In this article, we study the security of the IDEA block cipher when it is used in various simple-length or double-length hashing modes. Even though this cipher is still considered secure, we show that one should avoid its use as an internal primitive for block-cipher-based hashing. In particular, we are able to generate free-start collisions instantaneously for most modes, and even semi-free-start collisions, pseudo-preimages or hash collisions with practical complexity. This work gives a practical example of the gap that exists between secret-key security and known-key or chosen-key security for block ciphers. Moreover, we also settle the 20-year-old open question concerning the security of the Abreast-DM and Tandem-DM double-length compression functions, which were originally designed to be instantiated with IDEA. Our attacks have been verified experimentally and work even for strengthened versions of IDEA with any number of rounds.