We prove that Tandem-DM, which is one of the two "classical" schemes for turning a blockcipher of 2n-bit key into a double block length hash function, has birthday-type collision resistance in the ideal cipher model. A collision resistance analysis for Tandem-DM achieving a similar birthday-type bound was already proposed by Fleischmann, Gorski and Lucks …
We present new techniques for deriving preimage resistance bounds for block cipher based double-block-length, double-call hash functions. We give improved bounds on the preimage security of the three "classical" double-block-length, double-call, block cipher-based compression functions, these being Abreast-DM, Tandem-DM and Hirose's scheme. For Hirose's …
This paper considers, for the first time, the concept of key-alternating ciphers in a provable security setting. Key-alternating ciphers can be seen as a generalization of a construction proposed by Even and Mansour in 1991. This construction builds a block cipher $PX$ from an $n$-bit permutation $P$ and two $n$-bit keys $k_0$ and $k_1$, setting $PX_{k_0,k_1}(x) = k_1 \oplus P$ …
A vanishing sum $a_0 + a_1 \zeta_n + \cdots + a_{n-1} \zeta_n^{n-1} = 0$, where $\zeta_n$ is a primitive $n$-th root of unity and the $a_i$'s are nonnegative integers, is called minimal if the coefficient vector $(a_0, \ldots, a_{n-1})$ does not properly dominate the coefficient vector of any other such nonzero sum. We show that for every $c \in \mathbb{N}$ there is a minimal vanishing sum of $n$-th roots …
We consider multiple tilings of $\mathbb{Z}$ by translates of a finite multiset $A$ of integers (called a tile). We say that a set of integers $T$ is an $A$-tiling of level $d$ if each integer can be written in exactly $d$ ways as the sum of an element of $T$ and an element of $A$. We find new exponential lower bounds on the longest period of an $A$-tiling as a function of the diameter …
We provide attacks and analysis that capture a tradeoff, in the ideal-permutation model, between the speed of a permutation-based hash function and its potential security. For collision-uniform, fixed-permutation-order compression functions, we show that any 2n-bit to n-bit construction will have unacceptable collision resistance if it makes fewer than three …
We propose a family of compression functions built from fixed-key blockciphers and investigate their collision and preimage security in the ideal cipher model. The constructions have security approaching and in many cases equaling the security upper bounds found in previous work of the authors [24]. In particular, we describe a 2n-bit to n-bit compression …
A $t$-round key-alternating cipher (also called iterated Even-Mansour cipher) can be viewed as an abstraction of AES. It defines a cipher $E$ from $t$ fixed public permutations $P_1, \ldots, P_t : \{0,1\}^n \to \{0,1\}^n$ and a key $k = k_0 \cdots k_t \in \{0,1\}^{n(t+1)}$ by setting $E_k(x) = k_t \oplus P_t(k_{t-1} \oplus P_{t-1}(\cdots k_1 \oplus P_1(k_0 \oplus x) \cdots))$. The indistinguishability of …