
The First 30 Years of Cryptographic Hash Functions and the NIST SHA-3 Competition

  • Bart Preneel
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5985)

Abstract

The first designs of cryptographic hash functions date back to the late 1970s; more proposals emerged in the 1980s. During the 1990s, the number of hash function designs grew very quickly, but security flaws were identified in many of these proposals. MD5 and SHA-1 were deployed in an ever-increasing number of applications, earning them the name “Swiss army knives” of cryptography. In spite of the importance of hash functions, only limited effort was spent on studying their formal definitions and foundations. In 2004 Wang et al. perfected differential cryptanalysis to a point that finding collisions for MD5 became very easy; for SHA-1 a substantial reduction of the security margin was obtained. This breakthrough has triggered a flurry of research, leading to new constructions and a growing body of foundational research. NIST announced in November 2007 that it would organize the SHA-3 competition, with the goal of selecting a new hash function family by 2012. From the 64 candidates submitted by October 2008, 14 have made it to the second round. This paper presents a brief overview of the state of hash functions 30 years after their introduction; it also discusses the progress of the SHA-3 competition.

Keywords

Hash Function; Block Cipher; Random Oracle; Compression Function; Cryptographic Hash Function
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.



Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  • Bart Preneel (1)
  1. Dept. Electrical Engineering-ESAT/COSIC, Katholieke Universiteit Leuven and IBBT, Leuven, Belgium
