This paper introduces and describes new protocols for proving knowledge of secrets without giving them away: if the verifier does not know the secret, he does not learn it. This can all be done while only using one-way hash functions. If also the use of encryption is allowed, these goals can be reached in a more efficient way. We extend and use the GNY authentication logic to prove correctness ...

Often the core diiculty in designing zero-knowledge protocols arises from having to consider every possible cheating veriier trying to extract additional information. We here consider a compiler which transforms protocols proven secure only with respect to the honest veriier into protocols which are secure against any (even cheating) veriier. Such a compiler, which preserves the zero-knowledge ...

This report presents analysis of the compression function of a recently proposed hash function, FORK-256. We exhibit some unexpected differentials existing for the step transformation and show their possible uses in collision-finding attacks on different variants of FORK256. As a simple application of those observations we present a method of finding chosen IV collisions for a variant of FORK-2...

We describe a collision-finding attack on 16 rounds of the Tiger hash function requiring the time for about 2 compression function invocations. This extends to a collision-finding attack on 17 rounds of the Tiger hash function in time of about 2 compression function invocations. Another attack generates circular near-collisions, for 20 rounds of Tiger with work less than that of 2 compression f...

We propose a family of compression functions built from fixed-key blockciphers and investigate their collision and preimage security in the ideal cipher model. The constructions have security approaching and in many cases equaling the security upper bounds found in previous work of the authors [24]. In particular, we describe a 2n-bit to n-bit compression function using three calls to a permuta...

This paper presents preimage attacks on the hash functions 3-pass HAVAL and step-reduced MD5. Introduced in 1992 and 1991 respectively, these functions underwent severe collision attacks, but no preimage attack. We describe two preimage attacks on the compression function of 3-pass HAVAL. The attacks have a complexity of about 2 compression function evaluations instead of 2. We present several ...

BLAKE is a hash function selected by NIST as one of the 14 second round candidates for the SHA-3 Competition. In this paper, we follow a bottom-up approach to exhibit properties of BLAKE and of its building blocks: based on differential properties of the internal function G, we show that a round of BLAKE is a permutation on the message space, and present an efficient inversion algorithm. For 1....

While conducting a validation study of proficiency test media we found that applying the same hash algorithm against a single CD using different forensic applications resulted in different hash values. We formulated a series of experiments to determine the cause of the anomalous hash values. Our results suggest that certain write options cause forensic applications to report different hash valu...

Last time we saw an example of an encryption scheme, the “textbook RSA” scheme, which can be one-way secure (that’s exactly the belief expressed in the “RSA assumption”) but is not secure in the sense of indistinguishability. Now we’ll see that any one-way encryption might have some bad characteristics that make it not indistinguishably secure. With these arguments we’ll try to convince you tha...

Recent attacks on hash functions start by constructing a differential characteristic. By finding message pairs that satisfy this characteristic, a collision can be found. This paper describes the method of De Cannière and Rechberger to construct generalized characteristics for SHA-1 in more detail. This method is further generalized and applied to a simplified variant of the HAS-V hash function...