Results 1 - 4 of 4
Merkle–Damgård revisited: How to construct a hash function, 2005
Cited by 51 (5 self)
The most common way of constructing a hash function (e.g., SHA-1) is to iterate a compression function on the input message. The compression function is usually designed from scratch or made out of a block-cipher. In this paper, we introduce a new security notion for hash-functions, stronger than collision-resistance. Under this notion, the arbitrary length hash function H must behave as a random oracle when the fixed-length building block is viewed as a random oracle or an ideal block-cipher. The key property is that if a particular construction meets this definition, then any cryptosystem proven secure assuming H is a random oracle remains secure if one plugs in this construction (still assuming that the underlying fixed-length primitive is ideal). In this paper, we show that the current design principle behind hash functions such as SHA-1 and MD5 — the (strengthened) Merkle–Damgård transformation — does not satisfy this security notion. We provide several constructions that provably satisfy this notion; those new constructions introduce minimal changes to the plain Merkle–Damgård construction and are easily implementable in practice.
Getting the Best Out of Existing Hash Functions; or What if We Are Stuck with SHA?
Cascade chaining is a very efficient and popular mode of operation for building various kinds of cryptographic hash functions. In particular, it is the basis of the most heavily utilized SHA function family. Recently, many researchers pointed out various practical and theoretical deficiencies of this mode, which resulted in a renewed interest in building specialized modes of operations and new hash functions with better security. Unfortunately, it appears unlikely that a new hash function (say, based on a new mode of operation) would be widely adopted before being standardized, which is not expected to happen in the foreseeable future. Instead, it seems likely that practitioners would continue to use the cascade chaining, and the SHA family in particular, and try to work around the deficiencies mentioned above. In this paper we provide a thorough treatment of how to soundly design a secure hash function H0 from a given cascade-based hash function H for various cryptographic applications, such as collision-resistance, one-wayness, pseudorandomness, etc. We require each proposed construction of H0 to satisfy the following "axioms".
1. The construction should consist of one or two "black-box" calls to H.
2. In particular, one is not allowed to know/use anything about the internals of H, such as modifying the initialization vector or affecting the value of the chaining variable.
3. The construction should support variable-length inputs.
4. Compared to a single evaluation of H(M), the evaluation of H0(M) should make at most a fixed (small constant) number of extra calls to the underlying compression function of H. In other words, the efficiency of H0 is negligibly close to that of H.
We discuss several popular modes of operation satisfying the above axioms. For each such mode and for each given desired security requirement, we discuss the weakest requirement on the compression function of H which would make this mode secure.
We also give the implications of these results for using existing hash functions
a belt-and-mill hash function
We present an approach to design cryptographic hash functions that builds on and improves the one underlying the Panama hash function. We discuss the properties of the resulting hash functions that need to be investigated and give a concrete design called RadioGatún that is quite competitive with SHA-1 in terms of performance. We are busy performing an analysis of RadioGatún and present in this paper some preliminary results.
Prashant Puniya, The Random Oracle Methodology
♦ “Paradigm for designing secure and efficient protocols” (BR’93).
♦ Assume existence of a publicly accessible ideal random function and prove protocol security.
♦ Replace ideal random function by an actual “secure hash function” (such as SHA-1) to deploy protocol.
♦ Hope that nothing breaks down!
Is SHA-1 Really Random?
♦ Is SHA-1 obscure enough to successfully replace a random oracle?
♦ No. Practical hash functions usually iteratively apply a fixed length compression function to the input (called the Merkle–Damgård construction).

