A combiner is a construction formed out of two hash functions that is secure if one of the underlying functions is. Conventional combiners are known not to support short outputs: if the hash functions have n-bit outputs the combiner should have at least almost 2n bits of output in order to be robust for collision resistance (Pietrzak, CRYPTO 2008). Mittelbach (ACNS 2013) introduced a relaxed se...

Many security protocols still rely on manual fingerprint comparisons for authentication. The most well-known and widely used key-fingerprint representation are hexadecimal strings as used in various security tools. With the introduction of end-to-end security in WhatsApp and other messengers, the discussion on how to best represent key-fingerprints for users is receiving a lot of interest. We c...

Streebog is a new Russian hash function standard. It follows the HAIFA framework as domain extension algorithm and claims to resist recent generic second-preimage attacks with long messages. However, we demonstrate in this article that the specific instantiation of the HAIFA framework used in Streebog makes it weak against such attacks. More precisely, we observe that Streebog makes a rather po...

In this paper we propose the Grindahl family of hash functions, which is based on components of the Rijndael algorithm. To make collision search sufficiently difficult, this design has the important feature that no low-weight characteristics form collisions, and at the same time it limits access to the state. We also propose two instances of the Grindahl hash family, Grindahl-256 and Grindahl-5...

Symmetric Cryptanalysis Improved (Pseudo) Preimage Attacks on Reduced-Round GOST and Grøstl-256 and Studies on Several Truncation Patterns for AES-like Compression Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79 Bingke Ma, Bao Li, Ronglin Hao, and Xiaoqian Li Improvement on the Method for Automatic Differential Analysis and Its Application to Two Lightwe...

Because they require no assumption besides the preimage or collision resistance of hash functions, hash-based signatures are a unique and very attractive class of post-quantum primitives. Among them, the schemes of the sphincs family are arguably the most practical stateless schemes, and can be implemented on embedded devices such as FPGAs or smart cards. This naturally raises the question of t...

Cryptographic unkeyed hash functions should satisfy preimage resistance, second-preimage resistance and collision resistance. In this article, weak second-preimage resistance and weak collision resistance are defined following the definition of weak one-wayness. Preimage resistance is one-wayness of cryptographic hash functions. The properties of weak collision resistance is discussed in this a...

Abstra t. We develop a new generi long-message se ond preimage atta k, based on ombining the te hniques in the se ond preimage atta ks of Dean [8℄ and Kelsey and S hneier [16℄ with the herding atta k of Kelsey and Kohno [15℄. We show that these generi atta ks apply to hash fun tions using the Merkle-Damgård onstru tion with only slightly more work than the previously known atta k, but allow eno...