## Analysis of Property-Preservation Capabilities of the ROX and ESh Hash Domain Extenders

### BibTeX

@MISC{Reyhanitabar_analysisof,

author = {Mohammad Reza Reyhanitabar and Willy Susilo and Yi Mu},

title = {Analysis of Property-Preservation Capabilities of the ROX and ESh Hash Domain Extenders},

year = {}

}

### OpenURL

### Abstract

Abstract. Two of the most recent and powerful multi-property-preserving (MPP) hash domain extension transforms are the Ramdom-Oracle-XOR (ROX) transform and the Enveloped Shoup (ESh) transform. The former was proposed by Andreeva et al. at ASIACRYPT 2007 and the latter was proposed by Bellare and Ristenpart at ICALP 2007. In the existing literature, ten notions of security for hash functions have been considered in analysis of MPP capabilities of domain extension transforms, namely CR, Sec, aSec, eSec (TCR), Pre, aPre, ePre, MAC, PRF, PRO. Andreeva et al. showed that ROX is able to preserve seven properties; namely collision resistance (CR), three flavors of second preimage resistance (Sec, aSec, eSec) and three variants of preimage resistance (Pre, aPre, ePre). Bellare and Ristenpart showed that ESh is capable of preserving five important security notions; namely CR, message authentication code (MAC), pseudorandom function (PRF), pseudorandom oracle (PRO), and target collision resistance (TCR). Nonetheless, there is no further study on these two MPP hash domain extension transforms with regard to the other properties. The aim of this paper is to fill this gap. Firstly, we show that ROX does not preserve two other widely-used and important security notions, namely MAC and PRO. We also show a positive result about ROX, namely that it also preserves PRF. Secondly, we show that ESh does not preserve other four properties, namely Sec, aSec, Pre, and aPre. On the positive side we show that ESh can preserve ePre property. Our results in this paper provide a full picture of the MPP capabilities of both ROX and ESh transforms by completing the property-preservation analysis of these transforms in regard to all ten security

### Citations

322 | Universal one-way hash functions and their cryptographic applications
- Naor, Yung
- 1989
(Show Context)
Citation Context ... Damg˚ard [8] to be a CR preserving transform. Bellare and Rogaway in [6] showed that strengthened MD, despite preserving CR property, is unable to preserve UOWHF property (put forth by Naor and Yung =-=[15]-=-) which is a weaker than CR property. They renamed UOWHF as target collision resistance (TCR) and provided four domain extension transforms for preserving the TCR property. Shoup in [17] provided a tr... |

312 | A Design Principle for Hash Functions - Damgård - 1989 |

187 | One Way Hash Functions and DES - Merkle - 1989 |

102 |
Collision-resistant hashing: Towards making UOWHFs practical
- Bellare, Rogaway
- 1997
(Show Context)
Citation Context ...ost well-known domain extension transform is the strengthened Merkle-Damg˚ard (MD) construction which was shown by Merkle [12] and Damg˚ard [8] to be a CR preserving transform. Bellare and Rogaway in =-=[6]-=- showed that strengthened MD, despite preserving CR property, is unable to preserve UOWHF property (put forth by Naor and Yung [15]) which is a weaker than CR property. They renamed UOWHF as target co... |

84 | Merkle-Damgård Revisited: How to Construct a Hash Function
- Coron, Dodis, et al.
- 2005
(Show Context)
Citation Context ...λ = 64 (in which case H is a VIL hash function). For instance, the strengthened-MD domain extension transform [12, 8, 3] yields to a VIL hash function while the Prefix-free domain extension transform =-=[7, 3]-=- yields to an AIL hash function. In practice the difference between being VIL or AIL hash function will not be of a concern as for typical value of λ = 64 almost all messages will have length less tha... |

83 | Cryptographic hash-function basics: definitions, implications and separations for preimage resistance, second-preimage resistance, and collision resistance
- Rogaway, Shrimpton
- 2004
(Show Context)
Citation Context ...ly transform among the twelve transforms investigated in [1] which is able to preserve seven security notions; namely CR, Sec, aSec, eSec, Pre, aPre, and ePre as put forth by Rogaway and Shrimpton in =-=[16]-=-. But unlike to other transforms, ROX “..., quite controversially, uses a random oracle in the iteration.” [1], although Andreeva et al. in [1] provide arguments justifying the merits of such a limite... |

76 | Indifferentiability, impossibility results on reductions, and applications to the random oracle methodology
- Maurer, Renner, et al.
- 2004
(Show Context)
Citation Context ... which means that if the compression function is modeled as a random oracle then the AIL hash function obtained by applying prefix-free MD transform will also be indifferentiable from a random oracle =-=[7, 11]-=-. A new line of research recently has been initiated by Bellare and Ristenpart in [4], and followed in several other works, e.g. [3, 1], with the aim of designing multi-property-preserving (MPP) domai... |

63 | Multi-property-preserving hash domain extension and the EMD transform
- Bellare, Ristenpart
- 2006
(Show Context)
Citation Context ...acle preservation for a hash function was first considered by Coron et al. in [7] using the indifferentiability framework of Maurer et al. in [11], and further studied in the following works, e.g. in =-=[4, 3]-=-. The definition for the dedicated-key setting that we consider in this paper, as shown in Fig. 1, is due to Bellare and Ristenpart [3]. PRO is defined formally as follows. Adversary A is given ‘oracl... |

60 | Strengthening digital signatures via randomized hashing
- Halevi, Krawczyk
- 2006
(Show Context)
Citation Context ...enario where one proves that the VIL hash function has property P if its underlying compression function satisfies a different property P ′ , e.g. [18], or a collection of different assumptions, e.g. =-=[10, 9]-=-.Analysis of Property-Preservation Capabilities of the ROX and ESh 15 5 Conclusion In this paper, we analyzed two recently proposed MPP hash domain extension transforms, namely the Random-Oracle-XOR ... |

47 | A composition theorem for universal one-way hash functions
- Shoup
- 2000
(Show Context)
Citation Context ...Naor and Yung [15]) which is a weaker than CR property. They renamed UOWHF as target collision resistance (TCR) and provided four domain extension transforms for preserving the TCR property. Shoup in =-=[17]-=- provided a transform (improving XLH transform of Bellare-Rogaway in [6]), which is shown to be UOWHF and CR preserving. Mironov [14] showed that Shoup’s transform is optimal from key expansion viewpo... |

16 | Hash functions: from Merkle-Damg˚ard to Shoup
- Mironov
- 2001
(Show Context)
Citation Context ...ain extension transforms for preserving the TCR property. Shoup in [17] provided a transform (improving XLH transform of Bellare-Rogaway in [6]), which is shown to be UOWHF and CR preserving. Mironov =-=[14]-=- showed that Shoup’s transform is optimal from key expansion viewpoint among masking based serial transforms for TCR preservation. Coron et al. [7] introduced the notion of random oracle preservation ... |

13 |
SevenProperty-Preserving Iterated Hashing
- Andreeva, Neven, et al.
- 2007
(Show Context)
Citation Context ...MD transform will also be indifferentiable from a random oracle [7, 11]. A new line of research recently has been initiated by Bellare and Ristenpart in [4], and followed in several other works, e.g. =-=[3, 1]-=-, with the aim of designing multi-property-preserving (MPP) domain extension transforms. An MPP transform is capable of preserving multiple security properties simultaneously while extending the domai... |

13 | Hash Functions in the Dedicated-Key Setting: Design Choices and MPP Transforms
- Bellare, Ristenpart
- 2007
(Show Context)
Citation Context ...ble length messages to a fixed length output hash value. In the second setting, a hash function is considered as a family of functions H : K×M → {0, 1} n , also called a “dedicated-key hash function” =-=[3]-=-, indexed by a key space K. The exact role of the hash function key is application-dependent; it can be a public parameter, e.g. when the hash function is used in a digital signature, or a secret key ... |

4 | Getting the Best Out of Existing Hash Functions or What if We Are Stuck with
- Dodis, Puniya
- 2008
(Show Context)
Citation Context ...enario where one proves that the VIL hash function has property P if its underlying compression function satisfies a different property P ′ , e.g. [18], or a collection of different assumptions, e.g. =-=[10, 9]-=-.Analysis of Property-Preservation Capabilities of the ROX and ESh 15 5 Conclusion In this paper, we analyzed two recently proposed MPP hash domain extension transforms, namely the Random-Oracle-XOR ... |

4 | Collision-Resistant No More: Hash-and-Sign Paradigm Revisited”, Public Key Cryptography 2006 - Mironov |

4 |
How to Fill Up Merkle-Damg˚ard Hash Function
- Yasuda
- 2008
(Show Context)
Citation Context ...fies the same property P. This is different from a scenario where one proves that the VIL hash function has property P if its underlying compression function satisfies a different property P ′ , e.g. =-=[18]-=-, or a collection of different assumptions, e.g. [10, 9].Analysis of Property-Preservation Capabilities of the ROX and ESh 15 5 Conclusion In this paper, we analyzed two recently proposed MPP hash do... |

3 | A Three-Property-Secure Hash Function
- Andreeva, Preneel
- 2009
(Show Context)
Citation Context ...ies, namely; Pre, aPre, Sec, and aSec are not preserved by ESh. It appears to be a crux to preserve these four properties (simultaneously) in the standard model. Sec. Andreeva and Preneel in SAC 2008 =-=[2]-=- proposed a keyed transform to extend the domain of a keyless compression function. The proposed transform yields to a dedicated-key VIL hash function which is CR and Sec secure (where CR and Sec noti... |