## Strengthening Digital Signatures via Randomized Hashing (2005)

### Download Links

- www.iacr.org
- web.cecs.pdx.edu
- www.ee.technion.ac.il
- webee.technion.ac.il
- DBLP

### Other Repositories/Bibliography

Venue: Advances in Cryptology – CRYPTO 2006 (Cynthia Dwork, editor), volume 4117 of Lecture Notes in Computer Science

Citations: 58 (2 self)

### BibTeX

```bibtex
@INPROCEEDINGS{Halevi05strengtheningdigital,
  author    = {Shai Halevi and Hugo Krawczyk},
  title     = {Strengthening Digital Signatures via Randomized Hashing},
  booktitle = {Advances in Cryptology -- CRYPTO 2006},
  editor    = {Cynthia Dwork},
  series    = {Lecture Notes in Computer Science},
  volume    = {4117},
  pages     = {41--59},
  publisher = {Springer},
  year      = {2006}
}
```

### Abstract

We propose randomized hashing as a mode of operation for cryptographic hash functions intended for use with standard digital signatures and without requiring any changes to the internals of the underlying hash function (e.g., the SHA family) or to the signature algorithms (e.g., RSA or DSA). The goal is to free practical digital signature schemes from their current reliance on strong collision resistance by basing the security of these schemes on significantly weaker properties of the underlying hash function, thus providing a safety net in case the (current or future) hash functions in use turn out to be less resilient to collision search than initially thought. We design a specific mode of operation that takes into account engineering considerations (such as simplicity, efficiency and compatibility with existing implementations) as well as analytical soundness. Specifically, the scheme entails unmodified use of the hash function, with randomization applied only to the message before it is input to the hash function. We formally show the sufficiency of an assumption significantly weaker than collision resistance for proving the security of the scheme.
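The mode the abstract describes, as an added example that is not the paper's own code or specification. Equation (1) of the paper, quoted in the citation contexts below, is H_r(m_1, ..., m_L) = H(m_1 ⊕ r, ..., m_L ⊕ r) with H left untouched; the paper's second construction H̃_r additionally hashes r itself as a leading block (that definition is recalled from the paper, since the snippets on this page do not spell it out). Everything else here is our choice: SHA-256 stands in for the SHA family (the page's example uses n = 160, i.e. SHA-1), the 0x80-then-zeros block framing is ours and not the paper's padding, and `toy_H` is a constructed 16-bit hash whose collision and second-preimage resistance is broken by brute force. The toy lets two points from the citation contexts actually run: a second-preimage (SPR) attack on H turns directly into a TCR attack on H_r once r is known, whereas a collision found for H before r is chosen (what a signer could do with a broken H) survives randomization only by chance.

```python
"""Randomized hashing (the H_r / H~_r modes) over an unmodified hash function.
Added example; not the paper's code. SHA-256 stands in for the SHA family,
the block framing is ours, and toy_H is a deliberately weak 16-bit stand-in."""
import hashlib
import secrets

BLOCK = 64        # b = 512 bits: the message-block size of SHA-1 and SHA-256
TOY_BYTES = 2     # toy_H output length: 16 bits, so generic attacks cost ~2^16


def sha256(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()


def toy_H(x: bytes) -> bytes:
    """Constructed stand-in for a hash whose collision and second-preimage
    resistance is broken (here simply because its output is tiny)."""
    return sha256(x)[:TOY_BYTES]


def pad_to_blocks(msg: bytes) -> bytes:
    """Application-level framing into b-bit blocks m1..mL (our own framing,
    not the padding of the paper's full specification): 0x80, then zeros."""
    msg += b"\x80"
    return msg + b"\x00" * (-len(msg) % BLOCK)


def xor_r(blocks: bytes, r: bytes) -> bytes:
    """(m1 ^ r, ..., mL ^ r): the same random b-bit block r goes into every block."""
    if len(r) != BLOCK or len(blocks) % BLOCK:
        raise ValueError("r must be exactly one block and the input block-aligned")
    return bytes(b ^ r[i % BLOCK] for i, b in enumerate(blocks))


def H_r(blocks: bytes, r: bytes, H=sha256) -> bytes:
    """Equation (1): H_r(m1..mL) = H(m1 ^ r, ..., mL ^ r). H is untouched; the
    signer picks a fresh r per signature and ships it alongside the signature."""
    return H(xor_r(blocks, r))


def H_tilde_r(blocks: bytes, r: bytes, H=sha256) -> bytes:
    """The paper's eTCR variant: r is also fed to H as an extra first block, so
    an attacker who later substitutes r' has r' inside the hashed string too."""
    return H(r + xor_r(blocks, r))


def counter_block(i: int) -> bytes:
    return i.to_bytes(BLOCK, "big")


def second_preimage(H, x: bytes) -> bytes:
    """Generic second-preimage search: x' != x with H(x') == H(x).
    Feasible here only because toy_H has a 16-bit output."""
    target, i = H(x), 0
    while True:
        cand = counter_block(i)
        if cand != x and H(cand) == target:
            return cand
        i += 1


def tcr_attack_from_spr(M: bytes, r: bytes) -> bytes:
    """TCR game against H_r: the attacker commits to M, is then handed r, and
    wins by outputting M' != M with H_r(M') == H_r(M). An SPR break of H on
    the randomized input M ^ r is exactly such a win: M' = x' ^ r."""
    x2 = second_preimage(toy_H, xor_r(M, r))
    return xor_r(x2, r)


def birthday_collision(H) -> tuple:
    """What a CR break looks like: a colliding pair found before any r exists."""
    seen = {}
    i = 0
    while True:
        blk = counter_block(i)
        d = H(blk)
        if d in seen:
            return seen[d], blk
        seen[d] = blk
        i += 1


def precomputed_collision_survives(M1: bytes, M2: bytes, trials: int = 20) -> int:
    """Count the random r under which a precomputed collision (M1, M2) for H is
    still a collision for H_r. For toy_H each r succeeds with chance ~2^-16."""
    survivors = 0
    for _ in range(trials):
        r = secrets.token_bytes(BLOCK)
        if H_r(M1, r, toy_H) == H_r(M2, r, toy_H):
            survivors += 1
    return survivors


if __name__ == "__main__":
    M = pad_to_blocks(b"pay 100 to alice")       # constructed sample message
    r = secrets.token_bytes(BLOCK)
    print("H_r(M)  :", H_r(M, r).hex())
    print("H~_r(M) :", H_tilde_r(M, r).hex())
    M2 = tcr_attack_from_spr(M, r)
    print("SPR break on toy_H gives TCR break on H_r:",
          M2 != M and H_r(M2, r, toy_H) == H_r(M, r, toy_H))
    C1, C2 = birthday_collision(toy_H)
    print("precomputed toy collision survives a random r in",
          precomputed_collision_survives(C1, C2), "of 20 trials")
```

The verifier recomputes `H_tilde_r` with the r received next to the signature, which is the "transmission or re-use of r" the citation context on deployment refers to; nothing in the hash function or the signature algorithm changes. The toy run also makes the degradation argument concrete: the SPR-to-TCR translation costs the attacker one second-preimage search on the full-size H, which for real SHA-1 is the birthday-type generic attack the paper cites, not the cheap 2^16 loop used here.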

### Citations

835 | A Digital Signature Scheme Secure Against Adaptive Chosen-Message Attacks
- Goldwasser, Micali, Rivest
- 1988

Citation context: ...that it may allow a signer to find two messages with the same hash value. This, however, represents no violation of signature security (cf. the standard definition of Goldwasser, Micali, and Rivest [12]). Specifically, the potential ability of the signer to find collisions does not allow any other party to forge signatures, thus protecting the signer against malicious parties. At the same time, recip...

479 | Keying Hash Functions for Message Authentication
- Bellare, Canetti, Krawczyk
- 1996

Citation context: ...block r to each message block before inputting it into the hash function (see below for a comparison of this scheme to one in [26]). That is, H^c_r(m_1, ..., m_L) := H^c(m_1 ⊕ r, ..., m_L ⊕ r). (1) We show this scheme to be TCR under an SPR-like assumption on the underlying compression function h (see below). On the other hand, the H_r construction is clearly not eTCR; in order to obtain an eTCR sc...

292 | A Design Principle for Hash Functions
- Damgård
- 1990

Citation context: ...H(M) = H(M'), except with insignificant probability.¹ Contemporary constructions of (allegedly) collision-resistant hash functions follow the so-called Merkle-Damgård (M-D) iterated construction [17, 9]. Such constructions start with a compression function h that maps input pairs (c, m) into an output c', where c and c' are of fixed length n (e.g., n = 160) and m is of fixed length b (e.g., b = 512)...

284 | Security Arguments for Digital Signatures and Blind Signatures
- Pointcheval, Stern
- 2000

Citation context: ...(randomized) signature schemes do not essentially use the collision resistance property of the random oracle (as evidenced, for example, by the fact that some of these proofs, such as those following [22], remain meaningful even when you have a random oracle with relatively short output, e.g., 80 bits). This brings up the interesting question of exhibiting variants of the random-oracle model where one...

197 | One-Way Functions Are Necessary and Sufficient for Secure Signatures
- Rompel
- 1990

97 | Collision-Resistant Hashing: Towards Making UOWHFs Practical
- Bellare, Rogaway
- 1997

Citation context: ...depend on full collision resistance were constructed in the influential work of Naor and Yung [20], who introduced the notion of universal one-way hash functions, or UOWHF. Later, Bellare and Rogaway [3] renamed them to the more descriptive (and catchy) name of target collision resistant (TCR) hash functions, a term that we adopt here. Roughly, a family of hash functions {H_r}_{r ∈ R} (for some set R) is t...

94 | Multicollisions in Iterated Hash Functions. Application to Cascaded Constructions
- Joux
- 2004

Citation context: ...assumption significantly weaker than collision resistance for proving the security of the scheme. 1 Introduction. Recent cryptanalytical advances in the area of collision-resistant hash functions (CRHF) [8, 5, 15, 6, 16, 29, 30, 31, 32], especially the attacks against MD5 and SHA-1, have shaken our confidence in the security of existing hash functions as well as in our ability to design secure CRHF. These attacks remind us that cryp...

75 | Cryptographic Hash-Function Basics: Definitions, Implications, and Separations for Preimage Resistance, Second-Preimage Resistance, and Collision Resistance
- Rogaway, Shrimpton
- 2004

Citation context: ...ect on the future security of digital signatures. Relations between various notions. In our presentation we use quite a few notions of security for hash functions, some new and others well known (see [24]). Articulating the relations between these notions is not the focus of this paper. In some places we comment about implication or separation between these notions, but we do not explicitly show separ...

73 | Finding Collisions on a One-Way Street: Can Secure Hash Functions Be Based on General Assumptions?
- Simon
- 1998

Citation context: ...families implies the existence of collision-resistant families (from n + 1 to n bits). Hence c-SPR implies the existence of collision-resistant hashing families (in particular, this shows that Simon's [27] separation result applies to black-box constructions of c-SPR; it does not mean, however, that the M-D iteration of a c-SPR compression function is necessarily collision resistant). Still, for a part...

48 | One Way Hash Functions and DES
- Merkle
- 1989

Citation context: ...H(M) = H(M'), except with insignificant probability.¹ Contemporary constructions of (allegedly) collision-resistant hash functions follow the so-called Merkle-Damgård (M-D) iterated construction [17, 9]. Such constructions start with a compression function h that maps input pairs (c, m) into an output c', where c and c' are of fixed length n (e.g., n = 160) and m is of fixed length b (e.g., b = 512)...

46 | Formal Aspects of Mobile Code Security
- Dean
- 1999

Citation context: ...ility in the order of tL/2^n) against H_r are indeed possible, since SPR attacks against H can be translated into TCR attacks against H_r and we know that such birthday-type SPR attacks against H exist [11, 16]. This motivates two questions: Can we have a flavor of SPR for which there is a tight reduction to TCR? Can this SPR game be defined such that it is only vulnerable to linear generic attacks? The ans...

45 | A Composition Theorem for Universal One-Way Hash Functions
- Shoup
- 2000

Citation context: ...we consider, denoted H_r, simply XORs a random b-bit block r into each message block before inputting it into the hash function (see below for a comparison of this construction with Shoup's scheme from [26]). That is, H^c_r(m_1, ..., m_L) := H^c(m_1 ⊕ r, ..., m_L ⊕ r). (1) We show this scheme to be TCR under an SPR-like assumption on the underlying compression function h (see below). On the other han...

40 | Second Preimages on n-Bit Hash Functions for Much Less than 2^n Work (EUROCRYPT 2005)
- Kelsey, Schneier
- 2005

Citation context: ...assumption significantly weaker than collision resistance for proving the security of the scheme. 1 Introduction. Recent cryptanalytical advances in the area of collision-resistant hash functions (CRHF) [8, 5, 15, 6, 16, 29, 30, 31, 32], especially the attacks against MD5 and SHA-1, have shaken our confidence in the security of existing hash functions as well as in our ability to design secure CRHF. These attacks remind us that cryp...

25 | Design Validations for Discrete Logarithm Based Signature Schemes
- Brickell, Pointcheval, Vaudenay, Yung

Citation context: ...proof of security (not even in the case that the underlying hash function is fully collision resistant). The "closest relatives", namely, the DSA-II variant of Brickell, Pointcheval, Vaudenay and Yung [7] or the RSA-PSS scheme of Bellare and Rogaway [2], have a proof of security in the random oracle model. Interestingly, these proofs use in an essential way the randomization of the hash function, not...

10 | Abelian Square-Free Dithering for Iterated Hash Functions (presented at the ECRYPT Hash Function Workshop)
- Rivest

Citation context: ...y attacks against H_r do exist. It is possible, however, to design variants of M-D hash functions (e.g., appending a sequence number to each block or using the "dithering" technique proposed by Rivest [23]) for which the best generic attacks achieve linear degradation only. Thus, the main motivation and usefulness of the game m-SPR and its tight reduction to TCR is for the analysis of such variants. 3....

7 | Finding Collisions in the Full SHA-1 (CRYPTO 2005)
- Wang, Yin, Yu
- 2005

Citation context: ...eed by our results, and is ready for implementation and integration with existing applications. 1 Introduction. Recent cryptanalytical advances in the area of collision-resistant hash functions (CRHF) [9, 5, 16, 6, 17, 31, 32, 33, 34], especially the attacks against MD5 and SHA-1, have shaken our confidence in the security of existing hash functions as well as in our ability to design secure CRHF. These attacks remind us that cryp...

5 | Deploying a New Hash Algorithm (NDSS 2006), http://www.cs.columbia.edu/~smb/papers/new-hash.pdf
- Bellovin, Rescorla

Citation context: ...compatibility, the signaling/negotiation of algorithms and capabilities, version rolling, etc. are not made worse by our proposal than what is already needed to support a simple hash function upgrade [4]. Considering the simplicity and minimalistic nature of our randomization scheme, we believe that the extra changes (transmission or re-use of r) are well worth the substantial security gain they prov...

4 | Collision-Resistant No More: Hash-and-Sign Paradigm Revisited (Public Key Cryptography 2006)
- Mironov

Citation context: ...es when we are dealing with relatively weak (at least not CR) hash functions (clearly, random oracles are "very strong hash functions"). See some results related to this question in Appendix B and in [19]. We also point out that the random-oracle proofs for some of the above (randomized) signature schemes do not essentially use the collision resistance property of the random oracle (as evidenced, for...

3 | The Exact Security of Digital Signatures: How to Sign with RSA and Rabin
- Bellare, Rogaway

Citation context: ...underlying hash function is fully collision resistant). The "closest relatives", namely, the DSA-II variant of Brickell, Pointcheval, Vaudenay and Yung [7] or the RSA-PSS scheme of Bellare and Rogaway [2], have a proof of security in the random oracle model. Interestingly, these proofs use in an essential way the randomization of the hash function, not unlike the TCR or eTCR constructions. In some sen...

1 | Randomized Hashing: Specification and Deployment
- Halevi, Krawczyk

Citation context: ...signature itself (under the signed value in RSA or by re-using the random r = g^k component in DSA). We further discuss these issues in Section 5. A full specification of the H̃_r mode is included in [13]. Related Schemes. Bellare and Rogaway [3] explored the problem of constructing TCR hashing for long messages from TCR functions that work on short inputs, and showed that the M-D iteration of a TCR c...

1 | Higher Order Universal One-Way Hash Functions (ASIACRYPT 2004)
- Hong, Preneel, Lee
- 2004

Citation context: ...structions H_r and H̃_r. We also note that c-SPR is related to the "hierarchy of collision resistance" of Mironov [18], and that e-SPR is a weaker property than the L-order TCR property of Hong et al. [14]. We stress that ultimately, the question of whether or not a particular compression function (such as those in the SHA family) is e-SPR can only be addressed by cryptanalysts trying to attack this pr...

1 | Hash Functions: From Merkle-Damgård to Shoup
- Mironov

Citation context: ...atural but is closer to SPR and reflects more accurately the "real hardness" of the constructions H_r and H̃_r. We also note that c-SPR is related to the "hierarchy of collision resistance" of Mironov [18], and that e-SPR is a weaker property than the L-order TCR property of Hong et al. [14]. We stress that ultimately, the question of whether or not a particular compression function (such as those in t...

1 | Collision-Resistant Usage of MD5 and SHA-1 via Message Preprocessing, Cryptology ePrint Archive, Report 2005/248
- Szydlo, Yin

1 | How to Break MD5 and Other Hash Functions
- Wang, Yu
- 2005

Citation context: ...assumption significantly weaker than collision resistance for proving the security of the scheme. 1 Introduction. Recent cryptanalytical advances in the area of collision-resistant hash functions (CRHF) [8, 5, 15, 6, 16, 29, 30, 31, 32], especially the attacks against MD5 and SHA-1, have shaken our confidence in the security of existing hash functions as well as in our ability to design secure CRHF. These attacks remind us that cryp...

1 | Presentation at the NIST Second Cryptographic Hash Workshop, 2006: http://www.csrc.nist.gov/pki/HashWorkshop/2006/Presentations/YIN NIST2ndHashWorshop-ContiniYin-Aug25-2006.pdf
- Yin
- 2006

Citation context: ...lemma, we comment that the exact assertion of this lemma (and thus the proof) depends on whether we view the IV c_0 as a random input to the TCR attacker or a parameter of the ... ⁴ Recent work by Lisa Yin [35] has shown a concrete interesting example: while current attacks show that the compression function of MD5 is neither e-SPR nor r-SPR, these attacks do not seem to apply to breaking the TCR property o...