Merkle-Damgård Revisited: How to Construct a Hash Function
Advances in Cryptology, Crypto 2005
Cited by 74 (8 self)
The most common way of constructing a hash function (e.g., SHA-1) is to iterate a compression function on the input message. The compression function is usually designed from scratch or made out of a block-cipher. In this paper, we introduce a new security notion for hash functions, stronger than collision-resistance. Under this notion, the arbitrary-length hash function H must behave as a random oracle when the fixed-length building block is viewed as a random oracle or an ideal block-cipher. The key property is that if a particular construction meets this definition, then any cryptosystem proven secure assuming H is a random oracle remains secure if one plugs in this construction (still assuming that the underlying fixed-length primitive is ideal). In this paper, we show that the current design principle behind hash functions such as SHA-1 and MD5 — the (strengthened) Merkle-Damgård transformation — does not satisfy this security notion. We provide several constructions that provably satisfy this notion; those new constructions introduce minimal changes to the plain Merkle-Damgård construction and are easily implementable in practice.

Getting the Best Out of Existing Hash Functions; or What if We Are Stuck with SHA?
Cascade chaining is a very efficient and popular mode of operation for building various kinds of cryptographic hash functions. In particular, it is the basis of the most heavily utilized SHA function family. Recently, many researchers pointed out various practical and theoretical deficiencies of this mode, which resulted in a renewed interest in building specialized modes of operations and new hash functions with better security. Unfortunately, it appears unlikely that a new hash function (say, based on a new mode of operation) would be widely adopted before being standardized, which is not expected to happen in the foreseeable future. Instead, it seems likely that practitioners would continue to use the cascade chaining, and the SHA family in particular, and try to work around the deficiencies mentioned above. In this paper we provide a thorough treatment of how to soundly design a secure hash function H' from a given cascade-based hash function H for various cryptographic applications, such as collision-resistance, one-wayness, pseudorandomness, etc. We require each proposed construction of H' to satisfy the following "axioms".
1. The construction should consist of one or two "black-box" calls to H.
2. In particular, one is not allowed to know/use anything about the internals of H, such as modifying the initialization vector or affecting the value of the chaining variable.
3. The construction should support variable-length inputs.
4. Compared to a single evaluation of H(M), the evaluation of H'(M) should make at most a fixed (small constant) number of extra calls to the underlying compression function of H. In other words, the efficiency of H' is negligibly close to that of H.
We discuss several popular modes of operation satisfying the above axioms. For each such mode and for each given desired security requirement, we discuss the weakest requirement on the compression function of H which would make this mode secure.
We also give the implications of these results for using existing hash functions

a belt-and-mill hash function
We present an approach to design cryptographic hash functions that builds on and improves the one underlying the Panama hash function. We discuss the properties of the resulting hash functions that need to be investigated and give a concrete design called RadioGatún that is quite competitive with SHA-1 in terms of performance. We are busy performing an analysis of RadioGatún and present in this paper some preliminary results.

Prashant Puniya
The Random Oracle Methodology
♦ “Paradigm for designing secure and efficient protocols” (BR’93).
♦ Assume existence of a publicly accessible ideal random function and prove protocol security.
♦ Replace ideal random function by an actual “secure hash function” (such as SHA-1) to deploy protocol.
♦ Hope that nothing breaks down!

Is SHA-1 Really Random?
♦ Is SHA-1 obscure enough to successfully replace a random oracle?
♦ No. Practical hash functions usually iteratively apply a fixed-length compression function to the input (called the Merkle-Damgård construction).