A Generalized Birthday Problem
CRYPTO '02 Proceedings of the 22nd Annual International Cryptology Conference on Advances in Cryptology
A Design Principle for Hash Functions
CRYPTO '89 Proceedings of the 9th Annual International Cryptology Conference on Advances in Cryptology
One Way Hash Functions and DES
CRYPTO '89 Proceedings of the 9th Annual International Cryptology Conference on Advances in Cryptology
Differential Collisions in SHA-0
CRYPTO '98 Proceedings of the 18th Annual International Cryptology Conference on Advances in Cryptology
Proceedings of the Third International Workshop on Fast Software Encryption
Security analysis of a 2/3-rate double length compression function in the black-box model
FSE'05 Proceedings of the 12th international conference on Fast Software Encryption
Efficient collision search attacks on SHA-0
CRYPTO'05 Proceedings of the 25th annual international conference on Advances in Cryptology
Finding collisions in the full SHA-1
CRYPTO'05 Proceedings of the 25th annual international conference on Advances in Cryptology
Merkle-Damgård revisited: how to construct a hash function
CRYPTO'05 Proceedings of the 25th annual international conference on Advances in Cryptology
Cryptanalysis of the hash functions MD4 and RIPEMD
EUROCRYPT'05 Proceedings of the 24th annual international conference on Theory and Applications of Cryptographic Techniques
How to break MD5 and other hash functions
EUROCRYPT'05 Proceedings of the 24th annual international conference on Theory and Applications of Cryptographic Techniques
Collisions of SHA-0 and reduced SHA-1
EUROCRYPT'05 Proceedings of the 24th annual international conference on Theory and Applications of Cryptographic Techniques
Second preimages on n-bit hash functions for much less than 2n work
EUROCRYPT'05 Proceedings of the 24th annual international conference on Theory and Applications of Cryptographic Techniques
On the impossibility of highly-efficient blockcipher-based hash functions
EUROCRYPT'05 Proceedings of the 24th annual international conference on Theory and Applications of Cryptographic Techniques
Provably secure double-block-length hash functions in a black-box model
ICISC'04 Proceedings of the 7th international conference on Information Security and Cryptology
Beyond Uniformity: Better Security/Efficiency Tradeoffs for Compression Functions
CRYPTO 2008 Proceedings of the 28th Annual conference on Cryptology: Advances in Cryptology
Collision Resistance of Double-Block-Length Hash Function against Free-Start Attack
IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences
Security of Cyclic Double Block Length Hash Functions
Cryptography and Coding '09 Proceedings of the 12th IMA International Conference on Cryptography and Coding
Attacking the Knudsen-Preneel compression functions
FSE'10 Proceedings of the 17th international conference on Fast software encryption
Combining compression functions and block cipher-based hash functions
ASIACRYPT'06 Proceedings of the 12th international conference on Theory and Application of Cryptology and Information Security
Some plausible constructions of double-block-length hash functions
FSE'06 Proceedings of the 13th international conference on Fast Software Encryption
A secure distance-based RFID identification protocol with an off-line back-end database
Personal and Ubiquitous Computing
Weimar-DM: a highly secure double-length compression function
ACISP'12 Proceedings of the 17th Australasian conference on Information Security and Privacy
Security analysis of constructions combining FIL random oracles
FSE'07 Proceedings of the 14th international conference on Fast Software Encryption
| Hi-index | 0.00 |
At FSE 2005, Nandi et al proposed a method to turn an n-bit compression function into a 2n-bit compression function. In the black-box model, the security of this double length hash proposal against collision attacks is proven, if no more than Ω(22n/3) oracle queries to the underlying n-bit function are made. We explore the security of this hash proposal regarding several classes of attacks. We describe a collision attack that matches the proven security bound and we show how to find preimages in time 2n. For optimum security the complexities of finding collisions and preimages for a 2n-bit compression function should be respectively of 2n and 22n. We also show that if the output is truncated to s≤ 2n bits, one can find collisions in time roughly 2s/3 and preimages in time roughly 2s/2. These attacks illustrate some important weaknesses of the FSE 2005 proposal, while none of them actually contradicts the proof of security.