## Constructing Secure Hash Functions from Weak Compression Functions: The Case for Non-Streamable Hash Functions (2006)

Citations: 2 (0 self)

### BibTeX

@MISC{Liskov06constructingsecure,
    author = {Moses Liskov},
    title = {Constructing Secure Hash Functions from Weak Compression Functions: The Case for Non-Streamable Hash Functions},
    year = {2006}
}

### Abstract

In a recent paper, Lucks espoused a “failure-friendly” approach to hash function design [12]. We expand on this idea in two main ways. First of all, we consider the notion of a weak ideal compression function, which is vulnerable to strong forms of attack, but is otherwise random. We show that such weak ideal compression functions can be used to create secure hash functions, thereby giving a design that can be used to eliminate attacks caused by many unusual properties of compression functions. Furthermore, the construction we give, which we call the “zipper hash,” is ideal in the sense that the overall hash function is indistinguishable from a random oracle when implemented with ideal building blocks. The zipper hash function is relatively efficient, requiring two compression function evaluations per block of input, but it is not streamable. We also show how to create an ideal compression function from ideal weak compression functions, which can be used in the standard iterated way to make a streamable hash function. However, a comparison of these two constructions, as well as consideration of certain recent attacks against iterated hash functions, leads us to the conclusion that non-streamable hash functions may be worth considering.

### Citations

326 | A Certified Digital Signature - Merkle - 1989

289 | A design principle for hash functions - Damgård - 1990
Citation Context: ..., which take input of a particular size and produce output of a reduced size, than a full hash function directly. It is common practice to follow the basic concept of the Merkle-Damgård construction [6, 13]: composing a compression function with itself, each time incorporating a block of the message, until the entire message is processed. If f is the compression function and x is an input divisible into...

214 | How to break MD5 and other hash functions - Wang, Yu
Citation Context: ...unctions, zipper hash. 1 Introduction The design of hash functions is a long-studied problem that has become recently more relevant because of significant attacks against commonly-used hash functions [20, 18, 19, 17, 1]. It is much easier to create collision functions, which take input of a particular size and produce output of a reduced size, than a full hash function directly. It is common practice to follow the b...

168 | Finding collisions in the full SHA-1 - Wang, Yin, et al. - 2005

111 | Analysis and Design of Cryptographic Hash Functions - Preneel - 1993
Citation Context: ...ctions: if H(x) = H(y) then for all strings z, H(x||z) = H(y||z) is another collision. Merkle-Damgård strengthening does not solve this problem completely, since the attack still works if |x| = |y|. [14, 12] – Joux multicollision attack [9]. It is easier than expected to find multicollisions: that is, a set of many distinct inputs that all hash to the same value. For a generic hash function, finding a tw...

103 | Black-Box Analysis of the Block-Cipher-Based Hash-Function Constructions from PGV - Black, Rogaway, et al. - 2002
Citation Context: ...ble from a random oracle when implemented with ideal components. Assuming individual components to be ideal has been established as a reasonable model for the analysis of hash functions for some time [2], and since we will use this model, we should attain strong results, as Coron et al do. 1.1 Our Results In this paper, we formalize the notion of a weak ideal compression function, and show that such ...

93 | Multicollisions in Iterated Hash Functions. Application to Cascaded Constructions - Joux - 2004
Citation Context: ...rings z, H(x||z) = H(y||z) is another collision. Merkle-Damgård strengthening does not solve this problem completely, since the attack still works if |x| = |y|. [14, 12] – Joux multicollision attack [9]. It is easier than expected to find multicollisions: that is, a set of many distinct inputs that all hash to the same value. For a generic hash function, finding a t-way collision should require hashi...

51 | Efficient Collision Search Attacks on SHA-0 - Wang, Yu, et al. - 2005

46 | Formal Aspects of Mobile Code Security - Dean - 1999
Citation Context: ...at can be chained together (by a brute force birthday attack). Once we have r such collisions, we can generate a 2^r-way collision by choosing one input for each colliding pair. – Fixed-point attack [11, 7]. The goal here is to come up with a second preimage for one of a set of known messages. If the target set is of size 2^t, it is easy to see that a second preimage can be found in a generic attack in...

42 | A failure-friendly design principle for hash functions - Lucks - 2005
Citation Context: ...uter Science Department The College of William and Mary Williamsburg, Virginia, USA mliskov@cs.wm.edu Abstract. In a recent paper, Lucks espoused a “failure-friendly” approach to hash function design [12]. We expand on this idea in two main ways. First of all, we consider the notion of a weak ideal compression function, which is vulnerable to strong forms of attack, but is otherwise random. We show th...

38 | Second Preimages on n-Bit Hash Functions for Much Less than 2^n Work - 2005

25 | Herding Hash Functions and the Nostradamus Attack - Kelsey, Kohno - 2005
Citation Context: ...ints are used to circumvent Merkle-Damgård strengthening; with fixed points, one can build “expandable messages,” which let us recover a second preimage of the correct length. – The “herding” attack [10]. This is an attack against the use of a hash function for commitments. The idea is to find a 2^t-way collision (using the Joux attack) at a value H(x), and then find a preimage of a commitment H(x) ...

2 | Merkle-Damgård Revisited: How to Construct a Hash Function - Coron, Dodis, et al.
Citation Context: ...ression function, but we will explicitly allow attacks against it, in order to model a weak but minimally secure compression function. Second, following the work of Coron, Dodis, Malinaud, and Puniya [4], we wish to find ways of strengthening hash functions to a high standard. Coron et al show that the basic Merkle-Damgård construction is not ideal in the sense that even with an ideal compression fu...

2 | Hash functions: past, present and future - Preneel - 2005
Citation Context: ...l primitive be used elsewhere? – Can we make better constructions by representing our compression functions as ideal random quasigroups? Acknowledgements We would like to sincerely thank Bart Preneel [15] and Stefan Lucks [12] for their Asiacrypt 2005 presentations which inspired this research. We would also like to thank those with whom we had useful conversations concerning this project: Ron Rivest,...