How to Use Merkle-Damgård — On the Security Relations between Signature Schemes and Their Inner Hash Functions

  • Emmanuel Bresson
  • Benoît Chevallier-Mames
  • Christophe Clavier
  • Aline Gouget
  • Pascal Paillier
  • Thomas Peyrin
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5324)


This paper reports a thorough standard-model investigation of how attacks on hash functions impact the security of hash-and-sign signature schemes. We identify two properties that appear to be crucial in analyzing the nature of the security relations between signature schemes and their inner hash functions: primitiveness and injectivity. We then investigate the security relations in the general case of hash-and-sign signatures and in the particular case of first-hash-then-sign signatures, showing a gap in security guarantees between the two paradigms. We subsequently apply our results to two operating modes for constructing a hash function family from a hash function based on the well-known Merkle-Damgård construction (such as MD5 and SHA-1). For completeness, we give concrete attack workloads for attacking the operating modes used in practical implementations of signature schemes.


Keywords (machine-generated, not supplied by the authors): Hash Function, Signature Scheme, Random Oracle, Compression Function, Security Proof





Copyright information

© Springer-Verlag Berlin Heidelberg 2008

Authors and Affiliations

  • Emmanuel Bresson — DCSSI, Paris Cedex 07, France
  • Benoît Chevallier-Mames — DCSSI, Paris Cedex 07, France
  • Christophe Clavier — Gemalto, Meudon, France
  • Aline Gouget — Gemalto, La Ciotat, France
  • Pascal Paillier — Gemalto, La Ciotat, France
  • Thomas Peyrin — Orange Labs, Issy-les-Moulineaux, France
