## A failure-friendly design principle for hash functions (2005)

Citations: 43 (5 self)

### BibTeX

```bibtex
@INPROCEEDINGS{Lucks05afailure-friendly,
    author = {Stefan Lucks},
    title = {A failure-friendly design principle for hash functions},
    booktitle = {},
    year = {2005},
    pages = {474--494},
    publisher = {Springer}
}
```

### Abstract

This paper reconsiders the established Merkle-Damgård design principle for iterated hash functions. The internal state size w of an iterated n-bit hash function is treated as a security parameter of its own right. In a formal model, we show that increasing w quantifiably improves security against certain attacks, even if the compression function fails to be collision resistant. We propose the wide-pipe hash, internally using a w-bit compression function, and the double-pipe hash, with w = 2n and an n-bit compression function used twice in parallel.

### Citations

309 | A design principle for hash functions - Damgård - 1989
Citation Context: ...istance has failed. It has been inspired by recent advances in collision finding [25–28, 1]. The design of today’s cryptographic hash functions ubiquitously follows the Merkle/Damgård (MD) structure [16, 6], iterating some underlying compression function. The hash function is collision resistant, if the compression function is. However, if computing a compression function collision is somehow feasible, ...

255 | The random oracle methodology, revisited - Canetti, Goldreich, et al. - 1998
Citation Context: ...“. . . at least”). 2 Classes of Attacks. Informally, a real hash function H should behave like an ideal one (i.e., like a random oracle). This would not be useful for a formal definition, though (see [4]). Instead, one considers somewhat simpler security goals for H : {0, 1}* → {0, 1}^n. We consider the following classes of attacks: K-collision for K ≥ 2: Find K different M_i, with H(M_1) = ···...

248 | How to break md5 and other hash functions - Wang, Yu - 2005
Citation Context: ... In other words, given a single collision, an adversary can easily construct many more collisions. This has long been known, but recently been exploited to turn “random” collisions (as, e.g., for MD5 [26]) into “meaningful” ones [12, 17, 14, 15]. Even a 2nd preimage like scenario is possible [7]: given any two texts T1 and T2, Daum and Lucks presented two corresponding PostScript files with identical ...

233 | PayWord and MicroMint: Two simple micropayment schemes - Rivest, Shamir - 1997
Citation Context: ...C ∉ {A, B, D} and H(C) = H(D). The first two classes include “traditional” 2-collisions, 1-way preimages and 1-way 2nd preimages. Some applications need protection against the large-K variants, e.g., [10, 23, 3]. The third class deals with a very natural assumption for “good” hash functions: even if the adversary somehow – with a great deal of luck, by doing much computational work, or by a mixture of both –...

126 | Analysis and design of cryptographic hash functions - Preneel - 1993
Citation Context: ...defeats known exploits that make collisions “meaningful” [12, 17, 14, 15, 7]. Cascading. The idea to improve the security of hash functions by cascading has been discussed for a long time, see, e.g., [20]. Cascading looks like an obvious technique to improve the security of hash functions – but due to Joux’ attack, cascading iterated hash functions is not that useful. On the other hand, the double-pip...

102 | Multicollisions in iterated hash functions. Application to cascaded constructions - Joux - 2004
Citation Context: ...ion function collision is somehow feasible, the hash function may fail worse than expected. E.g., finding multiple collisions should be way more expensive than finding plain (2-)collisions – but Joux [11] disproved this for the MD design. Also, MD hash functions completely fail to defend against 2nd collision attacks: If H(M) = H(N) for any two messages M, N, then H(M||S) = H(N||S) for all S ∈ {0, 1} ...

83 | Merkle-Damgård revisited: How to construct a hash function - Coron, Dodis, et al. - 2005
Citation Context: ... n-bit compression function, 1 our analysis would justify the usage of, say, a failure-friendly variant of RIPEMD-320 with 2n = 320 internal state bits and n = 160 output bits. Recently, Coron et al. [5] also analysed variants of the Merkle-Damgård design in a fashion similar to the current paper. One of the proposals in [5] is rather similar to our wide-pipe design. However, [5] aims for variably-s...

82 | Cryptographic hash-function basics: Definitions, implications, and separations for preimage resistance, second-preimage resistance, and collision resistance - Rogaway, Shrimpton - 2004
Citation Context: ..., finding a K-collision for H is at least as hard as finding either a K-collision for f'', or a collision for C. □ 3 This is similar to the “aSec” and “aPre” notions of hash function security from [24]. 4 This idea has independently been proposed by Finney in a mailing list [9]. 5 It would seem natural to assume the K-collision resistance of C''. Indeed, f'' is K-collision resistant if C' is col...

47 | Second Preimages on n-bit Hash Functions for Much Less than 2^n Work - Kelsey, Schneier - 2005
Citation Context: ...ollows: C(H_{i−1}, M_i) = E(M_i, H_{i−1}) + H_{i−1}. (Here “+” is any group operation over {0, 1}^n.) The ability to efficiently compute E_M^{−1}(·) can be useful for the adversary, see e.g. Kelsey and Schneier [13] for examples. Thus, we have to extend our formalism for the security proofs accordingly – by considering a Shannon oracle, instead of a random oracle. 4.1 Double-Pipe Hash with DM Compression Functio...

30 | RIPEMD-160: A strengthened Version of - Dobbertin, Bosselaers, et al. - 1996
Citation Context: .... Additionally, we discuss and semi-formally verify the resistance against 2nd collision attacks. Related Proposals. The double-pipe hash may remind the readers of the RIPEMD-family of hash functions [22, 8], also calling two compression functions in parallel. The hash functions specified in [22, 8] combine both n-bit compression values into a single n-bit state, strictly following the Merkle-Damgård de...

27 | On the possibility of constructing meaningful hash collisions for public keys - Lenstra, Weger
Citation Context: ...le collision, an adversary can easily construct many more collisions. This has long been known, but recently been exploited to turn “random” collisions (as, e.g., for MD5 [26]) into “meaningful” ones [12, 17, 14, 15]. Even a 2nd preimage like scenario is possible [7]: given any two texts T1 and T2, Daum and Lucks presented two corresponding PostScript files with identical MD5 hashes. Our Contributions. This paper...

26 | Design validations for discrete logarithm based signature schemes - Brickell, Pointcheval, et al.

24 | On the length of cryptographic hash-values used in identification schemes - Girault, Stern - 1994

21 | Colliding X.509 Certificates, Cryptology ePrint Archive, 2005 (available at http://eprint.iacr.org/2005/067) - Wang, Weger

17 | One-way hash functions and DES - Merkle - 1990

14 | Practical attacks on digital signatures using md5 message digest. Cryptology ePrint Archive - Mikle

9 | Security analysis of a 2/3-rate double length compression function in the black-box model - Nandi, Lee, et al. - 2005
Citation Context: ... an (extremely strong) ideal compression function (i.e., a fixed-size random oracle). This is orthogonal to our approach of taking possible compression function weaknesses into account. Nandi et. al. [18] proposed and analysed a rather different “2/3 rate double length compression function”. Both [5] and [18] restrict their analysis to the random and Shannon oracle, while the current paper also provid...

6 | Black-Box Analysis of the Block-Cipher Based Hash-Function Constructions from PGV - Black, Rogaway, et al. - 2002
Citation Context: ...D strengthening: The last block M_L takes the length |M| in bits. Thus, if |M| ≠ |M'|, then M_L ≠ M'_{L'}.) – For i ∈ {1, ..., L}: compute H_i := C(H_{i−1}, M_i). – Finally: output H_L. [Fig. 1. The Merkle-Damgård (MD) Hash; figure labels: C, H[0], H[1], H[2], M[1], M[2], H[L−1], M[L]] Note that the MD hash function does not provide any resistance against 2nd collision attacks: consider messages M ≠ M' with expansions (M...

4 | MD5 to be Considered Harmful Someday - Kaminski - 2004

3 | More problems with hash functions. The cryptography mailing list. 24 Aug - Finney - 2004
Citation Context: ...ion for f'', or a collision for C. □ 3 This is similar to the “aSec” and “aPre” notions of hash function security from [24]. 4 This idea has independently been proposed by Finney in a mailing list [9]. 5 It would seem natural to assume the K-collision resistance of C''. Indeed, f'' is K-collision resistant if C' is collision resistant and C'' is K-collision resistant. But even if C'' is K-col...

1 | The story of Alice and her boss. Eurocrypt 05 rump session. http://th.informatik.uni-mannheim.de/people/lucks/HashCollisions - Daum, Lucks
Citation Context: ...ions. This has long been known, but recently been exploited to turn “random” collisions (as, e.g., for MD5 [26]) into “meaningful” ones [12, 17, 14, 15]. Even a 2nd preimage like scenario is possible [7]: given any two texts T1 and T2, Daum and Lucks presented two corresponding PostScript files with identical MD5 hashes. Our Contributions. This paper describes and analyses failure-friendly iterated h...

1 | Private communication - Preneel - 2005
Citation Context: ... Winning the 2nd collision game takes time Ω(2^{n/2}). See Appendix A for a sketch of the proof. 6 Discussion A Variant of the double-pipe hash. To reduce the set of cryptographic assumptions, Preneel [21] proposed to use C : {0, 1} × {0, 1}^n × {0, 1}^{n+m} → {0, 1}^n with one extra bit of input. Set H'_i := C(0, H'_{i−1}, H''_{i−1} || M_i), H''_i := C(1, H''_{i−1}, H'_{i−1} || M_i), and finally Hash(M) := C(...

1 | Efficient collision search attacks on SHA0. Accepted for Crypto 2005 - Wang, Yu, et al.

1 | Finding collisions in the full SHA1. Accepted for Crypto 2005 - Wang, Yin, et al.