## Constructing an Ideal Hash Function from Weak Ideal Compression Functions (2006)

Venue: In Selected Areas in Cryptography, Lecture Notes in Computer Science

Citations: 9 - 0 self

### BibTeX

```bibtex
@INPROCEEDINGS{Liskov06constructingan,
    author = {Moses Liskov},
    title = {Constructing an Ideal Hash Function from Weak Ideal Compression Functions},
    booktitle = {In Selected Areas in Cryptography, Lecture Notes in Computer Science},
    year = {2006},
    pages = {358--375},
    publisher = {Springer}
}
```

### Abstract

We introduce the notion of a weak ideal compression function, which is vulnerable to strong forms of attack, but is otherwise random. We show that such weak ideal compression functions can be used to create secure hash functions, thereby giving a design that can be used to eliminate attacks caused by undesirable properties of compression functions. We prove that the construction we give, which we call the “zipper hash,” is ideal in the sense that the overall hash function is indistinguishable from a random oracle when implemented with these weak ideal building blocks. The zipper hash function is relatively simple, requiring two compression function evaluations per block of input, but it is not streamable. We also show how to create an ideal (strong) compression function from ideal weak compression functions, which can be used in the standard iterated way to make a streamable hash function.

Keywords: Hash function, compression function, Merkle-Damgård, ideal primitives, non-streamable hash functions, zipper hash.

### Citations

349 | A certified digital signature
- Merkle
- 1989

Citation Context: ..., which take input of a particular size and produce output of a reduced size, than a full hash function directly. It is common practice to follow the basic concept of the Merkle-Damgård construction [6, 14]: composing a compression function with itself, each time incorporating a block of the message, until the entire message is processed. If f is the compression function and x is an input divisible into...

309 | A design principle for hash functions
- Damgård
- 1989

Citation Context: ..., which take input of a particular size and produce output of a reduced size, than a full hash function directly. It is common practice to follow the basic concept of the Merkle-Damgård construction [6, 14]: composing a compression function with itself, each time incorporating a block of the message, until the entire message is processed. If f is the compression function and x is an input divisible into...

248 | How to break MD5 and other hash functions
- Wang, Yu
- 2005

Citation Context: ...unctions, zipper hash. 1 Introduction The design of hash functions is a long-studied problem that has become recently more relevant because of significant attacks against commonly-used hash functions [22, 20, 21, 19, 1]. It is much easier to create collision functions, which take input of a particular size and produce output of a reduced size, than a full hash function directly. It is common practice to follow the b...

194 | Finding collisions in the full SHA-1
- Wang, Yin, et al.
- 2005

Citation Context: ...unctions, zipper hash. 1 Introduction The design of hash functions is a long-studied problem that has become recently more relevant because of significant attacks against commonly-used hash functions [22, 20, 21, 19, 1]. It is much easier to create collision functions, which take input of a particular size and produce output of a reduced size, than a full hash function directly. It is common practice to follow the b...

126 | Analysis and design of cryptographic hash functions
- Preneel
- 1993

Citation Context: ... strings z, H(x||z) = H(y||z) is another collision. Merkle-Damgård strengthening does not solve this problem completely, since the attack still works if |x| = |y| and z contains the correct padding. [16, 13] – Joux multicollision attack [10]. It is easier than expected to find multicollisions: that is, a set of many distinct inputs that all hash to the same value. For a generic hash function, finding a t...

112 | Black-Box Analysis of the Block-Cipher-Based Hash-Function Constructions from PGV
- Black, Rogaway, et al.
- 2002

Citation Context: ...ble from a random oracle when implemented with ideal components. Assuming individual components to be ideal has been established as a reasonable model for the analysis of hash functions for some time [2]. The work of Coron et al. has set a higher standard for hash functions analyzed on the basis of ideal primitives, and we aspire to that standard. Second, Lucks only attempts to make a hash function r...

102 | Multicollisions in iterated hash functions. Application to cascaded constructions
- Joux
- 2004

Citation Context: ...er collision. Merkle-Damgård strengthening does not solve this problem completely, since the attack still works if |x| = |y| and z contains the correct padding. [16, 13] – Joux multicollision attack [10]. It is easier than expected to find multicollisions: that is, a set of many distinct inputs that all hash to the same value. For a generic hash function, finding a t-way collision should require hashi...

57 | Efficient collision search attacks on SHA-0
- Wang, Yu, et al.
- 2005

Citation Context: ...unctions, zipper hash. 1 Introduction The design of hash functions is a long-studied problem that has become recently more relevant because of significant attacks against commonly-used hash functions [22, 20, 21, 19, 1]. It is much easier to create collision functions, which take input of a particular size and produce output of a reduced size, than a full hash function directly. It is common practice to follow the b...

50 | Formal Aspects of Mobile Code Security
- Dean
- 1999

Citation Context: ...at can be chained together (by a brute force birthday attack). Once we have r such collisions, we can generate a 2^r-way collision by choosing one input for each colliding pair. – Fixed-point attack [12, 7]. The goal here is to come up with a second preimage for one of a set of known messages. If the target set is of size 2^t, it is easy to see that a second preimage can be found in a generic attack in...

47 | Second Preimages on n-bit Hash Functions for Much Less than 2^n Work
- 2005

Citation Context: ...at can be chained together (by a brute force birthday attack). Once we have r such collisions, we can generate a 2^r-way collision by choosing one input for each colliding pair. – Fixed-point attack [12, 7]. The goal here is to come up with a second preimage for one of a set of known messages. If the target set is of size 2^t, it is easy to see that a second preimage can be found in a generic attack in...

43 | A failure-friendly design principle for hash functions
- Lucks
- 2005

Citation Context: ... strings z, H(x||z) = H(y||z) is another collision. Merkle-Damgård strengthening does not solve this problem completely, since the attack still works if |x| = |y| and z contains the correct padding. [16, 13] – Joux multicollision attack [10]. It is easier than expected to find multicollisions: that is, a set of many distinct inputs that all hash to the same value. For a generic hash function, finding a t...

28 | Herding hash functions and the Nostradamus attack
- Kohno, Kelsey
- 2006

Citation Context: ...ints are used to circumvent Merkle-Damgård strengthening; with fixed points, one can build “expandable messages,” which let us recover a second preimage of the correct length. – The “herding” attack [11]. This is an attack against the use of a hash function for commitments. The idea is to find a 2^t-way collision at a value H(x), and then find a preimage of a commitment H(x) that starts with an arbi...

11 | Breaking the ice - finding multicollisions in iterated concatenated and expanded (ice) hash functions
- Hoch, Shamir
- 2006

Citation Context: ...inst that many queries. As another example, our construction does not provide security against multicollisions: in fact, it fits a known framework in which an extension of the Joux attack is possible [15, 9]. Nonetheless, keep in mind that the queries the adversary is allowed to make in attacking the zipper hash include attack queries, which are modeled as if they are trivial, but may in fact require sig...

6 | Multicollision attacks on a class of hash functions. Cryptology ePrint Archive, Report 2004/330
- Nandi, Stinson
- 2004

Citation Context: ...inst that many queries. As another example, our construction does not provide security against multicollisions: in fact, it fits a known framework in which an extension of the Joux attack is possible [15, 9]. Nonetheless, keep in mind that the queries the adversary is allowed to make in attacking the zipper hash include attack queries, which are modeled as if they are trivial, but may in fact require sig...

2 | Merkle-Damgård revisited: how to construct a hash function
- Coron, Dodis, et al.

Citation Context: ...ecure even when the compression functions on which they are based can be attacked. We seek to improve on the work of Lucks in two ways. First, following the work of Coron, Dodis, Malinaud, and Puniya [4], we will prove that our construction is not only collision-resistant, but in fact indistinguishable from a random oracle, assuming the building blocks are ideal. Coron et al. show that the basic Merk...

2 | Hash functions: past, present and future
- Preneel
- 2005

Citation Context: ...we make better constructions, or prove stronger security results, by representing our compression functions as ideal random quasigroups? Acknowledgements We would like to sincerely thank Bart Preneel [17] and Stefan Lucks [13] for their Asiacrypt 2005 presentations which inspired this research. We would also like to thank those with whom we had useful conversations concerning this project: Ron Rivest,...