Hash Functions in the DedicatedKey Setting: Design Choices and MPP Transforms
 In ICALP ’07, volume 4596 of LNCS
, 2007
"... In the dedicatedkey setting, one starts with a compression function f: {0, 1} k ×{0, 1} n+d → {0, 1} n and builds a family of hash functions H f: K × M → {0, 1} n indexed by a key space K. This is different from the more traditional design approach used to build hash functions such as MD5 or SHA1, ..."
Cited by 13 (1 self)
In the dedicatedkey setting, one starts with a compression function f: {0, 1} k ×{0, 1} n+d → {0, 1} n and builds a family of hash functions H f: K × M → {0, 1} n indexed by a key space K. This is different from the more traditional design approach used to build hash functions such as MD5 or SHA1, in which compression functions and hash functions do not have dedicated key inputs. We explore the benefits and drawbacks of building hash functions in the dedicatedkey setting (as compared to the more traditional approach), highlighting several unique features of the former. Should one choose to build hash functions in the dedicatedkey setting, we suggest utilizing multipropertypreserving (MPP) domain extension transforms. We analyze seven existing dedicatedkey transforms with regard to the MPP goal and propose two simple
Amplifying Collision Resistance: A ComplexityTheoretic Treatment
 Advances in Cryptology — Crypto 2007, Volume 4622 of Lecture
"... Abstract. We initiate a complexitytheoretic treatment of hardness amplification for collisionresistant hash functions, namely the transformation of weakly collisionresistant hash functions into strongly collisionresistant ones in the standard model of computation. We measure the level of collisi ..."
Cited by 9 (1 self)
Abstract. We initiate a complexitytheoretic treatment of hardness amplification for collisionresistant hash functions, namely the transformation of weakly collisionresistant hash functions into strongly collisionresistant ones in the standard model of computation. We measure the level of collision resistance by the maximum probability, over the choice of the key, for which an efficient adversary can find a collision. The goal is to obtain constructions with short output, short keys, small loss in adversarial complexity tolerated, and a good tradeoff between compression ratio and computational complexity. We provide an analysis of several simple constructions, and show that many of the parameters achieved by our constructions are almost optimal in some sense.
NonTrivial BlackBox Combiners for CollisionResistant HashFunctions don’t Exist
 Advances in Cryptology — Eurocrypt 2007, Lecture Notes in Computer Science
"... Abstract. A (k, `)robust combiner for collisionresistant hashfunctions is a construction which from ` hashfunctions constructs a hashfunction which is collisionresistant if at least k of the components are collisionresistant. One trivially gets a (k, `)robust combiner by concatenating the ou ..."
Cited by 9 (1 self)
Abstract. A (k, `)robust combiner for collisionresistant hashfunctions is a construction which from ` hashfunctions constructs a hashfunction which is collisionresistant if at least k of the components are collisionresistant. One trivially gets a (k, `)robust combiner by concatenating the output of any ` − k + 1 of the components, unfortunately this is not very practical as the length of the output of the combiner is quite large. We show that this is unavoidable as no blackbox (k, `)robust combiner whose output is significantly shorter than what can be achieved by concatenation exists. This answers a question of Boneh and Boyen (Crypto’06). 1
Random Oracles and Auxiliary Input ⋆
"... Abstract. We introduce a variant of the random oracle model where oracledependent auxiliary input is allowed. In this setting, the adversary gets an auxiliary input that can contain information about the random oracle. Using simple examples we show that this model should be preferred over the class ..."
Cited by 8 (0 self)
Abstract. We introduce a variant of the random oracle model where oracledependent auxiliary input is allowed. In this setting, the adversary gets an auxiliary input that can contain information about the random oracle. Using simple examples we show that this model should be preferred over the classical variant where the auxiliary input is independent of the random oracle. In the presence of oracledependent auxiliary input, the most important proof technique in the random oracle model—lazy sampling—does not apply directly. We present a theorem and a variant of the lazy sampling technique that allows one to perform proofs in the new model almost as easily as in the old one. As an application of our approach and to illustrate how existing proofs can be adapted, we prove that
A CollisionResistant Rate1 DoubleBlockLength Hash Function
"... (on the leave to BauhausUniversity Weimar, Germany) Abstract. This paper proposes a construction for collision resistant 2nbit hash functions, based on nbit block ciphers with 2nbit keys. The construction is analysed in the ideal cipher model; for n = 128 an adversary would need roughly 2 122 un ..."
Cited by 8 (0 self)
(on the leave to BauhausUniversity Weimar, Germany) Abstract. This paper proposes a construction for collision resistant 2nbit hash functions, based on nbit block ciphers with 2nbit keys. The construction is analysed in the ideal cipher model; for n = 128 an adversary would need roughly 2 122 units of time to find a collision. The construction employs “combinatorial ” hashing as an underlying building block (like Universal Hashing for cryptographic message authentication by Wegman and Carter). The construction runs at rate 1, thus improving on a similar rate 1/2 approach by Hirose (FSE 2006). 1
A ThreePropertySecure Hash Function
"... Abstract. This paper proposes a new hash construction based on the widely used MerkleDamg˚ard (MD) iteration [Mer90,Dam90]. It achieves the three basic properties required from a cryptographic hash function: collision (Coll), second preimage (Sec) and preimage (Pre) security. We show property prese ..."
Cited by 3 (0 self)
Abstract. This paper proposes a new hash construction based on the widely used MerkleDamg˚ard (MD) iteration [Mer90,Dam90]. It achieves the three basic properties required from a cryptographic hash function: collision (Coll), second preimage (Sec) and preimage (Pre) security. We show property preservation for the first two properties in the standard security model and the third Pre security property is proved in the random oracle model. Similar to earlier known hash constructions that achieve a form of Sec (eSec [RS04]) property preservation [BR97,Sho00], we make use of fixed key material in the iteration. But while these hashes employ keys of size at least logarithmic in the message length (in blocks), we only need a small constant key size. Another advantage of our construction is that the underlying compression function is instantiated as a keyless primitive. The Sec security of our hash scheme, however, relies heavily on the standard definitional assumption that the target messages are sufficiently random. An example of a practical application that requires Sec security and satisfies this definitional premise on the message inputs is the popular CramerShoup encryption scheme [CS03]. Still, in practice we have other hashing applications where the target messages are not sampled from spaces with uniform distribution. And while our scheme is Sec preserving for uniform message distributions, we show that this is not always the case for other distributions. 1
The MD6 hash function A proposal to NIST for SHA3
, 2008
"... This report describes and analyzes the MD6 hash function and is part of our submission package for MD6 as an entry in the NIST SHA3 hash function competition 1. Significant features of MD6 include: • Accepts input messages of any length up to 2 64 − 1 bits, and produces message digests of any desir ..."
Cited by 3 (1 self)
This report describes and analyzes the MD6 hash function and is part of our submission package for MD6 as an entry in the NIST SHA3 hash function competition 1. Significant features of MD6 include: • Accepts input messages of any length up to 2 64 − 1 bits, and produces message digests of any desired size from 1 to 512 bits, inclusive, including
Enhanced Security Notions for DedicatedKey Hash Functions: Definitions and Relationships
, 2005
"... In this paper, we revisit security notions for dedicatedkey hash functions, considering two essential theoretical aspects; namely, formal definitions for security notions, and the relationships among them. Our contribution is twofold. First, we provide a new set of enhanced security notions for de ..."
Cited by 2 (0 self)
In this paper, we revisit security notions for dedicatedkey hash functions, considering two essential theoretical aspects; namely, formal definitions for security notions, and the relationships among them. Our contribution is twofold. First, we provide a new set of enhanced security notions for dedicatedkey hash functions. The provision of this set of enhanced properties has been motivated by the introduction of enhanced target collision resistance (eTCR) property by Halevi and Krawczyk at Crypto 2006. We notice that the eTCR property does not belong to the set of the seven security notions previously investigated by Rogaway and Shrimpton at FSE 2004; namely: Coll, Sec, aSec, eSec, Pre, aPre and ePre. The fact that eTCR, as a new useful property, is the enhanced variant of the wellknown TCR (a.k.a. eSec or UOWHF) property motivates one to investigate the possibility of providing enhanced variants for the other properties. We provide such an enhanced set of properties. Interestingly, there are six enhanced variants of security notions available, excluding “ePre” which can be demonstrated to be nonenhanceable. As the second and main part of our contribution, we provide a full picture of relationships (i.e. implications and separations) among the (thirteen) security properties including the (six) enhanced properties and the previously considered seven properties. The implications and separations are supported by formal proofs (reductions) and/or counterexamples in the concretesecurity framework.
ANOTHER LOOK AT HMAC
"... Abstract. HMAC is the most widelydeployed cryptographichashfunctionbased message authentication code. First, we describe a security issue that arises because of inconsistencies in the standards and the published literature regarding keylength. We prove a separation result between two versions of ..."
Cited by 2 (2 self)
Abstract. HMAC is the most widelydeployed cryptographichashfunctionbased message authentication code. First, we describe a security issue that arises because of inconsistencies in the standards and the published literature regarding keylength. We prove a separation result between two versions of HMAC, which we denote HMAC std and HMAC Bel, the former being the realworld version standardized by Bellare et al. in 1997 and the latter being the version described in Bellare’s proof of security in his Crypto 2006 paper. Second, we describe how HMAC NIST (the FIPS version standardized by NIST), while provably secure, succumbs to a practical attack in the multiuser setting. Third, we describe a fundamental defect from a practiceoriented standpoint in Bellare’s 2006 security result for HMAC, and show that because of this defect his proof gives a security guarantee that is of little value in practice. We give a new proof of NMAC security that gives a stronger result for NMAC and HMAC – and solves an “interesting open problem ” from Bellare’s Crypto 2006 paper – and discuss its limitations. 1.
An Investigation of the Enhanced Target Collision Resistance Property for Hash Functions
 CRYPTOLOGY EPRINT ARCHIVE, REPORT 2009/506
, 2009
"... We revisit the enhanced target collision resistance (eTCR) property as a newly emerged notion of security for dedicatedkey hash functions, which has been put forth by Halevi and Krawczyk at CRYPTO’06, in conjunction with the Randomized Hashing mode to achieve this property. Our contribution is tw ..."
Cited by 1 (1 self)
We revisit the enhanced target collision resistance (eTCR) property as a newly emerged notion of security for dedicatedkey hash functions, which has been put forth by Halevi and Krawczyk at CRYPTO’06, in conjunction with the Randomized Hashing mode to achieve this property. Our contribution is twofold. Firstly, we provide a full picture of the relationships between eTCR and each of the seven security properties for a dedicatedkey hash function, considered by Rogaway and Shrimpton at FSE’04; namely, collision resistance (CR), the three variants of secondpreimage resistance (Sec, aSec, eSec) and the three variants of preimage resistance (Pre, aPre, ePre). The results show that, for an arbitrary dedicatedkey hash function, eTCR is not implied by any of these seven properties, and it can only imply three of the properties; namely, eSec (TCR), Sec, Pre. In the second part of the paper, we analyze the eTCR preservation capabilities of several domain extension transforms (a.k.a. modes of operation) for hash functions, including (Plain, Strengthened, and Prefixfree) MerkleDamg˚ard, Randomized Hashing, Shoup, Enveloped Shoup, XOR Linear Hash (XLH), and Linear Hash (LH). From this analysis it turns out that, with the exception of a nested variant of LH, none of the investigated transforms can preserve the eTCR property.