Why narrow-pipe cryptographic hash functions are not a match to wide-pipe cryptographic hash functions?
Authors
Abstract
In the last 7-8 months Klima and I have discovered several deficiencies of narrow-pipe cryptographic hash designs. It all started with a note to the hash-forum list that narrow-pipe hash functions are giving outputs that are pretty different than the output that we would expect from a random oracle that is mapping messages of arbitrary length to hash values of n-bits. Then together with Klima we have investigated the consequences of that aberration to some practical protocols for key derivation that are using iterative and repetitive calls to a hash function. Finally, during the third SHA-3 conference I have shown that narrow-pipe hash functions cannot offer n-bits of security against the length-extension attack (a requirement that NIST has put as one of the conditions for the SHA-3 competition). In this paper we collect in one place and explain in detail all these problems with narrow-pipe hash designs and we explain why wide-pipe hash functions such as Blue Midnight Wish do not suffer from the mentioned deficiencies.
Similar resources
Practical consequences of the aberration of narrow-pipe hash designs from ideal random functions
In a recent note to the NIST hash-forum list, the following observation was presented: narrow-pipe hash functions differ significantly from ideal random functions $H : \{0, 1\}^N \to \{0, 1\}^n$ that map bit strings from a big domain where $N = n + m$, $m \ge n$ ($n = 256$ or $n = 512$). Namely, for an ideal random function with a big domain space $\{0, 1\}^N$ and a finite co-domain space $Y = \{0, 1\}^n$, for every element $y \in$...
Generic Collision Attacks on Narrow-pipe Hash Functions Faster than Birthday Paradox, Applicable to MDx, SHA-1, SHA-2, and SHA-3 Narrow-pipe Candidates
In this note we show a consequence of the recent observation that narrow-pipe hash designs manifest an aberration from ideal random functions for finding collisions for those functions with complexities much lower than the so called generic birthday paradox lower bound. The problem is generic for narrow-pipe designs including classic Merkle-Damgård designs but also recent narrow-pipe SHA-3 cand...
Active Domain Expansion for Normal Narrow-pipe Hash Functions
Recently several reports of Cryptology ePrint Archive showed the discovering that for a normal iterative hash function the entropy and codomain would reduce greatly, then some conclusions were given: Narrow-pipe hash functions couldn’t resist this reducing (But wide-pipe hash functions could.), and generic collision attacks on narrow-pipe hash functions would be faster than birthday paradox. The d...
3C- A Provably Secure Pseudorandom Function and Message Authentication Code. A New mode of operation for Cryptographic Hash Function
We propose a new cryptographic construction called 3C, which works as a pseudorandom function (PRF), message authentication code (MAC) and cryptographic hash function. The 3C construction is obtained by modifying the Merkle-Damgård iterated construction used to construct iterated hash functions. We assume that the compression functions of Merkle-Damgård iterated construction realize a family of ...
Lightweight 4x4 MDS Matrices for Hardware-Oriented Cryptographic Primitives
Linear diffusion layer is an important part of lightweight block ciphers and hash functions. This paper presents an efficient class of lightweight 4x4 MDS matrices such that the implementation cost of them and their corresponding inverses are equal. The main target of the paper is hardware oriented cryptographic primitives and the implementation cost is measured in terms of the required number ...