## Universal One-Way Hash Functions and their Cryptographic Applications (1989)

### Cached

### Download Links

- [www.wisdom.weizmann.ac.il]
- [www.wisdom.weizmann.ac.il]
- DBLP

### Other Repositories/Bibliography

Citations: | 313 - 13 self |

### BibTeX

@INPROCEEDINGS{Naor89universalone-way,

author = {Moni Naor and Moti Yung},

title = {Universal One-Way Hash Functions and their Cryptographic Applications},

booktitle = {},

year = {1989},

pages = {33--43}

}

### Years of Citing Articles

### OpenURL

### Abstract

We define a Universal One-Way Hash Function family, a new primitive which enables the compression of elements in the function domain. The main property of this primitive is that given an element x in the domain, it is computationally hard to find a different domain element which collides with x. We prove constructively that universal one-way hash functions exist if any 1-1 one-way functions exist. Among the various applications of the primitive is a One-Way based Secure Digital Signature Scheme which is existentially secure against adoptive attacks. Previously, all provably secure signature schemes were based on the stronger mathematical assumption that trapdoor one-way functions exist. Key words. cryptography, randomized algorithms AMS subject classifications. 68M10, 68Q20, 68Q22, 68R05, 68R10 Part of this work was done while the authors were at the IBM Almaden Research Center. The first author was supported in part by NSF grant CCR-88 13632. A preliminary version of this work app...

### Citations

2912 | L.: A method for obtaining digital signatures and public-key cryptosystems
- Rivest, Shamir, et al.
- 1978
(Show Context)
Citation Context ...ted the research program of basing cryptographic primitives on general assumptions. 1 Examples of cryptographic primitives (in addition to the new one mentioned above) are: (a) secure message sending =-=[6, 31, 30, 13]-=-, (b) cryptographically secure pseudo-random generation [33, 2], and (c) general zero-knowledge interactive proofs [14]. In recent years, all these primitives have been constructed under formal genera... |

2714 | New directions in cryptography, in
- Diffie, Hellman
(Show Context)
Citation Context ...sm and it enriches the choice of candidates for underlying mathematical tools for implementations. Therefore, general assumptions are appealing to both theorists and practitioners. Diffie and Hellman =-=[6]-=-, who initiated public-key cryptography in 1976, suggested the general tools of one-way functions and one-way trapdoor functions. Basically, a function F is one-way if for a random x, given F (x) it i... |

1178 |
Probabilistic encryption
- Goldwasser, Micali
- 1984
(Show Context)
Citation Context ...ted the research program of basing cryptographic primitives on general assumptions. 1 Examples of cryptographic primitives (in addition to the new one mentioned above) are: (a) secure message sending =-=[6, 31, 30, 13]-=-, (b) cryptographically secure pseudo-random generation [33, 2], and (c) general zero-knowledge interactive proofs [14]. In recent years, all these primitives have been constructed under formal genera... |

1041 | Knowledge Complexity of Interactive Proof Systems
- Goldwasser, Rackoff
- 1989
(Show Context)
Citation Context ...ition to the new one mentioned above) are: (a) secure message sending [6, 31, 30, 13], (b) cryptographically secure pseudo-random generation [33, 2], and (c) general zero-knowledge interactive proofs =-=[14]-=-. In recent years, all these primitives have been constructed under formal general assumptions: message sending on trapdoor one-way functions [35, 17], pseudo random bit generator [35, 22, 11, 17], an... |

831 | How to prove yourself: Practical solutions to identification and signature problems
- Fiat, Shamir
- 1986
(Show Context)
Citation Context ...stem is provably secure. Two signature schemes not based on trapdoor functions were suggested previously, however neither of them was proved secure, even in the weakest sense of [15]: Fiat and Shamir =-=[8] suggested-=- a method on converting zero knowledge proofs for identification into efficient signatures schemes. Merkle [23] provided a pragmatic signature scheme based on any "encryption function". Our ... |

668 |
Universal classes of hash functions
- Carter, Wegman
- 1977
(Show Context)
Citation Context ...g k and A's internal random choices. We will first assume that we have a one-way permutation f . The source of the compression will be a family of strongly universal hash functions. Carter and Wegman =-=[34, 4]-=- defined strongly universal 2 functions as a family of functions G where g : C 7! B for all g 2 G if for every pair of inputs (a 1 ; a 2 ) and pair of outputs (b 1 ; b 2 ), the number of functions tha... |

628 |
How to construct random functions
- Goldreich, Goldwasser, et al.
- 1986
(Show Context)
Citation Context ... d children. If k is the value of the security parameter and t messages have been signed so far, then the length of a signature in such a system is O(k 2 log d t). 11 Using pseudo-random functions of =-=[10] we can ma-=-ke our scheme "memoryless", in the sense that the signer need not remember the messages that he has signed or even their number. In particular many (authorized) signers can exist simultaneou... |

604 |
How to generate cryptographically strong sequences of pseudorandom bits
- Blum, Micali
- 1984
(Show Context)
Citation Context ...assumptions. 1 Examples of cryptographic primitives (in addition to the new one mentioned above) are: (a) secure message sending [6, 31, 30, 13], (b) cryptographically secure pseudo-random generation =-=[33, 2]-=-, and (c) general zero-knowledge interactive proofs [14]. In recent years, all these primitives have been constructed under formal general assumptions: message sending on trapdoor one-way functions [3... |

516 |
Theory and applications of trapdoor functions
- Yao
- 1982
(Show Context)
Citation Context ...)) = x and the knowledge of D enables easy inversion. The idea of Diffie and Hellman has since been formalized, and proof techniques based on complexity theory have been developed. In particular, Yao =-=[35]-=- has initiated the research program of basing cryptographic primitives on general assumptions. 1 Examples of cryptographic primitives (in addition to the new one mentioned above) are: (a) secure messa... |

248 | New directions in cryptography - e, Hellman - 1976 |

234 | Bit Commitment Using Pseudorandomness
- Naor
- 1991
(Show Context)
Citation Context ... been constructed under formal general assumptions: message sending on trapdoor one-way functions [35, 17], pseudo random bit generator [35, 22, 11, 17], and general zero-knowledge interactive proofs =-=[12, 20, 27]-=- on one-way functions. 1.2 One-way hash The need for a primitive that allows hashing so that it would be hard to find collisions was recognized since the earlier days of modern cryptography: Diffie an... |

214 |
A digital signature based on a conventional encryption function
- Merkle
- 1987
(Show Context)
Citation Context ...ier days of modern cryptography: Diffie and Hellman [6] mention such functions and Rabin [28] lists required properties of such functions. Other examples of work involving such functions are Merkle's =-=[24, 25, 23]-=- and Damgard [5]. One usage of such functions was in conjunction with digital signatures: instead of signing a long message, apply the hash function and sign the result. The property that all previous... |

162 |
Proofs that Yield Nothing but Their Validity and a Methodology of Cryptographic Protocol Design
- Goldreich, Micali, et al.
- 1986
(Show Context)
Citation Context ... been constructed under formal general assumptions: message sending on trapdoor one-way functions [35, 17], pseudo random bit generator [35, 22, 11, 17], and general zero-knowledge interactive proofs =-=[12, 20, 27]-=- on one-way functions. 1.2 One-way hash The need for a primitive that allows hashing so that it would be hard to find collisions was recognized since the earlier days of modern cryptography: Diffie an... |

147 | Hiding informations and signatures in trapdoor knapsacks
- Merkle, Hellman
- 1978
(Show Context)
Citation Context ...ument was that since inversion is hard to compute, a forgery is intractable and the system is secure. The first implementations of public-key cryptography (the Merkle-Hellman, RSA and Rabin`s schemes =-=[26, 31, 30]-=-) gave signature schemes of this kind. Following [6], signature systems design has become an extensive field of research (see [15]); we concentrate here only on provably secure systems. The first sche... |

139 |
One-way functions and pseudorandom generators
- Levin
- 1987
(Show Context)
Citation Context ...eractive proofs [14]. In recent years, all these primitives have been constructed under formal general assumptions: message sending on trapdoor one-way functions [35, 17], pseudo random bit generator =-=[35, 22, 11, 17]-=-, and general zero-knowledge interactive proofs [12, 20, 27] on one-way functions. 1.2 One-way hash The need for a primitive that allows hashing so that it would be hard to find collisions was recogni... |

103 |
Constructing digital signatures from a one-way function
- Lamport
- 1979
(Show Context)
Citation Context ...nt our one-way based scheme: its components, algorithms, and security proof. 4.1 Background: Tagging System- "One-Time Signature" The starting point of our system is the Diffie-Lamport taggi=-=ng system [21]-=-; both the system of Bellare and Micali [2] and the practical system of Merkle [23] which motivated us were based on it. The suggestion of [21] is to make public a one-way function f and a window, whi... |

79 | Efficient cryptographic schemes provably as secure as subset sum
- Impagliazzo, Naor
- 1996
(Show Context)
Citation Context ...UOWHF from any one-way function. It would be interesting to see more efficient constructions, perhaps based on more restrictive assumptions. One such construction was given by Impagliazzo and Naor in =-=[18]-=-. based of on the hardness of random subset sum problems of certain dimensions. 6 Acknowledgments We would like to thank Manuel Blum, Benny Chor, Cynthia Dwork, Amos Fiat, Oded Goldreich, Stuart Haber... |

79 |
On the Generation of Cryptographically Strong Pseudorandom Sequences
- Shamir
- 1983
(Show Context)
Citation Context ...assumptions. 1 Examples of cryptographic primitives (in addition to the new one mentioned above) are: (a) secure message sending [6, 31, 30, 13], (b) cryptographically secure pseudo-random generation =-=[33, 2]-=-, and (c) general zero-knowledge interactive proofs [14]. In recent years, all these primitives have been constructed under formal general assumptions: message sending on trapdoor one-way functions [3... |

60 |
On the existence of pseudorandom generators
- Goldreich, Krawczyk, et al.
- 1988
(Show Context)
Citation Context ...eractive proofs [14]. In recent years, all these primitives have been constructed under formal general assumptions: message sending on trapdoor one-way functions [35, 17], pseudo random bit generator =-=[35, 22, 11, 17]-=-, and general zero-knowledge interactive proofs [12, 20, 27] on one-way functions. 1.2 One-way hash The need for a primitive that allows hashing so that it would be hard to find collisions was recogni... |

50 | Transitive signature schemes - Micali, Rivest |

43 |
How to Sign Given Any Trapdoor Function
- Bellare, Micali
- 1988
(Show Context)
Citation Context ...previously signed. A secure system was designed under the assumption that factoring is hard, or a more general assumption that claw-free trapdoor permutations exist [15]. Recently, Bellare and Micali =-=[1]-=- have shown how to construct a secure signature system based on the assumption that trapdoor one-way permutations exist; this matches the original suggestion of Diffie and Hellman, but this time the s... |

37 |
Authentication and Public Key System
- Merkle, Secrecy
- 1979
(Show Context)
Citation Context ...ier days of modern cryptography: Diffie and Hellman [6] mention such functions and Rabin [28] lists required properties of such functions. Other examples of work involving such functions are Merkle's =-=[24, 25, 23]-=- and Damgard [5]. One usage of such functions was in conjunction with digital signatures: instead of signing a long message, apply the hash function and sign the result. The property that all previous... |

24 |
digitalized signatures , in Foundation of Secure Computation
- Rabin
- 1977
(Show Context)
Citation Context ...d for a primitive that allows hashing so that it would be hard to find collisions was recognized since the earlier days of modern cryptography: Diffie and Hellman [6] mention such functions and Rabin =-=[28]-=- lists required properties of such functions. Other examples of work involving such functions are Merkle's [24, 25, 23] and Damgard [5]. One usage of such functions was in conjunction with digital sig... |

20 |
A secure digital signature scheme
- Goldwasser, Micali, et al.
- 1988
(Show Context)
Citation Context ...key cryptography (the Merkle-Hellman, RSA and Rabin`s schemes [26, 31, 30]) gave signature schemes of this kind. Following [6], signature systems design has become an extensive field of research (see =-=[15]-=-); we concentrate here only on provably secure systems. The first scheme to deal formally with the notion of security of signature scheme was suggested by Goldwasser, Micali and Yao [16] who also poin... |

10 |
Two Remarks Concerning the GMR Signature Scheme
- Goldreich
- 1986
(Show Context)
Citation Context ...tion. We summarize the above: Theorem 3 If 1-1 one-way functions exist, then the one-way based signature scheme described above is secure. 4.5 Efficiency Suggestions for improving the efficiency from =-=[15, 9, 24, 1]-=- are applicable to our scheme as well. Instead of a linked list we can arrange the one-time signatures in a d-way tree, where the parent tags all its d children. If k is the value of the security para... |

8 |
New Hash Functions and Their Use
- Wegman, Carter
- 1981
(Show Context)
Citation Context ...tography) private keys are not required. Furthermore, it can provide authentication even to a new or a casual user; this cannot be achieved by previously suggested (private) fingerprinting techniques =-=[34, 29]-=-. This scenario exemplifies the setting of this paper which combines cryptographic security and data compression; as we shall see, this setting includes a variety of applications. We consider cryptogr... |

5 | On-line/O -line Digital Signatures - Even, Goldreich, et al. - 1990 |

3 |
Collision Free Hash Functions and
- Damgard
- 1987
(Show Context)
Citation Context ...graphy: Diffie and Hellman [6] mention such functions and Rabin [28] lists required properties of such functions. Other examples of work involving such functions are Merkle's [24, 25, 23] and Damgard =-=[5]-=-. One usage of such functions was in conjunction with digital signatures: instead of signing a long message, apply the hash function and sign the result. The property that all previous researcher look... |

3 |
Rabin Digital Signatures and Public Key Functions as Intractable as Factoring
- O
- 1979
(Show Context)
Citation Context ...ted the research program of basing cryptographic primitives on general assumptions. 1 Examples of cryptographic primitives (in addition to the new one mentioned above) are: (a) secure message sending =-=[6, 31, 30, 13]-=-, (b) cryptographically secure pseudo-random generation [33, 2], and (c) general zero-knowledge interactive proofs [14]. In recent years, all these primitives have been constructed under formal genera... |

2 |
A certified digital signature, manuscript, 1979, see also
- Merkle
- 1990
(Show Context)
Citation Context ...ier days of modern cryptography: Diffie and Hellman [6] mention such functions and Rabin [28] lists required properties of such functions. Other examples of work involving such functions are Merkle's =-=[24, 25, 23]-=- and Damgard [5]. One usage of such functions was in conjunction with digital signatures: instead of signing a long message, apply the hash function and sign the result. The property that all previous... |

1 |
Pseudo-random Generation given from a Oneway Function, STOC 89
- Impagliazzo, Levin, et al.
(Show Context)
Citation Context ...2], and (c) general zero-knowledge interactive proofs [14]. In recent years, all these primitives have been constructed under formal general assumptions: message sending on trapdoor one-way functions =-=[35, 17]-=-, pseudo random bit generator [35, 22, 11, 17], and general zero-knowledge interactive proofs [12, 20, 27] on one-way functions. 1.2 One-way hash The need for a primitive that allows hashing so that i... |

1 |
Rabin Fingerprinting by Random Polynomials
- O
- 1981
(Show Context)
Citation Context ...tography) private keys are not required. Furthermore, it can provide authentication even to a new or a casual user; this cannot be achieved by previously suggested (private) fingerprinting techniques =-=[34, 29]-=-. This scenario exemplifies the setting of this paper which combines cryptographic security and data compression; as we shall see, this setting includes a variety of applications. We consider cryptogr... |

1 |
One-way functions are necessary and sufficent for secure signatures
- Rompel
- 1990
(Show Context)
Citation Context ...mplement construction such a public fingerprints and digital signature. On the other hand we have seen how any 1-1 one-way function can support the construction of such families. Very recently Rompel =-=[32]-=- has extended our work and showed how to construct a UOWHF from any one-way function. It would be interesting to see more efficient constructions, perhaps based on more restrictive assumptions. One su... |

1 | Two Remarks Concerning the GMR - Goldreich |

1 | A Certi ed - Merkle - 1979 |

1 | One-way functions are necessary and su cent for secure signatures - Rompel - 1990 |