- Instructor: Orr Dunkelman,

phone 8447, room 408.

Office hour: Sun. 14:30-15:30

- Lecture: Wed.
**16:15-17:45**, location: Madrega 3043.

- 60% - Lecturer evaluation
- 20% - Participation in classes
- 20% - Peer evaluation

- Probabilistic Methods - 203.2480
- Computational Models - 203.6510

- 1.4.12 - The list of paper assignments has been released. Please take a look at it. In case you do not think that you can handle the paper/date, please let me know by Tuesday, 3.4.12 at midnight.
- 25.3.12 - Contrary to mentioned in class, this week's meeting will start as usual (at 16:15). On 1.4 we will have a supplementary meeting 17:30-19:00 at Jacobs' 506.
- 14.3.12 - Please take a look at the abstracts of the papers, and pick the ones you are interested in presenting. The papers are grouped into three groups, and you need to send Orr a list of at least three papers (not all of them of the same group), and three dates you would like to talk at (any Wed. when classes take place, starting the 18th of April). Please send your preferences until the 25th of March.
- 14.3.12 - The lecture of next week (21.3) as well as the office hour on Sunday (18.3) are canceled. There will a supplementary lecture on the 1.4, information concerning location will follow.
- 12.3.12 - please note the change of lecture room to Madrega 3043.
- 10.3.12 - there will be no meeting in the course on 21.3. A replacement meeting will be held (its time and place to be announced later).

Topic | Lecture | Slides | Comments |

Introduction | 7/3, 14/3 | ||

MD5/SHA1 | 14/3 | ||

Generic Attacks | 14/3,28/3,1/4 | ||

Differential Cryptanalysis | 1/4,18/4 | ||

Hitchhiker's Guide to SHA-3 | 20/6 |

**
The slides are in PDF format.
**
**
I may change the slides a little bit before and after the
lecture. Be aware of changes.
**

Number | Title | Authors | Publication Information | Paper | Student |

S1 | Multicollisions in Iterated Hash Functions. Application to Cascaded Constructions | Antoine Joux | Crypto 2004 (pp. 306-316) | Raz, 2/5 | |

S2 | Second Preimages on n-Bit Hash Functions for Much Less than 2^n Work | John Kelsey and Bruce Schneier | Eurocrypt 2005 (pp. 474-490) | Available | |

S3 | Herding Hash Functions and the Nostradamus Attack | John Kelsey and Tadayoshi Kohno | Eurocrypt 2006 (pp. 183-200) | Ohad, 16/5 | |

S4 | Second Preimage Attacks on Dithered Hash Functions | Elena Andreeva, Charles Bouillaguet, Pierre-Alain Fouque, Jonathan J. Hoch, John Kelsey, Adi Shamir, and Sebastien Zimmer | Eurocrypt 2008 (pp. 270-288) | Tomer, 23/5 | |

S5 | Herding, Second Preimage and Trojan Message Attacks beyond Merkle-Damgard | Elena Andreeva, Charles Bouillaguet, Orr Dunkelman, and John Kelsey | Selected Areas in Cryptography 2009 (pp. 393-414) | Available | |

S6 | Improved Generic Algorithms for 3-Collisions | Antoine Joux and Stefan Lucks | Asiacrypt 2009 (pp. 347-363) | Alon, 6/6 |

Number | Title | Authors | Publication Information | Paper | Student |

I1 | Differential Collisions in SHA-0 | Florent Chabaud and Antoine Joux | Crypto 1998 (pp. 56-71) | Encrypted Zip | Fadi, 9/5 |

I2 | Near-Collisions of SHA-0 | Eli Biham and Rafi Chen | Crypto 2004 (pp. 290-305) | Available | |

I3 | Collisions of SHA-0 and Reduced SHA-1 | Eli Biham, Rafi Chen, Antoine Joux, Patrick Carribault, Christophe Lemuet, and William Jalby | Eurocrypt 2005 (pp. 36-57) | Nael, 16/5 | |

I4 | How to Break MD5 and Other Hash Functions | Xiaoyun Wang and Hongbo Yu | Eurocrypt 2005 (pp. 19-35) | Saar, 9/5 | |

I5 | Finding Collisions in the Full SHA-1 | Xiaoyun Wang, Yiqun Lisa Yin, and Hongbo Yu | Crypto 2005 (pp. 17-36) | Available | |

I6 | Finding SHA-1 Characteristics: General Results and Applications | Christophe De Canniere and Christian Rechberger | Asiacrypt 2006 (pp. 1-20) | Available | |

I7 | Preimages for Reduced SHA-0 and SHA-1 | Christophe De Canniere and Christian Rechberger | Crypto 2008 (pp. 179-202) | Stav, 23/5 | |

I8 | Tunnels in Hash Functions: MD5 Collisions Within a Minute | Vlastimil Klima | IACR ePrint Report 2006/105 | Report | Available |

Number | Title | Authors | Publication Information | Paper | Student |

A1 | Chosen-Prefix Collisions for MD5 and Colliding X.509 Certificates for Different Identities | Marc Stevens, Arjen K. Lenstra, and Benne de Weger | Eurocrypt 2007 (pp. 1-22) | Available | |

A2 | Short Chosen-Prefix Collisions for MD5 and the Creation of a Rogue CA Certificate | Marc Stevens, Alexander Sotirov, Jacob Appelbaum, Arjen K. Lenstra, David Molnar, Dag Arne Osvik, and Benne de Weger | Crypto 2009 (pp. 55-69) | Sela, 30/5 | |

A3 | Hash Functions and the (Amplified) Boomerang Attack | Antoine Joux and Thomas Peyrin | Crypto 2007 (pp. 244-263) | Available | |

A4 | The Rebound Attack: Cryptanalysis of Reduced Whirlpool and Grostl | Florian Mendel, Christian Rechberger, Martin Schlaffer, and Soren S. Thomsen | Fast Software Encryption 2009 (pp. 260-276) | Dikla, 30/5 | |

A5 | MD5 Is Weaker Than Weak: Attacks on Concatenated Combiners | Florian Mendel, Christian Rechberger, and Martin Schlaffer | Asiacrypt 2009 (pp. 144-161) | Available | |

A6 | A Note on the Practical Value of Single Hash Collisions for Special File Formats | Max Gebhardt, Georg Illies, and Werner Schindler | NIST Hash Function workshop 2005 | Ilya, 13/6 |

When reading a paper, if you need to find out some prior works, you can try and google it (either using google or google scholar). It is advisable to try "DBLP author name", searching for the paper on IACR's eprint archive, or in the Technion's CS department library (the grey books at the entrance are the proceedings, sorted by LNCS volume number). Also, taking a look at the authors' websites may be useful (note that not all authors post their papers online, but many do so).

Date | Student | Paper | Presentation |

2/5 | Raz | S1 - Multicollisions in Iterated Hash Functions. Application to Cascaded Constructions | |

9/5 | Fadi | I1 - Differential Collisions in SHA-0 | HTML |

9/5 | Saar | I4 - How to Break MD5 and Other Hash Functions | |

16/5 | Nael | I3 - Collisions of SHA-0 and Reduced SHA-1 | |

16/5 | Ohad | S3 - Herding Hash Functions and the Nostradamus Attack | |

23/5 | Stav | I7 - Preimages for Reduced SHA-0 and SHA-1 | |

23/5 | Tomer | S4 - Second Preimage Attacks on Dithered Hash Functions | |

30/5 | Dikla | A4 - The Rebound Attack: Cryptanalysis of Reduced Whirlpool and Grostl | |

30/5 | Sela | A2 - Short Chosen-Prefix Collisions for MD5 and the Creation of a Rogue CA Certificate | |

6/6 | Alon | S6 - Improved Generic Algorithms for 3-Collisions | |

13/6 | Ilya | A6 - A Note on the Practical Value of Single Hash Collisions for Special File Formats |

**Note that this schedule is not final, and may be changed!**

The order between the speakers of the same class, to be determined between them (or if no agreement is found, by a coin flip).