## Multi-Property-Preserving Hash Domain Extension and the EMD Transform (2006)


### Download Links

- www.cs.ucsd.edu
- csrc.nist.gov
- www.iacr.org
- DBLP

Venue: Advances in Cryptology – ASIACRYPT 2006

Citations: 59 (7 self)

### BibTeX

```bibtex
@INPROCEEDINGS{Bellare06multi-property-preservinghash,
  author    = {Mihir Bellare and Thomas Ristenpart},
  title     = {Multi-Property-Preserving Hash Domain Extension and the EMD Transform},
  booktitle = {Advances in Cryptology – ASIACRYPT 2006},
  year      = {2006},
  pages     = {299--314},
  publisher = {Springer-Verlag}
}
```


### Abstract

We point out that the seemingly strong pseudorandom oracle preserving (PRO-Pr) property of hash function domain-extension transforms defined and implemented by Coron et al. [12] can actually weaken our guarantees on the hash function, in particular producing a hash function that fails to be even collision-resistant (CR) even though the compression function to which the transform is applied is CR. Not only is this true in general, but we show that all the transforms presented in [12] have this weakness. We suggest that the appropriate goal of a domain extension transform for the next generation of hash functions is to be multi-property preserving, namely that one should have a single transform that is simultaneously at least collision-resistance preserving, pseudorandom function preserving and PRO-Pr. We present an efficient new transform that is proven to be multi-property preserving in this sense.

### Citations

1341 citations: Bellare, Rogaway (1993). Random Oracles are Practical: A Paradigm for Designing Efficient Protocols.
Citation context: "...dardized and used. (NIST FIPS 198, ANSI X9.71, IETF RFC 2104, SSL, SSH, IPSEC, TLS, IEEE 802.11i, and IEEE 802.16e are only some instances.) Hash functions are also used to instantiate random oracles [4] in public-key schemes such as RSA-OAEP [5] and RSA-PSS [6] in the RSA PKCS#1 v2.1 standard [16]. CR is insufficient for arguing the security of hash function based MACs or PRFs, let alone hash-function..."

477 citations: Bellare, Canetti, et al. (1996). Keying hash functions for message authentication.
Citation context: "...usage makes it obvious that CR no longer suffices as the security goal for hash functions. In order to obtain MACs and PRFs, hash functions were keyed. The canonical construct in this domain is HMAC [3, 2] which is widely standardized and used. (NIST FIPS 198, ANSI X9.71, IETF RFC 2104, SSL, SSH, IPSEC, TLS, IEEE 802.11i, and IEEE 802.16e are only some instances.) Hash functions are also used to instan..."

330 citations: Bellare, Rogaway (1996). The exact security of digital signatures: how to sign with RSA and Rabin.
Citation context: "...04, SSL, SSH, IPSEC, TLS, IEEE 802.11i, and IEEE 802.16e are only some instances.) Hash functions are also used to instantiate random oracles [4] in public-key schemes such as RSA-OAEP [5] and RSA-PSS [6] in the RSA PKCS#1 v2.1 standard [16]. CR is insufficient for arguing the security of hash function based MACs or PRFs, let alone hash-function based random oracles. And it does not end there. Whether..."

289 citations: Damgård (1990). A Design Principle for Hash Functions.
Citation context: "...ndent random oracles from Dom to Rng." followed by the paper's Figure 1, reconstructed here from the extracted fragment (the HMAC row is cut off in the source):

| Transform | CR-Pr | PRO-Pr | PRF-Pr | Number of calls to h to hash M, \|M\| = b ≥ d |
|---|---|---|---|---|
| Plain MD (MD) | No | No | No | N(b) = ⌈b/d⌉ |
| Strengthened MD (SMD) | [12, 10] | No | No | N(b) = ⌈b/d⌉ if b mod d < d−64, ⌈b/d⌉ + 1 otherwise |
| Prefix-Free (PRE) | No | [9] | [1] | N(b) = ⌈b/(d−1)⌉ |
| Chop Solution (CHP) | No | [9] | ? | N(b) = ⌈b/d⌉ |
| NMAC Construction (NT) | No | [9] | ? | N(b) = ⌈b/d⌉ + 1 |
| HMAC Construction (HT) | ... | | | |

240 citations: Bellare, Rogaway. Optimal Asymmetric Encryption.
Citation context: "...71, IETF RFC 2104, SSL, SSH, IPSEC, TLS, IEEE 802.11i, and IEEE 802.16e are only some instances.) Hash functions are also used to instantiate random oracles [4] in public-key schemes such as RSA-OAEP [5] and RSA-PSS [6] in the RSA PKCS#1 v2.1 standard [16]. CR is insufficient for arguing the security of hash function based MACs or PRFs, let alone hash-function based random oracles. And it does not end..."

217 citations: Wang, Yu. How to Break MD5 and Other Hash Functions.
Citation context: "...an and will be done, and focus on the domain extension problem. Our confidence in the emergence of strong compression functions might be questioned in the light of the recent collision-finding attacks [18, 17] that have destroyed some hash functions and tainted others. But we do not feel a need for pessimism. We recall the story for block ciphers, where the AES yielded by the NIST competition was not only..."

175 citations: Merkle (1990). One way hash functions and DES.
Citation context: "...a domain extension transform H that utilizes h as a black box to implement the hash function H^h : {0, 1}^* → {0, 1}^n associated to h. All current hash functions use the Merkle-Damgård (MD) transform [12, 10] because it has been proven [12, 10] to be collision-resistance preserving (CR-Pr): if h is collision-resistant (CR) then so is H^h. This means that the cryptanalytic validation task can be confined to..."

105 citations: Bellare, Rogaway (2006). The security of triple encryption and a framework for code-based game-playing proofs.
Citation context: "...nd f. We thus have that $\Pr[A_2^{C^f,f} \Rightarrow 1] = \Pr[A^{G_0} \Rightarrow 1]$ and $\Pr[A_1^{C^f,f} \Rightarrow 1] = \Pr[A^{G_1} \Rightarrow 1]$. Since $G_0$ and $G_1$ are identical-until-bad we have by the fundamental lemma of game playing [7] that $\Pr[A^{G_0} \Rightarrow 1] - \Pr[A^{G_1} \Rightarrow 1] \le \Pr[A^{G_1} \text{ sets } \mathsf{bad}]$. The right hand side is at most $2^{-n}$ because f is a random oracle. Thus, $\mathbf{Adv}^{\mathrm{pro}}_{C_2,S}(A_2) = \Pr[A^{G_0} \Rightarrow 1] - \Pr[A^{F,S^F} \Rightarrow 1] = \Pr[A\ldots$"

92 citations: Bellare, Canetti, et al. (1996). Pseudorandom functions revisited: The cascade construction and its concrete security.
Citation context: "...However our transform still has several advantages over their transforms. One is that ours is cheaper, i.e. more efficient, and this matters in practice. Another is that ours is PRF-Pr. A result of [1] implies that one of the transforms of [9] is PRF-Pr, but whether or not this is true for the others is not clear. Summary. Figure 1 summarizes our quantitative results. We now recap our main contribu..."

83 citations: Bellare (2006). New Proofs for NMAC and HMAC: Security without Collision-Resistance.
Citation context: "...the key-via-IV strategy to create a keyed version of our transform, which is EMD^e_{K1,K2}(M) = e∘(K1, K2, M) (for some PRF e). The resulting scheme is very similar to NMAC, which we know to be PRF-Pr [2]. Because our transform allows direct adversarial control over a portion of the input to the envelope function, we cannot directly utilize the proof of NMAC (which assumes instead that these..."

79 citations: Canetti, Goldreich, Halevi (1998). The random oracle methodology, revisited.
Citation context: "...PRO-Pr transform works on a real compression function, we have essentially no provable guarantees on the resulting hash function. This is in some ways analogous to the kinds of issues pointed out in [8, 13] about the sometimes impossibility of instantiating random oracles. The fact that a PRO-Pr transform need not in general be CR-Pr does not mean that some particular PRO-Pr transform is not CR-Pr. We t..."

76 citations: Coron, Dodis, et al. (2005). Merkle-Damgård revisited: How to construct a hash function.
Citation context: "...mihir,tristenp} Abstract. We point out that the seemingly strong pseudorandom oracle preserving (PRO-Pr) property of hash function domain-extension transforms defined and implemented by Coron et al. [1] can actually weaken our guarantees on the hash function, in particular producing a hash function that fails to be even collision-resistant (CR) even though the compression function to which the trans..."

73 citations: Maurer, Renner, et al. Indifferentiability, impossibility results on reductions, and applications to the random oracle methodology.
Citation context: "...they fail to be CR-Pr. This point is somewhat subtle so needs some explanation. We use the moniker pseudorandom oracle for any construction that is indifferentiable from a random oracle as defined in [11]. A transform is PRO-Pr if it preserves the property of "behaving like a random oracle": if h is modeled as a random oracle, then H^h should be a pseudorandom oracle. As explained at length in [9], thi..."

39 citations: Coron, Dodis, Malinaud, Puniya (2005). Merkle-Damgård Revisited: How to Construct a Hash Function.
Citation context: "...provide a practical, proven-secure multi-domain extension transform suitable for use with the next generation of hash functions; (3) point to some subtle weaknesses in the transforms of Coron et al. [9] that imply they are not only not suitable multi-property transforms but in fact in some ways provide lower security guarantees than even the current MD transform. 1 Introduction. Background. Recall th..."

26 citations: An, Bellare (1999). Constructing VIL-MACs from FIL-MACs: Message authentication under weakened assumptions.

6 citations: Wang, Yin, Yu (2005). Finding collisions in the full SHA-1.
Citation context: "...an and will be done, and focus on the domain extension problem. Our confidence in the emergence of strong compression functions might be questioned in the light of the recent collision-finding attacks [18, 17] that have destroyed some hash functions and tainted others. But we do not feel a need for pessimism. We recall the story for block ciphers, where the AES yielded by the NIST competition was not only..."

3 citations: Damgård (1990). A design principle for hash functions. Advances in Cryptology – CRYPTO '89.
Citation context: "...main extension transform H that utilizes h as a black box to implement the hash function H^h : {0,1}^* → {0,1}^n associated to h. All widely-used hash functions use the Merkle-Damgård (MD) transform [2, 3] because it has been proven [2, 3] to be collision-resistance preserving (CR-Pr): if h is collision-resistant (CR) then so is H^h. This means that the cryptanalytic validation task can be confined to..."