Hash Functions from Defective Ideal Ciphers
Authors
Abstract
Motivation
• Cryptographic constructions based on lower-level primitives are often analyzed by modeling the primitive as an ideal object
  – Sometimes, impossible to construct based on standard assumptions
  – Here: hash functions from block ciphers
• When instantiated, the primitive may have "defects" and be far from ideal

Motivating example
• Related-key attacks on block ciphers
  – Several such attacks on block ciphers are known
  – Does not contradict pseudorandomness
• Such attacks have been used to attack primitives based on (ideal) ciphers
  – Collision attack on the hash function used in Microsoft Xbox due to related-key attack on TEA
  – Attack on the RMAC message authentication code

This work
• We define a "defective" ideal cipher model incorporating linear related-key attacks
  – Goal: better understand real-world security of constructions analyzed in the (traditional) ideal-cipher model
• We analyze the classical Preneel-Govaerts-Vandewalle (PGV) constructions of hash functions from block ciphers in our model
• A (block-cipher-based) compression function í µí±: {0,1} í µí±
Similar resources
Security Proofs for the BLT Signature Scheme
We present security proofs for the BLT signature scheme in the model, where hash functions are built from ideal components (random oracles, ideal ciphers, etc.). We show that certain strengthening of the Pre-image Awareness (PrA) conditions like boundedness of the extractor, and certain natural properties (balancedness and the so-called output one-wayness) of the hash function are sufficient fo...
Comments on the RMAC algorithm
First, regarding the ideal cipher model used in the proof of the (published) RMAC paper: as a researcher who has used both the ideal cipher model and the standard reduction-based proof modes, I must agree that the use of the ideal cipher model is inappropriate where it really is not mandated (because the reduction-based paradigm is sufficient as has been amply demonstrated by several other resea...
Provable Security and Indifferentiability
In this thesis we consider different problems related to provable security and indifferentiability framework. Ideal primitives such as random oracles, ideal ciphers are theoretical abstractions of cryptographic hash functions and block ciphers respectively. These idealized models help us to argue security guarantee for various cryptographic schemes, for which standard model security proofs are ...
Cryptographic Randomness Testing of Block Ciphers and Hash Functions
One of the most basic properties expected from block ciphers and hash functions is passing statistical randomness testing, as they are expected to behave like random mappings. Previously, testing of AES candidate block ciphers was done by concatenating the outputs of the algorithms obtained from various input types. In this work, a more convenient method, namely the cryptographic randomness tes...
Pseudorandom Recursions: Small and Fast Pseudorandom Number Generators for Embedded Applications
Many new small and fast pseudorandom number generators are presented, which pass the most common randomness tests. They perform only a few, nonmultiplicative operations for each generated number, use very little memory, therefore, they are ideal for embedded applications. We present general methods to ensure very long cycles and show, how to create super fast, very small ciphers and hash functi...