
Cryptographic Primitives for Information Authentication — State of the Art

Bart Preneel
Chapter
Part of the Lecture Notes in Computer Science book series (LNCS, volume 1528)

Abstract

This paper describes the state of the art for cryptographic primitives that are used for protecting the authenticity of information: cryptographic hash functions and digital signature schemes. The first class can be divided into Manipulation Detection Codes (MDCs, also known as one-way and collision resistant hash functions) and Message Authentication Codes (MACs). The theoretical background is sketched, but most attention is paid to an overview of the large number of practical constructions for hash functions and to the recent developments in their cryptanalysis. It is also explained to what extent the security of these primitives can be reduced in a provable way to realistic assumptions.
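An added illustration of the two classes of primitives the abstract distinguishes (example code written for this page, not code from Preneel's chapter): an unkeyed MDC can be recomputed by anyone able to alter the message, so on its own it detects manipulation only if the digest itself is protected, for instance by a digital signature, whereas a MAC needs the shared secret key. The MAC is HMAC written out from its definition (Bellare, Canetti and Krawczyk, Crypto'96) and cross-checked against Python's hmac module. The last function shows the birthday bound that governs much of hash-function cryptanalysis: a memoryless cycle-finding search in the style of Quisquater and Delescaille finds a collision in a truncated hash with about the square root of the work a preimage would take. The key, the message and the attacker's edit are constructed sample values.

```python
import hashlib
import hmac

HASH = "sha256"


def mdc(msg: bytes) -> bytes:
    """Manipulation Detection Code: an unkeyed, collision-resistant hash.
    Anyone on the channel, including the attacker, can compute it."""
    return hashlib.new(HASH, msg).digest()


def mac_from_definition(key: bytes, msg: bytes) -> bytes:
    """HMAC written out from its definition (Bellare, Canetti, Krawczyk, Crypto'96):
    H((K xor opad) || H((K xor ipad) || msg)), K zero-padded to the hash block size."""
    block = hashlib.new(HASH).block_size            # 64 bytes for SHA-256
    if len(key) > block:                            # over-long keys are hashed first
        key = hashlib.new(HASH, key).digest()
    key = key.ljust(block, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.new(HASH, ipad + msg).digest()
    return hashlib.new(HASH, opad + inner).digest()


def matches_stdlib_hmac(key: bytes, msg: bytes) -> bool:
    """Cross-check the hand-written construction against the standard library."""
    return mac_from_definition(key, msg) == hmac.new(key, msg, hashlib.sha256).digest()


def receiver_accepts_mdc(msg: bytes, digest: bytes) -> bool:
    """Receiver that trusts an MDC sent over the same unprotected channel as the message."""
    return hmac.compare_digest(mdc(msg), digest)


def receiver_accepts_mac(key: bytes, msg: bytes, tag: bytes) -> bool:
    """Receiver that verifies a MAC; compare_digest avoids a timing side channel."""
    return hmac.compare_digest(mac_from_definition(key, msg), tag)


def attacker_forges_mdc(msg: bytes):
    """An active attacker alters the message and simply recomputes the unkeyed MDC."""
    forged = msg.replace(b"100", b"900")            # constructed sample edit
    return forged, mdc(forged)


def attacker_forges_mac(msg: bytes, tag: bytes):
    """Without the key the attacker can only replay the old tag with the altered message."""
    forged = msg.replace(b"100", b"900")
    return forged, tag


def birthday_collision(nbytes: int, start: bytes = b"\x00\x00\x00\x00"):
    """Memoryless collision search (Floyd cycle finding, in the style of
    Quisquater-Delescaille) on the MDC truncated to nbytes. It needs roughly
    2**(4*nbytes) hash evaluations, the square root of the 2**(8*nbytes) a
    preimage search would need: an n-bit hash gives only n/2-bit collision
    resistance. Returns two distinct inputs with the same truncated hash."""
    f = lambda x: mdc(x)[:nbytes]
    while True:
        slow, fast = f(start), f(f(start))
        while slow != fast:                         # phase 1: detect the cycle
            slow, fast = f(slow), f(f(fast))
        a, b = start, fast                          # phase 2: walk to the cycle entry
        while f(a) != f(b):                         # stops at the two predecessors
            a, b = f(a), f(b)
        if a != b:
            return a, b
        start = mdc(start + b"retry")[:nbytes]      # start was on the cycle: pick another


if __name__ == "__main__":
    key = b"shared secret key"                      # constructed sample key
    msg = b"transfer 100 EUR to account 42"         # constructed sample message
    print("HMAC matches stdlib:", matches_stdlib_hmac(key, msg))
    forged, digest = attacker_forges_mdc(msg)
    print("forged message with recomputed MDC accepted:", receiver_accepts_mdc(forged, digest))
    forged, tag = attacker_forges_mac(msg, mac_from_definition(key, msg))
    print("forged message with replayed MAC accepted:", receiver_accepts_mac(key, forged, tag))
    a, b = birthday_collision(4)
    print("32-bit collision:", a.hex(), b.hex(), mdc(a)[:4].hex())
```

Run as a script it reports that the recomputed MDC is accepted with the altered message while the replayed MAC is rejected, then prints a 32-bit collision found in well under a second; the same search against the full 256-bit output would take about 2**128 evaluations, which is the point of the n/2 rule.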



  161. 161.
    V. Shoup, “On fast and provably secure message authentication based on universal hashing, Advances in Cryptology, Proceedings Crypto’96, LNCS 1109, N. Koblitz, Ed., Springer-Verlag, 1996, pp. 313–328.Google Scholar
  162. 162.
    G.J. Simmons, “A survey of information authentication,” in “Contemporary Cryptology: The Science of Information Integrity,” G.J. Simmons, Ed., IEEE Press, 1991, pp. 381–419.Google Scholar
  163. 163.
    G.J. Simmons, “How to insure that data acquired to verify treat compliance are trustworthy,” in “Contemporary Cryptology: The Science of Information Integrity,” G.J. Simmons, Ed., IEEE Press, 1991, pp. 615–630.Google Scholar
  164. 164.
    D. Simon, “Finding collisions on a one-way street: Can secure hash functions be based on general assumptions?” Advances in Cryptology, Proceedings Eurocrypt’98, LNCS 1403, K. Nyberg, Ed., Springer-Verlag, 1998, pp. 334–345.Google Scholar
  165. 165.
    D.R. Stinson, “The combinatorics of authentication and secrecy codes,” Journal of Cryptology, Vol. 2, No. 1, 1990, pp. 23–49.zbMATHMathSciNetCrossRefGoogle Scholar
  166. 166.
    D.R. Stinson, “Universal hashing and authentication codes,” Designs, Codes, and Cryptography, Vol. 4, No. 4, 1994, pp. 369–380. See also Advances in Cryptology, Proceedings Crypto’91, LNCS 576, J. Feigenbaum, Ed., Springer-Verlag, 1992, pp. 74–85.Google Scholar
  167. 167.
    D.R. Stinson, “Combinatorial characterizations of authentication codes,” Designs, Codes, and Cryptography, Vol. 2, No. 2, 1992, pp. 175–187. See also Advances in Cryptology, Proceedings Crypto’91, LNCS 576, J. Feigenbaum, Ed., Springer-Verlag, 1992, pp. 62–73.Google Scholar
  168. 168.
    J.-P. Tillich, G. Zémor, “Hashing with SL2,” Advances in Cryptology, Proceedings Crypto’94, LNCS 839, Y. Desmedt, Ed., Springer-Verlag, 1994, pp. 40–49.Google Scholar
  169. 169.
    P.C. van Oorschot, M.J. Wiener, “Parallel collision search with application to hash functions and discrete logarithms,” Proc. 2nd ACM Conference on Computer and Communications Security, ACM, 1994, pp. 210–218 (final version to appear in Journal of Cryptology).Google Scholar
  170. 170.
    G.S. Vernam, “Cipher printing telegraph system for secret wire and radio telegraph communications,” Journal American Institute of Electrical Engineers, Vol. XLV, 1926, pp. 109–115.Google Scholar
  171. 171.
    M.N. Wegman, J.L. Carter, “New hash functions and their use in authentication and set equality,” Journal of Computer and System Sciences, Vol. 22, No. 3, 1981, pp. 265–279.zbMATHMathSciNetCrossRefGoogle Scholar
  172. 172.
    A.C. Yao, “Theory and applications of trapdoor functions,” Proc. 23rd IEEE Symposium on Foundations of Computer Science, 1982, pp. 80–91.Google Scholar
  173. 173.
    G. Yuval, “How to swindle Rabin,” Cryptologia, Vol. 3, 1979, pp. 187–189.CrossRefGoogle Scholar
  174. 174.
    G. Zémor, “Hash functions and Cayley graphs,” Designs, Codes, and Cryptography, Vol. 4, No. 4, 1994, pp. 381–394.zbMATHMathSciNetCrossRefGoogle Scholar
  175. 175.
    Y. Zheng, T. Matsumoto, H. Imai, “Connections between several versions of one-way hash functions,” Proc. SCIS90, The 1990 Symposium on Cryptography and Information Security, Nihondaira, Japan, Jan. 31–Feb. 2, 1990.Google Scholar
  176. 176.
    Y. Zheng, J. Pieprzyk, J. Seberry, “HAVAL — a one-way hashing algorithm with variable length output,” Advances in Cryptology, Proceedings Auscrypt’92, LNCS 718, J. Seberry and Y. Zheng, Eds., Springer-Verlag, 1993, pp. 83–104.Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 1998

Authors and Affiliations

  • Bart Preneel, Dept. Electrical Engineering-ESAT, Katholieke Universiteit Leuven, Heverlee, Belgium