Merkle-Damgård Revisited: How to Construct a Hash Function

  • Jean-Sébastien Coron
  • Yevgeniy Dodis
  • Cécile Malinaud
  • Prashant Puniya
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3621)

Abstract

The most common way of constructing a hash function (e.g., SHA-1) is to iterate a compression function on the input message. The compression function is usually designed from scratch or made out of a block-cipher. In this paper, we introduce a new security notion for hash-functions, stronger than collision-resistance. Under this notion, the arbitrary length hash function H must behave as a random oracle when the fixed-length building block is viewed as a random oracle or an ideal block-cipher. The key property is that if a particular construction meets this definition, then any cryptosystem proven secure assuming H is a random oracle remains secure if one plugs in this construction (still assuming that the underlying fixed-length primitive is ideal). In this paper, we show that the current design principle behind hash functions such as SHA-1 and MD5 — the (strengthened) Merkle-Damgård transformation — does not satisfy this security notion. We provide several constructions that provably satisfy this notion; those new constructions introduce minimal changes to the plain Merkle-Damgård construction and are easily implementable in practice.

References

  1. 1.
    An, J.H., Bellare, M.: Constructing VIL-MACs from FIL-MACs: Message Authentication under Weakened Assumptions. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 252–269. Springer, Heidelberg (1999)Google Scholar
  2. 2.
    Bellare, M., Boldyreva, A., Palacio, A.: An Uninstantiable Random-Oracle-Model Scheme for a Hybrid-Encryption Problem. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 171–188. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  3. 3.
    Bellare, M., Kilian, J., Rogaway, P.: The Security of Cipher Block Chaining. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 341–358. Springer, Heidelberg (1994)Google Scholar
  4. 4.
    Bellare, M., Rogaway, P.: Random oracles are practical : a paradigm for designing efficient protocols. In: Proceedings of the First Annual Conference on Computer and Commmunications Security. ACM, New York (1993)Google Scholar
  5. 5.
    Bellare, M., Rogaway, P.: The exact security of digital signatures - How to sign with RSA and Rabin. In: Maurer, U.M. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 399–416. Springer, Heidelberg (1996)Google Scholar
  6. 6.
    Bellare, M., Rogaway, P.: Optimal Asymmetric Encryption. In: De Santis, A. (ed.) EUROCRYPT 1994. LNCS, vol. 950, pp. 92–111. Springer, Heidelberg (1995)CrossRefGoogle Scholar
  7. 7.
    Bellare, M., Rogaway, P.: Collision-Resistant Hashing: Towards Making UOWHFs Practical. In: Kaliski Jr., B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 470–484. Springer, Heidelberg (1997)Google Scholar
  8. 8.
    Bellare, M., Canetti, R., Krawczyk, H.: Pseudorandom Functions Re-visited: The Cascade Construction and Its Concrete Security. In: Proc. 37th FOCS, pp. 514–523. IEEE, Los Alamitos (1996)Google Scholar
  9. 9.
    Black, J., Rogaway, P., Shrimpton, T.: Black-Box Analysis of the Block-Cipher-Based Hash-Function Constructions from PGV. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, p. 320. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  10. 10.
    Canetti, R.: Universally Composable Security: A New Paradigm for Cryptographic Protocols. In: Proceedings of the 42nd Symposium on Foundations of Computer Science, FOCS (2001); Cryptology ePrint Archive, Report 2000/067, http://eprint.iacr.org/
  11. 11.
    Canetti, R., Goldreich, O., Halevi, S.: The random oracle methodology, revisited. In: STOC 1998. ACM, New York (1998)Google Scholar
  12. 12.
    Canetti, R., Goldreich, O., Halevi, S.: On the random oracle methodology as applied to Length-Restricted Signature Schemes. In: Proceedings of Theory of Cryptology Conference, pp. 40–57 (2004)Google Scholar
  13. 13.
    Damgård, I.: Design Principle for Hash Functions. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 416–427. Springer, Heidelberg (1990)Google Scholar
  14. 14.
    Dodis, Y., Gennaro, R., Håstad, J., Krawczyk, H., Rabin, T.: Randomness Extraction and Key Derivation Using the CBC, Cascade and HMAC Modes. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 494–510. Springer, Heidelberg (2004)Google Scholar
  15. 15.
    Dodis, Y., Oliveira, R., Pietrzak, K.: On the Generic Insecurity of the Full Domain Hash. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 449–466. Springer, Heidelberg (2005)Google Scholar
  16. 16.
    FIPS 180-1, Secure hash standard, Federal Information Processing Standards Publication 180-1, U.S. Department of Commerce/N.I.S.T., National Technical Information Service, Springfield, Virginia, April 17 (1995) (supersedes FIPS PUB 180)Google Scholar
  17. 17.
    National Institute of Standards and Technology (NIST). Secure hash standard. FIPS 180-2 (August 2002)Google Scholar
  18. 18.
    RFC 1321, The MD5 message-digest algorithm, Internet Request for Comments 1321, R.L. Rivest (April 1992)Google Scholar
  19. 19.
    Goldwasser, S., Tauman, Y.: On the (In)security of the Fiat-Shamir Paradigm. In: Proceedings of the 44th Annual IEEE Symposium on Foundations of Computer Science, pp. 102–114 (2003)Google Scholar
  20. 20.
    Handschuh, H., Naccache, D.: SHACAL. In: Preneel, B. (ed.) First Open NESSIE Workshop, Leuven, Belgium, November 13-14 (2000)Google Scholar
  21. 21.
    Luby, M., Rackoff, C.: How to construct pseudo-random permutations from pseudo-random functions. SIAM J. Comput. 17(2) (April 1988)Google Scholar
  22. 22.
    Lucks, S.: Design Principles for Iterated Hash Functions, available at E-Print Archive, http://eprint.iacr.org/2004/253
  23. 23.
    Maurer, U., Renner, R., Holenstein, C.: Indifferentiability, Impossibility Results on Reductions, and Applications to the Random Oracle Methodology. In: Naor, M. (ed.) TCC 2004. LNCS, vol. 2951, pp. 21–39. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  24. 24.
    Maurer, U., Sjodin, J.: Single-key AIL-MACs from any FIL-MAC. In: Caires, L., Italiano, G.F., Monteiro, L., Palamidessi, C., Yung, M. (eds.) ICALP 2005. LNCS, vol. 3580, pp. 472–484. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  25. 25.
    Merkle, R.: One way hash functions and DES. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 428–446. Springer, Heidelberg (1990)Google Scholar
  26. 26.
    Nielsen, J.B.: Separating Random Oracle Proofs from Complexity Theoretic Proofs: The Non-Committing Encryption Case. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 111–126. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  27. 27.
    PKCS #1 v2.1, RSA Cryptography Standard (draft), document available at http://www.rsa.security.com/rsalabs/pkcs
  28. 28.
    Pfitzmann, B., Waidner, M.: A model for asynchronous reactive systems and its application to secure message transmission. In: IEEE Symposium on Security and Privacy, pp. 184–200. IEEE Computer Society Press, Los Alamitos (2001)Google Scholar
  29. 29.
    Preneel, B., Govaerts, R., Vandewalle, J.: Hash Functions Based on Block Ciphers: A Synthetic Approach. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 368–378. Springer, Heidelberg (1994)Google Scholar
  30. 30.
    Shoup, V.: A composition theorem for universal one-way hash functions. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 445–452. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  31. 31.
    Winternitz, R.: A secure one-way hash function built from DES. In: Proceedings of the IEEE Symposium on Information Security and Privacy, pp. 88–90. IEEE Press, Los Alamitos (1984)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  • Jean-Sébastien Coron
    • 1
  • Yevgeniy Dodis
    • 2
  • Cécile Malinaud
    • 3
  • Prashant Puniya
    • 2
  1. 1.University of Luxembourg 
  2. 2.New-York University 
  3. 3.Gemplus Card International 

Personalised recommendations