M. Bellare and P. Rogaway. Collision-resistant hashing: Towards making UOWHFs practical. In Advances in Cryptology -- CRYPTO 97, volume 1294 of Lecture Notes in Computer Science, pages 470--484, 1997.  Home/Search   Document Not in Database   Summary   Related Articles   Check

....(say, O(k) where k is the security parameter) as it directly contributes to the binder length which we aim to minimize. Now, however, we also need the description of a UOWHF H to be small, as it is also part of the binder. Unfortunately, the best known constructions of UOWHFs for long messages [9, 29] have jHj O(k log jmj) where k is the security parameter and jmj jhj is the length of the input to H . While the logarithmic dependence on the message length is not bad in theory in particular, we still get jb j jmj this is a big drawback as compared to the previous CRHF based ....

M. BELLARE AND P. ROGAWAY, "Collision-Resistant Hashing: Towards Making UOWHFs Practical," In Crypto '97, pp. 470--484, LNCS Vol. 1294, 1997.

....a oracle relative to which UOWHFs exist but collision resistant hash functions do not exist. See [6] for a survey on hash functions and [11] for some properties and reductions between di erent kinds of hash functions. The study of UOWHF was later undertaken by several authors. Bellare and Rogaway [1] showed that it is possible to build practical and provably secure hash then sign schemes, where the hashing is done using a UOWHF. The paper also addresses the problem of constructing UOWHFs. Like most basic cryptographic primitives it is virtually impossible to de ne a family fh k g k2K and ....

....and provably secure hash then sign schemes, where the hashing is done using a UOWHF. The paper also addresses the problem of constructing UOWHFs. Like most basic cryptographic primitives it is virtually impossible to de ne a family fh k g k2K and prove it to be a UOWHF. The idea suggested in [1] is to use one of the standard hash functions like SHA or RIPEMD in a keyed mode and assume it to be a UOWHF. It seems more reasonable to make this assumption when the domain is a short string rather than an arbitrarily long string. This leads to the question of extending the domain of a UOWHF ....

[Article contains additional citation context not shown here]

M. Bellare and P. Rogaway. Collision-resistant hashing: towards making UOWHFs practical. Proceedings of CRYPTO 1997, pp 470-484.

.... satisfying the strong definition of security [12] may trivially be used as a one time signature scheme) If m is the length of the message to be signed, the best known construction of a signature scheme based on one way permutations requires log S) invocations of a permutation with security S ([2], building on [18] We prove that, for any construction of a signature scheme, the verification algorithm must query the permutation m log S) times. As before, we show that any construction beating this bound can be used to give an explicit construction of a one way function. 3 1.2 ....

M. Bellare and P. Rogaway. Collision-Resistant Hashing: Toward Making UOWHFs Practical. Crypto '97.

.... Important extensions from FIL to VIL include Cipher Block Chaining (CBC) BKR94,BDJR97] extending pseudo random permutations (ciphers) and MAC functions, and the Merkle Damgrd cascade, extending pseudo random functions [BCK96F] and often used to extend collision resistant hash functions [Da89,Me89,BR97]. Most other constructions of advanced cryptographic mechanisms from one way functions, e.g. HILL99,NY89] are too wasteful in resources and security to be of practical use. In this paper we focus on an alternative, direct approach for achieving (proven) cryptanalysis tolerance, namely ....

....of Theorem 1. 3.3. Integrity of 2 3 Commit Hash Composition We now define the integrity (binding) property of commit hash functions, namely collision resistance. Again, for simplicity, we focus on VIL commit hash functions. We slightly modify the definitions of any collision resistance from [BR97] and collision resistance of [Da89] to accommodate the additional input of a randomizer to commit hash functions. Namely, a collision for commit hash function C with key K is a set of two pairs, m,r , m ,r such that m#m and C[K] m; r) C[K] m ; r ) Notice that the values of the ....

Mihir Bellare and Phillip Rogaway, Collision-Resistant Hashing: Towards Making UOWHFs Practical, Extended abstract was in Advances in Cryptology- Crypto 97 Proceedings, Lecture Notes in Computer Science Vol. 1294, B. Kaliski ed, Springer-Verlag, 1997. Full paper available at http://www.cs.ucsd.edu/users/mihir/papers/tcr-hash.html.

....the existence of a one way function sufficient for the construction of a provably secure RKES Note that a collision intractable hash function is used in our constructions and that it is not known how to build such a hash function based only on the assumption that a one way function exists. See [4] for a discussion of the desirability of using UOWHFs instead of collision intractable hash functions. Acknowledgments We thank Omer Reingold for useful discussions and the Eurocrypt 98 Program Committee members for their comments. ....

M. Bellare and P. Rogaway, "Collision Resistant Hashing, Towards Making UOWHFs practical," in Advances in Cryptology -- Crypto '97, Lecture Notes in Computer Science, vol. 1294, Springer, Berlin, pp. 470--484, 1997.

....so the loss probability of a signature packet is reduced to 1 . The average per packet overhead in this case is 40 bytes. 0.96 0.94 0.92 0.90 . 0 500 1000 1500 2000 Figure 11. The verification probability for the extended scheme including periodic signature packets. 3.4 Case Study on Two Settings We consider two different cases of stream distribution and we analyze the overhead of applying EMSS to ensure the non repudiation of the streamed data. Case I: Streamed Distribution of Traffic Data Assume that a municipality has traffic sensors distributed over ....

....contains the same hash value, we consider that packet as verified, if the current packet can be verified. Alternatively, we could build a deterministically computable random graph over the packets, and the receiver would reconstruct it. This alternative would require a packet id in each packet. 13 packet losses are uncorrelated if they are sent within a delay, the probability that one of them arrives is approximately 1 0.62 = 0.64. Since the packet loss is so high and veri fication delay relatively short, we send a a signature packet every 200 packets. This translates to about 2.5 ....

[Article contains additional citation context not shown here]

M. Bellare and P. Rogaway. Collision-resistant hashing: Towards making UOWHFs practical. In Burr Kaliski, editor, Advances in Cryptology - Crypro '97, pages 470-484, Berlin, 1997. Springer-Verlag. Lecture Notes in Computer Science Volume 1294.

....ed, the adversary s task is more dicult than in the case of CRHF and hence a UOWHF is a weaker primitive. In fact, Simon [8] has shown that there is an oracle relative to which UOWHFs exist but not CRHFs. There is another important practical reason for preferring UOWHFs to CRHFs. As mentioned in [1], the birthday attack does not apply to UOWHFs. Hence the size of the message digest can be signi cantly shorter. From the above discussion it follows that it is important to look for ecient constructions of UOWHFs. However, like most basic cryptographic primitives (say symmetric ciphers) it is ....

....it is important to look for ecient constructions of UOWHFs. However, like most basic cryptographic primitives (say symmetric ciphers) it is virtually impossible to construct a keyed family of hash functions and prove it to be a UOWHF. In view of this, the approach suggested by Bellare and Rogaway [1] is to key one of the standard hash functions like SHA 1 or RIPEMD 160 and assume it to be a UOWHF. It seems more reasonable to make this assumption when the input is a short xed length string rather than in the case where the input can be arbitrarily long strings. This brings us to the problem ....

[Article contains additional citation context not shown here]

M. Bellare and P. Rogaway. Collision-resistant hashing: towards making UOWHFs practical. Proceedings of CRYPTO 1997, pp 470-484. 14

No context found.

M. Bellare and P. Rogaway. Collision-resistant hashing: Towards making UOWHFs practical. In Advances in Cryptology -- CRYPTO 97, volume 1294 of Lecture Notes in Computer Science, pages 470--484, 1997.

No context found.

M. Bellare and P. Rogaway. Collision-resistant hashing: Towards making UOWHFs practical. In Advances in Cryptology -- CRYPTO 97, volume 1294 of Lecture Notes in Computer Science, pages 470--484, 1997.

No context found.

M. Bellare and P. Rogaway. Collision-resistant hashing: Towards making UOWHFs practical. In Advances in Cryptology -- CRYPTO 97, volume 1294 of Lecture Notes in Computer Science, pages 470--484, 1997.

No context found.

M. Bellare and P. Rogaway, Collision-Resistant Hashing: Towards Making UOWHFs Practical, In Crypto '97, LNCS Vol. 1294.

No context found.

Mihir Bellare and Phillip Rogaway, Collision-Resistant Hashing: Towards Making UOWHFs Practical, Extended abstract was in Advances in Cryptology- Crypto 97 Proceedings, Lecture Notes in Computer Science Vol. 1294, B. Kaliski ed, Springer-Verlag, 1997. Full paper available at http://www.cs.ucsd.edu/users/mihir/papers/tcr-hash.html.

No context found.

M. Bellare and P. Rogaway. Collision-resistant hashing: towards making UOWHFs practical. In Advances in Cryptology--Crypto '97, 1997.

No context found.

M. Bellare and P. Rogaway. Collision-resistant hashing: towards making UOWHFs practical. In Advances in Cryptology{Crypto '97, 1997.

No context found.

M. Bellare and P. Rogaway. Collision-resistant hashing: Towards making UOWHFs practical. In B. Kaliski, editor, Proc. Crypto '97, volume 1294 of LNCS, pages 470--

No context found.

M. Bellare and P. Rogaway. Collision-resistant hashing: Towards making UOWHFs practical. In Advances in Cryptology -- CRYPTO '97, volume 1294 of Lecture Notes in Computer Science, pages 470--484, 1997.

No context found.

M. Bellare and P. Rogaway. Collision-resistant hashing: Towards making UOWHFs practical. In Advances in Cryptology -- CRYPTO '97, volume 1294 of Lecture Notes in Computer Science, pages 470--484, 1997.

No context found.

M. Bellare and P. Rogaway. Collision-resistant hashing: towards making UOWHFs practical. Lecture Notes in Computer Science, Proceedings of CRYPTO 1997, pp 470-484.

No context found.

M. Bellare and P. Rogaway. Collision-resistant hashing: towards making UOWHFs practical. Proceedings of CRYPTO 1997, pp 470-484.

No context found.

M. Bellare and P. Rogaway. Collision-resistant hashing: towards making UOWHFs practical. Proceedings of CRYPTO 1997, pp 470-484. 9

No context found.

M. Bellare and P. Rogaway. Collision-resistant hashing: Towards making UOWHFs practical. In Advances in Cryptology -- CRYPTO '97, volume 1294 of Lecture Notes in Computer Science, pages 470--484, 1997.

No context found.

M. Bellare, P. Rogaway, "Collision-resistant hashing: towards making UOWHFs practical," Proc. of CRYPTO 97, pp. 470--484, Full version of this paper is available from http://www-cse.ucsd.edu/users/mihir/, 1997.

No context found.

M. Bellare and P. Rogaway. Collision-resistant hashing: toward making UOWHFs practical. Crypto '97.

No context found.

M. Bellare and P. Rogaway. Collision-resistant hashing: towards making UOWHFs practical. Proceedings of CRYPTO 1997, pp 470-484.

No context found.

M. Bellare and P. Rogaway. Collision-resistant hashing: towards making UOWHFs practical, Advances in Cryptology - Crypto'97, Lecture Notes in Computer Science, Vol. 1294, Springer-Verlag, pp. 470-484, 1997.

First 50 documents

Online articles have much greater impact   More about CiteSeer.IST   Add search form to your site   Submit documents   Feedback  

CiteSeer.IST - Copyright Penn State and NEC