## Hash functions in the dedicated-key setting: Design choices and MPP transforms (2007)


Venue: 34th International Colloquium on Automata, Languages and Programming – ICALP 2007, volume 4596 of Lecture Notes in Computer Science

Citations: 13 (1 self)

### BibTeX

```bibtex
@INPROCEEDINGS{Bellare07hashfunctions,
  author    = {Mihir Bellare and Thomas Ristenpart},
  title     = {Hash functions in the dedicated-key setting: Design choices and MPP transforms},
  booktitle = {34th International Colloquium on Automata, Languages and Programming – ICALP 2007, volume 4596 of Lecture Notes in Computer Science},
  year      = {2007},
  publisher = {Springer-Verlag}
}
```


### Abstract

In the dedicated-key setting, one starts with a compression function f: {0,1}^k × {0,1}^{n+d} → {0,1}^n and builds a family of hash functions H^f: K × M → {0,1}^n indexed by a key space K. This is different from the more traditional design approach used to build hash functions such as MD5 or SHA-1, in which compression functions and hash functions do not have dedicated key inputs. We explore the benefits and drawbacks of building hash functions in the dedicated-key setting (as compared to the more traditional approach), highlighting several unique features of the former. Should one choose to build hash functions in the dedicated-key setting, we suggest utilizing multi-property-preserving (MPP) domain extension transforms. We analyze seven existing dedicated-key transforms with regard to the MPP goal and propose two simple

### Citations

1535 | Security Architecture for the Internet Protocol - Kent, Atkinson - 1998
Citation Context: ... and used as message authentication codes (MACs) and pseudorandom functions (PRFs). (For example, HMAC [3], a popular hash-function based construction, is used for message authentication in SSH, IPsec [15], and TLS [13] and for key derivation, where it must be a PRF, in TLS [13] and IKE [14].) Hash function design should reflect such usage, and for transforms this means being multi-property-preserving: ...

1425 | Random Oracles are Practical: A Paradigm for Designing Efficient - Bellare, Rogaway - 1993

503 | Keying Hash Functions for Message Authentication - Bellare, Canetti, et al. - 1996
Citation Context: ... traditional hash function H^h: M → {0,1}^n as a MAC scheme, H^h must be keyed, which means some of the input is set aside (a posteriori) for key bits. The canonical construct in this domain is HMAC [3, 2], which is widely standardized and used. (NIST FIPS 198, ANSI X9.71, IETF RFC 2104, SSL, SSH, IPSEC, TLS, IEEE 802.11i, and IEEE 802.16e are only some instances.) Note that in these applications keys ...

405 | The MD5 Message Digest Algorithm - Rivest - 1992
Citation Context: ... ion transform H that utilizes f as a black box to implement the hash function H^f: M → {0,1}^n associated to f, where M is some large message space. Most in-use hash functions, for example the MD-x [24] family and SHA-1 [22], were constructed using this approach. There also exists a second setting for hash function design and analysis, in which compression functions and hash functions both have a de...

352 | The exact security of digital signatures — how to sign with RSA and Rabin - Bellare, Rogaway - 1996
Citation Context: ... ny with disjoint security requirements. For example, hash functions are currently simultaneously utilized for being CR and for instantiating random oracles (in schemes such as RSA-OAEP [7] and RSA-PSS [8] specified in the RSA PKCS#1 v2.1 standard [23]). Hash functions are also keyed and used as message authentication codes (MACs) and pseudorandom functions (PRFs). (For example, HMAC [3], a popular hash...

322 | Universal one-way hash functions and their cryptographic applications - Naor, Yung - 1989

312 | A Design Principle for Hash Functions - Damgård - 1989
Citation Context: ... sforms. In Section 5 we provide an MPP-orientated treatment of transforms in the dedicated-key setting, analyzing seven previously proposed Merkle-Damgård-like transforms: plain Merkle-Damgård (MD) [19, 12], strengthened MD (sMD) [12], prefix-free MD (Pre) [18], Shoup's transform (Sh) [28], the strengthened Nested Iteration transform (sNI) [1], the Nested Iteration transform (NI) [18], and the Chain-Shi...

251 | How to Break MD5 and Other Hash Functions - Wang, Yu
Citation Context: ... verifying digital signatures) and so in these settings every party must have access to the key. This paper. Due to recent collision-finding attacks against in-use hash functions such as MD5 and SHA-1 [30, 31], new hash functions are going to be designed and standardized. A crucial choice for designers will be whether one should build hash functions in the first setting (continuing in the current tradition...

250 | Optimal asymmetric encryption - Bellare, Rogaway - 1995
Citation Context: ... applications, many with disjoint security requirements. For example, hash functions are currently simultaneously utilized for being CR and for instantiating random oracles (in schemes such as RSA-OAEP [7] and RSA-PSS [8] specified in the RSA PKCS#1 v2.1 standard [23]). Hash functions are also keyed and used as message authentication codes (MACs) and pseudorandom functions (PRFs). (For example, HMAC [3]...

187 | One Way Hash Functions and DES - Merkle - 1989
Citation Context: ... sforms. In Section 5 we provide an MPP-orientated treatment of transforms in the dedicated-key setting, analyzing seven previously proposed Merkle-Damgård-like transforms: plain Merkle-Damgård (MD) [19, 12], strengthened MD (sMD) [12], prefix-free MD (Pre) [18], Shoup's transform (Sh) [28], the strengthened Nested Iteration transform (sNI) [1], the Nested Iteration transform (NI) [18], and the Chain-Shi...

115 | The security of triple encryption and a framework for code-based game-playing proofs - Bellare, Rogaway - 2006

111 | Message authentication with one-way hash functions - Tsudik - 1992

102 | Collision-resistant hashing: Towards making UOWHFs practical - Bellare, Rogaway - 1997
Citation Context: ... roperty P, then T^f provably has property P. A "No" means that there exists a compression function f with ... (the summary table, Figure 1 of the paper, as far as it survives in this excerpt:)

| Transform | CR-Pr | MAC-Pr | PRF-Pr | PRO-Pr | TCR-Pr | Efficiency τ(L) | Key bits |
|---|---|---|---|---|---|---|---|
| MD | No [19, 12] | No | Yes | No [11] | No [9] | ⌈(L + 1)/d⌉ | k |
| sMD | Yes [19, 12] | No | Yes | No [11] | No [9] | ⌈(L + 65)/d⌉ | k |
| Pre | No | Yes [18] | Yes | Yes [11] | No | ⌈(L + 1)/(d − 1)⌉ | k |
| Sh | Yes [28] | No | Yes | No | Yes [28] | ⌈(L + 65)/d⌉ | k + ζ(L) |
| sNI | Yes | Yes [1] | Yes | Yes [5... | | | |

96 | Pseudorandom functions revisited: The cascade construction and its concrete security. Proc. 37th Annual Symposium on the Foundations of Computer Science - Bellare, Canetti, et al. - 1997
Citation Context: ... he unforgeability of MACs built from hash functions requires the compression function to be a pseudorandom function (PRF) when keyed appropriately and the transform to be PRF-Pr (e.g., prefix-free MD [4], EMD [5], and NMAC [3, 2], etc.). However, unforgeability is a weaker security goal than being a PRF: any PRF is a good MAC but not vice versa. The reason we have to rely on PRFs for message authenti...

86 | New Proofs for NMAC and HMAC: Security without Collision-Resistance - Bellare
Citation Context: ... M^s_i = M^c_i for 1 ≤ i ≤ j. 5.3 Pseudorandom Function Preservation. In the non-dedicated-key setting, building PRF preserving transforms is non-trivial and the proofs of security can be quite complex [3, 4, 2]. In stark contrast to this, we show that all of the dedicated-key transforms considered here are PRF-Pr, and the proof establishing this is relatively straightforward. We note that the main differenc...

84 | Merkle-Damgård Revisited: How to Construct a Hash Function - Coron, Dodis, et al. - 2005
Citation Context: ... f has property P, then T^f provably has property P. A "No" means that there exists a compression function f with ... (the summary table, Figure 1 of the paper, as far as it survives in this excerpt:)

| Transform | CR-Pr | MAC-Pr | PRF-Pr | PRO-Pr | TCR-Pr | Efficiency τ(L) | Key bits |
|---|---|---|---|---|---|---|---|
| MD | No [19, 12] | No | Yes | No [11] | No [9] | ⌈(L + 1)/d⌉ | k |
| sMD | Yes [19, 12] | No | Yes | No [11] | No [9] | ⌈(L + 65)/d⌉ | k |
| Pre | No | Yes [18] | Yes | Yes [11] | No | ⌈(L + 1)/(d − 1)⌉ | k |
| Sh | Yes [28] | No | Yes | No | Yes [28] | ⌈(L + 65)/d⌉ | k + ζ(L) |
| sNI | Yes | Yes [1] | Yes | ... | | | |

83 | Cryptographic hash-function basics: definitions, implications and separations for preimage resistance, second-preimage resistance, and collision resistance - Rogaway, Shrimpton - 2004
Citation Context: ... logarithmic (in the maximum message length) amount of key material. Mironov has given strong evidence that one cannot do better for MD-style transforms [20]. Furthermore, any CR function is also TCR [26], and so one might simply stop with a dedicated-key transform that preserves the four properties already considered. Still, target-collision resistant functions are useful in some settings [9] and ach...

76 | Indifferentiability, impossibility results on reductions, and applications to the random oracle methodology - Maurer, Renner, et al. - 2004
Citation Context: ... by A and S, and the coins used by F = RF_{Dom,Rng} and f = RF_{n+d,n}. The simulator S maintains state across queries and has oracle access to F. For more details on the pseudorandom oracle definition see [5, 11, 16]. We say that F is (t, L, ε)-xxx for xxx ∈ {tcr, cr} if any adversary A running in time at most t and outputting messages of length less than or equal to L bits has ε probability of success in the xxx ...

68 | Datagram Transport Layer Security - Rescorla, Modadugu - 2006
Citation Context: ... essage authentication codes (MACs) and pseudorandom functions (PRFs). (For example, HMAC [3], a popular hash-function based construction, is used for message authentication in SSH, IPsec [15], and TLS [13] and for key derivation, where it must be a PRF, in TLS [13] and IKE [14].) Hash function design should reflect such usage, and for transforms this means being multi-property-preserving: a transform s...

63 | Multi-property-preserving hash domain extension and the EMD transform - Bellare, Ristenpart - 2006
Citation Context: ... wide variety of applications with disjoint security requirements, we suggest building hash functions using multi-property-preserving (MPP) transforms, introduced for the non-dedicated-key setting in [5]. An MPP transform H simultaneously preserves numerous properties of interest: if the compression function f has security property P, then H^f has P also. We investigate nine transforms, two of which ...

47 | A composition theorem for universal one-way hash functions - Shoup - 2000
Citation Context: ... ed-key setting, analyzing seven previously proposed Merkle-Damgård-like transforms: plain Merkle-Damgård (MD) [19, 12], strengthened MD (sMD) [12], prefix-free MD (Pre) [18], Shoup's transform (Sh) [28], the strengthened Nested Iteration transform (sNI) [1], the Nested Iteration transform (NI) [18], and the Chain-Shift transform (CS) [18]. Figure 1 summarizes our results for the existing seven trans...

30 | Constructing VIL-MACs from FIL-MACs: message authentication under weakened assumptions - An, Bellare - 1999
Citation Context: ... le-Damgård-like transforms: plain Merkle-Damgård (MD) [19, 12], strengthened MD (sMD) [12], prefix-free MD (Pre) [18], Shoup's transform (Sh) [28], the strengthened Nested Iteration transform (sNI) [1], the Nested Iteration transform (NI) [18], and the Chain-Shift transform (CS) [18]. Figure 1 summarizes our results for the existing seven transforms. For each transform we determine if it is collisi...

22 | Formalizing human ignorance: Collision-resistant hashing without the keys. Cryptology ePrint Archive, Report 2006/281 - Rogaway - 2006
Citation Context: ... ting. In the prior setting we would lose all security guarantees. Keying and collision-resistance. Hash functions with dedicated key inputs are an easy solution for the foundations-of-hashing dilemma [25], which is a problem of theoretical interest. The dilemma refers to the fact that h: {0,1}^{n+d} → {0,1}^n cannot be collision-resistant: by the pigeonhole principle there are two strings X, X′ both...

16 | Hash functions: from Merkle-Damgård to Shoup - Mironov - 2001
Citation Context: ... a significant number of key bits, in fact logarithmic in the number of blocks hashed. To make matters worse, there is strong evidence that we're not likely to do much better with MD-style transforms [20, 27]. Nevertheless we add this property to the list, and investigate which transforms are target collision-resistance preserving (TCR-Pr) in Section 5.5. Summary of results and discussion. The summary of ...

14 | Single-Key AIL-MACs from Any FIL-MAC - Maurer, Sjödin
Citation Context: ... of transforms in the dedicated-key setting, analyzing seven previously proposed Merkle-Damgård-like transforms: plain Merkle-Damgård (MD) [19, 12], strengthened MD (sMD) [12], prefix-free MD (Pre) [18], Shoup's transform (Sh) [28], the strengthened Nested Iteration transform (sNI) [1], the Nested Iteration transform (NI) [18], and the Chain-Shift transform (CS) [18]. Figure 1 summarizes our results...

10 | Indifferentiability, impossibility results on reductions, and applications to the random oracle methodology - Maurer, Renner, et al. - 2004
Citation Context: ... by A and S, and the coins used by F = RF_{Dom,Rng} and f = RF_{n+d,n}. The simulator S maintains state across queries and has oracle access to F. For more details on the pseudorandom oracle definition see [5, 11, 16]. We say that F is (t, L, ε)-xxx for xxx ∈ {tcr, cr} if any adversary A running in time at most t and outputting messages of length less than or equal to L bits has ε probability of success in the xxx ...

2 | Masking Based Domain Extenders for UOWHFs: Bounds and Constructions. Cryptology ePrint Archive, Report 2003/255 - Sarkar - 2003
Citation Context: ... a significant number of key bits, in fact logarithmic in the number of blocks hashed. To make matters worse, there is strong evidence that we're not likely to do much better with MD-style transforms [20, 27]. Nevertheless we add this property to the list, and investigate which transforms are target collision-resistance preserving (TCR-Pr) in Section 5.5. Summary of results and discussion. The summary of ...

1 | Domain Expansion of MACs: Alternative Uses of the FIL-MAC - Maurer, Sjödin - 2005
Citation Context: ... unforgeability preserving (which we'll call MAC-Pr) transforms are known in this setting. On the other hand, if we work in the dedicated-key setting, then there are straightforward MAC-Pr transforms [1, 18, 17]. This allows us to utilize hash functions as MACs under just the assumption that h: {0,1}^k × {0,1}^{n+d} → {0,1}^n is a good MAC, which provides a better security guarantee. To see why, note that a...

1 | Domain Expansion of MACs: Alternative Uses of the FIL-MAC. Cryptography and Coding 2005 - Maurer, Sjödin - 2005
Citation Context: ... unforgeability preserving (which we'll call MAC-Pr) transforms are known in this setting. On the other hand, if we work in the dedicated-key setting, then there are straightforward MAC-Pr transforms [1, 18, 17]. This allows us to utilize hash functions as MACs under just the assumption that h: {0,1}^k × {0,1}^{n+d} → {0,1}^n is a good MAC, which provides a better security guarantee. To see why, note that a...