Decisional second-preimage resistance: when does SPR imply PRE?

Daniel J. Bernstein; Andreas T. Hülsing

Decisional second-preimage resistance: when does SPR imply PRE?

Daniel J. Bernstein, Andreas T. Hülsing

Coding Theory and Cryptology

Research output: Other contribution › Academic

1 Downloads (Pure)

Abstract

There is a well-known gap between second-preimage resistance and preimage resistance for length-preserving hash functions. This paper introduces a simple concept that fills this gap. One consequence of this concept is that tight reductions can remove interactivity for multi-target length-preserving preimage problems, such as the problems that appear in analyzing hash-based signature systems. Previous reduction techniques applied to only a negligible fraction of all length-preserving hash functions, presumably excluding all off-the-shelf hash functions.

Original language	English
Number of pages	36
Publication status	Published - 2019

Access to Document

https://eprint.iacr.org/2019/492

Cite this

@misc{d3a6d8ce46594a03a64e1544460c536a,

title = "Decisional second-preimage resistance: when does SPR imply PRE?",

abstract = "There is a well-known gap between second-preimage resistance and preimage resistance for length-preserving hash functions. This paper introduces a simple concept that fills this gap. One consequence of this concept is that tight reductions can remove interactivity for multi-target length-preserving preimage problems, such as the problems that appear in analyzing hash-based signature systems. Previous reduction techniques applied to only a negligible fraction of all length-preserving hash functions, presumably excluding all off-the-shelf hash functions.",

author = "Bernstein, {Daniel J.} and H{\"u}lsing, {Andreas T.}",

year = "2019",

language = "English",

type = "Other",

}

TY - GEN

T1 - Decisional second-preimage resistance

T2 - when does SPR imply PRE?

AU - Bernstein, Daniel J.

AU - Hülsing, Andreas T.

PY - 2019

Y1 - 2019

N2 - There is a well-known gap between second-preimage resistance and preimage resistance for length-preserving hash functions. This paper introduces a simple concept that fills this gap. One consequence of this concept is that tight reductions can remove interactivity for multi-target length-preserving preimage problems, such as the problems that appear in analyzing hash-based signature systems. Previous reduction techniques applied to only a negligible fraction of all length-preserving hash functions, presumably excluding all off-the-shelf hash functions.

AB - There is a well-known gap between second-preimage resistance and preimage resistance for length-preserving hash functions. This paper introduces a simple concept that fills this gap. One consequence of this concept is that tight reductions can remove interactivity for multi-target length-preserving preimage problems, such as the problems that appear in analyzing hash-based signature systems. Previous reduction techniques applied to only a negligible fraction of all length-preserving hash functions, presumably excluding all off-the-shelf hash functions.

M3 - Other contribution

ER -

Decisional second-preimage resistance: when does SPR imply PRE?

Abstract

Access to Document

Fingerprint

Cite this