Abstract
Halevi and Krawczyk proposed a message randomization algorithm called RMX as a front-end tool to hash-then-sign digital signature schemes such as DSS and RSA, in order to remove their reliance on the collision resistance property of the hash functions. They showed that to forge an RMX-hash-then-sign signature scheme, one has to solve a cryptanalytical task related to finding second preimages for the hash function. In this article, we show how to use Dean's method of finding expandable messages (used for finding second preimages in Merkle-Damgård hash functions) to existentially forge a signature scheme based on a t-bit RMX-hash function that uses a Davies-Meyer compression function (e.g., MD4, MD5, the SHA family) in 2^{t/2} chosen messages plus 2^{t/2+1} off-line operations of the compression function and a similar amount of memory. This forgery attack also works on signature schemes that use Davies-Meyer schemes and a variant of RMX published by NIST in its Draft Special Publication (SP) 800-106. We discuss some important applications of our attack.
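As an added illustration (not code from the paper), the Davies-Meyer property that Dean's expandable-message technique relies on, run on a constructed 32-bit toy hash so that the 2^{t/2} figures of the abstract become 2^16 and can be observed directly. The Feistel cipher, its IV and all sample values are constructed for this example; the point for a defender is that a compression function of the form E_m(h) XOR h hands out a chaining value h* = D_m(0) that absorbs any number of copies of m, which is why the forgery in the abstract is tied to Davies-Meyer-style hashes.

```python
import random

# Constructed toy cipher for illustration only (not secure): 32-bit block, 64-bit key,
# 4-round Feistel. Any invertible block cipher shows the same Davies-Meyer property.
def _f(x, k):
    x = ((x ^ k) * 0x9E37 + 0x79B9) & 0xFFFF
    return x ^ (x >> 7)
def _subkeys(key):
    return [(key >> (16 * i)) & 0xFFFF for i in range(4)]

def encrypt(key, block):
    l, r = block >> 16, block & 0xFFFF
    for k in _subkeys(key):
        l, r = r, l ^ _f(r, k)
    return (l << 16) | r
def decrypt(key, block):
    l, r = block >> 16, block & 0xFFFF
    for k in reversed(_subkeys(key)):
        l, r = r ^ _f(l, k), l
    return (l << 16) | r
def dm(h, m):
    """Davies-Meyer compression E_m(h) XOR h: the message block is the cipher key."""
    return encrypt(m, h) ^ h
def fixed_point(m):
    """Dean's observation: h* = D_m(0) gives E_m(h*) = 0, hence dm(h*, m) = h*."""
    return decrypt(m, 0)
def md_chain(iv, blocks):
    """Merkle-Damgaard chaining value before the final length-padding block."""
    for b in blocks:
        iv = dm(iv, b)
    return iv

def expandable_message(iv, t=32, seed=1):
    """Return (x, m, h*) with dm(iv, x) == h* == dm(h*, m): ~2^(t/2) calls plus 2^(t/2) memory."""
    rng = random.Random(seed)
    table = {}
    for _ in range(2 ** (t // 2)):            # 2^(t/2) one-block hashes from iv
        x = rng.getrandbits(64)
        table[dm(iv, x)] = x
    for _ in range(2 ** (t // 2 + 4)):        # a hit is expected after ~2^(t/2) fixed points
        m = rng.getrandbits(64)
        hstar = fixed_point(m)
        if hstar in table:
            return table[hstar], m, hstar
    raise RuntimeError("no match found; raise the trial bound")
def verify_expandable(iv=0x67452301, ks=(1, 2, 17)):
    # True if one (x, m) pair yields the same chaining value at every message length in ks
    x, m, hstar = expandable_message(iv)
    return dm(iv, x) == hstar and all(md_chain(iv, [x] + [m] * k) == hstar for k in ks)
```

In a real Merkle-Damgård hash the final length-padding block is what forces the attacker to hit a target at a specific length; the expandable message removes that obstacle, and a compression function without cheap fixed points (or a mode that feeds a block counter into each call) is what takes it away again.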
The work in this paper has been supported in part by the European Commission through the ICT programme under contract ICT-2007-216676 ECRYPT II.
The original version of this chapter was revised: The copyright line was incorrect. This has been corrected. The Erratum to this chapter is available at DOI: 10.1007/978-3-642-01001-9_35
References
Akl, S.G.: On the Security of Compressed Encodings. In: Chaum, D. (ed.) Advances in Cryptology: Proceedings of Crypto 1993, pp. 209–230. Plenum Press, New York (1983)
Anderson, R., Biham, E.: Tiger: A Fast New Hash Function. In: Gollmann, D. (ed.) FSE 1996. LNCS, vol. 1039, pp. 89–97. Springer, Heidelberg (1996)
ANSI. ANSI X9.62:2005: Public Key Cryptography for the Financial Services Industry, The Elliptic Curve Digital Signature Algorithm (ECDSA) (2005)
Bellare, M., Canetti, R., Krawczyk, H.: Keying hash functions for message authentication. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 1–15. Springer, Heidelberg (1996)
Bellare, M., Rogaway, P.: Collision-resistant hashing: Towards making uOWHFs practical. In: Kaliski Jr., B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 470–484. Springer, Heidelberg (1997)
Bellovin, S., Rescorla, E.: Deploying a New Hash Algorithm. In: Proceedings of NDSS. Internet Society (February 2006)
Biham, E., Dunkelman, O.: A Framework for Iterative Hash Functions - HAIFA. Cryptology ePrint Archive, Report 2007/278 (2007) (Accessed on May 14, 2008), http://eprint.iacr.org/2007/278
Boneh, D., Boyen, X.: Short Signatures Without Random Oracles and the SDH Assumption in Bilinear Groups. Journal of Cryptology 21(2), 149–177 (2008)
Damgård, I.B.: A design principle for hash functions. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 416–427. Springer, Heidelberg (1990)
Dang, Q.: NIST Special Publication 800-106 Draft Randomized Hashing Digital Signatures (2007) (Accessed on July 21, 2008), http://csrc.nist.gov/publications/drafts/Draft-SP-800-106/Draft-SP800-106.pdf
Dang, Q.: Draft NIST Special Publication 800-106 Draft Randomized Hashing Digital Signatures (2008) (Accessed on August 6, 2008), http://csrc.nist.gov/publications/drafts/800-106/2nd-Draft_SP800-106_July2008.pdf
Dang, Q., Perlner, R.: Personal communication (October 2008)
Davies, D., Price, W.: Security for Computer Networks. John Wiley, Chichester (1984)
Davies, D.W., Price, W.L.: The Application of Digital Signatures Based on Public-Key Cryptosystems. In: Proc. Fifth Intl. Computer Communications Conference, pp. 525–530 (October 1980)
Dean, R.D.: Formal Aspects of Mobile Code Security. PhD thesis, Princeton University (1999)
Gauravaram, P., Knudsen, L.R., Matusiewicz, K., Mendel, F., Rechberger, C., Schläffer, M., Thomsen, S.S.: Grøstl – A SHA-3 Candidate. First Round of NIST’s SHA-3 Competition (2008) (Accessed on January 5, 2009), http://www.groestl.info/Groestl.pdf
Gauravaram, P., McCullagh, A., Dawson, E.: Collision Attacks on MD5 and SHA-1: Is this the “Sword of Damocles” for Electronic Commerce? In: Clark, A., McPherson, M., Mohay, G. (eds.) AusCERT Conference Refereed R & D Stream, pp. 1–13 (2006)
Goldwasser, S., Micali, S., Rivest, R.L.: A Digital Signature Scheme Secure Against Adaptive Chosen-Message Attacks. SIAM Journal on Computing 17(2), 281–308 (1988)
Halevi, S., Krawczyk, H.: Strengthening digital signatures via randomized hashing. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 41–59. Springer, Heidelberg (2006), http://www.ee.technion.ac.il/~hugo/rhash/rhash.pdf
Halevi, S., Krawczyk, H.: The RMX Transform and Digital Signatures (2006) (Accessed on July 30, 2008), http://www.ee.technion.ac.il/~hugo/rhash/rhash-nist.pdf
Halevi, S., Shao, W., Krawczyk, H., Boneh, D., McIntosh, M.: Implementing the Halevi-Krawczyk Randomized Hashing Scheme (2007) (Accessed on July 28, 2008), http://www.ee.technion.ac.il/~hugo/rhash/implementation.pdf
Hohl, W., Lai, X., Meier, T., Waldvogel, C.: Security of Iterated Hash Functions Based on Block Ciphers. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 379–390. Springer, Heidelberg (1994)
Kelsey, J., Schneier, B.: Second preimages on n-bit hash functions for much less than 2n work. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 474–490. Springer, Heidelberg (2005)
Lenstra, A.K., de Weger, B.: On the Possibility of Constructing Meaningful Hash Collisions for Public Keys. In: Boyd, C., González Nieto, J.M. (eds.) ACISP 2005. LNCS, vol. 3574, pp. 267–279. Springer, Heidelberg (2005)
Lucks, S.: A failure-friendly design principle for hash functions. In: Roy, B. (ed.) ASIACRYPT 2005. LNCS, vol. 3788, pp. 474–494. Springer, Heidelberg (2005)
Merkle, R.C.: One way hash functions and DES. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 428–446. Springer, Heidelberg (1990)
Mironov, I.: Collision-Resistant No More: Hash-and-Sign Paradigm Revisited. In: Yung, M., Dodis, Y., Kiayias, A., Malkin, T.G. (eds.) PKC 2006. LNCS, vol. 3958, pp. 140–156. Springer, Heidelberg (2006)
Miyaguchi, S., Ohta, K., Iwata, M.: Confirmation that Some Hash Functions Are Not Collision Free. In: Damgård, I.B. (ed.) EUROCRYPT 1990. LNCS, vol. 473, pp. 326–343. Springer, Heidelberg (1991)
NIST. FIPS PUB 186-2: Digital Signature Standard (DSS) (January 2000) (Accessed on August 15, 2008), http://csrc.nist.gov/publications/fips/fips186-2/fips186-2-change1.pdf
NIST. FIPS PUB 180-2: Secure Hash Standard (August 2002) (Accessed on May 18, 2008), http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf
NIST. Announcing Request for Candidate Algorithm Nominations for a New Cryptographic Hash Algorithm (SHA-3) Family. Docket No: 070911510-7512-01 (November 2007)
NIST. Draft FIPS PUB 186-3: Digital Signature Standard (2008) (Accessed on January 4, 2008), http://csrc.nist.gov/publications/drafts/fips_186-3/Draft_FIPS-186-3_November2008.pdf
Pasini, S., Vaudenay, S.: Hash-and-Sign with Weak Hashing Made Secure. In: Pieprzyk, J., Ghodosi, H., Dawson, E. (eds.) ACISP 2007. LNCS, vol. 4586, pp. 338–354. Springer, Heidelberg (2007)
Preneel, B., Govaerts, R., Vandewalle, J.: Hash functions based on block ciphers: A synthetic approach. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 368–378. Springer, Heidelberg (1994)
Rivest, R.L.: The MD4 Message Digest Algorithm. In: Menezes, A., Vanstone, S.A. (eds.) CRYPTO 1990. LNCS, vol. 537, pp. 303–311. Springer, Heidelberg (1991)
Rivest, R.: The MD5 Message-Digest Algorithm. Internet Request for Comment RFC 1321, Internet Engineering Task Force (April 1992)
RSA Laboratories. PKCS #1 v2.1: RSA Cryptography Standard. RSA Data Security, Inc. (June 2002) (Accessed on August 15, 2008), ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1/pkcs-1v2-1.pdf
Sotirov, A., Stevens, M., Appelbaum, J., Lenstra, A., Molnar, D., Osvik, D.A., de Weger, B.: MD5 Considered Harmful Today: Creating a Rogue CA Certificate. Presented at the 25th Annual Chaos Communication Congress (2008) (Accessed on January 3, 2009), http://www.win.tue.nl/hashclash/rogue-ca/
Stevens, M., Lenstra, A.K., de Weger, B.: Chosen-prefix collisions for MD5 and colliding X.509 certificates for different identities. In: Naor, M. (ed.) EUROCRYPT 2007. LNCS, vol. 4515, pp. 1–22. Springer, Heidelberg (2007)
Wang, X., Yin, Y.L., Yu, H.: Finding collisions in the full SHA-1. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 17–36. Springer, Heidelberg (2005)
Wang, X., Yu, H.: How to break MD5 and other hash functions. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 19–35. Springer, Heidelberg (2005)
Yasuda, K.: How to Fill Up Merkle-Damgård Hash Functions. In: Pieprzyk, J. (ed.) Advances in Cryptology - ASIACRYPT 2008. LNCS, vol. 5350, pp. 272–289. Springer, Heidelberg (2008)
© 2009 Springer-Verlag Berlin Heidelberg
Gauravaram, P., Knudsen, L.R. (2009). On Randomizing Hash Functions to Strengthen the Security of Digital Signatures. In: Joux, A. (eds) Advances in Cryptology - EUROCRYPT 2009. EUROCRYPT 2009. Lecture Notes in Computer Science, vol 5479. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-01001-9_5
DOI: https://doi.org/10.1007/978-3-642-01001-9_5
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-01000-2
Online ISBN: 978-3-642-01001-9