3018:
1368:
Since the output length of VSH is the length of a secure RSA modulus, VSH seems quite suitable in practice for constructing "hash-then-sign" RSA signatures for arbitrarily long messages. However, such a signature must be designed carefully to ensure its security. The naĂŻve approach could be easily
1364:
The compression function is not collision-resistant. Nonetheless, the hash function VSH is collision-resistant based on the VSSR assumption. An altered version of VSH, called VSH*, uses a collision-resistant compression function and is about 5 times quicker when hashing short
455:
1614:
1325:
1154:
991:
170:
All cryptographic hash functions that are now widely used are not based on hard mathematical problems. Those few functions that are constructed on hard mathematical problems are called
1701:
is the only property proven for VSH. This does not imply preimage-resistance or other important hash function properties, and the authors state that "VSH should not be used to model
1865:
This probably rules out the applicability of VSH in digital signature schemes which produce signatures shorter than the VSH hash result, such as elliptic-curve signature schemes.
1397:
Several improvements, speedups, and more efficient variants of VSH have been proposed. None of them changes the underlying concept of the function. These improvements are called:
738:
699:
646:
812:
785:
1821:
VSH produces a very long hash (typically 1024 bits). There are no indications that a truncated VSH hash offers security that is commensurate with the hash length.
852:
832:
758:
666:
2998:
2828:
498:
probability. This is considered a useless assumption in practice because it does not tell for what size of moduli VSSR is computationally hard. Instead the
369:
1376:
The cost of each iteration is less than the cost of 3 modular multiplications. The basic version of VSH altogether requires one multiplication per
41:
33:
1523:
178:
is then known to be as hard as solving the hard mathematical problem. For the basic version of Very Smooth Hash, this hard problem is to find
2681:
1218:
2601:
1989:
1879:
171:
93:
2018:
1087:
1685:
probability. There is a strong connection between the hardness of VSDL and the hardness of computing discrete logarithms modulo
112:
message-bits and uses RSA-type arithmetic. Therefore, VSH can be useful in embedded environments where code space is limited.
3046:
2617:
1948:
1798:. As a result, VSH succumbs to a classical time-memory trade-off attack that applies to multiplicative and additive hashes.
940:
2378:
2545:
2674:
96:
means that finding collisions is as difficult as some known hard mathematical problem. Unlike other provably secure
1982:
1370:
2877:
2586:
2071:
2023:
154:, but can be used to build a provably secure randomized trapdoor hash function. This function can replace the
2373:
159:
1689:, which is reminiscent of, but somewhat weaker than, the connection between VSSR and integer factorization.
2667:
2591:
1874:
2993:
2948:
2761:
2360:
2002:
1998:
1710:
704:
89:
69:
2872:
1975:
2988:
2256:
2061:
2978:
2968:
2823:
2596:
2432:
2131:
2126:
1361:, which also implies second preimage resistance. VSH has not been proven to be preimage-resistant.
298:
2973:
2963:
2766:
2726:
2719:
2709:
2704:
2519:
2339:
2714:
2627:
2013:
671:
618:
3021:
2867:
2813:
2642:
2292:
2246:
2136:
2094:
2079:
503:
183:
2983:
2907:
2312:
2216:
2166:
2141:
1714:
1698:
790:
763:
175:
116:
97:
8:
2746:
2637:
2514:
2463:
2402:
2302:
2221:
2181:
2161:
1713:). VSH should not be considered a general-purpose hash function as usually understood in
1682:
1358:
495:
179:
120:
2852:
2836:
2783:
2571:
2555:
2504:
2089:
1437:
1426:; its security depends on the difficulty of finding discrete logarithms modulo a prime
837:
817:
743:
651:
140:
162:, maintaining its provable security while speeding up verification time by about 50%.
2912:
2902:
2773:
2448:
1944:
1423:
267:
155:
136:
2847:
2535:
2489:
1936:
1925:
1858:
359:
2550:
2499:
2494:
2282:
1997:
1706:
1670:
865:. All of its prime factors are smaller than 7.37, and the modular square root is
483:
2922:
2842:
2803:
2751:
2736:
2540:
2268:
1436:(VSDL) is a problem where, given a very smooth number, the task is to find its
450:{\displaystyle \textstyle x^{2}\equiv \prod _{i=0}^{k}p_{i}^{e_{i}}{\pmod {n}}}
101:
1357:
Finding a collision in VSH is as hard as solving VSSR. Thus VSH is (strongly)
3040:
3003:
2958:
2917:
2897:
2793:
2756:
2731:
2632:
2509:
1702:
151:
124:
37:
2211:
2953:
2798:
2788:
2778:
2741:
2690:
81:
182:(VSSR) of certain special numbers (VSN). This is assumed to be as hard as
2932:
2622:
2468:
2397:
2393:
668:. All prime factors are smaller than 7.37 and the Modular Square Root is
315:
be the product of two unknown primes of approximately the same size, let
302:
1609:{\displaystyle 2^{e_{1}}\equiv \prod _{i=2}^{k}p_{i}^{e_{i}}{\pmod {p}}}
2892:
2862:
2857:
2818:
1940:
1705:," and cannot be substituted into constructions that depend upon them (
1320:{\displaystyle x_{j+1}=x_{j}^{2}\prod _{i=1}^{k}p_{i}^{m_{jk+i}}\mod n}
297:, then the root can be easily computed using algorithms from fields of
1935:, Lecture Notes in Computer Science, vol. 4329, pp. 95–103,
880:. This is thus a non-trivial square root. The VSSR problem is to find
2882:
2297:
2176:
92:
invented in 2005 by Scott
Contini, Arjen Lenstra, and Ron Steinfeld.
2084:
1801:
This fact can be used to construct a preimage attack against VSH of
2927:
2887:
2576:
2473:
2458:
2453:
2443:
2407:
2327:
2241:
2121:
1909:
834:. And we suppose that this is computationally as hard as factoring
2412:
2368:
2146:
1911:
VSH, an
Efficient and Provable Collision-Resistant Hash Function.
553:
is a Very Smooth Number with respect to these parameters because
760:). This is thus a non-trivial root. The VSSR problem is to find
305:. Therefore, they are not suitable in cryptographic primitives.
277:
We are interested only in non-trivial square roots, those where
2808:
2581:
2322:
2317:
2287:
2277:
2236:
2231:
2226:
2206:
2201:
2171:
2156:
2116:
502:
is used. It says that solving VSSR is assumed to be as hard as
1422:
The VSH-DL is a discrete logarithm variant of VSH that has no
892:. This is believed to be computationally as hard as factoring
2307:
2196:
2151:
2099:
2056:
2051:
2045:
1824:
There exists a partial collision attack on VSH truncated to
1149:{\displaystyle \textstyle \ell =\sum _{i=1}^{k}l_{i}2^{i-1}}
139:), and its security proof relies on the hardness of finding
115:
Two major variants of VSH were proposed. For one, finding a
2422:
2417:
2388:
2383:
2347:
1345:
The function in step 5 is called the compression function.
2191:
2186:
2039:
1354:
The message length does not need to be known in advance.
1907:
2829:
Cryptographically secure pseudorandom number generator
1908:
Contini, S.; Lenstra, A.; Steinfeld, R. (2005-06-23),
1091:
944:
373:
1526:
1221:
1090:
986:{\displaystyle \textstyle \prod _{i=1}^{k}p_{i}<n}
943:
937:, the block length, be the largest integer such that
840:
820:
793:
766:
746:
707:
674:
654:
621:
372:
1959:
1816:
1741:consists only of zero bits and the strings satisfy
1166:be the binary representation of the message length
1608:
1319:
1148:
985:
846:
826:
806:
779:
752:
732:
693:
660:
640:
612:and so the modulus is not involved when squaring.
449:
605:. This is a trivial modular square root, because
309:Very Smooth Number Nontrivial Modular Square Root
119:is provably as difficult as finding a nontrivial
100:hashes, VSH is efficient and usable in practice.
3038:
1048:, the smallest integer greater than or equal to
899:
861:is also a Very Smooth Quadratic Residue modulo
104:, it only requires a single multiplication per
1831:The complexity of this attack against VSH is:
2675:
1983:
1001:-bit message to be hashed consisting of bits
648:is also Very Smooth Quadratic Residue modulo
1880:Provably secure cryptographic hash function
1857:as expected from a hash function with good
1737:be three bitstrings of equal length, where
521:
2682:
2668:
1990:
1976:
1720:
1417:
587:because it is a Very Smooth Number (under
583:is a Very Smooth Quadratic Residue modulo
150:VSH is not suitable as a substitute for a
1404:VSH with increased number of small primes
1313:
1312:
147:. Both versions have similar efficiency.
1923:
1681:) time algorithm which solves VSDL with
494:) time algorithm which solves VSSR with
1933:Progress in Cryptology - INDOCRYPT 2006
1498:. VSDL is the following problem: given
1407:VSH with precomputed products of primes
3039:
1903:
1901:
1899:
1897:
1895:
2663:
1971:
1917:
1434:Very Smooth Number Discrete Logarithm
576:is not a VSN under these parameters.
566:'s prime factors. On the other hand,
514:is somewhat smaller than the size of
311:(VSSR) is the following problem: Let
205:(VSN) if the largest prime factor of
131:. The other one uses a prime modulus
1413:Fast VSH with increased block length
1348:
226:Very Smooth Quadratic Residue modulo
1926:"Security of VSH in the real world"
1892:
1598:
733:{\displaystyle 20^{2}=400\equiv 15}
438:
431:
143:of very smooth numbers modulo
13:
1692:
1392:
14:
3058:
1835:Pre-computing the table offline:
908:be a large RSA composite and let
351:be the sequence of primes. Given
3017:
3016:
2689:
1817:Attack against truncated version
1401:Cubing VSH (instead of squaring)
1591:
1308:
933:be the sequence of primes. Let
526:Let the parameters be fixed as
165:
2878:Information-theoretic security
2587:NIST hash function competition
1602:
1592:
442:
432:
1:
1885:
900:VSH algorithm, basic versions
500:computational VSSR assumption
160:Cramer–Shoup signature scheme
3047:Cryptographic hash functions
2592:Password Hashing Competition
2003:message authentication codes
1999:Cryptographic hash functions
1875:Cryptographic hash functions
243:and there exists an integer
235:'s factorization is at most
7:
2994:Message authentication code
2949:Cryptographic hash function
2762:Cryptographic hash function
2546:Merkle–Damgård construction
1924:Saarinen, M.-J. O. (2006),
1868:
1725:VSH is multiplicative: Let
931:,…) = (2,3,5,…)
349:,…) = (2,3,5,…)
90:cryptographic hash function
16:Cryptographic hash function
10:
3063:
2873:Harvest now, decrypt later
1462:th prime. Let furthermore
1055:, be the number of blocks.
3012:
2989:Post-quantum cryptography
2941:
2697:
2659:
2610:
2564:
2528:
2482:
2431:
2359:
2336:
2265:
2109:
2070:
2032:
2009:
1967:
1963:
1023:. To compute the hash of
874:20 = 400 ≡ 15 (mod
68:
63:
55:
47:
29:
24:
2979:Quantum key distribution
2969:Authenticated encryption
2824:Random number generation
2340:key derivation functions
1828:least significant bits.
1671:probabilistic polynomial
1466:be a fixed constant and
1447:As in previous section,
694:{\displaystyle x_{2}=20}
641:{\displaystyle b_{2}=15}
522:Examples of VSN and VSSR
484:probabilistic polynomial
231:if the largest prime in
2974:Public-key cryptography
2964:Symmetric-key algorithm
2767:Key derivation function
2727:Cryptographic primitive
2720:Authentication protocol
2710:Outline of cryptography
2705:History of cryptography
2618:Hash-based cryptography
2520:Length extension attack
1809:complexity rather than
1721:Multiplicative property
1418:VSDL and VSH-DL variant
1371:chosen-plaintext attack
1215:in succession, compute
557:is greater than all of
2715:Cryptographic protocol
2628:Message authentication
1610:
1567:
1321:
1276:
1150:
1118:
987:
965:
848:
828:
808:
781:
754:
734:
695:
662:
642:
451:
407:
86:Very Smooth Hash (VSH)
20:Very Smooth Hash (VSH)
2868:End-to-end encryption
2814:Cryptojacking malware
1611:
1547:
1322:
1256:
1151:
1098:
988:
945:
849:
829:
809:
807:{\displaystyle b_{2}}
782:
780:{\displaystyle x_{2}}
755:
735:
696:
663:
643:
452:
387:
266:is then said to be a
88:is a provably secure
2984:Quantum cryptography
2908:Trusted timestamping
1849:Total cost: roughly
1842:Finding collisions:
1715:security engineering
1699:collision resistance
1669:is that there is no
1644:and at least one of
1524:
1219:
1088:
941:
838:
818:
791:
764:
744:
705:
672:
652:
619:
555:log(31) ≈ 7.37
510:-bit modulus, where
482:is that there is no
457:and at least one of
370:
189:For fixed constants
180:modular square roots
2747:Cryptographic nonce
2515:Side-channel attack
1589:
1440:modulo some number
1359:collision-resistant
1307:
1255:
429:
268:modular square root
141:discrete logarithms
121:modular square root
98:collision-resistant
21:
2853:Subliminal channel
2837:Pseudorandom noise
2784:Key (cryptography)
2572:CAESAR Competition
2556:HAIFA construction
2505:Brute-force attack
1941:10.1007/11941378_8
1606:
1568:
1438:discrete logarithm
1317:
1277:
1241:
1146:
1145:
983:
982:
844:
824:
804:
777:
750:
730:
691:
658:
638:
574:= 55 = 5 · 11
447:
446:
408:
355:, find an integer
203:Very Smooth Number
184:factoring integers
176:Finding collisions
19:
3034:
3033:
3030:
3029:
2913:Key-based routing
2903:Trapdoor function
2774:Digital signature
2655:
2654:
2651:
2650:
2449:ChaCha20-Poly1305
2266:Password hashing/
1950:978-3-540-49767-7
1349:Properties of VSH
1210:= 0, 1, …,
847:{\displaystyle n}
827:{\displaystyle n}
753:{\displaystyle n}
661:{\displaystyle n}
599:3 ≡ 9 (mod
551:= 35 = 5 · 7
506:a hard-to-factor
301: 0, such as
156:trapdoor function
78:
77:
3054:
3020:
3019:
2848:Insecure channel
2684:
2677:
2670:
2661:
2660:
2536:Avalanche effect
2490:Collision attack
2033:Common functions
1992:
1985:
1978:
1969:
1968:
1965:
1964:
1961:
1960:
1954:
1953:
1930:
1921:
1915:
1914:
1905:
1859:pseudorandomness
1856:
1852:
1845:
1838:
1827:
1812:
1808:
1804:
1797:
1754:
1740:
1736:
1732:
1728:
1688:
1680:
1661:
1643:
1633:
1628:
1615:
1613:
1612:
1607:
1605:
1588:
1587:
1586:
1576:
1566:
1561:
1543:
1542:
1541:
1540:
1519:
1502:, find integers
1501:
1497:
1486:
1475:
1465:
1461:
1457:
1443:
1429:
1387:
1340:
1326:
1324:
1323:
1318:
1306:
1305:
1304:
1285:
1275:
1270:
1254:
1249:
1237:
1236:
1214:
1201:
1190:
1169:
1165:
1155:
1153:
1152:
1147:
1144:
1143:
1128:
1127:
1117:
1112:
1080:
1069:
1054:
1047:
1040:
1026:
1022:
1019:and assume that
1018:
1000:
996:
992:
990:
989:
984:
975:
974:
964:
959:
936:
932:
907:
895:
891:
887:
883:
879:
871:
864:
860:
853:
851:
850:
845:
833:
831:
830:
825:
813:
811:
810:
805:
803:
802:
786:
784:
783:
778:
776:
775:
759:
757:
756:
751:
739:
737:
736:
731:
717:
716:
700:
698:
697:
692:
684:
683:
667:
665:
664:
659:
647:
645:
644:
639:
631:
630:
611:
604:
596:
586:
582:
575:
565:
556:
552:
539:
532:
517:
513:
509:
493:
474:
456:
454:
453:
448:
445:
428:
427:
426:
416:
406:
401:
383:
382:
365:
358:
354:
350:
325:
314:
296:
286:
273:
265:
261:
246:
242:
234:
230:
223:
216:
209:is at most
208:
200:
196:
192:
146:
134:
130:
111:
74:1024 bits and up
38:Arjen K. Lenstra
22:
18:
3062:
3061:
3057:
3056:
3055:
3053:
3052:
3051:
3037:
3036:
3035:
3026:
3008:
2937:
2693:
2688:
2647:
2606:
2565:Standardization
2560:
2551:Sponge function
2524:
2500:Birthday attack
2495:Preimage attack
2478:
2434:
2427:
2355:
2338:
2337:General purpose
2332:
2267:
2261:
2110:Other functions
2105:
2072:SHA-3 finalists
2066:
2028:
2005:
1996:
1958:
1957:
1951:
1928:
1922:
1918:
1906:
1893:
1888:
1871:
1854:
1850:
1843:
1839:time and space.
1836:
1825:
1819:
1810:
1806:
1805:bits which has
1802:
1756:
1742:
1738:
1734:
1730:
1726:
1723:
1695:
1693:Security of VSH
1686:
1674:
1667:VSDL assumption
1660:
1651:
1645:
1635:
1627:
1619:
1617:
1590:
1582:
1578:
1577:
1572:
1562:
1551:
1536:
1532:
1531:
1527:
1525:
1522:
1521:
1518:
1509:
1503:
1499:
1488:
1477:
1476:be primes with
1467:
1463:
1459:
1456:
1448:
1441:
1427:
1420:
1395:
1393:Variants of VSH
1377:
1369:broken under a
1351:
1339:
1330:
1291:
1287:
1286:
1281:
1271:
1260:
1250:
1245:
1226:
1222:
1220:
1217:
1216:
1206:
1192:
1189:
1183:
1171:
1167:
1163:
1157:
1133:
1129:
1123:
1119:
1113:
1102:
1089:
1086:
1085:
1071:
1067:
1059:
1049:
1045:
1038:
1032:
1024:
1020:
1016:
1009:
1002:
998:
994:
970:
966:
960:
949:
942:
939:
938:
934:
930:
923:
916:
909:
905:
902:
893:
889:
885:
881:
873:
866:
862:
858:
839:
836:
835:
819:
816:
815:
798:
794:
792:
789:
788:
771:
767:
765:
762:
761:
745:
742:
741:
712:
708:
706:
703:
702:
679:
675:
673:
670:
669:
653:
650:
649:
626:
622:
620:
617:
616:
606:
598:
588:
584:
580:
573:
567:
564:
558:
554:
550:
544:
534:
527:
524:
515:
511:
507:
487:
480:VSSR assumption
473:
464:
458:
430:
422:
418:
417:
412:
402:
391:
378:
374:
371:
368:
367:
363:
356:
352:
348:
341:
334:
327:
316:
312:
288:
278:
271:
263:
248:
244:
236:
232:
228:
221:
210:
206:
198:
194:
190:
172:provably secure
168:
144:
132:
128:
105:
94:Provably secure
48:First published
17:
12:
11:
5:
3060:
3050:
3049:
3032:
3031:
3028:
3027:
3025:
3024:
3013:
3010:
3009:
3007:
3006:
3001:
2999:Random numbers
2996:
2991:
2986:
2981:
2976:
2971:
2966:
2961:
2956:
2951:
2945:
2943:
2939:
2938:
2936:
2935:
2930:
2925:
2923:Garlic routing
2920:
2915:
2910:
2905:
2900:
2895:
2890:
2885:
2880:
2875:
2870:
2865:
2860:
2855:
2850:
2845:
2843:Secure channel
2840:
2834:
2833:
2832:
2821:
2816:
2811:
2806:
2804:Key stretching
2801:
2796:
2791:
2786:
2781:
2776:
2771:
2770:
2769:
2764:
2754:
2752:Cryptovirology
2749:
2744:
2739:
2737:Cryptocurrency
2734:
2729:
2724:
2723:
2722:
2712:
2707:
2701:
2699:
2695:
2694:
2687:
2686:
2679:
2672:
2664:
2657:
2656:
2653:
2652:
2649:
2648:
2646:
2645:
2640:
2635:
2630:
2625:
2620:
2614:
2612:
2608:
2607:
2605:
2604:
2599:
2594:
2589:
2584:
2579:
2574:
2568:
2566:
2562:
2561:
2559:
2558:
2553:
2548:
2543:
2541:Hash collision
2538:
2532:
2530:
2526:
2525:
2523:
2522:
2517:
2512:
2507:
2502:
2497:
2492:
2486:
2484:
2480:
2479:
2477:
2476:
2471:
2466:
2461:
2456:
2451:
2446:
2440:
2438:
2429:
2428:
2426:
2425:
2420:
2415:
2410:
2405:
2400:
2391:
2386:
2381:
2376:
2371:
2365:
2363:
2357:
2356:
2354:
2353:
2350:
2344:
2342:
2334:
2333:
2331:
2330:
2325:
2320:
2315:
2310:
2305:
2300:
2295:
2290:
2285:
2280:
2274:
2272:
2269:key stretching
2263:
2262:
2260:
2259:
2254:
2249:
2244:
2239:
2234:
2229:
2224:
2219:
2214:
2209:
2204:
2199:
2194:
2189:
2184:
2179:
2174:
2169:
2164:
2159:
2154:
2149:
2144:
2139:
2134:
2129:
2124:
2119:
2113:
2111:
2107:
2106:
2104:
2103:
2097:
2092:
2087:
2082:
2076:
2074:
2068:
2067:
2065:
2064:
2059:
2054:
2049:
2043:
2036:
2034:
2030:
2029:
2027:
2026:
2021:
2016:
2010:
2007:
2006:
1995:
1994:
1987:
1980:
1972:
1956:
1955:
1949:
1916:
1890:
1889:
1887:
1884:
1883:
1882:
1877:
1870:
1867:
1863:
1862:
1853:, rather than
1847:
1840:
1818:
1815:
1722:
1719:
1707:RSA signatures
1703:random oracles
1694:
1691:
1683:non-negligible
1656:
1649:
1639:= 1, …,
1623:
1604:
1601:
1597:
1594:
1585:
1581:
1575:
1571:
1565:
1560:
1557:
1554:
1550:
1546:
1539:
1535:
1530:
1514:
1507:
1452:
1419:
1416:
1415:
1414:
1411:
1408:
1405:
1402:
1394:
1391:
1390:
1389:
1374:
1366:
1362:
1355:
1350:
1347:
1343:
1342:
1334:
1327:
1316:
1311:
1303:
1300:
1297:
1294:
1290:
1284:
1280:
1274:
1269:
1266:
1263:
1259:
1253:
1248:
1244:
1240:
1235:
1232:
1229:
1225:
1203:
1185:
1175:
1159:
1142:
1139:
1136:
1132:
1126:
1122:
1116:
1111:
1108:
1105:
1101:
1097:
1094:
1082:
1063:
1056:
1042:
1036:
1021:ℓ < 2
1014:
1007:
981:
978:
973:
969:
963:
958:
955:
952:
948:
928:
921:
914:
901:
898:
843:
823:
801:
797:
774:
770:
749:
729:
726:
723:
720:
715:
711:
690:
687:
682:
678:
657:
637:
634:
629:
625:
571:
562:
548:
523:
520:
496:non-negligible
469:
462:
444:
441:
437:
434:
425:
421:
415:
411:
405:
400:
397:
394:
390:
386:
381:
377:
346:
339:
332:
303:the real field
299:characteristic
262:. The integer
167:
164:
102:Asymptotically
76:
75:
72:
66:
65:
61:
60:
57:
53:
52:
49:
45:
44:
31:
27:
26:
15:
9:
6:
4:
3:
2:
3059:
3048:
3045:
3044:
3042:
3023:
3015:
3014:
3011:
3005:
3004:Steganography
3002:
3000:
2997:
2995:
2992:
2990:
2987:
2985:
2982:
2980:
2977:
2975:
2972:
2970:
2967:
2965:
2962:
2960:
2959:Stream cipher
2957:
2955:
2952:
2950:
2947:
2946:
2944:
2940:
2934:
2931:
2929:
2926:
2924:
2921:
2919:
2918:Onion routing
2916:
2914:
2911:
2909:
2906:
2904:
2901:
2899:
2898:Shared secret
2896:
2894:
2891:
2889:
2886:
2884:
2881:
2879:
2876:
2874:
2871:
2869:
2866:
2864:
2861:
2859:
2856:
2854:
2851:
2849:
2846:
2844:
2841:
2838:
2835:
2830:
2827:
2826:
2825:
2822:
2820:
2817:
2815:
2812:
2810:
2807:
2805:
2802:
2800:
2797:
2795:
2794:Key generator
2792:
2790:
2787:
2785:
2782:
2780:
2777:
2775:
2772:
2768:
2765:
2763:
2760:
2759:
2758:
2757:Hash function
2755:
2753:
2750:
2748:
2745:
2743:
2740:
2738:
2735:
2733:
2732:Cryptanalysis
2730:
2728:
2725:
2721:
2718:
2717:
2716:
2713:
2711:
2708:
2706:
2703:
2702:
2700:
2696:
2692:
2685:
2680:
2678:
2673:
2671:
2666:
2665:
2662:
2658:
2644:
2641:
2639:
2636:
2634:
2633:Proof of work
2631:
2629:
2626:
2624:
2621:
2619:
2616:
2615:
2613:
2609:
2603:
2600:
2598:
2595:
2593:
2590:
2588:
2585:
2583:
2580:
2578:
2575:
2573:
2570:
2569:
2567:
2563:
2557:
2554:
2552:
2549:
2547:
2544:
2542:
2539:
2537:
2534:
2533:
2531:
2527:
2521:
2518:
2516:
2513:
2511:
2510:Rainbow table
2508:
2506:
2503:
2501:
2498:
2496:
2493:
2491:
2488:
2487:
2485:
2481:
2475:
2472:
2470:
2467:
2465:
2462:
2460:
2457:
2455:
2452:
2450:
2447:
2445:
2442:
2441:
2439:
2436:
2433:Authenticated
2430:
2424:
2421:
2419:
2416:
2414:
2411:
2409:
2406:
2404:
2401:
2399:
2395:
2392:
2390:
2387:
2385:
2382:
2380:
2377:
2375:
2372:
2370:
2367:
2366:
2364:
2362:
2361:MAC functions
2358:
2351:
2349:
2346:
2345:
2343:
2341:
2335:
2329:
2326:
2324:
2321:
2319:
2316:
2314:
2311:
2309:
2306:
2304:
2301:
2299:
2296:
2294:
2291:
2289:
2286:
2284:
2281:
2279:
2276:
2275:
2273:
2270:
2264:
2258:
2255:
2253:
2250:
2248:
2245:
2243:
2240:
2238:
2235:
2233:
2230:
2228:
2225:
2223:
2220:
2218:
2215:
2213:
2210:
2208:
2205:
2203:
2200:
2198:
2195:
2193:
2190:
2188:
2185:
2183:
2180:
2178:
2175:
2173:
2170:
2168:
2165:
2163:
2160:
2158:
2155:
2153:
2150:
2148:
2145:
2143:
2140:
2138:
2135:
2133:
2130:
2128:
2125:
2123:
2120:
2118:
2115:
2114:
2112:
2108:
2101:
2098:
2096:
2093:
2091:
2088:
2086:
2083:
2081:
2078:
2077:
2075:
2073:
2069:
2063:
2060:
2058:
2055:
2053:
2050:
2048:(compromised)
2047:
2044:
2042:(compromised)
2041:
2038:
2037:
2035:
2031:
2025:
2024:Known attacks
2022:
2020:
2017:
2015:
2012:
2011:
2008:
2004:
2000:
1993:
1988:
1986:
1981:
1979:
1974:
1973:
1970:
1966:
1962:
1952:
1946:
1942:
1938:
1934:
1927:
1920:
1913:
1912:
1904:
1902:
1900:
1898:
1896:
1891:
1881:
1878:
1876:
1873:
1872:
1866:
1860:
1848:
1841:
1834:
1833:
1832:
1829:
1822:
1814:
1813:as expected.
1799:
1795:
1791:
1787:
1783:
1779:
1775:
1771:
1767:
1763:
1759:
1753:
1749:
1745:
1718:
1716:
1712:
1708:
1704:
1700:
1690:
1684:
1678:
1672:
1668:
1663:
1662:is non-zero.
1659:
1655:
1648:
1642:
1638:
1632:
1626:
1622:
1599:
1595:
1583:
1579:
1573:
1569:
1563:
1558:
1555:
1552:
1548:
1544:
1537:
1533:
1528:
1517:
1513:
1506:
1495:
1492:≤ (log
1491:
1484:
1480:
1474:
1470:
1455:
1451:
1445:
1439:
1435:
1431:
1425:
1412:
1409:
1406:
1403:
1400:
1399:
1398:
1388:message bits.
1385:
1381:
1375:
1372:
1367:
1363:
1360:
1356:
1353:
1352:
1346:
1337:
1333:
1328:
1314:
1309:
1301:
1298:
1295:
1292:
1288:
1282:
1278:
1272:
1267:
1264:
1261:
1257:
1251:
1246:
1242:
1238:
1233:
1230:
1227:
1223:
1213:
1209:
1204:
1200:
1196:
1188:
1182:
1178:
1174:
1164:∈ {0,1}
1162:
1140:
1137:
1134:
1130:
1124:
1120:
1114:
1109:
1106:
1103:
1099:
1095:
1092:
1083:
1079:
1075:
1072:ℓ <
1066:
1062:
1057:
1053:
1043:
1035:
1030:
1029:
1028:
1013:
1006:
979:
976:
971:
967:
961:
956:
953:
950:
946:
927:
920:
913:
897:
877:
869:
855:
841:
821:
799:
795:
772:
768:
747:
727:
724:
721:
718:
713:
709:
688:
685:
680:
676:
655:
635:
632:
627:
623:
613:
610:
602:
595:
591:
577:
570:
561:
547:
541:
537:
530:
519:
505:
501:
497:
491:
485:
481:
476:
472:
468:
461:
439:
435:
423:
419:
413:
409:
403:
398:
395:
392:
388:
384:
379:
375:
361:
345:
338:
331:
323:
320:≤ (log(
319:
310:
306:
304:
300:
295:
291:
285:
281:
275:
269:
259:
255:
251:
240:
227:
218:
214:
204:
197:, an integer
187:
185:
181:
177:
173:
163:
161:
157:
153:
152:random oracle
148:
142:
138:
126:
125:smooth number
122:
118:
113:
109:
103:
99:
95:
91:
87:
83:
73:
71:
67:
62:
58:
54:
50:
46:
43:
42:Ron Steinfeld
39:
35:
34:Scott Contini
32:
28:
23:
2954:Block cipher
2799:Key schedule
2789:Key exchange
2779:Kleptography
2742:Cryptosystem
2691:Cryptography
2251:
1932:
1919:
1910:
1864:
1830:
1823:
1820:
1800:
1793:
1789:
1785:
1781:
1777:
1773:
1769:
1765:
1761:
1757:
1751:
1747:
1743:
1724:
1696:
1676:
1666:
1664:
1657:
1653:
1646:
1640:
1636:
1630:
1629:| <
1624:
1620:
1515:
1511:
1504:
1493:
1489:
1482:
1478:
1472:
1468:
1458:denotes the
1453:
1449:
1446:
1433:
1432:
1421:
1396:
1383:
1382:) / log(log(
1379:
1344:
1335:
1331:
1211:
1207:
1198:
1194:
1186:
1180:
1176:
1172:
1160:
1077:
1073:
1064:
1060:
1051:
1033:
1011:
1004:
925:
918:
911:
903:
875:
867:
857:The integer
856:
615:The integer
614:
608:
600:
593:
589:
579:The integer
578:
568:
559:
545:
542:
535:
528:
525:
499:
489:
479:
477:
470:
466:
459:
343:
336:
329:
321:
317:
308:
307:
293:
289:
283:
279:
276:
257:
253:
249:
238:
225:
219:
212:
202:
188:
169:
166:VSN and VSSR
158:used in the
149:
127:modulo
114:
107:
85:
82:cryptography
79:
70:Digest sizes
2942:Mathematics
2933:Mix network
2623:Merkle tree
2611:Utilization
2597:NSA Suite B
1861:properties.
1846:iterations.
1378:Ω(log(
1170:and define
220:An integer
2893:Ciphertext
2863:Decryption
2858:Encryption
2819:Ransomware
2435:encryption
2212:RadioGatĂşn
2019:Comparison
1886:References
1776:) ≡
1520:such that
1193:1 ≤
1081:(padding).
366:such that
326:, and let
247:such that
123:of a very
56:Successors
2883:Plaintext
2352:KDF1/KDF2
2271:functions
2257:Whirlpool
1652:,…,
1549:∏
1545:≡
1510:,…,
1365:messages.
1258:∏
1184:= ℓ
1138:−
1100:∑
1093:ℓ
1010:,…,
947:∏
725:≡
504:factoring
465:,…,
389:∏
385:≡
135:(with no
117:collision
30:Designers
3041:Category
3022:Category
2928:Kademlia
2888:Codetext
2831:(CSPRNG)
2577:CRYPTREC
2408:Poly1305
2328:yescrypt
2242:Streebog
2122:CubeHash
2102:(winner)
1869:See also
1487:and let
1424:trapdoor
1410:Fast VSH
1197:≤
1050:ℓ/
872:, since
475:is odd.
282:≥
270:of
252:≡
137:trapdoor
2698:General
2483:Attacks
2413:SipHash
2369:CBC-MAC
2303:LM hash
2283:Balloon
2147:HAS-160
1826:ℓ
1803:ℓ
1792:) (mod
1755:. Then
1709:, some
1697:Strong
1329:Return
1168:ℓ
1158:ℓ
1015:ℓ
999:ℓ
607:9 <
597:), and
360:coprime
25:General
2809:Keygen
2643:Pepper
2582:NESSIE
2529:Design
2323:scrypt
2318:PBKDF2
2293:Catena
2288:bcrypt
2278:Argon2
2237:Snefru
2232:Shabal
2227:SWIFFT
2207:RIPEMD
2202:N-hash
2177:MASH-2
2172:MASH-1
2157:Kupyna
2117:BLAKE3
2100:Keccak
2085:Grøstl
2062:BLAKE2
1947:
1733:, and
1618:|
997:be an
993:. Let
884:given
859:b = 15
787:given
701:since
64:Detail
2839:(PRN)
2437:modes
2313:Makwa
2308:Lyra2
2298:crypt
2247:Tiger
2197:MDC-2
2152:HAVAL
2137:Fugue
2095:Skein
2080:BLAKE
2057:SHA-3
2052:SHA-2
2046:SHA-1
1929:(PDF)
1616:with
1156:with
1076:<
740:(mod
543:Then
292:<
287:. If
256:(mod
224:is a
201:is a
2638:Salt
2602:CNSA
2469:IAPM
2423:VMAC
2418:UMAC
2403:PMAC
2398:CMAC
2394:OMAC
2389:NMAC
2384:HMAC
2379:GMAC
2348:HKDF
2217:SIMD
2167:Lane
2142:GOST
2127:ECOH
2014:List
2001:and
1945:ISBN
1746:AND
1711:MACs
1675:log(
1673:(in
1665:The
1634:for
1205:For
1191:for
1084:Let
1070:for
1058:Let
1044:Let
1031:Set
977:<
904:Let
888:and
870:= 20
814:and
538:= 31
533:and
488:log(
486:(in
478:The
237:log(
211:log(
193:and
106:log(
59:VSH*
51:2005
2474:OCB
2464:GCM
2459:EAX
2454:CWC
2444:CCM
2374:DAA
2252:VSH
2222:SM3
2192:MD6
2187:MD4
2182:MD2
2162:LSH
2132:FSB
2040:MD5
1937:doi
1772:OR
1596:mod
1485:+ 1
1481:= 2
1386:)))
1310:mod
1068:= 0
1039:= 1
722:400
531:= 5
436:mod
362:to
80:In
3043::
2090:JH
1943:,
1931:,
1894:^
1750:=
1729:,
1717:.
1444:.
1430:.
1338:+1
1177:Lk
1078:Lk
1027::
896:.
854:.
728:15
710:20
689:20
636:15
540:.
518:.
324:))
274:.
217:.
186:.
174:.
84:,
40:,
36:,
2683:e
2676:t
2669:v
2396:/
1991:e
1984:t
1977:v
1939::
1855:2
1851:2
1844:2
1837:2
1811:2
1807:2
1796:)
1794:n
1790:y
1788:(
1786:H
1784:)
1782:x
1780:(
1778:H
1774:y
1770:x
1768:(
1766:H
1764:)
1762:z
1760:(
1758:H
1752:z
1748:y
1744:x
1739:z
1735:z
1731:y
1727:x
1687:p
1679:)
1677:p
1658:k
1654:e
1650:1
1647:e
1641:k
1637:i
1631:q
1625:i
1621:e
1603:)
1600:p
1593:(
1584:i
1580:e
1574:i
1570:p
1564:k
1559:2
1556:=
1553:i
1538:1
1534:e
1529:2
1516:k
1512:e
1508:1
1505:e
1500:p
1496:)
1494:p
1490:k
1483:q
1479:p
1473:q
1471:,
1469:p
1464:c
1460:i
1454:i
1450:p
1442:n
1428:p
1384:n
1380:n
1373:.
1341:.
1336:L
1332:x
1315:n
1302:i
1299:+
1296:k
1293:j
1289:m
1283:i
1279:p
1273:k
1268:1
1265:=
1262:i
1252:2
1247:j
1243:x
1239:=
1234:1
1231:+
1228:j
1224:x
1212:L
1208:j
1202:.
1199:k
1195:i
1187:i
1181:i
1179:+
1173:m
1161:i
1141:1
1135:i
1131:2
1125:i
1121:l
1115:k
1110:1
1107:=
1104:i
1096:=
1074:i
1065:i
1061:m
1052:k
1046:L
1041:.
1037:0
1034:x
1025:m
1017:)
1012:m
1008:1
1005:m
1003:(
995:m
980:n
972:i
968:p
962:k
957:1
954:=
951:i
935:k
929:3
926:p
924:,
922:2
919:p
917:,
915:1
912:p
910:(
906:n
894:n
890:n
886:b
882:x
878:)
876:n
868:x
863:n
842:n
822:n
800:2
796:b
773:2
769:x
748:n
719:=
714:2
686:=
681:2
677:x
656:n
633:=
628:2
624:b
609:n
603:)
601:n
594:n
592:,
590:c
585:n
581:9
572:2
569:m
563:1
560:m
549:1
546:m
536:n
529:c
516:n
512:s
508:s
492:)
490:n
471:k
467:e
463:0
460:e
443:)
440:n
433:(
424:i
420:e
414:i
410:p
404:k
399:0
396:=
393:i
380:2
376:x
364:n
357:x
353:n
347:3
344:p
342:,
340:2
337:p
335:,
333:1
330:p
328:(
322:n
318:k
313:n
294:n
290:x
284:n
280:x
272:b
264:x
260:)
258:n
254:x
250:b
245:x
241:)
239:n
233:b
229:n
222:b
215:)
213:n
207:m
199:m
195:n
191:c
145:p
133:p
129:n
110:)
108:n
Text is available under the Creative Commons Attribution-ShareAlike License. Additional terms may apply.