Merkle–Damgård revisited: How to construct a hash function

Merkle–Damgård revisited: How to construct a hash function (2005)

Cached

Download Links

[www.gemplus.com]

by Jean-Sébastien Coron , Yevgeniy Dodis , Cécile Malinaud , Prashant Puniya

Citations:

51 - 5 self

BibTeX

@INPROCEEDINGS{Coron05merkle–damgårdrevisited:,
    author = {Jean-Sébastien Coron and Yevgeniy Dodis and Cécile Malinaud and Prashant Puniya},
    title = {Merkle–Damgård revisited: How to construct a hash function},
    booktitle = {},
    year = {2005},
    pages = {430--448},
    publisher = {Springer-Verlag}
}

Years of Citing Articles

Bookmark

OpenURL

Abstract

The most common way of constructing a hash function (e.g., SHA-1) is to iterate a compression function on the input message. The compression function is usually designed from scratch or made out of a block-cipher. In this paper, we introduce a new security notion for hash-functions, stronger than collision-resistance. Under this notion, the arbitrary length hash function H must behave as a random oracle when the fixed-length building block is viewed as a random oracle or an ideal block-cipher. The key property is that if a particular construction meets this definition, then any cryptosystem proven secure assuming H is a random oracle remains secure if one plugs in this construction (still assuming that the underlying fixed-length primitive is ideal). In this paper, we show that the current design principle behind hash functions such as SHA-1 and MD5 — the (strengthened) Merkle–Damgård transformation — does not satisfy this security notion. We provide several constructions that provably satisfy this notion; those new constructions introduce minimal changes to the plain Merkle–Damgård construction and are easily implementable in practice.

Citations

1130	Random oracles are practical: A paradigm for designing efficient protocols - Bellare, Rogaway - 1993
484	Universally composable security: A new paradigm for cryptographic protocols - Canetti - 2005
288	The exact security of digital signatures - how to sign with rsa and rabin - Bellare, Rogaway - 1996
244	How to construct pseudorandom permutations from pseudorandom functions - Luby, Rackoff - 1988
231	A design principle for hash functions - Damgård - 1989
200	Optimal Asymmetric Encryption - Bellare, Rogaway - 1994
137	The security of cipher block chaining - Bellare, Kilian, et al. - 1994
130	A Model for Asynchronous Reactive Systems and its Application to Secure Message Transmission - Pfitzmann, Waidner - 2001
88	P.: Collision-Resistant Hashing: Towards Making UOWHFs Practical - Bellare, Rogaway - 1997
79	Pseudorandom Functions Revisited: The Cascade Construction and its Concrete Security - Bellare, Canetti, et al. - 1996
78	An analysis of the blockcipher-based hash functions from PGV - Black, Rogaway, et al.
56	Oded Goldreich, and Shai Halevi, The random oracle methodology, revisited - Canetti - 1998
56	Hash functions based on block ciphers: A synthetic approach - Preneel, Govaerts, et al. - 1993
47	Separating random oracle proofs from complexity theoretic proofs: The non-committing encryption case - Nielsen - 2002
44	Indifferentiability, Impossibility Results on Reductions, and Applications to the Random Oracle Methodology - Maurer, Renner, et al. - 2004
41	One way hash functions and - Merkle - 1990
41	A Composition Theorem for Universal One-Way Hash Functions. In: EUROCRYPT’00 - Shoup - 2000
33	The Random Oracle Methodology - Canetti, Goldreich, et al.
29	On the (in)security of the fiat-shamir paradigm - Goldwasser, Tauman-Kalai - 2003
26	Design Principles for Iterated Hash Functions. Cryptology ePrint Archive, Report 2004/253, 2004. http://eprint.iacr.org. 8. Stefan Lucks. A Failure-Friendly Design Principle for Hash Functions - Lucks
25	Secure Hash Standard, Federal Information Processing Standards Publication 180-1 - FIPS - 1995
22	Constructing VIL-MACs from FIL-MACs: Message authentication under weakened assumptions - An, Bellare - 1999
18	A secure one-way hash function built from DES - Winternitz - 1984
8	Randomness Extraction and Key Derivation Using - Dodis, Gennaro, et al. - 2004
8	Single-key AIL-MACs from any FIL-MAC - Maurer, Sjödin - 2005
7	The MD5 message-digest algorithm, Internet Request for Comments 1321 - RFC - 1992
6	Indifferentiability, Impossibility Results on Reductions, and Applications to the Random Oracle Methodology - Maurer, Renner, et al. - 2004
5	Boldyreva and Adriana Palacio. An Uninstantiable Random-Oracle-Model Scheme for a Hybrid-Encryption Problem - Bellare, Alexandra - 2004
5	On the Generic Insecurity - Dodis, Oliveira, et al. - 2005