Hash函数的使用模式和组件安全性分析
|
摘要
Hash算法是现代密码体制的重要组成部分,也是保密通信协议和信息安全系统的核心模块之一.它广泛应用于数据完整性检测、消息认证、数字签名、密钥交换协议等方面,因此对Hash函数的安全性分析具有重要的理论意义和实用价值.
本文首先介绍了Hash函数的基础理论,总结了Merkle-Damg?rd迭代结构存在的缺陷,之后着重研究了Hash函数的一类基本组件的密码学性质,最后我们对Hash函数的一种使用模式——将Hash函数应用于消息加密和认证的方案进行了安全性分析.本文主要工作如下:
(1)考虑到不同群上的混合运算和T-函数已经作为基本组件用于Hash函数的设计当中,研究了一类基于混和运算的函数的密码学性质,从理论上证明了函数f ( x ) = x + ( x <<< a )∨C m od2n的可逆性,得到了f ( x )可逆的必要条件,并讨论了f ( x )退化为T-函数时的圈性质;
(2)在系统研究了当前流行的消息认证码的构造方式与优缺点后,分析了一类基于Hash函数设计的消息认证码的安全性,指出这类消息认证码在结构上存在极大的安全漏洞,攻击者可根据该消息认证码的结构和使用环境篡改消息.
Hash functions are the fundamental components in modern cryptography and also key modules in communication protocol and information security systems. Hash functions are widely used to achieve certain security goals such as data integrity, message authentication, digital signature, key exchange scheme, etc. Hence security analysis of Hash functions is very important both in theory and in practice.
This thesis firstly introduces the basic theory of Hash functions, and then studies the properties of a new class of functions as Hash function components. Furthermore, when the security of the iterated structure of Hash function is analyzed in detail, we emphasize on studying an important application of Hash functions - constructing message authentication codes (MAC) schemes, and analyzing its security.
This thesis includes the following two aspects of Hash functions:
(1) Mixed-operations and T-functions are used for design of Hash functions. We study the properties of a new class of functions based on mixed-operations and obtain a necessary condition when is invertible. Also we consider the case when ( )f ( x ) = x + ( x <<< a )∨C mod 2nf x degenerates into a T-function.
(2) The constructions and performances of some MACs are introduced. We analyze the security of a class of message authentication codes based on Hash functions. This MAC is so insecure that the attacker can easily forge messages without analyzing the security of Hash functions.
本文首先介绍了Hash函数的基础理论,总结了Merkle-Damg?rd迭代结构存在的缺陷,之后着重研究了Hash函数的一类基本组件的密码学性质,最后我们对Hash函数的一种使用模式——将Hash函数应用于消息加密和认证的方案进行了安全性分析.本文主要工作如下:
(1)考虑到不同群上的混合运算和T-函数已经作为基本组件用于Hash函数的设计当中,研究了一类基于混和运算的函数的密码学性质,从理论上证明了函数f ( x ) = x + ( x <<< a )∨C m od2n的可逆性,得到了f ( x )可逆的必要条件,并讨论了f ( x )退化为T-函数时的圈性质;
(2)在系统研究了当前流行的消息认证码的构造方式与优缺点后,分析了一类基于Hash函数设计的消息认证码的安全性,指出这类消息认证码在结构上存在极大的安全漏洞,攻击者可根据该消息认证码的结构和使用环境篡改消息.
Hash functions are the fundamental components in modern cryptography and also key modules in communication protocol and information security systems. Hash functions are widely used to achieve certain security goals such as data integrity, message authentication, digital signature, key exchange scheme, etc. Hence security analysis of Hash functions is very important both in theory and in practice.
This thesis firstly introduces the basic theory of Hash functions, and then studies the properties of a new class of functions as Hash function components. Furthermore, when the security of the iterated structure of Hash function is analyzed in detail, we emphasize on studying an important application of Hash functions - constructing message authentication codes (MAC) schemes, and analyzing its security.
This thesis includes the following two aspects of Hash functions:
(1) Mixed-operations and T-functions are used for design of Hash functions. We study the properties of a new class of functions based on mixed-operations and obtain a necessary condition when is invertible. Also we consider the case when ( )f ( x ) = x + ( x <<< a )∨C mod 2nf x degenerates into a T-function.
(2) The constructions and performances of some MACs are introduced. We analyze the security of a class of message authentication codes based on Hash functions. This MAC is so insecure that the attacker can easily forge messages without analyzing the security of Hash functions.
引文
[1] W.Diffie and M.E.Hellman, New directions in cryptography, IEEE Trans. Inform. Theory, IT-22, 6, 1976, pp. 644-654.
[2] Advanced Hash Standard Competition, http://csrc.nist.gov/pki/HashWorkshop/
[3] B. Preneel, R. Govaerts, and J. Vandewalle, Hash functions based on block ciphers, In Crypto'93, Springer-Verlag, LNCS 773, pp.368-378.
[4] J. Black, P. Rogaway, and T. Shrimpton, Black-box analysis of the block cipher based hash-function constructions from PGV, In Crypto’2002, LNCS 2442, pp.320–335.
[5] Phillip Rogaway and Thomas Shrimpton, Cryptographic Hash-Function Basics Definitions, Implications and Separations, Fast Software Encryptionin-FSE’04, LNCS 3017, pp.371–388.
[6] Shoichi Hirose, Je Hong Park and Aaram Yun, A Simple Variant of the Merkle- Damgard Scheme with a Permutation, In AsiaCrypto’2007.
[7] Mihir Bellare and Thomas Ristenpart, Multi-Property-Preserving Hash Domain Extension and the EMD Transform, In AsiaCrypt’2006, LNCS 4284, pp.299–314.
[8] Jean-Sebastien Coron, Yevgeniy, Dodis, Cecile Malinaud and Prashant Puniya, Merkle-Damg?rd Revisited: How to Construct a Hash Function, In V. Shoup (Ed.): Crypto’2005, LNCS 3621, pp.430-448.
[9] John P. Steinberger, The Collision Intractability of MDC-2 in the Ideal-Cipher Model, Eurocrypt’2007, LNCS 4515, pp.34–51.
[10] Stefan Lucks, A Failure-Friendly Design Principle for Hash Functions, In AsiaCrypt’2005, Springer, LNCS 3788, pp.474–494.
[11] S. Hirose, Some plausible constructions of double-block-length hash functions, Fast Software Encryptionin-FSE’06, LNCS 4047, pp.231-246.
[12] Rabin M.O., Digitalized Signatures. In R. A. Demillo, D. P. Dopkin, A. K. Jones and R. J. Lipton, editors, Foundations of Secure Computation, Academic Press, pp.155-166, New York, 1978.
[13] R.Anderson and E.Biham, Tiger: A Fast New Hash Function, Fast Software Encryptionin-FSE’96, LNCS 1039, Springer-Verlag, 1996, pp.89-97.
[14] Barreto P. S. L. M. and Rijmen V., The Whirlpool Hashing function. Primitivesubmitted to NESSIE, 2000. http://www.cryptonessie.org/.
[15] Knudsen L., Rechberger C. and Thomsen S., Grindahl– a family of hash functions, Fast Software Encryption-FSE’07, Springer LNCS 4593, pp.39-57.
[16] Rivest R.L., The MD4 message digest algorithm. In Crypto’90, LNCS 537, pp.303-311, Springer-Verlag,1991.
[17] Rivest R.L., The MD5 message digest algorithm. Internet Network Working Group RFC 1321, April 1992.
[18] Zhebg Y., Pieprzyk J. and Seberry J., HAVAL-a one way hashing algorithm with variable length of output. In Auscrypt’92, LNCS 718, pp.83-104, Springer-Verlag, 1993.
[19] Preneel B., The State of Cryptographic Hash Function. In Lecture on Data Security, LNCS 1561, pp.158-182, Springer-Verlag, 1999.
[20] Doobertin H., A. Bosselaers and B. Preneel, RIPMEND-160: A Strengthened Version of RIPMEND, Fast Software Encryption, LNCS 1039, pp.71-82, Springer-Verlag, 1996.
[21] FIPS 180. Secure Hash standard. NIST, US Department of Commerce, Springer 1993 .
[22] FIPS 180-1. Secure Hash standard. NIST, US Department of Commerce, Springer 1996.
[23] Boer B. and Bosselaers A., Collisions for the Compression Function of MD5. In Eurcrypt’93, LNCS 765, pp.293-299, Springer-Verlag, 1993.
[24] Doobertin H., Cryptanalysis of MD4. In D. Gollmann, editor, Proceedings of Fast Software Encryption 1996, LNCS 1039, pp.53-70, Springer-Verlag, 1996.
[25] Preneel B., Analysis and design of cryptographic hash functions. PhD thesis, Katholieke Universiteit Leuven, 1993
[26] Vaudenay S., On the Need for Multipermutations: Cryptanalysis of MD4 and SAFER. Fast Software Encryption, Second International Workshop proceeding, pp.286-308, Springer-Verlag, 1995
[27] Chabaud F. and Joux A., Differential Collisions in SHA-0. In Crypto’98, LNCS 1462, pp.56-71, Springer-Verlag, 1998.
[28] Joux A., Carribault P., Jalby W. and Lemuet C., Collisions in SHA-0. Presented at the rump session of Crypto’2004.
[29] X.Y.Wang, D.G.Feng, X.J.Lai, and H.B.Yu. Collisions for Hash Functions MD4, MD5, HAVAL-128 and RIPEMD. Rump session of Crypto’04 and IACR Eprint archive, 2004.
[30] X.Y.Wang and H.B.Yu. How to Break MD5 and Other Hash Functions. Advances in Cryptology–Eurocrypt’05, pp.19-35, Springer-Verlag, 2005.
[31] X.Y.Wang. Efficient Collision Search attacks on SHA-0. In Chinese. www. infosec.edu.cn, 1997.
[32] X.Y.Wang and H.B.Yu. Finding Collisions in the Full SHA-1. In: Victor Shoup. Advances in Crypto’2005, Springer LNCS 3621, pp.17-36, 2005.
[33] J. Bierbrauer, T. Johansson, G. Kabatianskii and B. Smeets, On families of hash functions via geometric codes and concatenation, Advances in Crypto’93, LNCS 773, pp.331-342 , Springer-Verlag, 1994.
[34] D. R. Stinson, Universal hashing and authentication codes, Advances in Crypto’91, LNCS 576, pp.74-85, Springer-Verlag, 1992.
[35] D. R. Stinson, R.Wei and L. Zhu, New constructions for perfect hash families and related structures using combinatorial designs and codes, J. Combinatorial Designs, Vol. 8, pp.189-200 (2000).
[36] J. Black, S. Halevi, H. Krawczyk, T. Krovetz and P. Rogaway, UMAC: Fast and Secure Message Authentication, Advances in Crypto '99: pp. 216-245, Springer-Verlag, 1999.
[37] M. Bellare, R. Canetti and H. Krawczyk, Keying Hash Functions for Message Authentication, Advances in Crypto '96, pp. 1-19, Springer-Verlag, 1996.
[38] Sang Uk Shin, Kyung Hyune Rhee, Dae Hyun Ryu and Sang Jin Lee, A New Hash Function Based on MDx-Family and Its Application to MAC, Public Key Cryptography, PKC'98, LNCS 1431, pp. 234-246, Springer-Verlag, 1998.
[39] Bart Preneell Paul C, MDx-MAC and Building Fast MACs from Hash Functions, Advances in Crypto '95, LNCS 963, pp. 1-14, Springer-Verlag, 1995.
[40] J. L. Carter and M. N. Wegman, Universal classes of hash functions, Journal of Computer and System Sciences, 18(1979), pp.143-154.
[41] Bellare, M., New Proofs for NMAC and HMAC: Security Without Collision Resistance. In Crypto’2006. LNCS 4117, pp. 602-619. Springer-Verlag, 2006.
[42] Scott Contini and Yiqun Lisa Yin, Forgery and Partial Key-Recovery Attacks on HMAC and NMAC Using Hash Collisions, In Asiacrypt’2006, LNCS 4284, pp. 37-53, Springer-Verlag, 2006.
[43] Pierre-Alain Fouque, Gaetan Leurent and Phong Q. Nguyen, Full Key-Recovery Attacks on HMAC-NMAC-MD4 and NMAC-MD5, Advances in Crypto '2007, LNCS 4622, pp. 13-30, Springer-Verlag, 2007.
[44] Computer Data Authentication. Federal Information Processing Standard Publication 113, 1985.
[45] M. Bellark, J. Kilian and P. Rogaway, The security of the cipher block chaining message authentication code, Journal of Computer and System Sciences, 61(2000), pp.362-399.
[46] M. Bellare, R. Guerin and P. Rogaway, XOR MACs: New Methods for Message Authentication Using Finite Pseudorandom Functions, Advances in Crypto '95, pp.15-35, Springer-Verlag, 1995.
[47] Virgil D. Gligor and Pompiliu Donescu, Fast Encryption and Authentication: XCBC Encryption and XECB Authentication Modes, In FSE 2001 Yokohama, pp. 92-141, Springer-Verlag, 2002.
[48] J. Black and P. Rogaway, A Block-Cipher Mode of Operation for Parallelizable Message Authentication, In Eruocrypt’2002, pp.384-401, Springer-Verlag, 2002.
[49] Kurosawa K and Iwata T. TMAC: Two-key CBC-MAC Proceedings of the CT-RSA 2003. San Francisco, CA, USA, pp.33-49, 2003.
[50] Ballare M. and Rogaway P., Introduction to Modern Cryptography.
[51] R. C. Merkle, One way hash functions and DES, In Crypto’89, Springer LNCS 435, pp. 428-446, 1990.
[52] Damgard I., A design principle for hash functions. Advances in Crypto’89, Springer LNCS 435, pp.416-427, 1990.
[53] Lai X. and Massey J.L., Hash functions based on block ciphers, In Advances in Europcrypt’92, LNCS 658, pp.15-23, Springer-Verlag, 1993.
[54] Joux A., Multicollisions in iterated Hash functions. Application to cascade constructions. In Crypto’2004, LNCS 3152, pp.306-316, Springer-Verlag, 2004.
[55] Dean R.D., Formal Aspects of Mobile Code Security. Ph. D. dissertation, Princeton University,1999.
[56] Kelsey J. and Schneier B., Second preimages on n-bit hash functions for much less than 2n work. In Europcrypt’2005, LNCS 3494, pp.474-490, Springer- Verlag, 2005.
[57] Kelsey J. and Kohno T., Herding Hash Functions and the Nostradamus Attack, In Europcrypt’2006, LNCS 4004, pp.183-200, Springer-Verlag, 2006.
[58] Gauravaram P., Millan W., Neito J.G.. and Dawson E., 3C-A Provably Secure Pseudorandom Function and Message Authentication Code. A New mode ofoperation for Cryptographic Hash Function. The preliminary draft version of this work is available at eprint-2005/390.
[59] Praveen Gauravaram and John Kelsey, Linear-XOR and Additive Checksums Don’t Protect Damg?rd-Merkle Hashes from Generic Attacks, CT-RSA 2008, LNCS 4964, pp.36-51, Springer-Verlag, 2008.
[60] Biham E. and Dunkelman O., A Framework for Iterative Hash Functions- HAIFA, http://www.csrc.nist.gov/pki/HashWorkshop/2006/Papers.
[61] Biham E and Chen R., Near collision for SHA-0, Advances in Crypto'04, LNCS 3152, pp.290-305, Springer-Verlag, 2004.
[62]李瑞林,孙兵,李超.模2n剩余类环上加法运算的差分性质[A].第五届中国信息和通信安全学术会议论文集[C],科学出版社,2007, pp.97-101.
[63] A. Klimov and A. Shamir, A New Class of Invertible Mappings[A]. In Cryptographic Hardware and Embedded Systems-CHES 2002, LNCS 2523, pp.470-483, Springer-Verlag, 2003.
[64] A. Klimov and A. Shamir. Cryptographic Applications of T-functions[A]. In Selected Areas in Cryptography-SAC 2003[C], LNCS 3006, pp.248-261, Springer-Verlag, 2004.
[65] Ilya O.Levin, On Single Cycle Functions, http://www.literatecode.com/get/scfn.pdf.
[66]肖皇培,张国基.基于Hash函数的报文鉴别方法.计算机工程, 2007年3月,第33卷,第6期, pp.101-103.
[2] Advanced Hash Standard Competition, http://csrc.nist.gov/pki/HashWorkshop/
[3] B. Preneel, R. Govaerts, and J. Vandewalle, Hash functions based on block ciphers, In Crypto'93, Springer-Verlag, LNCS 773, pp.368-378.
[4] J. Black, P. Rogaway, and T. Shrimpton, Black-box analysis of the block cipher based hash-function constructions from PGV, In Crypto’2002, LNCS 2442, pp.320–335.
[5] Phillip Rogaway and Thomas Shrimpton, Cryptographic Hash-Function Basics Definitions, Implications and Separations, Fast Software Encryptionin-FSE’04, LNCS 3017, pp.371–388.
[6] Shoichi Hirose, Je Hong Park and Aaram Yun, A Simple Variant of the Merkle- Damgard Scheme with a Permutation, In AsiaCrypto’2007.
[7] Mihir Bellare and Thomas Ristenpart, Multi-Property-Preserving Hash Domain Extension and the EMD Transform, In AsiaCrypt’2006, LNCS 4284, pp.299–314.
[8] Jean-Sebastien Coron, Yevgeniy, Dodis, Cecile Malinaud and Prashant Puniya, Merkle-Damg?rd Revisited: How to Construct a Hash Function, In V. Shoup (Ed.): Crypto’2005, LNCS 3621, pp.430-448.
[9] John P. Steinberger, The Collision Intractability of MDC-2 in the Ideal-Cipher Model, Eurocrypt’2007, LNCS 4515, pp.34–51.
[10] Stefan Lucks, A Failure-Friendly Design Principle for Hash Functions, In AsiaCrypt’2005, Springer, LNCS 3788, pp.474–494.
[11] S. Hirose, Some plausible constructions of double-block-length hash functions, Fast Software Encryptionin-FSE’06, LNCS 4047, pp.231-246.
[12] Rabin M.O., Digitalized Signatures. In R. A. Demillo, D. P. Dopkin, A. K. Jones and R. J. Lipton, editors, Foundations of Secure Computation, Academic Press, pp.155-166, New York, 1978.
[13] R.Anderson and E.Biham, Tiger: A Fast New Hash Function, Fast Software Encryptionin-FSE’96, LNCS 1039, Springer-Verlag, 1996, pp.89-97.
[14] Barreto P. S. L. M. and Rijmen V., The Whirlpool Hashing function. Primitivesubmitted to NESSIE, 2000. http://www.cryptonessie.org/.
[15] Knudsen L., Rechberger C. and Thomsen S., Grindahl– a family of hash functions, Fast Software Encryption-FSE’07, Springer LNCS 4593, pp.39-57.
[16] Rivest R.L., The MD4 message digest algorithm. In Crypto’90, LNCS 537, pp.303-311, Springer-Verlag,1991.
[17] Rivest R.L., The MD5 message digest algorithm. Internet Network Working Group RFC 1321, April 1992.
[18] Zhebg Y., Pieprzyk J. and Seberry J., HAVAL-a one way hashing algorithm with variable length of output. In Auscrypt’92, LNCS 718, pp.83-104, Springer-Verlag, 1993.
[19] Preneel B., The State of Cryptographic Hash Function. In Lecture on Data Security, LNCS 1561, pp.158-182, Springer-Verlag, 1999.
[20] Doobertin H., A. Bosselaers and B. Preneel, RIPMEND-160: A Strengthened Version of RIPMEND, Fast Software Encryption, LNCS 1039, pp.71-82, Springer-Verlag, 1996.
[21] FIPS 180. Secure Hash standard. NIST, US Department of Commerce, Springer 1993 .
[22] FIPS 180-1. Secure Hash standard. NIST, US Department of Commerce, Springer 1996.
[23] Boer B. and Bosselaers A., Collisions for the Compression Function of MD5. In Eurcrypt’93, LNCS 765, pp.293-299, Springer-Verlag, 1993.
[24] Doobertin H., Cryptanalysis of MD4. In D. Gollmann, editor, Proceedings of Fast Software Encryption 1996, LNCS 1039, pp.53-70, Springer-Verlag, 1996.
[25] Preneel B., Analysis and design of cryptographic hash functions. PhD thesis, Katholieke Universiteit Leuven, 1993
[26] Vaudenay S., On the Need for Multipermutations: Cryptanalysis of MD4 and SAFER. Fast Software Encryption, Second International Workshop proceeding, pp.286-308, Springer-Verlag, 1995
[27] Chabaud F. and Joux A., Differential Collisions in SHA-0. In Crypto’98, LNCS 1462, pp.56-71, Springer-Verlag, 1998.
[28] Joux A., Carribault P., Jalby W. and Lemuet C., Collisions in SHA-0. Presented at the rump session of Crypto’2004.
[29] X.Y.Wang, D.G.Feng, X.J.Lai, and H.B.Yu. Collisions for Hash Functions MD4, MD5, HAVAL-128 and RIPEMD. Rump session of Crypto’04 and IACR Eprint archive, 2004.
[30] X.Y.Wang and H.B.Yu. How to Break MD5 and Other Hash Functions. Advances in Cryptology–Eurocrypt’05, pp.19-35, Springer-Verlag, 2005.
[31] X.Y.Wang. Efficient Collision Search attacks on SHA-0. In Chinese. www. infosec.edu.cn, 1997.
[32] X.Y.Wang and H.B.Yu. Finding Collisions in the Full SHA-1. In: Victor Shoup. Advances in Crypto’2005, Springer LNCS 3621, pp.17-36, 2005.
[33] J. Bierbrauer, T. Johansson, G. Kabatianskii and B. Smeets, On families of hash functions via geometric codes and concatenation, Advances in Crypto’93, LNCS 773, pp.331-342 , Springer-Verlag, 1994.
[34] D. R. Stinson, Universal hashing and authentication codes, Advances in Crypto’91, LNCS 576, pp.74-85, Springer-Verlag, 1992.
[35] D. R. Stinson, R.Wei and L. Zhu, New constructions for perfect hash families and related structures using combinatorial designs and codes, J. Combinatorial Designs, Vol. 8, pp.189-200 (2000).
[36] J. Black, S. Halevi, H. Krawczyk, T. Krovetz and P. Rogaway, UMAC: Fast and Secure Message Authentication, Advances in Crypto '99: pp. 216-245, Springer-Verlag, 1999.
[37] M. Bellare, R. Canetti and H. Krawczyk, Keying Hash Functions for Message Authentication, Advances in Crypto '96, pp. 1-19, Springer-Verlag, 1996.
[38] Sang Uk Shin, Kyung Hyune Rhee, Dae Hyun Ryu and Sang Jin Lee, A New Hash Function Based on MDx-Family and Its Application to MAC, Public Key Cryptography, PKC'98, LNCS 1431, pp. 234-246, Springer-Verlag, 1998.
[39] Bart Preneell Paul C, MDx-MAC and Building Fast MACs from Hash Functions, Advances in Crypto '95, LNCS 963, pp. 1-14, Springer-Verlag, 1995.
[40] J. L. Carter and M. N. Wegman, Universal classes of hash functions, Journal of Computer and System Sciences, 18(1979), pp.143-154.
[41] Bellare, M., New Proofs for NMAC and HMAC: Security Without Collision Resistance. In Crypto’2006. LNCS 4117, pp. 602-619. Springer-Verlag, 2006.
[42] Scott Contini and Yiqun Lisa Yin, Forgery and Partial Key-Recovery Attacks on HMAC and NMAC Using Hash Collisions, In Asiacrypt’2006, LNCS 4284, pp. 37-53, Springer-Verlag, 2006.
[43] Pierre-Alain Fouque, Gaetan Leurent and Phong Q. Nguyen, Full Key-Recovery Attacks on HMAC-NMAC-MD4 and NMAC-MD5, Advances in Crypto '2007, LNCS 4622, pp. 13-30, Springer-Verlag, 2007.
[44] Computer Data Authentication. Federal Information Processing Standard Publication 113, 1985.
[45] M. Bellark, J. Kilian and P. Rogaway, The security of the cipher block chaining message authentication code, Journal of Computer and System Sciences, 61(2000), pp.362-399.
[46] M. Bellare, R. Guerin and P. Rogaway, XOR MACs: New Methods for Message Authentication Using Finite Pseudorandom Functions, Advances in Crypto '95, pp.15-35, Springer-Verlag, 1995.
[47] Virgil D. Gligor and Pompiliu Donescu, Fast Encryption and Authentication: XCBC Encryption and XECB Authentication Modes, In FSE 2001 Yokohama, pp. 92-141, Springer-Verlag, 2002.
[48] J. Black and P. Rogaway, A Block-Cipher Mode of Operation for Parallelizable Message Authentication, In Eruocrypt’2002, pp.384-401, Springer-Verlag, 2002.
[49] Kurosawa K and Iwata T. TMAC: Two-key CBC-MAC Proceedings of the CT-RSA 2003. San Francisco, CA, USA, pp.33-49, 2003.
[50] Ballare M. and Rogaway P., Introduction to Modern Cryptography.
[51] R. C. Merkle, One way hash functions and DES, In Crypto’89, Springer LNCS 435, pp. 428-446, 1990.
[52] Damgard I., A design principle for hash functions. Advances in Crypto’89, Springer LNCS 435, pp.416-427, 1990.
[53] Lai X. and Massey J.L., Hash functions based on block ciphers, In Advances in Europcrypt’92, LNCS 658, pp.15-23, Springer-Verlag, 1993.
[54] Joux A., Multicollisions in iterated Hash functions. Application to cascade constructions. In Crypto’2004, LNCS 3152, pp.306-316, Springer-Verlag, 2004.
[55] Dean R.D., Formal Aspects of Mobile Code Security. Ph. D. dissertation, Princeton University,1999.
[56] Kelsey J. and Schneier B., Second preimages on n-bit hash functions for much less than 2n work. In Europcrypt’2005, LNCS 3494, pp.474-490, Springer- Verlag, 2005.
[57] Kelsey J. and Kohno T., Herding Hash Functions and the Nostradamus Attack, In Europcrypt’2006, LNCS 4004, pp.183-200, Springer-Verlag, 2006.
[58] Gauravaram P., Millan W., Neito J.G.. and Dawson E., 3C-A Provably Secure Pseudorandom Function and Message Authentication Code. A New mode ofoperation for Cryptographic Hash Function. The preliminary draft version of this work is available at eprint-2005/390.
[59] Praveen Gauravaram and John Kelsey, Linear-XOR and Additive Checksums Don’t Protect Damg?rd-Merkle Hashes from Generic Attacks, CT-RSA 2008, LNCS 4964, pp.36-51, Springer-Verlag, 2008.
[60] Biham E. and Dunkelman O., A Framework for Iterative Hash Functions- HAIFA, http://www.csrc.nist.gov/pki/HashWorkshop/2006/Papers.
[61] Biham E and Chen R., Near collision for SHA-0, Advances in Crypto'04, LNCS 3152, pp.290-305, Springer-Verlag, 2004.
[62]李瑞林,孙兵,李超.模2n剩余类环上加法运算的差分性质[A].第五届中国信息和通信安全学术会议论文集[C],科学出版社,2007, pp.97-101.
[63] A. Klimov and A. Shamir, A New Class of Invertible Mappings[A]. In Cryptographic Hardware and Embedded Systems-CHES 2002, LNCS 2523, pp.470-483, Springer-Verlag, 2003.
[64] A. Klimov and A. Shamir. Cryptographic Applications of T-functions[A]. In Selected Areas in Cryptography-SAC 2003[C], LNCS 3006, pp.248-261, Springer-Verlag, 2004.
[65] Ilya O.Levin, On Single Cycle Functions, http://www.literatecode.com/get/scfn.pdf.
[66]肖皇培,张国基.基于Hash函数的报文鉴别方法.计算机工程, 2007年3月,第33卷,第6期, pp.101-103.