Bellare and Micciancio’s MuHASH applies a pre-existing hash function to map indexed message blocks into a secure group. The resulting hash is the product. Bellare and Micciancio proved, in the random oracle model, that MuHASH is collision-resistant if the group’s discrete logarithm problem is infeasible. MuHASH, however, relies on a pre-existing hash being collision resistant. In this paper, we...

We consider basic notions of security for cryptographic hash functions: collision resistance,preimage resistance, and second-preimage resistance. We give seven different definitions thatcorrespond to these three underlying ideas, and then we work out all of the implications andseparations among these seven definitions within the concrete-security, provable-security frame-wor...

One of the key topics in robot reasoning is motion planning. Most of the research in this domain has focused on the topological and geometrical problem of finding a collision-free path connecting two configurations of the robot among obstacles, by assuming complete and accurate prior knowledge of the robot workspace and perfect control of the robot. But there exists a variety of robot operation...

This paper deals with definitional aspects of the herding attack of Kelsey and Kohno, and investigates the provable security of several hash functions against herding attacks. Firstly, we define the notion of chosen-target-forced-midfix (CTFM) as a generalization of the classical herding (chosen-target-forced-prefix) attack to the cases where the challenge message is not only a prefix but may a...

Hamsi is one of the 14 second-stage candidates in NIST’s SHA-3 competition. The only previous attack on this hash function was a very marginal attack on its 256-bit version published by Thomas Fuhr at Asiacrypt 2010, which is better than generic attacks only for very short messages of fewer than 100 32-bit blocks, and is only 26 times faster than a straightforward exhaustive search attack. In t...

In this paper, we propose a new lightweight hash function supporting three different digest sizes: 80, 96 and 128 bits, providing preimage security from 64 to 120 bits, second preimage and collision security from 40 to 60 bits. LHash requires about 817 GE and 1028 GE with a serialized implementation. In faster implementations based on function T , LHash requires 989 GE and 1200 GE with 54 and 7...

We present new techniques for deriving preimage resistance bounds for block cipher based double-block-length, double-call hash functions. We give improved bounds on the preimage security of the three “classical” double-block-length, double-call, block cipher-based compression functions, these being Abreast-DM, Tandem-DM and Hirose’s scheme. For Hirose’s scheme, we show that an adversary must ma...

This paper gives an online algorithm for generating Jakobsson’s fractal hash chains [14]. Our new algorithm compliments Jakobsson’s fractal hash chain algorithm for preimage traversal since his algorithm assumes the entire hash chain is precomputed and a particular list of ⌈logn⌉ hash elements or pebbles are saved. Our online algorithm for hash chain traversal incrementally generates a hash cha...

MD2 is an early hash function developed by Ron Rivest for RSA Security, that produces message digests of 128 bits. In this paper, we show that MD2 does not reach the ideal security level of 2. We describe preimage attacks against the underlying compression function, the best of which has complexity of 2. As a result, the full MD2 hash can be attacked in preimage with complexity of 2.