## Salvaging Merkle-Damg˚ard for Practical Applications (2009)

Citations: | 20 - 2 self |

### BibTeX

@MISC{Dodis09salvagingmerkle-damg˚ard,

author = {Yevgeniy Dodis and Thomas Ristenpart and Thomas Shrimpton},

title = {Salvaging Merkle-Damg˚ard for Practical Applications},

year = {2009}

}

### OpenURL

### Abstract

Many cryptographic applications of hash functions are analyzed in the random oracle model. Unfortunately, most concrete hash functions, including the SHA family, use the iterative (strengthened) Merkle-Damg˚ard transform applied to a corresponding compression function. Moreover, it is well known that the resulting “structured ” hash function cannot be generically used as a random oracle, even if the compression function is assumed to be ideal. This leaves a large disconnect between theory and practice: although no attack is known for many concrete applications utilizing existing (Merkle-Damg˚ard based) hash functions, there is no security guarantee either, even by idealizing the compression function. Motivated by this question, we initiate a rigorous and modular study of developing new notions of (still idealized) hash functions which would be (a) natural and elegant; (b) sufficient for arguing security of important applications; and (c) provably met by the (strengthened) Merkle-Damg˚ard transform, applied to a “strong enough ” compression function. In particular, we show that a fixed-length compressing random oracle, as well as the currently used Davies-Meyer compression function (the latter analyzed in the ideal cipher model) are “strong enough ” for the two specific weakenings of the random oracle that we develop. These weaker notions, described below, are quite natural and should be interesting in their own right: • Preimage Aware Functions. Roughly, if an attacker found a “later useful ” output y of the function, then it must