Journal of Cryptology, Volume 25, Issue 2, pp. 271–309

A Simple Variant of the Merkle–Damgård Scheme with a Permutation

  • Shoichi Hirose
  • Je Hong Park
  • Aaram Yun


We propose a new composition scheme for hash functions. It is a variant of the Merkle–Damgård construction in which a permutation is applied to the chaining value right before the processing of the last message block. We analyze the security of this scheme using the indifferentiability formalism, which Coron et al. first applied to the analysis of hash functions. We also study the security of simple MAC constructions built from this scheme. Finally, we discuss the random oracle indifferentiability of this scheme when it is instantiated with a double-block-length compression function or with the Davies–Meyer compression function built from a block cipher.
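The following Python is an added illustration of the construction the abstract describes; it is not code from the paper or its authors. It assumes a 256-bit chaining value, a 512-bit message block, an all-zero IV, a stand-in compression function built from SHA-256, and a fixed-point-free permutation π implemented as XOR with a nonzero constant (all of these choices are constructed here for illustration). Plain Merkle–Damgård and the permutation variant are built side by side, and `digest_equals_internal_state` makes the structural difference visible: in plain MD the digest of a message is exactly the chaining value reached by any longer message that has the padded message as a prefix, whereas applying π before the last block severs that relationship.

```python
import hashlib

N = 32          # chaining-value length in bytes (constructed: 256 bits)
B = 64          # message-block length in bytes (constructed: 512 bits)
IV = bytes(N)   # constructed all-zero initial value

# Constructed nonzero constant; pi(h) = h XOR PI_CONST has no fixed points.
PI_CONST = bytes([0x5C] * N)


def compress(h: bytes, m: bytes) -> bytes:
    """Stand-in compression function F: {0,1}^n x {0,1}^b -> {0,1}^n.
    Built from SHA-256 purely for illustration; not the paper's F."""
    assert len(h) == N and len(m) == B
    return hashlib.sha256(h + m).digest()


def pi(h: bytes) -> bytes:
    """Permutation applied right before the last block: XOR with a nonzero constant."""
    return bytes(x ^ c for x, c in zip(h, PI_CONST))


def pad(msg: bytes) -> bytes:
    """Merkle–Damgård strengthening: 0x80, zero bytes, then the 8-byte big-endian bit length,
    so the result is a whole number of B-byte blocks."""
    padded = msg + b"\x80"
    padded += b"\x00" * ((-len(padded) - 8) % B)
    return padded + (8 * len(msg)).to_bytes(8, "big")


def blocks(padded: bytes) -> list:
    return [padded[i:i + B] for i in range(0, len(padded), B)]


def md_states(msg: bytes, iv: bytes = IV) -> list:
    """Chaining values after each block of plain Merkle–Damgård; the last is the digest."""
    states, h = [], iv
    for blk in blocks(pad(msg)):
        h = compress(h, blk)
        states.append(h)
    return states


def md(msg: bytes, iv: bytes = IV) -> bytes:
    """Plain Merkle–Damgård digest."""
    return md_states(msg, iv)[-1]


def mdp(msg: bytes, iv: bytes = IV) -> bytes:
    """Merkle–Damgård with a permutation: iterate F over all blocks except the last,
    apply pi to the chaining value, then process the last block."""
    blks = blocks(pad(msg))
    h = iv
    for blk in blks[:-1]:
        h = compress(h, blk)
    return compress(pi(h), blks[-1])


def digest_equals_internal_state(scheme, m1: bytes, m2: bytes) -> bool:
    """True if scheme(m1) equals the chaining value reached while hashing pad(m1) || m2
    after the blocks of pad(m1). Holds for plain MD; the permutation removes it in MDP."""
    k = len(pad(m1)) // B
    return scheme(m1) == md_states(pad(m1) + m2)[k - 1]


if __name__ == "__main__":
    m1, m2 = b"hello", b"world"   # constructed sample inputs
    print("MD  digest is an internal state of an extension:", digest_equals_internal_state(md, m1, m2))
    print("MDP digest is an internal state of an extension:", digest_equals_internal_state(mdp, m1, m2))
```

Only the final compression call differs between the two schemes, which is what keeps the variant cheap relative to plain Merkle–Damgård; the permutation must be fixed-point-free so that the pre-final chaining value and its image under π are never the same value.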

Key words

Hash function, Merkle–Damgård construction, Random oracle, Ideal cipher, Indifferentiability, Pseudorandom function, MAC




  1. E. Andreeva, G. Neven, B. Preneel, T. Shrimpton, Seven-property-preserving iterated hashing: ROX, in Advances in Cryptology—ASIACRYPT 2007. LNCS, vol. 4833 (2007), pp. 130–146
  2. J.H. An, M. Bellare, Constructing VIL-MACs from FIL-MACs: message authentication under weakened assumptions, in Advances in Cryptology—CRYPTO’99. LNCS, vol. 1666 (1999), pp. 252–269
  3. M. Bellare, New proofs for NMAC and HMAC: security without collision-resistance, in Advances in Cryptology—CRYPTO 2006. LNCS, vol. 4117 (2006), pp. 602–619
  4. M. Bellare, R. Canetti, H. Krawczyk, Keying hash functions for message authentication, in Advances in Cryptology—CRYPTO’96. LNCS, vol. 1109 (1996), pp. 1–15
  5. M. Bellare, R. Canetti, H. Krawczyk, Pseudorandom functions revisited: the cascade construction and its concrete security, in Proc. of FOCS’96 (1996), pp. 514–523
  6. M. Bellare, T. Kohno, A theoretical treatment of related-key attacks: RKA-PRPs, RKA-PRFs, and applications, in Advances in Cryptology—EUROCRYPT 2003. LNCS, vol. 2656 (2003), pp. 491–506
  7. M. Bellare, T. Ristenpart, Multi-property-preserving hash domain extension and the EMD transform, in Advances in Cryptology—ASIACRYPT 2006. LNCS, vol. 4284 (2006), pp. 299–314
  8. M. Bellare, T. Ristenpart, Hash functions in the dedicated-key setting: design choices and MPP transforms, in Automata, Languages and Programming—ICALP 2007. LNCS, vol. 4596 (2007), pp. 399–410
  9. M. Bellare, P. Rogaway, The security of triple encryption and a framework for code-based game-playing proofs, in Advances in Cryptology—EUROCRYPT 2006. LNCS, vol. 4004 (2006), pp. 409–426
  10. R. Bhattacharyya, A. Mandal, M. Nandi, Indifferentiability characterization of hash functions and optimal bounds of popular domain extensions, in Progress in Cryptology—INDOCRYPT 2009. LNCS, vol. 5922 (2009), pp. 199–218
  11. B. den Boer, A. Bosselaers, Collisions for the compression function of MD5, in Advances in Cryptology—EUROCRYPT’93. LNCS, vol. 765 (1994), pp. 293–304
  12. D. Chang, S. Lee, M. Nandi, M. Yung, Indifferentiable security analysis of popular hash functions with prefix-free padding, in Advances in Cryptology—ASIACRYPT 2006. LNCS, vol. 4284 (2006), pp. 283–298
  13. D. Chang, M. Nandi, Improved indifferentiability security analysis of chopMD hash function, in Fast Software Encryption—FSE 2008. LNCS, vol. 5086 (2008), pp. 429–443
  14. S. Contini, Y.L. Yin, Forgery and partial key-recovery attacks on HMAC and NMAC using hash collisions, in Advances in Cryptology—ASIACRYPT 2006. LNCS, vol. 4284 (2006), pp. 37–53
  15. J.-S. Coron, Y. Dodis, C. Malinaud, P. Puniya, Merkle–Damgård revisited: how to construct a hash function, in Advances in Cryptology—CRYPTO 2005. LNCS, vol. 3621 (2005), pp. 430–448
  16. I. Damgård, A design principle for hash functions, in Advances in Cryptology—CRYPTO’89. LNCS, vol. 435 (1989), pp. 416–427
  17. S. Hirose, H. Kuwakado, A scheme to base a hash function on a block cipher, in Selected Areas in Cryptography—SAC 2008. LNCS, vol. 5381 (2008), pp. 262–275
  18. S. Hirose, J.H. Park, A. Yun, A simple variant of the Merkle–Damgård scheme with a permutation, in Advances in Cryptology—ASIACRYPT 2007. LNCS, vol. 4833 (2007), pp. 113–129
  19. J. Kelsey, in Public Comments on the Draft Federal Information Processing Standard (FIPS) Draft FIPS 180-2, Secure Hash Standard (SHS) (2001)
  20. J. Kim, A. Biryukov, B. Preneel, S. Lee, On the security of HMAC and NMAC based on HAVAL, MD4, MD5, SHA-0 and SHA-1, in Security and Cryptography for Networks—SCN 2006. LNCS, vol. 4116 (2006), pp. 242–256
  21. J. Lee, J.P. Steinberger, Multi-property-preserving domain extension using polynomial-based modes of operation, in Advances in Cryptology—EUROCRYPT 2010. LNCS, vol. 6110 (2010), pp. 573–596
  22. S. Lucks, A failure-friendly design principle for hash functions, in Advances in Cryptology—ASIACRYPT 2005. LNCS, vol. 3788 (2005), pp. 474–494
  23. U.M. Maurer, R. Renner, C. Holenstein, Indifferentiability, impossibility results on reductions, and applications to the random oracle methodology, in Theory of Cryptography—TCC 2004. LNCS, vol. 2951 (2004), pp. 21–39
  24. U. Maurer, J. Sjödin, Single-key AIL-MACs from any FIL-MAC, in Automata, Languages and Programming—ICALP 2005. LNCS, vol. 3580 (2005), pp. 472–484
  25. A.J. Menezes, P.C. van Oorschot, S.A. Vanstone, Handbook of Applied Cryptography (CRC Press, Boca Raton, 1996)
  26. R. Merkle, One way hash functions and DES, in Advances in Cryptology—CRYPTO’89. LNCS, vol. 435 (1989), pp. 428–446
  27. M. Nandi, Towards optimal double-length hash functions, in Progress in Cryptology—INDOCRYPT 2005. LNCS, vol. 3797 (2005), pp. 77–89
  28. B. Preneel, R. Govaerts, J. Vandewalle, Hash functions based on block ciphers: a synthetic approach, in Advances in Cryptology—CRYPTO’93. LNCS, vol. 773 (1994), pp. 368–378
  29. P. Rogaway, T. Shrimpton, Cryptographic hash-function basics: definitions, implications, and separations for preimage resistance, second-preimage resistance, and collision resistance, in Fast Software Encryption—FSE 2004. LNCS, vol. 3017 (2004), pp. 371–388
  30. G. Tsudik, Message authentication with one-way hash functions. ACM Comput. Commun. Rev. 22(5), 29–38 (1992)
  31. K. Yasuda, A double-piped mode of operation for MACs, PRFs and PROs: security beyond the birthday barrier, in Advances in Cryptology—EUROCRYPT 2009. LNCS, vol. 5479 (2009), pp. 242–259
  32. K. Yasuda, HMAC without the “second” key, in Information Security—ISC 2009. LNCS, vol. 5735 (2009), pp. 443–458

Copyright information

© International Association for Cryptologic Research 2010

Authors and Affiliations

  1. Graduate School of Engineering, University of Fukui, Fukui, Japan
  2. Electronics and Telecommunications Research Institute, Daejeon, Korea
  3. School of Electrical and Computer Engineering, Ulsan National Institute of Science and Technology, Ulsan, Korea
