## A Modular Design for Hash Functions: Towards Making the Mix-Compress-Mix Approach Practical (2009)

Citations: | 2 - 0 self |

### BibTeX

@MISC{Lehmann09amodular,

author = {Anja Lehmann and Stefano Tessaro},

title = {A Modular Design for Hash Functions: Towards Making the Mix-Compress-Mix Approach Practical},

year = {2009}

}

### OpenURL

### Abstract

The design of cryptographic hash functions is a very complex and failure-prone process. For this reason, this paper puts forward a completely modular and fault-tolerant approach to the construction of a full-fledged hash function from an underlying simpler hash function H and a further primitive F (such as a block cipher), with the property that collision resistance of the construction only relies on H, whereas indifferentiability from a random oracle follows from F being ideal. In particular, the failure of one of the two components must not affect the security property implied by the other component. The Mix-Compress-Mix (MCM) approach by Ristenpart and Shrimpton (ASIACRYPT 2007) envelops the hash function H between two injective mixing steps, and can be interpreted as a first attempt at such a design. However, the proposed instantiation of the mixing steps, based on block ciphers, makes the resulting hash function impractical: First, it cannot be evaluated online, and second, it produces larger hash values than H, while only inheriting the collision-resistance guarantees for the shorter output. Additionally, it relies on a trapdoor one-way permutation, which seriously compromises the use of the resulting hash function for random oracle instantiation in certain scenarios. This paper presents the first efficient modular hash function with online evaluation and short output length. The core of our approach are novel block-cipher based designs for the mixing steps of the MCM approach which rely on significantly weaker assumptions: The first mixing step is realized without any computational assumptions (besides the underlying cipher being ideal), whereas the second mixing step only requires a oneway permutation without a trapdoor, which we prove to be the minimal assumption for the construction of injective random oracles.

### Citations

1425 | Random Oracles are Practical: A Paradigm for Designing Efficient
- Bellare, Rogaway
- 1993
(Show Context)
Citation Context ...rms of collision resistance, other schemes, including practical ones such as OAEP [4, 15] and PSS [5], are only proven secure under the assumption that the underlying hash function is a random oracle =-=[3]-=-, i.e., a truly random function which can be evaluated by the adversary. On the one hand, while a number of provably-secure collision-resistant hash functions, such as VSH [9] or SWIFFT [18], have bee... |

352 | The exact security of digital signatures — how to sign with RSA and Rabin
- Bellare, Rogaway
- 1996
(Show Context)
Citation Context ...verse: While some schemes only assume relatively simple properties such as one-wayness or different forms of collision resistance, other schemes, including practical ones such as OAEP [4, 15] and PSS =-=[5]-=-, are only proven secure under the assumption that the underlying hash function is a random oracle [3], i.e., a truly random function which can be evaluated by the adversary. On the one hand, while a ... |

312 |
A Design Principle for Hash Functions
- Damgård
- 1989
(Show Context)
Citation Context ...the combination of two facts: (i) The mapping x ↦→ H(M1(x)) is preimage aware 7 under the same 6 Most hash functions rely on some iterated (and thus inherently online) design, such as Merkle-Damg˚ard =-=[11, 21]-=-, or sponges [6]. 7 Informally, a construction C F based on an ideal primitive F is preimage aware if there exists an algorithm – called the preimage extractor – which given the inputoutput history of... |

257 | The Random Oracle Methodology, Revisited
- Canetti, Goldreich, et al.
- 1998
(Show Context)
Citation Context ...esistant hash functions, such as VSH [9] or SWIFFT [18], have been designed, they are not appropriate candidates for random oracle instantiation. On the other hand, well-known theoretical limitations =-=[8, 19]-=- only permit constructions of hash functions for random oracle instantiation from idealized primitives [10], such as a fixed-input-length random oracle or an ideal cipher, 3 but (as first pointed out ... |

216 | Optimal asymmetric encryption – How to encrypt with RSA
- BELLARE, ROGAWAY
(Show Context)
Citation Context ... on them very diverse: While some schemes only assume relatively simple properties such as one-wayness or different forms of collision resistance, other schemes, including practical ones such as OAEP =-=[4, 15]-=- and PSS [5], are only proven secure under the assumption that the underlying hash function is a random oracle [3], i.e., a truly random function which can be evaluated by the adversary. On the one ha... |

187 |
One Way Hash Functions and DES
- Merkle
- 1989
(Show Context)
Citation Context ...the combination of two facts: (i) The mapping x ↦→ H(M1(x)) is preimage aware 7 under the same 6 Most hash functions rely on some iterated (and thus inherently online) design, such as Merkle-Damg˚ard =-=[11, 21]-=-, or sponges [6]. 7 Informally, a construction C F based on an ideal primitive F is preimage aware if there exists an algorithm – called the preimage extractor – which given the inputoutput history of... |

136 | RSA-OAEP is secure under the RSA assumption
- Fujisaki, Okamoto, et al.
- 2001
(Show Context)
Citation Context ... on them very diverse: While some schemes only assume relatively simple properties such as one-wayness or different forms of collision resistance, other schemes, including practical ones such as OAEP =-=[4, 15]-=- and PSS [5], are only proven secure under the assumption that the underlying hash function is a random oracle [3], i.e., a truly random function which can be evaluated by the adversary. On the one ha... |

84 | Merkle-Damgård Revisited: How to Construct a Hash Function
- Coron, Dodis, et al.
- 2005
(Show Context)
Citation Context ...es for random oracle instantiation. On the other hand, well-known theoretical limitations [8, 19] only permit constructions of hash functions for random oracle instantiation from idealized primitives =-=[10]-=-, such as a fixed-input-length random oracle or an ideal cipher, 3 but (as first pointed out in [2]) these constructions may lose any security guarantees as soon as the adversary gets to exploit non-i... |

76 | Indifferentiability, impossibility results on reductions, and applications to the random oracle methodology
- Maurer, Renner, et al.
- 2004
(Show Context)
Citation Context ...esistant hash functions, such as VSH [9] or SWIFFT [18], have been designed, they are not appropriate candidates for random oracle instantiation. On the other hand, well-known theoretical limitations =-=[8, 19]-=- only permit constructions of hash functions for random oracle instantiation from idealized primitives [10], such as a fixed-input-length random oracle or an ideal cipher, 3 but (as first pointed out ... |

75 | A tweakable enciphering mode
- Halevi, Rogaway
- 2003
(Show Context)
Citation Context ...extension of P, while we additionally want to ensure injectivity of the resulting construction. The problem is similar in spirit to the one considered in the private-key setting by Halevi and Rogaway =-=[16]-=-, even though the peculiarities of the public setting make constructions far more challenging. 15 The ESS-Construction. We present a construction – called ESS – for the case m = 2n that relies on six ... |

54 | On Deniabililty in the Common Reference String and Random Oracle Model
- Pass
(Show Context)
Citation Context ...tional guarantees of protocols using the MCM approach (with the TE-construction) to instantiate a random oracle are affected, as properties such as deniability may be lost (cf. e.g. the works by Pass =-=[22]-=- and by Canetti et al. [7]). These observations give rise to a number of challenging open questions. Can we instantiate the first mixing stage of MCM with a weaker primitive which allows for online pr... |

40 | Universally Composable Security with Global Setup
- Canetti, Dodis, et al.
(Show Context)
Citation Context ...ols using the MCM approach (with the TE-construction) to instantiate a random oracle are affected, as properties such as deniability may be lost (cf. e.g. the works by Pass [22] and by Canetti et al. =-=[7]-=-). These observations give rise to a number of challenging open questions. Can we instantiate the first mixing stage of MCM with a weaker primitive which allows for online processing? Can we instantia... |

31 | SWIFFT: A modest proposal for FFT hashing
- Lyubashevsky, Micciancio, et al.
- 2008
(Show Context)
Citation Context ...dom oracle [3], i.e., a truly random function which can be evaluated by the adversary. On the one hand, while a number of provably-secure collision-resistant hash functions, such as VSH [9] or SWIFFT =-=[18]-=-, have been designed, they are not appropriate candidates for random oracle instantiation. On the other hand, well-known theoretical limitations [8, 19] only permit constructions of hash functions for... |

22 | Salvaging Merkle-Damg̊ard for Practical Applications
- Dodis, Ristenpart, et al.
- 2009
(Show Context)
Citation Context ...s a random (|x| + τi)-bit string for each input x ∈ {0, 1} ∗ that differs from all previously returned values with the same length) and H is collision resistant and sufficiently regular. Dodis et al. =-=[12]-=- subsequently interpreted this result as the combination of two facts: (i) The mapping x ↦→ H(M1(x)) is preimage aware 7 under the same 6 Most hash functions rely on some iterated (and thus inherently... |

17 | Building a collision-resistant compression function from non-compressing primitives
- Shrimpton, Stam
- 2008
(Show Context)
Citation Context ...This motivates the question of extending the input/output size of random permutation oracles: In Section 4.2, we present constructions (which are reminiscent of the ShrimptonStam compression function =-=[25]-=-) for extending every n to n bits RPO into a γ · n bits to γ · n bits RPO for any fixed γ > 1. In the full version we further show that in order to construct injective ROs the assumption of a one-way ... |

13 |
SevenProperty-Preserving Iterated Hashing
- Andreeva, Neven, et al.
- 2007
(Show Context)
Citation Context ...for the design of a single hash function satisfying as many properties as possible. This point of view has also been adopted by NIST’s on-going SHA-3 competition [17], and motivated a series of works =-=[2, 1]-=- shifting the design problem of multi-property hash functions to the task of constructing good multiproperty compression functions. A further line of research has been devoted to robust multi-property... |

13 | VSH, an efficient and provable collision-resistant hash function
- Contini, Lenstra, et al.
(Show Context)
Citation Context ...ction is a random oracle [3], i.e., a truly random function which can be evaluated by the adversary. On the one hand, while a number of provably-secure collision-resistant hash functions, such as VSH =-=[9]-=- or SWIFFT [18], have been designed, they are not appropriate candidates for random oracle instantiation. On the other hand, well-known theoretical limitations [8, 19] only permit constructions of has... |

12 | How to build a hash function from any collision-resistant function
- Ristenpart, Shrimpton
- 2007
(Show Context)
Citation Context ... a setting where both a hash function H as well as some other (potentially ideal) primitive F (such as a block cipher) are given (a similar setup was previously considered by Ristenpart and Shrimpton =-=[23]-=-): We aim at devising a construction C H,F which is collision resistant as long as H is collision resistant, 5 and which behaves as a random oracle (with respect to the notion of indifferentiability [... |

9 | Domain extension of public random functions: Beyond the birthday barrier
- Maurer, Tessaro
- 2007
(Show Context)
Citation Context ...1} m → {0, 1} ℓ for all ℓ < m from length-preserving random oracles which is indifferentiable from a random oracle from m bits to ℓ bits, a problem which has recently received much interest (cf. e.g. =-=[20, 25]-=-). On top of this, injectivity is an extra design challenge.that ESS implements a permutation: Given output y1‖y2, the first input-half m1 is retrieved by computing z := P −1 6 (y2), m1 := z ⊕ P −1 5... |

6 | Robust multi-property combiners for hash functions revisited
- Fischlin, Lehmann, et al.
- 2008
(Show Context)
Citation Context ...s paper) also fits within the framework of [23], while the solution proposed in [23] also satisfies stronger requirements, as discussed below. We also remark that using the multi-property combiner of =-=[14]-=- one can combine a random oracle (built from F ) and H into a hash function that provably observes both properties. However, as combiners inherently do not exploit the knowledge of which one of both f... |

3 |
Multi-property preserving hash domain extensions and the EMD transform
- Bellare, Ristenpart
- 2006
(Show Context)
Citation Context ...ly permit constructions of hash functions for random oracle instantiation from idealized primitives [10], such as a fixed-input-length random oracle or an ideal cipher, 3 but (as first pointed out in =-=[2]-=-) these constructions may lose any security guarantees as soon as the adversary gets to exploit non-ideal properties of the underlying primitive. 4 While one could in principle always employ a suitabl... |

3 |
Multi-Property Preserving Combiners for Hash Functions
- Fischlin, Lehmann
- 2008
(Show Context)
Citation Context ...he design problem of multi-property hash functions to the task of constructing good multiproperty compression functions. A further line of research has been devoted to robust multi-property combiners =-=[13]-=-, which merge two hash functions such that the resulting function satisfies each of the properties possessed by at least one of the two starting functions. While these works simplify the design task, ... |

1 |
Formalizing human ignorance,” in Vietcrypt 2006
- Rogaway
- 2006
(Show Context)
Citation Context ...versary A is Adv cr H(A) := P[k $ ← K, (M, M ′ ) $ ← A(k) : M ̸= M ′ ∧ Hk(M) = Hk(M ′ )] The notion naturally extends to keyless hash functions (which can be considered in the same spirit proposed in =-=[24]-=-) and to constructions from some ideal primitive F (where A is additionally given access to F). The MCM-Construction. For a hash function H : {0, 1} ∗ → {0, 1} h , and injective maps M1 : {0, 1} ∗ → {... |