## Do broken hash functions affect the security of time-stamping schemes (2006)

Venue: In Proc. of ACNS’06, LNCS 3989

Citations: 7 - 3 self

### BibTeX

```
@INPROCEEDINGS{Buldas06dobroken,
  author = {Ahto Buldas and Sven Laur},
  title = {Do broken hash functions affect the security of time-stamping schemes},
  booktitle = {In Proc. of ACNS’06, LNCS 3989},
  year = {2006},
  pages = {50--65}
}
```

### Abstract

Abstract. We study the influence of collision-finding attacks on the security of time-stamping schemes. We distinguish between client-side hash functions used to shorten the documents before sending them to time-stamping servers and server-side hash functions used for establishing one way causal relations between time stamps. We derive necessary and sufficient conditions for client side hash functions and show by using explicit separation techniques that neither collision-resistance nor 2nd preimage resistance is necessary for secure time-stamping. Moreover, we show that server side hash functions can even be not one-way. Hence, it is impossible by using black-box techniques to transform collision-finders into wrappers that break the corresponding time-stamping schemes. Each such wrapper should analyze the structure of the hash function. However, these separations do not necessarily hold for more specific classes of hash functions. Considering this, we take a more detailed look at the structure of practical hash functions by studying the Merkle-Damgård (MD) hash functions. We show that attacks, which are able to find collisions for MD hash functions with respect to randomly chosen initial states, also violate the necessary security conditions for client-side hash functions. This does not contradict the black-box separations results because the MD structure is already a deviation from the black-box setting. As a practical consequence, MD5, SHA-0, and RIPEMD are no more recommended to use as client-side hash functions in time-stamping. However, there is still no evidence against using MD5 (or even MD4) as server-side hash functions.

### Citations

215 | How to Break MD5 and Other Hash Functions
- Wang, Yu
- 2005

Citation Context: ...possibly neither sufficient nor necessary in the context of particular practical applications. Recent success in finding collisions for practical hash functions (MD4, MD5, RIPEMD, SHA-0) by Wang et al [16, 17, 19] and later improvements [12, 18, 9, 10] raise an important question: For which practical implementations are the collisions a real threat? Modifications in software are always expensive and it would c...

93 | Multicollisions in Iterated Hash Functions. Application to Cascaded Constructions - Joux - 2004

75 | Cryptographic hash-function basics: Definitions, implications, and separations for preimage resistance, second-preimage resistance, and collision resistance
- Rogaway, Shrimpton
- 2004

Citation Context: ... more attention. For example, Ross Anderson [1] listed several “freedom properties” (different from collision-freedom) arising from cryptographic constructions and applications. Rogaway and Shrimpton [13] presented an exhaustive study about “classical” security properties of hash functions and their mutual relationships. Hsiao and Reyzin [7] pointed out a fundamental difference between so-called publi...

72 | Finding collisions on a one-way street: Can secure hash functions be based on general assumptions
- Simon
- 1998

Citation Context: ...chievable. Recent results suggest that the former situation could be very likely. We conjecture that even in such a situation, secure time-stamping is still possible. Analogous to the result by Simon [14], this can probably be proven via oracle separation by constructing an oracle that provides access to a universal collision-finder but relative to which secure time-stamping schemes still exist.Refer...

51 | Efficient Collision Search Attacks on SHA-0
- Wang, Yu, et al.
- 2005

Citation Context: ...possibly neither sufficient nor necessary in the context of particular practical applications. Recent success in finding collisions for practical hash functions (MD4, MD5, RIPEMD, SHA-0) by Wang et al [16, 17, 19] and later improvements [12, 18, 9, 10] raise an important question: For which practical implementations are the collisions a real threat? Modifications in software are always expensive and it would c...

29 | Finding MD5 Collisions on a Notebook PC Using Multi-message Modifications, Cryptology ePrint Archive, Report 2005/102
- Klima
- 2005

Citation Context: ...ssary in the context of particular practical applications. Recent success in finding collisions for practical hash functions (MD4, MD5, RIPEMD, SHA-0) by Wang et al [16, 17, 19] and later improvements [12, 18, 9, 10] raise an important question: For which practical implementations are the collisions a real threat? Modifications in software are always expensive and it would clearly not be economical to replace has...

24 | The classification of hash functions
- Anderson
- 1993

Citation Context: ...e birth of the first practical hash functions, it was pointed out that the specific security properties as well as their mutual relationships should deserve more attention. For example, Ross Anderson [1] listed several “freedom properties” (different from collision-freedom) arising from cryptographic constructions and applications. Rogaway and Shrimpton [13] presented an exhaustive study about “class...

23 | Update on SHA-1
- Rijmen, Oswald
- 2005

Citation Context: ...ssary in the context of particular practical applications. Recent success in finding collisions for practical hash functions (MD4, MD5, RIPEMD, SHA-0) by Wang et al [16, 17, 19] and later improvements [12, 18, 9, 10] raise an important question: For which practical implementations are the collisions a real threat? Modifications in software are always expensive and it would clearly not be economical to replace has...

22 | Finding Collisions on a Public Road, or Do Secure Hash Functions Need Secret Coins
- Hsiao, Reyzin
- 2004

Citation Context: ...aphic constructions and applications. Rogaway and Shrimpton [13] presented an exhaustive study about “classical” security properties of hash functions and their mutual relationships. Hsiao and Reyzin [7] pointed out a fundamental difference between so-called public-coin hash functions and secret-coin hash functions by showing that the former cannot be constructed from the latter in a black-box way. I...

11 | Finding MD5 collisions a toy for a notebook, Cryptology ePrint Archive: Report 2005/075
- Klima
- 2005

Citation Context: ...ssary in the context of particular practical applications. Recent success in finding collisions for practical hash functions (MD4, MD5, RIPEMD, SHA-0) by Wang et al [16, 17, 19] and later improvements [12, 18, 9, 10] raise an important question: For which practical implementations are the collisions a real threat? Modifications in software are always expensive and it would clearly not be economical to replace has...

7 | Universally Composable Time-Stamping Schemes with Audit
- Laud

Citation Context: ...uPre. Obviously, (A′₁, A′₂) breaks h in terms of sChain with success ε(k). □ 5 Unpredictability Preservation vs 2nd Preimage Resistance It is known that every collision-resistant function is uPre [5]. However, it turns out that 2nd preimage resistance does not imply uPre and vice versa, which means that client-side hash functions need not be 2nd preimage resistant. Theorem 3. If uPre hash function...

6 | Stornetta Secure Names for Bit–Strings - Haber, S - 1997

5 | W.-Scott Stornetta. Improving the efficiency and reliability of digital time-stamping
- Bayer, Haber
- 1993

Citation Context: ...sed are universally one-way, which is a weaker property than collision resistance. Time-stamping schemes use hash functions for two different goals: (1) to shorten the messages on the client side and (2) create one-way temporal (causal) relationships on the server side. Hence, it is natural to think that the client-side hash function and the server-side hash function have different security requireme...