Beyond Uniformity: Better Security/Efficiency Tradeoffs for Compression Functions

M Stam

doi:10.1007/978-3-540-85174-5_22

Beyond Uniformity: Better Security/Efficiency Tradeoffs for Compression Functions

M Stam

Research output: Chapter in Book/Report/Conference proceeding › Conference Contribution (Conference Proceeding)

46 Citations (Scopus)

Abstract

Suppose we are given a perfect n + c-to-n bit compression function f and we want to construct a larger m + s-to-s bit compression function H instead. What level of security, in particular collision resistance, can we expect from H if it makes r calls to f? We conjecture that typically collisions can be found in 2(nr + cr − m)/(r + 1) queries. This bound is also relevant for building a m + s-to-s bit compression function based on a blockcipher with k-bit keys and n-bit blocks: simply set c = k, or c = 0 in case of fixed keys. We also exhibit a number of (conceptual) compression functions whose collision resistance is close to this bound. In particular, we consider the following four scenarios:

Translated title of the contribution	Better Security/Efficiency Tradeoffs for Compression Functions
Original language	English
Title of host publication	Advances in Cryptology - CRYPTO 2008
Publisher	Springer Berlin Heidelberg
Pages	397 - 412
Number of pages	16
Volume	5157
ISBN (Print)	9783540851738
DOIs	https://doi.org/10.1007/978-3-540-85174-5_22
Publication status	Published - 2008

Bibliographical note

Conference Proceedings/Title of Journal: Advances in Cryptology - CRYPTO 2008

Access to Document

10.1007/978-3-540-85174-5_22

http://www.springerlink.com/content/9711178k30j617m1/

Handle.net

Persistent link

Cite this

@inproceedings{727c0acb34534f44b30126664069d572,

title = "Beyond Uniformity: Better Security/Efficiency Tradeoffs for Compression Functions",

abstract = "Suppose we are given a perfect n + c-to-n bit compression function f and we want to construct a larger m + s-to-s bit compression function H instead. What level of security, in particular collision resistance, can we expect from H if it makes r calls to f? We conjecture that typically collisions can be found in 2(nr + cr − m)/(r + 1) queries. This bound is also relevant for building a m + s-to-s bit compression function based on a blockcipher with k-bit keys and n-bit blocks: simply set c = k, or c = 0 in case of fixed keys. We also exhibit a number of (conceptual) compression functions whose collision resistance is close to this bound. In particular, we consider the following four scenarios:",

author = "M Stam",

note = "Conference Proceedings/Title of Journal: Advances in Cryptology - CRYPTO 2008",

year = "2008",

doi = "10.1007/978-3-540-85174-5\_22",

language = "English",

isbn = "9783540851738",

volume = "5157",

pages = "397 -- 412",

booktitle = "Advances in Cryptology - CRYPTO 2008",

publisher = "Springer Berlin Heidelberg",

address = "Germany",

}

TY - GEN

T1 - Beyond Uniformity: Better Security/Efficiency Tradeoffs for Compression Functions

AU - Stam, M

N1 - Conference Proceedings/Title of Journal: Advances in Cryptology - CRYPTO 2008

PY - 2008

Y1 - 2008

N2 - Suppose we are given a perfect n + c-to-n bit compression function f and we want to construct a larger m + s-to-s bit compression function H instead. What level of security, in particular collision resistance, can we expect from H if it makes r calls to f? We conjecture that typically collisions can be found in 2(nr + cr − m)/(r + 1) queries. This bound is also relevant for building a m + s-to-s bit compression function based on a blockcipher with k-bit keys and n-bit blocks: simply set c = k, or c = 0 in case of fixed keys. We also exhibit a number of (conceptual) compression functions whose collision resistance is close to this bound. In particular, we consider the following four scenarios:

AB - Suppose we are given a perfect n + c-to-n bit compression function f and we want to construct a larger m + s-to-s bit compression function H instead. What level of security, in particular collision resistance, can we expect from H if it makes r calls to f? We conjecture that typically collisions can be found in 2(nr + cr − m)/(r + 1) queries. This bound is also relevant for building a m + s-to-s bit compression function based on a blockcipher with k-bit keys and n-bit blocks: simply set c = k, or c = 0 in case of fixed keys. We also exhibit a number of (conceptual) compression functions whose collision resistance is close to this bound. In particular, we consider the following four scenarios:

UR - https://www.scopus.com/pages/publications/51849094862

U2 - 10.1007/978-3-540-85174-5_22

DO - 10.1007/978-3-540-85174-5_22

M3 - Conference Contribution (Conference Proceeding)

SN - 9783540851738

VL - 5157

SP - 397

EP - 412

BT - Advances in Cryptology - CRYPTO 2008

PB - Springer Berlin Heidelberg

ER -

Beyond Uniformity: Better Security/Efficiency Tradeoffs for Compression Functions

Abstract

Bibliographical note

Access to Document

Handle.net

Other files and links

Fingerprint

Cite this