## A Framework for Iterative Hash Functions: HAIFA

Venue: In Proceedings of Second NIST Cryptographic Hash Workshop, 2006. Available from: www.csrc.nist.gov/pki/HashWorkshop/2006/program_2006.htm

Citations: 14 - 0 self

### BibTeX

```bibtex
@INPROCEEDINGS{Biham_aframework,
    author = {Eli Biham and Orr Dunkelman},
    title = {A Framework for Iterative Hash Functions: HAIFA},
    booktitle = {In Proceedings of Second NIST Cryptographic Hash Workshop, 2006 . Available from: www.csrc.nist.gov/pki/HashWorkshop/2006/program_2006.htm},
    year = {}
}
```

### Abstract

Since the seminal works of Merkle and Damgård on the iteration of compression functions, hash functions were built from compression functions using the Merkle-Damgård construction. Recently, several flaws in this construction were identified, allowing for second pre-image attacks and chosen target pre-image attacks on such hash functions even when the underlying compression functions are secure. In this paper we propose the HAsh Iterative FrAmework (HAIFA). Our framework can fix many of the flaws while supporting several additional properties such as defining families of hash functions and supporting variable hash size. HAIFA allows for an online computation of the hash function in one pass with a fixed amount of memory independently of the size of the message. Besides our proposal, the recent attacks initiated research on the way compression functions are to be iterated. We show that most recent proposals such as randomized hashing, the enveloped Merkle-Damgård, and the RMC and ROX modes can all be instantiated as part of the HAsh

### Citations

289 | A design principle for hash functions
- Damgård
- 1989

Citation Context: ... It is hard to find x, x′ s.t. f(x) = f(x′). The Merkle-Damgård construction is the most widely used transformation of cryptographic secure compression functions into cryptographic hash functions [4, 13]. The Merkle-Damgård construction suggests a simple transformation that maintains the collision resistance property of the underlying compression function. For years it was widely believed that ∗ An ...

97 | Collision-Resistant Hashing: Towards Making UOWHFs Practical
- Bellare, Rogaway
- 1997

Citation Context: ...resistance, Second pre-image resistance, and pre-image resistance, along with their everywhere and always variants. The RMC construction maintains these properties by using the XOR-linear hash scheme [4]. The construction uses two random oracles (with fixed output length). The first random oracle RO1 is used to produce strings which are XORed to the chaining values (just like in the XOR-linear scheme...

59 | Multi-Property-Preserving Hash Domain Extension and the EMD Transform
- Bellare, Ristenpart
- 2006

Citation Context: ...mostly useful for digital signatures (preventing the attack scenario where the attacker finds two colliding messages and asks the victim to sign the first). The enveloped Merkle-Damgård construction [3] was proposed by Bellare and Ristenpart as a method to maintain the collision resistance, the pseudorandom and the pseudorandom family properties of the compression function. This is very useful for c...

58 | Strengthening digital signatures via randomized hashing
- Halevi, Krawczyk
- 2005

Citation Context: ...of iterative hash functions against (second) pre-image attacks, and the prevention of easy-to-use fix-points of the compression function. HAIFA also supports variable hash size and randomized hashing [6] as part of the framework. HAIFA also possesses the online hashing property of the Merkle-Damgård construction. The computation of an HAIFA hash function requires one pass on the message, without keepin...

46 | Formal Aspects of Mobile Code Security
- Dean
- 1999

Citation Context: ... compression function as well as the second pre-image resistance. However, in recent years several counter examples for these beliefs were suggested. The first evidence for this was the works of Dean [5]. Dean showed that if fix-points of the compression function are easily found, then second pre-image attacks on Merkle-Damgård hash functions can be mounted using O(m · 2^(m/2)) time and O(m · 2^(m/2))...

42 | A failure-friendly design principle for hash functions
- Lucks
- 2005

Citation Context: ...It is possible to treat the two parameters salt and #bits as additional fields in the chaining value and removing them in the last block. The approach of increasing the chaining value was promoted in [11] and it may seem that our suggestion follows this approach. However, the analysis in [11] assumes that the hash function is a “good” hash function for all the bits of the chaining value, while our app...

40 | Preimages on n-Bit Hash Functions for Much Less than 2^n Work, EUROCRYPT
- Kelsey, Schneier, et al.
- 2005

Citation Context: ...es, i.e., messages that can be expanded without changing the chaining value. Later, Kelsey and Schneier have proposed the same ideas, while removing the assumption that fix-points can be easily found [10]. This improvement was achieved using Joux’s ideas for efficiently finding multi-collisions in iterative hash functions [8]. It is worth mentioning that the multicollision attack shows that the str...

13 | and Tadayoshi Kohno. Herding hash functions and the Nostradamus attack
- Kelsey
- 2006

Citation Context: ...(·) and h2(·) is only as secure as the more secure of the two functions (up to some small factor). The main pitfall of these attacks is the fact that the messages that collide are relatively long. In [9], Kelsey and Kohno showed that using a simple precomputation, it is possible to reduce the time requirements of pre-image attacks (in some sense) of relatively short messages, while keeping the time c...

6 | Breaking the ICE — Finding Multicollisions
- Hoch, Shamir
- 2006

Citation Context: ... on specific hash functions [18, 19, 20, 21]. Once a message is iterated more than once, it prevents the “natural” flow of all of these attacks. However, as first noted in [14], and later expanded in [7, 15], any expansion and iteration function, that has a constant rate, can be attacked by variants of the multi-collision attack. Thus, despite their much slower application, and the additional memory requ...

3 | Preneel, Thomas Shrimpton, Seven-Properties-Preserving Iterated Hashing
- Andreeva, Neven, et al.
- 2007

Citation Context: ... for constructions which require the pseudorandom properties of the hash function, e.g., in cases where the hash function is used in MACs. The last recent proposals for modes of iteration are the RMC [1] and ROX [2] by Andreeva et al. These two modes aim at preserving the collision resistance of the compression function, along with the second pre-image resistance (Sec) and the pre-image resistance (P...