Section: Overall Objectives
SIMD: Selected for the second round of the NIST SHA-3 Competition
Since the recent attacks on many hash functions such as MD4, MD5, SHA-0, and SHA-1, the NIST has decided to launch a competition to choose the next standardized hash function. Among the 51 hash functions presented in february 2009 at the first NIST hash function workshop, only 14 have passed the first round in august 2009, including 3 hash functions designed by french groups: one of them is the SIMD hash function designed by our team.
Since the recent attacks use differential cryptanalysis, we tried to secure SIMD against such attacks by using a strong message expansion with a high minimal distance. SIMD also provides new ideas by tweaking the Davies-Meyer mode for constructing compression function in a special way to avoid undesiderable properties such as fixed points. The performances of SIMD are especially interesting for processors with SIMD instructions, since SIMD is highly parallelizable.
To be used in practice, cryptography must be efficient on both the machine and the user points of view. Computational cost has been a major concern for a long time, with various successes. This is still important to keep efficiency in mind. However, the security of the system is at most that of the weakest part. And this weakest part is quite often the human being: if intricate techniques have to be used, the latter will not use them.
Password-based cryptography can provide a good trade-off, if well specified. Of course, we cannot expect the same security as with a 128-bit secret key, but reasonable security levels can be reached, even with small passwords, easily memorable by users: on-line dictionary attacks only are possible for the adversary, which means that one password only can be tested per active attack.
Last year, we provided the first analysis of a 2-party key exchange, secure against adaptive adversaries, in the random oracle model. This year, we provided the first efficient scheme provably secure in the standard model. To this aim, we extended a theoretical tool, the smooth projective hash system , in order to build conditionally extractable commitments. Moreover, we studied group key exchange, in the random oracle model, with an additional property. The contributiveness means that until the adversary has not corrupted too many parties, it has no chance to bias the key the group will agree on.
Traditional wisdom says that it is impossible to do public-key cryptography from short passwords. This is because any low-entropy private key will quickly succumb to an off-line dictionary attack, made possible by the very publication of the public key, which can thus be used as a non-interactive test function. Since off-line attacks are very effective against weak secrets, it is imperative that the private keys in public-key systems be highly random and complex, but that makes them hopelessly impossible to be remembered by humans. We have thus introduced the notion of distributed password-based public-key cryptography, where a virtual high-entropy private key is implicitly defined as a concatenation of low-entropy passwords held in separate locations. The users can jointly perform private-key operations by exchanging messages over an arbitrary channel, based on their respective passwords, without ever sharing their passwords or reconstituting the key.