocking Jon K. Nilsen Department of Physics and Scientific Computing Group University of Oslo, N-0316 Oslo, Norway Spring 2008 Computational Physics II FYS4410 Outline Data Blocking Why blocking? What is blocking? Blocking in

626 views • 14 slides
Web Information Retrieval Lecture 3 Index Construction Index construction This time:

Web Information Retrieval Lecture 3 Index Construction Index construction This time:

Web Information Retrieval Lecture 3 Index Construction Index construction This time: Plan Index construction How do we construct an index? What strategies can we use with limited main memory? Sec. 4.2 RCV1: Our collection for

235 views • 21 slides
Outline Overview of recent work improving performance in most difficult cases:

Outline Overview of recent work improving performance in most difficult cases:

Evaluation of Potential Enhancements to Version 6 Cloud Clearing and Profile Retrieval William J. Blackwell and Michael Pieper AIRS Science Team Meeting April 17, 2008 This work was sponsored by the National Oceanic and Atmospheric

870 views • 30 slides

More recommend